Debian update for thunderbird

Published: 2024-08-08

Risk	High
Patch available	YES
Number of vulnerabilities	7
CVE-ID	CVE-2024-7519 CVE-2024-7521 CVE-2024-7522 CVE-2024-7525 CVE-2024-7526 CVE-2024-7527 CVE-2024-7529
CWE-ID	CWE-125 CWE-416 CWE-264 CWE-908 CWE-450
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Debian Linux Operating systems & Components / Operating system thunderbird (Debian package) Operating systems & Components / Operating system package or component
Vendor	Debian

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU95422

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7519

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error when processing graphics shared memory. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Use-after-free

EUVDB-ID: #VU95424

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7521

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in WebAssembly. A remote attacker can trick the victim to visit a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Out-of-bounds read

EUVDB-ID: #VU95431

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7522

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a boundary error in editor component. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger an out-of-bounds read and bypass browser sandbox.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU95495

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7525

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due missing permission check when creating a StreamFilter. A web extension with minimal permissions can create a StreamFilter, which can be used to read and modify the response body of requests on any site.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Use of uninitialized resource

EUVDB-ID: #VU95496

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7526

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to usage of uninitialized resources in WebGL ANGLE. A remote attacker can trick the victim to visit a specially crafted website and gain access to sensitive information.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Use-after-free

EUVDB-ID: #VU95497

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7527

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in JavaScript garbage collection. A remote attacker can trick the victim into visiting a specially crafted website, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Multiple Interpretations of UI Input

EUVDB-ID: #VU95500

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-7529

CWE-ID: CWE-450 - Multiple Interpretations of UI Input

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exist due to improper handling of the date picker, which can obscure security prompts. A remote attacker use a malicious site to trick a victim into granting permissions.

Mitigation

Update thunderbird package to one of the following versions: 1:115.14.0-1~deb11u1, 1:115.14.0-1~deb12u1.

Vulnerable software versions

Debian Linux: All versions

thunderbird (Debian package): before 1:115.14.0-1~deb12u1

CPE2.3

cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*:

External links

http://lists.debian.org/debian-security-announce/2024/msg00156.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.