{"id":"MGASA-2017-0477","summary":"Updated thunderbird packages fix security vulnerabilities","details":"Multiple vulnerabilities have been fixed in thunderbird.\n* JavaScript Execution via RSS in mailbox:// origin (CVE-2017-7846).\n* Local path string can be leaked from RSS feed (CVE-2017-7847).\n* RSS Feed vulnerable to new line Injection (CVE-2017-7848).\n* Mailsploit From address with encoded null character is cut off in\nmessage header display (CVE-2017-7829).\n\nMultiple vulnerabilities have been fixed in the bundled enigmail package.\n* An issue was discovered that allows remote attackers to trigger use of\nan intended public key for encryption, because incorrect regular\nexpressions are used for extraction of an e-mail address from a\ncomma-separated list (CVE-2017-17843).\n* A remote attacker can obtain cleartext content by sending an encrypted\ndata block to a victim, and relying on the victim to automatically\ndecrypt that block and then send it back to the attacker as quoted text\n(CVE-2017-17844).\n* An issue was discovered where Improper Random Secret Generation occurs\nbecause Math.Random() is used by pretty Easy privacy (pEp)\n(CVE-2017-17845).\n* An issue was discovered where regular expressions are exploitable for\nDenial of Service, because of attempts to match arbitrarily long strings\n(CVE-2017-17846).\n* An issue was discovered that signature spoofing is possible because\nthe UI does not properly distinguish between an attachment signature,\nand a signature that applies to the entire containing message\n(CVE-2017-17847).\n* In a variant of CVE-2017-17847, signature spoofing is possible for\nmultipart/related messages because a signed message part can be\nreferenced with a cid: URI but not actually displayed (CVE-2017-17848)\n","modified":"2026-02-04T03:56:58.729343Z","published":"2017-12-31T00:10:15Z","related":["CVE-2017-17843","CVE-2017-17844","CVE-2017-17845","CVE-2017-17846","CVE-2017-17847","CVE-2017-17848","CVE-2017-7829","CVE-2017-7846","CVE-2017-7847","CVE-2017-7848"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0477.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22251"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"52.5.2-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0477.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"52.5.2-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0477.json"}},{"package":{"name":"thunderbird","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"52.5.2-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0477.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"52.5.2-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0477.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}