__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\   /    \___
                          \___  __|__ /     \     \___
__________________________________________________________

                             INFORMATION BULLETIN

                          Thunderbird Security Update
                          [Red Hat RHSA:2007:0401-2]

May 31, 2007 17:00 GMT                                            Number R-254
[REVISED 7 June 2007]
[REVISED 15 June 2007]
[REVISED 22 June 2007]
[REVISED 7 Dec 2007]
______________________________________________________________________________

PROBLEM:       There are several security vulnerabilities in the way
               Thunderbird: 1) processed certain malformed JavaScript code;
               2) handled certain form and cookie data; 3) processed certain
               APOP authentication requests; and 4) displayed certain web
               content.

PLATFORM:      RHEL Optional Productivity Applications (v. 5 server)
               Red Hat Desktop (v. 3, v. 4)
               Red Hat Enterprise Linux AS, ES, WS (v. 2.1, v. 3, v. 4)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               RHEL Desktop Workstation (v. 5 client)
               RH Linux Advanced Workstation 2.1 for the Itanium Processor
               Debian GNU/Linux 4.0 (etch)
               Solaris 8, 9, 10

DAMAGE:        1) A web page containing malicious JavaScript code could cause
               Thunderbird to crash or potentially execute arbitrary code as
               the user running Thunderbird; 2) A malicious web site that is
               able to set arbitrary form and cookie data could prevent
               Thunderbird from functioning properly; 3) By sending certain
               responses when Thunderbird attempted to authenticate against
               an APOP server, a remote attacker could potentially acquire
               certain portions of a user's authentication credentials; and
               4) A malicious web page could generate content which could
               overlay user interface elements such as the hostname and
               security indicators, tricking users into thinking they are
               visiting a different site.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM.
ASSESSMENT:    Could potentially execute arbitrary code as the user running
               Thunderbird.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-254.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0401.html
 ADDITIONAL LINKS:   https://rhn.redhat.com/errata/RHSA-2007-0385.html
                     https://rhn.redhat.com/errata/RHSA-2007-0386.html
                     http://www.debian.org/security/2007/dsa-1300
                     http://www.debian.org/security/2007/dsa-1305
                     http://www.debian.org/security/2007/dsa-1306
                     http://www.debian.org/security/2007/dsa-1308
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-103125-1
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-103136-1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-1362
                     CVE-2007-1558
                     CVE-2007-2867
                     CVE-2007-2868
                     CVE-2007-2869
                     CVE-2007-2871
______________________________________________________________________________

REVISION HISTORY:
 06/07/2007 - revised R-254 to add a link to Red Hat RHSA-2007:0385-4 and
              RHSA-2007:0386-4 for RHEL Desktop Workstation (v. 5 client),
              RH Desktop (v. 3), RH Enterprise Linux AS, ES, WS (v. 2.1,
              v. 3), and RH Linux Advanced Workstation 2.1 for the Itanium
              Processor.
 06/15/2007 - revised R-254 to add links to Debian Security Advisories
              DSA-1306-1, DSA-1305-1, DSA-1300-1 for Debian GNU/Linux 4.0
              (etch).
 06/22/2007 - revised R-254 to add links to Debian Security Advisory
              DSA-1308-1 for Debian GNU/Linux 4.0 (etch).
 12/07/2007 - revised R-254 to add links to Sun Alert ID: 103125 and 103136
              for Mozilla v1.7, Solaris 8, 9, 10.

[***** Start Red Hat RHSA:2007:0401-2 *****]

Critical: thunderbird security update

Advisory:           RHSA-2007:0401-2
Type:               Security Advisory
Severity:           Critical
Issued on:          2007-05-30
Last updated on:    2007-05-30
Affected Products:  RHEL Optional Productivity Applications (v. 5 server)
                    Red Hat Desktop (v. 4)
                    Red Hat Enterprise Linux AS (v. 4)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
                    Red Hat Enterprise Linux ES (v. 4)
                    Red Hat Enterprise Linux WS (v. 4)
OVAL:               com.redhat.rhsa-20070401.xml
CVEs (cve.mitre.org):
                    CVE-2007-1362
                    CVE-2007-1558
                    CVE-2007-2867
                    CVE-2007-2868
                    CVE-2007-2869
                    CVE-2007-2871

Details

Updated thunderbird packages that fix several security bugs are now available
for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way Thunderbird processed certain malformed
JavaScript code. A web page containing malicious JavaScript code could cause
Thunderbird to crash or potentially execute arbitrary code as the user running
Thunderbird. (CVE-2007-2867, CVE-2007-2868)

Several denial of service flaws were found in the way Thunderbird handled
certain form and cookie data. A malicious web site that is able to set
arbitrary form and cookie data could prevent Thunderbird from functioning
properly. (CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Thunderbird processed certain APOP authentication
requests. By sending certain responses when Thunderbird attempted to
authenticate against an APOP server, a remote attacker could potentially
acquire certain portions of a user's authentication credentials.
(CVE-2007-1558)

A flaw was found in the way Thunderbird displayed certain web content. A
malicious web page could generate content which could overlay user interface
elements such as the hostname and security indicators, tricking users into
thinking they are visiting a different site. (CVE-2007-2871)

Users of Thunderbird are advised to apply this update, which contains
Thunderbird version 1.5.0.12 that corrects these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available
at http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

RHEL Optional Productivity Applications (v. 5 server)
--------------------------------------------------------------------------------

SRPMS:
thunderbird-1.5.0.12-1.el5.src.rpm         f7fe1c1c79c97702a10362a5102de401

IA-32:
thunderbird-1.5.0.12-1.el5.i386.rpm        4e5f17214f1d336e1a282fb5f82b793c

x86_64:
thunderbird-1.5.0.12-1.el5.x86_64.rpm      7238bcac06fa2fd194358000c453effe

Red Hat Desktop (v. 4)
--------------------------------------------------------------------------------

SRPMS:
thunderbird-1.5.0.12-0.1.el4.src.rpm       134123edab40c49aa447d0a69aeff277

IA-32:
thunderbird-1.5.0.12-0.1.el4.i386.rpm      5beac02b962dc89ca44e7aff900ec954

x86_64:
thunderbird-1.5.0.12-0.1.el4.x86_64.rpm    d8cef7bf47874f6c1f0ca35919d8b382

Red Hat Enterprise Linux AS (v. 4)
--------------------------------------------------------------------------------

SRPMS:
thunderbird-1.5.0.12-0.1.el4.src.rpm       134123edab40c49aa447d0a69aeff277

IA-32:
thunderbird-1.5.0.12-0.1.el4.i386.rpm      5beac02b962dc89ca44e7aff900ec954

IA-64:
thunderbird-1.5.0.12-0.1.el4.ia64.rpm      7626ddc15d91b51ba6af1416e462fc4b

PPC:
thunderbird-1.5.0.12-0.1.el4.ppc.rpm       187a99e50a36d685db0670a28c7483c2

s390:
thunderbird-1.5.0.12-0.1.el4.s390.rpm      208159e6c7493e8717ba3b164f0cc8da

s390x:
thunderbird-1.5.0.12-0.1.el4.s390x.rpm     b32a87963308301ed9c2b79e0f4072bb

x86_64:
thunderbird-1.5.0.12-0.1.el4.x86_64.rpm    d8cef7bf47874f6c1f0ca35919d8b382

Red Hat Enterprise Linux Desktop (v. 5 client)
--------------------------------------------------------------------------------

SRPMS:
thunderbird-1.5.0.12-1.el5.src.rpm         f7fe1c1c79c97702a10362a5102de401

IA-32:
thunderbird-1.5.0.12-1.el5.i386.rpm        4e5f17214f1d336e1a282fb5f82b793c

x86_64:
thunderbird-1.5.0.12-1.el5.x86_64.rpm      7238bcac06fa2fd194358000c453effe

Red Hat Enterprise Linux ES (v. 4)
--------------------------------------------------------------------------------

SRPMS:
thunderbird-1.5.0.12-0.1.el4.src.rpm       134123edab40c49aa447d0a69aeff277

IA-32:
thunderbird-1.5.0.12-0.1.el4.i386.rpm      5beac02b962dc89ca44e7aff900ec954

IA-64:
thunderbird-1.5.0.12-0.1.el4.ia64.rpm      7626ddc15d91b51ba6af1416e462fc4b

x86_64:
thunderbird-1.5.0.12-0.1.el4.x86_64.rpm    d8cef7bf47874f6c1f0ca35919d8b382

Red Hat Enterprise Linux WS (v. 4)
--------------------------------------------------------------------------------

SRPMS:
thunderbird-1.5.0.12-0.1.el4.src.rpm       134123edab40c49aa447d0a69aeff277

IA-32:
thunderbird-1.5.0.12-0.1.el4.i386.rpm      5beac02b962dc89ca44e7aff900ec954

IA-64:
thunderbird-1.5.0.12-0.1.el4.ia64.rpm      7626ddc15d91b51ba6af1416e462fc4b

x86_64:
thunderbird-1.5.0.12-0.1.el4.x86_64.rpm    d8cef7bf47874f6c1f0ca35919d8b382

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

241671 - CVE-2007-1362 Multiple Seamonkey flaws (CVE-2007-1558, CVE-2007-2867,
         CVE-2007-2868, CVE-2007-2869, CVE-2007-2871)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2871
http://www.redhat.com/security/updates/classification/#critical

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com.
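The package table above lists the fixed NAME-VERSION-RELEASE strings and MD5
digests but no procedure for checking hosts against them. The POSIX shell
script below is an added example written for this bulletin, not Red Hat's or
CIAC's own tooling. It decides from an installed package string (as printed by
`rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' thunderbird`) whether a host
still needs RHSA-2007:0401, and compares a downloaded package file against a
digest from the table. The fixed NVRs and digests are taken from the table; the
host names and installed versions are constructed samples. The version
comparison is a simplified numeric one rather than rpm's full rpmvercmp, which
is sufficient here because the affected and fixed releases differ only in
numeric fields.

```shell
#!/bin/sh
# Added example for this bulletin (not Red Hat or CIAC tooling): decide whether
# a host still needs RHSA-2007:0401 and verify a downloaded package's MD5.
# Fixed NVRs and digests come from the package table above; host names and
# installed versions are constructed samples.

# Compare two dotted numeric version strings; prints -1, 0 or 1. A missing
# trailing component counts as 0, so 1.5 compares equal to 1.5.0.
vercmp() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*} bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        ah=${ah:-0} bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Drop the dist tag (".el4", ".el5") and any other non-numeric text from a
# release string, so 0.1.el4 is compared as 0.1.4.
numeric() { printf '%s' "$1" | sed 's/[^0-9.]//g'; }

# Split NAME-VERSION-RELEASE from the right (dashes in the name stay intact)
# and print "vulnerable" if the installed NVR is older than the fixed one.
thunderbird_status() {
    inst=$1 fixed=$2
    irel=${inst##*-} ipre=${inst%-*}
    frel=${fixed##*-} fpre=${fixed%-*}
    iver=${ipre##*-} fver=${fpre##*-}
    c=$(vercmp "$iver" "$fver")
    if [ "$c" -eq 0 ]; then
        c=$(vercmp "$(numeric "$irel")" "$(numeric "$frel")")
    fi
    if [ "$c" -lt 0 ]; then echo vulnerable; else echo patched; fi
}

# Compare a downloaded package file against a digest from the table. Returns 0
# on match. MD5 only shows the file is the one Red Hat listed; the GPG
# signature check (rpm -K) is what establishes that Red Hat built it.
verify_md5() {
    file=$1 expected=$2
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(md5 -q "$file")   # BSD/macOS fallback
    fi
    [ "$actual" = "$expected" ]
}

# Constructed fleet sample: host, installed NVR, fixed NVR for that product.
SAMPLE_HOSTS='el4-desktop thunderbird-1.5.0.10-0.1.el4 thunderbird-1.5.0.12-0.1.el4
el5-client  thunderbird-1.5.0.12-1.el5   thunderbird-1.5.0.12-1.el5'

printf '%s\n' "$SAMPLE_HOSTS" | while read -r host inst fixed; do
    printf '%-12s %-32s %s\n' "$host" "$inst" "$(thunderbird_status "$inst" "$fixed")"
done
```

On a live host, `rpm -q --changelog thunderbird | grep CVE-2007-2867` is a
useful complementary check, since Red Hat records the fixed CVE identifiers in
the package changelog, and `rpm -K` on the downloaded file performs the GPG
signature verification that the note above refers to, which the MD5 comparison
alone does not.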
More contact details at http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA:2007:0401-2 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

CIACTech07-001: MOICE - Microsoft Office Isolated Conversion Environment
R-245: Vulnerability in Crypto Library
R-246: Multiple Vulnerabilities in Cisco IOS while Processing SSL Packets
R-247: Apple Security Update 2007-005
R-248: Security Vulnerabilities in the SOCKS Module of Sun Java System Web
       Proxy
R-249: Avast! Antivirus Vulnerability
R-250: File Security Update
R-251: Apple QuickTime 7.1.6 Security Update
R-252: Mozilla Layout Engine Vulnerable
R-253: SeaMonkey Security Update