Debian update for thunderbird

1) Buffer overflow

EUVDB-ID: #VU23377

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17012

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a memory corruption when processing HTML content. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package to version: 1:68.3.0-2~deb9u1, 1:68.3.0-2~deb10u1.

Vulnerable software versions

thunderbird (Debian package): 1:52.4.0-1~deb9u1 - 1:68.2.2-1~deb10u1

External links

http://www.debian.org/security/2019/dsa-4585

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

EUVDB-ID: #VU23376

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17011

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when retrieving a document from a DocShell in the antitracking code. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a race condition that will results in a use-after-free error.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package to version: 1:68.3.0-2~deb9u1, 1:68.3.0-2~deb10u1.

Vulnerable software versions

thunderbird (Debian package): 1:52.4.0-1~deb9u1 - 1:68.2.2-1~deb10u1

External links

http://www.debian.org/security/2019/dsa-4585

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Use-after-free

EUVDB-ID: #VU23374

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17010

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error  when checking the Resist Fingerprinting preference during device orientation checks. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a race condition that will results in a use-after-free error.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package to version: 1:68.3.0-2~deb9u1, 1:68.3.0-2~deb10u1.

Vulnerable software versions

thunderbird (Debian package): 1:52.4.0-1~deb9u1 - 1:68.2.2-1~deb10u1

External links

http://www.debian.org/security/2019/dsa-4585

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU23370

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17008

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error during worker destruction. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger a use-after-free error and crash the application or execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package to version: 1:68.3.0-2~deb9u1, 1:68.3.0-2~deb10u1.

Vulnerable software versions

thunderbird (Debian package): 1:52.4.0-1~deb9u1 - 1:68.2.2-1~deb10u1

External links

http://www.debian.org/security/2019/dsa-4585

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Buffer overflow

EUVDB-ID: #VU23375

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-17005

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a memory corruption in plain text serializer. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a buffer overflow and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update the affected package to version: 1:68.3.0-2~deb9u1, 1:68.3.0-2~deb10u1.

Vulnerable software versions

thunderbird (Debian package): 1:52.4.0-1~deb9u1 - 1:68.2.2-1~deb10u1

External links

http://www.debian.org/security/2019/dsa-4585

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.