Integer overflow in Mozilla Thunderbird before 1.5.0.10 and SeaMonkey before 1.0.8 allows remote attackers to trigger a buffer overflow and possibly execute arbitrary code via a text/enhanced or text/richtext e-mail message with an extremely long line.

From Red Hat Security Advisory 2007:0078 :

Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 06 March 2007] Updated text description to add CVE-2007-1282 and remove CVE-2007-0994, which was mistakenly listed as affecting Thunderbird. No changes have been made to these erratum packages.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML mail message could execute JavaScript code in such a way that may result in Thunderbird crashing or executing arbitrary code as the user running Thunderbird.
JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript.
(CVE-2007-0775, CVE-2007-0777, CVE-2007-1092)

A flaw was found in the way Thunderbird processed text/enhanced and text/richtext formatted mail message. A specially crafted mail message could execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2007-1282)

Several cross-site scripting (XSS) flaws were found in the way Thunderbird processed certain malformed HTML mail messages. A malicious HTML mail message could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way Thunderbird cached web content on the local disk. A malicious HTML mail message may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way Thunderbird displayed certain web content.
A malicious HTML mail message could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779)

Two flaws were found in the way Thunderbird displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way Thunderbird handled the 'location.hostname' value during certain browser domain checks. This flaw could allow a malicious HTML mail message to set domain cookies for an arbitrary site, or possibly perform an XSS attack.
(CVE-2007-0981)

Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.10 that corrects these issues.

From Red Hat Security Advisory 2007:0077 :

Updated SeaMonkey packages that fix several security bugs are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 26 February 2007] Packages for Red Hat Enterprise Linux 4 have been updated to correct an issue which prevented Evolution and other applications linked against the NSS library from functioning.

[Updated 12 March 2007] Packages for Red Hat Enterprise Linux 2.1 and 3 have been updated to correct an issue which prevented Evolution and other applications linked against the NSS library from functioning.

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in SeaMonkey crashing or executing arbitrary code as the user running SeaMonkey.
(CVE-2007-0775, CVE-2007-0777)

Several cross-site scripting (XSS) flaws were found in the way SeaMonkey processed certain malformed web pages. A malicious web page could display misleading information which may result in a user unknowingly divulging sensitive information such as a password.
(CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way SeaMonkey cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way SeaMonkey displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site.
(CVE-2007-0779)

Two flaws were found in the way SeaMonkey displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running SeaMonkey. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way SeaMonkey handled the 'location.hostname' value during certain browser domain checks. This flaw could allow a malicious web site to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981)

Users of SeaMonkey are advised to upgrade to these erratum packages, which contain SeaMonkey version 1.0.8 that corrects these issues.

Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML mail message could execute JavaScript code in such a way that may result in Thunderbird crashing or executing arbitrary code as the user running Thunderbird.
JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript.
(CVE-2007-0775, CVE-2007-0777)

Several cross-site scripting (XSS) flaws were found in the way Thunderbird processed certain malformed HTML mail messages. A malicious HTML mail message could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way Thunderbird processed text/enhanced and text/richtext formatted mail message. A specially crafted mail message could execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2007-1282)

A flaw was found in the way Thunderbird cached web content on the local disk. A malicious HTML mail message may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way Thunderbird displayed certain web content.
A malicious HTML mail message could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779)

Two flaws were found in the way Thunderbird displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way Thunderbird handled the 'location.hostname' value during certain browser domain checks. This flaw could allow a malicious HTML mail message to set domain cookies for an arbitrary site, or possibly perform an XSS attack.
(CVE-2007-0981)

Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.10 that corrects these issues.

Several remote vulnerabilities have been discovered in Mozilla Firefox.

This will be the last security update of Mozilla-based products for the oldstable (sarge) distribution of Debian. We recommend to upgrade to stable (etch) as soon as possible.

The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

  - CVE-2007-1282     It was discovered that an integer overflow in     text/enhanced message parsing allows the execution of     arbitrary code.

  - CVE-2007-0994     It was discovered that a regression in the JavaScript     engine allows the execution of JavaScript with elevated     privileges.

  - CVE-2007-0995     It was discovered that incorrect parsing of invalid HTML     characters allows the bypass of content filters.

  - CVE-2007-0996     It was discovered that insecure child frame handling     allows cross-site scripting.

  - CVE-2007-0981     It was discovered that Firefox handles URI with a null     byte in the hostname insecurely.

  - CVE-2007-0008     It was discovered that a buffer overflow in the NSS code     allows the execution of arbitrary code.

  - CVE-2007-0009     It was discovered that a buffer overflow in the NSS code     allows the execution of arbitrary code.

  - CVE-2007-0775     It was discovered that multiple programming errors in     the layout engine allow the execution of arbitrary code.

  - CVE-2007-0778     It was discovered that the page cache calculates hashes     in an insecure manner.

  - CVE-2006-6077     It was discovered that the password manager allows the     disclosure of passwords.

The remote host is affected by the vulnerability described in GLSA-200703-18 (Mozilla Thunderbird: Multiple vulnerabilities)

    Georgi Guninski reported a possible integer overflow in the code     handling text/enhanced or text/richtext MIME emails. Additionally,     various researchers reported errors in the JavaScript engine     potentially leading to memory corruption. Additionally, the binary     version of Mozilla Thunderbird includes a vulnerable NSS library which     contains two possible buffer overflows involving the SSLv2 protocol.
  Impact :

    An attacker could entice a user to read a specially crafted email that     could trigger one of the vulnerabilities, some of them being related to     Mozilla Thunderbird's handling of JavaScript, possibly leading to the     execution of arbitrary code.
  Workaround :

    There is no known workaround at this time for all of these issues, but     some of them can be avoided by disabling JavaScript. Note that the     execution of JavaScript is disabled by default and enabling it is     strongly discouraged.

The remote host is running LedgerSMB or SQL-Ledger, a web-based double-entry accounting system.  The version of LedgerSMB or SQL-Ledger on the remote host contains a design flaw that can be leveraged by a remote attacker to bypass authentication and can gain administrative access of the application.

A new seamonkey package is available for Slackware 11.0 to fix security issues.

New mozilla-thunderbird packages are available for Slackware 10.2, and 11.0 to fix security issues.

Updated thunderbird packages that fix several security bugs are now available for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 06 March 2007] Updated text description to add CVE-2007-1282 and remove CVE-2007-0994, which was mistakenly listed as affecting Thunderbird. No changes have been made to these erratum packages.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the way Thunderbird processed certain malformed JavaScript code. A malicious HTML mail message could execute JavaScript code in such a way that may result in Thunderbird crashing or executing arbitrary code as the user running Thunderbird.
JavaScript support is disabled by default in Thunderbird; these issues are not exploitable unless the user has enabled JavaScript.
(CVE-2007-0775, CVE-2007-0777, CVE-2007-1092)

A flaw was found in the way Thunderbird processed text/enhanced and text/richtext formatted mail message. A specially crafted mail message could execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2007-1282)

Several cross-site scripting (XSS) flaws were found in the way Thunderbird processed certain malformed HTML mail messages. A malicious HTML mail message could display misleading information which may result in a user unknowingly divulging sensitive information such as a password. (CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way Thunderbird cached web content on the local disk. A malicious HTML mail message may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way Thunderbird displayed certain web content.
A malicious HTML mail message could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site. (CVE-2007-0779)

Two flaws were found in the way Thunderbird displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running Thunderbird. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way Thunderbird handled the 'location.hostname' value during certain browser domain checks. This flaw could allow a malicious HTML mail message to set domain cookies for an arbitrary site, or possibly perform an XSS attack.
(CVE-2007-0981)

Users of Thunderbird are advised to apply this update, which contains Thunderbird version 1.5.0.10 that corrects these issues.

- Thu Mar 1 2007 Martin Stransky <stransky at redhat.com>     1.5.0.10-1

    - Update to 1.5.0.10

    - Tue Dec 19 2006 Matthias Clasen <mclasen at       redhat.com> 1.5.0.9-2

    - Add a Requires: launchmail (#219884)

    - Tue Dec 19 2006 Christopher Aillon <caillon at       redhat.com> 1.5.0.9-1

    - Update to 1.5.0.9

    - Take firefox's pango fixes

    - Don't offer to import...nothing.

    - Tue Nov 7 2006 Christopher Aillon <caillon at       redhat.com> 1.5.0.8-1

    - Update to 1.5.0.8

    - Allow choosing of download directory

    - Take the user to the correct directory from the       Download Manager.

    - Patch to add support for printing via pango from       Behdad.

    - Sun Oct 8 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.7-4

    - Default to use of system colors

    - Wed Oct 4 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.7-3

    - Bring the invisible character to parity with GTK+

    - Wed Sep 27 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.7-2

    - Fix crash when changing gtk key theme

    - Prevent UI freezes while changing GNOME theme

    - Remove verbiage about pango; no longer required by       upstream.

    - Wed Sep 13 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.7-1

    - Update to 1.5.0.7

    - Thu Sep 7 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.5-8

    - Shuffle order of the install phase around

    - Thu Sep 7 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.5-7

    - Let there be art for Alt+Tab again

    - s/tbdir/mozappdir/g

    - Wed Sep 6 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.5-6

    - Fix for cursor position in editor widgets by tagoh and       behdad (#198759)

    - Tue Sep 5 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.5-5

    - Update nopangoxft.patch

    - Fix rendering of MathML thanks to Behdad Esfahbod.

    - Update start page text to reflect the MathML fixes.

    - Enable pango by default on all locales

    - Build using -rpath

    - Re-enable GCC visibility

    - Thu Aug 3 2006 Kai Engert <kengert at redhat.com> -       1.5.0.5-4

    - Fix a build failure in mailnews mime code.

    - Tue Aug 1 2006 Matthias Clasen <mclasen at redhat.com>
      - 1.5.0.5-3

    - Rebuild

    - Thu Jul 27 2006 Christopher Aillon <caillon at       redhat.com> - 1.5.0.5-2

    - Update to 1.5.0.5

    - Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com>
      - 1.5.0.4-2.1

    - rebuild

    - Mon Jun 12 2006 Kai Engert <kengert at redhat.com> -       1.5.0.4-2

    - Update to 1.5.0.4

    - Fix desktop-file-utils requires

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Thu Mar 1 2007 Martin Stransky <stransky at redhat.com>     1.5.0.10-1

    - Update to 1.5.0.10

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

 The remote version of Mozilla Thunderbird suffers from various security issues, at least one of which may lead to execution of arbitrary code on the affected host subject to the user's privileges. 

The remote version of Mozilla Thunderbird suffers from various security issues, one of which may lead to execution of arbitrary code on the affected host subject to the user's privileges.

The installed version of SeaMonkey contains various security issues, some of which may lead to execution of arbitrary code on the affected host subject to the user's privileges.

Updated SeaMonkey packages that fix several security bugs are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 26 February 2007] Packages for Red Hat Enterprise Linux 4 have been updated to correct an issue which prevented Evolution and other applications linked against the NSS library from functioning.

[Updated 12 March 2007] Packages for Red Hat Enterprise Linux 2.1 and 3 have been updated to correct an issue which prevented Evolution and other applications linked against the NSS library from functioning.

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the way SeaMonkey processed certain malformed JavaScript code. A malicious web page could execute JavaScript code in such a way that may result in SeaMonkey crashing or executing arbitrary code as the user running SeaMonkey.
(CVE-2007-0775, CVE-2007-0777)

Several cross-site scripting (XSS) flaws were found in the way SeaMonkey processed certain malformed web pages. A malicious web page could display misleading information which may result in a user unknowingly divulging sensitive information such as a password.
(CVE-2006-6077, CVE-2007-0995, CVE-2007-0996)

A flaw was found in the way SeaMonkey cached web pages on the local disk. A malicious web page may be able to inject arbitrary HTML into a browsing session if the user reloads a targeted site. (CVE-2007-0778)

A flaw was found in the way SeaMonkey displayed certain web content. A malicious web page could generate content which could overlay user interface elements such as the hostname and security indicators, tricking a user into thinking they are visiting a different site.
(CVE-2007-0779)

Two flaws were found in the way SeaMonkey displayed blocked popup windows. If a user can be convinced to open a blocked popup, it is possible to read arbitrary local files, or conduct an XSS attack against the user. (CVE-2007-0780, CVE-2007-0800)

Two buffer overflow flaws were found in the Network Security Services (NSS) code for processing the SSLv2 protocol. Connecting to a malicious secure web server could cause the execution of arbitrary code as the user running SeaMonkey. (CVE-2007-0008, CVE-2007-0009)

A flaw was found in the way SeaMonkey handled the 'location.hostname' value during certain browser domain checks. This flaw could allow a malicious web site to set domain cookies for an arbitrary site, or possibly perform an XSS attack. (CVE-2007-0981)

Users of SeaMonkey are advised to upgrade to these erratum packages, which contain SeaMonkey version 1.0.8 that corrects these issues.

The remote version of Mozilla Thunderbird suffers from various security issues, at least one of which may lead to execution of arbitrary code on the affected host subject to the user's privileges.

ID	Name	Product	Family	Severity
67454	Oracle Linux 4 : thunderbird (ELSA-2007-0078)	Nessus	Oracle Linux Local Security Checks	high
67453	Oracle Linux 3 / 4 : seamonkey (ELSA-2007-0077)	Nessus	Oracle Linux Local Security Checks	high
67452	Oracle Linux 4 : seamonkey (ELSA-2007-0077-2)	Nessus	Oracle Linux Local Security Checks	high
63841	RHEL 5 : thunderbird (RHSA-2007:0108)	Nessus	Red Hat Local Security Checks	high
25779	Debian DSA-1336-1 : mozilla-firefox - several vulnerabilities	Nessus	Debian Local Security Checks	high
24867	GLSA-200703-18 : Mozilla Thunderbird: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
3942	LedgerSMB / SQL-Ledger Authentication Bypass	Nessus Network Monitor	Web Servers	medium
24791	Slackware 11.0 : seamonkey (SSA:2007-066-05)	Nessus	Slackware Local Security Checks	high
24790	Slackware 10.2 / 11.0 : mozilla-thunderbird (SSA:2007-066-04)	Nessus	Slackware Local Security Checks	high
24774	RHEL 4 : thunderbird (RHSA-2007:0078)	Nessus	Red Hat Local Security Checks	high
24769	Fedora Core 5 : thunderbird-1.5.0.10-1.fc5 (2007-309)	Nessus	Fedora Local Security Checks	high
24768	Fedora Core 6 : thunderbird-1.5.0.10-1.fc6 (2007-308)	Nessus	Fedora Local Security Checks	high
24763	CentOS 4 : thunderbird (CESA-2007:0078)	Nessus	CentOS Local Security Checks	high
3931	Mozilla Thunderbird < 1.5.0.10 Multiple Vulnerabilities (deprecated)	Nessus Network Monitor	SMTP Clients	medium
24748	Mozilla Thunderbird < 1.5.0.10 Multiple Vulnerabilities	Nessus	Windows	high
3927	SeaMonkey < 1.0.8 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
24735	SeaMonkey < 1.0.8 Multiple Vulnerabilities	Nessus	Windows	high
24707	RHEL 2.1 / 3 / 4 : seamonkey (RHSA-2007:0077)	Nessus	Red Hat Local Security Checks	high
24703	CentOS 3 / 4 : seamonkey (CESA-2007:0077)	Nessus	CentOS Local Security Checks	high
801328	Mozilla Thunderbird < 1.5.0.10 Multiple Vulnerabilities	Log Correlation Engine	SMTP Clients	high
800879	SeaMonkey < 1.0.8 Multiple Vulnerabilities	Log Correlation Engine	Web Clients	high

Detections

Analytics

CVE-2007-1282

critical

Tenable Plugins

high

high

high

high

high

high

medium

high

high

high

high

high

high

medium

high

medium

high

high

high

high

high