Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0357-1 Final 1 1 2017-02-01T17:54:52Z current 2017-02-01T17:54:52Z 2017-02-01T17:54:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update to Mozilla Thunderbird 45.7.0 fixes security issues and bugs. The following security issues from advisory MFSA 2017-03 were fixed (boo#1021991) In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts: - CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP (boo#1021814) - CVE-2017-5376: Use-after-free in XSL (boo#1021817) - CVE-2017-5378: Pointer and frame data leakage of Javascript objects (boo#1021818) - CVE-2017-5380: Potential use-after-free during DOM manipulations (boo#1021819) - CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer (boo#1021820) - CVE-2017-5396: Use-after-free with Media Decoder (boo#1021821) - CVE-2017-5383: Location bar spoofing with unicode characters (boo#1021822) - CVE-2017-5373: Memory safety bugs fixed in Thunderbird 45.7 (boo#1021824) The following non-security bugs were fixed: - Message preview pane non-functional after IMAP folder was renamed or moved - 'Move To' button on 'Search Messages' panel not working - Message sent to 'undisclosed recipients' shows no recipient (non-functional since Thunderbird version 38) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2017-188 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1021814 SUSE Bug 1021814 https://bugzilla.suse.com/1021817 SUSE Bug 1021817 https://bugzilla.suse.com/1021818 SUSE Bug 1021818 https://bugzilla.suse.com/1021819 SUSE Bug 1021819 https://bugzilla.suse.com/1021820 SUSE Bug 1021820 https://bugzilla.suse.com/1021821 SUSE Bug 1021821 https://bugzilla.suse.com/1021822 SUSE Bug 1021822 https://bugzilla.suse.com/1021824 SUSE Bug 1021824 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 https://www.suse.com/security/cve/CVE-2017-5373/ SUSE CVE CVE-2017-5373 page https://www.suse.com/security/cve/CVE-2017-5375/ SUSE CVE CVE-2017-5375 page https://www.suse.com/security/cve/CVE-2017-5376/ SUSE CVE CVE-2017-5376 page https://www.suse.com/security/cve/CVE-2017-5378/ SUSE CVE CVE-2017-5378 page https://www.suse.com/security/cve/CVE-2017-5380/ SUSE CVE CVE-2017-5380 page https://www.suse.com/security/cve/CVE-2017-5383/ SUSE CVE CVE-2017-5383 page https://www.suse.com/security/cve/CVE-2017-5390/ SUSE CVE CVE-2017-5390 page https://www.suse.com/security/cve/CVE-2017-5396/ SUSE CVE CVE-2017-5396 page SUSE Package Hub 12 MozillaThunderbird-45.7.0-23.1 MozillaThunderbird-buildsymbols-45.7.0-23.1 MozillaThunderbird-devel-45.7.0-23.1 MozillaThunderbird-translations-common-45.7.0-23.1 MozillaThunderbird-translations-other-45.7.0-23.1 MozillaThunderbird-45.7.0-23.1 as a component of SUSE Package Hub 12 MozillaThunderbird-buildsymbols-45.7.0-23.1 as a component of SUSE Package Hub 12 MozillaThunderbird-devel-45.7.0-23.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-common-45.7.0-23.1 as a component of SUSE Package Hub 12 MozillaThunderbird-translations-other-45.7.0-23.1 as a component of SUSE Package Hub 12 Memory safety bugs were reported in Firefox 50.1 and Firefox ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5373 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5373.html CVE-2017-5373 https://bugzilla.suse.com/1021824 SUSE Bug 1021824 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 JIT code allocation can allow for a bypass of ASLR and DEP protections leading to potential memory corruption attacks. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5375 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5375.html CVE-2017-5375 https://bugzilla.suse.com/1021814 SUSE Bug 1021814 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 Use-after-free while manipulating XSL in XSLT documents. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5376 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5376.html CVE-2017-5376 https://bugzilla.suse.com/1021817 SUSE Bug 1021817 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 Hashed codes of JavaScript objects are shared between pages. This allows for pointer leaks because an object's address can be discovered through hash codes, and also allows for data leakage of an object's content using these hash codes. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5378 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5378.html CVE-2017-5378 https://bugzilla.suse.com/1021818 SUSE Bug 1021818 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 A potential use-after-free found through fuzzing during DOM manipulation of SVG content. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5380 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5380.html CVE-2017-5380 https://bugzilla.suse.com/1021819 SUSE Bug 1021819 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 URLs containing certain unicode glyphs for alternative hyphens and quotes do not properly trigger punycode display, allowing for domain name spoofing attacks in the location bar. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5383 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5383.html CVE-2017-5383 https://bugzilla.suse.com/1021822 SUSE Bug 1021822 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 The JSON viewer in the Developer Tools uses insecure methods to create a communication channel for copying and viewing JSON or HTTP headers data, allowing for potential privilege escalation. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5390 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5390.html CVE-2017-5390 https://bugzilla.suse.com/1021820 SUSE Bug 1021820 https://bugzilla.suse.com/1021991 SUSE Bug 1021991 A use-after-free vulnerability in the Media Decoder when working with media files when some events are fired after the media elements are freed from memory. This vulnerability affects Thunderbird < 45.7, Firefox ESR < 45.7, and Firefox < 51. CVE-2017-5396 SUSE Package Hub 12:MozillaThunderbird-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-buildsymbols-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-devel-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-common-45.7.0-23.1 SUSE Package Hub 12:MozillaThunderbird-translations-other-45.7.0-23.1 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5396.html CVE-2017-5396 https://bugzilla.suse.com/1021821 SUSE Bug 1021821 https://bugzilla.suse.com/1021991 SUSE Bug 1021991