Ubuntu Security Notice USN-668-1
25th November, 2008
mozilla-thunderbird, thunderbird vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 8.10
- Ubuntu 8.04 LTS
- Ubuntu 7.10
- Ubuntu 6.06 LTS
Georgi Guninski, Michal Zalewski and Chris Evans discovered that the same-origin
check in Thunderbird could be bypassed. If a user were tricked into opening a
malicious website, an attacker could obtain private information from data
stored in the images, or discover information about software on the user's
Jesse Ruderman discovered that Thunderbird did not properly guard locks on
opening malicious web content, an attacker could cause a browser crash and
possibly execute arbitrary code with user privileges. (CVE-2008-5014)
crash Thunderbird and possibly execute arbitrary code with user privileges.
(CVE-2008-5016, CVE-2008-5017, CVE-2008-5018)
A flaw was discovered in Thunderbird's DOM constructing code. If a user were
attacker could cause the browser to crash and potentially execute arbitrary
code with user privileges. (CVE-2008-5021)
It was discovered that the same-origin check in Thunderbird could be bypassed.
Chris Evans discovered that Thunderbird did not properly parse E4X documents,
leading to quote characters in the namespace not being properly escaped.
Boris Zbarsky discovered that Thunderbird did not properly process comments in
malicious email, an attacker may be able to obtain information about the
The problem can be corrected by updating your system to the following package version:
- Ubuntu 8.10:
  - thunderbird 126.96.36.199+nobinonly-0ubuntu0.8.10.1
- Ubuntu 8.04 LTS:
  - thunderbird 188.8.131.52+nobinonly-0ubuntu0.8.04.1
- Ubuntu 7.10:
  - thunderbird 184.108.40.206+nobinonly-0ubuntu0.7.10.1
- Ubuntu 6.06 LTS:
  - mozilla-thunderbird 220.127.116.11+18.104.22.168~prepatch080614h-0ubuntu0.6.06.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.