Skip to navigation

Security Advisory Critical: thunderbird security update

Advisory: RHSA-2012:1089-1
Type: Security Advisory
Severity: Critical
Issued on: 2012-07-17
Last updated on: 2012-07-17
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server EUS (v. 6.3.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2012-1948
CVE-2012-1951
CVE-2012-1952
CVE-2012-1953
CVE-2012-1954
CVE-2012-1955
CVE-2012-1957
CVE-2012-1958
CVE-2012-1959
CVE-2012-1961
CVE-2012-1962
CVE-2012-1963
CVE-2012-1964
CVE-2012-1967

Details

An updated thunderbird package that fixes multiple security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having critical
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. (CVE-2012-1948,
CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958,
CVE-2012-1962, CVE-2012-1967)

Malicious content could bypass same-compartment security wrappers (SCSW)
and execute arbitrary code with chrome privileges. (CVE-2012-1959)

A flaw in the way Thunderbird called history.forward and history.back could
allow an attacker to conceal a malicious URL, possibly tricking a user
into believing they are viewing trusted content. (CVE-2012-1955)

A flaw in a parser utility class used by Thunderbird to parse feeds (such
as RSS) could allow an attacker to execute arbitrary JavaScript with the
privileges of the user running Thunderbird. This issue could have affected
other Thunderbird components or add-ons that assume the class returns
sanitized input. (CVE-2012-1957)

A flaw in the way Thunderbird handled X-Frame-Options headers could allow
malicious content to perform a clickjacking attack. (CVE-2012-1961)

A flaw in the way Content Security Policy (CSP) reports were generated by
Thunderbird could allow malicious content to steal a victim's OAuth 2.0
access tokens and OpenID credentials. (CVE-2012-1963)

A flaw in the way Thunderbird handled certificate warnings could allow a
man-in-the-middle attacker to create a crafted warning, possibly tricking
a user into accepting an arbitrary certificate as trusted. (CVE-2012-1964)

The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6
introduced a mitigation for the CVE-2011-3389 flaw. For compatibility
reasons, it remains disabled by default in the nss packages. This update
makes Thunderbird enable the mitigation by default. It can be disabled by
setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before
launching Thunderbird. (BZ#838879)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill
McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby
Holley, Mariusz Mlynski, Mario Heiderich, Frédéric Buclin, Karthikeyan
Bhargavan, and Matt McCutchen as the original reporters of these issues.

Note: None of the issues in this advisory can be exploited by a
specially-crafted HTML mail message as JavaScript is disabled by default
for mail messages. They could be exploited another way in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 10.0.6 ESR, which corrects these issues. After
installing the update, Thunderbird must be restarted for the changes to
take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

RHEL Optional Productivity Applications (v. 5 server)

SRPMS:
thunderbird-10.0.6-1.el5_8.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: 5c6d1c9b2b3fd82c1e81633279594f46
SHA-256: 072345e63a43a177b1fa6868b6daf0002afe3890154d5584bfc3be9bf4084087
 
IA-32:
thunderbird-10.0.6-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 0795747df50afe92f94462ea284487e4
SHA-256: 9e80020369f5392f4b8656bca5efa0e332bf1dbe583d83525aa985c5187254e0
thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 21085e2a6bbb6f3856c8af6921e7b72e
SHA-256: cda7412ad1b35e3be5ca71ab1b46bde870b422b58be87bb20908bfe06e27f44f
 
x86_64:
thunderbird-10.0.6-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 47b2f55a9f351d252a300b34c6d058bc
SHA-256: 2b7ff4ba64f4f5a846958834a62e6122cf891dd973c4bd01a8a3f7dfcb951318
thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 84dc62fa40af914b30bc19d79decebcb
SHA-256: acdc9b40997c17497e53bc360d85a1a30f0b444a933507aaf3f9e0b59329979b
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
thunderbird-10.0.6-1.el5_8.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: 5c6d1c9b2b3fd82c1e81633279594f46
SHA-256: 072345e63a43a177b1fa6868b6daf0002afe3890154d5584bfc3be9bf4084087
 
IA-32:
thunderbird-10.0.6-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 0795747df50afe92f94462ea284487e4
SHA-256: 9e80020369f5392f4b8656bca5efa0e332bf1dbe583d83525aa985c5187254e0
thunderbird-debuginfo-10.0.6-1.el5_8.i386.rpm
File outdated by:  RHSA-2014:0316
    MD5: 21085e2a6bbb6f3856c8af6921e7b72e
SHA-256: cda7412ad1b35e3be5ca71ab1b46bde870b422b58be87bb20908bfe06e27f44f
 
x86_64:
thunderbird-10.0.6-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 47b2f55a9f351d252a300b34c6d058bc
SHA-256: 2b7ff4ba64f4f5a846958834a62e6122cf891dd973c4bd01a8a3f7dfcb951318
thunderbird-debuginfo-10.0.6-1.el5_8.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 84dc62fa40af914b30bc19d79decebcb
SHA-256: acdc9b40997c17497e53bc360d85a1a30f0b444a933507aaf3f9e0b59329979b
 
Red Hat Enterprise Linux Desktop (v. 6)

SRPMS:
thunderbird-10.0.6-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: 571a9846e8230a32d80c5c7a2bc8e4d5
SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
 
IA-32:
thunderbird-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: a315bde4690bfb2aef15deafc6feaa39
SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: 8d4f7fd945950bd8f5008ebf30dcf757
SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020
 
x86_64:
thunderbird-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 439398c2ede5cee856f947c8519e2a4e
SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 951e079ab530e4198283d006e43c75a0
SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
 
Red Hat Enterprise Linux Server (v. 6)

SRPMS:
thunderbird-10.0.6-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: 571a9846e8230a32d80c5c7a2bc8e4d5
SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
 
IA-32:
thunderbird-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: a315bde4690bfb2aef15deafc6feaa39
SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: 8d4f7fd945950bd8f5008ebf30dcf757
SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020
 
PPC:
thunderbird-10.0.6-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 8fc7f0bd07a0493b5e2cfcbe5736f629
SHA-256: 5567040e200b695214f5d8628e5749724d98ddb33dbdd34042338fa3f3db96cd
thunderbird-debuginfo-10.0.6-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 356636a3294910f6e9f7ef097a8267ce
SHA-256: 6e285cfd12f055f85cab4c50ac3806024e174537f2818eb45c435fae03f521cc
 
s390x:
thunderbird-10.0.6-1.el6_3.s390x.rpm
File outdated by:  RHSA-2014:0316
    MD5: ff2e553e5881040d90c4fc6d6cd02933
SHA-256: a3fabb3916f0a8c200cc8e05a61b1a50faa6f78d4800b4ddaeaee352db5a7b81
thunderbird-debuginfo-10.0.6-1.el6_3.s390x.rpm
File outdated by:  RHSA-2014:0316
    MD5: b641d4ce797bdf01fffeda6912a0efd9
SHA-256: af02cb9999cd93aeb9bea0471b499adb12a00557e7288afebdd5842022799fbc
 
x86_64:
thunderbird-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 439398c2ede5cee856f947c8519e2a4e
SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 951e079ab530e4198283d006e43c75a0
SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
 
Red Hat Enterprise Linux Server EUS (v. 6.3.z)

SRPMS:
thunderbird-10.0.6-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: 571a9846e8230a32d80c5c7a2bc8e4d5
SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
 
IA-32:
thunderbird-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2013:0272
    MD5: a315bde4690bfb2aef15deafc6feaa39
SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2013:0272
    MD5: 8d4f7fd945950bd8f5008ebf30dcf757
SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020
 
PPC:
thunderbird-10.0.6-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2013:0272
    MD5: 8fc7f0bd07a0493b5e2cfcbe5736f629
SHA-256: 5567040e200b695214f5d8628e5749724d98ddb33dbdd34042338fa3f3db96cd
thunderbird-debuginfo-10.0.6-1.el6_3.ppc64.rpm
File outdated by:  RHSA-2013:0272
    MD5: 356636a3294910f6e9f7ef097a8267ce
SHA-256: 6e285cfd12f055f85cab4c50ac3806024e174537f2818eb45c435fae03f521cc
 
s390x:
thunderbird-10.0.6-1.el6_3.s390x.rpm
File outdated by:  RHSA-2013:0272
    MD5: ff2e553e5881040d90c4fc6d6cd02933
SHA-256: a3fabb3916f0a8c200cc8e05a61b1a50faa6f78d4800b4ddaeaee352db5a7b81
thunderbird-debuginfo-10.0.6-1.el6_3.s390x.rpm
File outdated by:  RHSA-2013:0272
    MD5: b641d4ce797bdf01fffeda6912a0efd9
SHA-256: af02cb9999cd93aeb9bea0471b499adb12a00557e7288afebdd5842022799fbc
 
x86_64:
thunderbird-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2013:0272
    MD5: 439398c2ede5cee856f947c8519e2a4e
SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2013:0272
    MD5: 951e079ab530e4198283d006e43c75a0
SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
 
Red Hat Enterprise Linux Workstation (v. 6)

SRPMS:
thunderbird-10.0.6-1.el6_3.src.rpm
File outdated by:  RHSA-2014:0316
    MD5: 571a9846e8230a32d80c5c7a2bc8e4d5
SHA-256: 9d830cedf646e979d65996982c160df0b8c79f6b2484329bca5e1cf9aed61fde
 
IA-32:
thunderbird-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: a315bde4690bfb2aef15deafc6feaa39
SHA-256: 905e86c42bf45580e29fd202f0c7ca6ba8c595f8759aa564967e941ad99aeb2f
thunderbird-debuginfo-10.0.6-1.el6_3.i686.rpm
File outdated by:  RHSA-2014:0316
    MD5: 8d4f7fd945950bd8f5008ebf30dcf757
SHA-256: eed6e57ec27f0cfc751779fd7005253bb025e3abddf8f33f9cb87f1d0d1a8020
 
x86_64:
thunderbird-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 439398c2ede5cee856f947c8519e2a4e
SHA-256: 087b17709aa498cf62aaf59034033c869fac2af1bd2a15ac9c84a7ea9ebdd5db
thunderbird-debuginfo-10.0.6-1.el6_3.x86_64.rpm
File outdated by:  RHSA-2014:0316
    MD5: 951e079ab530e4198283d006e43c75a0
SHA-256: 1e2b3b140dcdb73ff36dfdc2d785dd50d6bdf3ba085c1a86810e4daec4331ad4
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

838879 - Mozilla: Enable mitigation for CVE-2011-3389 (BEAST issue) in firefox/thunderbird
840201 - CVE-2012-1948 CVE-2012-1949 Mozilla: Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) (MFSA 2012-42)
840205 - CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 Mozilla: Gecko memory corruption (MFSA 2012-44)
840206 - CVE-2012-1955 Mozilla: Spoofing issue with location (MFSA 2012-45)
840208 - CVE-2012-1957 Mozilla: Improper filtering of javascript in HTML feed-view (MFSA 2012-47)
840211 - CVE-2012-1958 Mozilla: use-after-free in nsGlobalWindow::PageHidden (MFSA 2012-48)
840212 - CVE-2012-1959 Mozilla: Same-compartment Security Wrappers can be bypassed (MFSA 2012-49)
840214 - CVE-2012-1961 Mozilla: X-Frame-Options header ignored when duplicated (MFSA 2012-51)
840215 - CVE-2012-1962 Mozilla: JSDependentString::undepend string conversion results in memory corruption (MFSA 2012-52)
840220 - CVE-2012-1963 Mozilla: Content Security Policy 1.0 implementation errors cause data leakage (MFSA 2012-53)
840222 - CVE-2012-1964 Mozilla: Clickjacking of certificate warning page (MFSA 2012-54)
840259 - CVE-2012-1967 Mozilla: Code execution through javascript: URLs (MFSA 2012-56)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/