-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2018.0208.5
             Security vulnerabilities fixed in Thunderbird 60
                              1 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Mozilla Thunderbird
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
                  BSD variants
Impact/Access:    Execute Arbitrary Code/Commands -- Remote with User Interaction
                  Cross-site Request Forgery      -- Remote with User Interaction
                  Denial of Service               -- Remote with User Interaction
                  Access Confidential Data        -- Remote with User Interaction
Resolution:       Patch/Upgrade
CVE Names:        CVE-2018-12371 CVE-2018-12368 CVE-2018-12367
                  CVE-2018-12366 CVE-2018-12365 CVE-2018-12364
                  CVE-2018-12363 CVE-2018-12362 CVE-2018-12361
                  CVE-2018-12360 CVE-2018-12359 CVE-2018-5188
                  CVE-2018-5187 CVE-2018-5156 
Reference:        ASB-2018.0189
                  ASB-2018.0146
                  ASB-2018.0140
                  ASB-2018.0139

Revision History: November   1 2018: Mitigating factors added
                  October   24 2018: Updated by Mozilla
                  October    5 2018: Updated by Mozilla
                  September  7 2018: Updated by Mozilla
                  September  6 2018: Initial Release

OVERVIEW

        Multiple vulnerabilities have been identified in Mozilla Thunderbird
        prior to version 60. Five of these vulnerabilities have been classified
        as critical. [1]


IMPACT

        The vendor has provided the following details regarding the 
        vulnerabilities:
        
        "#CVE-2018-12359: Buffer overflow using computed size of canvas 
        element
        
        Reporter
        
        Nils
        
        Impact
        
        critical
        
        Description
        
        A buffer overflow can occur when rendering canvas content while 
        adjusting the height and width of the <canvas> element dynamically,
        causing data to be written outside of the currently computed 
        boundaries. This results in a potentially exploitable crash.
        
        References
        
        Bug 1459162
        
        #CVE-2018-12360: Use-after-free when using focus()
        
        Reporter
        
        Nils
        
        Impact
        
        critical
        
        Description
        
        A use-after-free vulnerability can occur when deleting an input 
        element during a mutation event handler triggered by focusing that 
        element. This results in a potentially exploitable crash.
        
        References
        
        Bug 1459693
        
        #CVE-2018-12361: Integer overflow in SwizzleData
        
        Reporter
        
        R
        
        Impact
        
        critical
        
        Description
        
        An integer overflow can occur in the SwizzleData code while 
        calculating buffer sizes. The overflowed value is used for 
        subsequent graphics computations when their inputs are not sanitized
        which results in a potentially exploitable crash.
        
        References
        
        Bug 1463244
        
        #CVE-2018-12362: Integer overflow in SSSE3 scaler
        
        Reporter
        
        F. Alonso (revskills)
        
        Impact
        
        high
        
        Description
        
        An integer overflow can occur during graphics operations done by the
        Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting 
        in a potentially exploitable crash.
        
        References
        
        Bug 1452375
        
        #CVE-2018-5156: Media recorder segmentation fault when track type is
        changed during capture
        
        Reporter
        
        Nils
        
        Impact
        
        high
        
        Description
        
        A vulnerability can occur when capturing a media stream when the 
        media source type is changed as the capture is occuring. This can 
        result in stream data being cast to the wrong type causing a 
        potentially exploitable crash.
        
        References
        
        Bug 1453127
        
        #CVE-2018-12363: Use-after-free when appending DOM nodes
        
        Reporter
        
        Nils
        
        Impact
        
        high
        
        Description
        
        A use-after-free vulnerability can occur when script uses mutation 
        events to move DOM nodes between documents, resulting in the old 
        document that held the node being freed but the node still having a
        pointer referencing it. This results in a potentially exploitable 
        crash.
        
        References
        
        Bug 1464784
        
        #CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI 
        plugins
        
        Reporter
        
        David Black
        
        Impact
        
        high
        
        Description
        
        NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin
        requests, bypassing CORS by making a same-origin POST that does a 
        307 redirect to the target site. This allows for a malicious site to
        engage in cross-site request forgery (CSRF) attacks.
        
        References
        
        Bug 1436241
        
        #CVE-2018-12365: Compromised IPC child process can list local 
        filenames
        
        Reporter
        
        Alex Gaynor
        
        Impact
        
        moderate
        
        Description
        
        A compromised IPC child process can escape the content sandbox and 
        list the names of arbitrary files on the file system without user 
        consent or interaction. This could result in exposure of private 
        local files.
        
        References
        
        Bug 1459206
        
        #CVE-2018-12371: Integer overflow in Skia library during edge 
        builder allocation
        
        Reporter
        
        anonymous
        
        Impact
        
        moderate
        
        Description
        
        An integer overflow vulnerability in the Skia library when 
        allocating memory for edge builders on some systems with at least 16
        GB of RAM. This results in the use of uninitialized memory, 
        resulting in a potentially exploitable crash.
        
        References
        
        Bug 1465686
        
        #CVE-2018-12366: Invalid data handling during QCMS transformations
        
        Reporter
        
        OSS-Fuzz
        
        Impact
        
        moderate
        
        Description
        
        An invalid grid size during QCMS (color profile) transformations can
        result in the out-of-bounds read interpreted as a float value. This
        could leak private data into the output.
        
        References
        
        Bug 1464039
        
        #CVE-2018-12367: Timing attack mitigation of 
        PerformanceNavigationTiming
        
        Reporter
        
        Andrea Marchesini
        
        Impact
        
        moderate
        
        Description
        
        In the previous mitigations for Spectre, the resolution or precision
        of various methods was reduced to counteract the ability to measure
        precise time intervals. In that work, PerformanceNavigationTiming 
        was not adjusted but it was found that it could be used as a 
        precision timer.
        
        References
        
        Bug 1462891
        
        #CVE-2018-12368: No warning when opening executable 
        SettingContent-ms files
        
        Reporter
        
        Abdulrahman Alqabandi
        
        Impact
        
        moderate
        
        Description
        
        Windows 10 does not warn users before opening executable files with
        the SettingContent-ms extension even when they have been downloaded
        from the internet and have the "Mark of the Web." Without the 
        warning, unsuspecting users unfamiliar with this new file type might
        run an unwanted executable. This also allows a WebExtension with the
        limited downloads.open permission to execute arbitrary code without
        user interaction on Windows 10 systems
        
        Note: this issue only affects Windows operating systems. Other 
        operating systems are unaffected.
        
        References
        
        Bug 1468217
        
        The Tale of SettingContent-ms Files
        
        #CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR
        60.1, and Thunderbird 60
        
        Reporter
        
        Mozilla developers and community
        
        Impact
        
        critical
        
        Description
        
        Mozilla developers and community members Christian Holler, Sebastian
        Hengst, Nils Ohlmeier, Jon Coppeard, Randell Jesup, Ted Campbell, 
        Gary Kwong, and Jean-Yves Avenard reported memory safety bugs 
        present in Firefox 60 and Firefox ESR 60. Some of these bugs showed
        evidence of memory corruption and we presume that with enough effort
        that some of these could be exploited to run arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and 
        Thunderbird 60
        
        #CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR
        60.1, Firefox ESR 52.9, and Thunderbird 60
        
        Reporter
        
        Mozilla developers and community
        
        Impact
        
        critical
        
        Description
        
        Mozilla developers and community members Alex Gaynor, Christoph 
        Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, 
        Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane 
        reported memory safety bugs present in Firefox 60, Firefox ESR 60, 
        and Firefox ESR 52.8. Some of these bugs showed evidence of memory 
        corruption and we presume that with enough effort that some of these
        could be exploited to run arbitrary code.
        
        References
        
        Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox 
        ESR 52.9, and Thunderbird 60" [1]


MITIGATION

        The vendor recommends upgrading to the latest version of Mozilla 
        Thunderbird to address these issues. [1]
        
        The vendor also advises:
        
        "In general, these flaws cannot be exploited through email in the 
        Thunderbird product because scripting is disabled when reading mail,
        but are potentially risks in browser or browser-like contexts." [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-19
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW9qHpWaOgq3Tt24GAQhP/A/8Cbb2F1eTjBDPfC/SFwjxhVvAWSJxSrJG
ZoOZ/8yUmEzp69yw0qGxIJtnNKlWIlDXfeXQCnLVWg4S2qeHP6YrV2V5RqZnkM+V
U8lo2CGzntUEqo+3ZwpKc8fCJzlt0uZs/W9zYn2Wy6Cx5VAqBRqbyV3G+zqc1wDb
ViexuSg/0Jj0vb7t9KABW3C6QoQN/U/9TwPsAW59ZtTmviCZzclM+bsR2x8Bvkbj
gCTLwxW1HAI/67oeQI6y/5JWtv6+m6H7DZoVOpPJ0KVelJUlVJPOQZJv257whSEv
r9Ei7B1VXahuGEi/85fZeezDnOExjrbbQLaTNYsrlhl9CdN1CgyRJUhYjRQXpS3V
NaARSJwwgRaMbzDUh2gIBuCyNbppXO57jhGem7G8R+hErvFZZ9AU/PoAuJQHHnxg
4RavgmgxZMP+hzG0vcAihGexAQHeqGEzzbgRg9vdluvoIDnaom3JVxhpfNuDW7Jj
KgHLJ76fTco1jTPKX90PXHf0ABPqsNlgPi8PrsGXcTt+RWv2bei9FB30M542KJQk
Pg0TupdwE7QBsapPx0HBIWFiRZDPkkGiYoLlBS9n0K79WEUFKigMcZ1vm+h/lELB
PN3qPPHOqIPY8W256cZi6+jFKsD/nGjCLYdtjt1OIzdsqTA8eP5gdZ2PmxcNBfyI
/z4XCOnRe+c=
=Yzn7
-----END PGP SIGNATURE-----