-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
MFSA 2019-15 Security vulnerabilities fixed in Thunderbird 60.7
23 May 2019
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
CVE Names: CVE-2019-11698 CVE-2019-11694 CVE-2019-11693
CVE-2019-11692 CVE-2019-11691 CVE-2019-9820
CVE-2019-9819 CVE-2019-9818 CVE-2019-9817
CVE-2019-9816 CVE-2019-9815 CVE-2019-9800
CVE-2019-9797 CVE-2019-7317 CVE-2019-5798
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2019-15
Security vulnerabilities fixed in Thunderbird 60.7
May 21, 2019
In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
Multiple independent researchers
If hyperthreading is not disabled, a timing attack vulnerability exists,
similar to previous Spectre attacks. Apple has shipped macOS 10.14.5 with an
option to disable hyperthreading in applications running untrusted code in a
thread through a new sysctl. Firefox now makes use of it on the main thread and
any worker threads.
Note: users need to update to macOS 10.14.5 in order to take advantage of this
o Bug 1546544
o RIDL and Fallout: MDS attacks
# CVE-2019-9816: Type confusion with object groups and UnboxedObjects
Samuel Gross of Google Project Zero
A possible vulnerability exists where type confusion can occur when
security checks within these groups.
Note: this vulnerability has only been demonstrated with UnboxedObjects , which
are disabled by default on all supported releases.
o Bug 1536768
# CVE-2019-9817: Stealing of cross-domain images using canvas
Images from a different domain can be read using a canvas object in some
circumstances. This could be used to steal image data from a different site in
violation of same-origin policy.
o Bug 1540221
# CVE-2019-9818: Use-after-free in crash generation server
A race condition is present in the crash generation server used to generate
data for the crash reporter. This issue can lead to a use-after-free in the
main process, resulting in a potentially exploitable crash and a sandbox
Note: this vulnerability only affects Windows. Other operating systems are
o Bug 1542581
# CVE-2019-9819: Compartment mismatch with fetch API
with the fetch API, resulting in a potentially exploitable crash.
o Bug 1532553
# CVE-2019-9820: Use-after-free of ChromeEventHandler by DocShell
A use-after-free vulnerability can occur in the chrome event handler when it is
freed while still in use. This results in a potentially exploitable crash.
o Bug 1536405
# CVE-2019-11691: Use-after-free in XMLHttpRequest
A use-after-free vulnerability can occur when working with XMLHttpRequest (XHR)
in an event loop, causing the XHR main thread to be called after it has been
freed. This results in a potentially exploitable crash.
o Bug 1542465
# CVE-2019-11692: Use-after-free removing listeners in the event listener
A use-after-free vulnerability can occur when listeners are removed from the
event listener manager while still in use, resulting in a potentially
o Bug 1544670
# CVE-2019-11693: Buffer overflow in WebGL bufferdata on Linux
The bufferdata function in WebGL is vulnerable to a buffer overflow with
specific graphics drivers on Linux. This could result in malicious content
freezing a tab or triggering a potentially exploitable crash.
Note: this issue only occurs on Linux. Other operating systems are unaffected.
o Bug 1532525
# CVE-2019-7317: Use-after-free in png_image_free of libpng library
A use-after-free vulnerability was discovered in the png_image_free function in
the libpng library. This could lead to denial of service or a potentially
exploitable crash when a malformed image is processed.
o Bug 1542829
# CVE-2019-9797: Cross-origin theft of images with createImageBitmap
Cross-origin images can be read in violation of the same-origin policy by
exporting an image after using createImageBitmap to read the image and then
rendering the resulting bitmap image within a canvas element.
o Bug 1528909
# CVE-2018-18511: Cross-origin theft of images with ImageBitmapRenderingContext
Cross-origin images can be read from a canvas element in violation of the
same-origin policy using the transferFromImageBitmap method.
o Bug 1526218
# CVE-2019-11694: Uninitialized memory memory leakage in Windows sandbox
Jeremy Fetiveau of SSD Secure Disclosure
A vulnerability exists in the Windows sandbox where an uninitialized value in
memory can be leaked to a renderer from a broker when making a call to access
an otherwise unavailable file. This results in the potential leaking of
information stored at that memory location.
Note: this issue only occurs on Windows. Other operating systems are
o Bug 1534196
# CVE-2019-11698: Theft of user history data through drag and drop of
hyperlinks to and from bookmarks
If a crafted hyperlink is dragged and dropped to the bookmark bar or sidebar
and the resulting bookmark is subsequently dragged and dropped into the web
content area, an arbitrary query of a user's browser history can be run and
transmitted to the content page via drop event data. This allows for the theft
of browser history by a malicious site.
o Bug 1543191
# CVE-2019-5798: Out-of-bounds read in Skia
Tran Tien Hung of Viettel Cyber Security
An out-of-bounds read can occur in the Skia library during path
transformations. This could result in the exposure of data stored in memory.
o Bug 1535518
# CVE-2019-9800: Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and
Mozilla developers and community
Mozilla developers and community members Olli Pettay, Bogdan Tara, Jan de
Mooij, Jason Kratzer, Jan Varga, Gary Kwong, Tim Guan-tin Chien, Tyson Smith,
Ronald Crane, and Ted Campbell reported memory safety bugs present in Firefox
66, Firefox ESR 60.6, and Thunderbird 60.6. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort that some of these
could be exploited to run arbitrary code.
o Memory safety bugs fixed in Firefox 67, Firefox ESR 60.7, and Thunderbird
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----