Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 643842 (CVE-2017-7829, CVE-2017-7846, CVE-2017-7847, CVE-2017-7848) - <mail-client/thunderbird{,-bin}-52.5.2: multiple vulnerabilities (CVE-2017-{7829,7846,7847,7848})
Summary: <mail-client/thunderbird{,-bin}-52.5.2: multiple vulnerabilities (CVE-2017-{7...
Status: RESOLVED FIXED
Alias: CVE-2017-7829, CVE-2017-7846, CVE-2017-7847, CVE-2017-7848
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B2 [glsa+ cve blocked]
Keywords:
Depends on: MFSA-2018-04
Blocks:
  Show dependency tree
 
Reported: 2018-01-08 00:08 UTC by GLSAMaker/CVETool Bot
Modified: 2018-03-28 18:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-08 00:08:24 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-01-08 00:13:27 UTC
CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin

Impact
    high

Description

It is possible to execute JavaScript in the parsed RSS feed when RSS feed is viewed as a website, e.g. via “View -> Feed article -> Website” or in the standard format of “View -> Feed article -> default format”.
References


CVE-2017-7847: Local path string can be leaked from RSS feed

Impact
    high

Description

Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name.
References


CVE-2017-7848: RSS Feed vulnerable to new line Injection

Impact
    moderate

Description

RSS fields can inject new lines into the created email structure, modifying the message body.
References


CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display

Impact
    low

Description

It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string.
Comment 2 Ian Stakenvicius gentoo-dev 2018-01-08 16:37:12 UTC
Ebuild is in the repo.  

I've just stabilized for amd64 after my own testing against regressions in the last 2 days.  CC'd Arch Teams, please stabilize.

ppc / ppc64 Arch Teams, please let me know if we should drop stable keywords from thunderbird; so far none of the 52.x series has been stabilized yet.
Comment 3 Larry the Git Cow gentoo-dev 2018-01-08 16:37:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85e9451778f05981d17ad82c4054e569bf634daf

commit 85e9451778f05981d17ad82c4054e569bf634daf
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-01-08 16:36:56 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-01-08 16:37:22 +0000

    mail-client/thunderbird: stabilize for amd64, security bug 643842
    
    Stabilized by maintainer
    
    Bug:  http://bugs.gentoo.org/643842
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 mail-client/thunderbird/thunderbird-52.5.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 4 Ian Stakenvicius gentoo-dev 2018-01-08 16:38:07 UTC
mail-client/thunderbird-bin-52.5.2 has been pushed directly to stable by maintainers.
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-01-08 22:52:16 UTC
x86 stable
Comment 6 Sergei Trofimovich gentoo-dev 2018-03-19 09:19:43 UTC
ppc stable
Comment 7 Thomas Deutschmann gentoo-dev Security 2018-03-25 15:31:01 UTC
Superseded by bug 645820. Please continue in bug 645820.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-03-28 18:25:08 UTC
This issue was resolved and addressed in
 GLSA 201803-14 at https://security.gentoo.org/glsa/201803-14
by GLSA coordinator Aaron Bauman (b-man).