-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0165
     MFSA 2019-17 Security vulnerabilities fixed in Thunderbird 60.7.1
                               14 June 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11706 CVE-2019-11705 CVE-2019-11704
                      CVE-2019-11703  
Member content until: Sunday, July 14 2019

OVERVIEW

        Multiple vulnerabilities have been identified in the iCal handling of
        Mozilla Thunderbird versions prior to 60.7.1. [1]


IMPACT

        Mozilla has given the following information regarding these 
        vulnerabilities:
        
        "Announced
            June 13, 2019
        Impact
            critical
        Products
            Thunderbird
        Fixed in
               Thunderbird 60.7.1
        
        # CVE-2019-11703: Heap buffer overflow in icalparser.c
        
        Reporter
            Luis Merino of X41 D-Sec
        Impact
            high
        
        Description
        
        A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in
        parser_get_next_char when processing certain email messages, resulting in a
        potentially exploitable crash.
        
        References
        
          o Bug 1553820
        
        # CVE-2019-11704: Heap buffer overflow in icalvalue.c
        
        Reporter
            Luis Merino of X41 D-Sec
        Impact
            high
        
        Description
        
        A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in
        icalmemory_strdup_and_dequote when processing certain email messages, resulting
        in a potentially exploitable crash.
        
        References
        
          o Bug 1553814
        
        # CVE-2019-11705: Stack buffer overflow in icalrecur.c
        
        Reporter
            Luis Merino of X41 D-Sec
        Impact
            high
        
        Description
        
        A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow
        in icalrecur_add_bydayrules when processing certain email messages, resulting
        in a potentially exploitable crash.
        
        References
        
          o Bug 1553808
        
        # CVE-2019-11706: Type confusion in icalproperty.c
        
        Reporter
            Luis Merino of X41 D-Sec
        Impact
            low
        
        Description
        
        A flaw in Thunderbird's implementation of iCal causes a type confusion in
        icaltimezone_get_vtimezone_properties when processing certain email messages,
        resulting in a crash.
        
        References
        
          o Bug 1555646" [1]


MITIGATION

        Mozilla recommends upgrading Thunderbird to the latest version.
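        The practical check that follows from this mitigation is confirming
        that every installed Thunderbird is at or above 60.7.1. The script
        below is an added illustration written for this bulletin, not AusCERT
        or Mozilla code. It assumes that `thunderbird --version` prints a line
        of the form "Thunderbird 60.7.0" (the Linux binary does this; the
        output format and the binary name on PATH are assumptions). Versions
        are compared as numeric tuples, because a plain string comparison
        would wrongly rank 60.10.0 below 60.7.1.

```python
"""
Version-compliance check for MFSA 2019-17 / ASB-2019.0165.
Added example, not AusCERT or Mozilla code.  Assumption: `thunderbird --version`
prints a line such as "Thunderbird 60.7.0" (observed on the Linux binary).
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "60.7.1"   # from the bulletin: fixed in Thunderbird 60.7.1


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted numeric version from text such as 'Thunderbird 60.7.1'
    or '60.7.1esr'.  Returns a tuple of ints so that 60.10.0 sorts above 60.7.1;
    comparing the raw strings would get that case wrong.  None if no version."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version found in version_text is at or above the fixed
    version.  Shorter tuples are zero-padded so that '60.7' equals '60.7.0'."""
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"could not parse a version from {version_text!r}")
    required = parse_version(fixed)
    width = max(len(installed), len(required))
    installed = installed + (0,) * (width - len(installed))
    required = required + (0,) * (width - len(required))
    return installed >= required


def installed_thunderbird_version(binary: str = "thunderbird") -> Optional[str]:
    """Run `<binary> --version` and return its first output line, or None when
    the binary is missing or does not answer.  Binary name is an assumption."""
    try:
        proc = subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    lines = proc.stdout.strip().splitlines()
    return lines[0] if lines else None


if __name__ == "__main__":
    found = installed_thunderbird_version()
    if found is None:
        print("Thunderbird not found on PATH")
    elif is_patched(found):
        print(f"{found}: at or above {FIXED_VERSION}, fix for MFSA 2019-17 present")
    else:
        print(f"{found}: below {FIXED_VERSION}, upgrade required (MFSA 2019-17)")
```

        Run it on each host, or feed `is_patched()` the version strings
        collected by your inventory tool; a result of False means the host is
        still exposed to the four CVEs listed above.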


REFERENCES

        [1] MFSA 2019-17 Security vulnerabilities fixed in Thunderbird 60.7.1
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----