Security Advisory Critical: thunderbird security update

Advisory: RHSA-2012:0388-1
Type: Security Advisory
Severity: Critical
Issued on: 2012-03-14
Last updated on: 2012-03-14
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.2)
Red Hat Enterprise Linux Server EUS (v. 6.2.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2012-0451
CVE-2012-0455
CVE-2012-0456
CVE-2012-0457
CVE-2012-0458
CVE-2012-0459
CVE-2012-0460
CVE-2012-0461
CVE-2012-0462
CVE-2012-0464

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-0461,
CVE-2012-0462, CVE-2012-0464)

Two flaws were found in the way Thunderbird parsed certain Scalable Vector
Graphics (SVG) image files. An HTML mail message containing a malicious SVG
image file could cause an information leak, or cause Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running Thunderbird. (CVE-2012-0456, CVE-2012-0457)

A flaw could allow malicious content to bypass intended restrictions,
possibly leading to a cross-site scripting (XSS) attack if a user were
tricked into dropping a "javascript:" link onto a frame. (CVE-2012-0455)

It was found that the home page could be set to a "javascript:" link. If a
user were tricked into setting such a home page by dragging a link to the
home button, it could cause Firefox to repeatedly crash, eventually leading
to arbitrary code execution with the privileges of the user running
Firefox. A similar flaw was found and fixed in Thunderbird. (CVE-2012-0458)

A flaw was found in the way Thunderbird parsed certain remote content
containing "cssText". Malicious remote content could cause Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running Thunderbird. (CVE-2012-0459)

It was found that by using the DOM fullscreen API, untrusted content could
bypass the mozRequestFullscreen security protections. Malicious content
could exploit this API flaw to cause user interface spoofing.
(CVE-2012-0460)

A flaw was found in the way Thunderbird handled content with multiple
Content Security Policy (CSP) headers. This could lead to a cross-site
scripting attack if used in conjunction with a website that has a header
injection flaw. (CVE-2012-0451)

Note: None of these issues except CVE-2012-0456 and CVE-2012-0457 can be
exploited by a specially crafted HTML mail message, because JavaScript is
disabled by default for mail messages. They could, however, be exploited in
another way in Thunderbird, for example when viewing the full remote content
of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.3 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
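One way to confirm a host is at or beyond the fixed package level after applying the update, as an added example that is not Red Hat's tooling: it compares the installed thunderbird version-release (as printed by `rpm -q`) against the fixed versions this advisory ships, 10.0.3-1.el5_8 and 10.0.3-1.el6_2. The version comparison is a simplified reimplementation of rpm's segment rules (an assumption, not a call into librpm), which is sufficient for the strings involved here.

```python
"""Check an installed thunderbird RPM against the fixed versions in
RHSA-2012:0388 (10.0.3-1.el5_8 for RHEL 5, 10.0.3-1.el6_2 for RHEL 6).

Added example; not Red Hat tooling. rpmvercmp() is a simplified
reimplementation of rpm's segment comparison rules (assumption: it does
not call into librpm), sufficient for the version strings involved.
"""
import re
import subprocess

# Fixed version-release strings named in the advisory, keyed by dist tag.
FIXED = {"el5_8": "10.0.3-1.el5_8", "el6_2": "10.0.3-1.el6_2"}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")   # rpm splits on non-alphanumerics
_DIST = re.compile(r"el[0-9]+_[0-9]+")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 as version/release string a is older/equal/newer than b."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment beats alpha
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # longer string wins


def is_patched(version_release):
    """version_release as printed by: rpm -q --qf '%{VERSION}-%{RELEASE}' thunderbird

    Returns True/False, or None when the dist tag is not one this advisory covers."""
    ver, rel = version_release.split("-", 1)
    m = _DIST.search(rel)
    fixed = FIXED.get(m.group(0)) if m else None
    if fixed is None:
        return None
    fver, frel = fixed.split("-", 1)
    c = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)   # release decides on equal version
    return c >= 0


def installed_version_release(pkg="thunderbird"):
    """Query rpm on the local host (only meaningful on an RPM-based system)."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", pkg],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    vr = installed_version_release()
    state = {True: "patched", False: "VULNERABLE", None: "not covered"}[is_patched(vr)]
    print(f"thunderbird {vr}: {state} for RHSA-2012:0388")
```

Before installing a downloaded package, `rpm -K` on the .rpm checks the GPG signature referenced at the end of this advisory; the version check above does not replace that step.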

Updated packages


Bugs fixed (see bugzilla for more information)

803109 - CVE-2012-0461 CVE-2012-0462 CVE-2012-0464 Mozilla: Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28) (MFSA 2012-19)
803111 - CVE-2012-0460 Mozilla: window.fullScreen writeable by untrusted content (MFSA 2012-18)
803112 - CVE-2012-0459 Mozilla: Crash when accessing keyframe cssText after dynamic modification (MFSA 2012-17)
803113 - CVE-2012-0458 Mozilla: Escalation of privilege with Javascript: URL as home page (MFSA 2012-16)
803114 - CVE-2012-0451 Mozilla: XSS with multiple Content Security Policy headers (MFSA 2012-15)
803116 - CVE-2012-0456 CVE-2012-0457 Mozilla: SVG issues found with Address Sanitizer (MFSA 2012-14)
803119 - CVE-2012-0455 Mozilla: XSS with Drag and Drop and Javascript: URL (MFSA 2012-13)

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/