Bug 8181 - Thunderbird 10.0.11
: Thunderbird 10.0.11
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: critical
: ---
Assigned To: QA Team
:
:
: MGA1TOO mga2-64-OK MGA2-32-OK MGA1-64...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-11-22 07:24 CET by David Walser
Modified: 2012-11-23 23:09 CET (History)
3 users (show)

See Also:
Source RPM: thunderbird-10.0.10-1.mga2.src.rpm, mozilla-thunderbird-10.0.10-1.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-11-22 07:24:32 CET
RedHat has issued an advisory on November 20:
https://rhn.redhat.com/errata/RHSA-2012-1483.html

Updated packages uploaded for Mageia 1 and Mageia 2.

Source RPMs:
mozilla-thunderbird-10.0.11-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.11-1.mga1.src.rpm
thunderbird-10.0.11-1.mga2.src.rpm
thunderbird-l10n-10.0.11-1.mga2.src.rpm

Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-4214,
CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833,
CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842).

A buffer overflow flaw was found in the way Thunderbird handled GIF
(Graphics Interchange Format) images. Content containing a malicious GIF
image could cause Thunderbird to crash or, possibly, execute arbitrary code
with the privileges of the user running Thunderbird (CVE-2012-4202).

A flaw was found in the way Thunderbird decoded the HZ-GB-2312 character
encoding. Malicious content could cause Thunderbird to run JavaScript code
with the permissions of different content (CVE-2012-4207).

A flaw was found in the location object implementation in Thunderbird.
Malicious content could possibly use this flaw to allow restricted content
to be loaded by plug-ins (CVE-2012-4209).

A flaw was found in the way cross-origin wrappers were implemented.
Malicious content could use this flaw to perform cross-site scripting
attacks (CVE-2012-5841).

A flaw was found in the evalInSandbox implementation in Thunderbird.
Malicious content could use this flaw to perform cross-site scripting
attacks (CVE-2012-4201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5842
http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
https://rhn.redhat.com/errata/RHSA-2012-1483.html
Comment 1 claire robinson 2012-11-22 13:50:10 CET
Testing mga2 32

Enigmail gives a warning that it is not compatible and wants to check mozilla for updates.

$ rpm -qa | grep thunderbird
thunderbird-enigmail-10.0.11-1.mga2
thunderbird-10.0.11-1.mga2
thunderbird-en_GB-10.0.11-1.mga2
Comment 2 claire robinson 2012-11-22 13:55:49 CET
It gives a list of incompatible Enigmail 1.4 <language> which for some reason is unable to scroll.


Clicked on Don't Check so it wouldn't update from mozilla.


From the about:
GnuPG support provided by Enigmail

Running Enigmail version 1.4 (20121122-0557)

Using gpg executable /usr/bin/gpg to encrypt and decrypt



It does seem to be working though.
Comment 3 claire robinson 2012-11-22 22:21:33 CET
Tested OK mga2 64
Comment 4 Dave Hodgins 2012-11-22 22:40:02 CET
Testing complete.  Mageia 1 and 2, i586 and x86-64.

Could someone from the sysadmin team push the srpms
thunderbird-10.0.11-1.mga2.src.rpm
thunderbird-l10n-10.0.11-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpms
mozilla-thunderbird-10.0.11-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.11-1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated mozilla-thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2012-4214,
CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833,
CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842).

A buffer overflow flaw was found in the way Thunderbird handled GIF
(Graphics Interchange Format) images. Content containing a malicious GIF
image could cause Thunderbird to crash or, possibly, execute arbitrary code
with the privileges of the user running Thunderbird (CVE-2012-4202).

A flaw was found in the way Thunderbird decoded the HZ-GB-2312 character
encoding. Malicious content could cause Thunderbird to run JavaScript code
with the permissions of different content (CVE-2012-4207).

A flaw was found in the location object implementation in Thunderbird.
Malicious content could possibly use this flaw to allow restricted content
to be loaded by plug-ins (CVE-2012-4209).

A flaw was found in the way cross-origin wrappers were implemented.
Malicious content could use this flaw to perform cross-site scripting
attacks (CVE-2012-5841).

A flaw was found in the evalInSandbox implementation in Thunderbird.
Malicious content could use this flaw to perform cross-site scripting
attacks (CVE-2012-4201).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4201
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4214
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4215
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5830
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5833
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5835
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5839
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5840
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5841
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5842
http://www.mozilla.org/security/announce/2012/mfsa2012-91.html
http://www.mozilla.org/security/announce/2012/mfsa2012-92.html
http://www.mozilla.org/security/announce/2012/mfsa2012-93.html
http://www.mozilla.org/security/announce/2012/mfsa2012-100.html
http://www.mozilla.org/security/announce/2012/mfsa2012-101.html
http://www.mozilla.org/security/announce/2012/mfsa2012-103.html
http://www.mozilla.org/security/announce/2012/mfsa2012-105.html
http://www.mozilla.org/security/announce/2012/mfsa2012-106.html
https://rhn.redhat.com/errata/RHSA-2012-1483.html

https://bugs.mageia.org/show_bug.cgi?id=8181
Comment 5 Thomas Backlund 2012-11-23 23:09:42 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0343

Note You need to log in before you can comment on or make changes to this bug.