ASB-2018.0038 - [Win][UNIX/Linux] Mozilla Thunderbird: Multiple vulnerabilities 2018-01-30


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0038
               Mozilla Foundation Security Advisory 2018-04
                              30 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5117 CVE-2018-5104 CVE-2018-5103
                      CVE-2018-5102 CVE-2018-5099 CVE-2018-5098
                      CVE-2018-5097 CVE-2018-5096 CVE-2018-5095
                      CVE-2018-5089  
Member content until: Thursday, March  1 2018
Reference:            ASB-2018.0036
                      ESB-2018.0260
                      ESB-2018.0258

OVERVIEW

        Multiple critical vulnerabilities have been identified in Mozilla 
        Thunderbird prior to version 52.6. [1]


IMPACT

        Mozilla have provided the following details regarding the 
        vulnerabilities:
        
        "CVE-2018-5095: Integer overflow in Skia library during edge builder allocation
        
        REPORTER Anonymous
        IMPACT HIGH
        
        Description
        
        An integer overflow vulnerability in the Skia library when allocating 
        memory for edge builders on some systems with at least 8 GB of RAM. This
        results in the use of uninitialized memory, resulting in a potentially 
        exploitable crash.
        
        
        CVE-2018-5096: Use-after-free while editing form elements
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur while editing events in form 
        elements on a page, resulting in a potentially exploitable crash.
        
        
        CVE-2018-5097: Use-after-free when source document is manipulated during 
        XSLT
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur during XSL transformations when 
        the source document for the transformation is manipulated by script 
        content during the transformation. This results in a potentially 
        exploitable crash.
        
        
        CVE-2018-5098: Use-after-free while manipulating form input elements
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when form input elements, 
        focus, and selections are manipulated by script content. This 
        results in a potentially exploitable crash.
        
        
        CVE-2018-5099: Use-after-free with widget listener
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when the widget listener is 
        holding strong references to browser objects that have previously been
        freed, resulting in a potentially exploitable crash when these references 
        are used.
        
        
        CVE-2018-5102: Use-after-free in HTML media elements
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur when manipulating HTML media 
        elements with media streams, resulting in a potentially exploitable crash.
        
        
        CVE-2018-5103: Use-after-free during mouse event handling
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur during mouse event handling 
        due to issues with multiprocess support. This results in a potentially 
        exploitable crash.
        
        
        CVE-2018-5104: Use-after-free during font face manipulation
        
        REPORTER Nils
        IMPACT HIGH
        
        Description
        
        A use-after-free vulnerability can occur during font face manipulation
        when a font face is freed while still in use, resulting in a 
        potentially exploitable crash.
        
        
        CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right
        
        REPORTER xisigr of Tencent's Xuanwu Lab
        IMPACT MODERATE
        
        Description
        
        If right-to-left text is used in the addressbar with left-to-right
        alignment, it is possible in some circumstances to scroll this text to 
        spoof the displayed URL. This issue could result in the wrong URL being
        displayed as a location, which can mislead users to believe they are on
        a different site than the one loaded.
        
        
        CVE-2018-5089: Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6,
        and Thunderbird 52.6
        
        REPORTER Mozilla developers and community
        IMPACT CRITICAL
        
        Description
        
        Mozilla developers and community members Christian Holler, Jason Kratzer, 
        Marcia Knous, Nathan Froyd, Oriol Brufau, Ronald Crane, Randell Jesup, 
        Tyson Smith, Emilio Cobos Álvarez, Ryan VanderMeulen, Sebastian Hengst, 
        Karl Tomlinson, Xidorn Quan, Ludovic Hirlimann, and Jason Orendorff 
        reported memory safety bugs present in Firefox 57 and Firefox ESR 52.5.
        Some of these bugs showed evidence of memory corruption and we presume 
        that with enough effort some of these could be exploited to run 
        arbitrary code."


MITIGATION

        Users are advised to update to the latest versions to address these 
        issues. [1]
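
        To find installations still below the fixed release, the following
        added example (not part of the AusCERT or Mozilla advisory) classifies
        version strings against the 52.6 threshold given above. The inventory
        hostnames and version strings are constructed sample data, and the
        function names are this example's own.

```python
import re
import shutil
import subprocess

FIXED = (52, 6)  # first fixed Thunderbird release named in this bulletin


def parse_version(text):
    """Extract a numeric version tuple from `thunderbird --version` style output."""
    m = re.search(r"Thunderbird\s+(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable(version):
    """True when version sorts before 52.6; 52.6 and 52.6.0 compare equal."""
    width = max(len(version), len(FIXED))
    have = version + (0,) * (width - len(version))
    need = FIXED + (0,) * (width - len(FIXED))
    return have < need


def audit(inventory):
    """Map host -> 'vulnerable', 'fixed' or 'unknown' from collected strings."""
    result = {}
    for host, text in inventory.items():
        v = parse_version(text)
        if v is None:
            result[host] = "unknown"  # unparseable: follow up by hand
        else:
            result[host] = "vulnerable" if is_vulnerable(v) else "fixed"
    return result


def local_version():
    """Query the thunderbird binary on PATH, if any (returns None otherwise)."""
    exe = shutil.which("thunderbird")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=30)
    return parse_version(out.stdout)


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = {
    "ws-01": " Thunderbird 52.5.2",
    "ws-02": "Thunderbird 52.6.0",
    "ws-03": "Mozilla Thunderbird 45.8.0",
    "ws-04": "Thunderbird 52.6",
    "ws-05": "thunderbird: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(host, status)
```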


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-04
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
