Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-3165-1: Thunderbird vulnerabilities

28 January 2017

Several security issues were fixed in Thunderbird.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10
Ubuntu 16.04
Ubuntu 14.04
Ubuntu 12.04

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

Related notices

  • USN-3155-1: firefox-locale-hy, firefox-locale-or, firefox-globalmenu, firefox-locale-si, firefox-locale-lt, firefox-locale-el, firefox-locale-en, firefox-locale-sq, firefox-locale-cak, firefox-locale-is, firefox-locale-zu, firefox-locale-ca, firefox-locale-ko, firefox-locale-pt, firefox-locale-an, firefox-locale-sr, firefox-locale-cs, firefox, firefox-locale-id, firefox-locale-lg, firefox-locale-kn, firefox-locale-sk, firefox-locale-xh, firefox-locale-uk, firefox-locale-mn, firefox-locale-mr, firefox-locale-bg, firefox-locale-ms, firefox-locale-sw, firefox-locale-sv, firefox-mozsymbols, firefox-locale-br, firefox-locale-hi, firefox-locale-it, firefox-locale-bn, firefox-dev, firefox-locale-tr, firefox-locale-pa, firefox-locale-ml, firefox-locale-es, firefox-locale-uz, firefox-locale-te, firefox-locale-zh-hant, firefox-locale-vi, firefox-locale-oc, firefox-locale-hr, firefox-locale-ro, firefox-locale-be, firefox-locale-gu, firefox-locale-da, firefox-locale-af, firefox-locale-kk, firefox-locale-th, firefox-locale-gl, firefox-locale-ast, firefox-locale-nb, firefox-locale-bs, firefox-locale-et, firefox-locale-ar, firefox-locale-fy, firefox-locale-zh-hans, firefox-locale-nso, firefox-locale-he, firefox-locale-mk, firefox-locale-ta, firefox-locale-gd, firefox-locale-fa, firefox-locale-az, firefox-locale-fr, firefox-locale-mai, firefox-locale-hsb, firefox-locale-nl, firefox-locale-eu, firefox-locale-csb, firefox-locale-lv, firefox-locale-de, firefox-locale-fi, firefox-locale-nn, firefox-locale-sl, firefox-locale-eo, firefox-locale-ja, firefox-locale-cy, firefox-locale-km, firefox-testsuite, firefox-locale-pl, firefox-locale-hu, firefox-locale-ga, firefox-locale-ru, firefox-locale-gn, firefox-locale-ka, firefox-locale-ku, firefox-locale-as
  • USN-3175-1: firefox-locale-hy, firefox-locale-or, firefox-globalmenu, firefox-locale-si, firefox-locale-lt, firefox-locale-el, firefox-locale-en, firefox-locale-sq, firefox-locale-cak, firefox-locale-is, firefox-locale-zu, firefox-locale-ca, firefox-locale-ko, firefox-locale-pt, firefox-locale-an, firefox-locale-sr, firefox-locale-cs, firefox, firefox-locale-id, firefox-locale-lg, firefox-locale-kn, firefox-locale-sk, firefox-locale-xh, firefox-locale-uk, firefox-locale-mn, firefox-locale-mr, firefox-locale-bg, firefox-locale-ms, firefox-locale-sw, firefox-locale-sv, firefox-mozsymbols, firefox-locale-br, firefox-locale-hi, firefox-locale-it, firefox-locale-bn, firefox-dev, firefox-locale-tr, firefox-locale-pa, firefox-locale-ml, firefox-locale-es, firefox-locale-uz, firefox-locale-te, firefox-locale-zh-hant, firefox-locale-vi, firefox-locale-oc, firefox-locale-hr, firefox-locale-ro, firefox-locale-be, firefox-locale-gu, firefox-locale-da, firefox-locale-af, firefox-locale-kk, firefox-locale-th, firefox-locale-gl, firefox-locale-ast, firefox-locale-nb, firefox-locale-bs, firefox-locale-et, firefox-locale-ar, firefox-locale-fy, firefox-locale-zh-hans, firefox-locale-nso, firefox-locale-he, firefox-locale-mk, firefox-locale-ta, firefox-locale-gd, firefox-locale-fa, firefox-locale-az, firefox-locale-fr, firefox-locale-mai, firefox-locale-hsb, firefox-locale-nl, firefox-locale-eu, firefox-locale-csb, firefox-locale-lv, firefox-locale-de, firefox-locale-fi, firefox-locale-nn, firefox-locale-sl, firefox-locale-eo, firefox-locale-ja, firefox-locale-cy, firefox-locale-km, firefox-locale-kab, firefox-testsuite, firefox-locale-pl, firefox-locale-hu, firefox-locale-ga, firefox-locale-ru, firefox-locale-gn, firefox-locale-ka, firefox-locale-ku, firefox-locale-as