Debian update for thunderbird

Published: 2023-11-27

Risk	High
Patch available	YES
Number of vulnerabilities	7
CVE-ID	CVE-2023-6212 CVE-2023-6209 CVE-2023-6208 CVE-2023-6207 CVE-2023-6206 CVE-2023-6205 CVE-2023-6204
CWE-ID	CWE-119 CWE-20 CWE-200 CWE-416 CWE-450 CWE-787
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Debian Linux Operating systems & Components / Operating system thunderbird (Debian package) Operating systems & Components / Operating system package or component
Vendor	Debian

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Memory corruption

EUVDB-ID: #VU83373

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6212

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can trick the victim ti visit a specially crafted website, trigger a memory corruption and execute arbitrary code on the target system.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU83372

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6209

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to manipulate data on websites.

The vulnerability exists due to insufficient validation of user-supplied input when parsing relative URLs that start with a triple slash, e.g. "///". A remote attacker can use a path-traversal "/../" part in the path to override the specified host.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU83371

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6208

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the Selection API copies text by mistake into the primary selection, a temporary storage not unlike the clipboard, when using on X11. A local user can gain access to potentially sensitive information.

Note, the vulnerability affects only Firefox installations on X11.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use-after-free

EUVDB-ID: #VU83370

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6207

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the ReadableByteStreamQueueEntry::Buffer() method. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Multiple Interpretations of UI Input

EUVDB-ID: #VU83369

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6206

CWE-ID: CWE-450 - Multiple Interpretations of UI Input

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform clickjacking attack.

The vulnerability exists due to the black fade animation when exiting fullscreen is roughly the length of the anti-clickjacking delay on permission prompts. A remote attacker can perform clickjacking attack and trick the victim into pressing the permissions grant button.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use-after-free

EUVDB-ID: #VU83368

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6205

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the MessagePort::Entangled() method. A remote attacker can trick the victim to open a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds write

EUVDB-ID: #VU83367

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-6204

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing HTML content in in WebGL2 blitFramebuffer. A remote attacker can trick the victim ti visit a specially crafted website, trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Update thunderbird package to one of the following versions: 1:115.5.0-1~deb11u1, 1:115.5.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.5.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://www.debian.org/security/2023/dsa-5566

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.