Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13495 closed enhancement (fixed)

seamonkey-2.53.2

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: highest Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (9)

comment:1 by Douglas R. Reno, 4 years ago

Owner: changed from blfs-book to Douglas R. Reno
Priority: normal → highest
Status: new → assigned

What's New in SeaMonkey 2.53.2

SeaMonkey 2.53.2 contains (among other changes) the following major changes relative to SeaMonkey 2.53.1:

    Scrollbars have been switched over to the native gtk3 theme in bug 1625754. If your theme does not show scrollbar buttons and you would like to see them try editing ~/.config/gtk-3.0/gtk.css and adding the following:

        * {
          -GtkScrollbar-has-backward-stepper: 1;
          -GtkScrollbar-has-forward-stepper: 1;
        }

    The download progress dialog has been fixed and is now showing the correct status for downloads. Some downloads may not show the transferred count. This problem is under investigation.
    SeaMonkey is now translated and available in Finnish and Georgian.
    Because of website compatibility issues and privacy concerns the Lightning version is no longer appended to the user agent string and has been removed from the preferences dialog.
    Advanced Layers has been activated on Windows. This should boost performance on some websites. If you experience graphics problems please disable it by setting the pref "layers.mlgpu.enabled" to false.
    Whether the native app chooser is used in Linux is now controlled via a preference setting in the Helper Applications preference pane.
    In the Modern theme, popup notifications have improved styling and column headers now display sort direction arrows.
    The column picker and folder view have been reinstated for the bookmarks panel.
    Introduced the ability to close all tabs to the right of the current tab.
    Whether mailnews tabs open in the background is controlled by a separate preference to browser tabs via General Settings section of main Mail & Newsgroups preference pane.
    Fixed an issue with the recipient being missing when using Reply to Sender and Group button in Newsgroup discussions.
    SeaMonkey now prevents address books from having duplicate names.

SeaMonkey 2.53.2 contains (among other changes) the following major changes relative to SeaMonkey 2.49.5:

    The Bookmarks Manager has switched its name to Library, and now also includes the History list. When invoking History, the Library will be shown with the History list selected. The extensive modifications were needed because of Mozilla Gecko platform API changes.
    Download Manager has been migrated to a new API. Although it looks pretty much the same as before, the search option is missing and some other minor details work differently. The previous downloads history is removed during the upgrade.
    The layout panel was added to the CSS Grid tools.
    TLS 1.3 is the default SSL version now.
    The only NPAPI plugin which will work with SeaMonkey 2.53.2 is Flash. Support for other NPAPI plugins like Java and Silverlight has been removed.
    SeaMonkey now uses a new api for formatting regional data like time and date. Default is to use the application locale of the current SeaMonkey build. If you use a language pack or a different OS formatting this is usually not desired. You can change the formatting from the application locale to the regional settings locale (OS) in the preferences dialog under "Appearance".

SeaMonkey 2.53.2 uses the same backend as Firefox and contains the relevant Firefox 60.3 security fixes.

SeaMonkey 2.53.2 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.

Additional important security fixes up to Current Firefox 74 and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to.

SeaMonkey-specific changes

    SeaMonkey now uses gtk3 on Linux. If you experience a problem because of this please file a bug and link it to bug 1367257. Please try another OS theme first. Some of them are buggy and cause problems with SeaMonkey, Thunderbird and Firefox.

This includes 14 major releases worth of Firefox security vulnerabilities, all the way up to 74. That's 150+ security fixes in this release, a bunch of them are likely high or critical. This is my first priority for the day, and I'm going to mark it as "Highest" as a result.

The rustc patch has been applied upstream.

comment:2 by Douglas R. Reno, 4 years ago

The glibc fix can be removed too!

comment:3 by Douglas R. Reno, 4 years ago

The Firefox 60.3esr security advisory linked above

Announced
    October 23, 2018
Impact
    critical
Products
    Firefox ESR
Fixed in

        Firefox ESR 60.3
#CVE-2018-12391: HTTP Live Stream audio data is accessible cross-origin

Reporter
    Jun Kokatsu
Impact
    high

Description

During HTTP Live Stream playback on Firefox for Android, audio data can be accessed across origins in violation of security policies. Because the problem is in the underlying Android service, this issue is addressed by treating all HLS streams as cross-origin and opaque to access.
Note: this issue only affects Firefox for Android. Desktop versions of Firefox are unaffected.
References

    Bug 1478843

#CVE-2018-12392: Crash with nested event loops

Reporter
    Nils
Impact
    high

Description

When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling.
References

    Bug 1492823

#CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript

Reporter
    R at Zero Day LLC
Impact
    high

Description

A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write.
Note: 64-bit builds are not vulnerable to this issue.
References

    Bug 1495011

#CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting

Reporter
    Rob Wu, Andrew Swan
Impact
    moderate

Description

By rewriting the Host request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted.
References

    Bug 1467523

#CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts

Reporter
    Rob Wu
Impact
    moderate

Description

A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run.
References

    Bug 1483602

#CVE-2018-12397: Missing warning prompt when WebExtension requests local file access

Reporter
    Rob Wu
Impact
    moderate

Description

A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened.
References

    Bug 1487478

#CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3

Reporter
    Mozilla developers and community
Impact
    low

Description

Mozilla developers and community members Daniel Veditz and Philipp reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox ESR 60.3

#CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Christian Holler, Bob Owen, Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, Raymond Forbes, and Bogdan Tara reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
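
Added illustration for CVE-2018-12393 above (not part of the ticket and not Mozilla's code): a C model of how a 32-bit size computation for a UTF-16 buffer wraps to a tiny value, next to a checked version that refuses the conversion. The function names, the `size32_t` type standing in for a 32-bit build, and the Latin-1 input are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: model a 32-bit build by doing all size arithmetic in 32 bits. */
typedef uint32_t size32_t;

/* Flawed sizing: bytes for `units` UTF-16 code units; wraps modulo 2^32. */
size32_t utf16_bytes_unchecked(size32_t units)
{
    return units * (size32_t)sizeof(uint16_t);
}

/* Hardened sizing: reject any count whose byte size cannot be represented. */
bool utf16_bytes_checked(size32_t units, size32_t *bytes)
{
    if (units > UINT32_MAX / (size32_t)sizeof(uint16_t))
        return false;
    *bytes = units * (size32_t)sizeof(uint16_t);
    return true;
}

/* Widen Latin-1 bytes to UTF-16 using the checked size.
 * Returns NULL, without reading src, when the size would overflow. */
uint16_t *widen_latin1(const uint8_t *src, size32_t len)
{
    size32_t bytes;
    if (!utf16_bytes_checked(len, &bytes))
        return NULL;
    uint16_t *dst = malloc(bytes ? bytes : 1);
    if (dst == NULL)
        return NULL;
    for (size32_t i = 0; i < len; i++)
        dst[i] = src[i];
    return dst;
}

int main(void)
{
    const size32_t huge = 0x80000001u; /* constructed script length */
    printf("unchecked: %u units -> %u bytes\n",
           (unsigned)huge, (unsigned)utf16_bytes_unchecked(huge));
    printf("checked conversion rejected: %s\n",
           widen_latin1((const uint8_t *)"x", huge) == NULL ? "yes" : "no");
    return 0;
}
```

With the unchecked sizing, a buffer allocated from the wrapped result would be far smaller than the data the conversion loop writes, which is the out-of-bounds write the advisory describes.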

comment:4 by Douglas R. Reno, 4 years ago

The Thunderbird Advisory linked above

Mozilla Foundation Security Advisory 2018-19
Security vulnerabilities fixed in Thunderbird 60

Announced
    August 1, 2018
Impact
    critical
Products
    Thunderbird
Fixed in

        Thunderbird 60

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2018-12359: Buffer overflow using computed size of canvas element

Reporter
    Nils
Impact
    critical

Description

A buffer overflow can occur when rendering canvas content while adjusting the height and width of the <canvas> element dynamically, causing data to be written outside of the currently computed boundaries. This results in a potentially exploitable crash.
References

    Bug 1459162

#CVE-2018-12360: Use-after-free when using focus()

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. This results in a potentially exploitable crash.
References

    Bug 1459693

#CVE-2018-12361: Integer overflow in SwizzleData

Reporter
    R at Zero Day LLC
Impact
    critical

Description

An integer overflow can occur in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash.
References

    Bug 1463244

#CVE-2018-12362: Integer overflow in SSSE3 scaler

Reporter
    F. Alonso (revskills)
Impact
    high

Description

An integer overflow can occur during graphics operations done by the Supplemental Streaming SIMD Extensions 3 (SSSE3) scaler, resulting in a potentially exploitable crash.
References

    Bug 1452375

#CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture

Reporter
    Nils
Impact
    high

Description

A vulnerability can occur when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash.
References

    Bug 1453127

#CVE-2018-12363: Use-after-free when appending DOM nodes

Reporter
    Nils
Impact
    high

Description

A use-after-free vulnerability can occur when script uses mutation events to move DOM nodes between documents, resulting in the old document that held the node being freed but the node still having a pointer referencing it. This results in a potentially exploitable crash.
References

    Bug 1464784

#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins

Reporter
    David Black
Impact
    high

Description

NPAPI plugins, such as Adobe Flash, can send non-simple cross-origin requests, bypassing CORS by making a same-origin POST that does a 307 redirect to the target site. This allows for a malicious site to engage in cross-site request forgery (CSRF) attacks.
References

    Bug 1436241

#CVE-2018-12365: Compromised IPC child process can list local filenames

Reporter
    Alex Gaynor
Impact
    moderate

Description

A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files.
References

    Bug 1459206

#CVE-2018-12371: Integer overflow in Skia library during edge builder allocation

Reporter
    anonymous
Impact
    moderate

Description

An integer overflow vulnerability in the Skia library when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash.
References

    Bug 1465686

#CVE-2018-12366: Invalid data handling during QCMS transformations

Reporter
    OSS-Fuzz
Impact
    moderate

Description

An invalid grid size during QCMS (color profile) transformations can result in the out-of-bounds read interpreted as a float value. This could leak private data into the output.
References

    Bug 1464039

#CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming

Reporter
    Andrea Marchesini
Impact
    moderate

Description

In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work, PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer.
References

    Bug 1462891

#CVE-2018-12368: No warning when opening executable SettingContent-ms files

Reporter
    Abdulrahman Alqabandi
Impact
    moderate

Description

Windows 10 does not warn users before opening executable files with the SettingContent-ms extension even when they have been downloaded from the internet and have the "Mark of the Web." Without the warning, unsuspecting users unfamiliar with this new file type might run an unwanted executable. This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems.
Note: this issue only affects Windows operating systems. Other operating systems are unaffected.
References

    Bug 1468217
    The Tale of SettingContent-ms Files

#CVE-2018-5187: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Christian Holler, Sebastian Hengst, Nils Ohlmeier, Jon Coppeard, Randell Jesup, Ted Campbell, Gary Kwong, and Jean-Yves Avenard reported memory safety bugs present in Firefox 60 and Firefox ESR 60. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60

#CVE-2018-5188: Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 60

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Alex Gaynor, Christoph Diehl, Christian Holler, Jason Kratzer, David Major, Jon Coppeard, Nicolas B. Pierron, Jason Kratzer, Marcia Knous, and Ronald Crane reported memory safety bugs present in Firefox 60, Firefox ESR 60, and Firefox ESR 52.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 60

comment:5 by Douglas R. Reno, 4 years ago

That's not including the vulnerability fixes from Firefox-60.1esr all the way up to Firefox-74...

in reply to:  1 comment:6 by Bruce Dubbs, 4 years ago

Replying to renodr:

What's New in SeaMonkey 2.53.2

Scrollbars have been switched over to the native gtk3 theme in bug 1625754. If your theme does not show scrollbar buttons and you would like to see them try editing ~/.config/gtk-3.0/gtk.css and adding the following:

       * {
         -GtkScrollbar-has-backward-stepper: 1;
         -GtkScrollbar-has-forward-stepper:  1;
       }

I love this. Let's add it to the gtk3 configuration section.

comment:7 by Douglas R. Reno, 4 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r23070

comment:8 by Bruce Dubbs, 4 years ago

Milestone: 9.2 → 10,0

Milestone renamed

comment:9 by Bruce Dubbs, 4 years ago

Milestone: 10,0 → 10.0

Milestone renamed
