Arch Linux Security Advisory ASA-202004-12
=========================================
Severity: Critical
Date    : 2020-04-13
CVE-ID  : CVE-2020-6815 CVE-2020-6819 CVE-2020-6820 CVE-2020-6821
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1132

Summary
======
The package thunderbird before version 68.7.0-1 is vulnerable to
multiple issues including arbitrary code execution and information
disclosure.

Resolution
=========
Upgrade to 68.7.0-1.

# pacman -Syu "thunderbird>=68.7.0-1"

The problems have been fixed upstream in version 68.7.0.

Workaround
=========
None.

Description
==========
- CVE-2020-6815 (arbitrary code execution)

Several memory safety and script safety bugs have been found in Firefox
before 74 and Thunderbird before 68.7.0. Some of these bugs showed
evidence of memory corruption or escalation of privilege and Mozilla
presumes that with enough effort some of these could have been
exploited to run arbitrary code.

- CVE-2020-6819 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox before 74.0.1
and Thunderbird before 68.7.0 where under certain conditions, when
running the nsDocShell destructor, a race condition can cause a use-
after-free. Mozilla is aware of targeted attacks in the wild abusing
this flaw.

- CVE-2020-6820 (arbitrary code execution)

A use-after-free vulnerability has been found in Firefox before 74.0.1
and Thunderbird before 68.7.0 where, under certain conditions, when
handling a ReadableStream, a race condition can cause a use-after-free.
Mozilla is aware of targeted attacks in the wild abusing this flaw.

- CVE-2020-6821 (information disclosure)

An information disclosure issue has been found in Firefox before 75.0
and Thunderbird before 68.7.0. When reading from areas partially or
fully outside the source resource with WebGL's copyTexSubImage method,
the specification requires the returned values be zero. Previously,
this memory was uninitialized, leading to potentially sensitive data
disclosure.

Impact
=====
A remote attacker can access sensitive information or execute arbitrary
code on the affected host.

References
=========
https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6815
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1181957%2C1557732%2C1557739%2C1611457%2C1612431
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6819
https://bugzilla.mozilla.org/show_bug.cgi?id=1620818
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6820
https://bugzilla.mozilla.org/show_bug.cgi?id=1626728
https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6821
https://bugzilla.mozilla.org/show_bug.cgi?id=1625404
https://security.archlinux.org/CVE-2020-6815
https://security.archlinux.org/CVE-2020-6819
https://security.archlinux.org/CVE-2020-6820
https://security.archlinux.org/CVE-2020-6821

ArchLinux: 202004-12: thunderbird: multiple issues

April 13, 2020

Summary

- CVE-2020-6815 (arbitrary code execution) Several memory safety and script safety bugs have been found in Firefox before 74 and Thunderbird before 68.7.0. Some of these bugs showed evidence of memory corruption or escalation of privilege and Mozilla presumes that with enough effort some of these could have been exploited to run arbitrary code.
- CVE-2020-6819 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox before 74.0.1 and Thunderbird before 68.7.0 where under certain conditions, when running the nsDocShell destructor, a race condition can cause a use- after-free. Mozilla is aware of targeted attacks in the wild abusing this flaw.
- CVE-2020-6820 (arbitrary code execution)
A use-after-free vulnerability has been found in Firefox before 74.0.1 and Thunderbird before 68.7.0 where, under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. Mozilla is aware of targeted attacks in the wild abusing this flaw.
- CVE-2020-6821 (information disclosure)
An information disclosure issue has been found in Firefox before 75.0 and Thunderbird before 68.7.0. When reading from areas partially or fully outside the source resource with WebGL's copyTexSubImage method, the specification requires the returned values be zero. Previously, this memory was uninitialized, leading to potentially sensitive data disclosure.

Resolution

Upgrade to 68.7.0-1. # pacman -Syu "thunderbird>=68.7.0-1"
The problems have been fixed upstream in version 68.7.0.

References

https://www.mozilla.org/en-US/security/advisories/mfsa2020-14/ https://www.mozilla.org/en-US/security/advisories/mfsa2020-08/#CVE-2020-6815 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1181957%2C1557732%2C1557739%2C1611457%2C1612431 https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6819 https://bugzilla.mozilla.org/show_bug.cgi?id=1620818 https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/#CVE-2020-6820 https://bugzilla.mozilla.org/show_bug.cgi?id=1626728 https://www.mozilla.org/en-US/security/advisories/mfsa2020-12/#CVE-2020-6821 https://bugzilla.mozilla.org/show_bug.cgi?id=1625404 https://security.archlinux.org/CVE-2020-6815 https://security.archlinux.org/CVE-2020-6819 https://security.archlinux.org/CVE-2020-6820 https://security.archlinux.org/CVE-2020-6821

Severity
Package : thunderbird
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1132

Workaround

None.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved