ArchLinux: 201811-10: thunderbird: arbitrary code execution
Summary
- CVE-2018-12389 (arbitrary code execution)
Several memory safety bugs have been found in Thunderbird versions
prior to 63.0. Some of these bugs showed evidence of memory corruption
and Mozilla engineers presume that with enough effort some of these
could be exploited to run arbitrary code.
- CVE-2018-12390 (arbitrary code execution)
Several memory safety bugs have been found in Firefox and Thunderbird
versions prior to 63.0. Some of these bugs showed evidence of memory
corruption and Mozilla engineers presume that with enough effort some
of these could be exploited to run arbitrary code.
- CVE-2018-12392 (arbitrary code execution)
A security issue has been found in Firefox and Thunderbird versions
prior to 63.0. When manipulating user events in nested loops while
opening a document through script, it is possible to trigger a
potentially exploitable crash due to poor event handling.
Resolution
Upgrade to 60.3.0-1.
# pacman -Syu "thunderbird>=60.3.0-1"
The problems have been fixed upstream in version 60.3.0.
References
https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12390
https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12390
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1487098%2C1487660%2C1490234%2C1496159%2C1443748%2C1496340%2C1483905%2C1493347%2C1488803%2C1498701%2C1498482%2C1442010%2C1495245%2C1483699%2C1469486%2C1484905%2C1490561%2C1492524%2C1481844
https://www.mozilla.org/en-US/security/advisories/mfsa2018-26/#CVE-2018-12392
https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/#CVE-2018-12392
https://bugzilla.mozilla.org/show_bug.cgi?id=1492823
https://security.archlinux.org/CVE-2018-12389
https://security.archlinux.org/CVE-2018-12390
https://security.archlinux.org/CVE-2018-12392
Workaround
None.