[MFSA-2019-06] Security vulnerabilities fixed in Thunderbird 60.5.1
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D (high)
A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR.
Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.CVE-2018-18356: Use-after-free in Skia (high)
A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash.CVE-2018-18509: S/MIME signature spoofing (high)
A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content.CVE-2019-5785: Integer overflow in Skia (high)
An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash.
| Package | Affected Version |
|---|---|
 pkg:mozilla/Thunderbird
|
< 60.5.1 |
| Package | Fixed Version |
|---|---|
|
pkg:mozilla/Thunderbird
|
= 60.5.1 |
- ID
- MFSA-2019-06
- Severity
- high
- URL
- https://www.mozilla.org/en-US/security/advisories/mfsa2019-06
- Published
-
2019-02-14T00:00:00
(5 years ago) - Modified
-
2019-02-14T00:00:00
(5 years ago) - Other Advisories
-
-
ALPINE:CVE-2018-18335
-
ALPINE:CVE-2018-18356
-
ALPINE:CVE-2019-5785
-
ASA-201812-2
-
ASA-201902-16
-
ASA-201902-23
-
DSA-4352-1
-
DSA-4391-1
-
DSA-4392-1
-
ELSA-2019-0373
-
ELSA-2019-0374
-
FEDORA-2019-348547a32d
-
FEDORA-2019-859384e002
-
FREEBSD:18211552-F650-4D86-BA4F-E6D5CBFCDBEB
-
FREEBSD:546D4DD4-10EA-11E9-B407-080027EF1A23
-
GLSA-201903-04
-
GLSA-201904-07
-
GLSA-201908-18
-
MFSA-2019-04
-
MFSA-2019-05
-
openSUSE-SU-2018:4143-1
-
openSUSE-SU-2019:0248-1
-
openSUSE-SU-2019:0249-1
-
openSUSE-SU-2019:0251-1
-
openSUSE-SU-2019:1126-1
-
openSUSE-SU-2019:1162-1
-
RHSA-2018:3803
-
RHSA-2019:0373
-
RHSA-2019:0374
-
RHSA-2019:0680
-
RHSA-2019:0681
-
RHSA-2019:1144
-
SSA:2019-044-01
-
SSA:2019-045-01
-
SUSE-SU-2019:0469-1
-
SUSE-SU-2019:0852-1
-
SUSE-SU-2019:0853-1
-
SUSE-SU-2019:0871-1
-
USN-3896-1
-
USN-3897-1
-
| Source | # ID | Name | URL |
|---|---|---|---|
| Bugzilla | 1525815 |
|
|
| Bugzilla | 1525817 |
|
|
| Bugzilla | 1507218 |
|
|
| Bugzilla | 1525433 |
|
|
| The Curious Case of Convexity Confusion |
 https://googleprojectzero.blogspot.com/2019/02/the-curious-case-of-convexity-confusion.html
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:mozilla/Thunderbird |
Thunderbird
|
< 60.5.1 | ||||
| Fixed | pkg:mozilla/Thunderbird |
Thunderbird
|
= 60.5.1 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |