[Stable Update] 2017-08-24 thunderbird security update

update
stable
security

#1

Summary

The package thunderbird before version 52.3.0-0.91 is vulnerable to multiple issues including arbitrary code execution, content spoofing, information disclosure, same-origin policy bypass and access restriction bypass.

This was built in a slightly different way to newsbeuter, please let me know of any issues.

Resolution

Upgrade to 52.3.0-0.91 (and 52.3.0-1 when it becomes available).

# pacman -Syu "thunderbird>=52.3.0-0.91"

The problems have been fixed upstream in version 52.3.0.

Workaround

None.

Description

  • CVE-2017-7753 (information disclosure)

An out-of-bounds read has been found in firefox < 55.0 and thunderbird < 52.3, when applying style rules to pseudo-elements, such as ::first-line, using cached style data.

  • CVE-2017-7779 (arbitrary code execution)

Several memory safety bugs have been found in firefox < 55.0 and thunderbird < 52.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.

  • CVE-2017-7784 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.

  • CVE-2017-7785 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.

  • CVE-2017-7786 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.

  • CVE-2017-7787 (same-origin policy bypass)

Same-origin policy protections can be bypassed in firefox < 55.0 and thunderbird < 52.3, on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page and leading to information disclosure.

  • CVE-2017-7791 (content spoofing)

A content spoofing issue has been found in firefox < 55.0 and thunderbird < 52.3. On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing the origin of the modal alert from the iframe content.

  • CVE-2017-7792 (arbitrary code execution)

A buffer overflow has been found in firefox < 55.0 and thunderbird < 52.3, when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.

  • CVE-2017-7800 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, in WebSockets, when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.

  • CVE-2017-7801 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.

  • CVE-2017-7802 (arbitrary code execution)

A use-after-free vulnerability has been found in firefox < 55.0 and thunderbird < 52.3, when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.

  • CVE-2017-7803 (access restriction bypass)

A security issue has been found in firefox < 55.0 and thunderbird < 52.3. When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.

  • CVE-2017-7807 (content spoofing)

A domain hijacking flaw has been found in firefox < 55.0 and thunderbird < 52.3: a mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.

  • CVE-2017-7809 (arbitrary code execution)

A use-after-free issue has been found in firefox < 55.0 and thunderbird < 52.3, when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.

Impact

A remote attacker can access sensitive information, bypass security restrictions, crash the application or execute arbitrary code on the affected host.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7753
https://bugzilla.mozilla.org/show_bug.cgi?id=1353312
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7779
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1354443%2C1368576%2C1366903%2C1369913%2C1371424%2C1346590%2C1371890%2C1372985%2C1362924%2C1368105%2C1369994%2C1371283%2C1368362%2C1378826%2C1380426%2C1368030%2C1373220%2C1321384%2C1383002
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7784
https://bugzilla.mozilla.org/show_bug.cgi?id=1376087
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7785
https://bugzilla.mozilla.org/show_bug.cgi?id=1356985
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7786
https://bugzilla.mozilla.org/show_bug.cgi?id=1365189
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7787
https://bugzilla.mozilla.org/show_bug.cgi?id=1322896
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7791
https://bugzilla.mozilla.org/show_bug.cgi?id=1365875
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7792
https://bugzilla.mozilla.org/show_bug.cgi?id=1368652
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7800
https://bugzilla.mozilla.org/show_bug.cgi?id=1374047
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7801
https://bugzilla.mozilla.org/show_bug.cgi?id=1371259
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7802
https://bugzilla.mozilla.org/show_bug.cgi?id=1378147
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7803
https://bugzilla.mozilla.org/show_bug.cgi?id=1377426
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7807
https://bugzilla.mozilla.org/show_bug.cgi?id=1376459
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7809
https://bugzilla.mozilla.org/show_bug.cgi?id=1380284
https://security.archlinux.org/CVE-2017-7753
https://security.archlinux.org/CVE-2017-7779
https://security.archlinux.org/CVE-2017-7784
https://security.archlinux.org/CVE-2017-7785
https://security.archlinux.org/CVE-2017-7786
https://security.archlinux.org/CVE-2017-7787
https://security.archlinux.org/CVE-2017-7791
https://security.archlinux.org/CVE-2017-7792
https://security.archlinux.org/CVE-2017-7800
https://security.archlinux.org/CVE-2017-7801
https://security.archlinux.org/CVE-2017-7802
https://security.archlinux.org/CVE-2017-7803
https://security.archlinux.org/CVE-2017-7807
https://security.archlinux.org/CVE-2017-7809



#2

US-CERT issued an alert on August 21.
https://www.us-cert.gov/ncas/current-activity/2017/08/21/Mozilla-Releases-Security-Update


#3

This update is available in Stable and not Testing.


#4

This might be a stupid question, but will we see this in the Testing branch too, or do we need to temporarily switch to Stable?


#5

While installing the update I have a conflict with thunderbird-kde, the default thunderbird in Manjaro-KDE. Will there be an updated thunderbird-kde or do I need to change now? How much different is the kde version from the not kde version?


#6

The KDE version just uses KDE’s file dialogs instead of GTK file dialogs.


#7

So it will look different? Or what is different: file dialogs??? What exactly does that mean?


#8

KDE file dialog:

GTK file dialog:


#9

This is utterly wrong doing it like this. With today's update it will be reverted anyway. If there is a thunderbird issue we have to conclude all packages, including i18n and kde version. @jonathon: please consult other packagers first in that regard.


#10

Since we have a lot of dependencies with this one, we have to consider how we handle thunderbird updates. Version v52.3.0-1 will be added with all translations and also kde version today to testing branch.


#11

Steps on how to test if current thunderbird version works for stable branch:

  • check which packages you have installed with: pacman -Qq | grep thunderbird

  • install the needed packages with sudo pacman -U <path/to/server>/<package-name> <path/to/server>/<package-name>

  • Replace <path/to/server> with http://repo.manjaro.org.uk/pool/overlay/ for firefox packages.

  • Replace <path/to/server> with http://repo.manjaro.org.uk/pool/sync/ for firefox-i18n packages.

  • Replace <package-name> with firefox or firefox-i18n package names like:

thunderbird-kde-52.3.0-1-i686.pkg.tar.xz or thunderbird-kde-52.3.0-1-x86_64.pkg.tar.xz
thunderbird-52.3.0-1-i686.pkg.tar.xz or thunderbird-52.3.0-1-x86_64.pkg.tar.xz
thunderbird-i18n-en-gb-52.3.0-1-any.pkg.tar.xz

When we have enough positive feedback from the community, we can move those packages 1:1 also to our stable branch.
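
A version check to run before and after the manual install described above, as an added example that is not part of the original posts: it reads `pacman -Q` output, compares the installed thunderbird or thunderbird-kde build against the fixed version 52.3.0-0.91 from the advisory, and reports language packs whose pkgver differs from the application's. The function names and the sample input are constructed for illustration, and GNU `sort -V` stands in for pacman's own version comparison.

```shell
#!/bin/sh
# Added example (not from the thread): audit `pacman -Q` output against the
# fixed build named in the advisory.
FIXED="52.3.0-0.91"   # from the Resolution section of post #1

# version_lt A B: succeeds when A sorts strictly before B.
# GNU `sort -V` stands in for pacman's own comparison (vercmp); this assumes
# versions without an epoch prefix, as for every version quoted on the page.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_thunderbird: reads "name version" lines on stdin, prints a verdict for
# each thunderbird package, returns 1 if the application is below FIXED.
audit_thunderbird() {
    app_ver="" packs="" rc=0
    while read -r name ver; do
        case "$name" in
            thunderbird|thunderbird-kde)
                app_ver=$ver
                if version_lt "$ver" "$FIXED"; then
                    echo "VULNERABLE $name $ver (fixed in $FIXED)"; rc=1
                else
                    echo "OK $name $ver"
                fi ;;
            thunderbird-i18n-*)   # checked after the loop, once app_ver is known
                packs="$packs$name $ver
" ;;
        esac
    done
    [ -n "$app_ver" ] || { echo "no thunderbird package installed"; return 0; }
    # A language pack should carry the same pkgver (the part before -pkgrel).
    while read -r name ver; do
        [ -n "$name" ] || continue
        [ "${ver%-*}" = "${app_ver%-*}" ] ||
            echo "MISMATCH $name $ver (application is $app_ver)"
    done <<EOF
$packs
EOF
    return "$rc"
}

# Constructed sample input; on a real host use: pacman -Q | audit_thunderbird
sample_pacman_q() {
    printf '%s\n' "firefox 55.0-1" "thunderbird-i18n-de 52.2.1-1" "thunderbird-kde 52.2.1-1"
}

sample_pacman_q | audit_thunderbird || echo "update required"
```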


#12

I have followed your advice Lisa and checked which packages I have:

pacman -Qq | grep thunderbird
thunderbird-kde
$ ~ >

I then installed the KDE update:

sudo pacman -U http://repo.manjaro.org.uk/pool/overlay/thunderbird-kde-52.3.0-1-x86_64.pkg.tar.xz
[sudo] password for jan: 
 thunderbird-kde-52.3.0-1-x86_64                                        40.7 MiB   317K/s 02:11 [########################################################] 100%
 thunderbird-kde-52.3.0-1-x86_64.sig                                   566.0   B  0.00B/s 00:00 [########################################################] 100%
loading packages...
resolving dependencies...
looking for conflicting packages...

Packages (1) thunderbird-kde-52.3.0-1

Total Installed Size:  106.17 MiB
Net Upgrade Size:        0.84 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                                                  [########################################################] 100%
(1/1) checking package integrity                                                                [########################################################] 100%
(1/1) loading package files                                                                     [########################################################] 100%
(1/1) checking for file conflicts                                                               [########################################################] 100%
(1/1) checking available disk space                                                             [########################################################] 100%
:: Processing package changes...
(1/1) upgrading thunderbird-kde                                                                 [########################################################] 100%
:: Running post-transaction hooks...
(1/3) Updating icon theme caches...
(2/3) Arming ConditionNeedsUpdate...
(3/3) Updating the desktop file MIME type cache...
$ ~ >

Now I am using the latest Thunderbird-KDE version and things look okay. I am on Stable, btw. I will keep “playing” with it to see if I find something which works differently or not at all.


#13

I have done the installation instructions. As a DE I use Cinnamon. Since I need the German language pack, the second step did not work. However Thunderbird runs nevertheless in the 52.3 version in German language. The language files from the 52.2 version may be the same.


#14

You should also install the correct thunderbird-i18n package for your language.


#15

When I did this:

pacman -Qq | grep thunderbird
thunderbird-kde

There was only one package, the main Thunderbird package. I use the English version, as I do with every piece of software. Is it also necessary then, and if so what is the name of the package I should install as well?


#16

I use thunderbird-i18n-en-us

sudo pacman -U http://repo.stdout.net/manjaro/pool/sync/thunderbird-i18n-en-us-52.3.0-1-any.pkg.tar.xz

#17

I have now installed the right language-pack. For German it means:
sudo pacman -U http://repo.stdout.net/manjaro/pool/sync/thunderbird-i18n-de-52.3.0-1-any.pkg.tar.xz


#18

I have tried, but had no response: https://forum.manjaro.org/t/security-process-and-policy/29515

If other packagers were on top of security updates that would be even better.

Is a different package and does not depend on thunderbird.

For ‘critical’ etc. updates two days is too long, even though thunderbird is still 52.2.1 in e.g. Ubuntu.

But let’s discuss this in the other thread.


#19

I have checked here
https://forum.manjaro.org/t/pushing-security-update-to-stable-newsbeuter/29644/6?source_topic_id=29811
where the advice is to not push only to stable but to all branches … better to push to unstable and testing and after two days (I think two days in testing is reasonable) move to stable …


#20

agree :wink: