ArchLinux: 201708-18: thunderbird: multiple issues
Summary
- CVE-2017-7753 (information disclosure)
An out-of-bounds read has been found in firefox < 55.0 and thunderbird
< 52.3, when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
- CVE-2017-7779 (arbitrary code execution)
Several memory safety bugs have been found in firefox < 55.0 and
thunderbird < 52.3. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these
could be exploited to run arbitrary code.
- CVE-2017-7784 (arbitrary code execution)
A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, when reading an image observer during frame reconstruction
after the observer has been freed. This results in a potentially
exploitable crash.
- CVE-2017-7785 (arbitrary code execution)
A buffer overflow has been found in firefox < 55.0 and thunderbird <
52.3, when manipulating Accessible Rich Internet Applications (ARIA)
attributes within the DOM. This results in a potentially exploitable
crash.
- CVE-2017-7786 (arbitrary code execution)
A buffer overflow has been found in firefox < 55.0 and thunderbird <
52.3, when the image renderer attempts to paint non-displayable SVG
elements. This results in a potentially exploitable crash.
- CVE-2017-7787 (same-origin policy bypass)
Same-origin policy protections can be bypassed in firefox < 55.0 and
thunderbird < 52.3, on pages with embedded iframes during page reloads,
allowing the iframes to access content on the top level page and
leading to information disclosure.
- CVE-2017-7791 (content spoofing)
A content spoofing issue has been found in firefox < 55.0 and
thunderbird < 52.3. On pages containing an iframe, the data: protocol
can be used to create a modal alert that will render over arbitrary
domains following page navigation, spoofing the origin of the modal
alert from the iframe content.
- CVE-2017-7792 (arbitrary code execution)
A buffer overflow has been found in firefox < 55.0 and thunderbird <
52.3, when viewing a certificate in the certificate manager if the
certificate has an extremely long object identifier (OID). This results
in a potentially exploitable crash.
- CVE-2017-7800 (arbitrary code execution)
A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, in WebSockets, when the object holding the connection is freed
before the disconnection operation is finished. This results in an
exploitable crash.
- CVE-2017-7801 (arbitrary code execution)
A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, while re-computing layout for a marquee element during window
resizing where the updated style object is freed while still in use.
This results in a potentially exploitable crash.
- CVE-2017-7802 (arbitrary code execution)
A use-after-free vulnerability has been found in firefox < 55.0 and
thunderbird < 52.3, when manipulating the DOM during the resize event
of an image element. If these elements have been freed due to a lack of
strong references, a potentially exploitable crash may occur when the
freed elements are accessed.
- CVE-2017-7803 (access restriction bypass)
A security issue has been found in firefox < 55.0 and thunderbird <
52.3. When a page’s content security policy (CSP) header contains a
sandbox directive, other directives are ignored. This results in the
incorrect enforcement of CSP.
- CVE-2017-7807 (content spoofing)
A domain hijacking flaw has been found in firefox < 55.0 and
thunderbird < 52.3. AppCache could be used to hijack a URL in a
domain using fallback by serving the files from a sub-path on the
domain. This has been addressed by requiring that fallback files be
inside the manifest directory.
- CVE-2017-7809 (arbitrary code execution)
A use-after-free issue has been found in firefox < 55.0 and thunderbird
< 52.3, when an editor DOM node is deleted prematurely during tree
traversal while still bound to the document. This results in a
potentially exploitable crash.
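The CVE-2017-7807 rule above (fallback files must be inside the manifest directory), written as an audit of a manifest's FALLBACK section. This is an added example, not code from Mozilla or Arch Linux; it assumes "inside" means same origin with a path under the manifest's directory, applies the same test to the fallback namespace as a further assumption, and uses a constructed manifest at a hypothetical example.test URL.

```javascript
// Added example (not Mozilla's code). Assumed rule: "inside the manifest
// directory" = same origin, path under the manifest's directory.
function manifestDirectory(manifestUrl) {
  const u = new URL(manifestUrl);
  u.pathname = u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
  u.search = "";
  u.hash = "";
  return u;
}

function isInside(dir, target) {
  return target.origin === dir.origin && target.pathname.startsWith(dir.pathname);
}

// Returns one finding per FALLBACK entry of the manifest text.
function auditFallbackEntries(manifestUrl, manifestText) {
  const lines = manifestText.split(/\r?\n/);
  if (!/^\uFEFF?CACHE MANIFEST([ \t]|$)/.test(lines[0])) {
    throw new Error("not an AppCache manifest");
  }
  const dir = manifestDirectory(manifestUrl);
  const findings = [];
  let section = "CACHE"; // entries before any header are cache entries
  for (const raw of lines.slice(1)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const header = /^(CACHE|NETWORK|FALLBACK|SETTINGS):$/.exec(line);
    if (header) { section = header[1]; continue; }
    if (section !== "FALLBACK") continue;
    const [ns, file] = line.split(/\s+/);
    if (!file) continue; // malformed entry: needs namespace and fallback file
    // Relative URLs resolve against the manifest URL; "../" is normalised away.
    const namespaceInside = isInside(dir, new URL(ns, manifestUrl));
    const fallbackInside = isInside(dir, new URL(file, manifestUrl));
    findings.push({ namespace: ns, fallback: file, namespaceInside,
                    fallbackInside, allowed: namespaceInside && fallbackInside });
  }
  return findings;
}

// Constructed sample manifest, served from a hypothetical URL.
const SAMPLE_URL = "https://example.test/app/site.appcache";
const SAMPLE_MANIFEST = [
  "CACHE MANIFEST", "# constructed sample", "CACHE:", "app.js",
  "FALLBACK:", "pages/ offline.html", "/ offline.html",
  "/app/img/ https://cdn.example.test/app/blank.png", "NETWORK:", "*",
].join("\n");

for (const f of auditFallbackEntries(SAMPLE_URL, SAMPLE_MANIFEST)) {
  console.log(f.allowed ? "ok    " : "REJECT", f.namespace, "->", f.fallback);
}
```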
Resolution
Upgrade to 52.3.0-1.
# pacman -Syu "thunderbird>=52.3.0-1"
The problems have been fixed upstream in version 52.3.0.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7753
https://bugzilla.mozilla.org/show_bug.cgi?id=1353312
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7779
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1354443%2C1368576%2C1366903%2C1369913%2C1371424%2C1346590%2C1371890%2C1372985%2C1362924%2C1368105%2C1369994%2C1371283%2C1368362%2C1378826%2C1380426%2C1368030%2C1373220%2C1321384%2C1383002
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7784
https://bugzilla.mozilla.org/show_bug.cgi?id=1376087
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7785
https://bugzilla.mozilla.org/show_bug.cgi?id=1356985
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7786
https://bugzilla.mozilla.org/show_bug.cgi?id=1365189
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7787
https://bugzilla.mozilla.org/show_bug.cgi?id=1322896
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7791
https://bugzilla.mozilla.org/show_bug.cgi?id=1365875
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7792
https://bugzilla.mozilla.org/show_bug.cgi?id=1368652
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7800
https://bugzilla.mozilla.org/show_bug.cgi?id=1374047
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7801
https://bugzilla.mozilla.org/show_bug.cgi?id=1371259
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7802
https://bugzilla.mozilla.org/show_bug.cgi?id=1378147
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7803
https://bugzilla.mozilla.org/show_bug.cgi?id=1377426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7807
https://bugzilla.mozilla.org/show_bug.cgi?id=1376459
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7809
https://bugzilla.mozilla.org/show_bug.cgi?id=1380284
https://security.archlinux.org/CVE-2017-7753
https://security.archlinux.org/CVE-2017-7779
https://security.archlinux.org/CVE-2017-7784
https://security.archlinux.org/CVE-2017-7785
https://security.archlinux.org/CVE-2017-7786
https://security.archlinux.org/CVE-2017-7787
https://security.archlinux.org/CVE-2017-7791
https://security.archlinux.org/CVE-2017-7792
https://security.archlinux.org/CVE-2017-7800
https://security.archlinux.org/CVE-2017-7801
https://security.archlinux.org/CVE-2017-7802
https://security.archlinux.org/CVE-2017-7803
https://security.archlinux.org/CVE-2017-7807
https://security.archlinux.org/CVE-2017-7809
Workaround
None.