<p>Title: CSIRT Panamá Advisory 2019-06-17: High-severity vulnerabilities in the Thunderbird mail client.<br> Published 2019-06-17 by CSIRT Panamá (cert.pa, post 1410), category: security advisories.</p>

<p>The Mozilla Foundation has published security advisory MFSA 2019-17, which fixes four flaws in its popular mail client, Thunderbird. Three of the four vulnerabilities are rated high severity; the fourth (CVE-2019-11706) is rated moderate. All four sit in the bundled iCalendar parsing code (the libical files named below) and are reached when Thunderbird processes a calendar attachment from an incoming message.<br> Thunderbird is a free, open-source, cross-platform e-mail, news, RSS and chat client developed by the Mozilla Foundation.</p>

<p><br> <strong>The vulnerabilities are the following:</strong><br> • <strong>CVE-2019-11703</strong>: a heap buffer overflow in the function 'parser_get_next_char' in the file 'icalparser.c', triggered while processing a calendar attachment, could allow remote code execution. (CVE-2019-11703: Heap buffer overflow in icalparser.c<br> <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703">https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703</a>)<br> • <strong>CVE-2019-11704</strong>: a missing bounds check in the function 'icalmemory_strdup_and_dequote' in 'icalvalue.c', when the input string ends with the character '\', leads to out-of-bounds memory reads and writes, a NULL pointer dereference and memory corruption. Successful exploitation of this flaw could allow remote code execution. (CVE-2019-11704: Heap buffer overflow in icalvalue.c<br> <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11704">https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11704</a>)<br> • <strong>CVE-2019-11705:</strong> missing validation in the function 'icalrecur_add_bydayrules' in 'icalrecur.c' results in a stack buffer overflow that could allow remote code execution. (CVE-2019-11705: Stack buffer overflow in icalrecur.c<br> <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11705">https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11705</a>)<br> • <strong>CVE-2019-11706:</strong> a type confusion in the function 'icaltimezone_get_vtimezone_properties' in 'icalproperty.c' while parsing a malformed calendar attachment could be exploited to disclose sensitive information. (CVE-2019-11706: Type confusion in icalproperty.c<br> <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11706">https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11706</a>)</p>

<p><br> All of the vulnerabilities described are fixed in Thunderbird 60.7.1, which is available for <strong>download from the official site</strong> (<a href="https://www.thunderbird.net/en-US/thunderbird/60.7.1/releasenotes/">https://www.thunderbird.net/en-US/thunderbird/60.7.1/releasenotes/</a>). Administrators should confirm that every installation reports version 60.7.1 or later (Help → About Thunderbird), since the affected code is exercised by attachments arriving in the user's mailbox.</p>
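<p>The following is an added example written for this advisory; it is not code from the page, from Mozilla or from libical. It models in C the bug class that the CVE-2019-11704 entry describes (an escape-processing loop that steps past the string terminator when the value ends in '\'), places it next to a variant that handles the trailing backslash safely, and adds a check for the exact trigger condition. The function names (dequote_unsafe, dequote_fixed, triggers_overread) and the sample property values are constructed for illustration.</p>

```c
/*
 * Added illustrative example (not libical's or Mozilla's code): a simplified
 * model of the bug class behind CVE-2019-11704. Function names and sample
 * inputs are constructed for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern. If the last byte of str is '\\', p++ lands on the NUL
 * terminator, the default branch copies it, and the for loop's own p++ then
 * steps past the end of str: bytes beyond the source are read and written
 * into an output buffer that is only strlen(str)+1 bytes long.
 * Kept for contrast only; never call it on untrusted input. */
char *dequote_unsafe(const char *str)
{
    char *out = malloc(strlen(str) + 1);
    char *pout = out;
    const char *p;

    if (out == NULL)
        return NULL;
    for (p = str; *p != '\0'; p++) {
        if (*p == '\\') {
            p++;                                  /* no check for *p == '\0' */
            switch (*p) {
            case 'n': case 'N': *pout = '\n'; break;
            case 't': case 'T': *pout = '\t'; break;
            default:            *pout = *p;   break;  /* "\\", "\,", "\;" */
            }
        } else {
            *pout = *p;
        }
        pout++;
    }
    *pout = '\0';
    return out;
}

/* Safe variant: index against the known length and treat a backslash that is
 * the final byte as the end of the value instead of reading past the NUL. */
char *dequote_fixed(const char *str)
{
    size_t len = strlen(str), i, o = 0;
    char *out = malloc(len + 1);

    if (out == NULL)
        return NULL;
    for (i = 0; i < len; i++) {
        char c = str[i];
        if (c == '\\') {
            if (i + 1 >= len)
                break;                            /* dangling backslash: stop */
            c = str[++i];
            if (c == 'n' || c == 'N')
                c = '\n';
            else if (c == 't' || c == 'T')
                c = '\t';
            /* any other escaped byte ('\\', ',', ';', ...) is copied literally */
        }
        out[o++] = c;
    }
    out[o] = '\0';
    return out;
}

/* Trigger condition for the unsafe loop: an odd-length run of backslashes at
 * the end of the value leaves one backslash unpaired. Handy as a quick check
 * on property values pulled out of a suspicious .ics attachment. */
int triggers_overread(const char *value)
{
    size_t len = strlen(value), run = 0;

    while (run < len && value[len - 1 - run] == '\\')
        run++;
    return (run % 2) == 1;
}

/* Compare a dequoted result against an expected string without leaking it. */
int dequote_fixed_equals(const char *in, const char *expected)
{
    char *got = dequote_fixed(in);
    int eq = got != NULL && strcmp(got, expected) == 0;

    free(got);
    return eq;
}

int main(void)
{
    /* Constructed sample values as they might follow the ':' of an iCalendar
     * property; "\\" in C source is a single backslash in the string. */
    const char *benign = "Meeting\\, room 4\\; bring laptop\\nThanks\\\\";
    const char *hostile = "Meeting\\";
    char *a = dequote_unsafe(benign), *b = dequote_fixed(hostile);

    printf("benign : triggers=%d unsafe=\"%s\"\n", triggers_overread(benign), a);
    printf("hostile: triggers=%d fixed=\"%s\"\n", triggers_overread(hostile), b);
    /* dequote_unsafe(hostile) would read and write out of bounds here. */
    free(a);
    free(b);
    return 0;
}
```

<p>Building with -fsanitize=address and calling dequote_unsafe on the hostile value makes the out-of-bounds access visible immediately; the fixed variant returns "Meeting" for the same input. The parity check in triggers_overread is what distinguishes a legitimately escaped backslash ("\\") from the dangling one that reaches the bug.</p>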
<p><br> These security flaws were reported by Luis Merino of X41 D-SEC, who has also published proof-of-concept files for each of them on GitHub.</p>

<p><br> <strong>Detailed information:</strong><br> • Advisory X41-2019-001: Heap-based buffer overflow in Thunderbird<br> <a href="https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird/">https://www.x41-dsec.de/lab/advisories/x41-2019-001-thunderbird/</a><br> • Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird<br> <a href="https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird/">https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird/</a><br> • Advisory X41-2019-003: Stack-based buffer overflow in Thunderbird<br> <a href="https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird/">https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird/</a><br> • Advisory X41-2019-004: Type confusion in Thunderbird<br> <a href="https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird/">https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird/</a></p>

<p>Sources: </p>

<ol class="wp-block-list"><li>Mozilla Foundation Security Advisory 2019-17. Mozilla Foundation. 2019. Retrieved from: <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703">https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/#CVE-2019-11703</a></li><li>Vulnerabilidades en Thunderbird. una al día, Hispasec. 15 June 2019. Retrieved from: <a href="https://unaaldia.hispasec.com/2019/06/vulnerabilidades-en-thunderbird.html">https://unaaldia.hispasec.com/2019/06/vulnerabilidades-en-thunderbird.html</a></li></ol>