openSUSE-SU-2019:1162

http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html

20190430 OpenPGP and S/MIME signature forgery attacks in multiple email clients

[oss-security] 20190430 Spoofing OpenPGP and S/MIME Signatures in Emails (multiple clients)

RHSA-2019:1144

https://bugzilla.mozilla.org/show_bug.cgi?id=1507218

https://github.com/RUB-NDS/Johnny-You-Are-Fired

https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf

https://www.mozilla.org/security/advisories/mfsa2019-06/

From Red Hat Security Advisory 2019:1144 :

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 60.6.1. (BZ#1692449)

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)

* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)

* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)

* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)

* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)

* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)

* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)

* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)

* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)

* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

The remote NewStart CGSL host, running version MAIN 4.05, has thunderbird packages installed that are affected by multiple vulnerabilities:

  - Incorrect convexity calculations in Skia in Google     Chrome prior to 72.0.3626.81 allowed a remote attacker     to perform an out of bounds memory write via a crafted     HTML page. (CVE-2019-5785)

  - The type inference system allows the compilation of     functions that can cause type confusions between     arbitrary objects when compiled through the IonMonkey     just-in-time (JIT) compiler and when the constructor     function is entered through on-stack replacement (OSR).
    This allows for possible arbitrary reading and writing     of objects during an exploitable crash. This     vulnerability affects Thunderbird < 60.6, Firefox ESR <     60.6, and Firefox < 66. (CVE-2019-9791)

  - A flaw during verification of certain S/MIME signatures     causes emails to be shown in Thunderbird as having a     valid digital signature, even if the shown message     contents aren't covered by the signature. The flaw     allows an attacker to reuse a valid S/MIME signature to     craft an email message with arbitrary content. This     vulnerability affects Thunderbird < 60.5.1.
    (CVE-2018-18509)

  - Incorrect alias information in IonMonkey JIT compiler     for Array.prototype.slice method may lead to missing     bounds check and a buffer overflow. This vulnerability     affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and     Thunderbird < 60.6.1. (CVE-2019-9810)

  - Incorrect handling of __proto__ mutations may lead to     type confusion in IonMonkey JIT code and can be     leveraged for arbitrary memory read and write. This     vulnerability affects Firefox < 66.0.1, Firefox ESR <     60.6.1, and Thunderbird < 60.6.1. (CVE-2019-9813)

  - When proxy auto-detection is enabled, if a web server     serves a Proxy Auto-Configuration (PAC) file or if a PAC     file is loaded locally, this PAC file can specify that     requests to the localhost are to be sent through the     proxy to another server. This behavior is disallowed by     default when a proxy is manually configured, but when     enabled could allow for attacks on services and tools     that bind to the localhost for networked behavior if     they are accessed through browsing. This vulnerability     affects Firefox < 65. (CVE-2018-18506)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 65, Firefox ESR 60.5, and     Thunderbird 60.5. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 60.6,     Firefox ESR < 60.6, and Firefox < 66. (CVE-2019-9788)

  - A use-after-free vulnerability can occur when a raw     pointer to a DOM element on a page is obtained using     JavaScript and the element is then removed while still     in use. This results in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 60.6, Firefox     ESR < 60.6, and Firefox < 66. (CVE-2019-9790)

  - The IonMonkey just-in-time (JIT) compiler can leak an     internal JS_OPTIMIZED_OUT magic value to the running     script during a bailout. This magic value can then be     used by JavaScript to achieve memory corruption, which     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60.6, Firefox ESR <     60.6, and Firefox < 66. (CVE-2019-9792)

  - A mechanism was discovered that removes some bounds     checking for string, array, or typed array accesses if     Spectre mitigations have been disabled. This     vulnerability could allow an attacker to create an     arbitrary value in compiled JavaScript, for which the     range analysis will infer a fully controlled, incorrect     range in circumstances where users have explicitly     disabled Spectre mitigations. *Note: Spectre mitigations     are currently enabled for all users by default     settings.*. This vulnerability affects Thunderbird <     60.6, Firefox ESR < 60.6, and Firefox < 66.
    (CVE-2019-9793)

  - A vulnerability where type-confusion in the IonMonkey     just-in-time (JIT) compiler could potentially be used by     malicious JavaScript to trigger a potentially     exploitable crash. This vulnerability affects     Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox <     66. (CVE-2019-9795)

  - A use-after-free vulnerability can occur when the SMIL     animation controller incorrectly registers with the     refresh driver twice when only a single registration is     expected. When a registration is later freed with the     removal of the animation controller element, the refresh     driver incorrectly leaves a dangling pointer to the     driver's observer array. This vulnerability affects     Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox <     66. (CVE-2019-9796)

  - png_image_free in png.c in libpng 1.6.36 has a use-     after-free because png_image_free_function is called     under png_safe_execute. (CVE-2019-7317)

  - If a crafted hyperlink is dragged and dropped to the     bookmark bar or sidebar and the resulting bookmark is     subsequently dragged and dropped into the web content     area, an arbitrary query of a user's browser history can     be run and transmitted to the content page via drop     event data. This allows for the theft of browser history     by a malicious site. This vulnerability affects     Thunderbird < 60.7, Firefox < 67, and Firefox ESR <     60.7. (CVE-2019-11698)

  - Lack of correct bounds checking in Skia in Google Chrome     prior to 73.0.3683.75 allowed a remote attacker to     perform an out of bounds memory read via a crafted HTML     page. (CVE-2019-5798)

  - Cross-origin images can be read from a canvas element in     violation of the same-origin policy using the     transferFromImageBitmap method. *Note: This only affects     Firefox 65. Previous versions are unaffected.*. This     vulnerability affects Firefox < 65.0.1. (CVE-2018-18511)

  - A use-after-free vulnerability can occur when working     with XMLHttpRequest (XHR) in an event loop, causing the     XHR main thread to be called after it has been freed.
    This results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60.7, Firefox < 67,     and Firefox ESR < 60.7. (CVE-2019-11691)

  - A use-after-free vulnerability can occur when listeners     are removed from the event listener manager while still     in use, resulting in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 60.7, Firefox <     67, and Firefox ESR < 60.7. (CVE-2019-11692)

  - The bufferdata function in WebGL is vulnerable to a     buffer overflow with specific graphics drivers on Linux.
    This could result in malicious content freezing a tab or     triggering a potentially exploitable crash. *Note: this     issue only occurs on Linux. Other operating systems are     unaffected.*. This vulnerability affects Thunderbird <     60.7, Firefox < 67, and Firefox ESR < 60.7.
    (CVE-2019-11693)

  - Cross-origin images can be read in violation of the     same-origin policy by exporting an image after using     createImageBitmap to read the image and then rendering     the resulting bitmap image within a canvas element. This     vulnerability affects Firefox < 66. (CVE-2019-9797)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 66, Firefox ESR 60.6, and     Thunderbird 60.6. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 60.7,     Firefox < 67, and Firefox ESR < 60.7. (CVE-2019-9800)

  - Images from a different domain can be read using a     canvas object in some circumstances. This could be used     to steal image data from a different site in violation     of same-origin policy. This vulnerability affects     Thunderbird < 60.7, Firefox < 67, and Firefox ESR <     60.7. (CVE-2019-9817)

  - A vulnerability where a JavaScript compartment mismatch     can occur while working with the fetch API, resulting in     a potentially exploitable crash. This vulnerability     affects Thunderbird < 60.7, Firefox < 67, and Firefox     ESR < 60.7. (CVE-2019-9819)

  - A use-after-free vulnerability can occur in the chrome     event handler when it is freed while still in use. This     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60.7, Firefox < 67,     and Firefox ESR < 60.7. (CVE-2019-9820)

  - An integer overflow in path handling lead to a use after     free in Skia in Google Chrome prior to 71.0.3578.80     allowed a remote attacker to potentially exploit heap     corruption via a crafted HTML page. (CVE-2018-18356)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 4.06, has thunderbird packages installed that are affected by multiple vulnerabilities:

  - Incorrect convexity calculations in Skia in Google     Chrome prior to 72.0.3626.81 allowed a remote attacker     to perform an out of bounds memory write via a crafted     HTML page. (CVE-2019-5785)

  - The type inference system allows the compilation of     functions that can cause type confusions between     arbitrary objects when compiled through the IonMonkey     just-in-time (JIT) compiler and when the constructor     function is entered through on-stack replacement (OSR).
    This allows for possible arbitrary reading and writing     of objects during an exploitable crash. This     vulnerability affects Thunderbird < 60.6, Firefox ESR <     60.6, and Firefox < 66. (CVE-2019-9791)

  - A flaw during verification of certain S/MIME signatures     causes emails to be shown in Thunderbird as having a     valid digital signature, even if the shown message     contents aren't covered by the signature. The flaw     allows an attacker to reuse a valid S/MIME signature to     craft an email message with arbitrary content. This     vulnerability affects Thunderbird < 60.5.1.
    (CVE-2018-18509)

  - Incorrect alias information in IonMonkey JIT compiler     for Array.prototype.slice method may lead to missing     bounds check and a buffer overflow. This vulnerability     affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and     Thunderbird < 60.6.1. (CVE-2019-9810)

  - Incorrect handling of __proto__ mutations may lead to     type confusion in IonMonkey JIT code and can be     leveraged for arbitrary memory read and write. This     vulnerability affects Firefox < 66.0.1, Firefox ESR <     60.6.1, and Thunderbird < 60.6.1. (CVE-2019-9813)

  - When proxy auto-detection is enabled, if a web server     serves a Proxy Auto-Configuration (PAC) file or if a PAC     file is loaded locally, this PAC file can specify that     requests to the localhost are to be sent through the     proxy to another server. This behavior is disallowed by     default when a proxy is manually configured, but when     enabled could allow for attacks on services and tools     that bind to the localhost for networked behavior if     they are accessed through browsing. This vulnerability     affects Firefox < 65. (CVE-2018-18506)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 65, Firefox ESR 60.5, and     Thunderbird 60.5. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 60.6,     Firefox ESR < 60.6, and Firefox < 66. (CVE-2019-9788)

  - A use-after-free vulnerability can occur when a raw     pointer to a DOM element on a page is obtained using     JavaScript and the element is then removed while still     in use. This results in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 60.6, Firefox     ESR < 60.6, and Firefox < 66. (CVE-2019-9790)

  - The IonMonkey just-in-time (JIT) compiler can leak an     internal JS_OPTIMIZED_OUT magic value to the running     script during a bailout. This magic value can then be     used by JavaScript to achieve memory corruption, which     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60.6, Firefox ESR <     60.6, and Firefox < 66. (CVE-2019-9792)

  - A mechanism was discovered that removes some bounds     checking for string, array, or typed array accesses if     Spectre mitigations have been disabled. This     vulnerability could allow an attacker to create an     arbitrary value in compiled JavaScript, for which the     range analysis will infer a fully controlled, incorrect     range in circumstances where users have explicitly     disabled Spectre mitigations. *Note: Spectre mitigations     are currently enabled for all users by default     settings.*. This vulnerability affects Thunderbird <     60.6, Firefox ESR < 60.6, and Firefox < 66.
    (CVE-2019-9793)

  - A vulnerability where type-confusion in the IonMonkey     just-in-time (JIT) compiler could potentially be used by     malicious JavaScript to trigger a potentially     exploitable crash. This vulnerability affects     Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox <     66. (CVE-2019-9795)

  - A use-after-free vulnerability can occur when the SMIL     animation controller incorrectly registers with the     refresh driver twice when only a single registration is     expected. When a registration is later freed with the     removal of the animation controller element, the refresh     driver incorrectly leaves a dangling pointer to the     driver's observer array. This vulnerability affects     Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox <     66. (CVE-2019-9796)

  - An integer overflow in path handling lead to a use after     free in Skia in Google Chrome prior to 71.0.3578.80     allowed a remote attacker to potentially exploit heap     corruption via a crafted HTML page. (CVE-2018-18356)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has thunderbird packages installed that are affected by multiple vulnerabilities:

  - Incorrect convexity calculations in Skia in Google     Chrome prior to 72.0.3626.81 allowed a remote attacker     to perform an out of bounds memory write via a crafted     HTML page. (CVE-2019-5785)

  - The type inference system allows the compilation of     functions that can cause type confusions between     arbitrary objects when compiled through the IonMonkey     just-in-time (JIT) compiler and when the constructor     function is entered through on-stack replacement (OSR).
    This allows for possible arbitrary reading and writing     of objects during an exploitable crash. This     vulnerability affects Thunderbird < 60.6, Firefox ESR <     60.6, and Firefox < 66. (CVE-2019-9791)

  - A flaw during verification of certain S/MIME signatures     causes emails to be shown in Thunderbird as having a     valid digital signature, even if the shown message     contents aren't covered by the signature. The flaw     allows an attacker to reuse a valid S/MIME signature to     craft an email message with arbitrary content. This     vulnerability affects Thunderbird < 60.5.1.
    (CVE-2018-18509)

  - Incorrect alias information in IonMonkey JIT compiler     for Array.prototype.slice method may lead to missing     bounds check and a buffer overflow. This vulnerability     affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and     Thunderbird < 60.6.1. (CVE-2019-9810)

  - Incorrect handling of __proto__ mutations may lead to     type confusion in IonMonkey JIT code and can be     leveraged for arbitrary memory read and write. This     vulnerability affects Firefox < 66.0.1, Firefox ESR <     60.6.1, and Thunderbird < 60.6.1. (CVE-2019-9813)

  - When proxy auto-detection is enabled, if a web server     serves a Proxy Auto-Configuration (PAC) file or if a PAC     file is loaded locally, this PAC file can specify that     requests to the localhost are to be sent through the     proxy to another server. This behavior is disallowed by     default when a proxy is manually configured, but when     enabled could allow for attacks on services and tools     that bind to the localhost for networked behavior if     they are accessed through browsing. This vulnerability     affects Firefox < 65. (CVE-2018-18506)

  - Mozilla developers and community members reported memory     safety bugs present in Firefox 65, Firefox ESR 60.5, and     Thunderbird 60.5. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     that some of these could be exploited to run arbitrary     code. This vulnerability affects Thunderbird < 60.6,     Firefox ESR < 60.6, and Firefox < 66. (CVE-2019-9788)

  - A use-after-free vulnerability can occur when a raw     pointer to a DOM element on a page is obtained using     JavaScript and the element is then removed while still     in use. This results in a potentially exploitable crash.
    This vulnerability affects Thunderbird < 60.6, Firefox     ESR < 60.6, and Firefox < 66. (CVE-2019-9790)

  - The IonMonkey just-in-time (JIT) compiler can leak an     internal JS_OPTIMIZED_OUT magic value to the running     script during a bailout. This magic value can then be     used by JavaScript to achieve memory corruption, which     results in a potentially exploitable crash. This     vulnerability affects Thunderbird < 60.6, Firefox ESR <     60.6, and Firefox < 66. (CVE-2019-9792)

  - A mechanism was discovered that removes some bounds     checking for string, array, or typed array accesses if     Spectre mitigations have been disabled. This     vulnerability could allow an attacker to create an     arbitrary value in compiled JavaScript, for which the     range analysis will infer a fully controlled, incorrect     range in circumstances where users have explicitly     disabled Spectre mitigations. *Note: Spectre mitigations     are currently enabled for all users by default     settings.*. This vulnerability affects Thunderbird <     60.6, Firefox ESR < 60.6, and Firefox < 66.
    (CVE-2019-9793)

  - A vulnerability where type-confusion in the IonMonkey     just-in-time (JIT) compiler could potentially be used by     malicious JavaScript to trigger a potentially     exploitable crash. This vulnerability affects     Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox <     66. (CVE-2019-9795)

  - A use-after-free vulnerability can occur when the SMIL     animation controller incorrectly registers with the     refresh driver twice when only a single registration is     expected. When a registration is later freed with the     removal of the animation controller element, the refresh     driver incorrectly leaves a dangling pointer to the     driver's observer array. This vulnerability affects     Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox <     66. (CVE-2019-9796)

  - An integer overflow in path handling lead to a use after     free in Skia in Google Chrome prior to 71.0.3578.80     allowed a remote attacker to potentially exploit heap     corruption via a crafted HTML page. (CVE-2018-18356)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for thunderbird is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 60.6.1. (BZ#1692449)

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)

* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)

* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)

* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)

* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)

* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)

* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)

* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)

* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)

* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update for MozillaThunderbird to version 60.5.1 fixes the following issues :

Security issues fixed :

  - Update to MozillaThunderbird 60.6.1 (bsc#1130262) :

  - CVE-2019-9813: Fixed Ionmonkey type confusion with
    __proto__ mutations

  - CVE-2019-9810: Fixed IonMonkey MArraySlice incorrect     alias information

  - Update to MozillaThunderbird 60.6 (bsc#1129821) :

  - CVE-2018-18506: Fixed an issue with Proxy     Auto-Configuration file 

  - CVE-2019-9801: Fixed an issue which could allow Windows     programs to be exposed to web content

  - CVE-2019-9788: Fixed multiple memory safety bugs

  - CVE-2019-9790: Fixed a Use-after-free vulnerability when     removing in-use DOM elements

  - CVE-2019-9791: Fixed an incorrect Type inference for     constructors entered through on-stack replacement with     IonMonkey

  - CVE-2019-9792: Fixed an issue where IonMonkey leaks     JS_OPTIMIZED_OUT magic value to script

  - CVE-2019-9793: Fixed multiple improper bounds checks     when Spectre mitigations are disabled

  - CVE-2019-9794: Fixed an issue where command line     arguments not discarded during execution

  - CVE-2019-9795: Fixed a Type-confusion vulnerability in     IonMonkey JIT compiler

  - CVE-2019-9796: Fixed a Use-after-free vulnerability in     SMIL animation controller

  - Update to MozillaThunderbird 60.5.1 (bsc#1125330) :

  - CVE-2018-18356: Fixed a use-after-free vulnerability in     the Skia library which can occur when creating a path,     leading to a potentially exploitable crash.

  - CVE-2019-5785: Fixed an integer overflow vulnerability     in the Skia library which can occur after specific     transform operations, leading to a potentially     exploitable crash.

  - CVE-2018-18335: Fixed a buffer overflow vulnerability in     the Skia library which can occur with Canvas 2D     acceleration on macOS. This issue was addressed by     disabling Canvas 2D acceleration in Firefox ESR. Note:
    this does not affect other versions and platforms where     Canvas 2D acceleration is already disabled by default.

  - CVE-2018-18509: Fixed a flaw which during verification     of certain S/MIME signatures showing mistakenly that     emails bring a valid sugnature. Release notes:
    https://www.mozilla.org/en-US/security/advisories/mfsa20     19-12/     https://www.mozilla.org/en-US/security/advisories/mfsa20     19-11/     https://www.mozilla.org/en-US/security/advisories/mfsa20     19-06/

The remote host is affected by the vulnerability described in GLSA-201904-07 (Mozilla Thunderbird and Firefox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Thunderbird and       Firefox. Please review the referenced Mozilla Foundation Security       Advisories and CVE identifiers below for details.
  Impact :

    Please review the referenced Mozilla Foundation Security Advisories and       CVE identifiers below for details.
  Workaround :

    There is no known workaround at this time.

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 60.6.1.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)

* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)

* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)

* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)

* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)

* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)

* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)

* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)

* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)

* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for thunderbird is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 60.6.1.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)

* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)

* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)

* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)

* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)

* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)

* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)

* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)

* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)

* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

From Red Hat Security Advisory 2019:0681 :

An update for thunderbird is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 60.6.1.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)

* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)

* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)

* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)

* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)

* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)

* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)

* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)

* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)

* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

From Red Hat Security Advisory 2019:0680 :

An update for thunderbird is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 60.6.1.

Security Fix(es) :

* Mozilla: Memory safety bugs fixed in Firefox 66 and Firefox ESR 60.6 (CVE-2019-9788)

* Mozilla: Use-after-free when removing in-use DOM elements (CVE-2019-9790)

* Mozilla: Type inference is incorrect for constructors entered through on-stack replacement with IonMonkey (CVE-2019-9791)

* Mozilla: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script (CVE-2019-9792)

* Mozilla: IonMonkey MArraySlice has incorrect alias information (CVE-2019-9810)

* Mozilla: Ionmonkey type confusion with __proto__ mutations (CVE-2019-9813)

* Mozilla: Improper bounds checks when Spectre mitigations are disabled (CVE-2019-9793)

* Mozilla: Type-confusion in IonMonkey JIT compiler (CVE-2019-9795)

* Mozilla: Use-after-free with SMIL animation controller (CVE-2019-9796)

* Mozilla: Proxy Auto-Configuration file can define localhost access to be proxied (CVE-2018-18506)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update for MozillaThunderbird to version 60.5.1 fixes the following issues :

Security vulnerabilities addressed (MSFA 2019-03 MSFA 2018-31 MFSA 2019-06 bsc#1122983 bsc#1119105 bsc#1125330) :

  - CVE-2018-18356: Fixed a Use-after-free in Skia.

  - CVE-2019-5785: Fixed an Integer overflow in Skia.

  - CVE-2018-18335: Fixed a Buffer overflow in Skia by     default deactivating Canvas 2D. This issue does not     affect Linuc distributions.

  - CVE-2018-18509: Fixed a flaw which during verification     of certain S/MIME signatures showing mistekenly that     emails bring a valid sugnature. 

  - CVE-2018-18500: Use-after-free parsing HTML5 stream

  - CVE-2018-18505: Privilege escalation through IPC channel     messages

  - CVE-2016-5824 DoS (use-after-free) via a crafted ics     file

  - CVE-2018-18501: Memory safety bugs fixed in Firefox 65     and Firefox ESR 60.5

  - CVE-2018-17466: Buffer overflow and out-of-bounds read     in ANGLE library with TextureStorage11

  - CVE-2018-18492: Use-after-free with select element

  - CVE-2018-18493: Buffer overflow in accelerated 2D canvas     with Skia

  - CVE-2018-18494: Same-origin policy violation using     location attribute and performance.getEntries to steal     cross-origin URLs

  - CVE-2018-18498: Integer overflow when calculating buffer     sizes for images

  - CVE-2018-12405: Memory safety bugs fixed in Firefox 64,     60.4, and Thunderbird 60.4

Other bug fixes and changes :

  - FileLink provider WeTransfer to upload large attachments

  - Thunderbird now allows the addition of OpenSearch search     engines from a local XML file using a minimal user     interface: [+] button to select a file an add, [-] to     remove.

  - More search engines: Google and DuckDuckGo available by     default in some locales

  - During account creation, Thunderbird will now detect     servers using the Microsoft Exchange protocol. It will     offer the installation of a 3rd party add-on (Owl) which     supports that protocol.

  - Thunderbird now compatible with other WebExtension-based     FileLink add-ons like the Dropbox add-on

  - New WebExtensions FileLink API to facilitate add-ons

  - Fix decoding problems for messages with less common     charsets (cp932, cp936)

  - New messages in the drafts folder (and other special or     virtual folders) will no longer be included in the new     messages notification

  - Thunderbird 60 will migrate security databases (key3.db,     cert8.db to key4.db, cert9.db).

  - Address book search and auto-complete slowness

  - Plain text markup with * for bold, / for italics, _ for     underline and | for code did not work when the enclosed     text contained non-ASCII characters

  - While composing a message, a link not removed when link     location was removed in the link properties panel

  - Encoding problems when exporting address books or     messages using the system charset. Messages are now     always exported using the UTF-8 encoding

  - If the 'Date' header of a message was invalid, Jan 1970     or Dec 1969 was displayed. Now using date from     'Received' header instead.

  - Body search/filtering didn't reliably ignore content of     tags

  - Inappropriate warning 'Thunderbird prevented the site     (addons.thunderbird.net) from asking you to install     software on your computer' when installing add-ons

  - Incorrect display of correspondents column since own     email address was not always detected

  - Spurious (encoded newline) inserted into drafts and sent     email

  - Double-clicking on a word in the Write window sometimes     launched the Advanced Property Editor or Link Properties     dialog

  - Fixed Cookie removal

  - 'Download rest of message' was not working if global     inbox was used

  - Fix Encoding problems for users (especially in Poland)     when a file was sent via a folder using 'Sent to > Mail     recipient' due to a problem in the Thunderbird MAPI     interface

  - According to RFC 4616 and RFC 5721, passwords containing     non-ASCII characters are encoded using UTF-8 which can     lead to problems with non-compliant providers, for     example office365.com. The SMTP LOGIN and POP3 USER/PASS     authentication methods are now using a Latin-1 encoding     again to work around this issue

  - Fix shutdown crash/hang after entering an empty IMAP     password

This update was imported from the SUSE:SLE-15:Update update project.

A use-after-free was discovered in libical. If a user were tricked in to opening a specially crafted ICS calendar file, an attacker could potentially exploit this to cause a denial of service. (CVE-2016-5824)

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted message, an attacker could potentially exploit these to cause a denial of service, or execute arbitrary code. (CVE-2018-18356, CVE-2018-18500, CVE-2019-5785)

Multiple security issues were discovered in Thunderbird. If a user were tricked in to opening a specially crafted website in a browsing context, an attacker could potentially exploit these to cause a denial of service, gain additional privileges by escaping the sandbox, or execute arbitrary code. (CVE-2018-18501, CVE-2018-18505)

An issue was discovered with S/MIME signature verification in some circumstances. An attacker could potentially exploit this by spoofing signatures for arbitrary content. (CVE-2018-18509).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for MozillaThunderbird to version 60.5.1 fixes the following issues :

Security issues fixed (MFSA 2019-06 bsc#1125330): &#9; 

  - CVE-2018-18356: Fixed a Use-after-free in Skia.

  - CVE-2019-5785: Fixed an Integer overflow in Skia.

  - CVE-2018-18335: Fixed a Buffer overflow in Skia by     default deactivating Canvas 2D. This issue does not     affect Linuc distributions.

  - CVE-2018-18509: Fixed a flaw which during verification     of certain S/MIME signatures showing mistekenly that     emails bring a valid sugnature.

The version of Thunderbird installed on the remote Windows host is prior to 60.5.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-06 advisory.

  - A buffer overflow vulnerability in the Skia library can     occur with Canvas 2D acceleration on macOS. This issue     was addressed by disabling Canvas 2D acceleration in     Firefox ESR. *Note: this does not affect other     versions and platforms where Canvas 2D acceleration is     already disabled by default. (CVE-2018-18335)

  - A use-after-free vulnerability in the Skia library can     occur when creating a path, leading to a potentially     exploitable crash. (CVE-2018-18356)

  - A flaw during verification of certain S/MIME signatures     causes emails to be shown in Thunderbird as having a     valid digital signature, even if the shown message     contents aren't covered by the signature. The flaw     allows an attacker to reuse a valid S/MIME signature to     craft an email message with arbitrary content.
    (CVE-2018-18509)

  - An integer overflow vulnerability in the Skia library     can occur after specific transform operations, leading     to a potentially exploitable crash. (CVE-2019-5785)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 60.5.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2019-06 advisory.

  - A buffer overflow vulnerability in the Skia library can     occur with Canvas 2D acceleration on macOS. This issue     was addressed by disabling Canvas 2D acceleration in     Firefox ESR. *Note: this does not affect other     versions and platforms where Canvas 2D acceleration is     already disabled by default. (CVE-2018-18335)

  - A use-after-free vulnerability in the Skia library can     occur when creating a path, leading to a potentially     exploitable crash. (CVE-2018-18356)

  - A flaw during verification of certain S/MIME signatures     causes emails to be shown in Thunderbird as having a     valid digital signature, even if the shown message     contents aren't covered by the signature. The flaw     allows an attacker to reuse a valid S/MIME signature to     craft an email message with arbitrary content.
    (CVE-2018-18509)

  - An integer overflow vulnerability in the Skia library     can occur after specific transform operations, leading     to a potentially exploitable crash. (CVE-2019-5785)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures.

Multiple security issues have been found in the Thunderbird mail client, which could lead to the execution of arbitrary code, denial of service or spoofing of S/MIME signatures.

For Debian 8 'Jessie', these problems have been fixed in version 1:60.5.1-1~deb8u1.

We recommend that you upgrade your thunderbird packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
127579	Oracle Linux 8 : thunderbird (ELSA-2019-1144)	Nessus	Oracle Linux Local Security Checks	high
127459	NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0169)	Nessus	NewStart CGSL Local Security Checks	high
127319	NewStart CGSL MAIN 4.06 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0095)	Nessus	NewStart CGSL Local Security Checks	high
127257	NewStart CGSL CORE 5.04 / MAIN 5.04 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0062)	Nessus	NewStart CGSL Local Security Checks	high
124845	RHEL 8 : thunderbird (RHSA-2019:1144)	Nessus	Red Hat Local Security Checks	high
123817	openSUSE Security Update : MozillaThunderbird (openSUSE-2019-1162)	Nessus	SuSE Local Security Checks	high
123581	GLSA-201904-07 : Mozilla Thunderbird and Firefox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
123562	CentOS 7 : thunderbird (CESA-2019:0681)	Nessus	CentOS Local Security Checks	high
123561	CentOS 6 : thunderbird (CESA-2019:0680)	Nessus	CentOS Local Security Checks	high
123488	RHEL 7 : thunderbird (RHSA-2019:0681)	Nessus	Red Hat Local Security Checks	high
123487	RHEL 6 : thunderbird (RHSA-2019:0680)	Nessus	Red Hat Local Security Checks	high
123485	Oracle Linux 7 : thunderbird (ELSA-2019-0681)	Nessus	Oracle Linux Local Security Checks	high
123484	Oracle Linux 6 : thunderbird (ELSA-2019-0680)	Nessus	Oracle Linux Local Security Checks	high
122493	openSUSE Security Update : MozillaThunderbird (openSUSE-2019-251)	Nessus	SuSE Local Security Checks	high
122482	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : Thunderbird vulnerabilities (USN-3897-1)	Nessus	Ubuntu Local Security Checks	high
122470	openSUSE Security Update : MozillaThunderbird (openSUSE-2019-250)	Nessus	SuSE Local Security Checks	medium
122402	Mozilla Thunderbird < 60.5.1	Nessus	Windows	medium
122401	Mozilla Thunderbird < 60.5.1	Nessus	MacOS X Local Security Checks	medium
122269	Debian DSA-4392-1 : thunderbird - security update	Nessus	Debian Local Security Checks	high
122263	Debian DLA-1678-1 : thunderbird security update	Nessus	Debian Local Security Checks	high

CVE-2018-18509

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

medium

medium

medium

high

high