run-mozilla.sh in Thunderbird, with debugging enabled, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files.
Vladimir V Perepelitsa discovered a bug in Thunderbird’s handling of anonymous
functions during regular expression string replacement A malicious HTML email
could exploit this to capture a random block of client memory (CAN-2005-0989) ...