====================================================================

                             CERT-Renater

                 Note d'Information No. 2018/VULN193
_____________________________________________________________________

DATE                : 22/05/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Thunderbird versions prior to 52.8.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/
_____________________________________________________________________


Mozilla Foundation Security Advisory 2018-13
Security vulnerabilities fixed in Thunderbird 52.8

Announced      May 18, 2018
Impact         critical
Products       Thunderbird

Fixed in
        Thunderbird 52.8

In general, these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled when reading mail, but
are potentially risks in browser or browser-like contexts.

#CVE-2018-5183: Backport critical security fixes in Skia

Reporter      Mozilla Developers
Impact        critical

Description

Mozilla developers backported selected changes in the Skia library.
These changes correct memory corruption issues including invalid buffer
reads and writes during graphic operations.

References
Bug 1454692


#CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext
attack

Reporter        Damian Poddebniak, Christian Dresen, Jens Müller,
         Fabian Ising, Sebastian Schinzel, Simon Friedberger,
     Juraj Somorovsky, Jörg Schwenk
Impact          high

Description

Using remote content in encrypted messages can lead to the disclosure of
plaintext.

References
Bug 1411592


#CVE-2018-5154: Use-after-free with SVG animations and clip paths

Reporter       Nils
Impact         high

Description

A use-after-free vulnerability can occur while enumerating attributes
during SVG animations with clip paths. This results in a potentially
exploitable crash.

References
Bug 1443092


#CVE-2018-5155: Use-after-free with SVG animations and text paths

Reporter       Nils
Impact         high

Description

A use-after-free vulnerability can occur while adjusting layout during
SVG animations with text paths. This results in a potentially
exploitable crash.

References
Bug 1448774


#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia

Reporter       Ivan Fratric
Impact         high

Description

An integer overflow can occur in the Skia library due to 32-bit integer
use in an array without integer overflow checks, resulting in possible
out-of-bounds writes. This could lead to a potentially exploitable crash
triggerable by web content.

References
Bug 1441941


#CVE-2018-5161: Hang via malformed headers

Reporter        cure53
Impact          moderate

Description

Crafted message headers can cause a Thunderbird process to hang on
receiving the message.

References
Bug 1411720


#CVE-2018-5162: Encrypted mail leaks plaintext through src attribute

Reporter        Damian Poddebniak, Christian Dresen, Jens Müller, Fabian
Ising,                 Sebastian Schinzel, Simon Friedberger, Juraj
Somorovsky,                 Jörg Schwenk
Impact          moderate

Description

Plaintext of decrypted emails can leak through the src attribute of
remote images, or links.

References
Bug 1457721


#CVE-2018-5170: Filename spoofing for external attachments

Reporter        cure53
Impact          moderate

Description

It is possible to spoof the filename of an attachment and display an
arbitrary attachment name. This could lead to a user opening a remote
attachment which is a different file type than expected.

References
Bug 1411732


#CVE-2018-5168: Lightweight themes can be installed without user interaction

Reporter        Wladimir Palant
Impact          moderate

Description

Sites can bypass security checks on permissions to install lightweight
themes by manipulating the baseURI property of the theme element. This
could allow a malicious site to install a theme without user interaction
which could contain offensive or embarrassing images.

References
Bug 1449548


#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure
behavior for downloaded files in Windows 10 April 2018 Update

Reporter       Jimmy
Impact         moderate

Description

In the Windows 10 April 2018 Update, Windows Defender SmartScreen honors
the SEE_MASK_FLAG_NO_UI flag associated with downloaded files and will
not show any UI. Files that are unknown and potentially dangerous will
be allowed to run because SmartScreen will not prompt the user for a
decision, and if the user is offline all files will be allowed to be
opened because Windows won’t prompt the user to ask what to do. Firefox
incorrectly sets this flag when downloading files, leading to less
secure behavior from SmartScreen.
Note: this issue only affects Windows 10 users running the April 2018
update or later. It does not affect other Windows users or other
operating systems.

References
Bug 1447080


#CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string
conversion through legacy extension

Reporter       Root Object
Impact         moderate

Description

A buffer overflow was found during UTF8 to Unicode string conversion
within JavaScript with extremely large amounts of data. This
vulnerability requires the use of a malicious or vulnerable legacy
extension in order to occur.

References
Bug 1443891


#CVE-2018-5185: Leaking plaintext through HTML forms

Reporter       Damian Poddebniak, Christian Dresen, Jens Müller,
       Fabian Ising, Sebastian Schinzel, Simon Friedberger,
  Juraj Somorovsky, Jörg Schwenk
Impact         low

Description

Plaintext of decrypted emails can leak through by user submitting an
embedded form.

References
Bug 1450345


#CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR
52.8, and Thunderbird 52.8

Reporter        Mozilla developers and community
Impact          critical

Description

Mozilla developers and community members Christoph Diehl, Randell Jesup,
Tyson Smith, Alex Gaynor, Ronald Crane, Julian Hector, Kannan Vijayan,
and Jason Kratzer reported memory safety bugs present in Firefox 59,
Firefox ESR 52.7, and Thunderbird 52.7. Some of these bugs showed
evidence of memory corruption and we presume that with enough effort
that some of these could be exploited to run arbitrary code.

References
Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and
Thunderbird 52.8



===============================================================
+ CERT-RENATER               | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel         | fax : 01-53-94-20-41           +
+ 75013 Paris                | email: cert@support.renater.fr +
===============================================================