Debian Bug report logs - #318728
mozilla-thunderbird: Multiple security problems (fixed in sarge/sid, not-fixed in etch)


Package: mozilla-thunderbird; Maintainer for mozilla-thunderbird is (unknown);

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Sun, 17 Jul 2005 10:33:02 UTC

Severity: grave

Tags: etch, security

Found in versions mozilla-thunderbird/1.0.2-2, mozilla-thunderbird/1.0.2-3

Fixed in versions mozilla-thunderbird/1.0.2-2.sarge1.0.6, mozilla-thunderbird/1.0.6-1, 1.5-1

Done: Alexander Sack <asac@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Alexander Sack <asac@debian.org>:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Alexander Sack <asac@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mozilla-thunderbird: Multiple security problems
Date: Sun, 17 Jul 2005 12:16:31 +0200
Package: mozilla-thunderbird
Severity: grave
Tags: security
Justification: user security hole

Thunderbird 1.0.5 fixes these nine security issues, some of which
are classified as critical by the Mozilla developers:

CAN-2005-2270: Code execution through shared function objects
CAN-2005-2269: XHTML node spoofing
CAN-2005-2266: Same origin violation: frame calling top.focus()
CAN-2005-2265: Possible exploitable crash in InstallVersion.compareTo()
CAN-2005-2261: XML scripts ran even when Javascript disabled
CAN-2005-1532: Privilege escalation via non-DOM property overrides
CAN-2005-1160: Privilege escalation via DOM property overrides
CAN-2005-1159: Missing Install object instance checks
CAN-2005-0989: Javascript "lambda" replace exposes memory contents

Cheers,
        Moritz

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-rc5
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)



Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. Full text and rfc822 format available.

Message #10 received at 318728@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: 318728@bugs.debian.org
Subject: Please mention in nonvulns/woody
Date: Fri, 22 Jul 2005 22:04:11 +0200
Hello,
before closing this bug (once sarge and sid are updated) please add
the CANs to http://www.debian.org/security/nonvulns-woody

While I could in principle do this myself, I would rather have this go
the official path.

Greetings

             Helge
-- 
Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
          Help keep free software "libre": http://www.ffii.de/

Information stored:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Alexander Sack <asac@jwsdot.com>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #15 received at 318728-quiet@bugs.debian.org (full text, mbox):

From: Alexander Sack <asac@jwsdot.com>
To: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>, 318728-quiet@bugs.debian.org
Subject: Re: Bug#318728: Please mention in nonvulns/woody
Date: Sat, 23 Jul 2005 11:44:52 +0000
Helge Kreutzmann wrote:

>Hello,
>before closing this bug (once sarge and sid are updated) please add
>the CANs to http://www.debian.org/security/nonvulns-woody
>
>  
>
Yes, but how? Never have done so before.

Thanks,

Alexander



Information stored:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Message #18 received at 318728-quiet@bugs.debian.org (full text, mbox):

From: Y Giridhar Appaji Nag <debian@appaji.net>
To: Alexander Sack <asac@jwsdot.com>, 318728-quiet@bugs.debian.org
Cc: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
Subject: Re: Bug#318728: Please mention in nonvulns/woody
Date: Sat, 23 Jul 2005 20:53:29 +0530
On 05/07/23 11:44 +0000, Alexander Sack said ...
> Helge Kreutzmann wrote:
> 
> > before closing this bug (once sarge and sid are updated) please add
> > the CANs to http://www.debian.org/security/nonvulns-woody
>
> Yes, but how? Never have done so before.

I would assume one needs to edit the
webwml/english/security/nonvulns-woody.src file from  the CVS repository
cvs.debian.org:/cvs/webwml and commit that.  One needs to apply for CVS
write access.

More details at
http://www.debian.org/devel/website/
http://www.debian.org/devel/website/working
http://www.debian.org/devel/website/using_cvs

I don't know how this works, but doesn't the security team add the CANs
to the nonvulns files?

Giridhar

-- 
Y Giridhar Appaji Nag | http://www.appaji.net/



Information stored:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Helge Kreutzmann <kreutzm@itp.uni-hannover.de>:
Extra info received and filed, but not forwarded. Full text and rfc822 format available.

Message #23 received at 318728-quiet@bugs.debian.org (full text, mbox):

From: Helge Kreutzmann <kreutzm@itp.uni-hannover.de>
To: Alexander Sack <asac@jwsdot.com>, 318728-quiet@bugs.debian.org
Subject: Re: Bug#318728: Please mention in nonvulns/woody
Date: Sat, 23 Jul 2005 19:34:04 +0200
Hello,
On Sat, Jul 23, 2005 at 08:53:29PM +0530, Y Giridhar Appaji Nag wrote:
> On 05/07/23 11:44 +0000, Alexander Sack said ...
> > Helge Kreutzmann wrote:
> > 
> > > before closing this bug (once sarge and sid are updated) please add
> > > the CANs to http://www.debian.org/security/nonvulns-woody
> >
> > Yes, but how? Never have done so before.
> 
> I would assume one needs to edit the
> webwml/english/security/nonvulns-woody.src file from  the CVS repository
> cvs.debian.org:/cvs/webwml and commit that.  One needs to apply for CVS
> write access.

Yes, this file needs to be edited. I strongly suggest contacting the
security team instead of editing it yourself (or I myself). 
 
> I don't know how this works, but doesn't the security team add the CANs
> to the nonvulns files?

I believe so. Except for typo correction, almost all checkins are done
by joey or mdz. Thus simply check if the file is updated once the
security bug is dealt with.

Greetings

         Helge


-- 
Dr. Helge Kreutzmann, Dipl.-Phys.           Helge.Kreutzmann@itp.uni-hannover.de
                       gpg signed mail preferred 
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
          Help keep free software "libre": http://www.ffii.de/

Reply sent to Alexander Sack <asac@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #28 received at 318728-close@bugs.debian.org (full text, mbox):

From: Alexander Sack <asac@debian.org>
To: 318728-close@bugs.debian.org
Subject: Bug#318728: fixed in mozilla-thunderbird 1.0.6-1
Date: Thu, 28 Jul 2005 16:03:02 -0700
Source: mozilla-thunderbird
Source-Version: 1.0.6-1

We believe that the bug you reported is fixed in the latest version of
mozilla-thunderbird, which is due to be installed in the Debian FTP archive:

mozilla-thunderbird-dev_1.0.6-1_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-1_i386.deb
mozilla-thunderbird-inspector_1.0.6-1_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-1_i386.deb
mozilla-thunderbird-offline_1.0.6-1_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-1_i386.deb
mozilla-thunderbird-typeaheadfind_1.0.6-1_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-1_i386.deb
mozilla-thunderbird_1.0.6-1.diff.gz
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-1.diff.gz
mozilla-thunderbird_1.0.6-1.dsc
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-1.dsc
mozilla-thunderbird_1.0.6-1_i386.deb
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-1_i386.deb
mozilla-thunderbird_1.0.6.orig.tar.gz
  to pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 318728@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Sack <asac@debian.org> (supplier of updated mozilla-thunderbird package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 21 Jul 2005 21:00:00 +0100
Source: mozilla-thunderbird
Binary: mozilla-thunderbird-dev mozilla-thunderbird-inspector mozilla-thunderbird mozilla-thunderbird-typeaheadfind mozilla-thunderbird-offline
Architecture: source i386
Version: 1.0.6-1
Distribution: unstable
Urgency: high
Maintainer: Alexander Sack <asac@debian.org>
Changed-By: Alexander Sack <asac@debian.org>
Description: 
 mozilla-thunderbird - Mozilla Thunderbird standalone mail client
 mozilla-thunderbird-dev - mozilla thunderbird development files
 mozilla-thunderbird-inspector - mozilla thunderbird dom inspector extension
 mozilla-thunderbird-offline - mozilla thunderbird offline extension
 mozilla-thunderbird-typeaheadfind - mozilla thunderbird typeaheadfind extension
Closes: 285728 301481 301481 306893 308961 315588 317937 318728 318747
Changes: 
 mozilla-thunderbird (1.0.6-1) unstable; urgency=high
 .
   * GCC/G++ 4.0 API transition upload.
   * include 90_new_freetype_fix.dpatch to fix new freetype API
       (Closes: 301481, 301481) - consumed from mozilla-firefox packages ...
       thx to Eric Dorland <eric@debian.org>
   * include 90_gcc4_fix.dpatch
   * fixes multiple security bugs (Closes: 318728)
       CAN-2005-2270: Code execution through shared function objects
       CAN-2005-2269: XHTML node spoofing
       CAN-2005-2266: Same origin violation: frame calling top.focus()
       CAN-2005-2265: Possible exploitable crash in InstallVersion.compareTo()
       CAN-2005-2261: XML scripts ran even when Javascript disabled
       CAN-2005-1532: Privilege escalation via non-DOM property overrides
       CAN-2005-1160: Privilege escalation via DOM property overrides
       CAN-2005-1159: Missing Install object instance checks
       CAN-2005-0989: Javascript "lambda" replace exposes memory contents
   * fix gdk_property_get problem that might cause a segfault (Closes: 317937)
       patch by Loic Minier <lool@dooz.org>
       debian/patches/gdk_property_get.dpatch
   * fix CAN-2005-2353: insecure tmp file usage in run-mozilla.sh (Closes: 306893)
       debian/patches/20_run-mozilla_sh_306893_fix.dpatch
   * include german de.po translation (Closes: 318747)
       by Alwin Meschede <ameschede@gmx.de>
   * fixed whitespace in mozilla-thunderbird.templates (Closes: 308961)
       hint by Clytie Siddall <clytie@riverland.net.au>
   * apply fix for seamonkey migration crash (Closes: 285728)
       90_mail_components_miration_src_nsSeamonkeyProfileMigrator_cpp
   * fix 'find' in update-mozilla-thunderbird-chrome (Closes: 315588)
       patch by Michael Spang <mspang@twcny.rr.com>
Files: 
 51519a5bca58bee8543b1a34ef5610dc 899 mail optional mozilla-thunderbird_1.0.6-1.dsc
 6ae9de9f17f05d2143ec363b306d7acd 32933648 mail optional mozilla-thunderbird_1.0.6.orig.tar.gz
 bf1fa30dfb444205b86a61f5e78a843f 94906 mail optional mozilla-thunderbird_1.0.6-1.diff.gz
 e7b1c9f87d26e3cf156d6545a0103285 10636448 mail optional mozilla-thunderbird_1.0.6-1_i386.deb
 92f8f390116106ab2ab8fb68d845876d 26990 mail optional mozilla-thunderbird-offline_1.0.6-1_i386.deb
 aa713a12db4d22bc57930f2c9ccd851b 139336 mail optional mozilla-thunderbird-inspector_1.0.6-1_i386.deb
 a9ed78214f3a089a357f26a461d8930d 78158 mail optional mozilla-thunderbird-typeaheadfind_1.0.6-1_i386.deb
 e2f8d0c00569c57863e855083f214fc9 3563724 mail optional mozilla-thunderbird-dev_1.0.6-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC6VT5v8pLOKgkuT8RApwWAKDBPY+CQP13zY341DzTy841vdQCbACdF7ya
6nbnC0C/1sNTLQ57DeSge5c=
=Zfhc
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Alexander Sack <asac@debian.org>:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Mikko Rapeli <mikko.rapeli@iki.fi>:
Extra info received and forwarded to list. Copy sent to Alexander Sack <asac@debian.org>. Full text and rfc822 format available.

Message #33 received at 318728@bugs.debian.org (full text, mbox):

From: Mikko Rapeli <mikko.rapeli@iki.fi>
To: 318728@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Sarge needs Thunderbird 1.0.6 too
Date: Fri, 05 Aug 2005 09:33:24 +0300
reopen 318728
tags 318728 sarge
thanks

Thunderbird 1.0.6 compiles, installs and runs well, when source package
is upgraded from 1.0.2-2. 

Though the orig.tar.gz structure seems quite
strange and uupdate doesn't work as it perhaps should, but I'll send
another wishlist bug with patches to fix this for unstable at least...

-Mikko



Bug reopened, originator not changed. Request was from Mikko Rapeli <mikko.rapeli@iki.fi> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: sarge Request was from Mikko Rapeli <mikko.rapeli@iki.fi> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Alexander Sack <asac@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #42 received at 318728@bugs.debian.org (full text, mbox):

From: Alexander Sack <asac@debian.org>
To: Mikko Rapeli <mikko.rapeli@iki.fi>, 318728@bugs.debian.org
Subject: Re: Bug#318728: Sarge needs Thunderbird 1.0.6 too
Date: Fri, 5 Aug 2005 09:05:32 +0200
On Fri, Aug 05, 2005 at 09:33:24AM +0300, Mikko Rapeli wrote:
> reopen 318728
> tags 318728 sarge
> thanks
> 
> Thunderbird 1.0.6 compiles, installs and runs well, when source package
> is upgraded from 1.0.2-2. 
> 
> Though the orig.tar.gz structure seems quite
> strange and uupdate doesn't work as it perhaps should, but I'll send
> another wishlist bug with patches to fix this for unstable at least...
> 

The 1.0.6 version is available at http://people.debian.org/~asac/stable/.

An attempt to backport fixes can be found in
http://people.debian.org/~asac/security ... this package should install
cleanly without causing any hazards in sarge (no extension/locale breakage).
Feedback is welcome.

News and updates on this whole security process will be posted to my blog:
http://www.asoftsite.org/.

Cheers,
-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 asac@debian.org           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Alexander Sack <asac@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #47 received at 318728@bugs.debian.org (full text, mbox):

From: Alexander Sack <asac@debian.org>
To: Mikko Rapeli <mikko.rapeli@iki.fi>, 318728@bugs.debian.org
Subject: Re: Bug#318728: Sarge needs Thunderbird 1.0.6 too
Date: Fri, 5 Aug 2005 10:27:06 +0200
On Fri, Aug 05, 2005 at 09:33:24AM +0300, Mikko Rapeli wrote:
> reopen 318728
> tags 318728 sarge
> thanks
> 
> Thunderbird 1.0.6 compiles, installs and runs well, when source package
> is upgraded from 1.0.2-2. 
> 
> Though the orig.tar.gz structure seems quite
> strange and uupdate doesn't work as it perhaps should, but I'll send

uupdate is not supported. And since upgrading the package is quite trivial
to do manually (in case of thunderbird), this should be no problem.

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 asac@debian.org           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org



Tags added: fixed Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: fixed Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: sarge Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: etch Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.0.2-2. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1.0.2-2.sarge1.0.6, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as found in version 1.0.2-3. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 1.0.6-1, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org> Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 318728 cloned as bug 363866. Request was from Alexander Sack <asac@jwsdot.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#318728; Package mozilla-thunderbird. Full text and rfc822 format available.

Acknowledgement sent to Alexander Sack <asac@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #72 received at 318728@bugs.debian.org (full text, mbox):

From: Alexander Sack <asac@debian.org>
To: 318728@bugs.debian.org
Cc: control@bugs.debian.org
Subject: closing previously cloned bug 318728. The new one is 363866
Date: Sat, 12 Aug 2006 18:06:25 +0200
close 318728 1.5-1
thanks

Some time ago, I cloned your mozilla-thunderbird bug #318728 as bug #363866. 
The new bug is the one to track your issue for the new thunderbird package.
Thus, I close your original mozilla-thunderbird bug for all versions of the 1.5 branch and later.

This mail is just a mail to educate you why your original bug is marked as done now.
You don't need to do anything. Your bug is still open and maintained.

Maybe take the time to take a look at your bug at http://bugs.debian.org/363866 and
verify if it still applies. If it is gone, please send a mail to 
363866@bugs.debian.org.

Thanks,

Alexander Sack
asac@debian.org
http://www.asoftsite.org





Bug marked as fixed in version 1.5-1, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org> Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 00:49:10 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:58:55 2014; Machine Name: buxtehude.debian.org
