Bug 7753

Summary: Thunderbird 10.0.8
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: critical    
Priority: Normal CC: davidwhodgins, fundawang, lemonzest, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/519136/
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Source RPM: thunderbird-10.0.7-1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-10-10 03:59:35 CEST 
RedHat has issued an advisory today (October 9):
https://rhn.redhat.com/errata/RHSA-2012-1351.html

Funda Wang has uploaded updated packages for Mageia 1 and Mageia 2.

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-3982,
CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180,
CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188).

Two flaws in Thunderbird could allow malicious content to bypass intended
restrictions, possibly leading to information disclosure, or Thunderbird
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, script injection, or spoofing attacks (CVE-2012-1956,
CVE-2012-3992, CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Thunderbird to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
https://rhn.redhat.com/errata/RHSA-2012-1351.html
========================

Updated packages in core/updates_testing:
========================
mozilla-thunderbird-10.0.8-1.mga1
mozilla-thunderbird-enigmail-10.0.8-1.mga1
nsinstall-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ar-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ca-10.0.8-1.mga1
mozilla-thunderbird-enigmail-cs-10.0.8-1.mga1
mozilla-thunderbird-enigmail-de-10.0.8-1.mga1
mozilla-thunderbird-enigmail-el-10.0.8-1.mga1
mozilla-thunderbird-enigmail-es-10.0.8-1.mga1
mozilla-thunderbird-enigmail-fi-10.0.8-1.mga1
mozilla-thunderbird-enigmail-fr-10.0.8-1.mga1
mozilla-thunderbird-enigmail-it-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ja-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ko-10.0.8-1.mga1
mozilla-thunderbird-enigmail-nb-10.0.8-1.mga1
mozilla-thunderbird-enigmail-nl-10.0.8-1.mga1
mozilla-thunderbird-enigmail-pl-10.0.8-1.mga1
mozilla-thunderbird-enigmail-pt-10.0.8-1.mga1
mozilla-thunderbird-enigmail-pt_BR-10.0.8-1.mga1
mozilla-thunderbird-enigmail-ru-10.0.8-1.mga1
mozilla-thunderbird-enigmail-sl-10.0.8-1.mga1
mozilla-thunderbird-enigmail-sv-10.0.8-1.mga1
mozilla-thunderbird-enigmail-tr-10.0.8-1.mga1
mozilla-thunderbird-enigmail-vi-10.0.8-1.mga1
mozilla-thunderbird-enigmail-zh_CN-10.0.8-1.mga1
mozilla-thunderbird-enigmail-zh_TW-10.0.8-1.mga1
mozilla-thunderbird-ar-10.0.8-1.mga1
mozilla-thunderbird-be-10.0.8-1.mga1
mozilla-thunderbird-bg-10.0.8-1.mga1
mozilla-thunderbird-bn_BD-10.0.8-1.mga1
mozilla-thunderbird-br-10.0.8-1.mga1
mozilla-thunderbird-ca-10.0.8-1.mga1
mozilla-thunderbird-cs-10.0.8-1.mga1
mozilla-thunderbird-da-10.0.8-1.mga1
mozilla-thunderbird-de-10.0.8-1.mga1
mozilla-thunderbird-el-10.0.8-1.mga1
mozilla-thunderbird-en_GB-10.0.8-1.mga1
mozilla-thunderbird-es_AR-10.0.8-1.mga1
mozilla-thunderbird-es_ES-10.0.8-1.mga1
mozilla-thunderbird-et-10.0.8-1.mga1
mozilla-thunderbird-eu-10.0.8-1.mga1
mozilla-thunderbird-fi-10.0.8-1.mga1
mozilla-thunderbird-fr-10.0.8-1.mga1
mozilla-thunderbird-fy-10.0.8-1.mga1
mozilla-thunderbird-ga-10.0.8-1.mga1
mozilla-thunderbird-gd-10.0.8-1.mga1
mozilla-thunderbird-gl-10.0.8-1.mga1
mozilla-thunderbird-he-10.0.8-1.mga1
mozilla-thunderbird-hu-10.0.8-1.mga1
mozilla-thunderbird-id-10.0.8-1.mga1
mozilla-thunderbird-is-10.0.8-1.mga1
mozilla-thunderbird-it-10.0.8-1.mga1
mozilla-thunderbird-ja-10.0.8-1.mga1
mozilla-thunderbird-ko-10.0.8-1.mga1
mozilla-thunderbird-lt-10.0.8-1.mga1
mozilla-thunderbird-nb_NO-10.0.8-1.mga1
mozilla-thunderbird-nl-10.0.8-1.mga1
mozilla-thunderbird-nn_NO-10.0.8-1.mga1
mozilla-thunderbird-pl-10.0.8-1.mga1
mozilla-thunderbird-pt_BR-10.0.8-1.mga1
mozilla-thunderbird-pt_PT-10.0.8-1.mga1
mozilla-thunderbird-ro-10.0.8-1.mga1
mozilla-thunderbird-ru-10.0.8-1.mga1
mozilla-thunderbird-si-10.0.8-1.mga1
mozilla-thunderbird-sk-10.0.8-1.mga1
mozilla-thunderbird-sl-10.0.8-1.mga1
mozilla-thunderbird-sq-10.0.8-1.mga1
mozilla-thunderbird-sv_SE-10.0.8-1.mga1
mozilla-thunderbird-ta_LK-10.0.8-1.mga1
mozilla-thunderbird-tr-10.0.8-1.mga1
mozilla-thunderbird-uk-10.0.8-1.mga1
mozilla-thunderbird-vi-10.0.8-1.mga1
mozilla-thunderbird-zh_CN-10.0.8-1.mga1
mozilla-thunderbird-zh_TW-10.0.8-1.mga1
thunderbird-10.0.8-1.mga2
thunderbird-enigmail-10.0.8-1.mga2
nsinstall-10.0.8-1.mga2
thunderbird-ar-10.0.8-1.mga2
thunderbird-ast-10.0.8-1.mga2
thunderbird-be-10.0.8-1.mga2
thunderbird-bg-10.0.8-1.mga2
thunderbird-bn_BD-10.0.8-1.mga2
thunderbird-br-10.0.8-1.mga2
thunderbird-ca-10.0.8-1.mga2
thunderbird-cs-10.0.8-1.mga2
thunderbird-da-10.0.8-1.mga2
thunderbird-de-10.0.8-1.mga2
thunderbird-el-10.0.8-1.mga2
thunderbird-en_GB-10.0.8-1.mga2
thunderbird-es_AR-10.0.8-1.mga2
thunderbird-es_ES-10.0.8-1.mga2
thunderbird-et-10.0.8-1.mga2
thunderbird-eu-10.0.8-1.mga2
thunderbird-fi-10.0.8-1.mga2
thunderbird-fr-10.0.8-1.mga2
thunderbird-fy-10.0.8-1.mga2
thunderbird-ga-10.0.8-1.mga2
thunderbird-gd-10.0.8-1.mga2
thunderbird-gl-10.0.8-1.mga2
thunderbird-he-10.0.8-1.mga2
thunderbird-hu-10.0.8-1.mga2
thunderbird-id-10.0.8-1.mga2
thunderbird-is-10.0.8-1.mga2
thunderbird-it-10.0.8-1.mga2
thunderbird-ja-10.0.8-1.mga2
thunderbird-ko-10.0.8-1.mga2
thunderbird-lt-10.0.8-1.mga2
thunderbird-nb_NO-10.0.8-1.mga2
thunderbird-nl-10.0.8-1.mga2
thunderbird-nn_NO-10.0.8-1.mga2
thunderbird-pl-10.0.8-1.mga2
thunderbird-pa_IN-10.0.8-1.mga2
thunderbird-pt_BR-10.0.8-1.mga2
thunderbird-pt_PT-10.0.8-1.mga2
thunderbird-ro-10.0.8-1.mga2
thunderbird-ru-10.0.8-1.mga2
thunderbird-si-10.0.8-1.mga2
thunderbird-sk-10.0.8-1.mga2
thunderbird-sl-10.0.8-1.mga2
thunderbird-sq-10.0.8-1.mga2
thunderbird-sv_SE-10.0.8-1.mga2
thunderbird-ta_LK-10.0.8-1.mga2
thunderbird-tr-10.0.8-1.mga2
thunderbird-uk-10.0.8-1.mga2
thunderbird-vi-10.0.8-1.mga2
thunderbird-zh_CN-10.0.8-1.mga2
thunderbird-zh_TW-10.0.8-1.mga2

from SRPMS:
mozilla-thunderbird-10.0.8-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.8-1.mga1.src.rpm
thunderbird-10.0.8-1.mga2.src.rpm
thunderbird-l10n-10.0.8-1.mga2.src.rpm
David Walser 2012-10-10 03:59:51 CEST

CC: (none) => fundawang
Whiteboard: (none) => MGA1TOO

Comment 1 Simon Putt 2012-10-10 12:41:01 CEST 
All my extensions are working, and I can also still Sign emails with Enigmail. Works same as previous version.

CC: (none) => lemonzest

Comment 2 Simon Putt 2012-10-10 23:44:18 CEST 
Forgot to add, Mageia 2, x86_64
David Walser 2012-10-10 23:51:59 CEST

URL: (none) => http://lwn.net/Vulnerabilities/519136/

Comment 3 Dave Hodgins 2012-10-11 05:54:52 CEST 
Testing complete using nntp, email, with enigmail Mageia 1 and 2, i586
and x86-64.

Could someone from the sysadmin team push the srpms
thunderbird-10.0.8-1.mga2.src.rpm
thunderbird-l10n-10.0.8-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
mozilla-thunderbird-10.0.8-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.8-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-3982,
CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180,
CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188).

Two flaws in Thunderbird could allow malicious content to bypass intended
restrictions, possibly leading to information disclosure, or Thunderbird
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution
(CVE-2012-3986, CVE-2012-3991).

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, script injection, or spoofing attacks (CVE-2012-1956,
CVE-2012-3992, CVE-2012-3994).

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Thunderbird to execute arbitrary code (CVE-2012-3993, CVE-2012-4184).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3991
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3995
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4179
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4180
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4182
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4186
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4187
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4188
http://www.mozilla.org/security/announce/2012/mfsa2012-59.html
http://www.mozilla.org/security/announce/2012/mfsa2012-74.html
http://www.mozilla.org/security/announce/2012/mfsa2012-77.html
http://www.mozilla.org/security/announce/2012/mfsa2012-79.html
http://www.mozilla.org/security/announce/2012/mfsa2012-81.html
http://www.mozilla.org/security/announce/2012/mfsa2012-82.html
http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
http://www.mozilla.org/security/announce/2012/mfsa2012-84.html
http://www.mozilla.org/security/announce/2012/mfsa2012-85.html
http://www.mozilla.org/security/announce/2012/mfsa2012-86.html
http://www.mozilla.org/security/announce/2012/mfsa2012-87.html
https://rhn.redhat.com/errata/RHSA-2012-1351.html

https://bugs.mageia.org/show_bug.cgi?id=7753

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 4 Thomas Backlund 2012-10-11 09:29:53 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0289

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED