Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : thunderbird vulnerabilities (USN-1510-1)

Ubuntu Security Notice (C) 2012-2014 Canonical, Inc. / NASL script (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Benoit Jacob, Jesse Ruderman, Christian Holler, Bill McCloskey, Brian
Smith, Gary Kwong, Christoph Diehl, Chris Jones, Brad Lassey, and Kyle
Huey discovered memory safety issues affecting Thunderbird. If the
user were tricked into opening a specially crafted page, an attacker
could possibly exploit these to cause a denial of service via
application crash, or potentially execute code with the privileges of
the user invoking Thunderbird. (CVE-2012-1948, CVE-2012-1949)

Abhishek Arya discovered four memory safety issues affecting
Thunderbird. If the user were tricked into opening a specially crafted
page, an attacker could possibly exploit these to cause a denial of
service via application crash, or potentially execute code with the
privileges of the user invoking Thunderbird. (CVE-2012-1951,
CVE-2012-1952, CVE-2012-1953, CVE-2012-1954)

Mariusz Mlynski discovered that the address bar may be incorrectly
updated. Calls to history.forward and history.back could be used to
navigate to a site while the address bar still displayed the previous
site. A remote attacker could exploit this to conduct phishing
attacks. (CVE-2012-1955)

Mario Heiderich discovered that HTML <embed> tags were not filtered
out of the HTML <description> of RSS feeds. A remote attacker could
exploit this to conduct cross-site scripting (XSS) attacks via
JavaScript execution in the HTML feed view. (CVE-2012-1957)

Arthur Gerkis discovered a use-after-free vulnerability. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit this to cause a denial of service via application
crash, or potentially execute code with the privileges of the user
invoking Thunderbird. (CVE-2012-1958)

Bobby Holley discovered that same-compartment security wrappers (SCSW)
could be bypassed to allow XBL access. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit
this to execute code with the privileges of the user invoking
Thunderbird. (CVE-2012-1959)

Tony Payne discovered an out-of-bounds memory read in Mozilla's color
management library (QCMS). If the user were tricked into opening a
specially crafted color profile, an attacker could possibly exploit
this to cause a denial of service via application crash.
(CVE-2012-1960)

Frédéric Buclin discovered that the X-Frame-Options header was
ignored when its value was specified multiple times. An attacker could
exploit this to conduct clickjacking attacks. (CVE-2012-1961)

Bill Keese discovered a memory corruption vulnerability. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit this to cause a denial of service via application
crash, or potentially execute code with the privileges of the user
invoking Thunderbird. (CVE-2012-1962)

Karthikeyan Bhargavan discovered an information leakage vulnerability
in the Content Security Policy (CSP) 1.0 implementation. If the user
were tricked into opening a specially crafted page, an attacker could
possibly exploit this to access a user's OAuth 2.0 access tokens and
OpenID credentials. (CVE-2012-1963)

It was discovered that the execution of javascript: URLs was not
properly handled in some cases. A remote attacker could exploit this
to execute code with the privileges of the user invoking Thunderbird.
(CVE-2012-1967).

Solution :

Update the affected thunderbird package.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false