[ASA-201811-10] thunderbird: arbitrary code execution
Jelle van der Waa
jelle at archlinux.org
Sun Nov 11 20:51:06 UTC 2018
Arch Linux Security Advisory ASA-201811-10
Date : 2018-11-06
CVE-ID : CVE-2018-12389 CVE-2018-12390 CVE-2018-12392
Package : thunderbird
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-803

The package thunderbird before version 60.3.0-1 is vulnerable to
arbitrary code execution.

Upgrade to 60.3.0-1.

# pacman -Syu "thunderbird>=60.3.0-1"

The problems have been fixed upstream in version 60.3.0.

- CVE-2018-12389 (arbitrary code execution)

Several memory safety bugs have been found in Thunderbird versions
prior to 63.0. Some of these bugs showed evidence of memory corruption
and Mozilla engineers presume that with enough effort some of these
could be exploited to run arbitrary code.

- CVE-2018-12390 (arbitrary code execution)

Several memory safety bugs have been found in Firefox and Thunderbird
versions prior to 63.0. Some of these bugs showed evidence of memory
corruption and Mozilla engineers presume that with enough effort some
of these could be exploited to run arbitrary code.

- CVE-2018-12392 (arbitrary code execution)

A security issue has been found in Firefox and Thunderbird versions
prior to 63.0. When manipulating user events in nested loops while
opening a document through script, it is possible to trigger a
potentially exploitable crash due to poor event handling.

A remote attacker is able to execute arbitrary code via a specially
crafted HTML document.