Ubuntu Update for Linux kernel vulnerabilities USN-668-1

Please Install the Updated Packages.

Georgi Guninski, Michal Zalewsk and Chris Evans discovered that the same-origin check in Thunderbird could be bypassed. If a user were tricked into opening a malicious website, an attacker could obtain private information from data stored in the images, or discover information about software on the user's computer. (CVE-2008-5012) Jesse Ruderman discovered that Thunderbird did not properly guard locks on non-native objects. If a user had JavaScript enabled and were tricked into opening malicious web content, an attacker could cause a browser crash and possibly execute arbitrary code with user privileges. (CVE-2008-5014) Several problems were discovered in the browser, layout and JavaScript engines. If a user had JavaScript enabled, these problems could allow an attacker to crash Thunderbird and possibly execute arbitrary code with user privileges. (CVE-2008-5016, CVE-2008-5017, CVE-2008-5018) A flaw was discovered in Thunderbird's DOM constructing code. If a user were tricked into opening a malicious website while having JavaScript enabled, an attacker could cause the browser to crash and potentially execute arbitrary code with user privileges. (CVE-2008-5021) It was discovered that the same-origin check in Thunderbird could be bypassed. If a user had JavaScript enabled and were tricked into opening malicious web content, an attacker could execute JavaScript in the context of a different website. (CVE-2008-5022) Chris Evans discovered that Thunderbird did not properly parse E4X documents, leading to quote characters in the namespace not being properly escaped. (CVE-2008-5024) Boris Zbarsky discovered that Thunderbird did not properly process comments in forwarded in-line messages. If a user had JavaScript enabled and opened a malicious email, an attacker may be able to obtain information about the recipient.

mozilla-thunderbird, thunderbird vulnerabilities on Ubuntu 6.06 LTS , Ubuntu 7.10 , Ubuntu 8.04 LTS , Ubuntu 8.10

• https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-November/000788.html

---

Updated on 2015-03-25