Security Advisories for Thunderbird ESR

Impact key

• Critical Vulnerability can be used to run attacker code and install software, requiring no user interaction beyond normal browsing.
• High Vulnerability can be used to gather sensitive data from sites in other windows or inject data or code into those sites, requiring no more than normal browsing actions.
• Moderate Vulnerabilities that would otherwise be High or Critical except they only work in uncommon non-default configurations or require the user to perform complicated and/or unlikely steps.
• Low Minor security vulnerabilities such as Denial of Service attacks, minor data leaks, or spoofs. (Undetectable spoofs of SSL indicia would have "High" impact because those are generally used to steal sensitive data intended for other sites.)

# Fixed in Thunderbird ESR 17.0.11

• 2013-103 Miscellaneous Network Security Services (NSS) vulnerabilities

# Fixed in Thunderbird ESR 17.0.10

• 2013-101 Memory corruption in workers
• 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
• 2013-98 Use-after-free when updating offline cache
• 2013-96 Improperly initialized memory and overflows in some JavaScript functions
• 2013-95 Access violation with XSLT and uninitialized data
• 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

# Fixed in Thunderbird ESR 17.0.9

• 2013-91 User-defined properties on DOM proxies get the wrong "this" object
• 2013-90 Memory corruption involving scrolling
• 2013-89 Buffer overflow with multi-column, lists, and floats
• 2013-88 Compartment mismatch re-attaching XBL-backed nodes
• 2013-83 Mozilla Updater does not lock MAR file after signature verification
• 2013-82 Calling scope for new Javascript objects can lead to memory corruption
• 2013-79 Use-after-free in Animation Manager during stylesheet cloning
• 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)

# Fixed in Thunderbird ESR 17.0.8

• 2013-75 Local Java applets may read contents of local file system
• 2013-73 Same-origin bypass with web workers and XMLHttpRequest
• 2013-72 Wrong principal used for validating URI for some Javascript components
• 2013-71 Further Privilege escalation through Mozilla Updater
• 2013-69 CRMF requests allow for code execution and XSS attacks
• 2013-68 Document URI misrepresentation and masquerading
• 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
• 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

# Fixed in Thunderbird ESR 17.0.7

• 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
• 2013-56 PreserveWrapper has inconsistent behavior
• 2013-55 SVG filters can lead to information disclosure
• 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
• 2013-53 Execution of unmapped memory through onreadystatechange event
• 2013-51 Privileged content access and execution via XBL
• 2013-50 Memory corruption found using Address Sanitizer
• 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)

# Fixed in Thunderbird ESR 17.0.6

• 2013-48 Memory corruption found using Address Sanitizer
• 2013-47 Uninitialized functions in DOMSVGZoomEvent
• 2013-46 Use-after-free with video and onresize event
• 2013-44 Local privilege escalation through Mozilla Maintenance Service
• 2013-42 Privileged access for content level constructor
• 2013-41 Miscellaneous memory safety hazards (rv:21.0 / rv:17.0.6)

# Fixed in Thunderbird ESR 17.0.5

• 2013-40 Out-of-bounds array read in CERT_DecodeCertPackage
• 2013-38 Cross-site scripting (XSS) using timed history navigations
• 2013-36 Bypass of SOW protections allows cloning of protected nodes
• 2013-35 WebGL crash with Mesa graphics driver on Linux
• 2013-34 Privilege escalation through Mozilla Updater
• 2013-32 Privilege escalation through Mozilla Maintenance Service
• 2013-31 Out-of-bounds write in Cairo library
• 2013-30 Miscellaneous memory safety hazards (rv:20.0 / rv:17.0.5)

# Fixed in Thunderbird ESR 17.0.4

• 2013-29 Use-after-free in HTML Editor

# Fixed in Thunderbird ESR 17.0.3

• 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
• 2013-27 Phishing on HTTPS connection through malicious proxy
• 2013-26 Use-after-free in nsImageLoadingContent
• 2013-25 Privacy leak in JavaScript Workers
• 2013-24 Web content bypass of COW and SOW security wrappers
• 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)

# Fixed in Thunderbird ESR 17.0.2

• 2013-20 Mis-issued TURKTRUST certificates
• 2013-19 Use-after-free in Javascript Proxy objects
• 2013-18 Use-after-free in Vibrate
• 2013-17 Use-after-free in ListenerManager
• 2013-16 Use-after-free in serializeToStream
• 2013-15 Privilege escalation through plugin objects
• 2013-14 Chrome Object Wrapper (COW) bypass through changing prototype
• 2013-13 Memory corruption in XBL with XML bindings containing SVG
• 2013-12 Buffer overflow in Javascript string concatenation
• 2013-11 Address space layout leaked in XBL objects
• 2013-10 Event manipulation in plugin handler to bypass same-origin policy
• 2013-09 Compartment mismatch with quickstubs returned values
• 2013-08 AutoWrapperChanger fails to keep objects alive during garbage collection
• 2013-07 Crash due to handling of SSL on threads
• 2013-05 Use-after-free when displaying table with many columns and column groups
• 2013-04 URL spoofing in addressbar during page loads
• 2013-03 Buffer Overflow in Canvas
• 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
• 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

# Fixed in Thunderbird ESR 10.0.12

• 2013-20 Mis-issued TURKTRUST certificates
• 2013-17 Use-after-free in ListenerManager
• 2013-16 Use-after-free in serializeToStream
• 2013-15 Privilege escalation through plugin objects
• 2013-12 Buffer overflow in Javascript string concatenation
• 2013-11 Address space layout leaked in XBL objects
• 2013-09 Compartment mismatch with quickstubs returned values
• 2013-05 Use-after-free when displaying table with many columns and column groups
• 2013-04 URL spoofing in addressbar during page loads
• 2013-02 Use-after-free and buffer overflow issues found using Address Sanitizer
• 2013-01 Miscellaneous memory safety hazards (rv:18.0/ rv:10.0.12 / rv:17.0.2)

# Fixed in Thunderbird ESR 10.0.11

• 2012-106 Use-after-free, buffer overflow, and memory corruption issues found using Address Sanitizer
• 2012-105 Use-after-free and buffer overflow issues found using Address Sanitizer
• 2012-103 Frames can shadow top.location
• 2012-101 Improper character decoding in HZ-GB-2312 charset
• 2012-100 Improper security filtering for cross-origin wrappers
• 2012-93 evalInSanbox location context incorrectly applied
• 2012-92 Buffer overflow while rendering GIF images
• 2012-91 Miscellaneous memory safety hazards (rv:17.0/ rv:10.0.11)

# Fixed in Thunderbird ESR 10.0.10

• 2012-90 Fixes for Location object issues
• 2012-67 Installer will launch incorrect executable following new installation

# Fixed in Thunderbird ESR 10.0.9

• 2012-89 defaultValue security checks not applied

# Fixed in Thunderbird ESR 10.0.8

• 2012-87 Use-after-free in the IME State Manager
• 2012-86 Heap memory corruption issues found using Address Sanitizer
• 2012-85 Use-after-free, buffer overflow, and out of bounds read issues found using Address Sanitizer
• 2012-84 Spoofing and script injection through location.hash
• 2012-83 Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties
• 2012-82 top object and location property accessible by plugins
• 2012-81 GetProperty function can bypass security checks
• 2012-79 DOS and crash with full screen and history navigation
• 2012-77 Some DOMWindowUtils methods bypass security checks
• 2012-74 Miscellaneous memory safety hazards (rv:16.0/ rv:10.0.8)
• 2012-59 Location object can be shadowed using Object.defineProperty

# Fixed in Thunderbird ESR 10.0.7

• 2012-72 Web console eval capable of executing chrome-privileged code
• 2012-70 Location object security checks bypassed by chrome code
• 2012-65 Out-of-bounds read in format-number in XSLT
• 2012-63 SVG buffer overflow and use-after-free issues
• 2012-62 WebGL use-after-free and memory corruption
• 2012-61 Memory corruption with bitmap format images with negative height
• 2012-58 Use-after-free issues found using Address Sanitizer
• 2012-57 Miscellaneous memory safety hazards (rv:15.0/ rv:10.0.7)

# Fixed in Thunderbird ESR 10.0.6

• 2012-56 Code execution through javascript: URLs
• 2012-54 Clickjacking of certificate warning page
• 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
• 2012-52 JSDependentString::undepend string conversion results in memory corruption
• 2012-51 X-Frame-Options header ignored when duplicated
• 2012-49 Same-compartment Security Wrappers can be bypassed
• 2012-48 use-after-free in nsGlobalWindow::PageHidden
• 2012-47 Improper filtering of javascript in HTML feed-view
• 2012-45 Spoofing issue with location
• 2012-44 Gecko memory corruption
• 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

# Fixed in Thunderbird ESR 10.0.5

• 2012-40 Buffer overflow and use-after-free issues found using Address Sanitizer
• 2012-39 NSS parsing errors with zero length items
• 2012-38 Use-after-free while replacing/inserting a node in a document
• 2012-37 Information disclosure though Windows file shares and shortcut files
• 2012-36 Content Security Policy inline-script bypass
• 2012-34 Miscellaneous memory safety hazards (rv:13.0/ rv:10.0.5)

# Fixed in Thunderbird ESR 10.0.4

• 2012-33 Potential site identity spoofing when loading RSS and Atom feeds
• 2012-31 Off-by-one error in OpenType Sanitizer
• 2012-30 Crash with WebGL content using textImage2D
• 2012-29 Potential XSS through ISO-2022-KR/ISO-2022-CN decoding issues
• 2012-27 Page load short-circuit can lead to XSS
• 2012-26 WebGL.drawElements may read illegal video memory due to FindMaxUshortElement error
• 2012-25 Potential memory corruption during font rendering using cairo-dwrite
• 2012-24 Potential XSS via multibyte content processing errors
• 2012-23 Invalid frees causes heap corruption in gfxImageSurface
• 2012-22 use-after-free in IDBKeyRange
• 2012-20 Miscellaneous memory safety hazards (rv:12.0/ rv:10.0.4)

# Fixed in Thunderbird ESR 10.0.3

• 2012-19 Miscellaneous memory safety hazards (rv:11.0/ rv:10.0.3 / rv:1.9.2.28)
• 2012-18 window.fullScreen writeable by untrusted content
• 2012-17 Crash when accessing keyframe cssText after dynamic modification
• 2012-16 Escalation of privilege with Javascript: URL as home page
• 2012-15 XSS with multiple Content Security Policy headers
• 2012-14 SVG issues found with Address Sanitizer
• 2012-13 XSS with Drag and Drop and Javascript: URL
• 2012-12 Use-after-free in shlwapi.dll

# Fixed in Thunderbird ESR 10.0.2

• 2012-11 libpng integer overflow

# Fixed in Thunderbird ESR 10.0.1

• 2012-10 use after free in nsXBLDocumentInfo::ReadPrototypeBindings