Arch Linux Security Advisory ASA-201706-20
==========================================

Severity: Critical
Date    : 2017-06-16
CVE-ID  : CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750
          CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756
          CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771
          CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775
          CVE-2017-7776 CVE-2017-7777 CVE-2017-7778
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-303

Summary
=======

The package thunderbird before version 52.2.0-1 is vulnerable to
multiple issues including arbitrary code execution, denial of service,
information disclosure and content spoofing.

Resolution
==========

Upgrade to 52.2.0-1.

# pacman -Syu "thunderbird>=52.2.0-1"

The problems have been fixed upstream in version 52.2.0.

Workaround
==========

None.

Description
===========

- CVE-2017-5470 (arbitrary code execution)

Several memory safety issues leading to arbitrary code execution have
been found in Firefox < 54.0 and Thunderbird < 52.2.

- CVE-2017-5472 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 54.0 and
Thunderbird < 52.2, in the frameloader during tree reconstruction while
regenerating CSS layout when attempting to use a node in the tree that
no longer exists.

- CVE-2017-7749 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, when using an incorrect URL during the reloading of a docshell.

- CVE-2017-7750 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, during video control operations when a element holds a reference
to an older window if that window has been replaced in the DOM.

- CVE-2017-7751 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, in content viewer listeners.
- CVE-2017-7752 (arbitrary code execution)

A use-after-free has been found in Firefox < 54.0 and Thunderbird <
52.2, during specific user interactions with the input method editor
(IME) in some languages due to how events are handled. This results in
a potentially exploitable crash but would require specific user
interaction to trigger.

- CVE-2017-7754 (information disclosure)

An out-of-bounds read has been found in Firefox < 54.0 and Thunderbird
< 52.2, with a maliciously crafted ImageInfo object during WebGL
operations.

- CVE-2017-7756 (arbitrary code execution)

A use-after-free and use-after-scope vulnerability has been found in
Firefox < 54.0 and Thunderbird < 52.2, when logging errors from headers
for XML HTTP Requests (XHR).

- CVE-2017-7757 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox < 54.0 and
Thunderbird < 52.2, in IndexedDB when one of its objects is destroyed
in memory while a method on it is still being executed.

- CVE-2017-7758 (information disclosure)

An out-of-bounds read vulnerability has been found in Firefox < 54.0
and Thunderbird < 52.2, with the Opus encoder when the number of
channels in an audio stream changes while the encoder is in use.

- CVE-2017-7764 (content spoofing)

A security issue has been found in Firefox < 54.0 and Thunderbird <
52.2, where characters from the "Canadian Syllabics" Unicode block can
be mixed with characters from other Unicode blocks in the address bar
instead of being rendered as their raw "punycode" form, allowing for
domain name spoofing attacks through character confusion. The current
Unicode standard allows characters from "Aspirational Use Scripts" such
as Canadian Syllabics to be mixed with Latin characters in the
"moderately restrictive" IDN profile. Firefox and Thunderbird behavior
has been changed to match the upcoming Unicode version 10.0 which
removes this category and treats them as "Limited Use Scripts."
- CVE-2017-7771 (information disclosure)

An out-of-bounds read has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in Pass::readPass.

- CVE-2017-7772 (arbitrary code execution)

A heap-buffer-overflow write has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

- CVE-2017-7773 (arbitrary code execution)

A heap-buffer-overflow write has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

- CVE-2017-7774 (information disclosure)

An out-of-bounds read has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in Silf::readGraphite.

- CVE-2017-7775 (denial of service)

An assertion failure has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2.

- CVE-2017-7776 (information disclosure)

A heap-buffer-overflow read has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in Silf::getClassGlyph.

- CVE-2017-7777 (information disclosure)

A use of uninitialized memory has been found in the Graphite 2 library
used in Firefox < 54.0 and Thunderbird < 52.2, in
GlyphCache::Loader::read_glyph.

- CVE-2017-7778 (arbitrary code execution)

An out-of-bounds write has been found in the Graphite 2 library used in
Firefox < 54.0 and Thunderbird < 52.2, in lz4::decompress.

Impact
======

A remote attacker may be able to crash Thunderbird, access sensitive
information, spoof content to trick the user into performing an
unwanted action and execute arbitrary code on the affected host.
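
As an added illustration of the display rule described under CVE-2017-7764 (not code from this advisory or from Mozilla), the Python sketch below flags domain labels that mix Canadian Syllabics with another script and renders those labels in punycode form. The block ranges, the name-based script approximation and the sample domains are assumptions of this example.

```python
import unicodedata

# Unified Canadian Aboriginal Syllabics and its Extended block.
SYLLABICS_RANGES = ((0x1400, 0x167F), (0x18B0, 0x18FF))


def is_canadian_syllabics(ch):
    return any(lo <= ord(ch) <= hi for lo, hi in SYLLABICS_RANGES)


def label_scripts(label):
    """Approximate the set of scripts used by the letters of one label."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens belong to no particular script
        if is_canadian_syllabics(ch):
            scripts.add("CANADIAN SYLLABICS")
        else:
            # Assumption: the first word of the character name stands in for
            # the Script property, which the standard library does not expose.
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixes_syllabics(label):
    """True when syllabics share a label with letters of another script."""
    scripts = label_scripts(label)
    return "CANADIAN SYLLABICS" in scripts and len(scripts) > 1


def display_form(domain):
    """Return the domain with every mixed label shown as raw punycode."""
    shown = []
    for label in domain.split("."):
        if mixes_syllabics(label):
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
        else:
            shown.append(label)  # single-script labels are left unchanged
    return ".".join(shown)


# Constructed samples (not taken from the advisory).
MIXED = "exam\u146dle.test"       # Latin letters plus one syllabics character
PURE = "\u1403\u14c4\u1483.test"  # syllabics only

if __name__ == "__main__":
    for name in (MIXED, PURE, "example.test"):
        print(ascii(name), "->", display_form(name))
```
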

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5470
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1359639%2C1349595%2C1352295%2C1352556%2C1342552%2C1342567%2C1346012%2C1366140%2C1368732%2C1297111%2C1362590%2C1357462%2C1363280%2C1349266%2C1352093%2C1348424%2C1347748%2C1356025%2C1325513%2C1367692
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-5472
https://bugzilla.mozilla.org/show_bug.cgi?id=1365602
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7749
https://bugzilla.mozilla.org/show_bug.cgi?id=1355039
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7750
https://bugzilla.mozilla.org/show_bug.cgi?id=1356558
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7751
https://bugzilla.mozilla.org/show_bug.cgi?id=1363396
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7752
https://bugzilla.mozilla.org/show_bug.cgi?id=1359547
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7754
https://bugzilla.mozilla.org/show_bug.cgi?id=1357090
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7756
https://bugzilla.mozilla.org/show_bug.cgi?id=1366595
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7757
https://bugzilla.mozilla.org/show_bug.cgi?id=1356824
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7758
https://bugzilla.mozilla.org/show_bug.cgi?id=1368490
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7764
https://bugzilla.mozilla.org/show_bug.cgi?id=1364283
http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts
https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/#CVE-2017-7778
https://bugzilla.mozilla.org/show_bug.cgi?id=1350047
https://bugzilla.mozilla.org/show_bug.cgi?id=1352745
https://bugzilla.mozilla.org/show_bug.cgi?id=1352747
https://www.mozilla.org/en-US/security/advisories/mfsa2017-17/#CVE-2017-7778
https://bugzilla.mozilla.org/show_bug.cgi?id=1355174
https://bugzilla.mozilla.org/show_bug.cgi?id=1355182
https://bugzilla.mozilla.org/show_bug.cgi?id=1356607
https://bugzilla.mozilla.org/show_bug.cgi?id=1358551
https://bugzilla.mozilla.org/show_bug.cgi?id=1349310
https://security.archlinux.org/CVE-2017-5470
https://security.archlinux.org/CVE-2017-5472
https://security.archlinux.org/CVE-2017-7749
https://security.archlinux.org/CVE-2017-7750
https://security.archlinux.org/CVE-2017-7751
https://security.archlinux.org/CVE-2017-7752
https://security.archlinux.org/CVE-2017-7754
https://security.archlinux.org/CVE-2017-7756
https://security.archlinux.org/CVE-2017-7757
https://security.archlinux.org/CVE-2017-7758
https://security.archlinux.org/CVE-2017-7764
https://security.archlinux.org/CVE-2017-7771
https://security.archlinux.org/CVE-2017-7772
https://security.archlinux.org/CVE-2017-7773
https://security.archlinux.org/CVE-2017-7774
https://security.archlinux.org/CVE-2017-7775
https://security.archlinux.org/CVE-2017-7776
https://security.archlinux.org/CVE-2017-7777
https://security.archlinux.org/CVE-2017-7778