{"id":"USN-2428-1","summary":"thunderbird vulnerabilities","details":"Gary Kwong, Randell Jesup, Nils Ohlmeier, Jesse Ruderman, and Max Jonas\nWerner discovered multiple memory safety issues in Thunderbird. If a user\nwere tricked into opening a specially crafted message with scripting\nenabled, an attacker could potentially exploit these to cause a denial of\nservice via application crash, or execute arbitrary code with the\nprivileges of the user invoking Thunderbird. (CVE-2014-1587)\n\nJoe Vennix discovered a crash when using XMLHttpRequest in some\ncircumstances. If a user were tricked into opening a specially crafted\nmessage with scripting enabled, an attacker could potentially exploit this\nto cause a denial of service. (CVE-2014-1590)\n\nBerend-Jan Wever discovered a use-after-free during HTML parsing. If a\nuser were tricked into opening a specially crafted message with scripting\nenabled, an attacker could potentially exploit this to cause a denial of\nservice via application crash or execute arbitrary code with the\nprivileges of the user invoking Thunderbird. (CVE-2014-1592)\n\nAbhishek Arya discovered a buffer overflow when parsing media content. If\na user were tricked into opening a specially crafted message with\nscripting enabled, an attacker could potentially exploit this to cause a\ndenial of service via application crash or execute arbitrary code with the\nprivileges of the user invoking Thunderbird. (CVE-2014-1593)\n\nByoungyoung Lee, Chengyu Song, and Taesoo Kim discovered a bad cast in the\ncompositor. If a user were tricked into opening a specially crafted\nmessage, an attacker could potentially exploit this to cause undefined\nbehaviour, a denial of service via application crash or execute arbitrary\ncode with the privileges of the user invoking Thunderbird. 
(CVE-2014-1594)\n","modified":"2026-04-22T09:04:18.442032Z","published":"2014-12-03T15:57:15Z","related":["UBUNTU-CVE-2014-1587","UBUNTU-CVE-2014-1590","UBUNTU-CVE-2014-1592","UBUNTU-CVE-2014-1593","UBUNTU-CVE-2014-1594"],"upstream":["CVE-2014-1587","CVE-2014-1590","CVE-2014-1592","CVE-2014-1593","CVE-2014-1594","UBUNTU-CVE-2014-1587","UBUNTU-CVE-2014-1590","UBUNTU-CVE-2014-1592","UBUNTU-CVE-2014-1593","UBUNTU-CVE-2014-1594"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2428-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-1587"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-1590"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-1592"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-1593"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2014-1594"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/thunderbird@1:31.3.0+build1-0ubuntu0.14.04.1?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:31.3.0+build1-0ubuntu0.14.04.1"}]}],"versions":["1:24.0+build1-0ubuntu1","1:24.0+build1-0ubuntu2","1:24.1.1+build1-0ubuntu0.13.10.1","1:24.1.1+build1-0ubuntu1","1:24.2.0+build1-0ubuntu1","1:24.4.0+build1-0ubuntu1","1:24.5.0+build1-0ubuntu0.14.04.1","1:24.6.0+build1-0ubuntu0.14.04.1","1:31.0+build1-0ubuntu0.14.04.1","1:31.1.1+build1-0ubuntu0.14.04.1","1:31.1.2+build1-0ubuntu0.14.04.1","1:31.2.0+build2-0ubuntu0.14.04.1"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-globalmenu"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-gnome-support"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-mozsymbols"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"thunderbird-testsuite"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"xul-ext-calendar-timezones"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"xul-ext-gdata-provider"},{"binary_version":"1:31.3.0+build1-0ubuntu0.14.04.1","binary_name":"xul-ext-lightning"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2428-1.json","cves_map":{"cves":[{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-1587"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-1590"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-1592"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-1593"},{"severity":[{"type":"Ubuntu","score":"medium"}],"id":"CVE-2014-1594"}],"ecosystem":"Ubuntu:14.04:LTS"}}}],"schema_version":"1.7.5"}