Linux Security

    ArchLinux: 202005-7: thunderbird: multiple issues

    The package thunderbird before version 68.8.0-1 is vulnerable to multiple issues including arbitrary code execution and content spoofing.
    Arch Linux Security Advisory ASA-202005-7
    Severity: Critical
    Date    : 2020-05-09
    CVE-ID  : CVE-2020-6831  CVE-2020-12387 CVE-2020-12392 CVE-2020-12395
    Package : thunderbird
    Type    : multiple issues
    Remote  : Yes
    Link    :
    The package thunderbird before version 68.8.0-1 is vulnerable to
    multiple issues including arbitrary code execution and content
    spoofing.
    Upgrade to 68.8.0-1.
    # pacman -Syu "thunderbird>=68.8.0-1"
    The problems have been fixed upstream in version 68.8.0.
    - CVE-2020-6831 (arbitrary code execution)
    A buffer overflow could occur when parsing and validating SCTP chunks
    in WebRTC, in Firefox before 76.0, Thunderbird before 68.8.0 and
    chromium before 81.0.4044.138. This could have led to memory corruption
    and a potentially exploitable crash.
    - CVE-2020-12387 (arbitrary code execution)
    A race condition has been found in Firefox before 76.0 and Thunderbird
    before 68.8.0, when running shutdown code for Web Worker, leading to a
    use-after-free vulnerability. This results in a potentially exploitable
    - CVE-2020-12392 (content spoofing)
    The 'Copy as cURL' feature of Devtools' network tab did not properly
    escape the HTTP POST data of a request in Firefox before 76.0 and
    Thunderbird before 68.8.0, which can be controlled by the website. If a
    user used the 'Copy as cURL' feature and pasted the command into a
    terminal, it could have resulted in the disclosure of local files.
    - CVE-2020-12395 (arbitrary code execution)
    Several memory safety bugs have been found in Firefox before 76.0,
    Firefox ESR before 68.8 and Thunderbird before 68.8.0. Some of these
    bugs showed evidence of memory corruption and Mozilla presumes that
    with enough effort some of these could have been exploited to run
    arbitrary code.
    - CVE-2020-12397 (content spoofing)
    An email address spoofing issue has been found in Thunderbird before
    68.8.0. By encoding Unicode whitespace characters within the From email
    header, an attacker can spoof the sender email address that Thunderbird
    A remote attacker can spoof an e-mail address and execute arbitrary
    code on the affected host.
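A detection sketch for the CVE-2020-12397 pattern described above, added here as an example; it is not code from the advisory, Arch Linux, or Thunderbird. It decodes the From header and reports non-ASCII whitespace in it. The function names and sample messages are assumptions constructed for illustration, and the check is a heuristic for flagging mail for review, not a reimplementation of the upstream fix.

```python
import unicodedata
from email import message_from_string
from email.header import Header, decode_header, make_header


def decoded_from(raw_message: str) -> str:
    """Return the From header with RFC 2047 encoded-words decoded."""
    raw = message_from_string(raw_message).get("From", "")
    try:
        return str(make_header(decode_header(raw)))
    except (LookupError, UnicodeError):
        return raw  # undecodable charset: inspect the raw value instead


def unicode_whitespace_in_from(raw_message: str):
    """List (offset, codepoint, name) for each non-ASCII whitespace character."""
    value = decoded_from(raw_message)
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED"))
        for i, ch in enumerate(value)
        if ch.isspace() and ord(ch) > 0x7F
    ]


# Constructed sample messages (hypothetical, not taken from the advisory).
BENIGN = "From: Alice Example <alice@example.org>\nSubject: hi\n\nbody\n"
# Display name carrying an encoded U+2003 (EM SPACE), built with the stdlib encoder.
_encoded_name = Header("Alice\u2003Example", "utf-8").encode()
SUSPICIOUS = f"From: {_encoded_name} <mallory@example.net>\nSubject: hi\n\nbody\n"
# Same idea without RFC 2047 encoding: a raw U+3000 in the header value.
RAW_WIDE = "From: Bob\u3000Smith <bob@example.org>\n\nbody\n"

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("encoded", SUSPICIOUS), ("raw", RAW_WIDE)):
        print(label, repr(decoded_from(msg)), unicode_whitespace_in_from(msg))
```

A hit is a reason to compare the displayed sender against the parsed address, since some legitimate display names also contain characters such as U+00A0.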

