Arch Linux: ASA-201605-21 Critical: Thunderbird Arbitrary Code Execution

Arch Linux Security Advisory ASA-201605-21
=========================================
Severity: Critical
Date    : 2016-05-15
CVE-ID  : CVE-2016-2804 CVE-2016-2805 CVE-2016-2806 CVE-2016-2807
Package : thunderbird
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package thunderbird before version 45.1.0-1 is vulnerable to
arbitrary code execution.

Resolution
=========
Upgrade to 45.1.0-1.

# pacman -Syu "thunderbird>=45.1.0-1"

The problem has been fixed upstream in version 45.1.0.

Workaround
=========
None.

Description
==========
- CVE-2016-2804:

Gary Kwong, Christian Holler, Andrew McCreight, Boris Zbarsky, and Steve
Fink reported memory safety problems and crashes.

- CVE-2016-2805:

Christian Holler reported a memory safety problem.

- CVE-2016-2806:

Gary Kwong, Christian Holler, Jesse Ruderman, Mats Palmgren, Carsten
Book, Boris Zbarsky, David Bolter, and Randell Jesup reported memory
safety problems and crashes.

- CVE-2016-2807:

Christian Holler, Tyson Smith, and Phil Ringalda reported memory safety
problems and crashes.

Impact
=====
A remote attacker can execute arbitrary code on the affected host.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2016-39/
https://access.redhat.com/security/cve/CVE-2016-2804
https://access.redhat.com/security/cve/CVE-2016-2805
https://access.redhat.com/security/cve/CVE-2016-2806
https://access.redhat.com/security/cve/CVE-2016-2807