Subject: [ASA-201808-8] thunderbird: multiple issues Arch Linux Security Advisory ASA-201808-8 ========================================= Severity: Critical Date : 2018-08-10 CVE-ID : CVE-2018-5156 CVE-2018-5187 CVE-2018-12361 CVE-2018-12367 CVE-2018-12371 Package : thunderbird Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-751 Summary ======= The package thunderbird before version 60.0-1 is vulnerable to multiple issues including arbitrary code execution and information disclosure. Resolution ========== Upgrade to 60.0-1. # pacman -Syu "thunderbird>=60.0-1" The problems have been fixed upstream in version 60.0. Workaround ========== None. Description =========== - CVE-2018-5156 (arbitrary code execution) A vulnerability can occur in Firefox before 61.0 and Thunderbird before 60.0 when capturing a media stream when the media source type is changed as the capture is occurring. This can result in stream data being cast to the wrong type causing a potentially exploitable crash. - CVE-2018-5187 (arbitrary code execution) Several memory safety bugs have been found in Firefox before 61.0 and Thunderbird before 60.0. Some of these bugs showed evidence of memory corruption and Mozilla presumes that with enough effort some of these could be exploited to run arbitrary code. - CVE-2018-12361 (arbitrary code execution) An integer overflow can occur in Firefox before 61.0 and Thunderbird before 60.0 in the SwizzleData code while calculating buffer sizes. The overflowed value is used for subsequent graphics computations when their inputs are not sanitized which results in a potentially exploitable crash. - CVE-2018-12367 (information disclosure) A security issue has been found in Firefox before 61.0 and Thunderbird before 60.0. In the previous mitigations for Spectre, the resolution or precision of various methods was reduced to counteract the ability to measure precise time intervals. In that work, PerformanceNavigationTiming was not adjusted but it was found that it could be used as a precision timer. - CVE-2018-12371 (arbitrary code execution) An integer overflow vulnerability has been found in the Skia library shipped with Firefox before 61.0 and Thunderbird before 60.0, when allocating memory for edge builders on some systems with at least 16 GB of RAM. This results in the use of uninitialized memory, resulting in a potentially exploitable crash. Impact ====== A remote attacker is able to execute arbitrary code or gain information about the Spectre mitigations. References ========== https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/ https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5156 https://bugzilla.mozilla.org/show_bug.cgi?id=1453127 https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5187 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1461324%2C1414829%2C1395246%2C1467938%2C1461619%2C1425930%2C1438556%2C1454285%2C1459568%2C1463884 https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12361 https://bugzilla.mozilla.org/show_bug.cgi?id=1463244 https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12367 https://bugzilla.mozilla.org/show_bug.cgi?id=1462891 https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12371 https://bugzilla.mozilla.org/show_bug.cgi?id=1465686 https://security.archlinux.org/CVE-2018-5156 https://security.archlinux.org/CVE-2018-5187 https://security.archlinux.org/CVE-2018-12361 https://security.archlinux.org/CVE-2018-12367 https://security.archlinux.org/CVE-2018-12371