Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0250-1 Final 1 1 2019-02-26T09:44:50Z current 2019-02-26T09:44:50Z 2019-02-26T09:44:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird to version 60.5.1 fixes the following issues: Security issues fixed (MFSA 2019-06 bsc#1125330): - CVE-2018-18356: Fixed a Use-after-free in Skia. - CVE-2019-5785: Fixed an Integer overflow in Skia. - CVE-2018-18335: Fixed a Buffer overflow in Skia by default deactivating Canvas 2D. This issue does not affect Linuc distributions. - CVE-2018-18509: Fixed a flaw which during verification of certain S/MIME signatures showing mistekenly that emails bring a valid sugnature. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00066.html E-Mail link for openSUSE-SU-2019:0250-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 MozillaThunderbird-60.5.1-86.1 MozillaThunderbird-buildsymbols-60.5.1-86.1 MozillaThunderbird-translations-common-60.5.1-86.1 MozillaThunderbird-translations-other-60.5.1-86.1 MozillaThunderbird-60.5.1-86.1 as a component of openSUSE Leap 42.3 MozillaThunderbird-buildsymbols-60.5.1-86.1 as a component of openSUSE Leap 42.3 MozillaThunderbird-translations-common-60.5.1-86.1 as a component of openSUSE Leap 42.3 MozillaThunderbird-translations-other-60.5.1-86.1 as a component of openSUSE Leap 42.3 Heap buffer overflow in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-18335 openSUSE Leap 42.3:MozillaThunderbird-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-buildsymbols-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-common-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-other-60.5.1-86.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00066.html https://www.suse.com/security/cve/CVE-2018-18335.html CVE-2018-18335 https://bugzilla.suse.com/1118529 SUSE Bug 1118529 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 An integer overflow in path handling lead to a use after free in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-18356 openSUSE Leap 42.3:MozillaThunderbird-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-buildsymbols-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-common-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-other-60.5.1-86.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00066.html https://www.suse.com/security/cve/CVE-2018-18356.html CVE-2018-18356 https://bugzilla.suse.com/1118529 SUSE Bug 1118529 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396 A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1. CVE-2018-18509 openSUSE Leap 42.3:MozillaThunderbird-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-buildsymbols-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-common-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-other-60.5.1-86.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00066.html https://www.suse.com/security/cve/CVE-2018-18509.html CVE-2018-18509 Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2019-5785 openSUSE Leap 42.3:MozillaThunderbird-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-buildsymbols-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-common-60.5.1-86.1 openSUSE Leap 42.3:MozillaThunderbird-translations-other-60.5.1-86.1 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00066.html https://www.suse.com/security/cve/CVE-2019-5785.html CVE-2019-5785 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396