Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : thunderbird vulnerabilities (USN-2603-1)

Ubuntu Security Notice (C) 2015-2016 Canonical, Inc. / NASL script (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Jesse Ruderman, Mats Palmgren, Byron Campen, and Steve Fink discovered
multiple memory safety issues in Thunderbird. If a user were tricked
into opening a specially crafted message with scripting enabled, an
attacker could potentially exploit these to cause a denial of service
via application crash, or execute arbitrary code with the privileges
of the user invoking Thunderbird. (CVE-2015-2708)

Atte Kettunen discovered a buffer overflow during the rendering of SVG
content with certain CSS properties in some circumstances. If a user
were tricked into opening a specially crafted message with scripting
enabled, an attacker could potentially exploit this to cause a denial
of service via application crash, or execute arbitrary code with the
privileges of the user invoking Thunderbird. (CVE-2015-2710)

Scott Bell discovered a use-after-free during the processing of text
when vertical text is enabled. If a user were tricked into opening a
specially crafted message, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2015-2713)

Ucha Gobejishvili discovered a buffer overflow when parsing compressed
XML content. If a user were tricked into opening a specially crafted
message with scripting enabled, an attacker could potentially exploit
this to cause a denial of service via application crash, or execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2015-2716).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected thunderbird package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.5
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 83544

Bugtraq ID:

CVE ID: CVE-2015-2708
CVE-2015-2710
CVE-2015-2713
CVE-2015-2716
