Red Hat Product Errata RHSA-2012:1089 - Security Advisory

Issued:: 2012-07-17
Updated:: 2012-07-17

RHSA-2012:1089 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: thunderbird security update

Type/Severity

Security Advisory: Critical

Topic

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-1948,
CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,
CVE-2012-1962, CVE-2012-1967)

Malicious content could bypass same-compartment security wrappers (SCSW)
and execute arbitrary code with chrome privileges. (CVE-2012-1959)

A flaw in the way Thunderbird called history.forward and history.back could
allow an attacker to conceal a malicious URL, possibly tricking a user
into believing they are viewing trusted content. (CVE-2012-1955)

A flaw in a parser utility class used by Thunderbird to parse feeds (such
as RSS) could allow an attacker to execute arbitrary JavaScript with the
privileges of the user running Thunderbird. This issue could have affected
other Thunderbird components or add-ons that assume the class returns
sanitized input. (CVE-2012-1957)

A flaw in the way Thunderbird handled X-Frame-Options headers could allow
malicious content to perform a clickjacking attack. (CVE-2012-1961)

A flaw in the way Content Security Policy (CSP) reports were generated by
Thunderbird could allow malicious content to steal a victim's OAuth 2.0
access tokens and OpenID credentials. (CVE-2012-1963)

A flaw in the way Thunderbird handled certificate warnings could allow a
man-in-the-middle attacker to create a crafted warning, possibly tricking
a user into accepting an arbitrary certificate as trusted. (CVE-2012-1964)

The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6
introduced a mitigation for the CVE-2011-3389 flaw. For compatibility
reasons, it remains disabled by default in the nss packages. This update
makes Thunderbird enable the mitigation by default. It can be disabled by
setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before
launching Thunderbird. (BZ#838879)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill
McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby
Holley, Mariusz Mlynski, Mario Heiderich, Frederic Buclin, Karthikeyan
Bhargavan, and Matt McCutchen as the original reporters of these issues.

Note: None of the issues in this advisory can be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. They could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.6 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Server 5 x86_64
Red Hat Enterprise Linux Server 5 i386
Red Hat Enterprise Linux Server - Extended Update Support 6.3 x86_64
Red Hat Enterprise Linux Server - Extended Update Support 6.3 i386
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux Workstation 5 x86_64
Red Hat Enterprise Linux Workstation 5 i386
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386
Red Hat Enterprise Linux Desktop 5 x86_64
Red Hat Enterprise Linux Desktop 5 i386
Red Hat Enterprise Linux for IBM z Systems 6 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.3 s390x
Red Hat Enterprise Linux for Power, big endian 6 ppc64
Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.3 ppc64
Red Hat Enterprise Linux Server from RHUI 6 x86_64
Red Hat Enterprise Linux Server from RHUI 6 i386
Red Hat Enterprise Linux Server from RHUI 5 x86_64
Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

BZ - 838879 - Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunderbird
BZ - 840201 - CVE-2012-1948 CVE-2012-1949 Mozilla: Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) (MFSA 2012-42)
BZ - 840205 - CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 Mozilla: Gecko memory corruption (MFSA 2012-44)
BZ - 840206 - CVE-2012-1955 Mozilla: Spoofing issue with location (MFSA 2012-45)
BZ - 840208 - CVE-2012-1957 Mozilla: Improper filtering of javascript in HTML feed-view (MFSA 2012-47)
BZ - 840211 - CVE-2012-1958 Mozilla: use-after-free in nsGlobalWindow::PageHidden (MFSA 2012-48)
BZ - 840212 - CVE-2012-1959 Mozilla: Same-compartment Security Wrappers can be bypassed (MFSA 2012-49)
BZ - 840214 - CVE-2012-1961 Mozilla: X-Frame-Options header ignored when duplicated (MFSA 2012-51)
BZ - 840215 - CVE-2012-1962 Mozilla: JSDependentString::undepend string conversion results in memory corruption (MFSA 2012-52)
BZ - 840220 - CVE-2012-1963 Mozilla: Content Security Policy 1.0 implementation errors cause data leakage (MFSA 2012-53)
BZ - 840222 - CVE-2012-1964 Mozilla: Clickjacking of certificate warning page (MFSA 2012-54)
BZ - 840259 - CVE-2012-1967 Mozilla: Code execution through javascript: URLs (MFSA 2012-56)

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 6

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
x86_64
thunderbird-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
i386
thunderbird-10.0.6-1.el6_3.i686.rpm	SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm	SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020

Red Hat Enterprise Linux Server 5

SRPM
thunderbird-10.0.6-1.el5_8.src.rpm	SHA-256: 072345e63a43a177b1fa6868b6daf0002afe3890154d5584bfc3be9bf4084087
x86_64
thunderbird-10.0.6-1.el5_8.x86_64.rpm	SHA-256: 2b7ff4ba64f4f5a846958834a62e6122cf891dd973c4bd01a8a3f7dfcb951318
thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm	SHA-256: acdc9b40997c17497e53bc360d85a1a30f0b444a933507aaf3f9e0b59329979b
i386
thunderbird-10.0.6-1.el5_8.i386.rpm	SHA-256: 9e80020369f5392f4b8656bca5efa0e332bf1dbe583d83525aa985c5187254e0
thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm	SHA-256: cda7412ad1b35e3be5ca71ab1b46bde870b422b58be87bb20908bfe06e27f44f

Red Hat Enterprise Linux Server - Extended Update Support 6.3

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
x86_64
thunderbird-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
i386
thunderbird-10.0.6-1.el6_3.i686.rpm	SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm	SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020

Red Hat Enterprise Linux Workstation 6

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
x86_64
thunderbird-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
i386
thunderbird-10.0.6-1.el6_3.i686.rpm	SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm	SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020

Red Hat Enterprise Linux Workstation 5

SRPM
thunderbird-10.0.6-1.el5_8.src.rpm	SHA-256: 072345e63a43a177b1fa6868b6daf0002afe3890154d5584bfc3be9bf4084087
x86_64
thunderbird-10.0.6-1.el5_8.x86_64.rpm	SHA-256: 2b7ff4ba64f4f5a846958834a62e6122cf891dd973c4bd01a8a3f7dfcb951318
thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm	SHA-256: acdc9b40997c17497e53bc360d85a1a30f0b444a933507aaf3f9e0b59329979b
i386
thunderbird-10.0.6-1.el5_8.i386.rpm	SHA-256: 9e80020369f5392f4b8656bca5efa0e332bf1dbe583d83525aa985c5187254e0
thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm	SHA-256: cda7412ad1b35e3be5ca71ab1b46bde870b422b58be87bb20908bfe06e27f44f

Red Hat Enterprise Linux Desktop 6

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
x86_64
thunderbird-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
i386
thunderbird-10.0.6-1.el6_3.i686.rpm	SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm	SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020

Red Hat Enterprise Linux Desktop 5

SRPM
thunderbird-10.0.6-1.el5_8.src.rpm	SHA-256: 072345e63a43a177b1fa6868b6daf0002afe3890154d5584bfc3be9bf4084087
x86_64
thunderbird-10.0.6-1.el5_8.x86_64.rpm	SHA-256: 2b7ff4ba64f4f5a846958834a62e6122cf891dd973c4bd01a8a3f7dfcb951318
thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm	SHA-256: acdc9b40997c17497e53bc360d85a1a30f0b444a933507aaf3f9e0b59329979b
i386
thunderbird-10.0.6-1.el5_8.i386.rpm	SHA-256: 9e80020369f5392f4b8656bca5efa0e332bf1dbe583d83525aa985c5187254e0
thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm	SHA-256: cda7412ad1b35e3be5ca71ab1b46bde870b422b58be87bb20908bfe06e27f44f

Red Hat Enterprise Linux for IBM z Systems 6

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
s390x
thunderbird-10.0.6-1.el6_3.s390x.rpm	SHA-256: a3fabb3916f0a8c200cc8e05a61b1a50faa6f78d4800b4ddaeaee352db5a7b81
thunderbird-debuginfo-10.0.6-1.el6_3.s390x.rpm	SHA-256: af02cb9999cd93aeb9bea0471b499adb12a00557e7288afebdd5842022799fbc

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.3

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
s390x
thunderbird-10.0.6-1.el6_3.s390x.rpm	SHA-256: a3fabb3916f0a8c200cc8e05a61b1a50faa6f78d4800b4ddaeaee352db5a7b81
thunderbird-debuginfo-10.0.6-1.el6_3.s390x.rpm	SHA-256: af02cb9999cd93aeb9bea0471b499adb12a00557e7288afebdd5842022799fbc

Red Hat Enterprise Linux for Power, big endian 6

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
ppc64
thunderbird-10.0.6-1.el6_3.ppc64.rpm	SHA-256: 5567040e200b695214f5d8628e5749724d98ddb33dbdd34042338fa3f3db96cd
thunderbird-debuginfo-10.0.6-1.el6_3.ppc64.rpm	SHA-256: 6e285cfd12f055f85cab4c50ac3806024e174537f2818eb45c435fae03f521cc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.3

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
ppc64
thunderbird-10.0.6-1.el6_3.ppc64.rpm	SHA-256: 5567040e200b695214f5d8628e5749724d98ddb33dbdd34042338fa3f3db96cd
thunderbird-debuginfo-10.0.6-1.el6_3.ppc64.rpm	SHA-256: 6e285cfd12f055f85cab4c50ac3806024e174537f2818eb45c435fae03f521cc

Red Hat Enterprise Linux Server from RHUI 6

SRPM
thunderbird-10.0.6-1.el6_3.src.rpm	SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
x86_64
thunderbird-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm	SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
i386
thunderbird-10.0.6-1.el6_3.i686.rpm	SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm	SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020

Red Hat Enterprise Linux Server from RHUI 5

SRPM
thunderbird-10.0.6-1.el5_8.src.rpm	SHA-256: 072345e63a43a177b1fa6868b6daf0002afe3890154d5584bfc3be9bf4084087
x86_64
thunderbird-10.0.6-1.el5_8.x86_64.rpm	SHA-256: 2b7ff4ba64f4f5a846958834a62e6122cf891dd973c4bd01a8a3f7dfcb951318
thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm	SHA-256: acdc9b40997c17497e53bc360d85a1a30f0b444a933507aaf3f9e0b59329979b
i386
thunderbird-10.0.6-1.el5_8.i386.rpm	SHA-256: 9e80020369f5392f4b8656bca5efa0e332bf1dbe583d83525aa985c5187254e0
thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm	SHA-256: cda7412ad1b35e3be5ca71ab1b46bde870b422b58be87bb20908bfe06e27f44f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.