The remote NewStart CGSL host, running version MAIN 4.05, has thunderbird packages installed that are affected by multiple vulnerabilities:
A buffer overflow in WebGL triggerable by web content, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5459)
An out-of-bounds read during the processing of glyph widths during text layout. This results in a potentially exploitable crash and could allow an attacker to read otherwise inaccessible memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5447)
An out-of-bounds read when an HTTP/2 connection to a servers sends DATA frames with incorrect data content.
This leads to a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5446)
A possibly exploitable crash triggered during layout and manipulation of bidirectional unicode text in concert with CSS animations. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5449)
A use-after-free vulnerability during changes in style when manipulating DOM elements. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5442)
An out-of-bounds write vulnerability while decoding improperly formed BinHex format archives. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5443)
A buffer overflow vulnerability while parsing application/http-index-format format content when the header contains improperly formatted data. This allows for an out-of-bounds read of data from memory. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5444)
A use-after-free vulnerability when holding a selection during scroll events. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5441)
A potential memory corruption and crash when using Skia content when drawing content outside of the bounds of a clipping region. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5467)
A mechanism to bypass file system access protections in the sandbox to use the file picker to access different files than those selected in the file picker through the use of relative paths. This allows for read only access to the local file system. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5454)
A mechanism to spoof the addressbar through the user interaction on the addressbar and the onblur event.
The event could be used by script to affect text display to make the loaded site appear to be different from the one actually loaded within the addressbar. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5451)
A use-after-free vulnerability occurs during certain text input selection resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5432)
A use-after-free vulnerability in frame selection triggered by a combination of malicious script content and key presses by a user. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5460)
During DOM manipulations of the accessibility tree through script, the DOM tree can become out of sync with the accessibility tree, leading to memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5464)
Fixed potential buffer overflows in generated Firefox code due to CVE-2016-6354 issue in Flex. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5469)
An out-of-bounds read while processing SVG content in ConvolvePixel. This results in a crash and also allows for otherwise inaccessible memory being copied into SVG graphic content, which could then displayed. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5465)
If a page is loaded from an original site through a hyperlink and contains a redirect to a data:text/html URL, triggering a reload will run the reloaded data:text/html page with its origin set incorrectly.
This allows for a cross-site scripting (XSS) attack.
This vulnerability affects Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5466)
A use-after-free vulnerability in SMIL animation functions occurs when pointers to animation elements in an array are dropped from the animation controller while still in use. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5433)
A use-after-free vulnerability occurs when redirecting focus handling which results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5434)
A use-after-free vulnerability during XSLT processing due to the result handler being held by a freed handler during handling. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5438)
A use-after-free vulnerability during XSLT processing due to poor handling of template parameters. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5439)
A use-after-free vulnerability occurs during transaction processing in the editor during design mode interactions. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5435)
Memory safety bugs were reported in Thunderbird 45.7.
Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
(CVE-2017-5398)
JIT-spray targeting asm.js combined with a heap spray allows for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
(CVE-2017-5400)
A crash triggerable by web content in which an ErrorResult references unassigned memory due to a logic error. The resulting crash may be exploitable.
This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8.
(CVE-2017-5401)
A use-after-free can occur when events are fired for a FontFace object after the object has been already been destroyed while working with fonts. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. (CVE-2017-5402)
A use-after-free error can occur when manipulating ranges in selections with one node inside a native anonymous tree and one node outside of it. This results in a potentially exploitable crash. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. (CVE-2017-5404)
Certain response codes in FTP connections can result in the use of uninitialized values for ports in FTP operations. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. (CVE-2017-5405)
Using SVG filters that don’t use the fixed point math implementation on a target iframe, a malicious page can extract pixel values from a targeted user. This can be used to extract history information and read text values across domains. This violates same-origin policy and leads to information disclosure. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. (CVE-2017-5407)
Video files loaded video captions cross-origin without checking for the presence of CORS headers permitting such cross-origin use, leading to potential information disclosure for video captions. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. (CVE-2017-5408)
Memory corruption resulting in a potentially exploitable crash during garbage collection of JavaScript due errors in how incremental sweeping is managed for memory cleanup. This vulnerability affects Firefox < 52, Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird < 45.8. (CVE-2017-5410)
An out-of-bounds read vulnerability with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7758)
A use-after-free vulnerability in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.
(CVE-2017-7757)
A number of security vulnerabilities in the Graphite 2 library including out-of-bounds reads, buffer overflow reads and writes, and the use of uninitialized memory.
These issues were addressed in Graphite 2 version 1.3.10. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7778)
An out of bounds read vulnerability was found in libevent in the search_make_new function. If an attacker could cause an application using libevent to attempt resolving an empty hostname, an out of bounds read could occur possibly leading to a crash. (CVE-2016-10197)
A vulnerability was found in libevent with the parsing of DNS requests and replies. An attacker could send a forged DNS response to an application using libevent which could lead to reading data out of bounds on the heap, potentially disclosing a small amount of application memory. (CVE-2016-10195)
A vulnerability was found in libevent with the parsing of IPv6 addresses. If an attacker could cause an application using libevent to parse a malformed address in IPv6 notation of more than 2GiB in length, a stack overflow would occur leading to a crash.
(CVE-2016-10196)
A use-after-free vulnerability during video control operations when a element holds a reference to an older window if that window has been replaced in the DOM. This results in a potentially exploitable crash.
This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7750)
A use-after-free and use-after-scope vulnerability when logging errors from headers for XML HTTP Requests (XHR).
This could result in a potentially exploitable crash.
This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7756)
A use-after-free vulnerability when using an incorrect URL during the reloading of a docshell. This results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7749)
A use-after-free vulnerability during specific user interactions with the input method editor (IME) in some languages due to how events are handled. This results in a potentially exploitable crash but would require specific user interaction to trigger. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7752)
A use-after-free vulnerability with content viewer listeners that results in a potentially exploitable crash. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7751)
A use-after-free vulnerability with the frameloader during tree reconstruction while regenerating CSS layout when attempting to use a node in the tree that no longer exists. This results in a potentially exploitable crash.
This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-5472)
An out-of-bounds read in WebGL with a maliciously crafted ImageInfo object during WebGL operations. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7754)
Memory safety bugs were reported in Firefox 53 and Firefox ESR 52.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-5470)
An out of bounds read flaw related to graphite2::Silf::readGraphite has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-7774)
A heap-based buffer overflow flaw related to lz4::decompress (src/Decompressor) has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code.
(CVE-2017-7773)
A heap-based buffer overflow flaw related to lz4::decompress has been reported in graphite2. An attacker could exploit this issue to cause a crash or, possibly, execute arbitrary code. (CVE-2017-7772)
An out of bounds read flaw related to graphite2::Pass::readPass has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-7771)
The use of uninitialized memory related to graphite2::GlyphCache::Loader::read_glyph has been reported in graphite2. An attacker could possibly exploit this flaw to negatively impact the execution of an application using graphite2 in unknown ways.
(CVE-2017-7777)
An out of bounds read flaw related to graphite2::Silf::getClassGlyph has been reported in graphite2. An attacker could possibly exploit this flaw to disclose potentially sensitive memory or cause an application crash. (CVE-2017-7776)
Characters from the Canadian Syllabics unicode block can be mixed with characters from other unicode blocks in the addressbar instead of being rendered as their raw punycode form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from Aspirational Use Scripts such as Canadian Syllabics to be mixed with Latin characters in the moderately restrictive IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0 which removes this category and treats them as Limited Use Scripts… This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7764)
Memory safety bugs were reported in Firefox 52, Firefox ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5429)
A vulnerability while parsing application/http-index- format format content where uninitialized values are used to create an array. This could allow the reading of uninitialized memory into the arrays affected. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5445)
A use-after-free vulnerability during XSLT processing due to a failure to propagate error conditions during matching while evaluating context, leading to objects being used when they no longer exist. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5440)
An out-of-bounds write in the Graphite 2 library triggered with a maliciously crafted Graphite font. This results in a potentially exploitable crash. This issue was fixed in the Graphite 2 library as well as Mozilla products. This vulnerability affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox < 53. (CVE-2017-5436)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2019-0110. The text
# itself is copyright (C) ZTE, Inc.
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(127347);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
script_cve_id(
"CVE-2016-10195",
"CVE-2016-10196",
"CVE-2016-10197",
"CVE-2017-5398",
"CVE-2017-5400",
"CVE-2017-5401",
"CVE-2017-5402",
"CVE-2017-5404",
"CVE-2017-5405",
"CVE-2017-5407",
"CVE-2017-5408",
"CVE-2017-5410",
"CVE-2017-5429",
"CVE-2017-5432",
"CVE-2017-5433",
"CVE-2017-5434",
"CVE-2017-5435",
"CVE-2017-5436",
"CVE-2017-5438",
"CVE-2017-5439",
"CVE-2017-5440",
"CVE-2017-5441",
"CVE-2017-5442",
"CVE-2017-5443",
"CVE-2017-5444",
"CVE-2017-5445",
"CVE-2017-5446",
"CVE-2017-5447",
"CVE-2017-5449",
"CVE-2017-5451",
"CVE-2017-5454",
"CVE-2017-5459",
"CVE-2017-5460",
"CVE-2017-5464",
"CVE-2017-5465",
"CVE-2017-5466",
"CVE-2017-5467",
"CVE-2017-5469",
"CVE-2017-5470",
"CVE-2017-5472",
"CVE-2017-7749",
"CVE-2017-7750",
"CVE-2017-7751",
"CVE-2017-7752",
"CVE-2017-7754",
"CVE-2017-7756",
"CVE-2017-7757",
"CVE-2017-7758",
"CVE-2017-7764",
"CVE-2017-7771",
"CVE-2017-7772",
"CVE-2017-7773",
"CVE-2017-7774",
"CVE-2017-7776",
"CVE-2017-7777",
"CVE-2017-7778"
);
script_name(english:"NewStart CGSL MAIN 4.05 : thunderbird Multiple Vulnerabilities (NS-SA-2019-0110)");
script_set_attribute(attribute:"synopsis", value:
"The remote machine is affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 4.05, has thunderbird packages installed that are affected by
multiple vulnerabilities:
- A buffer overflow in WebGL triggerable by web content,
resulting in a potentially exploitable crash. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5459)
- An out-of-bounds read during the processing of glyph
widths during text layout. This results in a potentially
exploitable crash and could allow an attacker to read
otherwise inaccessible memory. This vulnerability
affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5447)
- An out-of-bounds read when an HTTP/2 connection to a
servers sends DATA frames with incorrect data content.
This leads to a potentially exploitable crash. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5446)
- A possibly exploitable crash triggered during layout and
manipulation of bidirectional unicode text in concert
with CSS animations. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox <
53. (CVE-2017-5449)
- A use-after-free vulnerability during changes in style
when manipulating DOM elements. This results in a
potentially exploitable crash. This vulnerability
affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5442)
- An out-of-bounds write vulnerability while decoding
improperly formed BinHex format archives. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5443)
- A buffer overflow vulnerability while parsing
application/http-index-format format content when the
header contains improperly formatted data. This allows
for an out-of-bounds read of data from memory. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5444)
- A use-after-free vulnerability when holding a selection
during scroll events. This results in a potentially
exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5441)
- A potential memory corruption and crash when using Skia
content when drawing content outside of the bounds of a
clipping region. This vulnerability affects Thunderbird
< 52.1, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5467)
- A mechanism to bypass file system access protections in
the sandbox to use the file picker to access different
files than those selected in the file picker through the
use of relative paths. This allows for read only access
to the local file system. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 52.1, and Firefox <
53. (CVE-2017-5454)
- A mechanism to spoof the addressbar through the user
interaction on the addressbar and the onblur event.
The event could be used by script to affect text display
to make the loaded site appear to be different from the
one actually loaded within the addressbar. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5451)
- A use-after-free vulnerability occurs during certain
text input selection resulting in a potentially
exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5432)
- A use-after-free vulnerability in frame selection
triggered by a combination of malicious script content
and key presses by a user. This results in a potentially
exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5460)
- During DOM manipulations of the accessibility tree
through script, the DOM tree can become out of sync with
the accessibility tree, leading to memory corruption and
a potentially exploitable crash. This vulnerability
affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5464)
- Fixed potential buffer overflows in generated Firefox
code due to CVE-2016-6354 issue in Flex. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5469)
- An out-of-bounds read while processing SVG content in
ConvolvePixel. This results in a crash and also allows
for otherwise inaccessible memory being copied into SVG
graphic content, which could then displayed. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5465)
- If a page is loaded from an original site through a
hyperlink and contains a redirect to a data:text/html
URL, triggering a reload will run the reloaded
data:text/html page with its origin set incorrectly.
This allows for a cross-site scripting (XSS) attack.
This vulnerability affects Thunderbird < 52.1, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5466)
- A use-after-free vulnerability in SMIL animation
functions occurs when pointers to animation elements in
an array are dropped from the animation controller while
still in use. This results in a potentially exploitable
crash. This vulnerability affects Thunderbird < 52.1,
Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox <
53. (CVE-2017-5433)
- A use-after-free vulnerability occurs when redirecting
focus handling which results in a potentially
exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5434)
- A use-after-free vulnerability during XSLT processing
due to the result handler being held by a freed handler
during handling. This results in a potentially
exploitable crash. This vulnerability affects
Thunderbird < 52.1, Firefox ESR < 45.9, Firefox ESR <
52.1, and Firefox < 53. (CVE-2017-5438)
- A use-after-free vulnerability during XSLT processing
due to poor handling of template parameters. This
results in a potentially exploitable crash. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5439)
- A use-after-free vulnerability occurs during transaction
processing in the editor during design mode
interactions. This results in a potentially exploitable
crash. This vulnerability affects Thunderbird < 52.1,
Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox <
53. (CVE-2017-5435)
- Memory safety bugs were reported in Thunderbird 45.7.
Some of these bugs showed evidence of memory corruption
and we presume that with enough effort that some of
these could be exploited to run arbitrary code. This
vulnerability affects Firefox < 52, Firefox ESR < 45.8,
Thunderbird < 52, and Thunderbird < 45.8.
(CVE-2017-5398)
- JIT-spray targeting asm.js combined with a heap spray
allows for a bypass of ASLR and DEP protections leading
to potential memory corruption attacks. This
vulnerability affects Firefox < 52, Firefox ESR < 45.8,
Thunderbird < 52, and Thunderbird < 45.8.
(CVE-2017-5400)
- A crash triggerable by web content in which an
ErrorResult references unassigned memory due to a
logic error. The resulting crash may be exploitable.
This vulnerability affects Firefox < 52, Firefox ESR <
45.8, Thunderbird < 52, and Thunderbird < 45.8.
(CVE-2017-5401)
- A use-after-free can occur when events are fired for a
FontFace object after the object has been already been
destroyed while working with fonts. This results in a
potentially exploitable crash. This vulnerability
affects Firefox < 52, Firefox ESR < 45.8, Thunderbird <
52, and Thunderbird < 45.8. (CVE-2017-5402)
- A use-after-free error can occur when manipulating
ranges in selections with one node inside a native
anonymous tree and one node outside of it. This results
in a potentially exploitable crash. This vulnerability
affects Firefox < 52, Firefox ESR < 45.8, Thunderbird <
52, and Thunderbird < 45.8. (CVE-2017-5404)
- Certain response codes in FTP connections can result in
the use of uninitialized values for ports in FTP
operations. This vulnerability affects Firefox < 52,
Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird <
45.8. (CVE-2017-5405)
- Using SVG filters that don't use the fixed point math
implementation on a target iframe, a malicious page can
extract pixel values from a targeted user. This can be
used to extract history information and read text values
across domains. This violates same-origin policy and
leads to information disclosure. This vulnerability
affects Firefox < 52, Firefox ESR < 45.8, Thunderbird <
52, and Thunderbird < 45.8. (CVE-2017-5407)
- Video files loaded video captions cross-origin without
checking for the presence of CORS headers permitting
such cross-origin use, leading to potential information
disclosure for video captions. This vulnerability
affects Firefox < 52, Firefox ESR < 45.8, Thunderbird <
52, and Thunderbird < 45.8. (CVE-2017-5408)
- Memory corruption resulting in a potentially exploitable
crash during garbage collection of JavaScript due errors
in how incremental sweeping is managed for memory
cleanup. This vulnerability affects Firefox < 52,
Firefox ESR < 45.8, Thunderbird < 52, and Thunderbird <
45.8. (CVE-2017-5410)
- An out-of-bounds read vulnerability with the Opus
encoder when the number of channels in an audio stream
changes while the encoder is in use. This vulnerability
affects Firefox < 54, Firefox ESR < 52.2, and
Thunderbird < 52.2. (CVE-2017-7758)
- A use-after-free vulnerability in IndexedDB when one of
its objects is destroyed in memory while a method on it
is still being executed. This results in a potentially
exploitable crash. This vulnerability affects Firefox <
54, Firefox ESR < 52.2, and Thunderbird < 52.2.
(CVE-2017-7757)
- A number of security vulnerabilities in the Graphite 2
library including out-of-bounds reads, buffer overflow
reads and writes, and the use of uninitialized memory.
These issues were addressed in Graphite 2 version
1.3.10. This vulnerability affects Firefox < 54, Firefox
ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7778)
- An out of bounds read vulnerability was found in
libevent in the search_make_new function. If an attacker
could cause an application using libevent to attempt
resolving an empty hostname, an out of bounds read could
occur possibly leading to a crash. (CVE-2016-10197)
- A vulnerability was found in libevent with the parsing
of DNS requests and replies. An attacker could send a
forged DNS response to an application using libevent
which could lead to reading data out of bounds on the
heap, potentially disclosing a small amount of
application memory. (CVE-2016-10195)
- A vulnerability was found in libevent with the parsing
of IPv6 addresses. If an attacker could cause an
application using libevent to parse a malformed address
in IPv6 notation of more than 2GiB in length, a stack
overflow would occur leading to a crash.
(CVE-2016-10196)
- A use-after-free vulnerability during video control
operations when a element holds a reference to
an older window if that window has been replaced in the
DOM. This results in a potentially exploitable crash.
This vulnerability affects Firefox < 54, Firefox ESR <
52.2, and Thunderbird < 52.2. (CVE-2017-7750)
- A use-after-free and use-after-scope vulnerability when
logging errors from headers for XML HTTP Requests (XHR).
This could result in a potentially exploitable crash.
This vulnerability affects Firefox < 54, Firefox ESR <
52.2, and Thunderbird < 52.2. (CVE-2017-7756)
- A use-after-free vulnerability when using an incorrect
URL during the reloading of a docshell. This results in
a potentially exploitable crash. This vulnerability
affects Firefox < 54, Firefox ESR < 52.2, and
Thunderbird < 52.2. (CVE-2017-7749)
- A use-after-free vulnerability during specific user
interactions with the input method editor (IME) in some
languages due to how events are handled. This results in
a potentially exploitable crash but would require
specific user interaction to trigger. This vulnerability
affects Firefox < 54, Firefox ESR < 52.2, and
Thunderbird < 52.2. (CVE-2017-7752)
- A use-after-free vulnerability with content viewer
listeners that results in a potentially exploitable
crash. This vulnerability affects Firefox < 54, Firefox
ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-7751)
- A use-after-free vulnerability with the frameloader
during tree reconstruction while regenerating CSS layout
when attempting to use a node in the tree that no longer
exists. This results in a potentially exploitable crash.
This vulnerability affects Firefox < 54, Firefox ESR <
52.2, and Thunderbird < 52.2. (CVE-2017-5472)
- An out-of-bounds read in WebGL with a maliciously
crafted ImageInfo object during WebGL operations. This
vulnerability affects Firefox < 54, Firefox ESR < 52.2,
and Thunderbird < 52.2. (CVE-2017-7754)
- Memory safety bugs were reported in Firefox 53 and
Firefox ESR 52.1. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort
that some of these could be exploited to run arbitrary
code. This vulnerability affects Firefox < 54, Firefox
ESR < 52.2, and Thunderbird < 52.2. (CVE-2017-5470)
- An out of bounds read flaw related to
graphite2::Silf::readGraphite has been reported in
graphite2. An attacker could possibly exploit this flaw
to disclose potentially sensitive memory or cause an
application crash. (CVE-2017-7774)
- A heap-based buffer overflow flaw related to
lz4::decompress (src/Decompressor) has been reported
in graphite2. An attacker could exploit this issue to
cause a crash or, possibly, execute arbitrary code.
(CVE-2017-7773)
- A heap-based buffer overflow flaw related to
lz4::decompress has been reported in graphite2. An
attacker could exploit this issue to cause a crash or,
possibly, execute arbitrary code. (CVE-2017-7772)
- An out of bounds read flaw related to
graphite2::Pass::readPass has been reported in
graphite2. An attacker could possibly exploit this flaw
to disclose potentially sensitive memory or cause an
application crash. (CVE-2017-7771)
- The use of uninitialized memory related to
graphite2::GlyphCache::Loader::read_glyph has been
reported in graphite2. An attacker could possibly
exploit this flaw to negatively impact the execution of
an application using graphite2 in unknown ways.
(CVE-2017-7777)
- An out of bounds read flaw related to
graphite2::Silf::getClassGlyph has been reported in
graphite2. An attacker could possibly exploit this flaw
to disclose potentially sensitive memory or cause an
application crash. (CVE-2017-7776)
- Characters from the Canadian Syllabics unicode block
can be mixed with characters from other unicode blocks
in the addressbar instead of being rendered as their raw
punycode form, allowing for domain name spoofing
attacks through character confusion. The current Unicode
standard allows characters from Aspirational Use
Scripts such as Canadian Syllabics to be mixed with
Latin characters in the moderately restrictive IDN
profile. We have changed Firefox behavior to match the
upcoming Unicode version 10.0 which removes this
category and treats them as Limited Use Scripts.. This
vulnerability affects Firefox < 54, Firefox ESR < 52.2,
and Thunderbird < 52.2. (CVE-2017-7764)
- Memory safety bugs were reported in Firefox 52, Firefox
ESR 45.8, Firefox ESR 52, and Thunderbird 52. Some of
these bugs showed evidence of memory corruption and we
presume that with enough effort that some of these could
be exploited to run arbitrary code. This vulnerability
affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5429)
- A vulnerability while parsing application/http-index-
format format content where uninitialized values are
used to create an array. This could allow the reading of
uninitialized memory into the arrays affected. This
vulnerability affects Thunderbird < 52.1, Firefox ESR <
45.9, Firefox ESR < 52.1, and Firefox < 53.
(CVE-2017-5445)
- A use-after-free vulnerability during XSLT processing
due to a failure to propagate error conditions during
matching while evaluating context, leading to objects
being used when they no longer exist. This results in a
potentially exploitable crash. This vulnerability
affects Thunderbird < 52.1, Firefox ESR < 45.9, Firefox
ESR < 52.1, and Firefox < 53. (CVE-2017-5440)
- An out-of-bounds write in the Graphite 2 library
triggered with a maliciously crafted Graphite font. This
results in a potentially exploitable crash. This issue
was fixed in the Graphite 2 library as well as Mozilla
products. This vulnerability affects Thunderbird < 52.1,
Firefox ESR < 45.9, Firefox ESR < 52.1, and Firefox <
53. (CVE-2017-5436)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0110");
script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL thunderbird packages. Note that updated packages may not be available yet. Please contact
ZTE for more information.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5398");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/15");
script_set_attribute(attribute:"patch_publication_date", value:"2019/07/17");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"NewStart CGSL Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2019-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/ZTE-CGSL/release");
if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux");
if (release !~ "CGSL MAIN 4.05")
audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.05');
if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu);
flag = 0;
pkgs = {
"CGSL MAIN 4.05": [
"thunderbird-52.2.0-1.el6.centos"
]
};
pkg_list = pkgs[release];
foreach (pkg in pkg_list)
if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10195
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10196
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10197
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5398
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5400
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5401
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5402
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5404
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5405
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5407
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5408
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5410
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5429
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5432
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5433
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5434
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5435
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5436
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5438
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5439
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5440
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5441
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5442
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5443
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5444
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5445
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5446
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5447
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5449
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5451
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5454
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5460
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5464
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5465
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5466
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5467
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5469
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5470
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5472
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7749
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7750
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7751
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7752
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7754
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7756
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7757
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7758
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7764
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7771
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7772
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7773
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7774
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7776
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7777
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7778
security.gd-linux.com/notice/NS-SA-2019-0110