RHSA-2012:1351 - Security Advisory

Topic

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-3982,
CVE-2012-3988, CVE-2012-3990, CVE-2012-3995, CVE-2012-4179, CVE-2012-4180,
CVE-2012-4181, CVE-2012-4182, CVE-2012-4183, CVE-2012-4185, CVE-2012-4186,
CVE-2012-4187, CVE-2012-4188)

Two flaws in Thunderbird could allow malicious content to bypass intended
restrictions, possibly leading to information disclosure, or Thunderbird
executing arbitrary code. Note that the information disclosure issue could
possibly be combined with other flaws to achieve arbitrary code execution.
(CVE-2012-3986, CVE-2012-3991)

Multiple flaws were found in the location object implementation in
Thunderbird. Malicious content could be used to perform cross-site
scripting attacks, script injection, or spoofing attacks. (CVE-2012-1956,
CVE-2012-3992, CVE-2012-3994)

Two flaws were found in the way Chrome Object Wrappers were implemented.
Malicious content could be used to perform cross-site scripting attacks or
cause Thunderbird to execute arbitrary code. (CVE-2012-3993, CVE-2012-4184)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Jesse Ruderman, Soroush Dalili,
miaubiz, Abhishek Arya, Atte Kettunen, Johnny Stenback, Alice White,
moz_bug_r_a4, and Mariusz Mlynski as the original reporters of these
issues.

Note: None of the issues in this advisory can be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. They could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.8 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.3 x86_64
• Red Hat Enterprise Linux for x86_64 - Extended Update Support 6.3 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 6.3 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 6.3 ppc64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server from RHUI 5 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x

Fixes

• BZ - 851912 - CVE-2012-1956 Mozilla: Location object can be shadowed using Object.defineProperty (MFSA 2012-59)
• BZ - 863614 - CVE-2012-3982 Mozilla: Miscellaneous memory safety hazards (rv:10.0.8) (MFSA 2012-74)
• BZ - 863618 - CVE-2012-3986 Mozilla: Some DOMWindowUtils methods bypass security checks (MFSA 2012-77)
• BZ - 863619 - CVE-2012-3988 Mozilla: DOS and crash with full screen and history navigation (MFSA 2012-79)
• BZ - 863621 - CVE-2012-3991 Mozilla: GetProperty function can bypass security checks (MFSA 2012-81)
• BZ - 863622 - CVE-2012-3994 Mozilla: top object and location property accessible by plugins (MFSA 2012-82)
• BZ - 863623 - CVE-2012-3993 CVE-2012-4184 Mozilla: Chrome Object Wrapper (COW) does not disallow acces to privileged functions or properties (MFSA 2012-83)
• BZ - 863624 - CVE-2012-3992 Mozilla: Spoofing and script injection through location.hash (MFSA 2012-84)
• BZ - 863625 - CVE-2012-3995 CVE-2012-4179 CVE-2012-4180 CVE-2012-4181 CVE-2012-4182 CVE-2012-4183 Mozilla: Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer (MFSA 2012-85)
• BZ - 863626 - CVE-2012-4185 CVE-2012-4186 CVE-2012-4187 CVE-2012-4188 Mozilla: Heap memory corruption issues found using Address Sanitizer (MFSA 2012-86)
• BZ - 863628 - CVE-2012-3990 Mozilla: Use-after-free in the IME State Manager (MFSA 2012-87)

CVEs

• CVE-2012-3986
• CVE-2012-3994
• CVE-2012-4181
• CVE-2012-4184
• CVE-2012-3991
• CVE-2012-3990
• CVE-2012-3993
• CVE-2012-3992
• CVE-2012-4180
• CVE-2012-4179
• CVE-2012-4185
• CVE-2012-3988
• CVE-2012-4183
• CVE-2012-4186
• CVE-2012-1956
• CVE-2012-4187
• CVE-2012-3982
• CVE-2012-3995
• CVE-2012-4188
• CVE-2012-4182

References

• https://access.redhat.com/security/updates/classification/#critical