Arch Linux Security Advisory ASA-201808-8
=========================================

Severity: Critical
Date    : 2018-08-10
CVE-ID  : CVE-2018-5156 CVE-2018-5187 CVE-2018-12361 CVE-2018-12367
          CVE-2018-12371
Package : thunderbird
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-751

Summary
=======

The package thunderbird before version 60.0-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 60.0-1.

# pacman -Syu "thunderbird>=60.0-1"

The problems have been fixed upstream in version 60.0.

Workaround
==========

None.

Description
===========

- CVE-2018-5156 (arbitrary code execution)

A vulnerability can occur in Firefox before 61.0 and Thunderbird before
60.0 when capturing a media stream when the media source type is
changed as the capture is occurring. This can result in stream data
being cast to the wrong type causing a potentially exploitable crash.

- CVE-2018-5187 (arbitrary code execution)

Several memory safety bugs have been found in Firefox before 61.0 and
Thunderbird before 60.0. Some of these bugs showed evidence of memory
corruption and Mozilla presumes that with enough effort some of these
could be exploited to run arbitrary code.

- CVE-2018-12361 (arbitrary code execution)

An integer overflow can occur in Firefox before 61.0 and Thunderbird
before 60.0 in the SwizzleData code while calculating buffer sizes. The
overflowed value is used for subsequent graphics computations when
their inputs are not sanitized which results in a potentially
exploitable crash.

- CVE-2018-12367 (information disclosure)

A security issue has been found in Firefox before 61.0 and Thunderbird
before 60.0. In the previous mitigations for Spectre, the resolution or
precision of various methods was reduced to counteract the ability to
measure precise time intervals. In that work,
PerformanceNavigationTiming was not adjusted but it was found that it
could be used as a precision timer.

- CVE-2018-12371 (arbitrary code execution)

An integer overflow vulnerability has been found in the Skia library
shipped with Firefox before 61.0 and Thunderbird before 60.0, when
allocating memory for edge builders on some systems with at least 16 GB
of RAM. This results in the use of uninitialized memory, resulting in a
potentially exploitable crash.

Impact
======

A remote attacker is able to execute arbitrary code or gain information
about the Spectre mitigations.

References
==========

https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5156
https://bugzilla.mozilla.org/show_bug.cgi?id=1453127
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-5187
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1461324%2C1414829%2C1395246%2C1467938%2C1461619%2C1425930%2C1438556%2C1454285%2C1459568%2C1463884
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12361
https://bugzilla.mozilla.org/show_bug.cgi?id=1463244
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12367
https://bugzilla.mozilla.org/show_bug.cgi?id=1462891
https://www.mozilla.org/en-US/security/advisories/mfsa2018-15/#CVE-2018-12371
https://bugzilla.mozilla.org/show_bug.cgi?id=1465686
https://security.archlinux.org/CVE-2018-5156
https://security.archlinux.org/CVE-2018-5187
https://security.archlinux.org/CVE-2018-12361
https://security.archlinux.org/CVE-2018-12367
https://security.archlinux.org/CVE-2018-12371
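
The bug class described for CVE-2018-12361 (a buffer size calculated
with integer arithmetic that can overflow), shown as an added C example
that is not code from Mozilla or from this advisory. The function
names, the 4-bytes-per-pixel input and the 1 GiB cap are assumptions
made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed upper bound for one surface allocation (hypothetical value). */
#define MAX_SURFACE_BYTES ((size_t)1 << 30)

/* Unchecked form: 32-bit products wrap modulo 2^32 without any error. */
static uint32_t unchecked_surface_bytes(uint32_t width, uint32_t height,
                                        uint32_t bpp)
{
    uint32_t stride = width * bpp;   /* may wrap */
    return stride * height;          /* may wrap again */
}

/* Checked form: validate each product before computing it, then cap it. */
static bool checked_surface_bytes(uint32_t width, uint32_t height,
                                  uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if (width > SIZE_MAX / bpp)
        return false;
    size_t stride = (size_t)width * bpp;
    if (height > SIZE_MAX / stride)
        return false;
    size_t total = stride * height;
    if (total > MAX_SURFACE_BYTES)
        return false;
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed inputs: a normal frame and an oversized width. */
    const uint32_t dims[2][2] = { {1920u, 1080u}, {0x40000001u, 2u} };
    for (int i = 0; i < 2; i++) {
        size_t n = 0;
        bool ok = checked_surface_bytes(dims[i][0], dims[i][1], 4u, &n);
        printf("%ux%u: unchecked=%u checked=%s (%zu bytes)\n",
               (unsigned)dims[i][0], (unsigned)dims[i][1],
               (unsigned)unchecked_surface_bytes(dims[i][0], dims[i][1], 4u),
               ok ? "ok" : "rejected", n);
    }
    return 0;
}
```

For the oversized input the unchecked size wraps to a few bytes, so
later code that trusts the original dimensions would run past the
allocation; the checked form rejects the request instead.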