===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0267
                        Thunderbird vulnerabilities
                              31 January 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           thunderbird
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
                   Reduced Security                -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5396 CVE-2017-5390 CVE-2017-5383
                   CVE-2017-5380 CVE-2017-5378 CVE-2017-5376
                   CVE-2017-5375 CVE-2017-5373 CVE-2016-9905
                   CVE-2016-9904 CVE-2016-9900 CVE-2016-9899
                   CVE-2016-9898 CVE-2016-9897 CVE-2016-9895
                   CVE-2016-9893

Reference:         ASB-2017.0010
                   ASB-2017.0007
                   ESB-2017.0225
                   ESB-2017.0224
                   ESB-2017.0081
                   ASB-2016.0119

Original Bulletin:
   http://www.ubuntu.com/usn/usn-3165-1

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3165-1
January 28, 2017

thunderbird vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Thunderbird.

Software Description:
- thunderbird: Mozilla Open Source mail and newsgroup client

Details:

Multiple memory safety issues were discovered in Thunderbird. If a user
were tricked into opening a specially crafted message, an attacker could
potentially exploit these to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2016-9893, CVE-2017-5373)

Andrew Krasichkov discovered that event handlers on <marquee> elements
were executed despite a Content Security Policy (CSP) that disallowed
inline JavaScript. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to conduct cross-site scripting (XSS) attacks. (CVE-2016-9895)

A memory corruption issue was discovered in WebGL in some circumstances.
If a user were tricked into opening a specially crafted website in a
browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9897)

A use-after-free was discovered when manipulating DOM subtrees in the
Editor. If a user were tricked into opening a specially crafted website in
a browsing context, an attacker could potentially exploit this to cause a
denial of service via application crash, or execute arbitrary code.
(CVE-2016-9898)

A use-after-free was discovered when manipulating DOM events and audio
elements. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to cause
a denial of service via application crash, or execute arbitrary code.
(CVE-2016-9899)

It was discovered that external resources that should be blocked when
loading SVG images can bypass security restrictions using data: URLs. An
attacker could potentially exploit this to obtain sensitive information.
(CVE-2016-9900)

Jann Horn discovered that JavaScript Map/Set were vulnerable to timing
attacks. If a user were tricked into opening a specially crafted website
in a browsing context, an attacker could potentially exploit this to
obtain sensitive information across domains. (CVE-2016-9904)

A crash was discovered in EnumerateSubDocuments while adding or removing
sub-documents. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to execute arbitrary code. (CVE-2016-9905)

JIT code allocation can allow a bypass of ASLR protections in some
circumstances. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5375)

Nicolas Grégoire discovered a use-after-free when manipulating XSL in
XSLT documents in some circumstances. If a user were tricked into opening
a specially crafted website in a browsing context, an attacker could
potentially exploit this to cause a denial of service via application
crash, or execute arbitrary code. (CVE-2017-5376)

Jann Horn discovered that an object's address could be discovered through
hashed codes of JavaScript objects shared between pages. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit this to obtain sensitive information.
(CVE-2017-5378)

A use-after-free was discovered during DOM manipulation of SVG content in
some circumstances. If a user were tricked into opening a specially
crafted website in a browsing context, an attacker could potentially
exploit this to cause a denial of service via application crash, or
execute arbitrary code. (CVE-2017-5380)

Armin Razmjou discovered that certain Unicode glyphs do not trigger
punycode display. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to spoof the URL bar contents. (CVE-2017-5383)

Jerri Rice discovered insecure communication methods in the Dev Tools JSON
Viewer. An attacker could potentially exploit this to gain additional
privileges. (CVE-2017-5390)

Filipe Gomes discovered a use-after-free in the media decoder in some
circumstances. If a user were tricked into opening a specially crafted
website in a browsing context, an attacker could potentially exploit this
to cause a denial of service via application crash, or execute arbitrary
code. (CVE-2017-5396)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  thunderbird 1:45.7.0+build1-0ubuntu0.16.10.1

Ubuntu 16.04 LTS:
  thunderbird 1:45.7.0+build1-0ubuntu0.16.04.1

Ubuntu 14.04 LTS:
  thunderbird 1:45.7.0+build1-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  thunderbird 1:45.7.0+build1-0ubuntu0.12.04.1

After a standard system update you need to restart Thunderbird to make
all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-3165-1
  CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898,
  CVE-2016-9899, CVE-2016-9900, CVE-2016-9904, CVE-2016-9905,
  CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378,
  CVE-2017-5380, CVE-2017-5383, CVE-2017-5390, CVE-2017-5396

Package Information:
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.16.10.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.16.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.14.04.1
  https://launchpad.net/ubuntu/+source/thunderbird/1:45.7.0+build1-0ubuntu0.12.04.1

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.