===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0119
            Security vulnerabilities fixed in Thunderbird 52.8
                                21 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
                      Unauthorised Access             -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-5185 CVE-2018-5184 CVE-2018-5183
                      CVE-2018-5178 CVE-2018-5174 CVE-2018-5170
                      CVE-2018-5168 CVE-2018-5162 CVE-2018-5161
                      CVE-2018-5159 CVE-2018-5155 CVE-2018-5154
                      CVE-2018-5150  
Member content until: Wednesday, June 20 2018
Reference:            ASB-2018.0110
                      ASB-2018.0109
                      ESB-2018.1460
                      ESB-2018.1442

OVERVIEW

        Multiple security vulnerabilities have been identified in Mozilla
        Thunderbird prior to version 52.8. [1]


IMPACT

        The vendor has provided the following details regarding the
        vulnerabilities:
        
        "In general, these flaws cannot be exploited through email in the Thunderbird
        product because scripting is disabled when reading mail, but are potentially
        risks in browser or browser-like contexts.
        
        CVE-2018-5183: Backport critical security fixes in Skia
        
        Reporter
            Mozilla Developers
        Impact
            critical
        
        Description
        
        Mozilla developers backported selected changes in the Skia library. These
        changes correct memory corruption issues including invalid buffer reads and
        writes during graphic operations.
        
        References
        
          * Bug 1454692
        
        CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
        
        Reporter
            Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian
            Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
        Impact
            high
        
        Description
        
        Using remote content in encrypted messages can lead to the disclosure of
        plaintext.
        
        References
        
          * Bug 1411592
        
        CVE-2018-5154: Use-after-free with SVG animations and clip paths
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur while enumerating attributes during
        SVG animations with clip paths. This results in a potentially exploitable
        crash.
        
        References
        
          * Bug 1443092
        
        CVE-2018-5155: Use-after-free with SVG animations and text paths
        
        Reporter
            Nils
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur while adjusting layout during SVG
        animations with text paths. This results in a potentially exploitable crash.
        
        References
        
          * Bug 1448774
        
        CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
        
        Reporter
            Ivan Fratric
        Impact
            high
        
        Description
        
        An integer overflow can occur in the Skia library due to 32-bit integer use in
        an array without integer overflow checks, resulting in possible out-of-bounds
        writes. This could lead to a potentially exploitable crash triggerable by web
        content.
        
        References
        
          * Bug 1441941
        
        CVE-2018-5161: Hang via malformed headers
        
        Reporter
            cure53
        Impact
            moderate
        
        Description
        
        Crafted message headers can cause a Thunderbird process to hang on receiving
        the message.
        
        References
        
          * Bug 1411720
        
        CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
        
        Reporter
            Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian
            Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
        Impact
            moderate
        
        Description
        
        Plaintext of decrypted emails can leak through the src attribute of remote
        images, or links.
        
        References
        
          * Bug 1457721
        
        CVE-2018-5170: Filename spoofing for external attachments
        
        Reporter
            cure53
        Impact
            moderate
        
        Description
        
        It is possible to spoof the filename of an attachment and display an arbitrary
        attachment name. This could lead to a user opening a remote attachment which is
        a different file type than expected.
        
        References
        
          * Bug 1411732
        
        CVE-2018-5168: Lightweight themes can be installed without user interaction
        
        Reporter
            Wladimir Palant
        Impact
            moderate
        
        Description
        
        Sites can bypass security checks on permissions to install lightweight themes
        by manipulating the baseURI property of the theme element. This could allow a
        malicious site to install a theme without user interaction which could contain
        offensive or embarrassing images.
        
        References
        
          * Bug 1449548
        
        CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
        for downloaded files in Windows 10 April 2018 Update
        
        Reporter
            Jimmy
        Impact
            moderate
        
        Description
        
        In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors the
        SEE_MASK_FLAG_NO_UI flag associated with downloaded files and will not show any
        UI. Files that are unknown and potentially dangerous will be allowed to run
        because SmartScreen will not prompt the user for a decision, and if the user is
        offline all files will be allowed to be opened because Windows won't prompt the
        user to ask what to do. Firefox incorrectly sets this flag when downloading
        files, leading to less secure behavior from SmartScreen.
        Note: this issue only affects Windows 10 users running the April 2018 update or
        later. It does not affect other Windows users or other operating systems.
        
        References
        
          * Bug 1447080
        
        CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
        through legacy extension
        
        Reporter
            Root Object
        Impact
            moderate
        
        Description
        
        A buffer overflow was found during UTF8 to Unicode string conversion within
        JavaScript with extremely large amounts of data. This vulnerability requires
        the use of a malicious or vulnerable legacy extension in order to occur.
        
        References
        
          * Bug 1443891
        
        CVE-2018-5185: Leaking plaintext through HTML forms
        
        Reporter
            Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian
            Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
        Impact
            low
        
        Description
        
        Plaintext of decrypted emails can leak through by user submitting an embedded
        form.
        
        References
        
          * Bug 1450345
        
        CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and
        Thunderbird 52.8
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Christoph Diehl, Randell Jesup, Tyson
        Smith, Alex Gaynor, Ronald Crane, Julian Hector, Kannan Vijayan, and Jason
        Kratzer reported memory safety bugs present in Firefox 59, Firefox ESR 52.7,
        and Thunderbird 52.7. Some of these bugs showed evidence of memory corruption
        and we presume that with enough effort that some of these could be exploited to
        run arbitrary code." [1]


MITIGATION

        Mozilla advises upgrading to Thunderbird version 52.8. [1]


REFERENCES

        [1] Mozilla Foundation Security Advisory 2018-13
            https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================