Security Advisory Critical: thunderbird security update

Advisory: RHSA-2012:1483-1
Type: Security Advisory
Severity: Critical
Issued on: 2012-11-20
Last updated on: 2012-11-20
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.3.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2012-4201
CVE-2012-4202
CVE-2012-4207
CVE-2012-4209
CVE-2012-4214
CVE-2012-4215
CVE-2012-4216
CVE-2012-5829
CVE-2012-5830
CVE-2012-5833
CVE-2012-5835
CVE-2012-5839
CVE-2012-5840
CVE-2012-5841
CVE-2012-5842

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-4214,
CVE-2012-4215, CVE-2012-4216, CVE-2012-5829, CVE-2012-5830, CVE-2012-5833,
CVE-2012-5835, CVE-2012-5839, CVE-2012-5840, CVE-2012-5842)

A buffer overflow flaw was found in the way Thunderbird handled GIF
(Graphics Interchange Format) images. Content containing a malicious GIF
image could cause Thunderbird to crash or, possibly, execute arbitrary code
with the privileges of the user running Thunderbird. (CVE-2012-4202)

A flaw was found in the way Thunderbird decoded the HZ-GB-2312 character
encoding. Malicious content could cause Thunderbird to run JavaScript code
with the permissions of different content. (CVE-2012-4207)

A flaw was found in the location object implementation in Thunderbird.
Malicious content could possibly use this flaw to allow restricted content
to be loaded by plug-ins. (CVE-2012-4209)

A flaw was found in the way cross-origin wrappers were implemented.
Malicious content could use this flaw to perform cross-site scripting
attacks. (CVE-2012-5841)

A flaw was found in the evalInSandbox implementation in Thunderbird.
Malicious content could use this flaw to perform cross-site scripting
attacks. (CVE-2012-4201)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Abhishek Arya, miaubiz, Jesse Ruderman, Andrew
McCreight, Bob Clary, Kyle Huey, Atte Kettunen, Masato Kinugawa, Mariusz
Mlynski, Bobby Holley, and moz_bug_r_a4 as the original reporters of
these issues.

Note: None of these issues except CVE-2012-4202 can be exploited by a
specially-crafted HTML mail message, because JavaScript is disabled by
default for mail messages. They could be exploited another way in
Thunderbird, for example, when viewing the full remote content of an RSS
feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.11 ESR, which corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
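A host-side check for this advisory, added here as an example and not part of Red Hat's advisory: it takes the VERSION-RELEASE string that `rpm -q` prints for the thunderbird package and reports whether the host is still missing the 10.0.11-1 build named above (both the el5_8 and el6_3 builds share that VERSION-RELEASE). The function names are my own, and the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Fixed builds named in RHSA-2012:1483: thunderbird-10.0.11-1.el5_8 (RHEL 5)
# and thunderbird-10.0.11-1.el6_3 (RHEL 6). Both share VERSION-RELEASE 10.0.11-1.
FIXED_VERSION="10.0.11"
FIXED_RELEASE="1"

# Compare two dotted numeric version strings; prints -1, 0 or 1.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop a trailing tag such as "esr"
    if [ -z "$x" ]; then x=0; fi
    if [ -z "$y" ]; then y=0; fi
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
    case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
  done
  echo 0
}

# Argument: the string printed by  rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird
# e.g. a constructed "10.0.9-1.el6_3" (exposed) or "10.0.11-1.el6_3" (fixed).
# Exit status: 0 = fix present, 1 = still exposed, 2 = thunderbird not installed.
thunderbird_patched() {
  vr=$1
  case $vr in
    ""|package*"not installed"*) return 2 ;;
  esac
  version=${vr%%-*}
  release=${vr#*-}; release=${release%%[!0-9]*}   # "1.el6_3" -> "1"
  if [ -z "$release" ]; then release=0; fi
  case $(vercmp "$version" "$FIXED_VERSION") in
    -1) return 1 ;;
     1) return 0 ;;
  esac
  [ "$release" -ge "$FIXED_RELEASE" ]
}

# Query the local RPM database and report; harmless on hosts without rpm.
main() {
  out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird 2>/dev/null || true)
  rc=0; thunderbird_patched "$out" || rc=$?
  case $rc in
    0) echo "OK: thunderbird $out carries RHSA-2012:1483" ;;
    1) echo "VULNERABLE: thunderbird $out predates 10.0.11-1; apply RHSA-2012:1483" ;;
    *) echo "thunderbird is not installed on this host" ;;
  esac
}
main
```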

Updated packages


Bugs fixed (see bugzilla for more information)

877614 - CVE-2012-5842 Mozilla: Miscellaneous memory safety hazards (rv:10.0.11) (MFSA 2012-91)
877615 - CVE-2012-4202 Mozilla: Buffer overflow while rendering GIF images (MFSA 2012-92)
877616 - CVE-2012-4201 Mozilla: evalInSandbox location context incorrectly applied (MFSA 2012-93)
877628 - CVE-2012-5841 Mozilla: Improper security filtering for cross-origin wrappers (MFSA 2012-100)
877629 - CVE-2012-4207 Mozilla: Improper character decoding in HZ-GB-2312 charset (MFSA 2012-101)
877632 - CVE-2012-4209 Mozilla: Frames can shadow top.location (MFSA 2012-103)
877634 - CVE-2012-4214 CVE-2012-4215 CVE-2012-4216 CVE-2012-5829 CVE-2012-5839 CVE-2012-5840 Mozilla: Use-after-free and buffer overflow issues found using Address Sanitizer (MFSA 2012-105)
877635 - CVE-2012-5830 CVE-2012-5833 CVE-2012-5835 Mozilla: Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer (MFSA 2012-106)

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/