[arch-security] [ASA-201602-16] thunderbird: multiple issues

Remi Gacogne rgacogne at archlinux.org
Sun Feb 21 13:21:20 UTC 2016


Arch Linux Security Advisory ASA-201602-16
==========================================

Severity: Critical
Date    : 2016-02-21
CVE-ID  : CVE-2015-7575 CVE-2016-1523 CVE-2016-1930 CVE-2016-1931
CVE-2016-1935
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package thunderbird before version 38.6.0-1 is vulnerable to
multiple issues.

Resolution
==========

Upgrade to 38.6.0-1.

# pacman -Syu "thunderbird>=38.6.0-1"

The problem has been fixed upstream in version 38.6.0.

Workaround
==========

None.

Description
===========

- CVE-2015-7575 (man-in-the-middle):

Security researcher Karthikeyan Bhargavan reported an issue in Network
Security Services (NSS) where MD5 signatures in the server signature
within the TLS 1.2 ServerKeyExchange message are still accepted. This is
an issue since NSS has officially disallowed accepting MD5 as a hash
algorithm in signatures since 2011. This issue exposes NSS-based
clients such as Firefox to theoretical collision-based forgery attacks.
This issue was fixed in NSS version 3.20.2.

- CVE-2016-1523 (remote code execution):

Security researcher Holger Fuhrmannek reported that a malicious Graphite
"smart font" could circumvent the validation of internal instruction
parameters in the Graphite 2 library using special CNTXT_ITEM
instructions. This could result in arbitrary code execution.

In general this flaw cannot be exploited through email in the
Thunderbird product, but is potentially a risk in browser or
browser-like contexts.

- CVE-2016-1930 (remote code execution):

Bob Clary, Christian Holler, Nils Ohlmeier, Gary Kwong, Jesse Ruderman,
Carsten Book, and Randell Jesup reported memory safety problems and crashes.

In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a
risk in browser or browser-like contexts.

- CVE-2016-1931 (remote code execution):

Bob Clary, Carsten Book, Christian Holler, Nicolas Pierron, Eric
Rescorla, Tyson Smith, Gabor Krizsanits, and Randell Jesup reported
memory safety problems and crashes.

In general these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled, but are potentially a
risk in browser or browser-like contexts.

- CVE-2016-1935 (remote code execution):

Security researcher Aki Helin used the Address Sanitizer tool to find a
buffer overflow write when rendering some WebGL content. This leads to a
potentially exploitable crash.

In general this flaw cannot be exploited through email in the
Thunderbird product, but is potentially a risk in browser or
browser-like contexts.


Impact
======

A remote attacker might be able to access sensitive information by
performing a man-in-the-middle attack, or execute arbitrary code on the
affected host.

References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.6
https://www.mozilla.org/en-US/security/advisories/mfsa2015-150/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/
https://access.redhat.com/security/cve/CVE-2015-7575
https://access.redhat.com/security/cve/CVE-2016-1523
https://access.redhat.com/security/cve/CVE-2016-1930
https://access.redhat.com/security/cve/CVE-2016-1931
https://access.redhat.com/security/cve/CVE-2016-1935
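
Added example (not part of the advisory and not NSS code): the check behind CVE-2015-7575, parsing a TLS 1.2 ECDHE ServerKeyExchange body and refusing an MD5 signature hash. The sample bytes are constructed, the function names are hypothetical, and rejecting "none" and unknown hash identifiers as well is a policy assumption of this example.

```python
import struct

# HashAlgorithm / SignatureAlgorithm code points from RFC 5246, section 7.4.1.4.1
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
WEAK_HASHES = {"none", "md5"}  # policy assumption for this example


def parse_ecdhe_ske(body: bytes):
    """Parse an ECDHE ServerKeyExchange body; return (curve, hash, sig_alg, signature)."""
    if len(body) < 4:
        raise ValueError("truncated ECParameters")
    curve_type, named_curve, point_len = struct.unpack_from("!BHB", body, 0)
    if curve_type != 3:  # 3 = named_curve, the only form handled here
        raise ValueError("unsupported curve_type %d" % curve_type)
    off = 4 + point_len  # skip the server's ephemeral public point
    if len(body) < off + 4:
        raise ValueError("truncated before signature")
    hash_id, sig_id, sig_len = struct.unpack_from("!BBH", body, off)
    off += 4
    if len(body) != off + sig_len:
        raise ValueError("signature length mismatch")
    return (named_curve, HASHES.get(hash_id, "unknown(%d)" % hash_id),
            SIGS.get(sig_id, "unknown(%d)" % sig_id), body[off:])


def check_ske_signature_hash(body: bytes) -> str:
    """Return the hash name, or raise if the server signed with a rejected hash."""
    _, hash_name, sig_name, _ = parse_ecdhe_ske(body)
    if hash_name in WEAK_HASHES or hash_name.startswith("unknown"):
        raise ValueError("rejecting ServerKeyExchange signed with %s/%s" % (hash_name, sig_name))
    return hash_name


def build_sample(hash_id: int) -> bytes:
    """Constructed sample: secp256r1 (23), dummy 65-byte point, dummy 8-byte RSA signature."""
    point = b"\x04" + b"\x11" * 64
    sig = b"\x22" * 8
    return (struct.pack("!BHB", 3, 23, len(point)) + point
            + struct.pack("!BBH", hash_id, 1, len(sig)) + sig)


if __name__ == "__main__":
    for hid in (4, 1):  # sha256 is accepted, md5 is rejected
        try:
            print("accepted:", check_ske_signature_hash(build_sample(hid)))
        except ValueError as exc:
            print("blocked:", exc)
```

The parser only reads the algorithm identifiers; it does not verify the signature itself, which a real TLS stack does after this policy check passes.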
