[MFSA-2017-26] Security vulnerabilities fixed in Thunderbird 52.5

Severity Critical
Affected Packages 1
Fixed Packages 1
CVEs 3

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.

  • CVE-2017-7826: Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 (critical)
    Mozilla developers and community members Christian Holler, David Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer, Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen reported memory safety bugs present in Firefox 56, Firefox ESR 52.4, and Thunderbird 52.4. Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could be exploited to run arbitrary code.

  • CVE-2017-7828: Use-after-free of PressShell while restyling layout (critical)
    A use-after-free vulnerability can occur when flushing and resizing layout because the PressShell object has been freed while still in use. This results in a potentially exploitable crash during these operations.

  • CVE-2017-7830: Cross-origin URL information leak through Resource Timing API (high)
    The Resource Timing API incorrectly revealed navigations in cross-origin iframes. This is a same-origin policy violation and could allow for data theft of URLs loaded by users.

Package Affected Version
pkg:mozilla/Thunderbird < 52.5
Package Fixed Version
pkg:mozilla/Thunderbird = 52.5
Source # ID Name URL
Bugzilla 1394530 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1394530
Bugzilla 1369561 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1369561
Bugzilla 1411458 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1411458
Bugzilla 1400003 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1400003
Bugzilla 1395138 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1395138
Bugzilla 1408412 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1408412
Bugzilla 1393840 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1393840
Bugzilla 1400763 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1400763
Bugzilla 1339259 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1339259
Bugzilla 1394265 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1394265
Bugzilla 1407740 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1407740
Bugzilla 1407751 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1407751
Bugzilla 1408005 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1408005
Bugzilla 1406398 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1406398
Bugzilla 1387799 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1387799
Bugzilla 1261175 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1261175
Bugzilla 1400554 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1400554
Bugzilla 1375146 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1375146
Bugzilla 1397811 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1397811
Bugzilla 1404636 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1404636
Bugzilla 1401804 Memory safety bugs fixed in Firefox 57, Firefox ESR 52.5, and Thunderbird 52.5 https://bugzilla.mozilla.org/show_bug.cgi?id=1401804
Bugzilla 1406750 https://bugzilla.mozilla.org/show_bug.cgi?id=1406750
Bugzilla 1412252 https://bugzilla.mozilla.org/show_bug.cgi?id=1412252
Bugzilla 1408990 https://bugzilla.mozilla.org/show_bug.cgi?id=1408990
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:mozilla/Thunderbird Thunderbird < 52.5
Fixed pkg:mozilla/Thunderbird Thunderbird = 52.5