===========================================================
Ubuntu Security Notice USN-978-1         September 08, 2010
thunderbird vulnerabilities
CVE-2010-2760, CVE-2010-2763, CVE-2010-2764, CVE-2010-2765,
CVE-2010-2766, CVE-2010-2767, CVE-2010-2768, CVE-2010-2769,
CVE-2010-3166, CVE-2010-3167, CVE-2010-3168, CVE-2010-3169
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 10.04 LTS:
  thunderbird                     3.0.7+build1+nobinonly-0ubuntu0.10.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

Details follow:

Several dangling pointer vulnerabilities were discovered in Thunderbird. An
attacker could exploit this to crash Thunderbird or possibly run arbitrary
code as the user invoking the program. (CVE-2010-2760, CVE-2010-2767,
CVE-2010-3167)

It was discovered that the XPCSafeJSObjectWrapper (SJOW) security wrapper
did not always honor the same-origin policy. If JavaScript was enabled, an
attacker could exploit this to run untrusted JavaScript from other domains.
(CVE-2010-2763)

Matt Haggard discovered that Thunderbird did not honor same-origin policy
when processing the statusText property of an XMLHttpRequest object. If a
user were tricked into viewing a malicious site, a remote attacker could
use this to gather information about servers on internal private networks.
(CVE-2010-2764)

Chris Rohlf discovered an integer overflow when Thunderbird processed the
HTML frameset element. If a user were tricked into viewing a malicious
site, a remote attacker could use this to crash Thunderbird or possibly run
arbitrary code as the user invoking the program. (CVE-2010-2765)

Several issues were discovered in the browser engine. If a user were
tricked into viewing a malicious site, a remote attacker could use this to
crash Thunderbird or possibly run arbitrary code as the user invoking the
program. (CVE-2010-2766, CVE-2010-3168)

David Huang and Collin Jackson discovered that the <object> tag could
override the charset of a framed HTML document in another origin. An
attacker could utilize this to perform cross-site scripting attacks.
(CVE-2010-2768)

Paul Stone discovered that with designMode enabled an HTML selection
containing JavaScript could be copied and pasted into a document and have
the JavaScript execute within the context of the site where the code was
dropped. If JavaScript was enabled, an attacker could utilize this to
perform cross-site scripting attacks. (CVE-2010-2769)

A buffer overflow was discovered in Thunderbird when processing text runs.
If a user were tricked into viewing a malicious site, a remote attacker
could use this to crash Thunderbird or possibly run arbitrary code as the
user invoking the program. (CVE-2010-3166)

Peter Van der Beken, Jason Oster, Jesse Ruderman, Igor Bukanov, Jeff
Walden, Gary Kwong and Olli Pettay discovered several flaws in the
browser engine. If a user were tricked into viewing a malicious site, a
remote attacker could use this to crash Thunderbird or possibly run
arbitrary code as the user invoking the program. (CVE-2010-3169)


Updated packages for Ubuntu 10.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly-0ubuntu0.10.04.1.diff.gz
      Size/MD5:    95206 4bcbfa877f444cf2450eab3515506da1
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly-0ubuntu0.10.04.1.dsc
      Size/MD5:     2412 0b12f85cb9a236a83093f405c5d6a969
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly.orig.tar.gz
      Size/MD5: 60861438 787f3ada01e85ce751a93dcdd44e5b18

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5: 64189408 f9d30b6540c1f08db812d3c18b5b2bda
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5:  5244574 b269d564ef691c32a2f716c1c7e9aaf3
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5:   149000 dbf4f8177949f0abb27ee28f9aaab9ee
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5:     9292 c6ce63a3f9c5c6ac3bc38177e8068c8b
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_amd64.deb
      Size/MD5: 11388676 4a3902f27af3fabbf470d74217cfdec4

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5: 64524720 ffa0415a1fd30ea1676ac8baa2696053
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-dev_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5:  5835466 7bf21437b4bd3b4ba12e54765f4a080f
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5:   148158 08a86b8c727c41a9ba6b238d2dcf38a8
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5:     9298 5c212edc616b976c85fc5e2388208047
    http://security.ubuntu.com/ubuntu/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_i386.deb
      Size/MD5: 10452902 c0ca4fcc4079ae3c71c96f46daf40b2a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5: 67162668 bdc28d4ea3920862d7ab443da5da6a00
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5:  5240958 5e2813bf1d9139d5a2f4319f8d7775e3
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5:   153348 cc627997e576e4a2aa92b1a6e6572658
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5:     9298 948556156feafd5217db3f17cf214cec
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_powerpc.deb
      Size/MD5: 11269402 37707d8067040585eb2ba7bb0ac239d4

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5: 63711766 5546c9d27c8b2f0d7052e2f8ff5f542f
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-dev_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5:  5220548 853e41fbba4e18dec5a318c59240d1a6
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support-dbg_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5:   144284 4f946395f339d5d5909e22f1526eb3ba
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird-gnome-support_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5:     9296 47b20d6748ff4c78d1875c7ab8699f7f
    http://ports.ubuntu.com/pool/main/t/thunderbird/thunderbird_3.0.7+build1+nobinonly-0ubuntu0.10.04.1_sparc.deb
      Size/MD5: 10525676 1a0a82cb2fecabdeec28ee544cf34e42