seamonkey-2.53.6

[Douglas R. Reno]

New point version

Contains security fixes from Firefox-78.6 and Thunderbird-78.6

[Douglas R. Reno]

What's New in SeaMonkey 2.53.6

SeaMonkey 2.53.6 contains (among other changes) the following major changes relative to SeaMonkey 2.53.5.1:

    Improve usability of multiple mailboxes/folders selectionbug 1600103.
    Add Greek localisation (el).
    Remove more RDF from mailnews code.
    Switch to mozilla as topsrcdir and component for building is comm/suite now.
    Rust support is now up to 1.48 and official build is now using 1.47.0
    Various security and general platform fixes.

SeaMonkey 2.53.6 contains (among other changes) the following major changes relative to SeaMonkey 2.49.5:

    The Bookmarks Manager has switched its name to Library, and now also includes the History list. When invoking History, the Library will be shown with the History list selected. The extensive modifications were needed because of Mozilla Gecko platform API changes.
    Download Manager has been migrated to a new API. Although it looks pretty much the same as before, the search option is missing and some other minor details work differently. The previous downloads history is removed during the upgrade.
    The layout panel was added to the CSS Grid tools.
    TLS 1.3 is the default SSL version now.
    The only NPAPI plugin which will work with SeaMonkey 2.53.6 is Flash. Support for other NPAPI plugins like Java and Silverlight has been removed. For displaying pdf files in the browser you can use pdf.js-seamonkey from Isaac Schemm.
    SeaMonkey now uses a new api for formatting regional data like time and date. Default is to use the application locale of the current SeaMonkey build. If you use a language pack or a different OS formatting this is usually not desired. You can change the formatting from the application locale to the regional settings locale (OS) in the preferences dialog under "Appearance".

SeaMonkey 2.53.6 uses the same backend as Firefox and contains the relevant Firefox 60.8 security fixes.

SeaMonkey 2.53.6 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 60.0 release notes for specific changes and security fixes in this release.

Additional important security fixes up to Current Firefox 78.6 ESR and a few enhancements have been backported. We will continue to enhance SeaMonkey security in subsequent 2.53.x beta and release versions as fast as we are able to. 

Ken, it's worth noting that this should be compatible with rust-1.48.0 should we need to upgrade anytime soon

On that note, it's time for some security fixes. The previous version of seamonkey, 2.53.5.1, included fixes from Firefox and Thunderbird 78.4.0esr.

Security fixes from Firefox-78.4.1esr:

CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for

Reporter
    360政企安全漏洞研究院 in Tianfu Cup 2020 International Cybersecurity Contest
Impact
    critical

Description

In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition.
References

    Bug 1675905

Security fixes from Firefox-78.5.0esr:

#CVE-2020-26951: Parsing mismatches could confuse and bypass security sanitizer for chrome privileged code

Reporter
    Irvan Kurniawan (@sourc7)
Impact
    high

Description

A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer.
References

    Bug 1667113

#CVE-2020-16012: Variable time processing of cross-origin images during drawImage calls

Reporter
    Aleksejs Popovs
Impact
    moderate

Description

When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks.
References

    Bug 1642028

#CVE-2020-26953: Fullscreen could be enabled without displaying the security UI

Reporter
    Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research
Impact
    moderate

Description

It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user.
References

    Bug 1656741

#CVE-2020-26956: XSS through paste (manual and clipboard API)

Reporter
    Irvan Kurniawan (@sourc7)
Impact
    moderate

Description

In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS.
References

    Bug 1666300

#CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME type restrictions

Reporter
    Moti Harmats
Impact
    moderate

Description

Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass.
References

    Bug 1669355

#CVE-2020-26959: Use-after-free in WebRequestService

Reporter
    Bharadwaj Machiraju
Impact
    moderate

Description

During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.
References

    Bug 1669466

#CVE-2020-26960: Potential use-after-free in uses of nsTArray

Reporter
    Zijie Zhao
Impact
    moderate

Description

If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash.
References

    Bug 1670358

#CVE-2020-15999: Heap buffer overflow in freetype

Reporter
    Sergei Glazunov of Google Project Zero
Impact
    moderate

Description

In Freetype, if PNG images were embedded into fonts, the Load_SBit_Png function contained an integer overflow that led to a heap buffer overflow, memory corruption, and an exploitable crash.
Note: While Project Zero did discover instances of this vulnerability being exploited in the wild against Chrome, in Firefox this vulnerability is only triggerable if a rarely-used, hidden preference is toggled, and only affected Linux and Android operating systems. Other operating systems are unaffected; and Linux and Android are unaffected in the default configuration.
References

    Bug 1672223

#CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses

Reporter
    Gabriel Corona
Impact
    moderate

Description

When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack.
References

    Bug 1672528

#CVE-2020-26965: Software keyboards may have remembered typed passwords

Reporter
    Makoto Kato
Impact
    low

Description

Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password.
References

    Bug 1661617

#CVE-2020-26966: Single-word search queries were also broadcast to local network

Reporter
    tiebuchen
Impact
    low

Description

Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak.
Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
References

    Bug 1663571

#CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers Steve Fink, Jason Kratzer, Randell Jesup, Christian Holler, and Byron Campen reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Security fixes from Firefox-78.6.0esr (NOTE: 78.6.1esr SCTP fix doesn't seem to be included :-( ):

#CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed

Reporter
    André Bargull
Impact
    critical

Description

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read.
References

    Bug 1679003

#CVE-2020-26971: Heap buffer overflow in WebGL

Reporter
    Omair, Abraruddin Khan
Impact
    high

Description

Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers.
References

    Bug 1663466

#CVE-2020-26973: CSS Sanitizer performed incorrect sanitization

Reporter
    Kai Engert
Impact
    high

Description

Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass.
References

    Bug 1680084

#CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free

Reporter
    Pham Bao of VinCSS (Member of Vingroup)
Impact
    high

Description

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash.
References

    Bug 1681022

#CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage

Reporter
    Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Impact
    moderate

Description

Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine.
References

    Bug 1677047

#CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs

Reporter
    Yassine Tioual
Impact
    low

Description

When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address.
References

    Bug 1657916

#CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead

Reporter
    Samuel Attard via the Chrome Security Team
Impact
    low

Description

If a user downloaded a file lacking an extension on Windows, and then "Open"-ed it from the downloads panel, if there was an executable file in the downloads directory with the same name but with an executable extension (such as .bat or .exe) that executable would have been launched instead.
Note: This issue only affected Windows operating systems. Other operating systems are unaffected.
References

    Bug 1661365

#CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Reporter
    Christian Holler
Impact
    high

Description

Mozilla developer Christian Holler reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6

Thunderbird's SMTP 0day has been included in this as well:

#CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server response codes

Reporter
    Chiaki Ishikawa
Impact
    high

Description

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable.
References

    Bug 1677338

[Douglas R. Reno]

A couple build system changes:

--with-pthreads is no longer recognized

--enable-application=suite needs to become --enable-application=comm/suite

[Douglas R. Reno]

Fixed at r24141

[ken@…]

Replying to renodr:

Ken, it's worth noting that this should be compatible with rust-1.48.0 should we need to upgrade anytime soon

I've just looked at firefox-86.0beta1, and that still requires rust >= 1.47.0. ff87 (beta due after 23rd Feb) will want 1.48. But until we move to the next firefox esr series (91, due 13th July) or until librsvg forces us, for the moment no reason to change.

My (unmeasured) impression is that each newer version of rust takes longer to build firefox.