[manjaro-security] [arch-security] [ASA-201603-21] thunderbird: multiple issues

[Remi Gacogne]

Arch Linux Security Advisory ASA-201603-21
==========================================

Severity: Critical
Date    : 2016-03-20
CVE-ID  : CVE-2016-1952 CVE-2016-1953 CVE-2016-1954 CVE-2016-1957
CVE-2016-1960 CVE-2016-1961 CVE-2016-1964 CVE-2016-1966 CVE-2016-1974
CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 CVE-2016-2793
CVE-2016-2794 CVE-2016-2795 CVE-2016-2796 CVE-2016-2797 CVE-2016-2798
CVE-2016-2799 CVE-2016-2800 CVE-2016-2801 CVE-2016-2802
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package thunderbird before version 38.7.0-1 is vulnerable to
multiple issues.

Resolution
==========

Upgrade to 38.7.0-1.

# pacman -Syu "thunderbird>=38.7.0-1"

The problem has been fixed upstream in version 38.7.0.

Workaround
==========

None.

Description
===========

- CVE-2016-1952 CVE-2016-1953 (arbitrary code execution):

Mozilla developers fixed several memory safety bugs in the browser
engine used in Firefox and other Mozilla-based products. Some of these
bugs showed evidence of memory corruption under certain circumstances,
and we presume that with enough effort at least some of these could be
exploited to run arbitrary code.

- CVE-2016-1954 (privilege escalation):

Security researcher Nicolas Golubovic reported that a malicious page can
overwrite files on the user's machine using Content Security Policy
(CSP) violation reports. The file contents are restricted to the JSON
format of the report. In many cases overwriting a local file may simply
be destructive, breaking the functionality of that file. The CSP error
reports can include HTML fragments which could be rendered by browsers.
If a user has disabled add-on signing and has installed an "unpacked"
add-on, a malicious page could overwrite one of the add-on resources.
Depending on how this resource is used, this could lead to privilege
escalation.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1957 (resource consumption):

Security researchers Jose Martinez and Romina Santillan reported a
memory leak in the libstagefright library when array destruction occurs
during MPEG4 video file processing.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1960 (arbitrary code execution):

Security researcher ca0nguyen, working with HP's Zero Day Initiative,
reported a use-after-free issue in the HTML5 string parser when parsing
a particular set of table-related tags in a foreign fragment context
such as SVG. This results in a potentially exploitable crash.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1961 (arbitrary code execution):

Security researcher lokihardt, working with HP's Zero Day Initiative,
reported a use-after-free issue in the SetBody function of HTMLDocument.
This results in a potentially exploitable crash.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1964 (arbitrary code execution):

Security researcher Nicolas Grégoire used the Address Sanitizer to find
a use-after-free during XML transformation operations. This results in a
potentially exploitable crash triggerable by web content.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1966 (remote code execution):

The Communications Electronics Security Group (UK) of the GCHQ reported
a dangling pointer dereference within the Netscape Plugin Application
Programming Interface (NPAPI) that could lead to the NPAPI subsystem
crashing. This issue requires a maliciously crafted NPAPI plugin in
concert with scripted web content, resulting in a potentially
exploitable crash when triggered.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1974 (denial of service):

Security researcher Ronald Crane reported an out-of-bounds read
following a failed allocation in the HTML parser while working with
unicode strings. This can also affect the parsing of XML and SVG format
data. This leads to a potentially exploitable crash.

In general this flaw cannot be exploited through email in the
Thunderbird product because scripting is disabled, but is potentially a
risk in browser or browser-like contexts.

- CVE-2016-1977 CVE-2016-2790 CVE-2016-2791 CVE-2016-2792 CVE-2016-2793
CVE-2016-2794 CVE-2016-2795 CVE-2016-2796 CVE-2016-2797 CVE-2016-2798
CVE-2016-2799 CVE-2016-2800 CVE-2016-2801 CVE-2016-2802 (buffer overflow):

Security researcher Holger Fuhrmannek and Mozilla security engineer
Tyson Smith reported a number of security vulnerabilities in the
Graphite 2 library affecting version 1.3.5.

The issue reported by Holger Fuhrmannek is a mechanism to induce stack
corruption with a malicious graphite font. This leads to a potentially
exploitable crash when the font is loaded.

Tyson Smith used the Address Sanitizer tool in concert with a custom
software fuzzer to find a series of uninitialized memory, out-of-bounds
read, and out-of-bounds write errors when working with fuzzed graphite
fonts.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird38.7
https://www.mozilla.org/en-US/security/advisories/mfsa2016-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-17/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-20/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-23/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-24/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-27/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-31/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-34/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-37/
https://access.redhat.com/security/cve/CVE-2016-1952
https://access.redhat.com/security/cve/CVE-2016-1953
https://access.redhat.com/security/cve/CVE-2016-1954
https://access.redhat.com/security/cve/CVE-2016-1957
https://access.redhat.com/security/cve/CVE-2016-1960
https://access.redhat.com/security/cve/CVE-2016-1961
https://access.redhat.com/security/cve/CVE-2016-1964
https://access.redhat.com/security/cve/CVE-2016-1966
https://access.redhat.com/security/cve/CVE-2016-1974
https://access.redhat.com/security/cve/CVE-2016-1977
https://access.redhat.com/security/cve/CVE-2016-2790
https://access.redhat.com/security/cve/CVE-2016-2791
https://access.redhat.com/security/cve/CVE-2016-2792
https://access.redhat.com/security/cve/CVE-2016-2793
https://access.redhat.com/security/cve/CVE-2016-2794
https://access.redhat.com/security/cve/CVE-2016-2795
https://access.redhat.com/security/cve/CVE-2016-2796
https://access.redhat.com/security/cve/CVE-2016-2797
https://access.redhat.com/security/cve/CVE-2016-2798
https://access.redhat.com/security/cve/CVE-2016-2799
https://access.redhat.com/security/cve/CVE-2016-2800
https://access.redhat.com/security/cve/CVE-2016-2801
https://access.redhat.com/security/cve/CVE-2016-2802

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160320/62e4e0aa/attachment.pgp>