Opened 5 years ago
Closed 5 years ago
#12465 closed enhancement (fixed)
seamonkey-2.49.5
| Reported by: | Bruce Dubbs | Owned by: | Bruce Dubbs |
|---|---|---|---|
| Priority: | highest | Milestone: | 9.1 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version.
Change History (4)
comment:1 by , 5 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 5 years ago
comment:3 by , 5 years ago
| Priority: | normal → highest |
|---|
First, here's the Thunderbird release notes that it mentions:
What’s New
changed
Thunderbird will now prompt to compact IMAP folders even if the account is online. Note: Under certain circumstances an incorrect estimate of the expected gain is shown.
fixed
Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security.
fixed
Various problems when forwarding messages inline when using "simple" HTML view
fixed
Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0)
fixed
Various security fixes
Here are the security fixes for Thunderbird:
Mozilla Foundation Security Advisory 2018-18
Security vulnerabilities fixed in Thunderbird 52.9
Announced
July 3, 2018
Impact
critical
Products
Thunderbird
Fixed in
Thunderbird 52.9
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2018-12359: Buffer overflow using computed size of canvas element
Reporter
Nils
Impact
critical
Description
A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash.
References
Bug 1459162
#CVE-2018-12360: Use-after-free when using focus()
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.
References
Bug 1459693
#CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails
Reporter
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
Impact
high
Description
Decrypted S/MIME parts, when included in HTML crafted for an attack, can leak plaintext when included in a a HTML reply/forward.
References
Bug 1419417
#CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
Reporter
Damian Poddebniak, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, Jörg Schwenk
Impact
high
Description
dDecrypted S/MIME parts hidden with CSS or <plaintext> can leak plaintext when included in a HTML reply/forward.
References
CVE-2018-12373
Suppress <plaintext> in email messages
#CVE-2018-12362: Integer overflow in SSSE3 scaler
Reporter
F. Alonso (revskills)
Impact
high
Description
An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash.
References
Bug 1452375
#CVE-2018-12363: Use-after-free when appending DOM nodes
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash.
References
Bug 1464784
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
Reporter
David Black
Impact
high
Description
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks.
References
Bug 1436241
#CVE-2018-12365: Compromised IPC child process can list local filenames
Reporter
Alex Gaynor
Impact
moderate
Description
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files.
References
Bug 1459206
#CVE-2018-12366: Invalid data handling during QCMS transformations
Reporter
OSS-Fuzz
Impact
moderate
Description
An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output.
References
Bug 1464039
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems
Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
References
Bug 1468217
The Tale of SettingContent-ms Files
#CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field
Reporter
Hanno Boeck
Impact
low
Description
Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field.
References
Bug 1462910
#CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, Firefox ESR 52.8, and Thunderbird 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
Now Firefox:
Mozilla Foundation Security Advisory 2018-17
Security vulnerabilities fixed in Firefox ESR 52.9
Announced
June 26, 2018
Impact
critical
Products
Firefox ESR
Fixed in
Firefox ESR 52.9
#CVE-2018-12359: Buffer overflow using computed size of canvas element
Reporter
Nils
Impact
critical
Description
A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash.
References
Bug 1459162
#CVE-2018-12360: Use-after-free when using focus()
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.
References
Bug 1459693
#CVE-2018-12362: Integer overflow in SSSE3 scaler
Reporter
F. Alonso (revskills)
Impact
high
Description
An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash.
References
Bug 1452375
#CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
Reporter
Nils
Impact
high
Description
A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occuring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash.
References
Bug 1453127
#CVE-2018-12363: Use-after-free when appending DOM nodes
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash.
References
Bug 1464784
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
Reporter
David Black
Impact
high
Description
NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks.
References
Bug 1436241
#CVE-2018-12365: Compromised IPC child process can list local filenames
Reporter
Alex Gaynor
Impact
moderate
Description
A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files.
References
Bug 1459206
#CVE-2018-12366: Invalid data handling during QCMS transformations
Reporter
OSS-Fuzz
Impact
moderate
Description
An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output.
References
Bug 1464039
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
Reporter
Abdulrahman Alqabandi
Impact
moderate
Description
Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems
Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
References
Bug 1468217
The Tale of SettingContent-ms Files
#CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Firefox ESR 52.9
Note:
See TracTickets
for help on using tickets.
What's New in SeaMonkey 2.49.5
SeaMonkey 2.49.5 contains (among other changes) the following major changes relative to SeaMonkey 2.49.4:
SeaMonkey 2.49.5 uses the same backend as Firefox and contains the relevant Firefox 52.9.0 ESR security fixes.
SeaMonkey 2.49.5 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 52.9.1 release notes for specific changes and security fixes in this release.
Additional security fixes up to ESR 60.2 and a few enhancements have been backported. SeaMonkey-specific changes
and link it to Switch Linux builds to GTK3 with SeaMonkey 2.49. Pleae try another OS theme first. Some of them are buggy and cause problems with SeaMonkey, Thunderbird and Firefox.