Package: mozilla-thunderbird
Version: 1.0-2
Severity: important
Tags: security

Thunderbird is vulnerable to bug #293975; mozilla-firefox: vulnerable to IDN spoofing problems (bugzilla #279099). Maybe severity should be changed to grave? Alex, you decide.

The attached file (http://www.shmoo.com/testing_punycode/) will spoof paypal addresses when opened in thunderbird as html email.

I have disabled IDN services in firefox (in compreg.dat), which fixes the problem for links clicked in firefox, yet when I click on these links in thunderbird, firefox opens the spoofed links.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-1-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages mozilla-thunderbird depends on:
ii  libatk1.0-0     1.8.0-4          The ATK accessibility toolkit
ii  libc6           2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libfontconfig1  2.2.3-4          generic font configuration library
ii  libfreetype6    2.1.7-2.3        FreeType 2 font engine, shared lib
ii  libgcc1         1:3.4.3-6        GCC support library
ii  libglib2.0-0    2.6.1-3          The GLib library of C routines
ii  libgtk2.0-0     2.4.14-2         The GTK+ graphical user interface
ii  libjpeg62       6b-9             The Independent JPEG Group's JPEG
ii  libpango1.0-0   1.8.0-3          Layout and rendering of internatio
ii  libpng12-0      1.2.8rel-1       PNG library - runtime
ii  libstdc++5      1:3.3.5-8        The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-10  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-10  X Window System miscellaneous exte
ii  libxft2         2.1.2-6          FreeType-based font drawing librar
ii  libxp6          4.3.0.dfsg.1-10  X Window System printing extension
ii  libxrender1     0.8.3-7          X Rendering Extension client libra
ii  libxt6          4.3.0.dfsg.1-10  X Toolkit Intrinsics
ii  xlibs           4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-3        compression library - runtime

-- debconf information:
  mozilla-thunderbird/browser: Debian

Click here to enter paypal
Click here to enter paypal via ssl
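
Added example, not part of the original report or of any Mozilla or Debian code: a check a mail filter could run over an HTML message body to flag links whose host name contains IDN labels, decoding the xn-- form so the reviewer sees what the client would display. The function names, the sample markup and the .example host names are assumptions constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

class HrefCollector(HTMLParser):
    """Collect href values from <a> tags in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def decode_label(label):
    """Turn an ACE label (xn--...) into Unicode; leave other labels alone."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: keep it undecoded
    return label

def label_scripts(label):
    """Scripts used in a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if not (ch.isdigit() or ch == "-")}

def audit_links(html):
    """Return one finding per link whose host has a non-ASCII label."""
    parser = HrefCollector()
    parser.feed(html)
    findings = []
    for href in parser.hrefs:
        host = urlsplit(href).hostname or ""
        labels = [decode_label(l) for l in host.split(".")]
        if all(l.isascii() for l in labels):
            continue
        findings.append({"href": href, "shown_as": ".".join(labels),
                         "mixed_script": any(len(label_scripts(l)) > 1 for l in labels)})
    return findings

# Constructed sample: Cyrillic U+0430 replaces the Latin "a"; .example is reserved.
ACE = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii")
SAMPLE = ('<a href="http://www.%s.example/">Click here</a> '
          '<a href="https://www.paypal.example/">real</a>' % ACE)

if __name__ == "__main__":
    for finding in audit_links(SAMPLE):
        print(finding)
```

A label written entirely in one non-Latin script is reported with mixed_script set to False, so the shown_as field still needs a look before the link is trusted.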