Note: This is an archival copy of Security Sun Alert 269468 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021030.1.
Article ID : 1021030.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-03
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Mozilla Thunderbird Related to SSL Certificates May Cause Arbitrary Code Execution



Category
Security

Release Phase
Resolved

Bug Id
6880677, 6899624

Product
Solaris 10 Operating System
OpenSolaris

Date of Preliminary Release
09-Oct-2009

Date of Resolved Release
16-Dec-2009

Security Vulnerability in Mozilla Thunderbird Related to SSL Certificates:

1. Impact

Security vulnerabilities in thunderbird(1) related to handling of SSL server certificates
may allow remote SSL servers with crafted server certificates to compromise an encrypted
communication or cause arbitrary code execution with the privileges of a Thunderbird user.

The following Mozilla advisories describe the vulnerabilities:
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

http://www.mozilla.org/security/announce/2009/mfsa2009-43.html


Additional references:

CVE-2009-2404 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2404

CVE-2009-2408 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2408

2. Contributing Factors

These issues can occur in the following releases:

SPARC platform

  • Solaris 10 without patch 125541-06
  • OpenSolaris based upon builds snv_48 through snv_124

x86 Platform

  • Solaris 10 without patch 125542-06
  • OpenSolaris based upon builds snv_48 through snv_124

Note 1: Solaris 8 and Solaris 9 do not ship Thunderbird and therefore are not affected by these issues.

Note 2: Thunderbird first shipped with Solaris 10 Update 4 (8/07) in the SUNWthunderbird package.

Systems are only impacted by this issue if SUNWthunderbird is installed on the system.
To determine if SUNWthunderbird is installed, use:

      $ pkginfo SUNWthunderbird

Note 3: OpenSolaris distributions may include additional bug fixes above and beyond the build
from which they were derived. The base build can be determined as follows:

      $ uname -a
      SunOS hostname 5.11 snv_86 i86pc i386 i86pc

3. Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.

4. Workaround

There are no workarounds for this issue. Please refer to the Resolution section below.

5. Resolution

These issues are addressed in the following releases:

SPARC platform

  • Solaris 10 with patch 125541-06 or later
  • OpenSolaris based upon builds snv_125 or later
    

x86 Platform

  • Solaris 10 with patch 125542-06 or later
  • OpenSolaris based upon builds snv_125 or later
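
The checks from sections 2 and 5 combined into one script, as an added example that is not part of the original Sun Alert. The function names are hypothetical, and the script assumes that `showrev -p` lists installed patches on lines starting with `Patch: <id>-<rev>` and that `uname -r` reports 5.10 on Solaris 10.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): classify a host against the
# releases the alert lists. Functions take command output as text so they
# can be exercised offline.

# Print the snv build number found in `uname -a` / `uname -v` text.
snv_build() {
    printf '%s\n' "$1" | sed -n 's/.*snv_\([0-9][0-9]*\).*/\1/p' | head -1
}

# OpenSolaris: snv_48..snv_124 affected, snv_125 or later fixed.
opensolaris_status() {
    b=$(snv_build "$1")
    if [ -z "$b" ]; then echo unknown
    elif [ "$b" -ge 125 ]; then echo fixed
    elif [ "$b" -ge 48 ]; then echo affected
    else echo not-listed      # builds before snv_48 are not covered by the alert
    fi
}

# Highest installed revision of patch base $1 in `showrev -p` text $2.
# Leading zeros are dropped so "06" compares as 6.
patch_rev() {
    printf '%s\n' "$2" |
        sed -n "s/^Patch: $1-0*\([0-9][0-9]*\).*/\1/p" | sort -n | tail -1
}

# Solaris 10: $1 is `uname -p` (sparc or i386), $2 is `showrev -p` text.
solaris10_status() {
    case "$1" in
        sparc) base=125541 ;;
        i386)  base=125542 ;;
        *)     echo unknown; return 0 ;;
    esac
    rev=$(patch_rev "$base" "$2")
    if [ -n "$rev" ] && [ "$rev" -ge 6 ]; then echo fixed; else echo affected; fi
}

# Live check: runs only on SunOS, and only matters if the package is installed.
if [ "$(uname -s)" = SunOS ]; then
    if ! pkginfo -q SUNWthunderbird; then
        echo "SUNWthunderbird not installed: not impacted"
    elif [ "$(uname -r)" = 5.10 ]; then
        solaris10_status "$(uname -p)" "$(showrev -p)"
    else
        opensolaris_status "$(uname -v)"
    fi
fi
```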


For more information on Security Sun Alerts, see .


Modification History
26-Oct-2009: Updated Contributing Factors and Resolution sections. Now Resolved.
27-Oct-2008: removed yesterday's updates. Resolution patch not available.
01-Dec-2009: Updated BugID field.
16-Dec-2009: Updated Contributing Factors and Resolution sections. Resolved.


References

125541-06
125542-06



