4.324. thunderbird

An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fixes

CVE-2011-3659
A use-after-free flaw was found in the way Thunderbird removed nsDOMAttribute child nodes. In certain circumstances, due to the premature notification of AttributeChildRemoved, a malicious script could possibly use this flaw to cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0442
Several flaws were found in the processing of malformed content. An HTML mail message containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0449
A flaw was found in the way Thunderbird parsed certain Scalable Vector Graphics (SVG) image files that contained eXtensible Style Sheet Language Transformations (XSLT). An HTML mail message containing a malicious SVG image file could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2011-3670
The same-origin policy in Thunderbird treated http://example.com and http://[example.com] as interchangeable. A malicious script could possibly use this flaw to gain access to sensitive information (such as a client's IP and user e-mail address, or httpOnly cookies) that may be included in HTTP proxy error replies, generated in response to invalid URLs using square brackets.
Note: The CVE-2011-3659 and CVE-2011-3670 issues cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.
For technical details regarding these flaws, refer to the Mozilla security advisories for Thunderbird 3.1.18.:
All Thunderbird users should upgrade to these updated packages, which contain Thunderbird version 3.1.18, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.
An updated thunderbird package that fixes one security issue is now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fix

CVE-2011-3026
A heap-based buffer overflow flaw was found in the way Thunderbird handled PNG (Portable Network Graphics) images. An HTML mail message or remote content containing a specially-crafted PNG image could cause Thunderbird to crash or, possibly, execute arbitrary code with the privileges of the user running Thunderbird.
All Thunderbird users should upgrade to this updated package, which corrects this issue. After installing the update, Thunderbird must be restarted for the changes to take effect.
An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fixes

CVE-2012-0461, CVE-2012-0462, CVE-2012-0464
Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0456, CVE-2012-0457
Two flaws were found in the way Thunderbird parsed certain Scalable Vector Graphics (SVG) image files. An HTML mail message containing a malicious SVG image file could cause an information leak, or cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0455
A flaw could allow malicious content to bypass intended restrictions, possibly leading to a cross-site scripting (XSS) attack if a user were tricked into dropping a "javascript:" link onto a frame.
CVE-2012-0458
It was found that the home page could be set to a "javascript:" link. If a user were tricked into setting such a home page by dragging a link to the home button, it could cause Firefox to repeatedly crash, eventually leading to arbitrary code execution with the privileges of the user running Firefox. A similar flaw was found and fixed in Thunderbird.
CVE-2012-0459
A flaw was found in the way Thunderbird parsed certain, remote content containing "cssText". Malicious, remote content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0460
It was found that by using the DOM fullscreen API, untrusted content could bypass the mozRequestFullscreen security protections. Malicious content could exploit this API flaw to cause user interface spoofing.
CVE-2012-0451
A flaw was found in the way Thunderbird handled content with multiple Content Security Policy (CSP) headers. This could lead to a cross-site scripting attack if used in conjunction with a website that has a header injection flaw.

Note

All issues except CVE-2012-0456 and CVE-2012-0457 cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.
All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.3 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.
An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fixes

CVE-2011-3062
A flaw was found in Sanitiser for OpenType (OTS), used by Thunderbird to help prevent potential exploits in malformed OpenType fonts. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0467, CVE-2012-0468, CVE-2012-0469
Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0470
Content containing a malicious Scalable Vector Graphics (SVG) image file could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0472
A flaw was found in the way Thunderbird used its embedded Cairo library to render certain fonts. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0478
A flaw was found in the way Thunderbird rendered certain images using WebGL. Malicious content could cause Thunderbird to crash or, under certain conditions, possibly execute arbitrary code with the privileges of the user running Thunderbird.
CVE-2012-0471
A cross-site scripting (XSS) flaw was found in the way Thunderbird handled certain multibyte character sets. Malicious content could cause Thunderbird to run JavaScript code with the permissions of different content.
CVE-2012-0473
A flaw was found in the way Thunderbird rendered certain graphics using WebGL. Malicious content could cause Thunderbird to crash.
CVE-2012-0474
A flaw in the built-in feed reader in Thunderbird allowed the Website field to display the address of different content than the content the user was visiting. An attacker could use this flaw to conceal a malicious URL, possibly tricking a user into believing they are viewing a trusted site, or allowing scripts to be loaded from the attacker's site, possibly leading to cross-site scripting (XSS) attacks.
CVE-2012-0477
A flaw was found in the way Thunderbird decoded the ISO-2022-KR and ISO-2022-CN character sets. Malicious content could cause Thunderbird to run JavaScript code with the permissions of different content.
CVE-2012-0479
A flaw was found in the way the built-in feed reader in Thunderbird handled RSS and Atom feeds. Invalid RSS or Atom content loaded over HTTPS caused Thunderbird to display the address of said content, but not the content. The previous content continued to be displayed. An attacker could use this flaw to perform phishing attacks, or trick users into thinking they are visiting the site reported by the Website field, when the page is actually content controlled by an attacker.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Mateusz Jurczyk of the Google Security Team as the original reporter of CVE-2011-3062; Aki Helin from OUSPG as the original reporter of CVE-2012-0469; Atte Kettunen from OUSPG as the original reporter of CVE-2012-0470; wushi of team509 via iDefense as the original reporter of CVE-2012-0472; Ms2ger as the original reporter of CVE-2012-0478; Anne van Kesteren of Opera Software as the original reporter of CVE-2012-0471; Matias Juntunen as the original reporter of CVE-2012-0473; Jordi Chancel and Eddy Bordi, and Chris McGowen as the original reporters of CVE-2012-0474; Masato Kinugawa as the original reporter of CVE-2012-0477; and Jeroen van der Gun as the original reporter of CVE-2012-0479.

Note

All issues except CVE-2012-0470, CVE-2012-0472, and CVE-2011-3062 cannot be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. It could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.
All Thunderbird users should upgrade to this updated package, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.
An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
Mozilla Thunderbird is a standalone mail and newsgroup client.

Security Fixes

CVE-2011-3101, CVE-2012-1937, CVE-2012-1938, CVE-2012-1939, CVE-2012-1940, CVE-2012-1941, CVE-2012-1946, CVE-2012-1947
Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird.

Note

Note: CVE-2011-3101 only affected users of certain NVIDIA display drivers with graphics cards that have hardware acceleration enabled.
CVE-2012-1944
It was found that the Content Security Policy (CSP) implementation in Thunderbird no longer blocked Thunderbird inline event handlers. Malicious content could possibly bypass intended restrictions if that content relied on CSP to protect against flaws such as cross-site scripting (XSS).
CVE-2012-1945
If a web server hosted content that is stored on a Microsoft Windows share, or a Samba share, loading such content with Thunderbird could result in Windows shortcut files (.lnk) in the same share also being loaded. An attacker could use this flaw to view the contents of local files and directories on the victim's system. This issue also affected users opening content from Microsoft Windows shares, or Samba shares, that are mounted on their systems.
Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Ken Russell of Google as the original reporter of CVE-2011-3101; Igor Bukanov, Olli Pettay, Boris Zbarsky, and Jesse Ruderman as the original reporters of CVE-2012-1937; Jesse Ruderman, Igor Bukanov, Bill McCloskey, Christian Holler, Andrew McCreight, and Brian Bondy as the original reporters of CVE-2012-1938; Christian Holler as the original reporter of CVE-2012-1939; security researcher Abhishek Arya of Google as the original reporter of CVE-2012-1940, CVE-2012-1941, and CVE-2012-1947; security researcher Arthur Gerkis as the original reporter of CVE-2012-1946; security researcher Adam Barth as the original reporter of CVE-2012-1944; and security researcher Paul Stone as the original reporter of CVE-2012-1945.

Note

None of the issues in this advisory can be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed.
All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.5 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect.