FS#63169 - [thunderbird] < 60.8: CVE galore, including potential RCE
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 08:13 GMT
Last edited by Antonio Rojas (arojas) - Monday, 15 July 2019, 08:39 GMT
Details
Thunderbird 60.8 fixes a bunch of CVEs (sadly, the reference
to the security advisory was omitted from upstream's release
notes for unknown reasons):
https://www.mozilla.org/en-US/security/advisories/mfsa2019-23/

CVE-2019-11709 "Memory safety bugs" has been hidden at the bottom of the CVE list, but is marked as "critical" since upstream considers it to be a potential RCE vulnerability. Also, since this advisory comes again with the well-known remark "In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.", please consider my "javascript.enabled=false" proposal from https://bugs.archlinux.org/task/62974
Comment by Pascal Ernster (hardfalcon) - Friday, 12 July 2019, 10:07 GMT
Side note to the package maintainer: rust-1.33.patch needs to be
modified so the compile run doesn't abort halfway through due to
missing macro documentation comments. I've attached a fixed
version of the patch.