
Security Advisory Important: thunderbird security update

Advisory: RHSA-2013:0982-1
Type: Security Advisory
Severity: Important
Issued on: 2013-06-25
Last updated on: 2013-06-25
Affected Products:
    RHEL Optional Productivity Applications (v. 5 server)
    RHEL Optional Productivity Applications EUS (v. 5.9.z server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
    Red Hat Enterprise Linux Desktop (v. 6)
    Red Hat Enterprise Linux Server (v. 6)
    Red Hat Enterprise Linux Server AUS (v. 6.4)
    Red Hat Enterprise Linux Server EUS (v. 6.4.z)
    Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org):
    CVE-2013-1682
    CVE-2013-1684
    CVE-2013-1685
    CVE-2013-1686
    CVE-2013-1687
    CVE-2013-1690
    CVE-2013-1692
    CVE-2013-1693
    CVE-2013-1694
    CVE-2013-1697

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2013-1682,
CVE-2013-1684, CVE-2013-1685, CVE-2013-1686, CVE-2013-1687, CVE-2013-1690)

It was found that Thunderbird allowed data to be sent in the body of
XMLHttpRequest (XHR) HEAD requests. In some cases this could allow
attackers to conduct Cross-Site Request Forgery (CSRF) attacks.
(CVE-2013-1692)

Timing differences in the way Thunderbird processed SVG image files could
allow an attacker to read data across domains, potentially leading to
information disclosure. (CVE-2013-1693)

Two flaws were found in the way Thunderbird implemented some of its
internal structures (called wrappers). An attacker could use these flaws to
bypass some restrictions placed on them. This could lead to unexpected
behavior or a potentially exploitable crash. (CVE-2013-1694, CVE-2013-1697)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Gary Kwong, Jesse Ruderman, Andrew McCreight,
Abhishek Arya, Mariusz Mlynski, Nils, Johnathan Kuskos, Paul Stone, Boris
Zbarsky, and moz_bug_r_a4 as the original reporters of these issues.

Note: None of the above issues can be exploited by a specially-crafted
HTML mail message, because JavaScript is disabled by default for mail
messages. They could be exploited another way in Thunderbird, for example,
when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 17.0.7 ESR and corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
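
To confirm that hosts carry the fixed build, the installed thunderbird package can be compared against the versions listed under Updated packages. The following Python check is an added example, not part of the Red Hat advisory; the host names and inventory lines are constructed, and the version comparison is a simplified form of rpm's ordering that assumes no epoch and no tilde or caret markers.

```python
import re

# Fixed builds from this advisory, keyed by RHEL major taken from the dist tag.
FIXED = {"el5": ("17.0.7", "1.el5_9"), "el6": ("17.0.7", "1.el6_4")}

def rpmvercmp(a, b):
    """Simplified rpm ordering (no epoch, no ~ or ^): returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)  # separators such as . and _ are ignored
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)            # so that 10 sorts after 9
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer

def parse_nvra(nvra):
    """Split name-version-release.arch as printed by `rpm -q`."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def status(nvra):
    """Classify one installed-package line against the fixed builds."""
    name, version, release, _ = parse_nvra(nvra)
    if name != "thunderbird":
        return "not-applicable"          # e.g. thunderbird-debuginfo, firefox
    tag = re.search(r"\.(el\d+)", release)
    if not tag or tag.group(1) not in FIXED:
        return "unknown-release"         # not a RHEL 5 or 6 build
    fixed_version, fixed_release = FIXED[tag.group(1)]
    order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return "vulnerable" if order < 0 else "patched"

# Constructed inventory (host -> output of `rpm -q thunderbird`), not real data.
INVENTORY = {
    "desk-01": "thunderbird-17.0.6-1.el6_4.x86_64",
    "desk-02": "thunderbird-17.0.7-1.el6_4.x86_64",
    "desk-03": "thunderbird-10.0.12-3.el5_9.i386",
    "desk-04": "thunderbird-17.0.7-1.el5_9.i386",
}

def audit(inventory):
    return {host: status(nvra) for host, nvra in inventory.items()}

if __name__ == "__main__":
    for host, result in sorted(audit(INVENTORY).items()):
        print(host, result)
```

A host reported as patched still runs the old code until Thunderbird is restarted, as the advisory notes.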

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-17.0.7-1.el5_9.src.rpm
File outdated by:  RHSA-2013:1269
 
IA-32:
thunderbird-17.0.7-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-17.0.7-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
RHEL Optional Productivity Applications EUS (v. 5.9.z server)

SRPMS:
thunderbird-17.0.7-1.el5_9.src.rpm
File outdated by:  RHSA-2013:1269
 
IA-32:
thunderbird-17.0.7-1.el5_9.i386.rpm
File outdated by:  RHSA-2013:1269
thunderbird-debuginfo-17.0.7-1.el5_9.i386.rpm
File outdated by:  RHSA-2013:1269
 
x86_64:
thunderbird-17.0.7-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2013:1269
thunderbird-debuginfo-17.0.7-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2013:1269
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-17.0.7-1.el5_9.src.rpm
File outdated by:  RHSA-2013:1269
 
IA-32:
thunderbird-17.0.7-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el5_9.i386.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-17.0.7-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el5_9.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-17.0.7-1.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-17.0.7-1.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
 
PPC:
thunderbird-17.0.7-1.el6_4.ppc64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.ppc64.rpm
File outdated by:  RHSA-2014:0316
 
s390x:
thunderbird-17.0.7-1.el6_4.s390x.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.s390x.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
Red Hat Enterprise Linux Server AUS (v. 6.4)

SRPMS:
thunderbird-17.0.7-1.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
thunderbird-debuginfo-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
 
Red Hat Enterprise Linux Server EUS (v. 6.4.z)

SRPMS:
thunderbird-17.0.7-1.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2013:1480
thunderbird-debuginfo-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2013:1480
 
PPC:
thunderbird-17.0.7-1.el6_4.ppc64.rpm
File outdated by:  RHSA-2013:1480
thunderbird-debuginfo-17.0.7-1.el6_4.ppc64.rpm
File outdated by:  RHSA-2013:1480
 
s390x:
thunderbird-17.0.7-1.el6_4.s390x.rpm
File outdated by:  RHSA-2013:1480
thunderbird-debuginfo-17.0.7-1.el6_4.s390x.rpm
File outdated by:  RHSA-2013:1480
 
x86_64:
thunderbird-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
thunderbird-debuginfo-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2013:1480
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-17.0.7-1.el6_4.src.rpm
File outdated by:  RHSA-2014:0316
 
IA-32:
thunderbird-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.i686.rpm
File outdated by:  RHSA-2014:0316
 
x86_64:
thunderbird-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
thunderbird-debuginfo-17.0.7-1.el6_4.x86_64.rpm
File outdated by:  RHSA-2014:0316
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

977597 - CVE-2013-1682 Mozilla: Miscellaneous memory safety hazards (rv:17.0.7) (MFSA 2013-49)
977599 - CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 Mozilla: Memory corruption found using Address Sanitizer (MFSA 2013-50)
977600 - CVE-2013-1687 Mozilla: Privileged content access and execution via XBL (MFSA 2013-51)
977602 - CVE-2013-1690 Mozilla: Execution of unmapped memory through onreadystatechange event (MFSA 2013-53)
977603 - CVE-2013-1692 Mozilla: Data in the body of XHR HEAD requests leads to CSRF attacks (MFSA 2013-54)
977605 - CVE-2013-1693 Mozilla: SVG filters can lead to information disclosure (MFSA 2013-55)
977610 - CVE-2013-1694 Mozilla: PreserveWrapper has inconsistent behavior (MFSA 2013-56)
977614 - CVE-2013-1697 Mozilla: XrayWrappers can be bypassed to run user defined methods in a privileged context (MFSA 2013-59)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/