ArchLinux: 201904-4: thunderbird: arbitrary code execution

    Date: 11 Apr 2019
    Category: ArchLinux
    Posted By: LinuxSecurity Advisories
    The package thunderbird before version 60.6.1-1 is vulnerable to arbitrary code execution.
    Arch Linux Security Advisory ASA-201904-4
    =========================================
    
    Severity: Critical
    Date    : 2019-04-06
    CVE-ID  : CVE-2019-9810 CVE-2019-9813
    Package : thunderbird
    Type    : arbitrary code execution
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-947
    
    Summary
    =======
    
    The package thunderbird before version 60.6.1-1 is vulnerable to
    arbitrary code execution.
    
    Resolution
    ==========
    
    Upgrade to 60.6.1-1.
    
    # pacman -Syu "thunderbird>=60.6.1-1"
    
    The problems have been fixed upstream in version 60.6.1.
    
    Workaround
    ==========
    
    None.
    
    Description
    ===========
    
    - CVE-2019-9810 (arbitrary code execution)
    
    Incorrect alias information in the IonMonkey JIT compiler of Firefox
    before 66.0.1 and Thunderbird before 60.6.1 for the
    Array.prototype.slice method may lead to a missing bounds check and a
    buffer overflow.
    
    - CVE-2019-9813 (arbitrary code execution)
    
    Incorrect handling of __proto__ mutations may lead to type confusion
    in the IonMonkey JIT code of Firefox before 66.0.1 and Thunderbird
    before 60.6.1, and can be leveraged for arbitrary memory read and
    write.
    
    Impact
    ======
    
    A remote attacker can execute arbitrary code on the affected host.
    
    References
    ==========
    
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9810
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/#CVE-2019-9810
    https://bugzilla.mozilla.org/show_bug.cgi?id=1537924
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-09/#CVE-2019-9813
    https://www.mozilla.org/en-US/security/advisories/mfsa2019-12/#CVE-2019-9813
    https://bugzilla.mozilla.org/show_bug.cgi?id=1538006
    https://security.archlinux.org/CVE-2019-9810
    https://security.archlinux.org/CVE-2019-9813
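
One way to check a host against the Resolution section above, as an added example that is not part of the advisory. The function names are chosen for this example; it assumes pacman's `vercmp` for the comparison and falls back to GNU `sort -V`, which only approximates it (no epoch handling).

```shell
#!/bin/sh
# Added example: report whether an installed thunderbird build predates
# the fixed release named in ASA-201904-4.

FIXED_VERSION="60.6.1-1"   # from the advisory's Resolution section

# version_lt A B: succeed when version A sorts strictly before version B.
# Prefers pacman's vercmp; the sort -V fallback is an approximation and
# assumes neither version carries an epoch prefix.
version_lt() {
    [ "$1" = "$2" ] && return 1
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$2")" -lt 0 ]
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# check_thunderbird VERSION: print a verdict.
# Returns 0 if vulnerable, 1 if patched, 2 if VERSION is empty.
check_thunderbird() {
    if [ -z "$1" ]; then
        echo "thunderbird: not installed"
        return 2
    fi
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "thunderbird $1: VULNERABLE (CVE-2019-9810 CVE-2019-9813)," \
             "upgrade to >= $FIXED_VERSION"
        return 0
    fi
    echo "thunderbird $1: patched (>= $FIXED_VERSION)"
    return 1
}

# installed_version: print the installed pkgver-pkgrel from the local
# pacman database, or nothing when pacman or the package is absent.
installed_version() {
    command -v pacman >/dev/null 2>&1 || return 0
    pacman -Q thunderbird 2>/dev/null | awk '{print $2}'
}

# Report on this host. The verdict is printed; call check_thunderbird
# directly when the return status is needed (for example in a fleet audit).
check_thunderbird "$(installed_version)" || true
```
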
    
    