101059

1039465

https://bugzilla.mozilla.org/show_bug.cgi?id=1390980

https://bugzilla.mozilla.org/show_bug.cgi?id=1393624

[debian-lts-announce] 20171101 [SECURITY] [DLA 1153-1] icedove/thunderbird security update

GLSA-201803-14

https://www.mozilla.org/security/advisories/mfsa2017-21/

https://www.mozilla.org/security/advisories/mfsa2017-22/

https://www.mozilla.org/security/advisories/mfsa2017-23/

Versions of Mozilla Firefox ESR earlier than 52.4 are unpatched for the following vulnerabilities :

 - A flaw exists in 'js/src/vm/StructuredClone.cpp' that is triggered when handling structured clone reads. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in 'editor/libeditor/HTMLEditor.cpp' that is triggered when handling root elements in the editor. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/media/GraphDriver.cpp' that is triggered when handling errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An overflow condition exists in the 'hnj_hyphen_hyphword()' function in 'hyphen.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code within a process linked against the library.
 - A flaw exists in the 'EditorBase::FinalizeSelection()' function in 'editor/libeditor/EditorBase.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A use-after-free condition exists in the Fetch API related to missing thread safety. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in 'accessible/generic/DocAccessible.cpp' that is triggered when manipulating Accessible Rich Internet Applications (ARIA) elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in design mode that is triggered when objects are resized. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'ssl3_HandleCertificateVerify()' function in 'lib/ssl/ssl3con.c' that is triggered when handling handshake hashes during TLS '1.2' exchanges. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists in the PendingLookup class in 'toolkit/components/downloads/ApplicationReputation.cpp' that is triggered when handling downloads encoded with data: and blob: URL elements. This may allow a context-dependent attacker to bypass the phishing and malware protection feature.
 - A flaw exists in the 'MacOSFontEntry::ReadCMAP()' function in 'gfx/thebes/gfxMacPlatformFontList.mm' that is triggered as certain tibetan and arabic unicode characters are displayed as whitespace in combination with macOS fonts. With a specially crafted IDN domain, a context-dependent attacker can spoof a valid URL and conduct phishing attacks.
 - A flaw exists in the 'nsDocument::InitCSP()' function in 'dom/base/nsDocument.cpp' that is triggered as the sandbox directive does not create unique origin. This may result in incorrect enforcement of the content security policy (CSP).
 - An unspecified flaw exists that is triggered when drawing and validating elements with the ANGLE graphics library. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.

Versions of Mozilla Firefox earlier than 56 are unpatched for the following vulnerabilities :

 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in the 'js::AddPropertyTypesAfterProtoChange()' function in 'js/src/vm/NativeObject.cpp' that is triggered when handling the 'unknown-properties' flag. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'layout/style/nsCSSPseudoElements.cpp' that is triggered when handling pseudo-element atoms. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in 'dom/base/nsDocument.cpp' that is triggered when handling intersection observers. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'LayerTransactionParent::Destroy()' function in 'gfx/layers/ipc/LayerTransactionParent.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An overflow condition exists in the 'FPSCounter::PrintHistogram()' function in 'gfx/layers/composite/FPSCounter.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code.
 - A flaw exists in the 'FlagAllOperandsAsHavingRemovedUses()' function in 'js/src/jit/IonAnalysis.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'memory/mozjemalloc/mozjemalloc.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'ReadCompressedIndexDataValuesFromBlob()' function in 'dom/indexedDB/ActorsParent.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in 'js/src/vm/StructuredClone.cpp' that is triggered when handling structured clone reads. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A flaw exists in 'editor/libeditor/HTMLEditor.cpp' that is triggered when handling root elements in the editor. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in 'dom/media/GraphDriver.cpp' that is triggered when handling errors. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An overflow condition exists in the 'hnj_hyphen_hyphword()' function in 'hyphen.c' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to cause a buffer overflow and potentially execute arbitrary code within a process linked against the library.
 - A flaw exists in the 'EditorBase::FinalizeSelection()' function in 'editor/libeditor/EditorBase.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - A flaw exists in the 'DocAccessible::DoARIAOwnsRelocation()' function in 'accessible/generic/DocAccessible.cpp' that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.
 - An unspecified flaw exists that is triggered as certain input is not properly validated. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code. No further details have been provided by the vendor.
 - A use-after-free condition exists in the Fetch API related to missing thread safety. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists that is triggered when pages enter fullscreen mode without user notification. This allows a context-dependent attacker to spoof the address bar.
 - A use-after-free error exists in 'accessible/generic/DocAccessible.cpp' that is triggered when manipulating Accessible Rich Internet Applications (ARIA) elements. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in design mode that is triggered when objects are resized. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A use-after-free error exists in the 'ssl3_HandleCertificateVerify()' function in 'lib/ssl/ssl3con.c' that is triggered when handling handshake hashes during TLS '1.2' exchanges. This may allow a context-dependent attacker to dereference already freed memory and potentially execute arbitrary code.
 - A flaw exists that is triggered as the content principal is not properly checked when handling drag and drop actions onto the browser UI. With specially crafted web content including file: URLs, a context-dependent attacker can open local files.
 - A flaw exists in the PendingLookup class in 'toolkit/components/downloads/ApplicationReputation.cpp' that is triggered when handling downloads encoded with data: and blob: URL elements. This may allow a context-dependent attacker to bypass the phishing and malware protection feature.
 - An integer truncation flaw exists in the JavaScript parser that may allow a context-dependent attacker to potentially disclose memory contents.
 - A flaw exists in the 'MacOSFontEntry::ReadCMAP()' function in 'gfx/thebes/gfxMacPlatformFontList.mm' that is triggered as certain tibetan and arabic unicode characters are displayed as whitespace in combination with macOS fonts. With a specially crafted IDN domain, a context-dependent attacker can spoof a valid URL and conduct phishing attacks.
 - A flaw exists that is triggered when creating a modal dialog using the data: protocol via JavaScript. With a specially crafted web page, a context-dependent attacker can spoof the origin of the modal dialog.
 - A flaw exists in the WebExtensions component that is triggered when handling popups and panels in the extension UI. This may allow a context-dependent attacker to load an 'about:' URL.
 - A flaw exists in the WebExtensions component that is triggered when handling file downloads. This may allow a context-dependent attacker to download and open files without user interaction.
 - A flaw exists in the 'nsDocument::InitCSP()' function in 'dom/base/nsDocument.cpp' that is triggered as the sandbox directive does not create unique origin. This may result in incorrect enforcement of the content security policy (CSP).
 - A flaw exists in the WebCrypto API that is triggered as the AES-GCM implementation allows a zero-length IV. This may allow a context-dependent attacker to determine the authentication key.
 - A flaw exists that is is triggered as results of the 'instanceof' operator can be manipulated. With specially crafted web content, a context-dependent attacker can bypass the Xray wrapper mechanism.
 - An unspecified flaw exists that is triggered when drawing and validating elements with the ANGLE graphics library. This may allow a context-dependent attacker to cause a buffer overflow, potentially allowing the execution of arbitrary code.
 - A flaw exists related to speculative execution, which is used as a performance feature to speed up operations. This optimization can result in memory being cached during indirect branch prediction. This may allow a local attacker to train the Branch Target Buffer (BTB) to trigger a false prediction to a specially crafted memory location, causing a speculative execution of a crafted gadget and the caching of arbitrary memory. Using a side-channel attack on the cache the attacker can disclose parts of the privileged kernel memory.

The remote host is affected by the vulnerability described in GLSA-201803-14 (Mozilla Thunderbird: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
      Please review the referenced Mozilla Foundation Security Advisories and       CVE identifiers below for details.
  Impact :

    A remote attacker may be able to execute arbitrary code, cause a Denial       of Service condition, obtain sensitive information, conduct URL       hijacking, or conduct cross-site scripting (XSS).
  Workaround :

    There is no known workaround at this time.

This update for MozillaFirefox and mozilla-nss fixes the following issues: Mozilla Firefox was updated to ESR 52.4 (bsc#1060445)

  - MFSA 2017-22/CVE-2017-7825: OS X fonts render some     Tibetan and Arabic unicode characters as spaces

  - MFSA 2017-22/CVE-2017-7805: Use-after-free in TLS 1.2     generating handshake hashes

  - MFSA 2017-22/CVE-2017-7819: Use-after-free while     resizing images in design mode

  - MFSA 2017-22/CVE-2017-7818: Use-after-free during ARIA     array manipulation

  - MFSA 2017-22/CVE-2017-7793: Use-after-free with Fetch     API

  - MFSA 2017-22/CVE-2017-7824: Buffer overflow when drawing     and validating elements with ANGLE

  - MFSA 2017-22/CVE-2017-7810: Memory safety bugs fixed in     Firefox 56 and Firefox ESR 52.4

  - MFSA 2017-22/CVE-2017-7823: CSP sandbox directive did     not create a unique origin

  - MFSA 2017-22/CVE-2017-7814: Blob and data URLs bypass     phishing and malware protection warnings Mozilla Network     Security Services (Mozilla NSS) received a security fix :

  - MFSA 2017-22/CVE-2017-7805: Use-after-free in TLS 1.2     generating handshake hashes (bsc#1061005, bsc#1060445)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple security issues have been found in the Mozilla Thunderbird mail client: Multiple memory safety errors, buffer overflows and other implementation errors may lead to crashes or the execution of arbitrary code.

With this update the source package name changes from icedove to thunderbird so icedove will not be mentioned anymore in future advisories.

For Debian 7 'Wheezy', these problems have been fixed in version 1:52.4.0-1~deb7u1.

We recommend that you upgrade your thunderbird packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Mozilla Thunderbird was updated to 52.4.0 (boo#1060445)

  - new behavior was introduced for replies to mailing list     posts: 'When replying to a mailing list, reply will be     sent to address in From header ignoring Reply-to     header'. A new preference mail.override_list_reply_to     allows to restore the previous behavior.

  - Under certain circumstances (image attachment and     non-image attachment), attached images were shown     truncated in messages stored in IMAP folders not     synchronised for offline use.

  - IMAP UIDs > 0x7FFFFFFF now handled properly Security     fixes from Gecko 52.4esr

  - CVE-2017-7793 (bmo#1371889) Use-after-free with Fetch     API

  - CVE-2017-7818 (bmo#1363723) Use-after-free during ARIA     array manipulation

  - CVE-2017-7819 (bmo#1380292) Use-after-free while     resizing images in design mode

  - CVE-2017-7824 (bmo#1398381) Buffer overflow when drawing     and validating elements with ANGLE

  - CVE-2017-7805 (bmo#1377618) (fixed via NSS requirement)     Use-after-free in TLS 1.2 generating handshake hashes

  - CVE-2017-7814 (bmo#1376036) Blob and data URLs bypass     phishing and malware protection warnings

  - CVE-2017-7825 (bmo#1393624, bmo#1390980) (OSX-only) OS X     fonts render some Tibetan and Arabic unicode characters     as spaces

  - CVE-2017-7823 (bmo#1396320) CSP sandbox directive did     not create a unique origin

  - CVE-2017-7810 Memory safety bugs fixed in Firefox 56 and     Firefox ESR 52.4

  - Add alsa-devel BuildRequires: we care for ALSA support     to be built and thus need to ensure we get the     dependencies in place. In the past, alsa-devel was     pulled in by accident: we buildrequire libgnome-devel.
    This required esound-devel and that in turn pulled in     alsa-devel for us. libgnome is being fixed to no longer     require esound-devel.

This update for MozillaFirefox to ESR 52.4, mozilla-nss fixes the following issues: This security issue was fixed for mozilla-nss :

  - CVE-2017-7805: Prevent use-after-free in TLS 1.2 when     generating handshake hashes (bsc#1061005) These security     issues were fixed for Firefox

  - CVE-2017-7825: Fixed some Tibetan and Arabic unicode     characters rendering (bsc#1060445).

  - CVE-2017-7805: Prevent Use-after-free in TLS 1.2     generating handshake hashes (bsc#1060445).

  - CVE-2017-7819: Prevent Use-after-free while resizing     images in design mode (bsc#1060445).

  - CVE-2017-7818: Prevent Use-after-free during ARIA array     manipulation (bsc#1060445).

  - CVE-2017-7793: Prevent Use-after-free with Fetch API     (bsc#1060445).

  - CVE-2017-7824: Prevent Buffer overflow when drawing and     validating elements with ANGLE (bsc#1060445).

  - CVE-2017-7810: Fixed several memory safety bugs     (bsc#1060445).

  - CVE-2017-7823: CSP sandbox directive did not create a     unique origin (bsc#1060445).

  - CVE-2017-7814: Blob and data URLs bypassed phishing and     malware protection warnings (bsc#1060445).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Mozilla Firefox installed on the remote macOS or Mac OS X host is prior to 56. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable application crashes.

The version of Mozilla Firefox ESR installed on the remote macOS or Mac OS X host is prior to 52.4. It is, therefore, affected by multiple vulnerabilities, some of which allow code execution and potentially exploitable crashes.

Mozilla Foundation reports :

CVE-2017-7793: Use-after-free with Fetch API

CVE-2017-7817: Firefox for Android address bar spoofing through fullscreen mode

CVE-2017-7818: Use-after-free during ARIA array manipulation

CVE-2017-7819: Use-after-free while resizing images in design mode

CVE-2017-7824: Buffer overflow when drawing and validating elements with ANGLE

CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes

CVE-2017-7812: Drag and drop of malicious page content to the tab bar can open locally stored files

CVE-2017-7814: Blob and data URLs bypass phishing and malware protection warnings

CVE-2017-7813: Integer truncation in the JavaScript parser

CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode characters as spaces

CVE-2017-7815: Spoofing attack with modal dialogs on non-e10s installations

CVE-2017-7816: WebExtensions can load about: URLs in extension UI

CVE-2017-7821: WebExtensions can download and open non-executable files without user interaction

CVE-2017-7823: CSP sandbox directive did not create a unique origin

CVE-2017-7822: WebCrypto allows AES-GCM with 0-length IV

CVE-2017-7820: Xray wrapper bypass with new tab and web console

CVE-2017-7811: Memory safety bugs fixed in Firefox 56

CVE-2017-7810: Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4

ID	Name	Product	Family	Severity
700331	Mozilla Firefox ESR < 52.4 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
700321	Mozilla Firefox < 56 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
108820	GLSA-201803-14 : Mozilla Thunderbird: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
104542	SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2017:2872-2)	Nessus	SuSE Local Security Checks	critical
104335	Debian DLA-1153-1 : icedove/thunderbird security update	Nessus	Debian Local Security Checks	critical
104254	SUSE SLES11 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2017:2872-1)	Nessus	SuSE Local Security Checks	critical
103798	openSUSE Security Update : MozillaThunderbird (openSUSE-2017-1144)	Nessus	SuSE Local Security Checks	critical
103768	SUSE SLED12 / SLES12 Security Update : MozillaFirefox, mozilla-nss (SUSE-SU-2017:2688-1)	Nessus	SuSE Local Security Checks	critical
103678	Mozilla Firefox < 56 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	critical
103677	Mozilla Firefox ESR < 52.4 Multiple Vulnerabilities (macOS)	Nessus	MacOS X Local Security Checks	critical
103556	FreeBSD : mozilla -- multiple vulnerabilities (1098a15b-b0f6-42b7-b5c7-8a8646e8be07)	Nessus	FreeBSD Local Security Checks	critical

CVE-2017-7825

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins