[ASA-201708-18] thunderbird: multiple issues

2017-08-23T00:00:00
ID ASA-201708-18
Type archlinux
Reporter ArchLinux
Modified 2017-08-23T00:00:00

Description

Arch Linux Security Advisory ASA-201708-18

Severity: Critical
Date    : 2017-08-23
CVE-ID  : CVE-2017-7753 CVE-2017-7779 CVE-2017-7784 CVE-2017-7785
          CVE-2017-7786 CVE-2017-7787 CVE-2017-7791 CVE-2017-7792
          CVE-2017-7800 CVE-2017-7801 CVE-2017-7802 CVE-2017-7803
          CVE-2017-7807 CVE-2017-7809
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-385

Summary

The package thunderbird before version 52.3.0-1 is vulnerable to multiple issues including arbitrary code execution, content spoofing, information disclosure, same-origin policy bypass and access restriction bypass.

Resolution

Upgrade to 52.3.0-1.

pacman -Syu "thunderbird>=52.3.0-1"

The problems have been fixed upstream in version 52.3.0.
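The fixed version above is expressed in pacman's `[epoch:]pkgver-pkgrel` form, and deciding whether a host is still affected means comparing the installed version against it the way `pacman`'s `vercmp` does, not as a plain string. The following Python is an added example, not part of the advisory or of pacman: it reads `pacman -Q` style output (a constructed sample is embedded), implements a simplified form of the rpmvercmp segment comparison that pacman uses (separator-count tie-breaks are omitted), and reports packages whose installed version is older than the advisory's fixed version. The `affected_packages`, `vercmp` and `parse_pkg_version` names are this example's own.

```python
import re

def _rpmvercmp(a, b):
    """Simplified rpmvercmp: compare two version strings segment by segment.

    Segments are runs of digits or letters; numeric segments compare as
    integers, alpha segments lexically, and a numeric segment beats an alpha
    one. Returns -1, 0 or 1 like pacman's vercmp.
    """
    if a == b:
        return 0
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit():
            return 1            # "1" is newer than "rc"
        elif y.isdigit():
            return -1
        elif x != y:
            return -1 if x < y else 1
    if len(ta) == len(tb):
        return 0
    # All shared segments are equal: extra numeric segments make a version
    # newer (52.3.0.1 > 52.3.0), extra alpha segments make it older
    # (52.3.0rc1 < 52.3.0).
    a_is_longer = len(ta) > len(tb)
    rest = ta[len(tb):] if a_is_longer else tb[len(ta):]
    if rest[0].isdigit():
        return 1 if a_is_longer else -1
    return -1 if a_is_longer else 1

def parse_pkg_version(ver):
    """Split pacman's [epoch:]pkgver-pkgrel into (epoch, pkgver, pkgrel)."""
    epoch = 0
    if ":" in ver:
        e, ver = ver.split(":", 1)
        epoch = int(e)
    if "-" in ver:
        pkgver, pkgrel = ver.rsplit("-", 1)
    else:
        pkgver, pkgrel = ver, "0"
    return epoch, pkgver, pkgrel

def vercmp(a, b):
    """Compare two full pacman versions: epoch first, then pkgver, then pkgrel."""
    ea, va, ra = parse_pkg_version(a)
    eb, vb, rb = parse_pkg_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _rpmvercmp(va, vb)
    if c != 0:
        return c
    return _rpmvercmp(ra, rb)

def affected_packages(pacman_q_output, advisories):
    """Return {pkg: (installed, fixed)} for packages older than the fixed version.

    pacman_q_output is text in the `pacman -Q` format ("name version" per line);
    advisories maps package name to the advisory's fixed version.
    """
    result = {}
    for line in pacman_q_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, installed = line.split()
        fixed = advisories.get(name)
        if fixed is not None and vercmp(installed, fixed) < 0:
            result[name] = (installed, fixed)
    return result

# Constructed sample of `pacman -Q` output; the thunderbird version is chosen
# to be older than the fixed version named in this advisory.
SAMPLE_PACMAN_Q = """\
firefox 55.0-1
thunderbird 52.2.1-1
"""
ADVISORIES = {"thunderbird": "52.3.0-1"}   # from ASA-201708-18

if __name__ == "__main__":
    for pkg, (have, need) in affected_packages(SAMPLE_PACMAN_Q, ADVISORIES).items():
        print(f"{pkg}: installed {have}, fixed in {need}")
```

On a live host, replace the constructed sample with the actual output of `pacman -Q`; the same comparison also flags an epoch bump or a pre-release suffix (such as `rc1`) correctly, which a plain string comparison of the version would not.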

Workaround

None.

Description

  • CVE-2017-7753 (information disclosure)

An out-of-bounds read has been found in firefox < 55.0 and thunderbird < 52.3, when applying style rules to pseudo-elements, such as ::first-line, using cached style data.

  • CVE-2017-7779 (arbitrary code execution)

Several memory safety bugs have been found in firefox < 55.0 and thunderbird < 52.3. Some of these bugs showed evidence of memory corruption, and we presume that, with enough effort, some of them could be exploited to run arbitrary code.

  • CVE-2017-7784 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.

  • CVE-2017-7785 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.

  • CVE-2017-7786 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.

  • CVE-2017-7787 (same-origin policy bypass)

Same-origin policy protections can be bypassed in firefox < 55.0 and thunderbird < 52.3, on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page and leading to information disclosure.

  • CVE-2017-7791 (content spoofing)

A content spoofing issue has been found in firefox < 55.0 and thunderbird < 52.3. On pages containing an iframe, the data: protocol can be used to create a modal alert that renders over arbitrary domains following page navigation, so that the origin of the modal alert raised from the iframe content is spoofed.

  • CVE-2017-7792 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.

  • CVE-2017-7800 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, in WebSockets, when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.

  • CVE-2017-7801 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.

  • CVE-2017-7802 (arbitrary code execution)

A use-after-free vulnerability has been found in firefox < 55.0 and thunderbird < 52.3, when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.

  • CVE-2017-7803 (access restriction bypass)

A security issue has been found in firefox < 55.0 and thunderbird < 52.3. When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.

  • CVE-2017-7807 (content spoofing)

A domain hijacking flaw has been found in firefox < 55.0 and thunderbird < 52.3: the AppCache fallback mechanism could be used to hijack a URL in a domain by serving the files from a sub-path on that domain. This has been addressed by requiring that fallback files be inside the manifest directory.

  • CVE-2017-7809 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.

Impact

A remote attacker can access sensitive information, bypass security restrictions, crash the application or execute arbitrary code on the affected host.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7753
https://bugzilla.mozilla.org/show_bug.cgi?id=1353312
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7779
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1354443%2C1368576%2C1366903%2C1369913%2C1371424%2C1346590%2C1371890%2C1372985%2C1362924%2C1368105%2C1369994%2C1371283%2C1368362%2C1378826%2C1380426%2C1368030%2C1373220%2C1321384%2C1383002
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7784
https://bugzilla.mozilla.org/show_bug.cgi?id=1376087
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7785
https://bugzilla.mozilla.org/show_bug.cgi?id=1356985
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7786
https://bugzilla.mozilla.org/show_bug.cgi?id=1365189
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7787
https://bugzilla.mozilla.org/show_bug.cgi?id=1322896
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7791
https://bugzilla.mozilla.org/show_bug.cgi?id=1365875
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7792
https://bugzilla.mozilla.org/show_bug.cgi?id=1368652
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7800
https://bugzilla.mozilla.org/show_bug.cgi?id=1374047
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7801
https://bugzilla.mozilla.org/show_bug.cgi?id=1371259
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7802
https://bugzilla.mozilla.org/show_bug.cgi?id=1378147
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7803
https://bugzilla.mozilla.org/show_bug.cgi?id=1377426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7807
https://bugzilla.mozilla.org/show_bug.cgi?id=1376459
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7809
https://bugzilla.mozilla.org/show_bug.cgi?id=1380284
https://security.archlinux.org/CVE-2017-7753
https://security.archlinux.org/CVE-2017-7779
https://security.archlinux.org/CVE-2017-7784
https://security.archlinux.org/CVE-2017-7785
https://security.archlinux.org/CVE-2017-7786
https://security.archlinux.org/CVE-2017-7787
https://security.archlinux.org/CVE-2017-7791
https://security.archlinux.org/CVE-2017-7792
https://security.archlinux.org/CVE-2017-7800
https://security.archlinux.org/CVE-2017-7801
https://security.archlinux.org/CVE-2017-7802
https://security.archlinux.org/CVE-2017-7803
https://security.archlinux.org/CVE-2017-7807
https://security.archlinux.org/CVE-2017-7809