96692

1037966

https://bugzilla.mozilla.org/show_bug.cgi?id=1328121

https://www.mozilla.org/security/advisories/mfsa2017-05/

https://www.mozilla.org/security/advisories/mfsa2017-09/

This update to MozillaThunderbird 51.1.0 fixes security issues and bugs.

In general, these flaws cannot be exploited through email because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

The following vulnerabilities were fixed: boo#1035082, MFSA 2017-13, boo#1028391, MFSA 2017-09)

  - CVE-2017-5443: Out-of-bounds write during BinHex     decoding

  - CVE-2017-5429: Memory safety bugs fixed in Firefox 53,     Firefox ESR 45.9, and Firefox ESR 52.1

  - CVE-2017-5464: Memory corruption with accessibility and     DOM manipulation

  - CVE-2017-5465: Out-of-bounds read in ConvolvePixel

  - CVE-2017-5466: Origin confusion when reloading isolated     data:text/html URL

  - CVE-2017-5467: Memory corruption when drawing Skia     content

  - CVE-2017-5460: Use-after-free in frame selection

  - CVE-2017-5449: Crash during bidirectional unicode     manipulation with animation

  - CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA     frames are sent with incorrect data

  - CVE-2017-5447: Out-of-bounds read during glyph     processing

  - CVE-2017-5444: Buffer overflow while parsing     application/http-index-format content

  - CVE-2017-5445: Uninitialized values used while parsing     application/http-index-format content

  - CVE-2017-5442: Use-after-free during style changes

  - CVE-2017-5469: Potential Buffer overflow in     flex-generated code

  - CVE-2017-5440: Use-after-free in txExecutionState     destructor during XSLT processing

  - CVE-2017-5441: Use-after-free with selection during     scroll events

  - CVE-2017-5439: Use-after-free in nsTArray Length()     during XSLT processing

  - CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT     processing

  - CVE-2017-5437: Vulnerabilities in Libevent library

  - CVE-2017-5436: Out-of-bounds write with malicious font     in Graphite 2

  - CVE-2017-5435: Use-after-free during transaction     processing in the editor

  - CVE-2017-5434: Use-after-free during focus handling

  - CVE-2017-5433: Use-after-free in SMIL animation     functions

  - CVE-2017-5432: Use-after-free in text input selection

  - CVE-2017-5430: Memory safety bugs fixed in Firefox 53     and Firefox ESR 52.1

  - CVE-2017-5459: Buffer overflow in WebGL

  - CVE-2017-5454; Sandbox escape allowing file system read     access through file picker

  - CVE-2017-5451: Addressbar spoofing with onblur event

  - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

  - CVE-2017-5401: Memory Corruption when handling     ErrorResult

  - CVE-2017-5402: Use-after-free working with events in     FontFace objects

  - CVE-2017-5403: Use-after-free using addRange to add     range to an incorrect root object

  - CVE-2017-5404: Use-after-free working with ranges in     selections

  - CVE-2017-5406: Segmentation fault in Skia with canvas     operations 

  - CVE-2017-5407: Pixel and history stealing via     floating-point timing side channel with SVG filters

  - CVE-2017-5410: Memory corruption during JavaScript     garbage collection incremental sweeping

  - CVE-2017-5408: Cross-origin reading of video captions in     violation of CORS

  - CVE-2017-5412: Buffer overflow read in SVG filters

  - CVE-2017-5413: Segmentation fault during bidirectional     operations

  - CVE-2017-5414: File picker can choose incorrect default     directory

  - CVE-2017-5416: Null dereference crash in HttpChannel

  - CVE-2017-5426: Gecko Media Plugin sandbox is not started     if seccomp-bpf filter is running

  - CVE-2017-5418: Out of bounds read when parsing HTTP     digest authorization responses

  - CVE-2017-5419: Repeated authentication prompts lead to     DOS attack

  - CVE-2017-5405: FTP response codes can cause use of     uninitialized values for ports

  - CVE-2017-5421: Print preview spoofing

  - CVE-2017-5422: DOS attack by using view-source: protocol     repeatedly in one hyperlink

  - CVE-2017-5399: Memory safety bugs fixed in Thunderbird     52

  - CVE-2017-5398: Memory safety bugs fixed in Thunderbird     52 and Thunderbird 45.8

The following non-security changes are included :

  - Background images not working and other issues related     to embedded images when composing email have been fixed

  - Google Oauth setup can sometimes not progress to the     next step

  - Clicking on a link in an email may not open this link in     the external browser

  - addon blocklist updates

  - enable ALSA for systems without PulseAudio

  - Optionally remove corresponding data files when removing     an account

  - Possibility to copy message filter

  - Calendar: Event can now be created and edited in a tab

  - Calendar: Processing of received invitation counter     proposals

  - Chat: Support Twitter Direct Messages

  - Chat: Liking and favoriting in Twitter

  - Chat: Removed Yahoo! Messenger support

USN-3216-1 fixed vulnerabilities in Firefox. The update resulted in a startup crash when Firefox is used with XRDP. This update fixes the problem.

We apologize for the inconvenience.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang, or execute arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5426, CVE-2017-5427).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for MozillaFirefox and mozilla-nss fixes the following issues :

MozillaFirefox was updated to Firefox 52.0 (boo#1028391)

  - requires NSS >= 3.28.3

  - Pages containing insecure password fields now display a     warning directly within username and password fields.

  - Send and open a tab from one device to another with Sync

  - Removed NPAPI support for plugins other than Flash.
    Silverlight, Java, Acrobat and the like are no longer     supported.

  - Removed Battery Status API to reduce fingerprinting of     users by trackers

  - MFSA 2017-05 CVE-2017-5400: asm.js JIT-spray bypass of     ASLR and DEP (bmo#1334933) CVE-2017-5401: Memory     Corruption when handling ErrorResult (bmo#1328861)     CVE-2017-5402: Use-after-free working with events in     FontFace objects (bmo#1334876) CVE-2017-5403:
    Use-after-free using addRange to add range to an     incorrect root object (bmo#1340186) CVE-2017-5404:
    Use-after-free working with ranges in selections     (bmo#1340138) CVE-2017-5406: Segmentation fault in Skia     with canvas operations (bmo#1306890) CVE-2017-5407:
    Pixel and history stealing via floating-point timing     side channel with SVG filters (bmo#1336622)     CVE-2017-5410: Memory corruption during JavaScript     garbage collection incremental sweeping (bmo#1330687)     CVE-2017-5408: Cross-origin reading of video captions in     violation of CORS (bmo#1313711) CVE-2017-5412: Buffer     overflow read in SVG filters (bmo#1328323)     CVE-2017-5413: Segmentation fault during bidirectional     operations (bmo#1337504) CVE-2017-5414: File picker can     choose incorrect default directory (bmo#1319370)     CVE-2017-5415: Addressbar spoofing through blob URL     (bmo#1321719) CVE-2017-5416: Null dereference crash in     HttpChannel (bmo#1328121) CVE-2017-5417: Addressbar     spoofing by draging and dropping URLs (bmo#791597)     CVE-2017-5426: Gecko Media Plugin sandbox is not started     if seccomp-bpf filter is running (bmo#1257361)     CVE-2017-5427: Non-existent chrome.manifest file loaded     during startup (bmo#1295542) CVE-2017-5418: Out of     bounds read when parsing HTTP digest authorization     responses (bmo#1338876) CVE-2017-5419: Repeated     authentication prompts lead to DOS attack (bmo#1312243)     CVE-2017-5420: Javascript: URLs can obfuscate addressbar     location (bmo#1284395) CVE-2017-5405: FTP response codes     can cause use of uninitialized values for ports     (bmo#1336699) CVE-2017-5421: Print preview spoofing     (bmo#1301876) CVE-2017-5422: DOS attack by using     view-source: protocol repeatedly in one hyperlink     (bmo#1295002) CVE-2017-5399: Memory safety bugs fixed in     Firefox 52 CVE-2017-5398: Memory safety bugs fixed in     Firefox 52 and Firefox ESR 45.8

mozilla-nss was updated to NSS 3.28.3

  - This is a patch release to fix binary compatibility     issues. NSS version 3.28, 3.28.1 and 3.28.2 contained     changes that were in violation with the NSS     compatibility promise. ECParams, which is part of the     public API of the freebl/softokn parts of NSS, had been     changed to include an additional attribute. That size     increase caused crashes or malfunctioning with     applications that use that data structure directly, or     indirectly through ECPublicKey, ECPrivateKey,     NSSLOWKEYPublicKey, NSSLOWKEYPrivateKey, or potentially     other data structures that reference ECParams. The     change has been reverted to the original state in bug     bmo#1334108. SECKEYECPublicKey had been extended with a     new attribute, named 'encoding'. If an application     passed type SECKEYECPublicKey to NSS (as part of     SECKEYPublicKey), the NSS library read the uninitialized     attribute. With this NSS release     SECKEYECPublicKey.encoding is deprecated. NSS no longer     reads the attribute, and will always set it to     ECPoint_Undefined. See bug bmo#1340103.

  - requires NSPR >= 4.13.1

  - update to NSS 3.28.2 This is a stability and     compatibility release. Below is a summary of the     changes.

  - Fixed a NSS 3.28 regression in the signature scheme     flexibility that causes connectivity issues between iOS     8 clients and NSS servers with ECDSA certificates     (bmo#1334114)

  - Fixed a possible crash on some Windows systems     (bmo#1323150)

  - Fixed a compatibility issue with TLS clients that do not     provide a list of supported key exchange groups     (bmo#1330612)

The version of Mozilla Firefox installed on the remote Windows host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - Mozilla developers and community members Carsten Book,     Calixte Denizet, Christian Holler, Andrew McCreight,     David Bolter, David Keeler, Jon Coppeard, Tyson Smith,     Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed     Davis, Julian Seward, Julian Hector, Philipp, Markus     Stange, and Andre Bargull reported memory safety bugs     present in Firefox 51. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2017-5399)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - When adding a range to an object in the DOM, it is     possible to use addRange to add the range to an     incorrect root object. This triggers a use-after-free,     resulting in a potentially exploitable crash.
    (CVE-2017-5403)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - A segmentation fault can occur in the Skia graphics     library during some canvas operations due to issues     with mask/clip intersection and empty masks.
    (CVE-2017-5406)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - The Mozilla Windows updater can be called by a     non-privileged user to delete an arbitrary local file     by passing a special path to the callback parameter     through the Mozilla Maintenance Service, which has     privileged access. Note: This attack requires local     system access and only affects Windows. Other operating     systems are not affected. (CVE-2017-5409)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

  - A use-after-free can occur during buffer storage     operations within the ANGLE graphics library, used for     WebGL content. The buffer storage can be freed while     still in use in some circumstances, leading to a     potentially exploitable crash. Note: This issue is in     libGLES, which is only in use on Windows. Other     operating systems are not affected. (CVE-2017-5411)

  - A buffer overflow read during SVG filter color value     operations, resulting in data exposure. (CVE-2017-5412)

  - A segmentation fault can occur during some     bidirectional layout operations. (CVE-2017-5413)

  - The file picker dialog can choose and display the wrong     local default directory when instantiated. On some     operating systems, this can lead to information     disclosure, such as the operating system or the local     account name. (CVE-2017-5414)

  - An attack can use a blob URL and script to spoof an     arbitrary addressbar URL prefaced by blob: as the     protocol, leading to user confusion and further     spoofing attacks. (CVE-2017-5415)

  - In certain circumstances a networking event listener     can be prematurely released. This appears to result in     a null dereference in practice. (CVE-2017-5416)

  - When dragging content from the primary browser pane to     the addressbar on a malicious site, it is possible to     change the addressbar so that the displayed location     following navigation does not match the URL of the     newly loaded page. This allows for spoofing attacks.
    (CVE-2017-5417)

  - An out of bounds read error occurs when parsing some     HTTP digest authorization responses, resulting in     information leakage through the reading of random     memory containing matches to specifically set patterns.
    (CVE-2017-5418)

  - If a malicious site repeatedly triggers a modal     authentication prompt, eventually the browser UI will     become non-responsive, requiring shutdown through the     operating system. This is a denial of service (DOS)     attack. (CVE-2017-5419)

  - A javascript: url loaded by a malicious page can     obfuscate its location by blanking the URL displayed in     the addressbar, allowing for an attacker to spoof an     existing page without the malicious page's address     being displayed correctly. (CVE-2017-5420)

  - A malicious site could spoof the contents of the print     preview window if popup windows are enabled, resulting     in user confusion of what site is currently loaded.
    (CVE-2017-5421)

  - If a malicious site uses the view-source: protocol in a     series within a single hyperlink, it can trigger a     non-exploitable browser crash when the hyperlink is     selected. This was fixed by no longer making     view-source: linkable. (CVE-2017-5422)

  - A non-existent chrome.manifest file will attempt to be     loaded during startup from the primary installation     directory. If a malicious user with local access puts     chrome.manifest and other referenced files in this     directory, they will be loaded and activated during     startup. This could result in malicious software being     added without consent or modification of referenced     installed files. (CVE-2017-5427)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 52.0. It is, therefore, affected by multiple vulnerabilities :

  - Mozilla developers and community members Boris Zbarsky,     Christian Holler, Honza Bambas, Jon Coppeard, Randell     Jesup, Andre Bargull, Kan-Ru Chen, and Nathan Froyd     reported memory safety bugs present in Firefox 51 and     Firefox ESR 45.7. Some of these bugs showed evidence of     memory corruption and we presume that with enough     effort that some of these could be exploited to run     arbitrary code. (CVE-2017-5398)

  - Mozilla developers and community members Carsten Book,     Calixte Denizet, Christian Holler, Andrew McCreight,     David Bolter, David Keeler, Jon Coppeard, Tyson Smith,     Ronald Crane, Tooru Fujisawa, Ben Kelly, Bob Owen, Jed     Davis, Julian Seward, Julian Hector, Philipp, Markus     Stange, and Andre Bargull reported memory safety bugs     present in Firefox 51. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort that some of these could be exploited to     run arbitrary code. (CVE-2017-5399)

  - JIT-spray targeting asm.js combined with a heap spray     allows for a bypass of ASLR and DEP protections leading     to potential memory corruption attacks. (CVE-2017-5400)

  - A crash triggerable by web content in which an     ErrorResult references unassigned memory due to a logic     error. The resulting crash may be exploitable.
    (CVE-2017-5401)

  - A use-after-free can occur when events are fired for a     FontFace object after the object has been already been     destroyed while working with fonts. This results in a     potentially exploitable crash. (CVE-2017-5402)

  - When adding a range to an object in the DOM, it is     possible to use addRange to add the range to an     incorrect root object. This triggers a use-after-free,     resulting in a potentially exploitable crash.
    (CVE-2017-5403)

  - A use-after-free error can occur when manipulating     ranges in selections with one node inside a native     anonymous tree and one node outside of it. This results     in a potentially exploitable crash. (CVE-2017-5404)

  - Certain response codes in FTP connections can result in     the use of uninitialized values for ports in FTP     operations. (CVE-2017-5405)

  - A segmentation fault can occur in the Skia graphics     library during some canvas operations due to issues     with mask/clip intersection and empty masks.
    (CVE-2017-5406)

  - Using SVG filters that don't use the fixed point math     implementation on a target iframe, a malicious page can     extract pixel values from a targeted user. This can be     used to extract history information and read text     values across domains. This violates same-origin policy     and leads to information disclosure. (CVE-2017-5407)

  - Video files loaded video captions cross-origin without     checking for the presence of CORS headers permitting     such cross-origin use, leading to potential information     disclosure for video captions. (CVE-2017-5408)

  - Memory corruption resulting in a potentially     exploitable crash during garbage collection of     JavaScript due errors in how incremental sweeping is     managed for memory cleanup. (CVE-2017-5410)

  - A buffer overflow read during SVG filter color value     operations, resulting in data exposure. (CVE-2017-5412)

  - A segmentation fault can occur during some     bidirectional layout operations. (CVE-2017-5413)

  - The file picker dialog can choose and display the wrong     local default directory when instantiated. On some     operating systems, this can lead to information     disclosure, such as the operating system or the local     account name. (CVE-2017-5414)

  - An attack can use a blob URL and script to spoof an     arbitrary addressbar URL prefaced by blob: as the     protocol, leading to user confusion and further     spoofing attacks. (CVE-2017-5415)

  - In certain circumstances a networking event listener     can be prematurely released. This appears to result in     a null dereference in practice. (CVE-2017-5416)

  - When dragging content from the primary browser pane to     the addressbar on a malicious site, it is possible to     change the addressbar so that the displayed location     following navigation does not match the URL of the     newly loaded page. This allows for spoofing attacks.
    (CVE-2017-5417)

  - An out of bounds read error occurs when parsing some     HTTP digest authorization responses, resulting in     information leakage through the reading of random     memory containing matches to specifically set patterns.
    (CVE-2017-5418)

  - If a malicious site repeatedly triggers a modal     authentication prompt, eventually the browser UI will     become non-responsive, requiring shutdown through the     operating system. This is a denial of service (DOS)     attack. (CVE-2017-5419)

  - A javascript: url loaded by a malicious page can     obfuscate its location by blanking the URL displayed in     the addressbar, allowing for an attacker to spoof an     existing page without the malicious page's address     being displayed correctly. (CVE-2017-5420)

  - A malicious site could spoof the contents of the print     preview window if popup windows are enabled, resulting     in user confusion of what site is currently loaded.
    (CVE-2017-5421)

  - If a malicious site uses the view-source: protocol in a     series within a single hyperlink, it can trigger a     non-exploitable browser crash when the hyperlink is     selected. This was fixed by no longer making     view-source: linkable. (CVE-2017-5422)

  - The Gecko Media Plugin sandbox allows access to local     files that match specific regular expressions. On OS     OX, this matching allows access to some data in     subdirectories of /private/var that could expose     personal or temporary data. This has been updated to     not allow access to /private/var and its     subdirectories. Note: this issue only affects OS X.
    Other operating systems are not affected.
    (CVE-2017-5425)

  - A non-existent chrome.manifest file will attempt to be     loaded during startup from the primary installation     directory. If a malicious user with local access puts     chrome.manifest and other referenced files in this     directory, they will be loaded and activated during     startup. This could result in malicious software being     added without consent or modification of referenced     installed files. (CVE-2017-5427)

Note that Tenable Network Security has extracted the preceding description block directly from the Mozilla security advisories.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to bypass same origin restrictions, obtain sensitive information, spoof the addressbar, spoof the print dialog, cause a denial of service via application crash or hang, or execute arbitrary code. (CVE-2017-5398, CVE-2017-5399, CVE-2017-5400, CVE-2017-5401, CVE-2017-5402, CVE-2017-5403, CVE-2017-5404, CVE-2017-5405, CVE-2017-5406, CVE-2017-5407, CVE-2017-5408, CVE-2017-5410, CVE-2017-5412, CVE-2017-5413, CVE-2017-5414, CVE-2017-5415, CVE-2017-5416, CVE-2017-5417, CVE-2017-5418, CVE-2017-5419, CVE-2017-5420, CVE-2017-5421, CVE-2017-5422, CVE-2017-5426, CVE-2017-5427).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Foundation reports :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
100020	openSUSE Security Update : MozillaThunderbird (openSUSE-2017-545)	Nessus	SuSE Local Security Checks	critical
99121	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox regression (USN-3216-2)	Nessus	Ubuntu Local Security Checks	critical
97747	openSUSE Security Update : MozillaFirefox / mozilla-nss (openSUSE-2017-344)	Nessus	SuSE Local Security Checks	critical
97639	Mozilla Firefox < 52.0 Multiple Vulnerabilities	Nessus	Windows	high
97637	Mozilla Firefox < 52.0 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	high
97600	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : firefox vulnerabilities (USN-3216-1)	Nessus	Ubuntu Local Security Checks	critical
97592	FreeBSD : mozilla -- multiple vulnerabilities (96eca031-1313-4daf-9be2-9d6e1c4f1eb5)	Nessus	FreeBSD Local Security Checks	critical

CVE-2017-5416

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins