安全公告详情

NS-SA-2021-0025

2021-03-09 13:05:16

简介

critical: kernel/thunderbird security update

严重级别

critical

主题

An update for kernel/thunderbird is now available for NewStart CGSL MAIN 5.04/CGSL CORE 5.04.
NewStart Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

kernel: This package provides kernel headers and makefiles sufficient to build modules against the kernel package.
thunderbird: Mozilla Thunderbird is a standalone mail and newsgroup client.


Security Fix(es):
kernel: A vulnerability was found in the Linux kernel. The Zr364xx USB device driver is susceptible to malicious USB devices. An attacker able to add a specific USB device could cause a crash leading to a denial of service.(CVE-2019-15217)
kernel: A vulnerability was discovered in the Linux kernel's AF_IEEE802154 networking module where permissions checks are not enforced. This can allow an unprivileged user to create raw sockets for this protocol leading to the potential for data leaks or system unavailability.(CVE-2019-17053)
kernel: A vulnerability was found in the Linux kernel’s implementation of the AF_ISDN protocol, which does not enforce the CAP_NET_RAW capability. This flaw can allow unprivileged users to create a raw socket for this protocol. This could further allow the user to control the availability of an existing ISDN circuit.(CVE-2019-17055)
kernel: A flaw was found in the AMD Cryptographic Co-processor driver in the Linux kernel. An attacker, able to send invalid SHA type commands, could cause the system to crash. The highest threat from this vulnerability is to system availability.(CVE-2019-18808)
kernel: A flaw was found in the Linux kernel. The crypto_report function mishandles resource cleanup on error. A local attacker able to induce the error conditions could use this flaw to crash the system. The highest threat from this vulnerability is to system availability.(CVE-2019-19062)
kernel: An out-of-bounds memory write issue was found in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service.(CVE-2019-19332)
kernel: A flaw was found in the Linux kernel’s implementation for ADU devices from Ontrak Control Systems, where an attacker with administrative privileges and access to a local account could pre-groom the memory and physically disconnect or unload a module. The attacker must be able to access either of these two events to trigger the use-after-free, and then race the access to the use-after-free, to create a situation where key USB structs can be manipulated into corrupting memory.(CVE-2019-19523)
kernel: A use-after-free flaw was found in the Linux kernel’s input device driver functionality when unplugging a device. A user with physical access could use this flaw to crash the system.(CVE-2019-19524)
kernel: A use-after-free flaw was found in the acm_probe USB subsystem in the Linux kernel. A race condition occurs when a destroy() procedure is initiated allowing the refcount to decrement on the interface so early that it is never under counted. A malicious USB device is required for exploit. System availability is the largest threat from the vulnerability, however data integrity and confidentiality are also threatened.(CVE-2019-19530)
kernel: An information-leak flaw was found in the Linux kernel's pcan USB driver. When a device using this driver connects to the system, the stack information is leaked to the CAN bus, a controller area network for automobiles. The highest threat with this vulnerability is breach of data confidentiality.(CVE-2019-19534)
kernel: A flaw was found in the Linux kernel, where there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer. An attacker who can hotplug at least two devices of this class can cause a use-after-free situation.(CVE-2019-19537)
kernel: A flaw was found in the Linux kernel's video driver. A race condition, leading to a use-after-free, could lead to a local privilege escalation. User interaction is not needed for exploitation.(CVE-2019-9458)
kernel: An out-of-bounds write flaw was found in the Linux kernel. An empty nodelist in mempolicy.c is mishandled durig mount option parsing leading to a stack-based out-of-bounds write. The highest threat from this vulnerability is to system availability.(CVE-2020-11565)
kernel: A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-14331)
kernel: A flaw was found in the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled. In the instruction emulation, the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor. An L2 guest could use this flaw to potentially access information of the L1 hypervisor.(CVE-2020-2732)
kernel: A flaw was found in the Linux kernel’s virtual console resize functionality. An attacker with local access to virtual consoles can use the virtual console resizing code to gather kernel internal data structures.(CVE-2020-8647)
kernel: A flaw was found in the Linux kernel’s implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console. An out-of-bounds read can occur, leaking information to the console.(CVE-2020-8649)
kernel: An out-of-bounds (OOB) memory access flaw was found in the floppy driver module in the Linux kernel. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The highest threat from this vulnerability is to system availability.(CVE-2020-9383)
kernel: bugfix
thunderbird: In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. This vulnerability affects Firefox < 82.0.3, Firefox ESR < 78.4.1, and Thunderbird < 78.4.2.(CVE-2020-26950)
thunderbird: By holding a reference to the eval() function from an about:blank window, a malicious webpage could have gained access to the InstallTrigger object which would allow them to prompt the user to install an extension. Combined with user confusion, this could result in an unintended or malicious extension being installed. This vulnerability affects Firefox < 80, Thunderbird < 78.2, Thunderbird < 68.12, Firefox ESR < 68.12, Firefox ESR < 78.2, and Firefox for Android < 80.(CVE-2020-15664)
thunderbird: When aborting an operation, such as a fetch, an abort signal may be deleted while alerting the objects to be notified. This results in a use-after-free and we presume that with enough effort it could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.12 and Thunderbird < 68.12.(CVE-2020-15669)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from.(CVE-2020-15677)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element.(CVE-2020-15676)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function `APZCTreeManager::ComputeClippedCompositionBounds` did not follow iterator invalidation rules.(CVE-2020-15678)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: Mozilla developer reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.(CVE-2020-15673)
thunderbird: Mozilla developers and community members reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 78.4, Firefox < 82, and Thunderbird < 78.4.(CVE-2020-15683)
thunderbird: Use after free in WebRTC in Google Chrome prior to 86.0.4240.75 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.(CVE-2020-15969)
thunderbird: A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26951)
thunderbird: Side-channel information leakage in graphics in Google Chrome prior to 87.0.4280.66 allowed a remote attacker to leak cross-origin data via a crafted HTML page.(CVE-2020-16012)
thunderbird: It was possible to cause the browser to enter fullscreen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26953)
thunderbird: In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26956)
thunderbird: Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26958)
thunderbird: During browser shutdown, reference decrementing could have occured on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26959)
thunderbird: If the Compact() method was called on an nsTArray, the array could have been reallocated without updating other pointers, leading to a potential use-after-free and exploitable crash. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26960)
thunderbird: When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26961)
thunderbird: Mozilla developers reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26968)
thunderbird: Some websites have a feature "Show Password" where clicking a button will change a password field into a textbook field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password. This vulnerability affects Firefox < 83, Firefox ESR < 78.5, and Thunderbird < 78.5.(CVE-2020-26965)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers.(CVE-2020-26971)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass.(CVE-2020-26973)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: When `flex-basis` was used on a table wrapper, a `StyleGenericFlexBasis` object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash.(CVE-2020-26974)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine.(CVE-2020-26978)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read.(CVE-2020-16042)
thunderbird: When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable. This vulnerability affects Thunderbird < 78.5.1.(CVE-2020-26970)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: When an extension with the proxy permission registered to receive ``, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address.(CVE-2020-35111)
thunderbird: The Mozilla Foundation Security Advisory describes this flaw as: Mozilla developer reported memory safety bugs present in Firefox 83 and Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.(CVE-2020-35113)
thunderbird: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.04.F29B5.

影响组件

  • kernel
  • thunderbird

影响产品

  • CGSL MAIN 5.04
  • CGSL CORE 5.04

更新包

{"fix":[{"product":"CGSL MAIN 5.04","pkgs":[{"binary":["kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-sign-keys-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-debug-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","python-perf-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-doc-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.noarch.rpm","kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","perf-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.x86_64.rpm","kernel-abi-whitelists-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.noarch.rpm"],"source":"kernel-3.10.0-693.21.1.el7.cgslv5_4.52.955.gcf9f7ff.src.rpm"},{"binary":["thunderbird-78.6.0-1.el7.centos.x86_64.rpm"],"source":"thunderbird-78.6.0-1.el7.centos.src.rpm"}]},{"product":"CGSL CORE 5.04","pkgs":[{"binary":["kernel-debug-modules-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-debug-devel-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","python-perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","python-perf-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-tools-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-tools-libs-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-debug-core-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-sign-keys-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-debuginfo-common-x86_64-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-headers-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-core-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-modules-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-debug-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","perf-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","perf-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-tools-debuginfo-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-tools-libs-devel-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm","kernel-devel-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.x86_64.rpm"],"source":"kernel-3.10.0-693.21.1.el7.cgslv5_4.54.913.g2925469.lite.src.rpm"},{"binary":["thunderbird-78.6.0-1.el7.centos.x86_64.rpm"],"source":"thunderbird-78.6.0-1.el7.centos.src.rpm"}]}]}

CVE

参考