102258

1040123

RHSA-2018:0061

https://bugzilla.mozilla.org/show_bug.cgi?id=1423432

[debian-lts-announce] 20171227 [SECURITY] [DLA 1223-1] thunderbird security update

USN-3529-1

DSA-4075

https://www.mozilla.org/security/advisories/mfsa2017-30/

The remote NewStart CGSL host, running version MAIN 4.05, has thunderbird packages installed that are affected by multiple vulnerabilities:

  - It is possible to spoof the sender's email address and     display an arbitrary sender address to the email     recipient. The real sender's address is not displayed if     preceded by a null character in the display string. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7829)

  - Crafted CSS in an RSS feed can leak and reveal local     path strings, which may contain user name. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7847)

  - RSS fields can inject new lines into the created email     structure, modifying the message body. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7848)

  - It is possible to execute JavaScript in the parsed RSS     feed when RSS feed is viewed as a website, e.g. via     View -> Feed article -> Website or in the standard     format of View -> Feed article -> default format. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7846)

  - Memory safety bugs were reported in Firefox 58 and     Firefox ESR 52.6. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 52.7,     Firefox ESR < 52.7, and Firefox < 59. (CVE-2018-5125)

  - A buffer overflow can occur when manipulating the SVG     animatedPathSegList through script. This results in a     potentially exploitable crash. This vulnerability     affects Thunderbird < 52.7, Firefox ESR < 52.7, and     Firefox < 59. (CVE-2018-5127)

  - A lack of parameter validation on IPC messages results     in a potential out-of-bounds write through malformed IPC     messages. This can potentially allow for sandbox escape     through memory corruption in the parent process. This     vulnerability affects Thunderbird < 52.7, Firefox ESR <     52.7, and Firefox < 59. (CVE-2018-5129)

  - An integer overflow can occur during conversion of text     to some Unicode character sets due to an unchecked     length parameter. This vulnerability affects Firefox ESR     < 52.7 and Thunderbird < 52.7. (CVE-2018-5144)

  - Memory safety bugs were reported in Firefox ESR 52.6.
    These bugs showed evidence of memory corruption and we     presume that with enough effort that some of these could     be exploited to run arbitrary code. This vulnerability     affects Firefox ESR < 52.7 and Thunderbird < 52.7.
    (CVE-2018-5145)

  - Memory safety bugs were reported in Firefox 57 and     Firefox ESR 52.5. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 52.6,     Firefox ESR < 52.6, and Firefox < 58. (CVE-2018-5089)

  - An integer overflow vulnerability in the Skia library     when allocating memory for edge builders on some systems     with at least 8 GB of RAM. This results in the use of     uninitialized memory, resulting in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox <     58. (CVE-2018-5095)

  - A use-after-free vulnerability can occur while editing     events in form elements on a page, resulting in a     potentially exploitable crash. This vulnerability     affects Firefox ESR < 52.6 and Thunderbird < 52.6.
    (CVE-2018-5096)

  - A use-after-free vulnerability can occur during XSL     transformations when the source document for the     transformation is manipulated by script content during     the transformation. This results in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox <     58. (CVE-2018-5097)

  - A use-after-free vulnerability can occur when form input     elements, focus, and selections are manipulated by     script content. This results in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox <     58. (CVE-2018-5098)

  - A use-after-free vulnerability can occur when the widget     listener is holding strong references to browser objects     that have previously been freed, resulting in a     potentially exploitable crash when these references are     used. This vulnerability affects Thunderbird < 52.6,     Firefox ESR < 52.6, and Firefox < 58. (CVE-2018-5099)

  - A use-after-free vulnerability can occur when     manipulating HTML media elements with media streams,     resulting in a potentially exploitable crash. This     vulnerability affects Thunderbird < 52.6, Firefox ESR <     52.6, and Firefox < 58. (CVE-2018-5102)

  - A use-after-free vulnerability can occur during mouse     event handling due to issues with multiprocess support.
    This results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 52.6, Firefox ESR <     52.6, and Firefox < 58. (CVE-2018-5103)

  - A use-after-free vulnerability can occur during font     face manipulation when a font face is freed while still     in use, resulting in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 52.6, Firefox     ESR < 52.6, and Firefox < 58. (CVE-2018-5104)

  - If right-to-left text is used in the addressbar with     left-to-right alignment, it is possible in some     circumstances to scroll this text to spoof the displayed     URL. This issue could result in the wrong URL being     displayed as a location, which can mislead users to     believe they are on a different site than the one     loaded. This vulnerability affects Thunderbird < 52.6,     Firefox ESR < 52.6, and Firefox < 58. (CVE-2018-5117)

  - An out of bounds write flaw was found in the processing     of vorbis audio data. A maliciously crafted file or     audio stream could cause the application to crash or,     potentially, execute arbitrary code. (CVE-2018-5146)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 5.04, has thunderbird packages installed that are affected by multiple vulnerabilities:

  - It is possible to spoof the sender's email address and     display an arbitrary sender address to the email     recipient. The real sender's address is not displayed if     preceded by a null character in the display string. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7829)

  - Crafted CSS in an RSS feed can leak and reveal local     path strings, which may contain user name. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7847)

  - RSS fields can inject new lines into the created email     structure, modifying the message body. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7848)

  - It is possible to execute JavaScript in the parsed RSS     feed when RSS feed is viewed as a website, e.g. via     View -> Feed article -> Website or in the standard     format of View -> Feed article -> default format. This     vulnerability affects Thunderbird < 52.5.2.
    (CVE-2017-7846)

  - Memory safety bugs were reported in Firefox 57 and     Firefox ESR 52.5. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 52.6,     Firefox ESR < 52.6, and Firefox < 58. (CVE-2018-5089)

  - An integer overflow vulnerability in the Skia library     when allocating memory for edge builders on some systems     with at least 8 GB of RAM. This results in the use of     uninitialized memory, resulting in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox <     58. (CVE-2018-5095)

  - A use-after-free vulnerability can occur while editing     events in form elements on a page, resulting in a     potentially exploitable crash. This vulnerability     affects Firefox ESR < 52.6 and Thunderbird < 52.6.
    (CVE-2018-5096)

  - A use-after-free vulnerability can occur during XSL     transformations when the source document for the     transformation is manipulated by script content during     the transformation. This results in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox <     58. (CVE-2018-5097)

  - A use-after-free vulnerability can occur when form input     elements, focus, and selections are manipulated by     script content. This results in a potentially     exploitable crash. This vulnerability affects     Thunderbird < 52.6, Firefox ESR < 52.6, and Firefox <     58. (CVE-2018-5098)

  - A use-after-free vulnerability can occur when the widget     listener is holding strong references to browser objects     that have previously been freed, resulting in a     potentially exploitable crash when these references are     used. This vulnerability affects Thunderbird < 52.6,     Firefox ESR < 52.6, and Firefox < 58. (CVE-2018-5099)

  - A use-after-free vulnerability can occur when     manipulating HTML media elements with media streams,     resulting in a potentially exploitable crash. This     vulnerability affects Thunderbird < 52.6, Firefox ESR <     52.6, and Firefox < 58. (CVE-2018-5102)

  - A use-after-free vulnerability can occur during mouse     event handling due to issues with multiprocess support.
    This results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 52.6, Firefox ESR <     52.6, and Firefox < 58. (CVE-2018-5103)

  - A use-after-free vulnerability can occur during font     face manipulation when a font face is freed while still     in use, resulting in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 52.6, Firefox     ESR < 52.6, and Firefox < 58. (CVE-2018-5104)

  - If right-to-left text is used in the addressbar with     left-to-right alignment, it is possible in some     circumstances to scroll this text to spoof the displayed     URL. This issue could result in the wrong URL being     displayed as a location, which can mislead users to     believe they are on a different site than the one     loaded. This vulnerability affects Thunderbird < 52.6,     Firefox ESR < 52.6, and Firefox < 58. (CVE-2018-5117)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201803-14 (Mozilla Thunderbird: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Thunderbird.
      Please review the referenced Mozilla Foundation Security Advisories and       CVE identifiers below for details.
  Impact :

    A remote attacker may be able to execute arbitrary code, cause a Denial       of Service condition, obtain sensitive information, conduct URL       hijacking, or conduct cross-site scripting (XSS).
  Workaround :

    There is no known workaround at this time.

It was discovered that a From address encoded with a null character is cut off in the message header display. An attacker could potentially exploit this to spoof the sender address. (CVE-2017-7829)

It was discovered that it is possible to execute JavaScript in RSS feeds in some circumstances. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this in combination with another vulnerability, in order to cause unspecified problems. (CVE-2017-7846)

It was discovered that the RSS feed can leak local path names. If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this to obtain sensitive information. (CVE-2017-7847)

It was discovered that RSS feeds are vulnerable to new line injection.
If a user were tricked in to opening a specially crafted RSS feed, an attacker could potentially exploit this to cause unspecified problems.
(CVE-2017-7848)

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, execute arbitrary code, or cause other unspecified effects. (CVE-2018-5089, CVE-2018-5095, CVE-2018-5096, CVE-2018-5097, CVE-2018-5098, CVE-2018-5099, CVE-2018-5102, CVE-2018-5013, CVE-2018-5104, CVE-2018-5117).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update upgrades Thunderbird to version 52.5.2.

Security Fix(es) :

  - Multiple flaws were found in the processing of malformed     web content. A web page containing malicious content     could cause Thunderbird to crash or, potentially,     execute arbitrary code with the privileges of the user     running Thunderbird. (CVE-2017-7846, CVE-2017-7847,     CVE-2017-7848, CVE-2017-7829)

From Red Hat Security Advisory 2018:0061 :

An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 52.5.2.

Security Fix(es) :

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges cure53 and Sabri Haddouche as the original reporters.

An update for thunderbird is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 52.5.2.

Security Fix(es) :

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. (CVE-2017-7846, CVE-2017-7847, CVE-2017-7848, CVE-2017-7829)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges cure53 and Sabri Haddouche as the original reporters.

The version of Mozilla Thunderbird installed on the remote Windows host is prior to 52.5.2 It is, therefore, affected by multiple vulnerabilities.

Multiple security issues have been found in Thunderbird, which may lead to the execution of arbitrary code, denial of service, information disclosure or spoofing of sender's email addresses.

Multiple security issues have been found in the Mozilla Thunderbird mail client including information leaks, unintended JavaScript execution and sender address spoofing.

For Debian 7 'Wheezy', these problems have been fixed in version 1:52.5.2-1~deb7u1.

We recommend that you upgrade your thunderbird packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for Mozilla Thunderbird to version 52.5.2 fixes the following vulnerabilities :

  - CVE-2017-7846: JavaScript Execution via RSS in     mailbox:// origin (bsc#1074043)

  - CVE-2017-7847: Local path string can be leaked from RSS     feed (bsc#1074044)

  - CVE-2017-7848: RSS Feed vulnerable to new line Injection     (bsc#1074045)

  - CVE-2017-7829: From address with encoded null character     is cut off in message header display (bsc#1074046)

Mozilla Foundation reports :

CVE-2017-7845: Buffer overflow when drawing and validating elements with ANGLE library using Direct 3D 9

CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin

CVE-2017-7847: Local path string can be leaked from RSS feed

CVE-2017-7848: RSS Feed vulnerable to new line Injection

CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display

ID	Name	Product	Family	Severity
127376	NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0126)	Nessus	NewStart CGSL Local Security Checks	high
127156	NewStart CGSL MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0009)	Nessus	NewStart CGSL Local Security Checks	high
108820	GLSA-201803-14 : Mozilla Thunderbird: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
106482	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : thunderbird vulnerabilities (USN-3529-1)	Nessus	Ubuntu Local Security Checks	high
105683	Scientific Linux Security Update : thunderbird on SL6.x, SL7.x i386/x86_64 (20180107)	Nessus	Scientific Linux Local Security Checks	medium
105671	Oracle Linux 6 / 7 : thunderbird (ELSA-2018-0061)	Nessus	Oracle Linux Local Security Checks	medium
105658	CentOS 6 / 7 : thunderbird (CESA-2018:0061)	Nessus	CentOS Local Security Checks	medium
105646	RHEL 6 / 7 : thunderbird (RHSA-2018:0061)	Nessus	Red Hat Local Security Checks	medium
105507	Mozilla Thunderbird < 52.5.2 Multiple Vulnerabilities	Nessus	Windows	high
105497	Debian DSA-4075-1 : thunderbird - security update	Nessus	Debian Local Security Checks	critical
105465	Debian DLA-1223-1 : thunderbird security update	Nessus	Debian Local Security Checks	medium
105457	openSUSE Security Update : Mozilla Thunderbird (openSUSE-2017-1419)	Nessus	SuSE Local Security Checks	medium
105450	FreeBSD : mozilla -- multiple vulnerabilities (6a09c80e-6ec7-442a-bc65-d72ce69fd887)	Nessus	FreeBSD Local Security Checks	high

CVE-2017-7829

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins