Vulnerability CVE-2017-7764: Information

Description

Characters from the "Canadian Syllabics" Unicode block can be mixed with characters from other Unicode blocks in the address bar instead of being rendered in their raw "punycode" form, allowing for domain name spoofing attacks through character confusion. The current Unicode standard allows characters from "Aspirational Use Scripts" such as Canadian Syllabics to be mixed with Latin characters in the "moderately restrictive" IDN profile. We have changed Firefox behavior to match the upcoming Unicode version 10.0, which removes this category and treats them as "Limited Use Scripts". This vulnerability affects Firefox < 54, Firefox ESR < 52.2, and Thunderbird < 52.2.

Severity: MEDIUM (5.3) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Published: June 12, 2018
Modified: Aug. 13, 2018
Error type identifier: CWE-20
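
Added example, not part of the advisory or of Firefox's code: a simplified Python sketch of the display rule the description implies, in which a hostname label that mixes Canadian Syllabics with Latin is shown in its Punycode form instead of Unicode. Script membership is approximated by Unicode character-name prefix, IDNA normalization is skipped, and the function names and the sample hostname are constructed for illustration.

```python
import unicodedata

# Assumption: Unicode character-name prefixes approximate the Script property,
# which the standard library does not expose.
CANADIAN = "CANADIAN SYLLABICS"
LATIN = "LATIN"


def decode_label(label):
    """Return the Unicode form of one DNS label (A-label or already Unicode)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed A-label: leave it in its raw form
    return label


def label_scripts(label):
    """Report which of the two scripts of interest occur in a label."""
    found = set()
    for ch in decode_label(label):
        name = unicodedata.name(ch, "")
        if name.startswith(CANADIAN):
            found.add(CANADIAN)
        elif name.startswith(LATIN):
            found.add(LATIN)
    return found  # digits and hyphens belong to neither set


def display_form(hostname):
    """Show mixed Canadian Syllabics + Latin labels as Punycode, others as Unicode."""
    shown = []
    for label in hostname.split("."):
        uni = decode_label(label)
        if label_scripts(label) == {CANADIAN, LATIN}:
            shown.append("xn--" + uni.encode("punycode").decode("ascii"))
        else:
            shown.append(uni)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample: one Canadian Syllabics character inside a Latin label.
    sample = "exam\u146dle.example"
    print(sample, "->", display_form(sample))
```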

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| firefox | sisyphus | 54.0.1-alt1 | 126.0.1-alt1 | ALT-PU-2017-1886-1 | 185325 | Fixed |
| firefox | p10 | 54.0.1-alt1 | 118.0.2-alt0.p10.1 | ALT-PU-2017-1886-1 | 185325 | Fixed |
| firefox | p9 | 54.0.1-alt1 | 105.0.1-alt0.c9.1 | ALT-PU-2017-1886-1 | 185325 | Fixed |
| firefox | p8 | 54.0.1-alt0.M80P.1 | 68.0.1-alt0.M80P.1 | ALT-PU-2017-1981-1 | 185512 | Fixed |
| firefox | c10f1 | 54.0.1-alt1 | 112.0.2-alt0.p10.1 | ALT-PU-2017-1886-1 | 185325 | Fixed |
| firefox | c9f2 | 54.0.1-alt1 | 105.0.1-alt0.c9.1 | ALT-PU-2017-1886-1 | 185325 | Fixed |
| firefox | c7 | 52.5.3-alt0.M70C.1 | 60.8.0-alt0.M70C.1 | ALT-PU-2018-1225-1 | 200642 | Fixed |
| firefox | p11 | 54.0.1-alt1 | 126.0.1-alt1 | ALT-PU-2017-1886-1 | 185325 | Fixed |
| firefox-esr | sisyphus | 52.2.0-alt1 | 115.11.0-alt1 | ALT-PU-2017-1770-1 | 184555 | Fixed |
| firefox-esr | p10 | 52.2.0-alt1 | 115.11.0-alt1 | ALT-PU-2017-1770-1 | 184555 | Fixed |
| firefox-esr | p9 | 52.2.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2017-1770-1 | 184555 | Fixed |
| firefox-esr | p8 | 52.3.0-alt0.M80P.1 | 68.4.1-alt0.M80P.1 | ALT-PU-2017-2230-1 | 188380 | Fixed |
| firefox-esr | c10f1 | 52.2.0-alt1 | 115.9.1-alt0.c10.1 | ALT-PU-2017-1770-1 | 184555 | Fixed |
| firefox-esr | c9f2 | 52.2.0-alt1 | 102.12.0-alt0.c9.1 | ALT-PU-2017-1770-1 | 184555 | Fixed |
| firefox-esr | p11 | 52.2.0-alt1 | 115.11.0-alt1 | ALT-PU-2017-1770-1 | 184555 | Fixed |
| thunderbird | sisyphus | 52.2.0-alt1 | 115.9.0-alt1 | ALT-PU-2017-1777-1 | 184645 | Fixed |
| thunderbird | p10 | 52.2.0-alt1 | 115.9.0-alt1 | ALT-PU-2017-1777-1 | 184645 | Fixed |
| thunderbird | p9 | 52.2.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2017-1777-1 | 184645 | Fixed |
| thunderbird | p8 | 52.3.0-alt0.M80P.1 | 60.8.0-alt0.M80P.1 | ALT-PU-2017-2238-1 | 188382 | Fixed |
| thunderbird | c10f1 | 52.2.0-alt1 | 115.9.0-alt0.c10.1 | ALT-PU-2017-1777-1 | 184645 | Fixed |
| thunderbird | c9f2 | 52.2.0-alt1 | 102.11.0-alt0.c9.1 | ALT-PU-2017-1777-1 | 184645 | Fixed |
| thunderbird | c7 | 60.8.0-alt0.M70C.1 | 60.8.0-alt0.M70C.1 | ALT-PU-2019-2345-1 | 234994 | Fixed |
| thunderbird | p11 | 52.2.0-alt1 | 115.9.0-alt1 | ALT-PU-2017-1777-1 | 184645 | Fixed |

References to Advisories, Solutions, and Tools

| Hyperlink | Resource |
|---|---|
| https://www.mozilla.org/security/advisories/mfsa2017-17/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2017-16/ | Vendor Advisory |
| https://www.mozilla.org/security/advisories/mfsa2017-15/ | Vendor Advisory |
| https://bugzilla.mozilla.org/show_bug.cgi?id=1364283 | Exploit, Issue Tracking, Vendor Advisory |
| http://www.unicode.org/reports/tr31/tr31-26.html#Aspirational_Use_Scripts | Third Party Advisory |
| DSA-3918 | Third Party Advisory |
| DSA-3881 | Third Party Advisory |
| RHSA-2017:1561 | Third Party Advisory |
| RHSA-2017:1440 | Third Party Advisory |
| 1038689 | Third Party Advisory, VDB Entry |
| 99057 | Third Party Advisory, VDB Entry |

Configuration 1

  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excluding: 54.0

  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excluding: 52.2.0

  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excluding: 52.2.0

Configuration 2

  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*