ArchLinux: 202104-4: thunderbird: multiple issues

Advisories

Arch Linux Security Advisory ASA-202104-4
=========================================

Severity: High
Date    : 2021-04-29
CVE-ID  : CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998
          CVE-2021-23999 CVE-2021-24002 CVE-2021-29946 CVE-2021-29948
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1836

Summary
=======

The package thunderbird before version 78.10.0-1 is vulnerable to
multiple issues including arbitrary code execution, arbitrary command
execution, content spoofing, information disclosure, sandbox escape,
access restriction bypass and signature forgery.

Resolution
==========

Upgrade to 78.10.0-1.

# pacman -Syu "thunderbird>=78.10.0-1"

The problems have been fixed upstream in version 78.10.0.

Workaround
==========

None.

Description
===========

- CVE-2021-23961 (information disclosure)

A security issue was found in Firefox before version 85.0. Further
techniques that built on the slipstream research combined with a
malicious webpage could have exposed both an internal network's hosts
as well as services running on the user's local machine.

- CVE-2021-23994 (arbitrary code execution)

A security issue has been found in Firefox before version 88 and
Thunderbird before version 78.10. A WebGL framebuffer was not
initialized early enough, resulting in memory corruption and an out of
bounds write.

- CVE-2021-23995 (arbitrary code execution)

A security issue has been found in Firefox before version 88 and
Thunderbird before version 78.10. When Responsive Design Mode was
enabled, it used references to objects that were previously freed.
Mozilla presumes that with enough effort this could have been exploited
to run arbitrary code.

- CVE-2021-23998 (content spoofing)

A security issue has been found in Firefox before version 88 and
Thunderbird before version 78.10. Through complicated navigations with
new windows, an HTTP page could have inherited a secure lock icon from
an HTTPS page.

- CVE-2021-23999 (sandbox escape)

A security issue has been found in Firefox before version 88 and
Thunderbird before version 78.10. If a Blob URL was loaded through some
unusual user interaction, it could have been loaded by the System
Principal and granted additional privileges that should not be granted
to web content.

- CVE-2021-24002 (arbitrary command execution)

A security issue has been found in Firefox before version 88 and
Thunderbird before version 78.10. When a user clicked on an FTP URL
containing encoded newline characters (%0A and %0D), the newlines would
have been interpreted as such and allowed arbitrary commands to be sent
to the FTP server.

- CVE-2021-29946 (access restriction bypass)

A security issue has been found in Firefox before version 88 and
Thunderbird before version 78.10. Ports that were written as an integer
overflow above the bounds of a 16-bit integer could have bypassed port
blocking restrictions when used in the Alt-Svc header.

- CVE-2021-29948 (signature forgery)

A security issue has been found in Thunderbird before version 78.10.
Signatures are written to disk before and read during verification,
which might be subject to a race condition when a malicious local
process or user is replacing the file.

Impact
======

An attacker is able to execute arbitrary code, spoof context, escape
the sandbox, and bypass port blocking restrictions through various
means. In addition a local attacker might spoof the verification of
emails signed using PGP by winning a race condition.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2021-03/#CVE-2021-23961
https://bugzilla.mozilla.org/show_bug.cgi?id=1677940
https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23994
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23994
https://bugzilla.mozilla.org/show_bug.cgi?id=1699077
https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23995
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23995
https://bugzilla.mozilla.org/show_bug.cgi?id=1699835
https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23998
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23998
https://bugzilla.mozilla.org/show_bug.cgi?id=1667456
https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23999
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23999
https://bugzilla.mozilla.org/show_bug.cgi?id=1691153
https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-24002
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-24002
https://bugzilla.mozilla.org/show_bug.cgi?id=1702374
https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-29946
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-29946
https://bugzilla.mozilla.org/show_bug.cgi?id=1698503
https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-29948
https://bugzilla.mozilla.org/show_bug.cgi?id=1692899
https://security.archlinux.org/CVE-2021-23961
https://security.archlinux.org/CVE-2021-23994
https://security.archlinux.org/CVE-2021-23995
https://security.archlinux.org/CVE-2021-23998
https://security.archlinux.org/CVE-2021-23999
https://security.archlinux.org/CVE-2021-24002
https://security.archlinux.org/CVE-2021-29946
https://security.archlinux.org/CVE-2021-29948

ArchLinux: 202104-4: thunderbird: multiple issues

April 29, 2021
The package thunderbird before version 78.10.0-1 is vulnerable to multiple issues including arbitrary code execution, arbitrary command execution, content spoofing, information dis...

Summary

- CVE-2021-23961 (information disclosure)
A security issue was found in Firefox before version 85.0. Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine.
- CVE-2021-23994 (arbitrary code execution)
A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. A WebGL framebuffer was not initialized early enough, resulting in memory corruption and an out of bounds write.
- CVE-2021-23995 (arbitrary code execution)
A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. When Responsive Design Mode was enabled, it used references to objects that were previously freed. Mozilla presumes that with enough effort this could have been exploited to run arbitrary code.
- CVE-2021-23998 (content spoofing)
A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. Through complicated navigations with new windows, an HTTP page could have inherited a secure lock icon from an HTTPS page.
- CVE-2021-23999 (sandbox escape)
A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. If a Blob URL was loaded through some unusual user interaction, it could have been loaded by the System Principal and granted additional privileges that should not be granted to web content.
- CVE-2021-24002 (arbitrary command execution)
A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. When a user clicked on an FTP URL containing encoded newline characters (%0A and %0D), the newlines would have been interpreted as such and allowed arbitrary commands to be sent to the FTP server.
- CVE-2021-29946 (access restriction bypass)
A security issue has been found in Firefox before version 88 and Thunderbird before version 78.10. Ports that were written as an integer overflow above the bounds of a 16-bit integer could have bypassed port blocking restrictions when used in the Alt-Svc header.
- CVE-2021-29948 (signature forgery)
A security issue has been found in Thunderbird before version 78.10. Signatures are written to disk before and read during verification, which might be subject to a race condition when a malicious local process or user is replacing the file.

Resolution

Upgrade to 78.10.0-1.
# pacman -Syu "thunderbird>=78.10.0-1"
The problems have been fixed upstream in version 78.10.0.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2021-03/#CVE-2021-23961 https://bugzilla.mozilla.org/show_bug.cgi?id=1677940 https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23994 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23994 https://bugzilla.mozilla.org/show_bug.cgi?id=1699077 https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23995 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23995 https://bugzilla.mozilla.org/show_bug.cgi?id=1699835 https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23998 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23998 https://bugzilla.mozilla.org/show_bug.cgi?id=1667456 https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-23999 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-23999 https://bugzilla.mozilla.org/show_bug.cgi?id=1691153 https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-24002 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-24002 https://bugzilla.mozilla.org/show_bug.cgi?id=1702374 https://www.mozilla.org/en-US/security/advisories/mfsa2021-16/#CVE-2021-29946 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-29946 https://bugzilla.mozilla.org/show_bug.cgi?id=1698503 https://www.mozilla.org/en-US/security/advisories/mfsa2021-14/#CVE-2021-29948 https://bugzilla.mozilla.org/show_bug.cgi?id=1692899 https://security.archlinux.org/CVE-2021-23961 https://security.archlinux.org/CVE-2021-23994 https://security.archlinux.org/CVE-2021-23995 https://security.archlinux.org/CVE-2021-23998 https://security.archlinux.org/CVE-2021-23999 https://security.archlinux.org/CVE-2021-24002 https://security.archlinux.org/CVE-2021-29946 https://security.archlinux.org/CVE-2021-29948

Severity
CVE-ID : CVE-2021-23961 CVE-2021-23994 CVE-2021-23995 CVE-2021-23998
CVE-2021-23999 CVE-2021-24002 CVE-2021-29946 CVE-2021-29948
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1836

Impact

An attacker is able to execute arbitrary code, spoof context, escape the sandbox, and bypass port blocking restrictions through various means. In addition a local attacker might spoof the verification of emails signed using PGP by winning a race condition.

Workaround

None.

Related News

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.