MGASA-2018-0480 - Updated thunderbird packages fix security issues & bugs

Publication date: 15 Dec 2018
URL: https://advisories.mageia.org/MGASA-2018-0480.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-16541,
     CVE-2018-5156,
     CVE-2018-5187,
     CVE-2018-5188,
     CVE-2018-12359,
     CVE-2018-12360,
     CVE-2018-12361,
     CVE-2018-12362,
     CVE-2018-12363,
     CVE-2018-12364,
     CVE-2018-12365,
     CVE-2018-12366,
     CVE-2018-12367,
     CVE-2018-12368,
     CVE-2018-12371,
     CVE-2018-12376,
     CVE-2018-12377,
     CVE-2018-12378,
     CVE-2018-12379,
     CVE-2018-12383,
     CVE-2018-12385,
     CVE-2018-12389,
     CVE-2018-12390,
     CVE-2018-12391,
     CVE-2018-12392,
     CVE-2018-12393

- Buffer overflow using computed size of canvas element. (CVE-2018-12359)

- Use-after-free when using focus(). (CVE-2018-12360)

- Integer overflow in SwizzleData. (CVE-2018-12361)

- Integer overflow in SSSE3 scaler. (CVE-2018-12362)

- Media recorder segmentation fault when track type is changed during
capture. (CVE-2018-5156)

- Use-after-free when appending DOM nodes. (CVE-2018-12363)

- CSRF attacks through 307 redirects and NPAPI plugins. (CVE-2018-12364)

- Compromised IPC child process can list local filenames.
(CVE-2018-12365)

- Integer overflow in Skia library during edge builder allocation.
(CVE-2018-12371)

- Invalid data handling during QCMS transformations. (CVE-2018-12366)

- Timing attack mitigation of PerformanceNavigationTiming.
(CVE-2018-12367)

- No warning when opening executable SettingContent-ms files.
(CVE-2018-12368)

- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and
Thunderbird 60. (CVE-2018-5187)

- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox
ESR 52.9, and Thunderbird 60. (CVE-2018-5188)

- Use-after-free in refresh driver timers. (CVE-2018-12377)

- Use-after-free in IndexedDB. (CVE-2018-12378)

- Out-of-bounds write with malicious MAR file. (CVE-2018-12379)

- Proxy bypass using automount and autofs. (CVE-2017-16541)

- Crash in TransportSecurityInfo due to cached data. (CVE-2018-12385)

- Setting a master password post-Firefox 58 does not delete unencrypted
previously stored passwords. (CVE-2018-12383)

- Memory safety bugs fixed in Firefox 62, Firefox ESR 60.2, and
Thunderbird 60.2.1. (CVE-2018-12376)

- HTTP Live Stream audio data is accessible cross-origin.
(CVE-2018-12391)

- Crash with nested event loops. (CVE-2018-12392)

- Integer overflow during Unicode conversion while loading JavaScript.
(CVE-2018-12393)

- Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3.
(CVE-2018-12389)

- Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and
Thunderbird 60.3. (CVE-2018-12390)

References:
- https://bugs.mageia.org/show_bug.cgi?id=23706
- https://www.thunderbird.net/en-US/thunderbird/60.3.0/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/60.3.1/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/60.3.2/releasenotes/
- https://www.thunderbird.net/en-US/thunderbird/60.3.3/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/
- https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/
- https://www.debian.org/security/2018/dsa-4327
- https://access.redhat.com/errata/RHSA-2018:3458
- - https://access.redhat.com/errata/RHSA-2018:3532
- https://www.debian.org/security/2018/dsa-4337
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16541
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5156
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5187
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5188
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12359
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12360
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12361
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12362
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12363
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12364
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12365
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12366
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12367
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12368
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12371
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12376
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12377
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12378
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12379
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12383
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12385
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12389
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12390
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12391
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12392
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12393

SRPMS:
- 6/core/thunderbird-60.3.3-3.mga6
- 6/core/thunderbird-l10n-60.3.3-1.mga6

Mageia 2018-0480: thunderbird security update

- Buffer overflow using computed size of canvas element

Summary

- Buffer overflow using computed size of canvas element. (CVE-2018-12359)
- Use-after-free when using focus(). (CVE-2018-12360)
- Integer overflow in SwizzleData. (CVE-2018-12361)
- Integer overflow in SSSE3 scaler. (CVE-2018-12362)
- Media recorder segmentation fault when track type is changed during capture. (CVE-2018-5156)
- Use-after-free when appending DOM nodes. (CVE-2018-12363)
- CSRF attacks through 307 redirects and NPAPI plugins. (CVE-2018-12364)
- Compromised IPC child process can list local filenames. (CVE-2018-12365)
- Integer overflow in Skia library during edge builder allocation. (CVE-2018-12371)
- Invalid data handling during QCMS transformations. (CVE-2018-12366)
- Timing attack mitigation of PerformanceNavigationTiming. (CVE-2018-12367)
- No warning when opening executable SettingContent-ms files. (CVE-2018-12368)
- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and Thunderbird 60. (CVE-2018-5187)
- Memory safety bugs fixed in Firefox 61, Firefox ESR 60...

Read the Full Advisory

References

- https://bugs.mageia.org/show_bug.cgi?id=23706

- https://www.thunderbird.net/en-US/thunderbird/60.3.0/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/60.3.1/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/60.3.2/releasenotes/

- https://www.thunderbird.net/en-US/thunderbird/60.3.3/releasenotes/

- https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/

- https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/

- https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/

- https://www.debian.org/security/2018/dsa-4327

- https://access.redhat.com/errata/RHSA-2018:3458

- - https://access.redhat.com/errata/RHSA-2018:3532

- https://www.debian.org/security/2018/dsa-4337

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16541

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5156

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5187

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5188

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12359

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12360

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12361

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12362

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12363

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12364

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12365

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12366

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12367

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12368

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12371

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12376

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12377

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12378

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12379

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12383

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12385

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12389

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12390

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12391

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12392

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12393

Resolution

MGASA-2018-0480 - Updated thunderbird packages fix security issues & bugs

SRPMS

- 6/core/thunderbird-60.3.3-3.mga6

- 6/core/thunderbird-l10n-60.3.3-1.mga6

Severity
Publication date: 15 Dec 2018
URL: https://advisories.mageia.org/MGASA-2018-0480.html
Type: security
CVE: CVE-2017-16541, CVE-2018-5156, CVE-2018-5187, CVE-2018-5188, CVE-2018-12359, CVE-2018-12360, CVE-2018-12361, CVE-2018-12362, CVE-2018-12363, CVE-2018-12364, CVE-2018-12365, CVE-2018-12366, CVE-2018-12367, CVE-2018-12368, CVE-2018-12371, CVE-2018-12376, CVE-2018-12377, CVE-2018-12378, CVE-2018-12379, CVE-2018-12383, CVE-2018-12385, CVE-2018-12389, CVE-2018-12390, CVE-2018-12391, CVE-2018-12392, CVE-2018-12393

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved