[arch-security] [ASA-201710-19] thunderbird: multiple issues

Remi Gacogne rgacogne at archlinux.org
Fri Oct 13 08:01:24 UTC 2017


Arch Linux Security Advisory ASA-201710-19
==========================================

Severity: Critical
Date    : 2017-10-12
CVE-ID  : CVE-2017-7793 CVE-2017-7805 CVE-2017-7810 CVE-2017-7814
          CVE-2017-7818 CVE-2017-7819 CVE-2017-7823 CVE-2017-7824
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-441

Summary
=======

The package thunderbird before version 52.4.0-1 is vulnerable to
multiple issues including arbitrary code execution, access restriction
bypass and cross-site scripting.

Resolution
==========

Upgrade to 52.4.0-1.

# pacman -Syu "thunderbird>=52.4.0-1"

The problems have been fixed upstream in version 52.4.0.

Workaround
==========

None.

Description
===========

- CVE-2017-7793 (arbitrary code execution)

A use-after-free vulnerability can occur in the Fetch API of
Thunderbird < 52.4, when the worker or the associated window are freed
when still in use, resulting in a potentially exploitable crash.

- CVE-2017-7805 (arbitrary code execution)

A security issue has been found in Thunderbird < 52.4. During TLS 1.2
exchanges, handshake hashes are generated which point to a message
buffer. This saved data is used for later messages but in some cases,
the handshake transcript can exceed the space available in the current
buffer, causing the allocation of a new buffer. This leaves a pointer
pointing to the old, freed buffer, resulting in a use-after-free when
handshake hashes are then calculated afterwards. This can result in a
potentially exploitable crash.
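
The dangling-pointer pattern behind CVE-2017-7805, as an added illustration
that is not NSS or Thunderbird code: a growable transcript buffer, a hash
state that caches a raw pointer into that buffer (the vulnerable design)
beside one that caches only an offset and re-derives the pointer from the
live buffer on every update (the hardened design). The FNV-1a digest, the
record bytes and the buffer sizes are constructed for the demo and stand in
for the real handshake hash and messages; the demo detects the stale pointer
rather than dereferencing it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FNV_OFFSET 0xcbf29ce484222325ULL
#define FNV_PRIME  0x100000001b3ULL

/* Growable handshake transcript. When a message does not fit, a new block is
 * allocated, the contents copied and the old block freed: the reallocation
 * the advisory describes. */
typedef struct { uint8_t *data; size_t len, cap; } transcript_t;

static int transcript_init(transcript_t *t, size_t cap) {
    t->data = malloc(cap); t->len = 0; t->cap = cap;
    return t->data ? 0 : -1;
}

static int transcript_append(transcript_t *t, const uint8_t *msg, size_t n) {
    if (t->len + n > t->cap) {
        size_t ncap = t->cap ? t->cap : 1;
        while (t->len + n > ncap) ncap *= 2;
        uint8_t *fresh = malloc(ncap);
        if (!fresh) return -1;
        memcpy(fresh, t->data, t->len);
        free(t->data);            /* every pointer into the old block now dangles */
        t->data = fresh; t->cap = ncap;
    }
    memcpy(t->data + t->len, msg, n);
    t->len += n;
    return 0;
}

static void transcript_free(transcript_t *t) { free(t->data); t->data = NULL; t->len = t->cap = 0; }

/* Incremental 64-bit FNV-1a stands in for the TLS 1.2 handshake hash. */
static uint64_t fnv1a64_update(uint64_t h, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= FNV_PRIME; }
    return h;
}

/* Vulnerable design: the hash state caches a raw pointer to the message buffer
 * plus how much of it has been consumed. Growth of the transcript frees the
 * block that pointer refers to, and the next update reads freed memory. */
typedef struct { uint64_t h; const uint8_t *base; size_t consumed; } hash_vuln_t;

static void vuln_init(hash_vuln_t *s, const transcript_t *t) {
    s->h = FNV_OFFSET; s->base = t->data; s->consumed = 0;
}

static void vuln_update(hash_vuln_t *s, const transcript_t *t) {
    /* BUG: s->base is trusted without checking it is still the live buffer. */
    s->h = fnv1a64_update(s->h, s->base + s->consumed, t->len - s->consumed);
    s->consumed = t->len;
}

/* The demo checks this instead of calling vuln_update after growth, so the
 * use-after-free is shown without being executed. */
static int vuln_is_stale(const hash_vuln_t *s, const transcript_t *t) { return s->base != t->data; }

/* Hardened design: cache only an offset and resolve it against the current
 * base pointer on every update, so reallocation cannot leave stale state. */
typedef struct { uint64_t h; size_t consumed; } hash_fixed_t;

static void fixed_init(hash_fixed_t *s) { s->h = FNV_OFFSET; s->consumed = 0; }

static void fixed_update(hash_fixed_t *s, const transcript_t *t) {
    s->h = fnv1a64_update(s->h, t->data + s->consumed, t->len - s->consumed);
    s->consumed = t->len;
}

typedef struct { int vuln_stale; uint64_t fixed_digest; uint64_t oneshot_digest; } demo_result_t;

/* Constructed scenario (not real TLS records): a 16-byte initial buffer, a
 * 10-byte first message, then a 64-byte second message that forces growth. */
static int demo_run(demo_result_t *r) {
    static const uint8_t msg1[10] = { 0x16, 0x03, 0x03, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00 };
    uint8_t msg2[64];
    transcript_t t; hash_vuln_t v; hash_fixed_t f;

    for (size_t i = 0; i < sizeof msg2; i++) msg2[i] = (uint8_t)('A' + i % 26);
    if (transcript_init(&t, 16) != 0) return -1;
    if (transcript_append(&t, msg1, sizeof msg1) != 0) { transcript_free(&t); return -1; }
    vuln_init(&v, &t); vuln_update(&v, &t);     /* safe here: the buffer has not moved yet */
    fixed_init(&f);    fixed_update(&f, &t);
    if (transcript_append(&t, msg2, sizeof msg2) != 0) { transcript_free(&t); return -1; } /* 74 > 16 */
    r->vuln_stale = vuln_is_stale(&v, &t);   /* 1: vuln_update(&v, &t) now would read freed memory */
    fixed_update(&f, &t);                    /* correct: pointer re-derived from t.data */
    r->fixed_digest = f.h;
    r->oneshot_digest = fnv1a64_update(FNV_OFFSET, t.data, t.len);
    transcript_free(&t);
    return 0;
}

int main(void) {
    demo_result_t r;
    if (demo_run(&r) != 0) return 1;
    printf("vulnerable state stale after growth: %d\n", r.vuln_stale);
    printf("hardened digest matches one-shot digest: %d\n", r.fixed_digest == r.oneshot_digest);
    return 0;
}
```

The growth path allocates the new block before freeing the old one, so the
two addresses are guaranteed to differ and the staleness check is
deterministic; a realloc() that happens to extend in place would hide the bug
on one run and expose it on the next, which is why such bugs survive testing.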

- CVE-2017-7810 (arbitrary code execution)

Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox <= 55, Firefox
ESR <= 52.3, and Thunderbird <= 52.3. Some of these bugs showed
evidence of memory corruption and we presume that, with enough effort,
some of these could be exploited to run arbitrary code.

- CVE-2017-7814 (access restriction bypass)

A security issue has been found in Thunderbird < 52.4. File downloads
encoded with blob: and data: URL elements bypassed normal file download
checks through the Phishing and Malware Protection feature and its block
lists of suspicious sites and files. This would allow malicious sites
to lure users into downloading executables that would otherwise be
detected as suspicious.

- CVE-2017-7818 (arbitrary code execution)

A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM, in Thunderbird < 52.4. This results in a potentially
exploitable crash.

- CVE-2017-7819 (arbitrary code execution)

A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have been
freed from memory, in Thunderbird < 52.4. This results in a potentially
exploitable crash.

- CVE-2017-7823 (cross-site scripting)

The content security policy (CSP) sandbox directive in Thunderbird <
52.4 did not create a unique origin for the document, causing it to
behave as if the allow-same-origin keyword were always specified. This
could allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.

- CVE-2017-7824 (arbitrary code execution)

A buffer overflow occurs when drawing and validating elements with the
ANGLE graphics library, used for WebGL content in Thunderbird < 52.4.
This is due to an incorrect value being passed within the library
during checks and results in a potentially exploitable crash.

Impact
======

A remote attacker can bypass security measures like the phishing and
malware protection or a content security policy, and execute arbitrary
code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-23
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7793
https://bugzilla.mozilla.org/show_bug.cgi?id=1371889
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7805
https://bugzilla.mozilla.org/show_bug.cgi?id=1377618
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7810
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1386787%2C1389974%2C1371657%2C1360334%2C1390550%2C1380824%2C1387918%2C1395598
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7814
https://bugzilla.mozilla.org/show_bug.cgi?id=1376036
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7818
https://bugzilla.mozilla.org/show_bug.cgi?id=1363723
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7819
https://bugzilla.mozilla.org/show_bug.cgi?id=1380292
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7823
https://bugzilla.mozilla.org/show_bug.cgi?id=1396320
https://www.mozilla.org/en-US/security/advisories/mfsa2017-23/#CVE-2017-7824
https://bugzilla.mozilla.org/show_bug.cgi?id=1398381
https://security.archlinux.org/CVE-2017-7793
https://security.archlinux.org/CVE-2017-7805
https://security.archlinux.org/CVE-2017-7810
https://security.archlinux.org/CVE-2017-7814
https://security.archlinux.org/CVE-2017-7818
https://security.archlinux.org/CVE-2017-7819
https://security.archlinux.org/CVE-2017-7823
https://security.archlinux.org/CVE-2017-7824
