===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0309
      MFSA 2019-35 Security vulnerabilities fixed in Thunderbird 68.2
                              25 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-15903 CVE-2019-11764 CVE-2019-11763
                      CVE-2019-11762 CVE-2019-11761 CVE-2019-11760
                      CVE-2019-11759 CVE-2019-11758 CVE-2019-11757
Member content until: Sunday, November 24 2019
Reference:            ASB-2019.0307

OVERVIEW

        Mozilla has published a new version of Thunderbird to address multiple
        vulnerabilities in versions prior to 68.2. [1]


IMPACT

        Mozilla has provided the following information:
        
        "# CVE-2019-15903: Heap overflow in expat library in XML_GetCurrentLineNumber
        
        Reporter
            Sebastian Pipping
        Impact
            high
        
        Description
        
        In libexpat before 2.2.8, crafted XML input could fool the parser into changing
        from DTD parsing to document parsing too early. A subsequent call to
        XML_GetCurrentLineNumber or XML_GetCurrentColumnNumber then resulted in a
        heap-based buffer over-read.
        
        References
        
          o Bug 1584907
        
        # CVE-2019-11757: Use-after-free when creating index updates in IndexedDB
        
        Reporter
            Zhanjia Song
        Impact
            high
        
        Description
        
        When following the value's prototype chain, it was possible to retain a
        reference to a locale, delete it, and subsequently reference it. This resulted
        in a use-after-free and a potentially exploitable crash.
        
        References
        
          o Bug 1577107
        
        # CVE-2019-11758: Potentially exploitable crash due to 360 Total Security
        
        Reporter
            Mozilla developers and community
        Impact
            high
        
        Description
        
        Mozilla community member Philipp reported a memory safety bug present in
        Firefox 68 when 360 Total Security was installed. This bug showed evidence of
        memory corruption in the accessibility engine and we presume that with enough
        effort that it could be exploited to run arbitrary code.
        
        References
        
          o Bug 1536227
        
        # CVE-2019-11759: Stack buffer overflow in HKDF output
        
        Reporter
            Guido Vranken
        Impact
            moderate
        
        Description
        
        An attacker could have caused 4 bytes of HMAC output to be written past the end
        of a buffer stored on the stack. This could be used by an attacker to execute
        arbitrary code or more likely lead to a crash.
        
        References
        
          o Bug 1577953
        
        # CVE-2019-11760: Stack buffer overflow in WebRTC networking
        
        Reporter
            Nils
        Impact
            moderate
        
        Description
        
        A fixed-size stack buffer could overflow in nrappkit when doing WebRTC
        signaling. This resulted in a potentially exploitable crash in some instances.
        
        References
        
          o Bug 1577719
        
        # CVE-2019-11761: Unintended access to a privileged JSONView object
        
        Reporter
            Cody Crews
        Impact
            moderate
        
        Description
        
        By using a form with a data URI it was possible to gain access to the
        privileged JSONView object that had been cloned into content. Impact from
        exposing this object appears to be minimal, however it was a bypass of existing
        defense in depth mechanisms.
        
        References
        
          o Bug 1561502
        
        # CVE-2019-11762: document.domain-based origin isolation has
        same-origin-property violation
        
        Reporter
            Kris Maglione
        Impact
            moderate
        
        Description
        
        If two same-origin documents set document.domain differently to become
        cross-origin, it was possible for them to call arbitrary DOM methods/getters/
        setters on the now-cross-origin window.
        
        References
        
          o Bug 1582857
        
        # CVE-2019-11763: Incorrect HTML parsing results in XSS bypass technique
        
        Reporter
            Gareth Heyes
        Impact
            moderate
        
        Description
        
        Failure to correctly handle null bytes when processing HTML entities resulted
        in Firefox incorrectly parsing these entities. This could have led to HTML
        comment text being treated as HTML which could have led to XSS in a web
        application under certain conditions. It could have also led to HTML entities
        being masked from filters - enabling the use of entities to mask the actual
        characters of interest from filters.
        
        References
        
          o Bug 1584216
        
        # CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2
        
        Reporter
            Mozilla developers and community
        Impact
            critical
        
        Description
        
        Mozilla developers and community members Bob Clary, Jason Kratzer, Aaron Klotz,
        Iain Ireland, Tyson Smith, Christian Holler, Steve Fink, Honza Bambas, Byron
        Campen, and Cristian Brindusan reported memory safety bugs present in Firefox
        69 and Firefox ESR 68.1. Some of these bugs showed evidence of memory
        corruption and we presume that with enough effort some of these could be
        exploited to run arbitrary code.
        
        References
        
          o Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2"
        
        [1]


MITIGATION

        Mozilla advises updating to Thunderbird version 68.2 to address these
        vulnerabilities. [1]
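
        One way to check an inventory against the fixed version (an added
        example, not part of the AusCERT or Mozilla text). It assumes each
        host's `thunderbird --version` output has been collected; the
        hostnames and outputs below are constructed.

```python
import re

FIXED = (68, 2)  # first fixed Thunderbird release per this bulletin

# Numeric part of strings such as "Mozilla Thunderbird 68.1.2" or "68.2".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups(default="0"))


def classify(version_output):
    """Classify one host's reported version string."""
    version = parse_version(version_output)
    if version is None:
        # No usable answer: flag for follow-up, never assume patched.
        return "UNKNOWN"
    return "OK" if version[:2] >= FIXED else "VULNERABLE"


def audit(inventory):
    """Map host -> status for a dict of host -> reported version string."""
    return {host: classify(out) for host, out in inventory.items()}


# Constructed sample inventory (hostnames and outputs are illustrative).
SAMPLE = {
    "ws-01": "Mozilla Thunderbird 68.1.2",
    "ws-02": " Thunderbird 68.2.0",
    "ws-03": "Mozilla Thunderbird 60.9.0",
    # 10 > 2 numerically; a plain string comparison gets this one wrong.
    "ws-04": "Mozilla Thunderbird 68.10.0",
    "ws-05": "thunderbird: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}\t{status}")
```

        Versions are compared as integer tuples because a string comparison
        would rank "68.10.0" below "68.2".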


REFERENCES

        [1] Security vulnerabilities fixed in Thunderbird 68.2
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================