[arch-security] [ASA-201708-18] thunderbird: multiple issues

Levente Polyak anthraxx at archlinux.org
Wed Aug 23 22:42:58 UTC 2017


Arch Linux Security Advisory ASA-201708-18
==========================================

Severity: Critical
Date    : 2017-08-23
CVE-ID  : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
          CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
          CVE-2017-7800 CVE-2017-7801 CVE-2017-7802 CVE-2017-7803
          CVE-2017-7807 CVE-2017-7809
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-385

Summary
=======

The package thunderbird before version 52.3.0-1 is vulnerable to
multiple issues including arbitrary code execution, content spoofing,
information disclosure, same-origin policy bypass and access
restriction bypass.

Resolution
==========

Upgrade to 52.3.0-1.

# pacman -Syu "thunderbird>=52.3.0-1"

The problems have been fixed upstream in version 52.3.0.
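
To confirm that a host is no longer affected, the installed version can be
compared against 52.3.0-1. The script below is an added example, not part of
the original advisory; the function names are hypothetical, and the awk
fallback (used only where pacman's vercmp is absent) compares numeric fields
only and ignores epochs.

```shell
#!/bin/sh
# Added example: audit a host against ASA-201708-18.
# The fixed package version is taken from the advisory text.
FIXED="52.3.0-1"

# ver_ge A B: succeed when version A >= version B.
# Prefers pacman's own vercmp; otherwise compares the dot- and
# dash-separated fields numerically (assumption: no epoch, no alpha suffix).
ver_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        awk -v a="$1" -v b="$2" 'BEGIN {
            na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                if (x[i] + 0 > y[i] + 0) exit 0
                if (x[i] + 0 < y[i] + 0) exit 1
            }
            exit 0
        }'
    fi
}

# asa_status VERSION: print "fixed" or "vulnerable" for a package version.
asa_status() {
    if ver_ge "$1" "$FIXED"; then echo fixed; else echo vulnerable; fi
}

# check_host: look up thunderbird in the local pacman database.
# Returns 0 when fixed or not installed, 1 when vulnerable, 2 without pacman.
check_host() {
    command -v pacman >/dev/null 2>&1 || { echo "pacman not found"; return 2; }
    installed=$(pacman -Q thunderbird 2>/dev/null | awk '{print $2}')
    [ -n "$installed" ] || { echo "thunderbird not installed"; return 0; }
    echo "thunderbird $installed: $(asa_status "$installed")"
    [ "$(asa_status "$installed")" = fixed ]
}
```

Running check_host on each machine gives an exit status that can feed a
fleet audit or monitoring check.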

Workaround
==========

None.

Description
===========

- CVE-2017-7753 (information disclosure)

An out-of-bounds read has been found in firefox < 55.0 and thunderbird
< 52.3, when applying style rules to pseudo-elements, such as
::first-line, using cached style data.

- CVE-2017-7779 (arbitrary code execution)

Several memory safety bugs have been found in firefox < 55.0 and
thunderbird < 52.3. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could
be exploited to run arbitrary code.

- CVE-2017-7784 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, when reading an image observer during frame reconstruction
after the observer has been freed. This results in a potentially
exploitable crash.

- CVE-2017-7785 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird <
52.3, when manipulating Accessible Rich Internet Applications (ARIA)
attributes within the DOM. This results in a potentially exploitable
crash.

- CVE-2017-7786 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird <
52.3, when the image renderer attempts to paint non-displayable SVG
elements. This results in a potentially exploitable crash.

- CVE-2017-7787 (same-origin policy bypass)

Same-origin policy protections can be bypassed in firefox < 55.0 and
thunderbird < 52.3, on pages with embedded iframes during page reloads,
allowing the iframes to access content on the top level page and
leading to information disclosure.

- CVE-2017-7791 (content spoofing)

A content spoofing issue has been found in firefox < 55.0 and
thunderbird < 52.3. On pages containing an iframe, the data: protocol
can be used to create a modal alert that will render over arbitrary
domains following page navigation, spoofing the origin of the modal
alert from the iframe content.

- CVE-2017-7792 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird <
52.3, when viewing a certificate in the certificate manager if the
certificate has an extremely long object identifier (OID). This results
in a potentially exploitable crash.

- CVE-2017-7800 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, in WebSockets, when the object holding the connection is freed
before the disconnection operation is finished. This results in an
exploitable crash.

- CVE-2017-7801 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, while re-computing layout for a marquee element during window
resizing where the updated style object is freed while still in use.
This results in a potentially exploitable crash.

- CVE-2017-7802 (arbitrary code execution)

A use-after-free vulnerability has been found in firefox < 55.0 and
thunderbird < 52.3, when manipulating the DOM during the resize event
of an image element. If these elements have been freed due to a lack of
strong references, a potentially exploitable crash may occur when the
freed elements are accessed.

- CVE-2017-7803 (access restriction bypass)

A security issue has been found in firefox < 55.0 and thunderbird <
52.3. When a page’s content security policy (CSP) header contains a
sandbox directive, other directives are ignored. This results in the
incorrect enforcement of CSP.

- CVE-2017-7807 (content spoofing)

A domain hijacking flaw has been found in firefox < 55.0 and
thunderbird < 52.3. AppCache can be used to hijack a URL in a domain
using fallback by serving the files from a sub-path on the domain. This
has been addressed by requiring fallback files to be inside the
manifest directory.

- CVE-2017-7809 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, when an editor DOM node is deleted prematurely during tree
traversal while still bound to the document. This results in a
potentially exploitable crash.

Impact
======

A remote attacker can access sensitive information, bypass security
restrictions, crash the application or execute arbitrary code on the
affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7753
https://bugzilla.mozilla.org/show_bug.cgi?id=1353312
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7779
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1354443%2C1368576%2C1366903%2C1369913%2C1371424%2C1346590%2C1371890%2C1372985%2C1362924%2C1368105%2C1369994%2C1371283%2C1368362%2C1378826%2C1380426%2C1368030%2C1373220%2C1321384%2C1383002
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7784
https://bugzilla.mozilla.org/show_bug.cgi?id=1376087
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7785
https://bugzilla.mozilla.org/show_bug.cgi?id=1356985
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7786
https://bugzilla.mozilla.org/show_bug.cgi?id=1365189
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7787
https://bugzilla.mozilla.org/show_bug.cgi?id=1322896
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7791
https://bugzilla.mozilla.org/show_bug.cgi?id=1365875
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7792
https://bugzilla.mozilla.org/show_bug.cgi?id=1368652
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7800
https://bugzilla.mozilla.org/show_bug.cgi?id=1374047
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7801
https://bugzilla.mozilla.org/show_bug.cgi?id=1371259
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7802
https://bugzilla.mozilla.org/show_bug.cgi?id=1378147
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7803
https://bugzilla.mozilla.org/show_bug.cgi?id=1377426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7807
https://bugzilla.mozilla.org/show_bug.cgi?id=1376459
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7809
https://bugzilla.mozilla.org/show_bug.cgi?id=1380284
https://security.archlinux.org/CVE-2017-7753
https://security.archlinux.org/CVE-2017-7779
https://security.archlinux.org/CVE-2017-7784
https://security.archlinux.org/CVE-2017-7785
https://security.archlinux.org/CVE-2017-7786
https://security.archlinux.org/CVE-2017-7787
https://security.archlinux.org/CVE-2017-7791
https://security.archlinux.org/CVE-2017-7792
https://security.archlinux.org/CVE-2017-7800
https://security.archlinux.org/CVE-2017-7801
https://security.archlinux.org/CVE-2017-7802
https://security.archlinux.org/CVE-2017-7803
https://security.archlinux.org/CVE-2017-7807
https://security.archlinux.org/CVE-2017-7809
