Bug 1074046 - (CVE-2017-7829) VUL-1: CVE-2017-7829: MozillaThunderbird: From address with encoded null character is cut off in message header display
Status: RESOLVED FIXED
Duplicates: 1071236
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 42.3
Hardware: Other Other
Importance: P4 - Low : Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/197243/
Reported: 2017-12-23 21:30 UTC by Andreas Stieger
Modified: 2019-02-19 07:07 UTC
Found By: Security Response Team
Description Andreas Stieger 2017-12-23 21:30:52 UTC
It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7829
https://bugzilla.mozilla.org/show_bug.cgi?id=1423432
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7829
Comment 1 Swamp Workflow Management 2017-12-23 22:50:13 UTC
This is an autogenerated message for OBS integration:
This bug (1074046) was mentioned in
https://build.opensuse.org/request/show/559659 42.2+42.3+Backports:SLE-12 / MozillaThunderbird
Comment 2 Andreas Stieger 2017-12-24 08:34:34 UTC
submitted
Comment 3 Andreas Stieger 2017-12-24 22:29:30 UTC
done
Comment 4 Swamp Workflow Management 2017-12-25 02:07:44 UTC
openSUSE-SU-2017:3433-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1074043,1074044,1074045,1074046
CVE References: CVE-2017-7829,CVE-2017-7846,CVE-2017-7847,CVE-2017-7848
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-52.5.2-51.1
Comment 5 Swamp Workflow Management 2017-12-25 02:08:17 UTC
openSUSE-SU-2017:3434-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1074043,1074044,1074045,1074046
CVE References: CVE-2017-7829,CVE-2017-7846,CVE-2017-7847,CVE-2017-7848
Sources used:
openSUSE Leap 42.3 (src):    MozillaThunderbird-52.5.2-53.1
openSUSE Leap 42.2 (src):    MozillaThunderbird-52.5.2-41.24.1
Comment 6 Andreas Stieger 2017-12-25 12:45:35 UTC
*** Bug 1071236 has been marked as a duplicate of this bug. ***
Comment 8 Swamp Workflow Management 2018-03-24 10:20:18 UTC
This is an autogenerated message for OBS integration:
This bug (1074046) was mentioned in
https://build.opensuse.org/request/show/590813 42.3 / MozillaThunderbird