Good morning folks,

Last week, critical security vulnerabilities were unveiled in Mozilla Firefox and Mozilla Thunderbird [1]. These vulnerabilities allow arbitrary code execution, sandbox escape, and denial of service. What makes them urgent is that they are being actively exploited against users in the wild, as noted by several different security companies. As a result, we highly recommend updating immediately to Firefox 67.0.4 and Thunderbird 60.7.2.

In addition to the two in Firefox [2] [3], two sets were discovered in Thunderbird as well [4] [5] [6] [7]. Two of the vulnerabilities pertain to the Gecko rendering engine, which contains the security fixes from Firefox. Four of them are new 0days that were found in the libical implementation in Thunderbird. Receiving an email with a corrupted .ics file carrying a payload triggers a heap-based buffer overflow [8] [9] [10] [11] or a type confusion, leading to an exploitable crash, possible arbitrary code execution, and complete destruction of the user's Thunderbird email profile. This is because of the way that Thunderbird indexes email as it receives it: when Thunderbird processes these emails, it attempts to index the .ics file and, while opening it to read its contents, crashes. Upon launching Thunderbird again, it once again attempts to download and index the mail, and so crashes repeatedly. These vulnerabilities were reported to Mozilla in 2016 (2016-06-19) and were never fixed by Mozilla, even after they were fixed in libical upstream (also in 2016). Recently, PoCs have become available and the vulnerabilities are being exploited in the wild.

When upgrading Thunderbird, no new package updates will be required if you are running BLFS 8.4. I did not attempt to upgrade an 8.3, 8.2, 8.1, or 8.0 system because I do not have them around at the moment. Unfortunately, if you are upgrading Firefox on a stock 8.4 system, some upgrades need to be done:

- NSS (I recommend 3.44, it's got a new root certificate installed)

- NSPR (4.21 at minimum, I recommend the latest)

- cbindgen (0.8.2 at minimum, I recommend the latest)

- SQLite (3.27.2 at minimum, 3.28 is recommended)

- Recommended but not required to fix a security flaw: Node.JS to 10.16.0

- Recommended but not required to fix a set of security flaws: wget to 1.200.3

- Recommended but not required to fix another set of security flaws: cURL to 7.65.1
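As an added example (not part of this mail or of the BLFS book), the following POSIX sh script checks the installed versions of the four required build dependencies against the minimums listed above before a Firefox 67.0.4 rebuild on BLFS 8.4. It assumes a BLFS-style install where NSS, NSPR and SQLite ship pkg-config files (nss.pc, nspr.pc, sqlite3.pc) and cbindgen is on PATH; since no explicit NSS minimum is given above, the recommended 3.44 is used as the NSS threshold, which is an assumption of the example. Run it as `sh checkdeps.sh --check`; the exit status is non-zero if anything still needs an upgrade.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check of the
# build dependencies listed in the mail before rebuilding Firefox 67.0.4.
# Assumptions: pkg-config modules nss, nspr, sqlite3 (BLFS install) and
# a cbindgen binary on PATH. The NSS minimum (3.44) is the post's
# recommended version, since it states no hard minimum for NSS.

# version_ge HAVE NEED: true (exit 0) if dotted version HAVE >= NEED.
# Components are compared numerically; a trailing non-numeric suffix
# such as "-rc1" is ignored and missing components count as 0.
version_ge() {
    vg_have=$1 vg_need=$2
    while [ -n "$vg_have" ] || [ -n "$vg_need" ]; do
        h=${vg_have%%.*}; n=${vg_need%%.*}
        h=${h%%[!0-9]*};  n=${n%%[!0-9]*}
        h=${h:-0};        n=${n:-0}
        [ "$h" -gt "$n" ] && return 0
        [ "$h" -lt "$n" ] && return 1
        case $vg_have in *.*) vg_have=${vg_have#*.} ;; *) vg_have= ;; esac
        case $vg_need in *.*) vg_need=${vg_need#*.} ;; *) vg_need= ;; esac
    done
    return 0
}

# check_min NAME HAVE NEED: print one report line; true if HAVE is
# at least NEED. An empty or "unknown" HAVE counts as not installed.
check_min() {
    cm_name=$1 cm_have=${2:-unknown} cm_need=$3
    if [ "$cm_have" = unknown ]; then
        printf '%-9s %-10s NOT FOUND  (need >= %s)\n' "$cm_name" "$cm_have" "$cm_need"
        return 1
    elif version_ge "$cm_have" "$cm_need"; then
        printf '%-9s %-10s ok         (need >= %s)\n' "$cm_name" "$cm_have" "$cm_need"
        return 0
    else
        printf '%-9s %-10s UPGRADE    (need >= %s)\n' "$cm_name" "$cm_have" "$cm_need"
        return 1
    fi
}

# pc_version MODULE: installed version reported by pkg-config, or "unknown".
pc_version() {
    pkg-config --modversion "$1" 2>/dev/null || echo unknown
}

# report_all: check every required dependency from the post in one pass.
# Returns non-zero if any of them is missing or too old.
report_all() {
    rc=0
    check_min NSS      "$(pc_version nss)"     3.44   || rc=1
    check_min NSPR     "$(pc_version nspr)"    4.21   || rc=1
    check_min SQLite   "$(pc_version sqlite3)" 3.27.2 || rc=1
    # "cbindgen --version" prints "cbindgen X.Y.Z"; take the second field.
    check_min cbindgen "$(cbindgen --version 2>/dev/null | awk '{print $2}')" 0.8.2 || rc=1
    return $rc
}

# Only probe the live system when asked, so the functions can be sourced.
case "${1:-}" in
    --check) report_all ;;
esac
```

The comparison is done by hand rather than with `sort -V` so the script stays usable on a minimal BLFS system where only a basic `sh` and coreutils may be present.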


Thank you,

Douglas R. Reno


LINKS:

[1]: https://thehackernews.com/2019/06/firefox-0day-vulnerability.html

[2]: https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/

[3]: https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

[4]: https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/

[5]: https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/

[6]: https://www.thunderbird.net/en-US/thunderbird/60.7.2/releasenotes/

[7]: https://www.thunderbird.net/en-US/thunderbird/60.7.1/releasenotes/

[8]: https://seclists.org/oss-sec/2019/q2/157

[9]: https://seclists.org/oss-sec/2019/q2/158

[10]: https://seclists.org/oss-sec/2019/q2/159

[11]: https://seclists.org/oss-sec/2019/q2/160

--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html