Arch Linux alert ASA-201605-21 (thunderbird)

From:
    	     
 
Remi Gacogne <rgacogne@archlinux.org> 
To:
    	     
 
arch-security@archlinux.org 
Subject:
    	     
 
[arch-security] [ASA-201605-21] thunderbird: arbitrary code execution 
Date:
    	     
 
Sun, 15 May 2016 12:59:24 +0200
Message-ID:
    	     
 
<6bf8f387-b4fc-3594-a0bd-2c040633c4e3@archlinux.org>
Arch Linux Security Advisory ASA-201605-21
==========================================

Severity: Critical
Date    : 2016-05-15
CVE-ID  : CVE-2016-2804 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807
Package : thunderbird
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package thunderbird before version 45.1.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 45.1.0-1.

# pacman -Syu "thunderbird>=45.1.0-1"

The problem has been fixed upstream in version 45.1.0.

Workaround
==========

None.

Description
===========

- CVE-2016-2804:

Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve
Fink reported memory safety problems and crashes.

- CVE-2016-2805:

Christian Holler reported a memory safety problem.

- CVE-2016-2806:

Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten
Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory
safety problems and crashes.

- CVE-2016-2807:

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety
problems and crashes.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa201...
https://access.redhat.com/security/cve/CVE-2016-2804
https://access.redhat.com/security/cve/CVE-2016-2805
https://access.redhat.com/security/cve/CVE-2016-2806
https://access.redhat.com/security/cve/CVE-2016-2807