Ubuntu Security Notices
USN-3165-1

USN-3165-1: Thunderbird vulnerabilities

Publication date

28 January 2017

Overview

Several security issues were fixed in Thunderbird.

Releases

16.10 16.04 LTS 14.04 LTS 12.04

Packages

thunderbird - Mozilla Open Source mail and newsgroup client

Details

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could...

Multiple memory safety issues were discovered in Thunderbird. If a user were
tricked in to opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to conduct cross-site scripting (XSS) attacks.
(CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked in to opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
cause a denial of service via application crash, or execute arbitrary
code. (CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked in to opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked in to opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object’s address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked in to opening a specially crafted website in a browsing context,
an attacker could potentially exploit this to obtain sensitive
information. (CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked in to opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain unicode glyphs do not trigger
punycode display. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked in to opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Update instructions

After a standard system update you need to restart Thunderbird to make all the necessary changes.
Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version

16.10 yakkety thunderbird – 1:45.7.0+build1-0ubuntu0.16.10.1

16.04 xenial thunderbird – 1:45.7.0+build1-0ubuntu0.16.04.1

14.04 trusty thunderbird – 1:45.7.0+build1-0ubuntu0.14.04.1

12.04 precise thunderbird – 1:45.7.0+build1-0ubuntu0.12.04.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

References

CVE-2017-5396

CVE-2017-5390

CVE-2017-5383

CVE-2017-5380

CVE-2017-5378

CVE-2017-5376

CVE-2017-5375

CVE-2017-5373

CVE-2016-9905

CVE-2016-9904

CVE-2017-5396

CVE-2017-5390

CVE-2017-5383

CVE-2017-5380

CVE-2017-5378

CVE-2017-5376

CVE-2017-5375

CVE-2017-5373

CVE-2016-9905

CVE-2016-9904

CVE-2016-9900

CVE-2016-9899

CVE-2016-9898

CVE-2016-9897

CVE-2016-9895

CVE-2016-9893

Related notices

USN-3175-1

USN-3155-1

USN-3175-1

USN-3155-1

Have additional questions?

Talk to a member of the team ›

OpenStack OpenStack

What is OpenStack

Features

Managed

Consulting

Install

Support

Ceph Ceph

What is Ceph

Managed

Consulting

Docs

Install

Kubernetes Kubernetes

What is Kubernetes

Managed

Install

Docs

Resources

Managed Services Managed Services

OpenStack

Kubernetes

Ceph

Apps

Firefighting

AI / ML AI / ML

MLOps

Kubeflow

MLflow

Consulting

Data Science

MLOps workshop

Robotics Robotics

ROS ESM

What is ROS

Community

Docs

IoT IoT

App store

Embedded Linux

Management

Ubuntu Core Ubuntu Core

Features

Success stories

Services

Docs

Ubuntu Desktop Ubuntu Desktop

Organizations

Developers

Flavors

WSL

Ubuntu Server Ubuntu Server

Hyperscale

Docs

Cloud Cloud

What is cloud computing

What is private cloud

What is hybrid cloud

What is multi-cloud

Public cloud

Security Security

Platform Security

ESM

Livepatch

Security standards

CVEs

Notices

Assurances

Landscape Landscape

Features

Managed

Compare

Install

Docs

Log in to Landscape

Containers Containers

What are containers

Chiseled Ubuntu

Chiseled and .NET

Container Build Service

Downloads Downloads

Desktop

Server

Core

Cloud

Support Support

Your subscriptions

Account users

Pricing

Discourse

Pricing Pricing

Desktops

Devices

Solutions

AI

Data

Infrastructure

Managed IT services

Open source security

IoT and devices

Cloud native development

Sectors

Automotive

Industrial

Government

Telco

Finance

Contact us

About us

Community

Careers

Blog

Resources

Press centre

© 2025 Canonical Ltd.

Ubuntu and Canonical are registered trademarks of Canonical Ltd.

Legal information

Data privacy

Manage your tracker settings

Report a bug on this site

Back to top
Go to the top of the page

Ubuntu Release	Package Version
16.10 yakkety	thunderbird – 1:45.7.0+build1-0ubuntu0.16.10.1
16.04 xenial	thunderbird – 1:45.7.0+build1-0ubuntu0.16.04.1
14.04 trusty	thunderbird – 1:45.7.0+build1-0ubuntu0.14.04.1
12.04 precise	thunderbird – 1:45.7.0+build1-0ubuntu0.12.04.1