The package thunderbird before version 52.9.1-1 is vulnerable to multiple issues including arbitrary code execution, cross-site request forgery and information disclosure.
Arch Linux Security Advisory ASA-201807-4
========================================
Severity: Critical
Date : 2018-07-16
CVE-ID : CVE-2018-5188 CVE-2018-12359 CVE-2018-12360 CVE-2018-12362
CVE-2018-12363 CVE-2018-12364 CVE-2018-12365 CVE-2018-12366
CVE-2018-12372 CVE-2018-12373 CVE-2018-12374
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-728
Summary
======
The package thunderbird before version 52.9.1-1 is vulnerable to
multiple issues including arbitrary code execution, cross-site request
forgery and information disclosure.
Resolution
=========
Upgrade to 52.9.1-1.
# pacman -Syu "thunderbird>=52.9.1-1"
The problems have been fixed upstream in version 52.9.1.
Workaround
=========
None.
Description
==========
- CVE-2018-5188 (arbitrary code execution)
Several memory safety bugs have been found in Firefox before 61.0 and
Thunderbird before 52.9. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these
could be exploited to run arbitrary code.
- CVE-2018-12359 (arbitrary code execution)
A buffer overflow can occur in Firefox before 61.0 and Thunderbird
before 52.9 when rendering canvas content while adjusting the height
and width of the