Several security issues were fixed in Thunderbird.
Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas Werner discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1587)
3 December 2014
A security issue affects these releases of Ubuntu and its derivatives:
Several security issues were fixed in Thunderbird.
Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas Werner discovered multiple memory safety issues in Thunderbird. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1587)
Joe Vennix discovered a crash when using XMLHttpRequest in some circumstances. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service. (CVE-2014-1590)
Berend-Jan Wever discovered a use-after-free during HTML parsing. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1592)
Abhishek Arya discovered a buffer overflow when parsing media content. If a user were tricked in to opening a specially crafted message with scripting enabled, an attacker could potentially exploit this to cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1593)
Byoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the compositor. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit this to cause undefined behaviour, a denial of service via application crash or execute abitrary code with the privileges of the user invoking Thunderbird. (CVE-2014-1594)
The problem can be corrected by updating your system to the following package versions:
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Thunderbird to make all the necessary changes.
Vulmon