[arch-security] [ASA-201605-21] thunderbird: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Sun May 15 10:59:24 UTC 2016


Arch Linux Security Advisory ASA-201605-21
==========================================

Severity: Critical
Date    : 2016-05-15
CVE-ID  : CVE-2016-2804 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807
Package : thunderbird
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package thunderbird before version 45.1.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 45.1.0-1.

# pacman -Syu "thunderbird>=45.1.0-1"

The problem has been fixed upstream in version 45.1.0.

Workaround
==========

None.

Description
===========

- CVE-2016-2804:

Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve
Fink reported memory safety problems and crashes.

- CVE-2016-2805:

Christian Holler reported a memory safety problem.

- CVE-2016-2806:

Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten
Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory
safety problems and crashes.

- CVE-2016-2807:

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety
problems and crashes.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/
https://access.redhat.com/security/cve/CVE-2016-2804
https://access.redhat.com/security/cve/CVE-2016-2805
https://access.redhat.com/security/cve/CVE-2016-2806
https://access.redhat.com/security/cve/CVE-2016-2807

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20160515/1d4853a8/attachment.asc>


More information about the arch-security mailing list