Security Advisory Important: thunderbird security update

Advisory: RHSA-2014:0133-1
Type: Security Advisory
Severity: Important
Issued on: 2014-02-04
Last updated on: 2014-02-04
Affected Products: RHEL Optional Productivity Applications (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop (v. 6)
Red Hat Enterprise Linux Server (v. 6)
Red Hat Enterprise Linux Server AUS (v. 6.5)
Red Hat Enterprise Linux Server EUS (v. 6.5.z)
Red Hat Enterprise Linux Workstation (v. 6)
CVEs (cve.mitre.org): CVE-2014-1477
CVE-2014-1479
CVE-2014-1481
CVE-2014-1482
CVE-2014-1486
CVE-2014-1487

Details

An updated thunderbird package that fixes several security issues is now
available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

Several flaws were found in the processing of malformed content.
Malicious content could cause Thunderbird to crash or, potentially, execute
arbitrary code with the privileges of the user running Thunderbird.
(CVE-2014-1477, CVE-2014-1482, CVE-2014-1486)

A flaw was found in the way Thunderbird handled error messages related to
web workers. An attacker could use this flaw to bypass the same-origin
policy, which could lead to cross-site scripting (XSS) attacks, or could
potentially be used to gather authentication tokens and other data from
third-party websites. (CVE-2014-1487)

A flaw was found in the implementation of System Only Wrappers (SOW).
An attacker could use this flaw to crash Thunderbird. When combined with
other vulnerabilities, this flaw could have additional security
implications. (CVE-2014-1479)

It was found that the Thunderbird JavaScript engine incorrectly handled
window objects. A remote attacker could use this flaw to bypass certain
security checks and possibly execute arbitrary code. (CVE-2014-1481)

Red Hat would like to thank the Mozilla project for reporting these issues.
Upstream acknowledges Christian Holler, Terrence Cole, Jesse Ruderman, Gary
Kwong, Eric Rescorla, Jonathan Kew, Dan Gohman, Ryan VanderMeulen, Sotaro
Ikeda, Cody Crews, Fredrik "Flonka" Lönnqvist, Arthur Gerkis, Masato
Kinugawa, and Boris Zbarsky as the original reporters of these issues.

Note: None of the above issues can be exploited by a specially crafted
HTML mail message, as JavaScript is disabled by default for mail messages.
They could, however, be exploited in other ways in Thunderbird, for
example, when viewing the full remote content of an RSS feed.

For technical details regarding these flaws, refer to the Mozilla security
advisories for Thunderbird 24.3.0. You can find a link to the Mozilla
advisories in the References section of this erratum.

All Thunderbird users should upgrade to this updated package, which
contains Thunderbird version 24.3.0 and corrects these issues.
After installing the update, Thunderbird must be restarted for the changes
to take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258
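As an added example (not part of the Red Hat erratum), the following POSIX shell script checks whether the installed thunderbird package is at or above the fixed build this advisory ships (24.3.0 release 2, i.e. 24.3.0-2.el5_10 on RHEL 5 and 24.3.0-2.el6_5 on RHEL 6) and verifies the Red Hat GPG signature on a downloaded RPM before installation. It assumes the `rpm` tool is present; the version-comparison logic itself runs on any system.

```shell
#!/bin/sh
# Added example: verify that RHSA-2014:0133 is applied. Fixed version and
# release number are taken from the advisory; everything else is assumed.
FIXED_VERSION="24.3.0"
FIXED_RELEASE="2"

# vercmp A B: print -1, 0 or 1 comparing dotted numeric version strings
# (missing trailing components count as 0, so 24.3 == 24.3.0).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# is_patched "<version>-<release>", e.g. "24.3.0-2.el6_5": exit 0 if the
# build is the fixed one or newer, 1 if it is still vulnerable.
is_patched() {
  ver=${1%%-*}           # "24.3.0"
  rel=${1#*-}            # "2.el6_5"
  relnum=${rel%%.*}      # "2" (leading numeric part of the release)
  case $(vercmp "$ver" "$FIXED_VERSION") in
    1)  return 0 ;;
    -1) return 1 ;;
  esac
  [ "$relnum" -ge "$FIXED_RELEASE" ]
}

# Query the live RPM database (RHEL 5/6) and report the result.
check_system() {
  installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird 2>/dev/null) \
    || { echo "thunderbird is not installed"; return 0; }
  if is_patched "$installed"; then
    echo "thunderbird $installed: RHSA-2014:0133 (or later) applied"
  else
    echo "thunderbird $installed: VULNERABLE, apply RHSA-2014:0133"
    return 1
  fi
}

# Check the Red Hat GPG signature on a downloaded package before installing it
# (the Red Hat key must already be imported into the RPM keyring).
verify_rpm_signature() { rpm -K "$1"; }
```

Run `check_system` on a host to get a one-line verdict; a non-zero exit status means the fixed build is not installed.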

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

1046167 - Thunderbird 24.2 no longer launches default browser for web links
1060938 - CVE-2014-1477 Mozilla: Miscellaneous memory safety hazards (rv:24.3) (MFSA 2014-01)
1060940 - CVE-2014-1479 Mozilla: Clone protected content with XBL scopes (MFSA 2014-02)
1060942 - CVE-2014-1482 Mozilla: Incorrect use of discarded images by RasterImage (MFSA 2014-04)
1060945 - CVE-2014-1486 Mozilla: Use-after-free with imgRequestProxy and image processing (MFSA 2014-08)
1060947 - CVE-2014-1487 Mozilla: Cross-origin information leak through web workers (MFSA 2014-09)
1060952 - CVE-2014-1481 Mozilla: Inconsistent JavaScript handling of access to Window objects (MFSA 2014-13)


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/