Red Hat Security Advisory: thunderbird security update Security Advisory secalert@redhat.com Red Hat Security Response Team RHSA-2012:1089 Final 1 1 2012-07-17T18:01:00Z Current version 2012-07-17T18:01:00Z 2012-07-17T18:01:00Z Red Hat rhsa-to-cvrf 1.0.1484 2012-07-17T18:58:02Z An updated thunderbird package that fixes multiple security issues is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2012-1948, CVE-2012-1951, CVE-2012-1952, CVE-2012-1953, CVE-2012-1954, CVE-2012-1958, CVE-2012-1962, CVE-2012-1967) Malicious content could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges. (CVE-2012-1959) A flaw in the way Thunderbird called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing trusted content. (CVE-2012-1955) A flaw in a parser utility class used by Thunderbird to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Thunderbird. This issue could have affected other Thunderbird components or add-ons that assume the class returns sanitized input. (CVE-2012-1957) A flaw in the way Thunderbird handled X-Frame-Options headers could allow malicious content to perform a clickjacking attack. (CVE-2012-1961) A flaw in the way Content Security Policy (CSP) reports were generated by Thunderbird could allow malicious content to steal a victim's OAuth 2.0 access tokens and OpenID credentials. (CVE-2012-1963) A flaw in the way Thunderbird handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted. (CVE-2012-1964) The nss update RHBA-2012:0337 for Red Hat Enterprise Linux 5 and 6 introduced a mitigation for the CVE-2011-3389 flaw. For compatibility reasons, it remains disabled by default in the nss packages. This update makes Thunderbird enable the mitigation by default. It can be disabled by setting the NSS_SSL_CBC_RANDOM_IV environment variable to 0 before launching Thunderbird. (BZ#838879) Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Abhishek Arya, Arthur Gerkis, Bill Keese, moz_bug_r_a4, Bobby Holley, Mariusz Mlynski, Mario Heiderich, Frédéric Buclin, Karthikeyan Bhargavan, and Matt McCutchen as the original reporters of these issues. Note: None of the issues in this advisory can be exploited by a specially-crafted HTML mail message as JavaScript is disabled by default for mail messages. They could be exploited another way in Thunderbird, for example, when viewing the full remote content of an RSS feed. All Thunderbird users should upgrade to this updated package, which contains Thunderbird version 10.0.6 ESR, which corrects these issues. After installing the update, Thunderbird must be restarted for the changes to take effect. Please see https://www.redhat.com/footer/terms-of-use.html Copyright © 2012 Red Hat, Inc. All rights reserved. Critical https://rhn.redhat.com/errata/RHSA-2012-1089.html https://rhn.redhat.com/errata/RHSA-2012-1089.html https://access.redhat.com/security/updates/classification/#critical https://access.redhat.com/security/updates/classification/#critical https://rhn.redhat.com/errata/RHBA-2012-0337.html https://rhn.redhat.com/errata/RHBA-2012-0337.html https://bugzilla.redhat.com/show_bug.cgi?id=838879 https://bugzilla.redhat.com/show_bug.cgi?id=838879 Red Hat Enterprise Linux Desktop (v. 5 client) RHEL Optional Productivity Applications (v. 5 server) Red Hat Enterprise Linux Workstation (v. 6) Red Hat Enterprise Linux Desktop (v. 6) Red Hat Enterprise Linux Server Optional (v. 6) thunderbird-10.0.6-1.el5_8.src.rpm thunderbird-10.0.6-1.el6_3.src.rpm thunderbird-10.0.6-1.el5_8 as a component of Red Hat Enterprise Linux Desktop (v. 5 client) thunderbird-10.0.6-1.el5_8 as a component of RHEL Optional Productivity Applications (v. 5 server) thunderbird-10.0.6-1.el6_3 as a component of Red Hat Enterprise Linux Workstation (v. 6) thunderbird-10.0.6-1.el6_3 as a component of Red Hat Enterprise Linux Desktop (v. 6) thunderbird-10.0.6-1.el6_3 as a component of Red Hat Enterprise Linux Server Optional (v. 6) Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1948 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1948.html CVE-2012-1948 https://bugzilla.redhat.com/show_bug.cgi?id=840201 bz#840201: CVE-2012-1948 CVE-2012-1949 Mozilla: Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6) (MFSA 2012-42) Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1951 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1951.html CVE-2012-1951 Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Google security researcher Abhishek Arya as the original reporter of this issue. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1952 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1952.html CVE-2012-1952 Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Google security researcher Abhishek Arya as the original reporter of this issue. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1953 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1953.html CVE-2012-1953 Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Google security researcher Abhishek Arya as the original reporter of this issue. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1954 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1954.html CVE-2012-1954 https://bugzilla.redhat.com/show_bug.cgi?id=840205 bz#840205: CVE-2012-1951 CVE-2012-1952 CVE-2012-1953 CVE-2012-1954 Mozilla: Gecko memory corruption (MFSA 2012-44) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Google security researcher Abhishek Arya as the original reporter of this issue. A flaw in the way Thunderbird called history.forward and history.back could allow an attacker to conceal a malicious URL, possibly tricking a user into believing they are viewing trusted content. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1955 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1955.html CVE-2012-1955 https://bugzilla.redhat.com/show_bug.cgi?id=840206 bz#840206: CVE-2012-1955 Mozilla: Spoofing issue with location (MFSA 2012-45) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security researcher Mariusz Mlynski as the original reporter of this issue. A flaw in a parser utility class used by Thunderbird to parse feeds (such as RSS) could allow an attacker to execute arbitrary JavaScript with the privileges of the user running Thunderbird. This issue could have affected other Thunderbird components or add-ons that assume the class returns sanitized input. 2012-07-12T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1957 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1957.html CVE-2012-1957 https://bugzilla.redhat.com/show_bug.cgi?id=840208 bz#840208: CVE-2012-1957 Mozilla: Improper filtering of javascript in HTML feed-view (MFSA 2012-47) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security researcher Mario Heiderich as the original reporter of this issue. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1958 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1958.html CVE-2012-1958 https://bugzilla.redhat.com/show_bug.cgi?id=840211 bz#840211: CVE-2012-1958 Mozilla: use-after-free in nsGlobalWindow::PageHidden (MFSA 2012-48) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security researcher Arthur Gerkis as the original reporter of this flaw. Malicious content could bypass same-compartment security wrappers (SCSW) and execute arbitrary code with chrome privileges. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1959 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1959.html CVE-2012-1959 https://bugzilla.redhat.com/show_bug.cgi?id=840212 bz#840212: CVE-2012-1959 Mozilla: Same-compartment Security Wrappers can be bypassed (MFSA 2012-49) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Mozilla developer Bobby Holley as the original reporter of this issue. A flaw in the way Thunderbird handled X-Frame-Options headers could allow malicious content to perform a clickjacking attack. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1961 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1961.html CVE-2012-1961 https://bugzilla.redhat.com/show_bug.cgi?id=840214 bz#840214: CVE-2012-1961 Mozilla: X-Frame-Options header ignored when duplicated (MFSA 2012-51) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Mozilla developer Frédéric Buclin as the original reporter of this issue. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1962 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1962.html CVE-2012-1962 https://bugzilla.redhat.com/show_bug.cgi?id=840215 bz#840215: CVE-2012-1962 Mozilla: JSDependentString::undepend string conversion results in memory corruption (MFSA 2012-52) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security researcher Bill Keese as the original reporter of this issue. A flaw in the way Content Security Policy (CSP) reports were generated by Thunderbird could allow malicious content to steal a victim's OAuth 2.0 access tokens and OpenID credentials. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1963 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1963.html CVE-2012-1963 https://bugzilla.redhat.com/show_bug.cgi?id=840220 bz#840220: CVE-2012-1963 Mozilla: Content Security Policy 1.0 implementation errors cause data leakage (MFSA 2012-53) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security researcher Karthikeyan Bhargavan of Prosecco at INRIA as the original reporter of this flaw. A flaw in the way Thunderbird handled certificate warnings could allow a man-in-the-middle attacker to create a crafted warning, possibly tricking a user into accepting an arbitrary certificate as trusted. 2012-07-14T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1964 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1964.html CVE-2012-1964 https://bugzilla.redhat.com/show_bug.cgi?id=840222 bz#840222: CVE-2012-1964 Mozilla: Clickjacking of certificate warning page (MFSA 2012-54) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges Security Researcher Matt McCutchen for reporting this issue. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. 2012-07-15T00:00:00Z 2012-07-17T00:00:00Z CVE-2012-1967 5Client-5.8.Z:thunderbird-10.0.6-1.el5_8 5Server-DPAS-5.8.Z:thunderbird-10.0.6-1.el5_8 6Client-6.3.z:thunderbird-10.0.6-1.el6_3 6Server-optional-6.3.z:thunderbird-10.0.6-1.el6_3 6Workstation-6.3.z:thunderbird-10.0.6-1.el6_3 Critical 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 https://rhn.redhat.com/errata/RHSA-2012-1089.html https://www.redhat.com/security/data/cve/CVE-2012-1967.html CVE-2012-1967 https://bugzilla.redhat.com/show_bug.cgi?id=840259 bz#840259: CVE-2012-1967 Mozilla: Code execution through javascript: URLs (MFSA 2012-56) Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter of this issue.