openSUSE-SU-2020:0060

http://packetstormsecurity.com/files/155912/Slackware-Security-Advisory-mozilla-thunderbird-Updates.html

https://bugzilla.mozilla.org/show_bug.cgi?id=1599008

20200112 [slackware-security] mozilla-thunderbird (SSA:2020-010-01)

https://www.mozilla.org/security/advisories/mfsa2020-01/

https://www.mozilla.org/security/advisories/mfsa2020-02/

This update for MozillaThunderbird to version 68.4.1 fixes the following issues :

Security issues fixed :

  - CVE-2019-17026: IonMonkey type confusion with     StoreElementHole and FallibleStoreElement

  - CVE-2019-17016: Bypass of @namespace CSS sanitization     during pasting

  - CVE-2019-17017: Type Confusion in XPCVariant.cpp

  - CVE-2019-17022: CSS sanitization does not escape HTML     tags

  - CVE-2019-17024: multiple Memory safety bugs fixed

Non-security issues fixed :

  - Various improvements when setting up an account for a     Microsoft Exchange server. For example better detection     for Office 365 accounts.

This update was imported from the SUSE:SLE-15:Update update project.

This update for MozillaFirefox fixes the following issues :

  - Firefox Extended Support Release 68.4.1 ESR

  - Fixed: Security fix MFSA 2020-03 (bsc#1160498)

  - CVE-2019-17026 (bmo#1607443) IonMonkey type confusion     with StoreElementHole and FallibleStoreElement 

  - Firefox Extended Support Release 68.4.0 ESR

  - Fixed: Various security fixes MFSA 2020-02 (bsc#1160305)

  - CVE-2019-17015 (bmo#1599005) Memory corruption in parent     process during new content process initialization on     Windows

  - CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS     sanitization during pasting

  - CVE-2019-17017 (bmo#1603055) Type Confusion in     XPCVariant.cpp

  - CVE-2019-17021 (bmo#1599008) Heap address disclosure in     parent process during content process initialization on     Windows

  - CVE-2019-17022 (bmo#1602843) CSS sanitization does not     escape HTML tags

  - CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,     bmo#1601826) Memory safety bugs fixed in Firefox 72 and     Firefox ESR 68.4

This update was imported from the SUSE:SLE-15:Update update project.

This update for MozillaFirefox fixes the following issues :

Firefox Extended Support Release 68.4.1 ESR

  - Fixed: Security fix MFSA 2020-03 (bsc#1160498)

  - CVE-2019-17026 (bmo#1607443) IonMonkey type confusion     with StoreElementHole and FallibleStoreElement

Firefox Extended Support Release 68.4.0 ESR

  - Fixed: Various security fixes MFSA 2020-02 (bsc#1160305)

  - CVE-2019-17015 (bmo#1599005) Memory corruption in parent     process during new content process initialization on     Windows

  - CVE-2019-17016 (bmo#1599181) Bypass of @namespace CSS     sanitization during pasting

  - CVE-2019-17017 (bmo#1603055) Type Confusion in     XPCVariant.cpp

  - CVE-2019-17021 (bmo#1599008) Heap address disclosure in     parent process during content process initialization on     Windows

  - CVE-2019-17022 (bmo#1602843) CSS sanitization does not     escape HTML tags

  - CVE-2019-17024 (bmo#1507180, bmo#1595470, bmo#1598605,     bmo#1601826) Memory safety bugs fixed in Firefox 72 and     Firefox ESR 68.4

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New mozilla-thunderbird packages are available for Slackware 14.2 and
-current to fix security issues.

The version of Thunderbird installed on the remote Windows host is prior to 68.4.1. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-04 advisory.

  - During the initialization of a new content process, a     pointer offset can be manipulated leading to memory     corruption and a potentially exploitable crash in the     parent process. *Note: this issue only occurs on     Windows. Other operating systems are unaffected.*. This     vulnerability affects Thunderbird < 68.4. (CVE-2019-17015)

  - When pasting a <style> tag from the clipboard into     a rich text editor, the CSS sanitizer incorrectly     rewrites a @namespace rule. This could allow for     injection into certain types of websites resulting in     data exfiltration. This vulnerability affects     Thunderbird < 68.4. (CVE-2019-17016)

  - Due to a missing case handling object types, a type     confusion vulnerability could occur, resulting in a     crash. We presume that with enough effort that it could     be exploited to run arbitrary code. This vulnerability     affects Thunderbird < 68.4. (CVE-2019-17017)

  - During the initialization of a new content process, a     race condition occurs that can allow a content process     to disclose heap addresses from the parent process.
    *Note: this issue only occurs on Windows. Other     operating systems are unaffected.*. This vulnerability     affects Thunderbird < 68.4. (CVE-2019-17021)

  - When pasting a <style> tag from the clipboard into     a rich text editor, the CSS sanitizer does not escape     < and > characters. Because the resulting string     is pasted directly into the text node of the element     this does not result in a direct injection into the     webpage; however, if a webpage subsequently copies the     node's innerHTML, assigning it to another innerHTML,     this would result in an XSS vulnerability. Two WYSIWYG     editors were identified with this behavior, more may     exist. This vulnerability affects Thunderbird < 68.4.
    (CVE-2019-17022)

    Mozilla developers Jason Kratzer, Christian Holler, and     Bob Clary reported memory safety bugs present in     Thunderbird 68.3. Some of these bugs showed evidence of     memory corruption and we presume that with enough effort     some of these could have been exploited to run arbitrary     code. (CVE-2019-17024)

  - Incorrect alias information in IonMonkey JIT compiler for     setting array elements could lead to a type confusion. We     are aware of targeted attacks in the wild abusing this flaw.
    (CVE-2019-17026)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox ESR installed on the remote Windows host is prior to 68.4. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-02 advisory.

  - During the initialization of a new content process, a     pointer offset can be manipulated leading to memory     corruption and a potentially exploitable crash in the     parent process. Note: this issue only occurs on     Windows. Other operating systems are unaffected.
    (CVE-2019-17015)

  - When pasting a <style> tag from the     clipboard into a rich text editor, the CSS sanitizer     incorrectly rewrites a @namespace rule. This could allow     for injection into certain types of websites resulting     in data exfiltration. (CVE-2019-17016)

  - Due to a missing case handling object types, a type     confusion vulnerability could occur, resulting in a     crash. We presume that with enough effort that it could     be exploited to run arbitrary code. (CVE-2019-17017)

  - During the initialization of a new content process, a     race condition occurs that can allow a content process     to disclose heap addresses from the parent process.
    Note: this issue only occurs on Windows. Other     operating systems are unaffected. (CVE-2019-17021)

  - When pasting a <style> tag from the     clipboard into a rich text editor, the CSS sanitizer     does not escape < and > characters. Because the     resulting string is pasted directly into the text node     of the element this does not result in a direct     injection into the webpage; however, if a webpage     subsequently copies the node's innerHTML, assigning it     to another innerHTML, this would result in an XSS     vulnerability. Two WYSIWYG editors were identified with     this behavior, more may exist. (CVE-2019-17022)

  - Mozilla developers Jason Kratzer, Christian Holler, and     Bob Clary reported memory safety bugs present in Firefox     71 and Firefox ESR 68.3. Some of these bugs showed     evidence of memory corruption and we presume that with     enough effort some of these could have been exploited to     run arbitrary code. (CVE-2019-17024)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Firefox installed on the remote Windows host is prior to 72.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-01 advisory, including the following:

  - During the initialization of a new content process, a pointer offset can be manipulated leading to     memory corruption and a potentially exploitable crash in the parent process. (CVE-2019-17015)

  - When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly     rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in     data exfiltration. (CVE-2019-17016)

  - Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a     crash. We presume that with enough effort that it could be exploited to run arbitrary code.
    (CVE-2019-17017)

  - When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve     the accuracy of the keyboard. (CVE-2019-17018)

  - When Python was installed on Windows, a python file being served with the MIME type of text/plain could     be executed by Python instead of being opened as a text file when the Open option was selected upon     download. (CVE-2019-17019)

  - If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the     Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g.
    includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to     the XML document. (CVE-2019-17020)

  - During the initialization of a new content process, a race condition occurs that can allow a content     process to disclose heap addresses from the parent process. (CVE-2019-17021)

  - When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape     < and > characters. Because the resulting string is pasted directly into the text node of the element     this does not result in a direct injection into the webpage; however, if a webpage subsequently copies     the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two     WYSIWYG editors were identified with this behavior, more may exist. (CVE-2019-17022)     
  - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3,     resulting in an invalid state transition in the TLS State Machine. If the client gets into this state,     incoming Application Data records will be ignored. (CVE-2019-17023)

  - Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in     Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume     that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17024)

  - Mozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler     reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory     corruption and we presume that with enough effort some of these could have been exploited to run     arbitrary code. (CVE-2019-17025)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
133199	openSUSE Security Update : MozillaThunderbird (openSUSE-2020-94)	Nessus	SuSE Local Security Checks	medium
132949	openSUSE Security Update : MozillaFirefox (openSUSE-2020-60)	Nessus	SuSE Local Security Checks	medium
132921	SUSE SLED15 / SLES15 Security Update : MozillaFirefox (SUSE-SU-2020:0078-1)	Nessus	SuSE Local Security Checks	medium
132852	SUSE SLED12 / SLES12 Security Update : MozillaFirefox (SUSE-SU-2020:0068-1)	Nessus	SuSE Local Security Checks	medium
132847	Slackware 14.2 / current : mozilla-thunderbird (SSA:2020-010-01)	Nessus	Slackware Local Security Checks	medium
132774	Mozilla Thunderbird < 68.4.1	Nessus	Windows	medium
132711	Mozilla Firefox ESR < 68.4 Multiple Vulnerabilities	Nessus	Windows	medium
132709	Mozilla Firefox < 72.0 Multiple Vulnerabilities	Nessus	Windows	medium

CVE-2019-17021

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins