[USN-998-1] Thunderbird vulnerabilities

Jamie Strandboge jamie at canonical.com
Wed Oct 20 21:51:24 UTC 2010


===========================================================
Ubuntu Security Notice USN-998-1           October 20, 2010
thunderbird vulnerabilities
CVE-2010-3175, CVE-2010-3176, CVE-2010-3178, CVE-2010-3179,
CVE-2010-3180, CVE-2010-3182, CVE-2010-3183
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  thunderbird                     3.0.9+build1+nobinonly-0ubuntu0.10.04.1

Ubuntu 10.10:
  thunderbird                     3.1.5+build1+nobinonly-0ubuntu0.10.10.1

After a standard system update you need to restart Thunderbird to make all
the necessary changes.

Details follow:

Paul Nickerson, Jesse Ruderman, Olli Pettay, Igor Bukanov, Josh Soref, Gary
Kwong, Martijn Wargers, Siddharth Agarwal and Michal Zalewski discovered
various flaws in the browser engine. An attacker could exploit this to
crash Thunderbird or possibly run arbitrary code as the user invoking the
program. (CVE-2010-3175, CVE-2010-3176)

Alexander Miller, Sergey Glazunov, and others discovered several flaws in
the JavaScript engine. If JavaScript were enabled, an attacker could
exploit this to crash Thunderbird or possibly run arbitrary code as the
user invoking the program. (CVE-2010-3179, CVE-2010-3180, CVE-2010-3183)

Eduardo Vela Nava discovered that Thunderbird could be made to violate the
same-origin policy by using modal calls with JavaScript. If JavaScript were
enabled, an attacker could exploit this to steal information from another
site. (CVE-2010-3178)

Dmitri GribenkoDmitri Gribenko discovered that Thunderbird did not properly
setup the LD_LIBRARY_PATH environment variable. A local attacker could
exploit this to execute arbitrary code as the user invoking the program.
(CVE-2010-3182)


Updated packages for Ubuntu 10.04 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly-0ubuntu0.10.04.1.diff.gz
      Size/MD5:    95097 3b820b97dccc465ea044b7a272fdc8d9
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly-0ubuntu0.10.04.1.dsc
      Size/MD5:     2412 387aa374c72b37d99e7e318b8e43acbf
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly.orig.tar.gz
      Size/MD5: 60899014 7d2be2a088f8b4206907b15c864eed52

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5: 64192710 d8b9db9d05a778aeec350ff7c7ea74a4
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5:  5771404 dd7e6b456234ac984e492046c5640225
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5:   149136 2bb12625422eaa66380afc63abf6705d
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5:     9300 fb69d2b349444b85014ab90278fe247c
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5: 11417872 a8614d1abad929d534157c00f70bbb3a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5: 64523832 6f5f6303f3bae014e5b38ea431ce72c3
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5:  5834496 ebdaf198d5e461b79cbff7c65870ae93
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5:   148276 4b96fd44790a55884ab7d965264b3212
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5:     9290 efaad1dfc9ac1164d389406f09f374a6
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5: 10456058 43be1c1e3e25086e4194c65ee9d80f51

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5: 67174194 fd9e7d09bde7484758afbbf853a3d303
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5:  5240444 d9f5eab1821399e37802f2559f299f6d
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5:   153468 73f3e25ed341c29828b9b37d1e8fb142
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5:     9304 6da40fbea8cdcebf9c7321001625d78e
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5: 11271328 00b609e4563a886410eb81862a2c759b

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5: 63719158 b75221c3b7ef3a7066100877a538d5e3
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5:  5220982 d75dcceefe7a3aaa20feecdee56815a9
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5:   144390 b635c9ecfe7a71057e5e1037423055c6
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5:     9296 a3b49ba9e351f50b756c0966b738ee3f
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_3.0.9+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5: 10529270 f5c48a60fef599ed65b3f7b2ee155e99

Updated packages for Ubuntu 10.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.5+build1+nobinonly-0ubuntu0.10.10.1.diff.gz
      Size/MD5:    98089 6bcacb112e75b1ea6d1f2c03e42a2655
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.5+build1+nobinonly-0ubuntu0.10.10.1.dsc
      Size/MD5:     2468 f92fc2b8b92cf814986e0b9b79019510
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.5+build1+nobinonly.orig.tar.gz
      Size/MD5: 66546029 359e65546b29fb7e417637291393f104

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dbg_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_amd64.deb
      Size/MD5: 62603474 6cb66cd9627f6b2421d213cc541098cf
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_amd64.deb
      Size/MD5:  5006090 9a0a610fa02d7bb35aa36d5eb404d156
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_amd64.deb
      Size/MD5:   181308 1867a97e101e7f97f7ae6ccabc98e1b9
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_amd64.deb
      Size/MD5:     9384 3f0d409e02f351c6362da9ddc12f1e05
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_amd64.deb
      Size/MD5: 12042310 2d7a2e4ca18e79775b58ee9f03512a3a

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dbg_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_i386.deb
      Size/MD5: 63136006 64326c4d59ff770b9dae52e2b16d4eb2
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_i386.deb
      Size/MD5:  5143614 82b15cecbe0d1602421238f034f5008f
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_i386.deb
      Size/MD5:   180446 9c269d8f53b3bc6e715c793717660c91
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_i386.deb
      Size/MD5:     9376 9fba11d210e9364c2f8914cf4e28e23e
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_i386.deb
      Size/MD5: 11061068 a5d79a92d1a504caa03f5b5d3a646af7

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dbg_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_powerpc.deb
      Size/MD5: 65395550 60846228807534f5aafcd1f85809c51d
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_powerpc.deb
      Size/MD5:  4978992 dac3232b41d546f4bdeadcbb715e49e8
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_powerpc.deb
      Size/MD5:   187102 ba03adced0f96c0fe84b3dc2edf59636
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_powerpc.deb
      Size/MD5:     9382 42871e6a679dfcb0403c3d0fd73e3cf3
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_3.1.5+build1+nobinonly-0ubuntu0.10.10.1_powerpc.deb
      Size/MD5: 11745480 97c701050c6da23044085945a2bac2a6



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20101020/23396ae0/attachment.sig>


More information about the ubuntu-security-announce mailing list