Issued:
2008-04-03
Updated:
2008-04-03

RHSA-2008:0209 - Security Advisory

Synopsis

Moderate: thunderbird security update

Type/Severity

Security Advisory: Moderate

Topic

Updated thunderbird packages that fix several security issues are now
available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of some malformed HTML mail
content. An HTML mail message containing such malicious content could cause
Thunderbird to crash or, potentially, execute arbitrary code as the user
running Thunderbird. (CVE-2008-1233, CVE-2008-1235, CVE-2008-1236,
CVE-2008-1237)

Several flaws were found in the display of malformed web content. An HTML
mail message containing specially-crafted content could, potentially, trick
a user into surrendering sensitive information. (CVE-2008-1234,
CVE-2008-1238, CVE-2008-1241)

Note: JavaScript support is disabled by default in Thunderbird; the above
issues are not exploitable unless JavaScript is enabled.

All Thunderbird users should upgrade to these updated packages, which
contain backported patches to resolve these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 ia64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 5.1 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 5.1 i386
  • Red Hat Enterprise Linux Server - Extended Update Support 4.6 x86_64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.6 ia64
  • Red Hat Enterprise Linux Server - Extended Update Support 4.6 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 ia64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux for IBM z Systems 4 s390x
  • Red Hat Enterprise Linux for IBM z Systems 4 s390
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6 s390
  • Red Hat Enterprise Linux for Power, big endian 4 ppc
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 438713 - CVE-2008-1233 Mozilla products XPCNativeWrapper pollution
  • BZ - 438715 - CVE-2008-1234 universal XSS using event handlers
  • BZ - 438717 - CVE-2008-1235 chrome privilege via wrong principal
  • BZ - 438718 - CVE-2008-1236 browser engine crashes
  • BZ - 438721 - CVE-2008-1237 javascript crashes
  • BZ - 438724 - CVE-2008-1238 Referrer spoofing bug
  • BZ - 438730 - CVE-2008-1241 XUL popup spoofing

CVEs

References

Red Hat Enterprise Linux Server 5

SRPM
thunderbird-1.5.0.12-11.el5_1.src.rpm SHA-256: 46b8964df889b3168f2231e4151934ed9fb3d8cb95d6baf2480430a6e6afb200
x86_64
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm SHA-256: 6ac9eca41c56713be04b531700ea92591fd0df36ed80304c5d466cb232c444b0
i386
thunderbird-1.5.0.12-11.el5_1.i386.rpm SHA-256: 9d8d54d05499663a15a3b1467157bdbd073c005cba965670c0a4c07f880581e8

Red Hat Enterprise Linux Server 4

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
x86_64
thunderbird-1.5.0.12-10.el4.x86_64.rpm SHA-256: cc3c75400a1eea97a3fcf5d95e487ef7fb46e0553af8cc1c4b43789d4afbe18b
thunderbird-1.5.0.12-10.el4.x86_64.rpm SHA-256: cc3c75400a1eea97a3fcf5d95e487ef7fb46e0553af8cc1c4b43789d4afbe18b
ia64
thunderbird-1.5.0.12-10.el4.ia64.rpm SHA-256: 5f20f6d3754e42abb11fd5eeea8880729a8656e44a77c6ecb2203ec4d4da7994
thunderbird-1.5.0.12-10.el4.ia64.rpm SHA-256: 5f20f6d3754e42abb11fd5eeea8880729a8656e44a77c6ecb2203ec4d4da7994
i386
thunderbird-1.5.0.12-10.el4.i386.rpm SHA-256: 8f18e5a06a68db37f4687ab3b8598950e16ae7e260d3d6ff0e17d2e1b7dca68a
thunderbird-1.5.0.12-10.el4.i386.rpm SHA-256: 8f18e5a06a68db37f4687ab3b8598950e16ae7e260d3d6ff0e17d2e1b7dca68a

Red Hat Enterprise Linux Server - Extended Update Support 4.6

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
x86_64
thunderbird-1.5.0.12-10.el4.x86_64.rpm SHA-256: cc3c75400a1eea97a3fcf5d95e487ef7fb46e0553af8cc1c4b43789d4afbe18b
thunderbird-1.5.0.12-10.el4.x86_64.rpm SHA-256: cc3c75400a1eea97a3fcf5d95e487ef7fb46e0553af8cc1c4b43789d4afbe18b
ia64
thunderbird-1.5.0.12-10.el4.ia64.rpm SHA-256: 5f20f6d3754e42abb11fd5eeea8880729a8656e44a77c6ecb2203ec4d4da7994
thunderbird-1.5.0.12-10.el4.ia64.rpm SHA-256: 5f20f6d3754e42abb11fd5eeea8880729a8656e44a77c6ecb2203ec4d4da7994
i386
thunderbird-1.5.0.12-10.el4.i386.rpm SHA-256: 8f18e5a06a68db37f4687ab3b8598950e16ae7e260d3d6ff0e17d2e1b7dca68a
thunderbird-1.5.0.12-10.el4.i386.rpm SHA-256: 8f18e5a06a68db37f4687ab3b8598950e16ae7e260d3d6ff0e17d2e1b7dca68a

Red Hat Enterprise Linux Workstation 5

SRPM
thunderbird-1.5.0.12-11.el5_1.src.rpm SHA-256: 46b8964df889b3168f2231e4151934ed9fb3d8cb95d6baf2480430a6e6afb200
x86_64
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm SHA-256: 6ac9eca41c56713be04b531700ea92591fd0df36ed80304c5d466cb232c444b0
i386
thunderbird-1.5.0.12-11.el5_1.i386.rpm SHA-256: 9d8d54d05499663a15a3b1467157bdbd073c005cba965670c0a4c07f880581e8

Red Hat Enterprise Linux Workstation 4

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
x86_64
thunderbird-1.5.0.12-10.el4.x86_64.rpm SHA-256: cc3c75400a1eea97a3fcf5d95e487ef7fb46e0553af8cc1c4b43789d4afbe18b
ia64
thunderbird-1.5.0.12-10.el4.ia64.rpm SHA-256: 5f20f6d3754e42abb11fd5eeea8880729a8656e44a77c6ecb2203ec4d4da7994
i386
thunderbird-1.5.0.12-10.el4.i386.rpm SHA-256: 8f18e5a06a68db37f4687ab3b8598950e16ae7e260d3d6ff0e17d2e1b7dca68a

Red Hat Enterprise Linux Desktop 5

SRPM
thunderbird-1.5.0.12-11.el5_1.src.rpm SHA-256: 46b8964df889b3168f2231e4151934ed9fb3d8cb95d6baf2480430a6e6afb200
x86_64
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm SHA-256: 6ac9eca41c56713be04b531700ea92591fd0df36ed80304c5d466cb232c444b0
i386
thunderbird-1.5.0.12-11.el5_1.i386.rpm SHA-256: 9d8d54d05499663a15a3b1467157bdbd073c005cba965670c0a4c07f880581e8

Red Hat Enterprise Linux Desktop 4

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
x86_64
thunderbird-1.5.0.12-10.el4.x86_64.rpm SHA-256: cc3c75400a1eea97a3fcf5d95e487ef7fb46e0553af8cc1c4b43789d4afbe18b
i386
thunderbird-1.5.0.12-10.el4.i386.rpm SHA-256: 8f18e5a06a68db37f4687ab3b8598950e16ae7e260d3d6ff0e17d2e1b7dca68a

Red Hat Enterprise Linux for IBM z Systems 4

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
s390x
thunderbird-1.5.0.12-10.el4.s390x.rpm SHA-256: de7b37573e328e156349cb9f834cc4c1b92922b70d897daf5b7b5e344d421263
s390
thunderbird-1.5.0.12-10.el4.s390.rpm SHA-256: 78196ae287022425bdb8b2f0782cf3800a1395ade2286d77753831592604017d

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 4.6

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
s390x
thunderbird-1.5.0.12-10.el4.s390x.rpm SHA-256: de7b37573e328e156349cb9f834cc4c1b92922b70d897daf5b7b5e344d421263
s390
thunderbird-1.5.0.12-10.el4.s390.rpm SHA-256: 78196ae287022425bdb8b2f0782cf3800a1395ade2286d77753831592604017d

Red Hat Enterprise Linux for Power, big endian 4

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
ppc
thunderbird-1.5.0.12-10.el4.ppc.rpm SHA-256: 2fe3f1f0681331a5394ad54be70bc6aa3b2c71334f5448b9180c1c2669118085

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 4.6

SRPM
thunderbird-1.5.0.12-10.el4.src.rpm SHA-256: 2c0bd832af4e871076f1ef164157b4e35e82f02091229e19220bf52312586f3d
ppc
thunderbird-1.5.0.12-10.el4.ppc.rpm SHA-256: 2fe3f1f0681331a5394ad54be70bc6aa3b2c71334f5448b9180c1c2669118085

Red Hat Enterprise Linux Server from RHUI 5

SRPM
thunderbird-1.5.0.12-11.el5_1.src.rpm SHA-256: 46b8964df889b3168f2231e4151934ed9fb3d8cb95d6baf2480430a6e6afb200
x86_64
thunderbird-1.5.0.12-11.el5_1.x86_64.rpm SHA-256: 6ac9eca41c56713be04b531700ea92591fd0df36ed80304c5d466cb232c444b0
i386
thunderbird-1.5.0.12-11.el5_1.i386.rpm SHA-256: 9d8d54d05499663a15a3b1467157bdbd073c005cba965670c0a4c07f880581e8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.