Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1313
MFSA 2021-14 Security Vulnerabilities fixed in Thunderbird 78.10
20 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Thunderbird
Publisher: Mozilla
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-29948 CVE-2021-29946 CVE-2021-29945
CVE-2021-24002 CVE-2021-23999 CVE-2021-23998
CVE-2021-23995 CVE-2021-23994 CVE-2021-23961
Reference: ESB-2021.0350
ESB-2021.0291
Original Bulletin:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2021-14
Security Vulnerabilities fixed in Thunderbird 78.10
Announced: April 19, 2021
Impact: high
Products: Thunderbird
Fixed in: Thunderbird 78.10
In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
# CVE-2021-23994: Out of bound write due to lazy initialization
Reporter: Abraruddin Khan and Omair
Impact: high
Description
A WebGL framebuffer was not initialized early enough, resulting in memory
corruption and an out of bound write.
References
o Bug 1699077
# CVE-2021-23995: Use-after-free in Responsive Design Mode
Reporter: Irvan Kurniawan
Impact: high
Description
When Responsive Design Mode was enabled, it used references to objects that
were previously freed. We presume that with enough effort this could have been
exploited to run arbitrary code.
References
o Bug 1699835
# CVE-2021-23998: Secure Lock icon could have been spoofed
Reporter: Jordi Chancel
Impact: moderate
Description
Through complicated navigations with new windows, an HTTP page could have
inherited a secure lock icon from an HTTPS page.
References
o Bug 1667456
# CVE-2021-23961: More internal network hosts could have been probed by a
malicious webpage
Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact: moderate
Description
Further techniques that built on the slipstream research combined with a
malicious webpage could have exposed both an internal network's hosts as well
as services running on the user's local machine.
References
o Bug 1677940
# CVE-2021-23999: Blob URLs may have been granted additional privileges
Reporter: Nika Layzell
Impact: moderate
Description
If a Blob URL was loaded through some unusual user interaction, it could have
been loaded by the System Principal and granted additional privileges that
should not be granted to web content.
References
o Bug 1691153
# CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
encoded URL
Reporter: Daniel Santos
Impact: moderate
Description
When a user clicked on an FTP URL containing encoded newline characters (%0A
and %0D), the newlines would have been interpreted as such and allowed
arbitrary commands to be sent to the FTP server.
References
o Bug 1702374
# CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
null-reads
Reporter: Christian Holler
Impact: moderate
Description
The WebAssembly JIT could miscalculate the size of a return type, which could
lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are
unaffected.
References
o Bug 1700690
# CVE-2021-29946: Port blocking could be bypassed
Reporter: Frederik Braun
Impact: low
Description
Ports that were written as an integer overflow above the bounds of a 16-bit
integer could have bypassed port blocking restrictions when used in the Alt-Svc
header.
References
o Bug 1698503
# CVE-2021-29948: Race condition when reading from disk while verifying
signatures
Reporter: Cure53
Impact: low
Description
Signatures are written to disk before and read during verification, which might
be subject to a race condition when a malicious local process or user is
replacing the file.
References
o Bug 1692899
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYH4s6eNLKJtyKPYoAQgBmA/+KMY1o/ACyUSTOf3/v8/YgQFoIf9Pn1mB
UOOQPjd3TTDRSQxUIASKhgtFvymF8rHCpfhgM4TzVEe8ZB0NQ/we9nonTuuaSY+6
K7AKSlcQmYfH5H2rnnGTtYtVsc/jWDjwSe3mC7Wu4pMjDVlBiIsZMjoveTQ2nCHX
Gn1Tb9PBDK8PcttWNvvRQ4KBmCxV2OwHGc81yjQMnF7WDsd6kJS/4DDnukZJuLNe
+2kCOZs7/UgRqUfDA2edOs3XQkpcb8uU4CGOajUQ6wxyJ7ayAVgmC3+NLfUzy5AG
IxdC4POopRzXpXKXboImjmO2VEGV/xDr73NsNx77av0+82KFc/J/hbc8QxfkW4KD
JwryMCJAhNEZfGjTAkTuIO2JEIOGyEtOdC/sTzl1aM0EWzxlabtjaZVWamwCCjrl
Jw8xKwWUUfE74XS4L7KTLDTqSM3aHz1sfcQCPwPmEukZzf3Fabv++Z9HUklpOrXr
6vmRkKB15U21/ffx0hKCfpoOHGj5AWeFFM1i4z75CTT+rd9MO3FQaBSdtceZTlwH
dIW0/AqC6GswxpLity8nJU+oNfhTWgC9YZHfO/2KnVVWMojoufEtiteNpcW7/e9I
I7OUuTuT1azMIKieQVMO5KMRU3fmhpco9mH9mlT/w2Gs8UOMtJRAEHLFvsSq1ddd
LsyrINo9enI=
=NgB5
-----END PGP SIGNATURE-----