USN-276-1: Thunderbird vulnerabilities

3 May 2006

mozilla-thunderbird vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 5.10
  • Ubuntu 5.04

Software Description

Details

Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious mail with embedded JavaScript could exploit this to execute arbitrary code with the privileges of the user. (CVE-2006-0292, CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate the names of attributes. An attacker could exploit this to inject arbitrary XML code into the file ‘localstore.rdf’, which is read and evaluated at startup. This could include JavaScript commands that would be run with the user’s privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser a specific sequence of HTML tags caused memory corruption. A malicious HTML email could exploit this to crash the browser or even execute arbitrary code with the user’s privileges. (CVE-2006-0748)

An invalid ordering of table-related tags caused Thunderbird to use a negative array index. A malicious HTML email could exploit this to execute arbitrary code with the privileges of the user. (CVE-2006-0749)

Georgi Guninski discovered that forwarding mail in-line while using the default HTML “rich mail” editor executed JavaScript embedded in the email message. Forwarding mail in-line is not the default setting but it is easily accessed through the “Forward As” menu item. (CVE-2006-0884)

As a privacy measure to prevent senders (primarily spammers) from tracking when email is read Thunderbird does not load remote content referenced from an HTML mail message until a user tells it to do so. This normally includes the content of frames and CSS files. It was discovered that it was possible to bypass this restriction by indirectly including remote content through an intermediate inline CSS script or frame. (CVE-2006-1045)

Georgi Guninski discovered that embedded XBL scripts could escalate their (normally reduced) privileges to get full privileges of the user if the email is viewed with “Print Preview”. (CVE-2006-1727)

The crypto.generateCRMFRequest() function had a flaw which could be exploited to run arbitrary code with the user’s privileges. (CVE-2006-1728)

An integer overflow was detected in the handling of the CSS property “letter-spacing”. A malicious HTML email could exploit this to run arbitrary code with the user’s privileges. (CVE-2006-1730)

The methods valueOf.call() and .valueOf.apply() returned an object whose privileges were not properly confined to those of the caller, which made them vulnerable to cross-site scripting attacks. A malicious email with embedded JavaScript code could exploit this to modify the contents or steal confidential data (such as passwords) from other opened web pages. (CVE-2006-1731) The window.controllers array variable (CVE-2006-1732) and event handlers (CVE-2006-1741) were vulnerable to a similar attack.

The privileged built-in XBL bindings were not fully protected from web content and could be accessed by calling valueOf.call() and valueOf.apply() on a method of that binding. A malicious email could exploit this to run arbitrary JavaScript code with the user’s privileges. (CVE-2006-1733)

It was possible to use the Object.watch() method to access an internal function object (the “clone parent”). A malicious email containing JavaScript code could exploit this to execute arbitrary code with the user’s privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was possible to create JavaScript functions that would get compiled with the wrong privileges. A malicious email could exploit this to execute arbitrary JavaScript code with the user’s privileges. (CVE-2006-1735)

Several crashes have been fixed which could be triggered by specially crafted HTML content and involve memory corruption. These could potentially be exploited to execute arbitrary code with the user’s privileges. (CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

The “enigmail” plugin has been updated to work with the new Thunderbird and Mozilla versions.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
mozilla-thunderbird
Ubuntu 5.04
mozilla-thunderbird

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

References