[USN-1551-2] Thunderbird regressions
Posted on 28 September 2012
==========================================================================
Ubuntu Security Notice USN-1551-2
September 28, 2012
thunderbird regressions
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 12.04 LTS
- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.04 LTS
Summary:
USN-1551-1 introduced regressions in Thunderbird.
Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client
Details:
USN-1551-1 fixed vulnerabilities in Thunderbird. The new package caused a
regression in the message editor and certain performance regressions as
well. This update fixes the problems.
Original advisory details:
Gary Kwong, Christian Holler, Jesse Ruderman, Steve Fink, Bob Clary, Andrew
Sutherland, Jason Smith, John Schoenick, Vladimir Vukicevic and Daniel
Holbert discovered memory safety issues affecting Thunderbird. If the user
were tricked into opening a specially crafted E-Mail, an attacker could
exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2012-1970, CVE-2012-1971)

Abhishek Arya discovered multiple use-after-free vulnerabilities. If the
user were tricked into opening a specially crafted E-Mail, an attacker
could exploit these to cause a denial of service via application crash, or
potentially execute code with the privileges of the user invoking
Thunderbird. (CVE-2012-1972, CVE-2012-1973, CVE-2012-1974, CVE-2012-1975,
CVE-2012-1976, CVE-2012-3956, CVE-2012-3957, CVE-2012-3958, CVE-2012-3959,
CVE-2012-3960, CVE-2012-3961, CVE-2012-3962, CVE-2012-3963, CVE-2012-3964)

Mariusz Mlynsk discovered that it is possible to shadow the location object
using Object.defineProperty. This could potentially result in a cross-site
scripting (XSS) attack against plugins. With cross-site scripting
vulnerabilities, if a user were tricked into viewing a specially crafted
E-Mail, a remote attacker could exploit this to modify the contents or
steal confidential data within the same domain. (CVE-2012-1956)

Frédéric Hoguin discovered that bitmap format images with a negative height
could potentially result in memory corruption. If the user were tricked
into opening a specially crafted image, an attacker could exploit this to
cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Thunderbird. (CVE-2012-3966)

It was discovered that Thunderbird's WebGL implementation was vulnerable to
multiple memory safety issues. If the user were tricked into opening a
specially crafted E-Mail, an attacker could exploit these to cause a denial
of service via application crash, or potentially execute code with the
privileges of the user invoking Thunderbird. (CVE-2012-3967, CVE-2012-3968)

Arthur Gerkis discovered multiple memory safety issues in Thunderbird's
Scalable Vector Graphics (SVG) implementation. If the user were tricked
into opening a specially crafted image, an attacker could exploit these to
cause a denial of service via application crash, or potentially execute
code with the privileges of the user invoking Thunderbird. (CVE-2012-3969,
CVE-2012-3970)

Christoph Diehl discovered multiple memory safety issues in the bundled
Graphite 2 library. If the user were tricked into opening a specially
crafted E-Mail, an attacker could exploit these to cause a denial of
service via application crash, or potentially execute code with the
privileges of the user invoking Thunderbird. (CVE-2012-3971)

Nicolas Grégoire discovered an out-of-bounds read in the format-number
feature of XSLT. This could potentially cause inaccurate formatting of
numbers and information leakage. (CVE-2012-3972)

It was discovered that when the DOMParser is used to parse text/html data
in a Thunderbird extension, linked resources within this HTML data will be
loaded. If the data being parsed in the extension is untrusted, it could
lead to information leakage and potentially be combined with other attacks
to become exploitable. (CVE-2012-3975)

It was discovered that, in some instances, certain security checks in the
location object could be bypassed. This could allow for the loading of
restricted content and can potentially be combined with other issues to
become exploitable. (CVE-2012-3978)

Colby Russell discovered that eval in the web console can execute injected
code with chrome privileges, leading to the running of malicious code in a
privileged context. If the user were tricked into opening a specially
crafted E-Mail, an attacker could exploit this to cause a denial of service
via application crash, or potentially execute code with the privileges of
the user invoking Thunderbird. (CVE-2012-3980)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 12.04 LTS:
  thunderbird              15.0.1+build1-0ubuntu0.12.04.1
  thunderbird-globalmenu   15.0.1+build1-0ubuntu0.12.04.1
Ubuntu 11.10:
  thunderbird              15.0.1+build1-0ubuntu0.11.10.1
  thunderbird-globalmenu   15.0.1+build1-0ubuntu0.11.10.1
Ubuntu 11.04:
  thunderbird              15.0.1+build1-0ubuntu0.11.04.1
  thunderbird-globalmenu   15.0.1+build1-0ubuntu0.11.04.1
Ubuntu 10.04 LTS:
  thunderbird              15.0.1+build1-0ubuntu0.10.04.1
After a standard system update you need to restart Thunderbird to make
all the necessary changes.
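A check for the update step above, added here as an example and not part of Ubuntu's advisory: it compares an installed thunderbird version with the fixed version this notice lists for each release. The function names and result labels are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the advisory. Function names and result
# labels are this example's own; fixed versions are those listed above.

# Print the fixed thunderbird version USN-1551-2 lists for a release.
fixed_version_for() {
    case "$1" in
        12.04) echo "15.0.1+build1-0ubuntu0.12.04.1" ;;
        11.10) echo "15.0.1+build1-0ubuntu0.11.10.1" ;;
        11.04) echo "15.0.1+build1-0ubuntu0.11.04.1" ;;
        10.04) echo "15.0.1+build1-0ubuntu0.10.04.1" ;;
        *) return 1 ;;
    esac
}

# classify_thunderbird RELEASE INSTALLED_VERSION
# Prints up-to-date, needs-update, not-installed or unknown-release.
classify_thunderbird() {
    fixed=$(fixed_version_for "$1") || { echo unknown-release; return 0; }
    [ -n "$2" ] || { echo not-installed; return 0; }
    # dpkg applies Debian version ordering, so "+build1" and the
    # "-0ubuntu0.x" revision are compared correctly, unlike a string test.
    if dpkg --compare-versions "$2" ge "$fixed"; then
        echo up-to-date
    else
        echo needs-update
    fi
}

# Check the machine this runs on.
check_local_host() {
    release=$(lsb_release -rs)
    installed=$(dpkg-query -W -f='${Version}' thunderbird 2>/dev/null) || installed=""
    classify_thunderbird "$release" "$installed"
}
```

Call `check_local_host` on an affected release after updating; `classify_thunderbird` can also be fed release and version pairs collected from a fleet inventory.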
References:
http://www.ubuntu.com/usn/usn-1551-2
http://www.ubuntu.com/usn/usn-1551-1
https://launchpad.net/bugs/1049428
Package Information:
https://launchpad.net/ubuntu/+source/thunderbird/15.0.1+build1-0ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/thunderbird/15.0.1+build1-0ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/thunderbird/15.0.1+build1-0ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/thunderbird/15.0.1+build1-0ubuntu0.10.04.1