Arch Linux: 201706-20 Critical Advisory for Thunderbird Issues

The package thunderbird before version 52.2.0-1 is vulnerable to multiple issues including arbitrary code execution, denial of service, information disclosure and content spoofing.

Arch Linux Security Advisory ASA-201706-20
=========================================
Severity: Critical
Date    : 2017-06-16
CVE-ID  : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
          CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756
          CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771
          CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
          CVE-2017-7776 CVE-2017-7777 CVE-2017-7778
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-303

Summary
======
The package thunderbird before version 52.2.0-1 is vulnerable to
multiple issues including arbitrary code execution, denial of service,
information disclosure and content spoofing.

Resolution
=========
Upgrade to 52.2.0-1.

# pacman -Syu "thunderbird>=52.2.0-1"

The problems have been fixed upstream in version 52.2.0.

Workaround
=========
None.

Description
==========
- CVE-2017-5470 (arbitrary code execution)

Several memory safety issues leading to arbitrary code execution have
been found in Firefox < 54.0 and Thunderbird < 52.2.

- CVE-2017-5472 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 54.0 and
Thunderbird < 52.2, in the frameloader during tree reconstruction while
regenerating CSS layout when attempting to use a node in the tree that
no longer exists.

- CVE-2017-7749 (arbitrary code execution)

A user-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, when using an incorrect URL during the reloading of a docshell.

- CVE-2017-7750 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, during video control operations when a  element holds a
reference to an older window if that window has been replaced in the
DOM.

- CVE-2017-7751 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, in content viewer listeners.

- CVE-2017-7752 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, during specific user interactions with the input method editor
(IME) in some languages due to how events are handled. This results in
a potentially exploitable crash but would require specific user
interaction to trigger.

- CVE-2017-7754 (information disclosure)

An out-of-bounds read has been found in Firefox < 54.0 and Thunderbird
< 52.2, with a maliciously crafted ImageInfo object during WebGL
operations.

- CVE-2017-7756 (arbitrary code execution)

A use after-free and use-after-scope vulnerability has been found in
Firefox < 54.0 and Thunderbird < 52.2, when logging errors from headers
for XML HTTP Requests (XHR).

- CVE-2017-7757 (arbitrary code execution)

A use after-free vulnerability has been found in Firefox < 54.0 and
Thunderbird < 52.2, in IndexedDB when one of its objects is destroyed
in memory while a method on it is still being executed.

- CVE-2017-7758 (information disclosure)

An out-of-bounds read vulnerability has been found in Firefox < 54.0
and Thunderbird < 52.2, with the Opus encoder when the number of
channels in an audio stream changes while the encoder is in use.

- CVE-2017-7764 (content spoofing)

A security issue has been found in Firefox < 54.0 and Thunderbird <
52.2, where characters from the "Canadian Syllabics" unicode block can
be mixed with characters from other unicode blocks in the addressbar
instead of being rendered as their raw "punycode" form, allowing for
domain name spoofing attacks through character confusion. The current
Unicode standard allows characters from "Aspirational Use Scripts" such
as Canadian Syllabics to be mixed with Latin characters in the
"moderately restrictive" IDN profile. Firefox and Thunderbird behavior
has been changed to match the upcoming Unicode version 10.0 which
removes this category and treats them as "Limited Use Scripts."

- CVE-2017-7771 (information disclosure)

An out-of-bounds read has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in Pass::readPass.

- CVE-2017-7772 (arbitrary code execution)

A heap-buffer-overflow write has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

- CVE-2017-7773 (arbitrary code execution)

A heap-buffer-overflow write has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

- CVE-2017-7774 (information disclosure)

An out-of-bounds read has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in Silf::readGraphite.

- CVE-2017-7775 (denial of service)

An assertion failure has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2.

- CVE-2017-7776 (information disclosure)

A heap-buffer-overflow read has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in Silf::getClassGlyph.

- CVE-2017-7777 (information disclosure)

An use of initialized memory has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in
GlyphCache::Loader::read_glyph.

- CVE-2017-7778 (arbitrary code execution)

An out-of-bounds write has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

Impact
=====
A remote attacker may be able to crash Thunderbird, access sensitive
information, spoof content to trick the user into performing an
unwanted action and execute arbitrary code on the affected host.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5470
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1359639%2C1349595%2C1352295%2C1352556%2C1342552%2C1342567%2C1346012%2C1366140%2C1368732%2C1297111%2C1362590%2C1357462%2C1363280%2C1349266%2C1352093%2C1348424%2C1347748%2C1356025%2C1325513%2C1367692
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5472
https://bugzilla.mozilla.org/show_bug.cgi?id=1365602
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7749
https://bugzilla.mozilla.org/show_bug.cgi?id=1355039
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7750
https://bugzilla.mozilla.org/show_bug.cgi?id=1356558
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7751
https://bugzilla.mozilla.org/show_bug.cgi?id=1363396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7752
https://bugzilla.mozilla.org/show_bug.cgi?id=1359547
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7754
https://bugzilla.mozilla.org/show_bug.cgi?id=1357090
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7756
https://bugzilla.mozilla.org/show_bug.cgi?id=1366595
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7757
https://bugzilla.mozilla.org/show_bug.cgi?id=1356824
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7758
https://bugzilla.mozilla.org/show_bug.cgi?id=1368490
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7778
https://bugzilla.mozilla.org/show_bug.cgi?id=1350047
https://bugzilla.mozilla.org/show_bug.cgi?id=1352745
https://bugzilla.mozilla.org/show_bug.cgi?id=1352747
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7778
https://bugzilla.mozilla.org/show_bug.cgi?id=1355174
https://bugzilla.mozilla.org/show_bug.cgi?id=1355182
https://bugzilla.mozilla.org/show_bug.cgi?id=1356607
https://bugzilla.mozilla.org/show_bug.cgi?id=1358551
https://bugzilla.mozilla.org/show_bug.cgi?id=1349310
https://security.archlinux.org/CVE-2017-5470
https://security.archlinux.org/CVE-2017-5472
https://security.archlinux.org/CVE-2017-7749
https://security.archlinux.org/CVE-2017-7750
https://security.archlinux.org/CVE-2017-7751
https://security.archlinux.org/CVE-2017-7752
https://security.archlinux.org/CVE-2017-7754
https://security.archlinux.org/CVE-2017-7756
https://security.archlinux.org/CVE-2017-7757
https://security.archlinux.org/CVE-2017-7758
https://security.archlinux.org/CVE-2017-7764
https://security.archlinux.org/CVE-2017-7771
https://security.archlinux.org/CVE-2017-7772
https://security.archlinux.org/CVE-2017-7773
https://security.archlinux.org/CVE-2017-7774
https://security.archlinux.org/CVE-2017-7775
https://security.archlinux.org/CVE-2017-7776
https://security.archlinux.org/CVE-2017-7777
https://security.archlinux.org/CVE-2017-7778