[ASA-201703-2] thunderbird: multiple issues

ID ASA-201703-2
Type archlinux
Reporter ArchLinux
Modified 2017-03-10T00:00:00


Arch Linux Security Advisory ASA-201703-2

Severity: Critical Date : 2017-03-10 CVE-ID : CVE-2017-5398 CVE-2017-5400 CVE-2017-5401 CVE-2017-5402 CVE-2017-5404 CVE-2017-5405 CVE-2017-5407 CVE-2017-5408 CVE-2017-5410 Package : thunderbird Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-193


The package thunderbird before version 45.8.0-1 is vulnerable to multiple issues including arbitrary code execution, information disclosure and content spoofing.


Upgrade to 45.8.0-1.

pacman -Syu "thunderbird>=45.8.0-1"

The problems have been fixed upstream in version 45.8.0.




  • CVE-2017-5398 (arbitrary code execution)

Several memory safety bugs, some of them leading to memory corruption issues have been found in Firefox < 52 and Thunderbird < 45.8.

  • CVE-2017-5400 (arbitrary code execution)

JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks.

  • CVE-2017-5401 (arbitrary code execution)

A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error.

  • CVE-2017-5402 (arbitrary code execution)

A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts.

  • CVE-2017-5404 (arbitrary code execution)

A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash.

  • CVE-2017-5405 (content spoofing)

Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations.

  • CVE-2017-5407 (information disclosure)

Using SVG filters that don't use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure.

  • CVE-2017-5408 (information disclosure)

Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions.

  • CVE-2017-5410 (arbitrary code execution)

Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental sweeping is managed for memory cleanup.


A remote attacker can access sensitive information, force a user to connect to a spoofed FTP port or execute arbitrary code on the affected host.


https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/ https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5398 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1332550%2C1332597%2C1338383%2C1321612%2C1322971%2C1333568%2C1333887%2C1335450%2C1325052%2C1324379%2C1336510 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5400 https://bugzilla.mozilla.org/show_bug.cgi?id=1334933 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5401 https://bugzilla.mozilla.org/show_bug.cgi?id=1328861 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5402 https://bugzilla.mozilla.org/show_bug.cgi?id=1334876 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5404 https://bugzilla.mozilla.org/show_bug.cgi?id=1340138 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5405 https://bugzilla.mozilla.org/show_bug.cgi?id=1336699 https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/#CVE-2017-5407 https://bugzilla.mozilla.org/show_bug.cgi?id=1336622 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5408 https://bugzilla.mozilla.org/show_bug.cgi?id=1313711 https://www.mozilla.org/en-US/security/advisories/mfsa2017-07/#CVE-2017-5410 https://bugzilla.mozilla.org/show_bug.cgi?id=1330687 https://security.archlinux.org/CVE-2017-5398 https://security.archlinux.org/CVE-2017-5400 https://security.archlinux.org/CVE-2017-5401 https://security.archlinux.org/CVE-2017-5402 https://security.archlinux.org/CVE-2017-5404 https://security.archlinux.org/CVE-2017-5405 https://security.archlinux.org/CVE-2017-5407 https://security.archlinux.org/CVE-2017-5408 https://security.archlinux.org/CVE-2017-5410