SuSE: New Thunderbird packages fix remote denial of service

Mozilla Thunderbird was updated to 3.1.12 fixing various security issues. Many of the issues are not exploitable through mail since JavaScript is disabled by default in Thunderbird. These particular issues may be triggered while viewing RSS feeds and displaying full remote content rather than the feed summary. Addons that expose browser functionality may also enable such issues to be exploited. Updated packages are available from download.opensuse.org.

  openSUSE Security Update: MozillaThunderbird: Update to 3.1.12
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0935-2
Rating:             important
References:         #712224 
Affected Products:
                   openSUSE 11.4
                   openSUSE 11.3
______________________________________________________________________________

  An update that contains security fixes can now be
  installed. It includes three new package versions.

Description:

  Mozilla Thunderbird was updated to 3.1.12 fixing various
  bugs and security issues:

  Mozilla Foundation Security Advisory 2011-32 (MFSA 2011-32)
  http://www.mozilla.org/security/announce/2011/mfsa2011-32.html

  Many of the issues listed below are not exploitable through
  mail since JavaScript is disabled by default in
  Thunderbird. These particular issues may be triggered while
  viewing RSS feeds and displaying full remote content rather
  than the feed summary. Addons that expose browser
  functionality may also enable such issues to be exploited.
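The advisory's mitigating factor is a configuration fact: JavaScript is off by default in Thunderbird, and the exposure grows when a profile turns it on or renders feeds as full remote pages. The script below is an added example (not part of the SUSE advisory or of Thunderbird) that reads a profile's prefs.js and flags that configuration. `javascript.enabled` is a real Mozilla preference; `rss.show.summary` is assumed here to be the preference that selects feed summary versus full remote page and is only reported for review. The prefs.js content is a constructed sample.

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory or of Thunderbird itself.
# Reads a Thunderbird profile's prefs.js and flags the configuration the
# advisory calls out: JavaScript enabled, which is not the Thunderbird default
# and widens exposure to the MFSA 2011-32 issues. prefs.js lines look like:
#   user_pref("javascript.enabled", true);

# pref_value FILE NAME -> prints the value of NAME from FILE (empty if unset);
# the last occurrence wins, since later user_pref lines override earlier ones
pref_value() {
    name=$(printf '%s' "$2" | sed 's/\./\\./g')    # escape dots for the regex
    sed -n "s/^user_pref(\"$name\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}

# audit_prefs FILE -> prints findings; returns 0 if nothing risky was found,
# 1 otherwise
audit_prefs() {
    rc=0
    if [ "$(pref_value "$1" javascript.enabled)" = "true" ]; then
        echo "RISK: javascript.enabled is true (Thunderbird default is false)"
        rc=1
    fi
    # rss.show.summary is assumed here to be the pref that selects feed summary
    # versus full remote page; it is reported for review, not judged.
    rss=$(pref_value "$1" rss.show.summary)
    if [ -n "$rss" ]; then
        echo "INFO: rss.show.summary=$rss (feeds should show the summary, not the remote page)"
    fi
    return $rc
}

# Constructed sample prefs.js, written to a temp file so the script runs
# without a real profile; prints the file path.
write_sample_prefs() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
user_pref("javascript.enabled", true);
user_pref("rss.show.summary", 0);
user_pref("mail.some.unrelated.pref", "x");
EOF
    printf '%s\n' "$f"
}

sample=$(write_sample_prefs)
if audit_prefs "$sample"; then
    echo "no risky settings in $sample"
else
    echo "risky settings found in $sample"
fi
rm -f "$sample"
```

On a real host, point `audit_prefs` at `~/.thunderbird/<profile>/prefs.js`; a non-zero exit status means the profile has JavaScript turned on and the advisory's "not exploitable through mail" caveat no longer applies to it.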

  * Miscellaneous memory safety hazards (rv:1.9.2.20)

  Mozilla developers and community members identified and
  fixed several memory safety bugs in the browser engine used
  in Thunderbird 3.1 and other Mozilla-based products. Some
  of these bugs showed evidence of memory corruption under
  certain circumstances, and we presume that with enough
  effort at least some of these could be exploited to run
  arbitrary code.

  Gary Kwong, Igor Bukanov, Nils and Bob Clary reported
  memory safety issues which affected Thunderbird 3.1.
  (CVE-2011-2982)

  * Crash in SVGTextElement.getCharNumAtPosition()

  Security researcher regenrecht reported via
  TippingPoint's Zero Day Initiative that a SVG text
  manipulation routine contained a dangling pointer
  vulnerability. (CVE-2011-0084)

  * Privilege escalation using event handlers

  Mozilla security researcher moz_bug_r_a4 reported a
  vulnerability in event management code that would permit
  JavaScript to be run in the wrong context, including that
  of a different website or potentially in a
  chrome-privileged context. (CVE-2011-2981)

  * Dangling pointer vulnerability in appendChild

  Security researcher regenrecht reported via
  TippingPoint's Zero Day Initiative that appendChild did not
  correctly account for DOM objects it operated upon and
  could be exploited to dereference an invalid pointer.
  (CVE-2011-2378)

  * Privilege escalation dropping a tab element in content
  area

  Mozilla security researcher moz_bug_r_a4 reported that
  web content could receive chrome privileges if it
  registered for drop events and a browser tab element was
  dropped into the content area. (CVE-2011-2984)

  * Binary planting vulnerability in ThinkPadSensor::Startup

  Security researcher Mitja Kolsek of Acros Security
  reported that ThinkPadSensor::Startup could potentially be
  exploited to load a malicious DLL into the running process.
  (CVE-2011-2980)

  * Private data leakage using RegExp.input

  Security researcher shutdown reported that data from
  other domains could be read when RegExp.input was set.
  (CVE-2011-2983)


Patch Instructions:

  To install this openSUSE Security Update use YaST online_update.
  Alternatively you can run the command listed for your product:

  - openSUSE 11.4:

     zypper in -t patch MozillaThunderbird-5050 mozilla-js192-5010

  - openSUSE 11.3:

     zypper in -t patch MozillaThunderbird-5050

  To bring your system up-to-date, use "zypper patch".


Package List:

  - openSUSE 11.4 (i586 x86_64) [New Version: 1.9.2.20 and 3.1.12]:

     MozillaThunderbird-3.1.12-0.11.1
     MozillaThunderbird-buildsymbols-3.1.12-0.11.1
     MozillaThunderbird-devel-3.1.12-0.11.1
     MozillaThunderbird-translations-common-3.1.12-0.11.1
     MozillaThunderbird-translations-other-3.1.12-0.11.1
     enigmail-1.1.2+3.1.12-0.11.1
     mozilla-js192-1.9.2.20-1.2.1
     mozilla-xulrunner192-1.9.2.20-1.2.1
     mozilla-xulrunner192-buildsymbols-1.9.2.20-1.2.1
     mozilla-xulrunner192-devel-1.9.2.20-1.2.1
     mozilla-xulrunner192-gnome-1.9.2.20-1.2.1
     mozilla-xulrunner192-translations-common-1.9.2.20-1.2.1
     mozilla-xulrunner192-translations-other-1.9.2.20-1.2.1

  - openSUSE 11.4 (x86_64) [New Version: 1.9.2.20]:

     mozilla-js192-32bit-1.9.2.20-1.2.1
     mozilla-xulrunner192-32bit-1.9.2.20-1.2.1
     mozilla-xulrunner192-gnome-32bit-1.9.2.20-1.2.1
     mozilla-xulrunner192-translations-common-32bit-1.9.2.20-1.2.1
     mozilla-xulrunner192-translations-other-32bit-1.9.2.20-1.2.1

  - openSUSE 11.3 (i586 x86_64) [New Version: 3.1.12]:

     MozillaThunderbird-3.1.12-0.15.1
     MozillaThunderbird-devel-3.1.12-0.15.1
     MozillaThunderbird-translations-common-3.1.12-0.15.1
     MozillaThunderbird-translations-other-3.1.12-0.15.1
     enigmail-1.1.2+3.1.12-0.15.1
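After running the zypper command above, a practitioner will want to confirm that the installed versions actually reached the fixed ones listed in the package list. The script below is an added example (not part of the SUSE advisory) that compares "NAME VERSION" lines against the fixed versions from this update and reports any covered package still below them. The inventory it runs on stand-alone is a constructed sample; on an openSUSE host the same lines come from rpm (see the usage note).

```shell
#!/bin/sh
# Added example, not part of the SUSE advisory. Compares installed package
# versions against the fixed versions this update ships and reports any
# covered package still below them. Input is "NAME VERSION" lines; a
# constructed sample is used here so the script also runs stand-alone.

# Fixed versions taken from the advisory's package list.
FIXED_LIST='MozillaThunderbird 3.1.12
mozilla-xulrunner192 1.9.2.20
mozilla-js192 1.9.2.20'

# version_ge A B -> exit 0 when dotted version A >= B, comparing numerically
# component by component (missing components count as 0)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# fixed_version NAME -> prints the fixed version for NAME, empty if not covered
fixed_version() {
    printf '%s\n' "$FIXED_LIST" | awk -v p="$1" '$1 == p { print $2 }'
}

# audit_inventory reads "NAME VERSION" lines on stdin, prints a verdict per
# covered package and returns the number of packages still below the fix
audit_inventory() {
    missing=0
    while read -r name ver; do
        [ -z "$name" ] && continue
        fixed=$(fixed_version "$name")
        [ -z "$fixed" ] && continue      # not a package this advisory covers
        if version_ge "$ver" "$fixed"; then
            echo "OK         $name $ver (fix: $fixed)"
        else
            echo "VULNERABLE $name $ver (fix: $fixed)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Constructed sample inventory: one package patched, one still old, one not
# covered by this advisory.
SAMPLE_INVENTORY='MozillaThunderbird 3.1.12
mozilla-xulrunner192 1.9.2.19
enigmail 1.1.2'

if printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory; then
    echo "all covered packages are at or above the fixed version"
else
    echo "some covered packages are still below the fixed version"
fi
```

On a real openSUSE 11.3 or 11.4 system feed it the package database instead of the sample: `rpm -qa --qf '%{NAME} %{VERSION}\n' | audit_inventory`. Packages the advisory does not list are skipped, and the exit status is the count of covered packages still below the fixed version, which makes the script usable from a fleet-wide check.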


References:

  https://bugzilla.novell.com/712224