Security vulnerabilities fixed in Thunderbird 52.9 Announced July 3, 2018 Impact critical Products Thunderbird Fixed in Thunderbird 52.9 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. #CVE-2018-12359: Buffer overflow using computed size of canvas element Reporter Nils Impact critical Description A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash. References Bug 1459162 #CVE-2018-12360: Use-after-free when using focus() Reporter Nils Impact critical Description A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash. References Bug 1459693 #CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails Reporter Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk Impact high Description Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a a HTML reply/forward. References Bug 1419417 #CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward Reporter Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk Impact high Description dDecrypted S/MIME parts hidden with CSS or <plaintext> can leak plaintext when included in a HTML reply/forward. References CVE-2018-12373 Suppress <plaintext> in email messages #CVE-2018-12362: Integer overflow in SSSE3 scaler Reporter F. Alonso (revskills) Impact high Description An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash. References Bug 1452375 #CVE-2018-12363: Use-after-free when appending DOM nodes Reporter Nils Impact high Description A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash. References Bug 1464784 #CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins Reporter David Black Impact high Description NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks. References Bug 1436241 #CVE-2018-12365: Compromised IPC child process can list local filenames Reporter Alex Gaynor Impact moderate Description A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. References Bug 1459206 #CVE-2018-12366: Invalid data handling during QCMS transformations Reporter OSS-Fuzz Impact moderate Description An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output. References Bug 1464039 #CVE-2018-12368: No warning when opening executable SettingContent-ms files Reporter Abdulrahman Alqabandi Impact moderate Description Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems Note: this issue only affects Windows operating systems. Other operating systems are unaffected. References Bug 1468217 The Tale of SettingContent-ms Files #CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field Reporter Hanno Boeck Impact low Description Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field. References Bug 1462910 #CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9 Reporter Mozilla developers and community Impact critical Description Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, Firefox ESR 52.8, and Thunderbird 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. References Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=619516f953b6e3996c547d3a9914f3e1f72ed128 commit 619516f953b6e3996c547d3a9914f3e1f72ed128 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-07-04 17:37:48 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-07-04 17:38:04 +0000 mail-client/thunderbird-bin: security cleanup Bug: https://bugs.gentoo.org/660342 Package-Manager: Portage-2.3.40, Repoman-2.3.9 mail-client/thunderbird-bin/Manifest | 58 -------- .../thunderbird-bin/thunderbird-bin-52.8.0.ebuild | 164 --------------------- 2 files changed, 222 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=062f178d70318f572464fc01549ca8be9f5cbbb8 commit 062f178d70318f572464fc01549ca8be9f5cbbb8 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-07-04 17:37:19 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-07-04 17:38:02 +0000 mail-client/thunderbird-bin: amd64 & x86 stable Bug: https://bugs.gentoo.org/660342 Package-Manager: Portage-2.3.40, Repoman-2.3.9 mail-client/thunderbird-bin/thunderbird-bin-52.9.0.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f9ec87ad944573045c7d120266aebd95db4323b commit 1f9ec87ad944573045c7d120266aebd95db4323b Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-07-04 17:36:44 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-07-04 17:38:00 +0000 mail-client/thunderbird-bin: bump to v52.9.0 Bug: https://bugs.gentoo.org/660342 Package-Manager: Portage-2.3.40, Repoman-2.3.9 mail-client/thunderbird-bin/Manifest | 58 ++++++++ .../thunderbird-bin/thunderbird-bin-52.9.0.ebuild | 164 +++++++++++++++++++++ 2 files changed, 222 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2b86ec725fa2f9751b5177e16c9105e2ce3ea2b commit b2b86ec725fa2f9751b5177e16c9105e2ce3ea2b Author: Ian Stakenvicius <axs@gentoo.org> AuthorDate: 2018-07-04 19:38:45 +0000 Commit: Ian Stakenvicius <axs@gentoo.org> CommitDate: 2018-07-04 20:00:40 +0000 mail-client/thunderbird: bump to 52.9 for security bug 660342 Bug: http://bugs.gentoo.org/660342 Package-Manager: Portage-2.3.40, Repoman-2.3.9 mail-client/thunderbird/Manifest | 58 ++++ mail-client/thunderbird/thunderbird-52.9.0.ebuild | 342 ++++++++++++++++++++++ 2 files changed, 400 insertions(+)
Ebuilds are in gentoo repo, and have been stabilized on amd64, x86 by maintainers. ppc/ppc64 please stabilize or remove stable keywords.
Reading https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/ it looks like CVE-2018-12372 was incomplete: "Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security." Can you bump to 52.9.1?
(In reply to Manuel Rüger from comment #4) > Reading https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/ > it looks like CVE-2018-12372 was incomplete: "Complete fix of the EFAIL > vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) > Optionally: Not decrypting subordinate message parts that otherwise might > reveal decrypted content to the attacker. Preference > mailnews.p7m_subparts_external needs to be set to true for added security." > My mistake: Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0) was fixed. > Can you bump to 52.9.1? I can open a separate bug for this if you like.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f94bdcc58b3b1fdbcff246f364533be2ced7ce8 commit 1f94bdcc58b3b1fdbcff246f364533be2ced7ce8 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-08-22 01:43:43 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-08-22 02:12:25 +0000 mail-client/thunderbird: bump to v52.9.1 Note: Lightning version from source doesn't match MOZ_LIGHTNING_VER in ebuild but this isn't critical and only affects localizaton which wasn't changed. Bug: https://bugs.gentoo.org/660342 Package-Manager: Portage-2.3.48, Repoman-2.3.10 RepoMan-Options: --force mail-client/thunderbird/Manifest | 114 ++++++++++----------- ...ird-52.9.0.ebuild => thunderbird-52.9.1.ebuild} | 0 2 files changed, 57 insertions(+), 57 deletions(-)
ppc/ppc64 stable. all arches stable
Added to an existing GLSA request.
This issue was resolved and addressed in GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13 by GLSA coordinator Aaron Bauman (b-man).