ASB-2018.0208.3 - UPDATE [Win][UNIX/Linux][BSD] Mozilla Thunderbird: Multiple vulnerabilities 2018-10-05

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0208.3
             Security vulnerabilities fixed in Thunderbird 60
                              5 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      BSD variants
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-12371 CVE-2018-12368 CVE-2018-12367
                      CVE-2018-12366 CVE-2018-12365 CVE-2018-12364
                      CVE-2018-12363 CVE-2018-12362 CVE-2018-12361
                      CVE-2018-12360 CVE-2018-12359 CVE-2018-5188
                      CVE-2018-5187 CVE-2018-5156 
Member content until: Saturday, October  6 2018
Reference:            ASB-2018.0189
                      ASB-2018.0146
                      ASB-2018.0140
                      ASB-2018.0139

Revision History:     October   5 2018: Updated by Mozilla
                      September 7 2018: Updated by Mozilla
                      September 6 2018: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Thunderbird
        prior to version 60. Five of these vulnerabilities have been classified
        as critical. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "Security vulnerabilities fixed in Thunderbird 60
        
        Announced: August 4, 2018
        Impact: critical
        Products
            Thunderbird
        Fixed in
              + Thunderbird 60
        
        In general, these flaws cannot be exploited through email in the Thunderbird
        product because scripting is disabled when reading mail, but are potentially
        risks in browser or browser-like contexts.
        
        # CVE-2018-12359: Buffer overflow using computed size of canvas element
        
        Reporter: Nils
        Impact: critical
        
        Description
        
        A buffer overflow can occur when rendering canvas content while adjusting the
        height and width of the <canvas> element dynamically, causing data to be
        written outside of the currently computed boundaries. This results in a
        potentially exploitable crash.
        
        # CVE-2018-12360: Use-after-free when using focus()
        
        Reporter: Nils
        Impact: critical
        
        Description
        
        A use-after-free vulnerability can occur when deleting an input element during
        a mutation event handler triggered by focusing that element. This results in a
        potentially exploitable crash.
        
        # CVE-2018-12361: Integer overflow in SwizzleData
        
        Reporter: R
        Impact: critical
        
        Description
        
        An integer overflow can occur in the SwizzleData code while calculating buffer
        sizes. The overflowed value is used for subsequent graphics computations when
        their inputs are not sanitized which results in a potentially exploitable
        crash.
        
        # CVE-2018-12362: Integer overflow in SSSE3 scaler
        
        Reporter: F. Alonso (revskills)
        Impact: high
        
        Description
        
        An integer overflow can occur during graphics operations done by the
        Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a
        potentially exploitable crash.
        
        # CVE-2018-5156: Media recorder segmentation fault when track type is changed
        during capture
        
        Reporter: Nils
        Impact: high
        
        Description
        
        A vulnerability can occur when capturing a media stream when the media source
        type is changed as the capture is occuring. This can result in stream data
        being cast to the wrong type causing a potentially exploitable crash.
        
        # CVE-2018-12363: Use-after-free when appending DOM nodes
        
        Reporter: Nils
        Impact: high
        
        Description
        
        A use-after-free vulnerability can occur when script uses mutation events to
        move DOM nodes between documents, resulting in the old document that held the
        node being freed but the node still having a pointer referencing it. This
        results in a potentially exploitable crash.
        
        # CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
        
        Reporter: David Black
        Impact: high
        
        Description
        
        NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests,
        bypassing CORS by making a same-origin POST that does a 307 redirect to the
        target site. This allows for a malicious site to engage in cross-site request
        forgery (CSRF) attacks.
        
        # CVE-2018-12365: Compromised IPC child process can list local filenames
        
        Reporter: Alex Gaynor
        Impact: moderate
        
        Description
        
        A compromised IPC child process can escape the content sandbox and list the
        names of arbitrary files on the file system without user consent or
        interaction. This could result in exposure of private local files.
        
        # CVE-2018-12371: Integer overflow in Skia library during edge builder
        allocation
        
        Reporter: anonymous
        Impact: moderate
        
        Description
        
        An integer overflow vulnerability in the Skia library when allocating memory
        for edge builders on some systems with at least 16 GB of RAM. This results in
        the use of uninitialized memory, resulting in a potentially exploitable crash.
        
        # CVE-2018-12366: Invalid data handling during QCMS transformations
        
        Reporter: OSS-Fuzz
        Impact: moderate
        
        Description
        
        An invalid grid size during QCMS (color profile) transformations can result in
        the out-of-bounds read interpreted as a float value. This could leak private
        data into the output.
        
        # CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
        
        Reporter: Andrea Marchesini
        Impact: moderate
        
        Description
        
        In the previous mitigations for Spectre, the resolution or precision of various
        methods was reduced to counteract the ability to measure precise time
        intervals. In that work, PerformanceNavigationTiming was not adjusted but it
        was found that it could be used as a precision timer.
        
        # CVE-2018-12368: No warning when opening executable SettingContent-ms files
        
        Reporter: Abdulrahman Alqabandi
        Impact: moderate
        
        Description
        
        Windows 10 does not warn users before opening executable files with the
        SettingContent-ms extension even when they have been downloaded from the
        internet and have the "Mark of the Web." Without the warning, unsuspecting
        users unfamiliar with this new file type might run an unwanted executable. This
        also allows a WebExtension with the limited downloads.open permission to
        execute arbitrary code without user interaction on Windows 10 systems
        Note: this issue only affects Windows operating systems. Other operating
        systems are unaffected.
        
        # CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
        Thunderbird 60
        
        Reporter: Mozilla developers and community
        Impact: critical
        
        Description
        
        Mozilla developers and community members Christian Holler, Sebastian Hengst,
        Nils Ohlmeier, Jon Coppeard, Randell Jesup, Ted Campbell, Gary Kwong, and
        Jean-Yves Avenard reported memory safety bugs present in Firefox 60 and Firefox
        ESR 60. Some of these bugs showed evidence of memory corruption and we presume
        that with enough effort that some of these could be exploited to run arbitrary
        code.
        
        # CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1,
        Firefox ESR 52.9, and Thunderbird 60
        
        Reporter: Mozilla developers and community
        Impact: critical
        
        Description
        
        Mozilla developers and community members Alex Gaynor, Christoph Diehl,
        Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron,
        Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs
        present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs
        showed evidence of memory corruption and we presume that with enough effort
        that some of these could be exploited to run arbitrary code." [1]


MITIGATION

        The vendor recommends upgrading to the latest version of Mozilla 
        Thunderbird to address these issues. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-19
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW7btnmaOgq3Tt24GAQiCsxAAl66pgx1rbd+6FHBsBFm/IosJGMwSGhVv
LxI2CUPdd24DYdm6P0SBuzd0Cl3MtedJaDJADjRCDHD5msq7uvekT5cOKJmGfbVi
+fsgu45+HItIUunbOPCJKT+TQ7TyusOpCMXctS/C4d8oK73FBEPAi1lrgx3100TJ
/FU7D6ji1aNZJIzPTyyA5PZlAltxIhauT3R6bFW1gZ0XRVu3K7gXZmVVjv3H3fEF
n+d2z22vw+optzYmnU6E8uPSJ+s2UEashq61GpcCaZE/c7JQcjwPw5Yx2dpdQhWB
V5VNbZhB6MEUJBiXPA1gC5Y+KZCmZWSVBmV6uPlbWT8/YaK5aYZoYcyTEUsJP+Ee
96UpGS8LLF15FQ94pEmNXvv+i68xkDjsHF36MmAx+z/ohimytU/sQskgTjl5/5WF
DOki2IKbZMsGFtiX2x49T1p+ttlU1G0qh2ZWz0h74KWy/2PQrMSKq6/6pPPVgUSi
hPrJGItmiSI+PvUvEvbAktnBh2UwKlQw6WKXyhYHel01rGyfXOOMtK4k3Z3iXar5
XPdGB/EmcCgpU9ghH2v4ncElqTKVZtxEiW80IO3xUF8syQHG1e/N9Yj4bsLF1FiP
kL6/hAzj90uFBJwd+P3qEW+Y1N8j2kH2r7IFLYMPiMdKoDdPkq2gSLUwdRB/UA0U
iEZ7SVh+FEU=
=AqXN
-----END PGP SIGNATURE-----

« Back to bulletins