__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Mail Header Processing Heap Overflows
[Mozilla Foundation Security Advisory 2006-74]
December 20, 2006 18:00 GMT Number R-089
[REVISED 14 Mar 2007]
______________________________________________________________________________
PROBLEM: Long Content-Type headers in external message bodies could
cause a heap buffer overflow when processing mail headers.
PLATFORM: Thunderbird 1.5
SeaMonkey 1
Debian GNU/Linux 3.1 sarge
DAMAGE: A heap buffer overflow when processing mail headers.
SOLUTION: Upgraded to the appropriate version.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. Long Content-Type headers in external
ASSESSMENT: message bodies could cause a heap buffer overflow when
processing mail headers could cause a heap buffer overflow when
processing mail headers.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-089.shtml
ORIGINAL BULLETIN: Mozilla Foundation Security Advisory 2006-74
http://www.mozilla.org/security/announce/2006/mfsa2006-74.html
ADDITIONAL LINKS: Red Hat RHSA-2006:0759-5
http://rhn.redhat.com/errate/RHSA-2006-0759.html
Red Hat RHSA-2006:0758-2
http://rhn.redhat.com/errate/RHSA-2006-0758.html
Red Hat RHSA-2006:0760-2
http://rhn.redhat.com/errate/RHSA-2006-0760.html
Debian Security Advisory DSA-1265-1
http://www.debian.org/security/2007/dsa-1265
CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
CVE-2006-6505
______________________________________________________________________________
REVISION HISTORY:
03/14/2007 - revised R-087 to add a link to Debian Security Advisory DSA-1265-1
for Debian GNU/Linux 3.1 sarge.
[***** Start Mozilla Foundation Security Advisory 2006-74 *****]
Mozilla Foundation Security Advisory 2006-74
Title: Mail header processing heap overflows
Impact: Critical
Announced: December 19, 2006
Reporter: Georgi Guninski, David Bienvenu
Products: Thunderbird, SeaMonkey
Fixed in: Thunderbird 1.5.0.9
SeaMonkey 1.0.7
Description
Georgi Guninski reported that long Content-Type headers in external message
bodies could cause a heap buffer overflow when processing mail headers. While
working on that code David Bienvenu discovered a similar overflow could occur
when processing long rfc2047-encoded headers.
Either overflow could be exploited to execute arbitrary code.
Workaround
None, upgrade to a fixed version immediately.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=362213
https://bugzilla.mozilla.org/show_bug.cgi?id=362512
CVE-2006-6505
--------------------------------------------------------------------------------
[***** End Mozilla Foundation Security Advisory 2006-74 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Mozilla for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
R-079: Vulnerability in Remote Installation Service (926121)
R-080: Symantec Veritas NetBackup
R-081: GNOME Foundation Display Manager gdmchooser
R-082: Clamav
R-083: NeoScale Systems CryptoStor 700 Series Appliances Vulnerability
R-084: CSS Cursor Image Buffer Overflow (Windows Only)
R-085: Privilege Escallation Using Watch Point
R-086: LiveConnect Crase Finalizing JS Objects
R-087: XSS by Setting img.src to JavaScript: URI
R-088: Mozilla SVG Processing Remote Code Execution