SuSE 11.2 Security Update: MozillaThunderbird (2010-03-05)

Critical Nessus Plugin ID 45034

Synopsis

The remote SuSE system is missing a security patch for MozillaThunderbird.

Description

Mozilla Thunderbird was upgraded to version 3.0.3, fixing various bugs and security issues.

The following security issues have been fixed:

MFSA 2010-01 / CVE-2010-0159: Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2010-03 / CVE-2009-1571: Security researcher Alin Rad Pop of Secunia Research reported that the HTML parser incorrectly freed used memory when insufficient space was available to process remaining input. Under such circumstances, memory occupied by in-use objects was freed and could later be filled with attacker-controlled text. These conditions could result in the execution of arbitrary code if methods on the freed objects were subsequently called.

MFSA 2009-65 / CVE-2009-3979 / CVE-2009-3980 / CVE-2009-3982: Crashes with evidence of memory corruption were fixed. (rv:1.9.1.6)

MFSA 2009-66 / CVE-2009-3388 (bmo#504843, bmo#523816): Memory safety fixes in the liboggplay media library were added.

MFSA 2009-67 / CVE-2009-3389 (bmo#515882, bmo#504613): An integer overflow and crash in the libtheora video library was fixed.

Solution

Install the MozillaThunderbird security patch by using 'yast', for example.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=576969

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0159

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0160

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3988

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0162

Plugin Details

Severity: Critical

ID: 45034

File Name: suse_11_2_MozillaThunderbird-100305.nasl

Version: Revision: 1.6

Agent: unix

Published: 2010/03/11

Updated: 2016/12/21

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

Required KB Items: Host/SuSE/rpm-list

Reference Information

CVE: CVE-2009-1571, CVE-2009-3388, CVE-2009-3389, CVE-2009-3979, CVE-2009-3980, CVE-2009-3982, CVE-2010-0159

CWE: 94, 189, 399