Vulnerabilities > CVE-2017-5436 - Out-of-bounds Write vulnerability in multiple products

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(101460);
  script_version("1.9");
  script_cvs_date("Date: 2018/11/27 13:31:33");

  script_cve_id(
    "CVE-2016-10195",
    "CVE-2016-10196",
    "CVE-2016-10197",
    "CVE-2017-5429",
    "CVE-2017-5432",
    "CVE-2017-5433",
    "CVE-2017-5434",
    "CVE-2017-5435",
    "CVE-2017-5436",
    "CVE-2017-5438",
    "CVE-2017-5439",
    "CVE-2017-5440",
    "CVE-2017-5441",
    "CVE-2017-5442",
    "CVE-2017-5443",
    "CVE-2017-5444",
    "CVE-2017-5445",
    "CVE-2017-5446",
    "CVE-2017-5447",
    "CVE-2017-5449",
    "CVE-2017-5451",
    "CVE-2017-5454",
    "CVE-2017-5459",
    "CVE-2017-5460",
    "CVE-2017-5464",
    "CVE-2017-5465",
    "CVE-2017-5466",
    "CVE-2017-5467",
    "CVE-2017-5469"
  );

  script_name(english:"Virtuozzo 6 : thunderbird (VZLSA-2017-1201)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote Virtuozzo host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"An update for thunderbird is now available for Red Hat Enterprise
Linux 6 and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.

Mozilla Thunderbird is a standalone mail and newsgroup client.

This update upgrades Thunderbird to version 52.1.0.

Security Fix(es) :

* Multiple flaws were found in the processing of malformed web
content. A web page containing malicious content could cause
Thunderbird to crash or, potentially, execute arbitrary code with the
privileges of the user running Thunderbird. (CVE-2017-5429,
CVE-2017-5433, CVE-2017-5435, CVE-2017-5436, CVE-2017-5459,
CVE-2017-5466, CVE-2017-5432, CVE-2017-5434, CVE-2017-5438,
CVE-2017-5439, CVE-2017-5440, CVE-2017-5441, CVE-2017-5442,
CVE-2017-5443, CVE-2017-5444, CVE-2017-5446, CVE-2017-5447,
CVE-2017-5454, CVE-2017-5460, CVE-2017-5464, CVE-2017-5465,
CVE-2017-5469, CVE-2016-10195, CVE-2016-10196, CVE-2017-5445,
CVE-2017-5449, CVE-2017-5451, CVE-2017-5467, CVE-2016-10197)

Red Hat would like to thank the Mozilla project for reporting these
issues. Upstream acknowledges Petr Cerny, Nils, Ivan Fratric (Google
Project Zero), Takeshi Terada, Heather Miller (Google Skia team), Chun
Han Hsiao, Chamal De Silva, Nicolas GrA(c)goire, Holger Fuhrmannek, Atte
Kettunen, Haik Aftandilian, and Jordi Chancel as the original
reporters.

Note that Tenable Network Security has attempted to extract the
preceding description block directly from the corresponding Red Hat
security advisory. Virtuozzo provides no description for VZLSA
advisories. Tenable has attempted to automatically clean and format
it as much as possible without introducing additional issues.");
  # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-1201.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?82d44bae");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2017-1201");
  script_set_attribute(attribute:"solution", value:
"Update the affected thunderbird package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:thunderbird");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:6");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Virtuozzo Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/Virtuozzo/release");
if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 6.x", "Virtuozzo " + os_ver);

if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);

flag = 0;

pkgs = ["thunderbird-52.1.0-1.vl6"];

foreach (pkg in pkgs)
  if (rpm_check(release:"Virtuozzo-6", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "thunderbird");
}

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99629);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/13");

  script_cve_id(
    "CVE-2016-6354",
    "CVE-2016-10195",
    "CVE-2016-10196",
    "CVE-2016-10197",
    "CVE-2017-5429",
    "CVE-2017-5430",
    "CVE-2017-5432",
    "CVE-2017-5433",
    "CVE-2017-5434",
    "CVE-2017-5435",
    "CVE-2017-5436",
    "CVE-2017-5437",
    "CVE-2017-5438",
    "CVE-2017-5439",
    "CVE-2017-5440",
    "CVE-2017-5441",
    "CVE-2017-5442",
    "CVE-2017-5443",
    "CVE-2017-5444",
    "CVE-2017-5445",
    "CVE-2017-5446",
    "CVE-2017-5447",
    "CVE-2017-5448",
    "CVE-2017-5449",
    "CVE-2017-5451",
    "CVE-2017-5453",
    "CVE-2017-5454",
    "CVE-2017-5455",
    "CVE-2017-5456",
    "CVE-2017-5458",
    "CVE-2017-5459",
    "CVE-2017-5460",
    "CVE-2017-5461",
    "CVE-2017-5462",
    "CVE-2017-5464",
    "CVE-2017-5465",
    "CVE-2017-5466",
    "CVE-2017-5467",
    "CVE-2017-5468",
    "CVE-2017-5469"
  );
  script_bugtraq_id(92141, 96014, 97940);
  script_xref(name:"MFSA", value:"2017-10");

  script_name(english:"Mozilla Firefox < 53 Multiple Vulnerabilities (macOS)");
  script_summary(english:"Checks the version of Firefox.");

  script_set_attribute(attribute:"synopsis", value:
"The remote macOS or Mac OS X host contains a web browser that is
affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Mozilla Firefox installed on the remote macOS or Mac
OS X host is prior to 53. It is, therefore, affected by the following
vulnerabilities :

  - Multiple buffer overflow conditions exist in the FLEX
    generated code due to improper validation of certain
    input. An unauthenticated, remote attacker can exploit
    these to execute arbitrary code. (CVE-2016-6354,
    CVE-2017-5469)

  - Multiple flaws exist in the Libevent library, within
    files evdns.c and evutil.c, due to improper validation
    of input when handling IP address strings, empty base
    name strings, and DNS packets. An unauthenticated,
    remote attacker can exploit these to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2016-10195, CVE-2016-10196, CVE-2016-10197,
    CVE-2017-5437)

  - Multiple memory corruption issues exist that allow an
    unauthenticated, remote attacker to execute arbitrary
    code. (CVE-2017-5429, CVE-2017-5430)

  - A use-after-free error exists in input text selection
    that allows an unauthenticated, remote attacker to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-5432)

  - A use-after-free error exists in the SMIL animation
    functions when handling animation elements. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-5433)

  - A use-after-free error exists when redirecting focus
    handling that allows an unauthenticated, remote attacker
    to cause a denial of service condition or the execution
    of arbitrary code. (CVE-2017-5434)

  - A use-after-free error exists in design mode
    interactions when handling transaction processing in
    the editor. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2017-5435)

  - An out-of-bounds write error exists in the Graphite 2
    library when handling specially crafted Graphite fonts.
    An unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-5436)

  - A use-after-free error exists in the nsAutoPtr()
    function during XSLT processing due to the result
    handler being held by a freed handler. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-5438)

  - A use-after-free error exists in the Length() function
    in nsTArray when handling template parameters during
    XSLT processing. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2017-5439)

  - A use-after-free error exists in the txExecutionState
    destructor when processing XSLT content. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-5440)

  - A use-after-free error exists when holding a selection
    during scroll events. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition or the execution of arbitrary code.
    (CVE-2017-5441)

  - A use-after-free error exists when changing styles in
    DOM elements that allows an unauthenticated, remote
    attacker to cause a denial of service condition or the
    execution of arbitrary code. (CVE-2017-5442)

  - An out-of-bounds write error exists while decoding
    improperly formed BinHex format archives that allows an
    unauthenticated, remote attacker to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2017-5443)

  - A buffer overflow condition exists while parsing
    application/http-index-format format content due to
    improper validation of user-supplied input. An
    unauthenticated, remote attacker can exploit this, via
    improperly formatted data, to disclose out-of-bounds
    memory content. (CVE-2017-5444)

  - A flaw exists in nsDirIndexParser.cpp when parsing
    application/http-index-format format content in which
    uninitialized values are used to create an array. An
    unauthenticated, remote attacker can exploit this to
    disclose memory contents. (CVE-2017-5445)

  - An out-of-bounds read error exists when handling HTTP/2
    DATA connections to a server that sends DATA frames with
    incorrect content. An unauthenticated, remote attacker
    can exploit to cause a denial of service condition or
    the disclosure of memory contents. (CVE-2017-5446)

  - An out-of-bounds read error exists when processing glyph
    widths during text layout. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition or the disclosure of memory contents.
    (CVE-2017-5447)

  - An out-of-bounds write error exists in the
    ClearKeyDecryptor::Decrypt() function within file
    ClearKeyDecryptionManager.cpp when decrypting
    Clearkey-encrypted media content. An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition or the execution of arbitrary code.
    This vulnerability can only be exploited if a secondary
    mechanism can be used to escape the Gecko Media Plugin
    (GMP) sandbox. (CVE-2017-5448)

  - A flaw exists when handling bidirectional Unicode text
    in conjunction with CSS animations that allows an
    unauthenticated, remote attacker to cause a denial of
    service condition or the execution or arbitrary code.
    (CVE-2017-5449)

  - A flaw exists in the handling of specially crafted
    'onblur' events. An unauthenticated, remote attacker can
    exploit this, via a specially crafted event, to spoof
    the address bar, making the loaded site appear to be
    different from the one actually loaded. (CVE-2017-5451)

  - A flaw exists in the RSS reader preview page due to
    improper sanitization of URL parameters for a feed's
    TITLE element. An unauthenticated, remote attacker can
    exploit this to spoof the TITLE element. However, no
    scripted content can be run. (CVE-2017-5453)

  - A flaw exists in the FileSystemSecurity::Forget()
    function within file FileSystemSecurity.cpp when using
    the File Picker due to improper sanitization of input
    containing path traversal sequences. An unauthenticated,
    remote attacker can exploit this to bypass file system
    access protections in the sandbox and read arbitrary
    files on the local file system. (CVE-2017-5454)

  - An unspecified flaw exists in the internal feed reader
    APIs when handling messages. An unauthenticated, remote
    attacker can exploit this to escape the sandbox and
    gain elevated privileges if it can be combined with
    another vulnerability that allows remote code execution
    inside the sandboxed process. (CVE-2017-5455)

  - A flaw exists in the Entries API when using a file
    system request constructor through an IPC message. An
    unauthenticated, remote attacker can exploit this to
    bypass file system access protections in the sandbox
    and gain read and write access to the local file system.
    (CVE-2017-5456)

  - A reflected cross-site scripting (XSS) vulnerability
    exists when dragging and dropping a 'javascript:' URL
    into the address bar due to improper validation of
    input. An unauthenticated, remote attacker can exploit
    this to execute arbitrary script code in a user's
    browser session. (CVE-2017-5458)

  - A buffer overflow condition exists in WebGL when
    handling web content due to improper validation of
    certain input. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2017-5459)

  - A use-after-free error exists in frame selection when
    handling a specially crafted combination of script
    content and key presses by the user. An unauthenticated,
    remote attacker can exploit this to cause a denial of
    service condition or the execution of arbitrary code.
    (CVE-2017-5460)

  - An out-of-bounds write error exists in the Network
    Security Services (NSS) library during Base64 decoding
    operations due to insufficient memory being allocated to
    a buffer. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition or
    the execution of arbitrary code. (CVE-2017-5461)

  - A flaw exists in the Network Security Services (NSS)
    library during DRBG number generation due to the
    internal state V not correctly carrying bits over. An
    unauthenticated, remote attacker can exploit this to
    potentially cause predictable random number generation.
    (CVE-2017-5462)

  - A flaw exists when making changes to DOM content in the
    accessibility tree due to improper validation of certain
    input, which can lead to the DOM tree becoming out of
    sync with the accessibility tree. An unauthenticated,
    remote attacker can exploit this to corrupt memory,
    resulting in a denial of service condition or the
    execution of arbitrary code. (CVE-2017-5464)

  - An out-of-bounds read error exists in ConvolvePixel when
    processing SVG content, which allows for otherwise
    inaccessible memory being copied into SVG graphic
    content. An unauthenticated, remote attacker can exploit
    this to disclose memory contents or cause a denial of
    service condition. (CVE-2017-5465)

  - A cross-site script (XSS) vulnerability exists due to
    improper handling of data:text/html URL redirects when
    a reload is triggered, which causes the reloaded
    data:text/html page to have its origin set incorrectly.
    An unauthenticated, remote attacker can exploit this,
    via a specially crafted request, to execute arbitrary
    script code in a user's browser session. (CVE-2017-5466)

  - A memory corruption issue exists when rendering Skia
    content outside of the bounds of a clipping region due
    to improper validation of certain input. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-5467)

  - A flaw exists in the developer tools due to an incorrect
    ownership model of privateBrowsing information. An
    unauthenticated, remote attacker can exploit this to
    cause a denial of service condition. (CVE-2017-5468)");
  script_set_attribute(attribute:"see_also", value:"https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mozilla Firefox version 53 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5469");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/24");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mozilla:firefox");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_firefox_installed.nasl");
  script_require_keys("MacOSX/Firefox/Installed");

  exit(0);
}

include("mozilla_version.inc");

kb_base = "MacOSX/Firefox";
get_kb_item_or_exit(kb_base+"/Installed");

version = get_kb_item_or_exit(kb_base+"/Version", exit_code:1);
path = get_kb_item_or_exit(kb_base+"/Path", exit_code:1);

if (get_kb_item(kb_base + '/is_esr')) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');

mozilla_check_version(product:'firefox', version:version, path:path, esr:FALSE, fix:'53', severity:SECURITY_HOLE);

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201802-03.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike 
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(106884);
  script_version("3.4");
  script_cvs_date("Date: 2019/04/05 23:25:06");

  script_cve_id("CVE-2016-10195", "CVE-2016-10196", "CVE-2016-10197", "CVE-2016-6354", "CVE-2017-5429", "CVE-2017-5432", "CVE-2017-5433", "CVE-2017-5434", "CVE-2017-5435", "CVE-2017-5436", "CVE-2017-5437", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5440", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5443", "CVE-2017-5444", "CVE-2017-5445", "CVE-2017-5446", "CVE-2017-5447", "CVE-2017-5448", "CVE-2017-5459", "CVE-2017-5460", "CVE-2017-5461", "CVE-2017-5462", "CVE-2017-5464", "CVE-2017-5465", "CVE-2017-5469", "CVE-2017-5470", "CVE-2017-5472", "CVE-2017-7749", "CVE-2017-7750", "CVE-2017-7751", "CVE-2017-7752", "CVE-2017-7753", "CVE-2017-7754", "CVE-2017-7756", "CVE-2017-7757", "CVE-2017-7758", "CVE-2017-7764", "CVE-2017-7771", "CVE-2017-7772", "CVE-2017-7773", "CVE-2017-7774", "CVE-2017-7775", "CVE-2017-7776", "CVE-2017-7777", "CVE-2017-7778", "CVE-2017-7779", "CVE-2017-7784", "CVE-2017-7785", "CVE-2017-7786", "CVE-2017-7787", "CVE-2017-7791", "CVE-2017-7792", "CVE-2017-7793", "CVE-2017-7798", "CVE-2017-7800", "CVE-2017-7801", "CVE-2017-7802", "CVE-2017-7803", "CVE-2017-7805", "CVE-2017-7807", "CVE-2017-7809", "CVE-2017-7810", "CVE-2017-7814", "CVE-2017-7818", "CVE-2017-7819", "CVE-2017-7823", "CVE-2017-7824", "CVE-2017-7843", "CVE-2017-7844", "CVE-2018-5089", "CVE-2018-5091", "CVE-2018-5095", "CVE-2018-5096", "CVE-2018-5097", "CVE-2018-5098", "CVE-2018-5099", "CVE-2018-5102", "CVE-2018-5103", "CVE-2018-5104", "CVE-2018-5117");
  script_xref(name:"GLSA", value:"201802-03");

  script_name(english:"GLSA-201802-03 : Mozilla Firefox: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Gentoo host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote host is affected by the vulnerability described in GLSA-201802-03
(Mozilla Firefox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Mozilla Firefox. Please
      review the referenced CVE identifiers for details.
  
Impact :

    A remote attacker could entice a user to view a specially crafted web
      page, possibly resulting in the execution of arbitrary code with the
      privileges of the process or a Denial of Service condition. Furthermore,
      a remote attacker may be able to perform Man-in-the-Middle attacks,
      obtain sensitive information, spoof the address bar, conduct clickjacking
      attacks, bypass security restrictions and protection mechanisms, or have
      other unspecified impact.
  
Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201802-03"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"All Mozilla Firefox users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-client/firefox-52.6.0'
    All Mozilla Firefox binary users should upgrade to the latest version:
      # emerge --sync
      # emerge --ask --oneshot --verbose '>=www-client/firefox-bin-52.6.0'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firefox");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:firefox-bin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (qpkg_check(package:"www-client/firefox-bin", unaffected:make_list("ge 52.6.0"), vulnerable:make_list("lt 52.6.0"))) flag++;
if (qpkg_check(package:"www-client/firefox", unaffected:make_list("ge 52.6.0"), vulnerable:make_list("lt 52.6.0"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Mozilla Firefox");
}

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2017-545.
#
# The text description of this plugin is (C) SUSE LLC.
#

include("compat.inc");

if (description)
{
  script_id(100020);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-5398", "CVE-2017-5399", "CVE-2017-5400", "CVE-2017-5401", "CVE-2017-5402", "CVE-2017-5403", "CVE-2017-5404", "CVE-2017-5405", "CVE-2017-5406", "CVE-2017-5407", "CVE-2017-5408", "CVE-2017-5410", "CVE-2017-5412", "CVE-2017-5413", "CVE-2017-5414", "CVE-2017-5416", "CVE-2017-5418", "CVE-2017-5419", "CVE-2017-5421", "CVE-2017-5422", "CVE-2017-5426", "CVE-2017-5429", "CVE-2017-5430", "CVE-2017-5432", "CVE-2017-5433", "CVE-2017-5434", "CVE-2017-5435", "CVE-2017-5436", "CVE-2017-5437", "CVE-2017-5438", "CVE-2017-5439", "CVE-2017-5440", "CVE-2017-5441", "CVE-2017-5442", "CVE-2017-5443", "CVE-2017-5444", "CVE-2017-5445", "CVE-2017-5446", "CVE-2017-5447", "CVE-2017-5449", "CVE-2017-5451", "CVE-2017-5454", "CVE-2017-5459", "CVE-2017-5460", "CVE-2017-5461", "CVE-2017-5462", "CVE-2017-5464", "CVE-2017-5465", "CVE-2017-5466", "CVE-2017-5467", "CVE-2017-5469");

  script_name(english:"openSUSE Security Update : MozillaThunderbird (openSUSE-2017-545)");
  script_summary(english:"Check for the openSUSE-2017-545 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update to MozillaThunderbird 51.1.0 fixes security issues and
bugs.

In general, these flaws cannot be exploited through email because
scripting is disabled when reading mail, but are potentially risks in
browser or browser-like contexts.

The following vulnerabilities were fixed: boo#1035082, MFSA 2017-13,
boo#1028391, MFSA 2017-09)

  - CVE-2017-5443: Out-of-bounds write during BinHex
    decoding

  - CVE-2017-5429: Memory safety bugs fixed in Firefox 53,
    Firefox ESR 45.9, and Firefox ESR 52.1

  - CVE-2017-5464: Memory corruption with accessibility and
    DOM manipulation

  - CVE-2017-5465: Out-of-bounds read in ConvolvePixel

  - CVE-2017-5466: Origin confusion when reloading isolated
    data:text/html URL

  - CVE-2017-5467: Memory corruption when drawing Skia
    content

  - CVE-2017-5460: Use-after-free in frame selection

  - CVE-2017-5449: Crash during bidirectional unicode
    manipulation with animation

  - CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA
    frames are sent with incorrect data

  - CVE-2017-5447: Out-of-bounds read during glyph
    processing

  - CVE-2017-5444: Buffer overflow while parsing
    application/http-index-format content

  - CVE-2017-5445: Uninitialized values used while parsing
    application/http-index-format content

  - CVE-2017-5442: Use-after-free during style changes

  - CVE-2017-5469: Potential Buffer overflow in
    flex-generated code

  - CVE-2017-5440: Use-after-free in txExecutionState
    destructor during XSLT processing

  - CVE-2017-5441: Use-after-free with selection during
    scroll events

  - CVE-2017-5439: Use-after-free in nsTArray Length()
    during XSLT processing

  - CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT
    processing

  - CVE-2017-5437: Vulnerabilities in Libevent library

  - CVE-2017-5436: Out-of-bounds write with malicious font
    in Graphite 2

  - CVE-2017-5435: Use-after-free during transaction
    processing in the editor

  - CVE-2017-5434: Use-after-free during focus handling

  - CVE-2017-5433: Use-after-free in SMIL animation
    functions

  - CVE-2017-5432: Use-after-free in text input selection

  - CVE-2017-5430: Memory safety bugs fixed in Firefox 53
    and Firefox ESR 52.1

  - CVE-2017-5459: Buffer overflow in WebGL

  - CVE-2017-5454; Sandbox escape allowing file system read
    access through file picker

  - CVE-2017-5451: Addressbar spoofing with onblur event

  - CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP

  - CVE-2017-5401: Memory Corruption when handling
    ErrorResult

  - CVE-2017-5402: Use-after-free working with events in
    FontFace objects

  - CVE-2017-5403: Use-after-free using addRange to add
    range to an incorrect root object

  - CVE-2017-5404: Use-after-free working with ranges in
    selections

  - CVE-2017-5406: Segmentation fault in Skia with canvas
    operations 

  - CVE-2017-5407: Pixel and history stealing via
    floating-point timing side channel with SVG filters

  - CVE-2017-5410: Memory corruption during JavaScript
    garbage collection incremental sweeping

  - CVE-2017-5408: Cross-origin reading of video captions in
    violation of CORS

  - CVE-2017-5412: Buffer overflow read in SVG filters

  - CVE-2017-5413: Segmentation fault during bidirectional
    operations

  - CVE-2017-5414: File picker can choose incorrect default
    directory

  - CVE-2017-5416: Null dereference crash in HttpChannel

  - CVE-2017-5426: Gecko Media Plugin sandbox is not started
    if seccomp-bpf filter is running

  - CVE-2017-5418: Out of bounds read when parsing HTTP
    digest authorization responses

  - CVE-2017-5419: Repeated authentication prompts lead to
    DOS attack

  - CVE-2017-5405: FTP response codes can cause use of
    uninitialized values for ports

  - CVE-2017-5421: Print preview spoofing

  - CVE-2017-5422: DOS attack by using view-source: protocol
    repeatedly in one hyperlink

  - CVE-2017-5399: Memory safety bugs fixed in Thunderbird
    52

  - CVE-2017-5398: Memory safety bugs fixed in Thunderbird
    52 and Thunderbird 45.8

The following non-security changes are included :

  - Background images not working and other issues related
    to embedded images when composing email have been fixed

  - Google Oauth setup can sometimes not progress to the
    next step

  - Clicking on a link in an email may not open this link in
    the external browser

  - addon blocklist updates

  - enable ALSA for systems without PulseAudio

  - Optionally remove corresponding data files when removing
    an account

  - Possibility to copy message filter

  - Calendar: Event can now be created and edited in a tab

  - Calendar: Processing of received invitation counter
    proposals

  - Chat: Support Twitter Direct Messages

  - Chat: Liking and favoriting in Twitter

  - Chat: Removed Yahoo! Messenger support"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1028391"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1035082"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected MozillaThunderbird packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-buildsymbols");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-debugsource");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:MozillaThunderbird-translations-other");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/08");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE42\.1|SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1 / 42.2", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

flag = 0;

if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-buildsymbols-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-debuginfo-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-debugsource-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-devel-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-translations-common-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"MozillaThunderbird-translations-other-52.1.0-42.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-52.1.0-41.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-buildsymbols-52.1.0-41.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-debuginfo-52.1.0-41.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-debugsource-52.1.0-41.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-devel-52.1.0-41.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-translations-common-52.1.0-41.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.2", reference:"MozillaThunderbird-translations-other-52.1.0-41.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MozillaThunderbird / MozillaThunderbird-buildsymbols / etc");
}