100234

1039124

https://bugzilla.mozilla.org/show_bug.cgi?id=1372849

https://www.mozilla.org/security/advisories/mfsa2017-18/

https://www.mozilla.org/security/advisories/mfsa2017-19/

https://www.mozilla.org/security/advisories/mfsa2017-20/

This update for MozillaFirefox to ESR 52.3 fixes several issues. These security issues were fixed :

  - CVE-2017-7807 Domain hijacking through AppCache fallback     (bsc#1052829)

  - CVE-2017-7791 Spoofing following page navigation with     data: protocol and modal alerts (bsc#1052829)

  - CVE-2017-7792 Buffer overflow viewing certificates with     an extremely long OID (bsc#1052829)

  - CVE-2017-7782 WindowsDllDetourPatcher allocates memory     without DEP protections (bsc#1052829)

  - CVE-2017-7787 Same-origin policy bypass with iframes     through page reloads (bsc#1052829)

  - CVE-2017-7786 Buffer overflow while painting     non-displayable SVG (bsc#1052829)

  - CVE-2017-7785 Buffer overflow manipulating ARIA     attributes in DOM (bsc#1052829)

  - CVE-2017-7784 Use-after-free with image observers     (bsc#1052829)

  - CVE-2017-7753 Out-of-bounds read with cached style data     and pseudo-elements (bsc#1052829)

  - CVE-2017-7798 XUL injection in the style editor in     devtools (bsc#1052829)

  - CVE-2017-7804 Memory protection bypass through     WindowsDllDetourPatcher (bsc#1052829)

  - CVE-2017-7779 Memory safety bugs fixed in Firefox 55 and     Firefox ESR 52.3 (bsc#1052829)

  - CVE-2017-7800 Use-after-free in WebSockets during     disconnection (bsc#1052829)

  - CVE-2017-7801 Use-after-free with marquee during window     resizing (bsc#1052829)

  - CVE-2017-7802 Use-after-free resizing image elements     (bsc#1052829)

  - CVE-2017-7803 CSP containing 'sandbox' improperly     applied (bsc#1052829)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The update for icedove/thunderbird issued as DLA-1087-1 did not build on i386. This update corrects this. For reference, the original advisory text follows.

Multiple security issues have been found in the Mozilla Thunderbird mail client: Multiple memory safety errors, buffer overflows and other implementation errors may lead to the execution of arbitrary code or spoofing.

For Debian 7 'Wheezy', these problems have been fixed in version 1:52.3.0-4~deb7u2.

We recommend that you upgrade your icedove packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Firefox was updated to the ESR 52.3 release (bsc#1052829) Following security issues were fixed :

  - MFSA 2017-19/CVE-2017-7807: Domain hijacking through     AppCache fallback

  - MFSA 2017-19/CVE-2017-7791: Spoofing following page     navigation with data: protocol and modal alerts

  - MFSA 2017-19/CVE-2017-7792: Buffer overflow viewing     certificates with an extremely long OID

  - MFSA 2017-19/CVE-2017-7782: WindowsDllDetourPatcher     allocates memory without DEP protections

  - MFSA 2017-19/CVE-2017-7787: Same-origin policy bypass     with iframes through page reloads

  - MFSA 2017-19/CVE-2017-7786: Buffer overflow while     painting non-displayable SVG

  - MFSA 2017-19/CVE-2017-7785: Buffer overflow manipulating     ARIA attributes in DOM

  - MFSA 2017-19/CVE-2017-7784: Use-after-free with image     observers

  - MFSA 2017-19/CVE-2017-7753: Out-of-bounds read with     cached style data and pseudo-elements

  - MFSA 2017-19/CVE-2017-7798: XUL injection in the style     editor in devtools

  - MFSA 2017-19/CVE-2017-7804: Memory protection bypass     through WindowsDllDetourPatcher

  - MFSA 2017-19/CVE-2017-7779: Memory safety bugs fixed in     Firefox 55 and Firefox ESR 52.3

  - MFSA 2017-19/CVE-2017-7800: Use-after-free in WebSockets     during disconnection

  - MFSA 2017-19/CVE-2017-7801: Use-after-free with marquee     during window resizing

  - MFSA 2017-19/CVE-2017-7802: Use-after-free resizing     image elements

  - MFSA 2017-19/CVE-2017-7803: CSP containing 'sandbox'     improperly applied This update also fixes :

  - fixed firefox hangs after a while in FUTEX_WAIT_PRIVATE     if cgroups enabled and running on cpu >=1 (bsc#1031485)

  - The Itanium ia64 build was fixed.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of Mozilla Firefox ESR earlier than 52.3 are unpatched for the following vulnerabilities :

 - A flaw exists in the 'Accessible::RemoveChild()' function in 'accessible/generic/Accessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsMIMEHeaderParamImpl::DecodeRFC5987Param()' function in 'netwerk/mime/nsMIMEHeaderParamImpl.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsWindow::SetParent()' function in 'widget/windows/nsWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A race condition exists in 'media/webrtc/trunk/webrtc/modules/desktop_capture/screen_capturer_mac.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to missing thread safety that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'NotifyTrackRemoved()' function in 'dom/media/MediaRecorder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'InitGlobalLexicalOperation()' function in 'js/src/vm/Interpreter-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'js::FinishCompilation()' function in 'js/src/vm/TypeInference.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'TypedArrayObjectTemplate::makeTemplateObject()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsFTPDirListingConv::DigestBufferLines()' function in 'netwerk/streamconv/converters/nsFTPDirListingConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in the 'TraceSelf()' function in 'dom/bindings/TypedArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'WebSocket::Send()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'ExpressionDecompiler::decompilePC()' function in 'js/src/jsopcode.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'IonBuilder::addOsrValueTypeBarrier()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in the Developer Tools feature that is triggered as web page source code is not properly validated. This may allow a context-dependent attacker to inject and execute arbitrary XUL code.
 - A use-after-free error exists in the 'WebSocketImpl::Disconnect()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when re-computing the layout for marquee elements during window resizing. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when deleting attached editor DOM nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsImageLoadingContent::Notify()' function in 'dom/base/nsImageLoadingContent.cpp' that is triggered when reading image observers during frame reconstruction. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when resizing image elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - An overflow condition exists that is triggered as certain input is not properly validated when manipulation Accessible Rich Internet Applications (ARIA) attributes. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - An overflow condition exists that is triggered as certain input is not properly validated when painting non-displayable SVG elements. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - An out-of-bounds read flaw exists that is triggered when handling cached style data and pseudo-elements. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
 - A flaw exists in the 'nsDocShell::OnNewURI()' function in 'docshell/base/nsDocShell.cpp' that is triggered when handling pages with embedded iframes during page reloads. With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy.
 - A flaw exists in the AppCache feature related to handling of websites under a subdirectory adding fallback pages. With a specially crafted website, a context-dependent attacker can hijack a domain.
 - A flaw exists in the 'openTabPrompt()' and 'openRemotePrompt()' functions in 'toolkit/components/prompts/src/nsPrompter.js' that is triggered when handling page navigations with data: protocols and modal alerts. This may allow a context-dependent attacker to conduct spoofing attacks.
 - A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as WindowsDllDetourPatcher may allocate memory with RWX permissions. This may allow a context-dependent attacker to bypass intended DEP protection and more easily exploit another vulnerability that allows code execution.
 - A sandbox directive. This may result in other directives being ignored and incorrect enforcement of the content security policy (CSP).
 - A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as the WindowsDllDetourPatcher class destructor may be re-purposed by malicious code. This may allow a context-dependent attacker to bypass memory protections.
 - An overflow condition exists in 'security/manager/ssl/nsNSSCertHelper.cpp' that is triggered when viewing certificates with overly long OIDs. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.

Versions of Mozilla Firefox prior to 55 are unpatched for the following vulnerabilities :

 - A flaw exists that is triggered as the HTTP Strict-Transport-Security (HSTS) header is ignored when processing a response containing multiple HSTS headers. This may allow an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) to bypass HSTS protection and downgrade the HTTP communication.
 - A flaw exists in the 'Key::EncodeAsString()' function in 'dom/indexedDB/Key.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'SelectionManager::SetControlSelectionListener()' and 'SelectionManager::ClearControlSelectionListener()' functions in 'accessible/base/SelectionManager.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in the 'DocAccessible::MoveChild()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in 'xpcom/threads/MozPromise.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling edit transactions. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists related to the Android UI thread. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'CanonicalizeLanguageTag()' function in 'js/src/builtin/Intl.js' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists that is triggered as certain input is not properly validated when handling freezing of dense elements. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'Module::instantiate()' function in 'js/src/wasm/WasmModule.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'Accessible::RemoveChild()' function in 'accessible/generic/Accessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'IonBuilder::build()' and 'IonBuilder::buildInline()' functions in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsContentUtils::ConvertStringFromEncoding()' function in 'dom/base/nsContentUtils.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'jit::JitActivation::getRematerializedFrame()' function in 'js/src/vm/Stack.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsMIMEHeaderParamImpl::DecodeRFC5987Param()' function in 'netwerk/mime/nsMIMEHeaderParamImpl.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsWindow::SetParent()' function in 'widget/windows/nsWindow.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A race condition exists in 'media/webrtc/trunk/webrtc/modules/desktop_capture/screen_capturer_mac.mm' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists related to missing thread safety that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'NotifyTrackRemoved()' function in 'dom/media/MediaRecorder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'InitGlobalLexicalOperation()' function in 'js/src/vm/Interpreter-inl.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'js::FinishCompilation()' function in 'js/src/vm/TypeInference.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'TypedArrayObjectTemplate::makeTemplateObject()' function in 'js/src/vm/TypedArrayObject.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'nsFTPDirListingConv::DigestBufferLines()' function in 'netwerk/streamconv/converters/nsFTPDirListingConv.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'TraceSelf()' function in 'dom/bindings/TypedArray.h' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'WebSocket::Send()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'ExpressionDecompiler::decompilePC()' function in 'js/src/jsopcode.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'IonBuilder::addOsrValueTypeBarrier()' function in 'js/src/jit/IonBuilder.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists related to response header name interning not having same-origin protections. This may allow a context-dependent attacker to disclose stored header names.
 - A flaw exists in the Developer Tools feature that is triggered as web page source code is not properly validated. This may allow a context-dependent attacker to inject and execute arbitrary XUL code.
 - A use-after-free error exists in the 'WebSocketImpl::Disconnect()' function in 'dom/base/WebSocket.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when re-computing the layout for marquee elements during window resizing. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when deleting attached editor DOM nodes. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'nsImageLoadingContent::Notify()' function in 'dom/base/nsImageLoadingContent.cpp' that is triggered when reading image observers during frame reconstruction. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when resizing image elements. With a specially crafted web page, a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - An overflow condition exists that is triggered as certain input is not properly validated when manipulation Accessible Rich Internet Applications (ARIA) attributes. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - An overflow condition exists that is triggered as certain input is not properly validated when painting non-displayable SVG elements. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - A use-after-free error exists that is triggered when handling the layer manager while rendering SVG content. This may allow a context-dependent attacker can dereference already freed memory and potentially execute arbitrary code.
 - An out-of-bounds read flaw exists that is triggered when handling cached style data and pseudo-elements. This may allow a context-dependent attacker to potentially disclose sensitive memory contents.
 - A flaw exists in the 'nsDocShell::OnNewURI()' function in 'docshell/base/nsDocShell.cpp' that is triggered when handling pages with embedded iframes during page reloads. With a specially crafted web page, a context-dependent attacker can bypass the same-origin policy.
 - A flaw exists in the AppCache feature related to handling of websites under a subdirectory adding fallback pages. With a specially crafted website, a context-dependent attacker can hijack a domain.
 - A flaw exists in the 'openTabPrompt()' and 'openRemotePrompt()' functions in 'toolkit/components/prompts/src/nsPrompter.js' that is triggered when handling page navigations with data: protocols and modal alerts. This may allow a context-dependent attacker to conduct spoofing attacks.
 - A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as WindowsDllDetourPatcher may allocate memory with RWX permissions. This may allow a context-dependent attacker to bypass intended DEP protection and more easily exploit another vulnerability that allows code execution.
 - A flaw exists in the 'AllowOpen()' function in 'security/sandbox/linux/broker/SandboxBroker.cpp'. This may allow a context-dependent attacker to bypass the sandbox restrictions and truncate files on the system.
 - A flaw exists in the elliptic curve point addition algorithm that is triggered when using mixed Jacobian-affine coordinates. This may allow an attacker with the ability to intercept network traffic '(e.g'. MitM, DNS cache poisoning) to interfere with a connection and cause the calculation of an incorrect shared secret.
 - A flaw exists that is triggered when handling frame-ancestors directives containing origins with paths. This may allow a context-dependent attacker to bypass the content security policy (CSP).
 - A sandbox directive. This may result in other directives being ignored and incorrect enforcement of the content security policy (CSP).
 - A flaw exists in the 'ExecuteServiceCommand()' function in 'toolkit/components/maintenanceservice/workmonitor.cpp' that is triggered when handling patch directory paths. Combined with another local vulnerability this may allow an attacker to have the Windows updater delete any file named 'update.log'.
 - A flaw exists in 'toolkit/content/aboutwebrtc/aboutWebrtc.js' that is triggered as certain input to about:webrtc is not properly validated. This may allow an attacker to create a specially crafted request that executes arbitrary script code in a user's browser session within the trust relationship between their browser and the server or inject XUL code.
 - A flaw exists in the 'nsHttpChannelAuthProvider::ConfirmAuth()' function in 'netwerk/protocol/http/nsHttpChannelAuthProvider.cpp' that is triggered when handling long usernames in URLs. This may allow a context-dependent attacker to cause a denial of service.
 - A flaw exists in 'toolkit/crashreporter/client/crashreporter_win.cpp' that is triggered as the Windows crash reporter may read extra memory for certain non-null-terminated registry values. This may allow an attacker to disclose potentially sensitive memory contents.
 - A flaw exists in 'xpcom/build/nsWindowsDllInterceptor.h' that is triggered as the WindowsDllDetourPatcher class destructor may be re-purposed by malicious code. This may allow a context-dependent attacker to bypass memory protections.
 - A flaw exists that is triggered as sandboxed about:srcdoc iframes do not inherit content security policy (CSP) directives. This may allow a context-dependent attacker to bypass the content security policy (CSP).
 - An overflow condition exists in 'security/manager/ssl/nsNSSCertHelper.cpp' that is triggered when viewing certificates with overly long OIDs. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.

This update for MozillaThunderbird to version 52.3 fixes security issues and bugs. The following vulnerabilities were fixed :

  - CVE-2017-7798: XUL injection in the style editor in     devtools

  - CVE-2017-7800: Use-after-free in WebSockets during     disconnection

  - CVE-2017-7801: Use-after-free with marquee during window     resizing

  - CVE-2017-7784: Use-after-free with image observers

  - CVE-2017-7802: Use-after-free resizing image elements

  - CVE-2017-7785: Buffer overflow manipulating ARIA     attributes in DOM

  - CVE-2017-7786: Buffer overflow while painting     non-displayable SVG

  - CVE-2017-7753: Out-of-bounds read with cached style data     and pseudo-elements#

  - CVE-2017-7787: Same-origin policy bypass with iframes     through page reloads

  - CVE-2017-7807: Domain hijacking through AppCache     fallback

  - CVE-2017-7792: Buffer overflow viewing certificates with     an extremely long OID

  - CVE-2017-7804: Memory protection bypass through     WindowsDllDetourPatcher

  - CVE-2017-7791: Spoofing following page navigation with     data: protocol and modal alerts

  - CVE-2017-7782: WindowsDllDetourPatcher allocates memory     without DEP protections

  - CVE-2017-7803: CSP containing 'sandbox' improperly     applied

  - CVE-2017-7779: Memory safety bugs fixed in Firefox 55     and Firefox ESR 52.3

The following bugs were fixed :

  - Unwanted inline images shown in rogue SPAM messages

  - Deleting message from the POP3 server not working when     maildir storage was used

  - Message disposition flag (replied / forwarded) lost when     reply or forwarded message was stored as draft and draft     was sent later

  - Inline images not scaled to fit when printing

  - Selected text from another message sometimes included in     a reply

  - No authorisation prompt displayed when inserting image     into email body although image URL requires     authentication

  - Large attachments taking a long time to open under some     circumstances

This update to Mozilla Firefox 52.3esr fixes a number of security issues.

The following vulnerabilities were advised upstream under MFSA 2017-19 (boo#1052829) :

  - CVE-2017-7798: XUL injection in the style editor in     devtools

  - CVE-2017-7800: Use-after-free in WebSockets during     disconnection

  - CVE-2017-7801: Use-after-free with marquee during window     resizing

  - CVE-2017-7784: Use-after-free with image observers

  - CVE-2017-7802: Use-after-free resizing image elements

  - CVE-2017-7785: Buffer overflow manipulating ARIA     attributes in DOM

  - CVE-2017-7786: Buffer overflow while painting     non-displayable SVG

  - CVE-2017-7753: Out-of-bounds read with cached style data     and pseudo-elements#

  - CVE-2017-7787: Same-origin policy bypass with iframes     through page reloads

  - CVE-2017-7807: Domain hijacking through AppCache     fallback

  - CVE-2017-7792: Buffer overflow viewing certificates with     an extremely long OID

  - CVE-2017-7804: Memory protection bypass through     WindowsDllDetourPatcher

  - CVE-2017-7791: Spoofing following page navigation with     data: protocol and modal alerts

  - CVE-2017-7782: WindowsDllDetourPatcher allocates memory     without DEP protections

  - CVE-2017-7803: CSP containing 'sandbox' improperly     applied

  - CVE-2017-7779: Memory safety bugs fixed in Firefox 55     and Firefox ESR 52.3

The version of Mozilla Firefox installed on the remote Windows host is prior to 55. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

The version of Mozilla Firefox ESR installed on the remote Windows host is prior to 52.3. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

Mozilla Foundation reports :

Please reference CVE/URL list for details

ID	Name	Product	Family	Severity
103563	SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2017:2589-1)	Nessus	SuSE Local Security Checks	critical
102961	Debian DLA-1087-2 : icedove/thunderbird regression update	Nessus	Debian Local Security Checks	critical
102856	SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2017:2302-1)	Nessus	SuSE Local Security Checks	critical
700183	Mozilla Firefox ESR < 52.3 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
700182	Mozilla Firefox < 55 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
102622	openSUSE Security Update : MozillaThunderbird (openSUSE-2017-955)	Nessus	SuSE Local Security Checks	critical
102472	openSUSE Security Update : MozillaFirefox (openSUSE-2017-921)	Nessus	SuSE Local Security Checks	critical
102359	Mozilla Firefox < 55 Multiple Vulnerabilities	Nessus	Windows	critical
102358	Mozilla Firefox ESR < 52.3 Multiple Vulnerabilities	Nessus	Windows	critical
102278	FreeBSD : mozilla -- multiple vulnerabilities (555b244e-6b20-4546-851f-d8eb7d6c1ffa)	Nessus	FreeBSD Local Security Checks	critical

CVE-2017-7804

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins