===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0309
      MFSA 2019-35 Security vulnerabilities fixed in Thunderbird 68.2
                              25 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Mozilla Thunderbird
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Cross-site Scripting            -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-15903 CVE-2019-11764 CVE-2019-11763
                      CVE-2019-11762 CVE-2019-11761 CVE-2019-11760
                      CVE-2019-11759 CVE-2019-11758 CVE-2019-11757
Member content until: Sunday, November 24 2019
Reference:            ASB-2019.0307

OVERVIEW

        Mozilla has published a new version of Thunderbird to address
        multiple vulnerabilities in versions prior to 68.2 [1]


IMPACT

        Mozilla has provided the following information:

        "# CVE-2019-15903: Heap overflow in expat library in
        XML_GetCurrentLineNumber

        Reporter    Sebastian Pipping
        Impact      high

        Description

        In libexpat before 2.2.8, crafted XML input could fool the parser
        into changing from DTD parsing to document parsing too early. A
        subsequent call to XML_GetCurrentLineNumber or
        XML_GetCurrentColumnNumber then resulted in a heap-based buffer
        over-read.

        References

          o Bug 1584907

        # CVE-2019-11757: Use-after-free when creating index updates in
        IndexedDB

        Reporter    Zhanjia Song
        Impact      high

        Description

        When following the value's prototype chain, it was possible to
        retain a reference to a locale, delete it, and subsequently
        reference it. This resulted in a use-after-free and a potentially
        exploitable crash.

        References

          o Bug 1577107

        # CVE-2019-11758: Potentially exploitable crash due to 360 Total
        Security

        Reporter    Mozilla developers and community
        Impact      high

        Description

        Mozilla community member Philipp reported a memory safety bug
        present in Firefox 68 when 360 Total Security was installed. This
        bug showed evidence of memory corruption in the accessibility
        engine and we presume that with enough effort that it could be
        exploited to run arbitrary code.

        References

          o Bug 1536227

        # CVE-2019-11759: Stack buffer overflow in HKDF output

        Reporter    Guido Vranken
        Impact      moderate

        Description

        An attacker could have caused 4 bytes of HMAC output to be written
        past the end of a buffer stored on the stack. This could be used by
        an attacker to execute arbitrary code or more likely lead to a
        crash.

        References

          o Bug 1577953

        # CVE-2019-11760: Stack buffer overflow in WebRTC networking

        Reporter    Nils
        Impact      moderate

        Description

        A fixed-size stack buffer could overflow in nrappkit when doing
        WebRTC signaling. This resulted in a potentially exploitable crash
        in some instances.

        References

          o Bug 1577719

        # CVE-2019-11761: Unintended access to a privileged JSONView object

        Reporter    Cody Crews
        Impact      moderate

        Description

        By using a form with a data URI it was possible to gain access to
        the privileged JSONView object that had been cloned into content.
        Impact from exposing this object appears to be minimal, however it
        was a bypass of existing defense in depth mechanisms.

        References

          o Bug 1561502

        # CVE-2019-11762: document.domain-based origin isolation has
        same-origin-property violation

        Reporter    Kris Maglione
        Impact      moderate

        Description

        If two same-origin documents set document.domain differently to
        become cross-origin, it was possible for them to call arbitrary DOM
        methods/getters/setters on the now-cross-origin window.

        References

          o Bug 1582857

        # CVE-2019-11763: Incorrect HTML parsing results in XSS bypass
        technique

        Reporter    Gareth Heyes
        Impact      moderate

        Description

        Failure to correctly handle null bytes when processing HTML
        entities resulted in Firefox incorrectly parsing these entities.
        This could have led to HTML comment text being treated as HTML
        which could have led to XSS in a web application under certain
        conditions. It could have also led to HTML entities being masked
        from filters - enabling the use of entities to mask the actual
        characters of interest from filters.

        References

          o Bug 1584216

        # CVE-2019-11764: Memory safety bugs fixed in Thunderbird 68.2

        Reporter    Mozilla developers and community
        Impact      critical

        Description

        Mozilla developers and community members Bob Clary, Jason Kratzer,
        Aaron Klotz, Iain Ireland, Tyson Smith, Christian Holler, Steve
        Fink, Honza Bambas, Byron Campen, and Cristian Brindusan reported
        memory safety bugs present in Firefox 69 and Firefox ESR 68.1. Some
        of these bugs showed evidence of memory corruption and we presume
        that with enough effort some of these could be exploited to run
        arbitrary code.

        References

          o Memory safety bugs fixed in Firefox 70 and Firefox ESR 68.2" [1]


MITIGATION

        Mozilla advises updating to Thunderbird version 68.2 to address
        these vulnerabilities. [1]


REFERENCES

        [1] Security vulnerabilities fixed in - Thunderbird 68.2
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-35/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation.  The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures.  AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
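
A fleet check for the MITIGATION advice above, as an added example that is not part of the AusCERT bulletin or Mozilla's advisory: it flags hosts whose reported Thunderbird version is below 68.2. The tab-separated inventory format, the host names and the choice to report beta builds as "unknown" are assumptions; the sample lines are constructed.

```python
import re

# First fixed Thunderbird release according to this bulletin.
FIXED = (68, 2)

# Constructed sample inventory (assumed format: host<TAB>reported version).
SAMPLE_INVENTORY = (
    "mail-ws-01\tThunderbird 68.1.2\n"
    "mail-ws-02\tThunderbird 68.2.0\n"
    "mail-ws-03\tThunderbird 60.9.0\n"
    "mail-ws-04\tThunderbird 68.10.0\n"
    "mail-ws-05\tThunderbird 68.2b3\n"
    "mail-ws-06\tunknown\n"
)

# Dotted numeric version, optionally followed by an alpha/beta tag (a1, b3).
_VERSION = re.compile(r"(\d+(?:\.\d+)*)([ab]\d+)?")


def parse_version(text):
    """Return (numeric tuple, is_prerelease), or None if no version is found."""
    m = _VERSION.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None


def status(text, fixed=FIXED):
    """Classify one version string as 'vulnerable', 'patched' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    nums, prerelease = parsed
    if prerelease:
        # Assumption: the bulletin does not cover beta builds; review by hand.
        return "unknown"
    # Compare as integers, padded so that 68.2 equals 68.2.0. A plain string
    # comparison would wrongly sort "68.10.0" before "68.2".
    width = max(len(nums), len(fixed))
    nums += (0,) * (width - len(nums))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if nums < fixed else "patched"


def triage(inventory):
    """Map each host in the inventory text to its patch status."""
    result = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _, version = line.partition("\t")
            result[host] = status(version)
    return result
```

Hosts reported as "unknown" need a manual check rather than being counted as patched.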