FS#63169 - [thunderbird] < 60.8: CVE galore, including potential RCE

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 08:13 GMT
Last edited by Antonio Rojas (arojas) - Monday, 15 July 2019, 08:39 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Thunderbird 60.8 fixes a bunch of CVEs (sadly, the reference to the security advisory was omitted from upstream's release notes for unknown reasons):

https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/

CVE-2019-11709 "Memory safety bugs" has been hidden at the bottom of the CVE list, but is marked as "critical" since upstream considers it to be a potential RCE vulnerability.


Also, since this advisory comes again with the well-known remark

"In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.",

please consider my "javascript.enabled=false" proposal from https://bugs.archlinux.org/task/62974

Closed by Antonio Rojas (arojas)
Monday, 15 July 2019, 08:39 GMT
Reason for closing: Fixed
Comment by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 10:07 GMT
Side note to the package maintainer: rust-1.33.patch needs to be modified so the compile run doesn't abort halfway through due to missing macro documentation comments. I've attached a fixed version of the patch.
