Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 660342 (MFSA-2018-18) - <mail-client/thunderbird{,-bin}-52.9.0: multiple vulnerabilities (MFSA-2018-18)
Summary: <mail-client/thunderbird{,-bin}-52.9.0: multiple vulnerabilities (MFSA-2018-18)
Status: RESOLVED FIXED
Alias: MFSA-2018-18
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-04 08:13 UTC by D'juan McDonald (domhnall)
Modified: 2018-11-24 19:52 UTC (History)
2 users (show)

See Also:
Package list:
=mail-client/thunderbird-52.9.1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2018-07-04 08:13:18 UTC
Security vulnerabilities fixed in Thunderbird 52.9

Announced
    July 3, 2018
Impact
    critical
Products
    Thunderbird
Fixed in

        Thunderbird 52.9

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2018-12359: Buffer overflow using computed size of canvas element

Reporter
    Nils
Impact
    critical

Description

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash.
References

    Bug 1459162

#CVE-2018-12360: Use-after-free when using focus()

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.
References

    Bug 1459693

#CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails

Reporter
    Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
Impact
    high

Description

Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a a HTML reply/forward.
References

    Bug 1419417

#CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward

Reporter
    Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
Impact
    high

Description

dDecrypted S/MIME parts hidden with CSS or <plaintext> can leak plaintext when included in a HTML reply/forward.
References

    CVE-2018-12373
    Suppress <plaintext> in email messages

#CVE-2018-12362: Integer overflow in SSSE3 scaler

Reporter
    F. Alonso (revskills)
Impact
    high

Description

An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash.
References

    Bug 1452375

#CVE-2018-12363: Use-after-free when appending DOM nodes

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash.
References

    Bug 1464784

#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

Reporter
    David Black
Impact
    high

Description

NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks.
References

    Bug 1436241

#CVE-2018-12365: Compromised IPC child process can list local filenames

Reporter
    Alex Gaynor
Impact
    moderate

Description

A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files.
References

    Bug 1459206

#CVE-2018-12366: Invalid data handling during QCMS transformations

Reporter
    OSS-Fuzz
Impact
    moderate

Description

An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output.
References

    Bug 1464039

#CVE-2018-12368: No warning when opening executable SettingContent-ms files

Reporter
    Abdulrahman Alqabandi
Impact
    moderate

Description

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems
Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
References

    Bug 1468217
    The Tale of SettingContent-ms Files

#CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field

Reporter
    Hanno Boeck
Impact
    low

Description

Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field.
References

    Bug 1462910

#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, Firefox ESR 52.8, and Thunderbird 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
Comment 1 Larry the Git Cow gentoo-dev 2018-07-04 17:38:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=619516f953b6e3996c547d3a9914f3e1f72ed128

commit 619516f953b6e3996c547d3a9914f3e1f72ed128
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-07-04 17:37:48 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-07-04 17:38:04 +0000

    mail-client/thunderbird-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird-bin/Manifest               |  58 --------
 .../thunderbird-bin/thunderbird-bin-52.8.0.ebuild  | 164 ---------------------
 2 files changed, 222 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=062f178d70318f572464fc01549ca8be9f5cbbb8

commit 062f178d70318f572464fc01549ca8be9f5cbbb8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-07-04 17:37:19 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-07-04 17:38:02 +0000

    mail-client/thunderbird-bin: amd64 & x86 stable
    
    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird-bin/thunderbird-bin-52.9.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f9ec87ad944573045c7d120266aebd95db4323b

commit 1f9ec87ad944573045c7d120266aebd95db4323b
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-07-04 17:36:44 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-07-04 17:38:00 +0000

    mail-client/thunderbird-bin: bump to v52.9.0
    
    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird-bin/Manifest               |  58 ++++++++
 .../thunderbird-bin/thunderbird-bin-52.9.0.ebuild  | 164 +++++++++++++++++++++
 2 files changed, 222 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2018-07-04 20:00:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b2b86ec725fa2f9751b5177e16c9105e2ce3ea2b

commit b2b86ec725fa2f9751b5177e16c9105e2ce3ea2b
Author:     Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-07-04 19:38:45 +0000
Commit:     Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-07-04 20:00:40 +0000

    mail-client/thunderbird: bump to 52.9 for security bug 660342
    
    Bug: http://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 mail-client/thunderbird/Manifest                  |  58 ++++
 mail-client/thunderbird/thunderbird-52.9.0.ebuild | 342 ++++++++++++++++++++++
 2 files changed, 400 insertions(+)
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2018-07-04 20:07:07 UTC
Ebuilds are in gentoo repo, and have been stabilized on amd64, x86 by maintainers.

ppc/ppc64 please stabilize or remove stable keywords.
Comment 4 Manuel Rüger (RETIRED) gentoo-dev 2018-08-21 23:50:58 UTC
Reading https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/ it looks like CVE-2018-12372 was incomplete: "Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security."

Can you bump to 52.9.1?
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2018-08-21 23:52:19 UTC
(In reply to Manuel Rüger from comment #4)
> Reading https://www.thunderbird.net/en-US/thunderbird/52.9.1/releasenotes/
> it looks like CVE-2018-12372 was incomplete: "Complete fix of the EFAIL
> vulnerability: 1) Removing some HTML crafted to carry out an attack. 2)
> Optionally: Not decrypting subordinate message parts that otherwise might
> reveal decrypted content to the attacker. Preference
> mailnews.p7m_subparts_external needs to be set to true for added security."
> 
My mistake: Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0) was fixed.
> Can you bump to 52.9.1?
I can open a separate bug for this if you like.
Comment 6 Larry the Git Cow gentoo-dev 2018-08-22 02:12:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f94bdcc58b3b1fdbcff246f364533be2ced7ce8

commit 1f94bdcc58b3b1fdbcff246f364533be2ced7ce8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-08-22 01:43:43 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-08-22 02:12:25 +0000

    mail-client/thunderbird: bump to v52.9.1
    
    Note:
    Lightning version from source doesn't match MOZ_LIGHTNING_VER
    in ebuild but this isn't critical and only affects localizaton
    which wasn't changed.
    
    Bug: https://bugs.gentoo.org/660342
    Package-Manager: Portage-2.3.48, Repoman-2.3.10
    RepoMan-Options: --force

 mail-client/thunderbird/Manifest                   | 114 ++++++++++-----------
 ...ird-52.9.0.ebuild => thunderbird-52.9.1.ebuild} |   0
 2 files changed, 57 insertions(+), 57 deletions(-)
Comment 7 Matt Turner gentoo-dev 2018-09-17 21:19:24 UTC
ppc/ppc64 stable. all arches stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-11-16 10:45:32 UTC
Added to an existing GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-11-24 19:52:37 UTC
This issue was resolved and addressed in
 GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13
by GLSA coordinator Aaron Bauman (b-man).