===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0191
      MFSA 2019-23 Security vulnerabilities fixed in Thunderbird 60.8
                               12 July 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Cross-site Request Forgery      -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-11730 CVE-2019-11729 CVE-2019-11719
                      CVE-2019-11717 CVE-2019-11715 CVE-2019-11713
                      CVE-2019-11712 CVE-2019-11711 CVE-2019-11709
                      CVE-2019-9811  
Member content until: Sunday, August 11 2019
Reference:            ASB-2019.0190
                      ESB-2019.2569
                      ESB-2019.2566

OVERVIEW

        Mozilla has published a new version of Thunderbird to address multiple
        vulnerabilities in versions prior to 60.8 [1].


IMPACT

        Mozilla has provided the following information:
        
        "# CVE-2019-9811: Sandbox escape via installation of malicious language pack
        
        Reporter
            Niklas Baumstark
        Impact
            high
        
        Description
        
        As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox
        escape by installing a malicious language pack and then opening a browser
        feature that used the compromised translation.
        
        References
        
          o Bug 1538007
          o Bug 1539598
          o Bug 1563327
        
        # CVE-2019-11711: Script injection within domain through inner window reuse
        
        Reporter
            Boris Zbarsky
        Impact
            high
        
        Description
        
        When an inner window is reused, it does not consider the use of document.domain
        for cross-origin protections. If pages on different subdomains ever
        cooperatively use document.domain , then either page can abuse this to inject
        script into arbitrary pages on the other subdomain, even those that did not use
        document.domain to relax their origin security.
        
        References
        
          o Bug 1552541
        
        # CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by
        following 308 redirects
        
        Reporter
            Gregory Smiley of Security Compass
        Impact
            high
        
        Description
        
        POST requests made by NPAPI plugins, such as Flash, that receive a status 308
        redirect response can bypass CORS requirements. This can allow an attacker to
        perform Cross-Site Request Forgery (CSRF) attacks.
        
        References
        
          o Bug 1543804
        
        # CVE-2019-11713: Use-after-free with HTTP/2 cached stream
        
        Reporter
            Hanno Böck
        Impact
            high
        
        Description
        
        A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream
        is closed while still in use, resulting in a potentially exploitable crash.
        
        References
        
          o Bug 1528481
        
        # CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a
        segmentation fault
        
        Reporter
            Jonas Allmann
        Impact
            moderate
        
        Description
        
        Empty or malformed p256-ECDH public keys may trigger a segmentation fault due
        to values being improperly sanitized before being copied into memory and used.
        
        References
        
          o Bug 1515342
        
        # CVE-2019-11715: HTML parsing error can contribute to content XSS
        
        Reporter
            Linus Sarud
        Impact
            moderate
        
        Description
        
        Due to an error while parsing page content, it is possible for properly
        sanitized user input to be misinterpreted and lead to XSS hazards on web sites
        in certain circumstances.
        
        References
        
          o Bug 1555523
        
        # CVE-2019-11717: Caret character improperly escaped in origins
        
        Reporter
            Tyson Smith
        Impact
            moderate
        
        Description
        
        A vulnerability exists where the caret ("^") character is improperly escaped
        constructing some URIs due to it being used as a separator, allowing for
        possible spoofing of origin attributes.
        
        References
        
          o Bug 1548306
        
        # CVE-2019-11719: Out-of-bounds read when importing curve25519 private key
        
        Reporter
            Henry Corrigan-Gibbs
        Impact
            moderate
        
        Description
        
        When importing a curve25519 private key in PKCS#8 format with leading 0x00
        bytes, it is possible to trigger an out-of-bounds read in the Network Security
        Services (NSS) library. This could lead to information disclosure.
        
        References
        
          o Bug 1540541
        
        # CVE-2019-11730: Same-origin policy treats all files in a directory as having
        the same-origin
        
        Reporter
            Luigi Gubello
        Impact
            moderate
        
        Description
        
        A vulnerability exists where if a user opens a locally saved HTML file, this
        file can use file: URIs to access other files in the same directory or
        sub-directories if the names are known or guessed. The Fetch API can then be
        used to read the contents of any files stored in these directories and they may
        be uploaded to a server. Luigi Gubello demonstrated that in combination with a
        popular Android messaging app, if a malicious HTML attachment is sent to a user
        and they opened that attachment in Firefox, due to that app's predictable
        pattern for locally-saved file names, it is possible to read attachments the
        victim received from other correspondents.
        
        References
        
          o Bug 1558299
        
        # CVE-2019-11709: Memory safety bugs fixed in Firefox 68, Firefox ESR 60.8, and
        Thunderbird 60.8
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Andreea Pavel, Christian Holler, Honza
        Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in
        Firefox 67, Firefox ESR 60.7, and Thunderbird 60.7. Some of these bugs showed
        evidence of memory corruption and we presume that with enough effort some
        of these could be exploited to run arbitrary code."
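        The p256-ECDH entry above (CVE-2019-11729) comes down to key material being
        copied and used before it was checked. As an added illustration, not code from
        Mozilla or NSS, the Python below is the kind of import-time validator that
        rejects empty, truncated, out-of-range and off-curve P-256 public keys before
        any arithmetic touches them; the constants are the published NIST P-256
        parameters and the sample inputs are constructed.

```python
# Added example (not Mozilla/NSS code): defensive validation of an incoming
# P-256 (secp256r1) ECDH public key before it is copied or used. A key-import
# routine should run a check like this so that empty, truncated or off-curve
# encodings are rejected up front instead of reaching the field arithmetic.

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2)
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_A = P256_P - 3
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Generator point, used here as a constructed "known good" sample input
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def validate_p256_public_key(encoded: bytes) -> bool:
    """Return True only for a well-formed uncompressed SEC1 point on P-256.

    Rejects empty input, wrong length, wrong prefix byte, coordinates that are
    not reduced modulo p, and (x, y) pairs that do not satisfy the curve equation.
    """
    # 1. Structural checks: exactly one 0x04 prefix byte + two 32-byte coordinates.
    if len(encoded) != 65 or encoded[0] != 0x04:
        return False
    x = int.from_bytes(encoded[1:33], "big")
    y = int.from_bytes(encoded[33:65], "big")
    # 2. Range checks: each coordinate must be a canonical field element.
    if x >= P256_P or y >= P256_P:
        return False
    # 3. Curve membership: y^2 == x^3 + a*x + b (mod p). Because b != 0 this
    #    also rejects the all-zero encoding that a length-only check would pass.
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


def encode_point(x: int, y: int) -> bytes:
    """Uncompressed SEC1 encoding (0x04 || X || Y), used to build test inputs."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


if __name__ == "__main__":
    good = encode_point(P256_GX, P256_GY)
    print("generator :", validate_p256_public_key(good))                       # True
    print("empty key :", validate_p256_public_key(b""))                         # False
    print("truncated :", validate_p256_public_key(good[:64]))                   # False
    print("all zero  :", validate_p256_public_key(b"\x04" + bytes(64)))         # False
    print("x >= p    :", validate_p256_public_key(encode_point(P256_P, P256_GY)))  # False
```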


MITIGATION

        Mozilla advises upgrading to Thunderbird 60.8 to address these
        vulnerabilities [1].


REFERENCES

        [1] Mozilla Foundation Security Advisory 2019-23 - Security
            vulnerabilities fixed in Thunderbird 60.8
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================