thunderbird-60.7.2-2.AXS4
Errata ID: AXSA:2019-3916:03
Mozilla Thunderbird is a standalone mail and newsgroup client.
This update upgrades Thunderbird to version 60.7.2.
Security Fix(es):
* Mozilla: Type confusion in Array.pop (CVE-2019-11707)
* thunderbird: Stack buffer overflow in icalrecur_add_bydayrules in icalrecur.c (CVE-2019-11705)
* Mozilla: Sandbox escape using Prompt:Open (CVE-2019-11708)
* thunderbird: Heap buffer over read in icalparser.c parser_get_next_char (CVE-2019-11703)
* thunderbird: Heap buffer overflow in icalmemory_strdup_and_dequote function in icalvalue.c (CVE-2019-11704)
* thunderbird: Type confusion in icaltimezone_get_vtimezone_properties function in icalproperty.c (CVE-2019-11706)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2019-11703
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11704
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11705
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11706
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11707
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-11708
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Update packages.
CVE-2019-11703: A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in parser_get_next_char when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.
CVE-2019-11704: A flaw in Thunderbird's implementation of iCal causes a heap buffer overflow in icalmemory_strdup_and_dequote when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.
CVE-2019-11705: A flaw in Thunderbird's implementation of iCal causes a stack buffer overflow in icalrecur_add_bydayrules when processing certain email messages, resulting in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.7.1.
CVE-2019-11706: A flaw in Thunderbird's implementation of iCal causes a type confusion in icaltimezone_get_vtimezone_properties when processing certain email messages, resulting in a crash. This vulnerability affects Thunderbird < 60.7.1.
CVE-2019-11707: A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop. This can allow for an exploitable crash. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 60.7.1, Firefox < 67.0.3, and Thunderbird < 60.7.2.
CVE-2019-11708: Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes can result in the non-sandboxed parent process opening web content chosen by a compromised child process. When combined with additional vulnerabilities this could result in executing arbitrary code on the user's computer. This vulnerability affects Firefox ESR < 60.7.2, Firefox < 67.0.4, and Thunderbird < 60.7.2.
N/A
SRPMS
- thunderbird-60.7.2-2.AXS4.src.rpm
MD5: 5783f603f400db623abb5e14c7a70d64
SHA-256: 59f5fa3a9ef47fc29c5ea669ff20bc8354e2c87f5d4557eae9e543099c05467f
Size: 420.41 MB
Asianux Server 4 for x86
- thunderbird-60.7.2-2.AXS4.i686.rpm
MD5: dbc45da7c0ab991724e6f33e42847fb9
SHA-256: 770d2767ce208f9de6a7e05bbe250abb91741ae21ffdf54172b6332e9afc9fbb
Size: 100.78 MB
Asianux Server 4 for x86_64
- thunderbird-60.7.2-2.AXS4.x86_64.rpm
MD5: 868bf028634a222eb9266619546c0eb8
SHA-256: 4f50540a795fee991fab11c8ee5698a5f64635a0d8f5a2b8642ff71658d79508
Size: 100.55 MB