[ASA-201912-2] thunderbird: arbitrary code execution

Remi Gacogne rgacogne at archlinux.org
Wed Dec 11 08:48:19 UTC 2019


Arch Linux Security Advisory ASA-201912-2
=========================================

Severity: Critical
Date    : 2019-12-06
CVE-ID  : CVE-2019-11745 CVE-2019-17005 CVE-2019-17008 CVE-2019-17010
          CVE-2019-17011 CVE-2019-17012
Package : thunderbird
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1072

Summary
=======

The package thunderbird before version 68.3.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 68.3.0-1.

# pacman -Syu "thunderbird>=68.3.0-1"

The problems have been fixed upstream in version 68.3.0.
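
To confirm that a host has picked up the fix, the following added example (not part of the original advisory) compares the installed thunderbird version against the fixed version 68.3.0-1 named above. The function names are hypothetical; the `sort -V` fallback is an assumption for systems without pacman's `vercmp` and only handles plain numeric versions without an epoch.

```shell
#!/bin/sh
# Added example: classify a thunderbird version against ASA-201912-2.
# Fixed version as stated in the advisory.
FIXED_VERSION="68.3.0-1"

# version_ge A B: succeed when version A >= version B.
# Prefers pacman's vercmp; otherwise falls back to GNU sort -V, which
# matches vercmp for plain numeric pkgver-pkgrel strings without an epoch.
version_ge() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -ge 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
    fi
}

# thunderbird_status VERSION: print "patched" or "vulnerable".
thunderbird_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# check_host: report the state of the locally installed package.
check_host() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "no-pacman"
        return 0
    fi
    # "pacman -Q thunderbird" prints "thunderbird <version>" when installed.
    installed=$(pacman -Q thunderbird 2>/dev/null | awk '{print $2}')
    if [ -z "$installed" ]; then
        echo "not-installed"
    else
        echo "$installed $(thunderbird_status "$installed")"
    fi
}

check_host
```

A Thunderbird process started before the upgrade keeps running the old code until it is restarted.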

Workaround
==========

None.

Description
===========

- CVE-2019-11745 (arbitrary code execution)

An out-of-bounds write vulnerability has been found in the NSS
component of Firefox before 71.0 and Thunderbird before 68.3. When
encrypting with a block cipher, if a call to NSC_EncryptUpdate was made
with data smaller than the block size, a small out-of-bounds write
could occur. This could have caused heap corruption and a potentially
exploitable crash.

- CVE-2019-17005 (arbitrary code execution)

An out-of-bounds write vulnerability has been found in Firefox before
71.0 and Thunderbird before 68.3 where the plain text serializer used a
fixed-size array for the number of elements it could process; however,
it was possible to overflow the static-sized array, leading to memory
corruption and a potentially exploitable crash.

- CVE-2019-17008 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox before 71.0
and Thunderbird before 68.3. When using nested workers, a use-after-
free could occur during worker destruction. This resulted in a
potentially exploitable crash.

- CVE-2019-17010 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox before 71.0
and Thunderbird before 68.3. Under certain conditions, when checking
the Resist Fingerprinting preference during device orientation checks,
a race condition could have caused a use-after-free and a potentially
exploitable crash.

- CVE-2019-17011 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox before 71.0
and Thunderbird before 68.3. Under certain conditions, when retrieving
a document from a DocShell in the antitracking code, a race condition
could cause a use-after-free condition and a potentially exploitable
crash.

- CVE-2019-17012 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 71.0 and
Thunderbird before 68.3. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these
could have been exploited to run arbitrary code.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-11745
https://bugzilla.mozilla.org/show_bug.cgi?id=1586176
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17005
https://bugzilla.mozilla.org/show_bug.cgi?id=1584170
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17008
https://bugzilla.mozilla.org/show_bug.cgi?id=1546331
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17010
https://bugzilla.mozilla.org/show_bug.cgi?id=1581084
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17011
https://bugzilla.mozilla.org/show_bug.cgi?id=1591334
https://www.mozilla.org/en-US/security/advisories/mfsa2019-36/#CVE-2019-17012
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1449736%2C1533957%2C1560667%2C1567209%2C1580288%2C1585760%2C1592502
https://security.archlinux.org/CVE-2019-11745
https://security.archlinux.org/CVE-2019-17005
https://security.archlinux.org/CVE-2019-17008
https://security.archlinux.org/CVE-2019-17010
https://security.archlinux.org/CVE-2019-17011
https://security.archlinux.org/CVE-2019-17012
