USN-3165-1: Thunderbird vulnerabilities

28 January 2017

Several security issues were fixed in Thunderbird.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 16.10

thunderbird - 1:45.7.0+build1-0ubuntu0.16.10.1

Ubuntu 16.04

thunderbird - 1:45.7.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04

thunderbird - 1:45.7.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04

thunderbird - 1:45.7.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References

CVE-2016-9893

CVE-2016-9895

CVE-2016-9897

CVE-2016-9898

CVE-2016-9899

CVE-2016-9900

CVE-2016-9904

CVE-2016-9905

CVE-2017-5373

CVE-2017-5375

CVE-2017-5376

CVE-2017-5378

CVE-2017-5380

CVE-2017-5383

CVE-2017-5390

CVE-2017-5396

Related notices

USN-3155-1

USN-3175-1

Join the discussion

Ubuntu security updates mailing list

Security announcements mailing list

Need help with your security needs?

Ubuntu Pro provides up to ten-year security coverage for over 23,000 open-source packages within the Ubuntu Main and Universe repositories.

Talk to an expert to find out what would work best for you

Further reading

OpenStack OpenStack

What is OpenStack

Features

Managed

Consulting

Install

Support

Ceph Ceph

What is Ceph

Managed

Consulting

Docs

Install

Kubernetes Kubernetes

What is Kubernetes

Charmed Kubernetes

Managed

Install

Docs

Resources

Managed Services Managed Services

OpenStack

Kubernetes

Ceph

Apps

Observability

Firefighting

AI / ML AI / ML

MLOps

Kubeflow

MLflow

Consulting

Data Science

MLOps workshop

Robotics Robotics

What is ROS

ROS ESM

Community

Docs

IoT IoT

App store

Embedded Linux

Management

Ubuntu Core Ubuntu Core

Features

Success stories

Services

Docs

Ubuntu Desktop Ubuntu Desktop

Organisations

Developers

Flavours

WSL

Ubuntu Server Ubuntu Server

Hyperscale

Docs

Cloud Cloud

What is cloud computing

What is private cloud

What is hybrid cloud

What is multi-cloud

Public cloud

Security Security

ESM

Livepatch

Certifications & Hardening

CVEs

Notices

Docker Images

Landscape Landscape

Features

Managed

Pricing

Install

Docs

Log in to Landscape

Containers Containers

What are containers

Chiselled Ubuntu

Chiselled and .NET

Downloads Downloads

Desktop

Server

Core

Cloud

Support Support

Your subscriptions

Account users

Pricing

Discourse

Observability Observability

What is observability

Managed

Pricing Pricing

Consulting

Desktops

Devices

Solutions

AI

Data

Infrastructure

Secure open source

Sectors

Automotive

Industrial

Government

Telco

Finance

Contact us

About us

Community

Careers

Blog

Resources

Press centre

© 2024 Canonical Ltd.

Ubuntu and Canonical are registered trademarks of Canonical Ltd.

Legal information

Data privacy

Manage your tracker settings

Report a bug on this site

Back to top
Go to the top of the page