===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0165
     MFSA 2019-17 Security vulnerabilities fixed in Thunderbird 60.7.1
                               14 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11706 CVE-2019-11705 CVE-2019-11704
                      CVE-2019-11703
Member content until: Sunday, July 14 2019

OVERVIEW

        A vulnerability has been identified in Mozilla Thunderbird versions
        prior to 60.7.1. [1]

IMPACT

        Mozilla has given the following information regarding these
        vulnerabilities:

        "Announced  June 13, 2019
        Impact     critical
        Products   Thunderbird
        Fixed in   Thunderbird 60.7.1

        # CVE-2019-11703: Heap buffer overflow in icalparser.c

        Reporter   Luis Merino of X41 D-Sec
        Impact     high

        Description

        A flaw in Thunderbird's implementation of iCal causes a heap buffer
        overflow in parser_get_next_char when processing certain email
        messages, resulting in a potentially exploitable crash.

        References

          o Bug 1553820

        # CVE-2019-11704: Heap buffer overflow in icalvalue.c

        Reporter   Luis Merino of X41 D-Sec
        Impact     high

        Description

        A flaw in Thunderbird's implementation of iCal causes a heap buffer
        overflow in icalmemory_strdup_and_dequote when processing certain
        email messages, resulting in a potentially exploitable crash.

        References

          o Bug 1553814

        # CVE-2019-11705: Stack buffer overflow in icalrecur.c

        Reporter   Luis Merino of X41 D-Sec
        Impact     high

        Description

        A flaw in Thunderbird's implementation of iCal causes a stack buffer
        overflow in icalrecur_add_bydayrules when processing certain email
        messages, resulting in a potentially exploitable crash.

        References

          o Bug 1553808

        # CVE-2019-11706: Type confusion in icalproperty.c

        Reporter   Luis Merino of X41 D-Sec
        Impact     low

        Description

        A flaw in Thunderbird's implementation of iCal causes a type
        confusion in icaltimezone_get_vtimezone_properties when processing
        certain email messages, resulting in a crash.

        References

          o Bug 1555646" [1]

MITIGATION

        Mozilla recommends upgrading Thunderbird to the latest version.

REFERENCES

        [1] MFSA 2019-17 Security vulnerabilities fixed in Thunderbird 60.7.1
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.