Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:0251-1 Final 1 1 2019-03-23T11:03:55Z current 2019-03-23T11:03:55Z 2019-03-23T11:03:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird to version 60.5.1 fixes the following issues: Security vulnerabilities addressed (MSFA 2019-03 MSFA 2018-31 MFSA 2019-06 bsc#1122983 bsc#1119105 bsc#1125330): - CVE-2018-18356: Fixed a Use-after-free in Skia. - CVE-2019-5785: Fixed an Integer overflow in Skia. - CVE-2018-18335: Fixed a Buffer overflow in Skia by default deactivating Canvas 2D. This issue does not affect Linuc distributions. - CVE-2018-18509: Fixed a flaw which during verification of certain S/MIME signatures showing mistekenly that emails bring a valid sugnature. - CVE-2018-18500: Use-after-free parsing HTML5 stream - CVE-2018-18505: Privilege escalation through IPC channel messages - CVE-2016-5824 DoS (use-after-free) via a crafted ics file - CVE-2018-18501: Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 - CVE-2018-17466: Buffer overflow and out-of-bounds read in ANGLE library with TextureStorage11 - CVE-2018-18492: Use-after-free with select element - CVE-2018-18493: Buffer overflow in accelerated 2D canvas with Skia - CVE-2018-18494: Same-origin policy violation using location attribute and performance.getEntries to steal cross-origin URLs - CVE-2018-18498: Integer overflow when calculating buffer sizes for images - CVE-2018-12405: Memory safety bugs fixed in Firefox 64, 60.4, and Thunderbird 60.4 Other bug fixes and changes: - FileLink provider WeTransfer to upload large attachments - Thunderbird now allows the addition of OpenSearch search engines from a local XML file using a minimal user interface: [+] button to select a file an add, [-] to remove. - More search engines: Google and DuckDuckGo available by default in some locales - During account creation, Thunderbird will now detect servers using the Microsoft Exchange protocol. It will offer the installation of a 3rd party add-on (Owl) which supports that protocol. - Thunderbird now compatible with other WebExtension-based FileLink add-ons like the Dropbox add-on - New WebExtensions FileLink API to facilitate add-ons - Fix decoding problems for messages with less common charsets (cp932, cp936) - New messages in the drafts folder (and other special or virtual folders) will no longer be included in the new messages notification - Thunderbird 60 will migrate security databases (key3.db, cert8.db to key4.db, cert9.db). - Address book search and auto-complete slowness - Plain text markup with * for bold, / for italics, _ for underline and | for code did not work when the enclosed text contained non-ASCII characters - While composing a message, a link not removed when link location was removed in the link properties panel - Encoding problems when exporting address books or messages using the system charset. Messages are now always exported using the UTF-8 encoding - If the 'Date' header of a message was invalid, Jan 1970 or Dec 1969 was displayed. Now using date from 'Received' header instead. - Body search/filtering didn't reliably ignore content of tags - Inappropriate warning 'Thunderbird prevented the site (addons.thunderbird.net) from asking you to install software on your computer' when installing add-ons - Incorrect display of correspondents column since own email address was not always detected - Spurious &#xA; (encoded newline) inserted into drafts and sent email - Double-clicking on a word in the Write window sometimes launched the Advanced Property Editor or Link Properties dialog - Fixed Cookie removal - 'Download rest of message' was not working if global inbox was used - Fix Encoding problems for users (especially in Poland) when a file was sent via a folder using 'Sent to > Mail recipient' due to a problem in the Thunderbird MAPI interface - According to RFC 4616 and RFC 5721, passwords containing non-ASCII characters are encoded using UTF-8 which can lead to problems with non-compliant providers, for example office365.com. The SMTP LOGIN and POP3 USER/PASS authentication methods are now using a Latin-1 encoding again to work around this issue - Fix shutdown crash/hang after entering an empty IMAP password This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-251 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html E-Mail link for openSUSE-SU-2019:0251-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://www.suse.com/security/cve/CVE-2016-5824/ SUSE CVE CVE-2016-5824 page https://www.suse.com/security/cve/CVE-2018-12405/ SUSE CVE CVE-2018-12405 page https://www.suse.com/security/cve/CVE-2018-17466/ SUSE CVE CVE-2018-17466 page https://www.suse.com/security/cve/CVE-2018-18335/ SUSE CVE CVE-2018-18335 page https://www.suse.com/security/cve/CVE-2018-18356/ SUSE CVE CVE-2018-18356 page https://www.suse.com/security/cve/CVE-2018-18492/ SUSE CVE CVE-2018-18492 page https://www.suse.com/security/cve/CVE-2018-18493/ SUSE CVE CVE-2018-18493 page https://www.suse.com/security/cve/CVE-2018-18494/ SUSE CVE CVE-2018-18494 page https://www.suse.com/security/cve/CVE-2018-18498/ SUSE CVE CVE-2018-18498 page https://www.suse.com/security/cve/CVE-2018-18500/ SUSE CVE CVE-2018-18500 page https://www.suse.com/security/cve/CVE-2018-18501/ SUSE CVE CVE-2018-18501 page https://www.suse.com/security/cve/CVE-2018-18505/ SUSE CVE CVE-2018-18505 page https://www.suse.com/security/cve/CVE-2018-18509/ SUSE CVE CVE-2018-18509 page https://www.suse.com/security/cve/CVE-2019-5785/ SUSE CVE CVE-2019-5785 page openSUSE Leap 15.0 MozillaThunderbird-60.5.1-lp150.3.30.1 MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 MozillaThunderbird-60.5.1-lp150.3.30.1 as a component of openSUSE Leap 15.0 MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 as a component of openSUSE Leap 15.0 MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 as a component of openSUSE Leap 15.0 MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 as a component of openSUSE Leap 15.0 libical 1.0 allows remote attackers to cause a denial of service (use-after-free) via a crafted ics file. CVE-2016-5824 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2016-5824.html CVE-2016-5824 https://bugzilla.suse.com/1015964 SUSE Bug 1015964 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986631 SUSE Bug 986631 https://bugzilla.suse.com/986639 SUSE Bug 986639 https://bugzilla.suse.com/986642 SUSE Bug 986642 https://bugzilla.suse.com/986658 SUSE Bug 986658 Mozilla developers and community members reported memory safety bugs present in Firefox 63 and Firefox ESR 60.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-12405 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-12405.html CVE-2018-12405 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 Incorrect texture handling in Angle in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2018-17466 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-17466.html CVE-2018-17466 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 Heap buffer overflow in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-18335 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18335.html CVE-2018-18335 https://bugzilla.suse.com/1118529 SUSE Bug 1118529 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 An integer overflow in path handling lead to a use after free in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-18356 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18356.html CVE-2018-18356 https://bugzilla.suse.com/1118529 SUSE Bug 1118529 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396 A use-after-free vulnerability can occur after deleting a selection element due to a weak reference to the select element in the options collection. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18492 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18492.html CVE-2018-18492 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A buffer overflow can occur in the Skia library during buffer offset calculations with hardware accelerated canvas 2D actions due to the use of 32-bit calculations instead of 64-bit. This results in a potentially exploitable crash. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18493 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18493.html CVE-2018-18493 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries(). This is a same-origin policy violation and could allow for data theft. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18494 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18494.html CVE-2018-18494 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A potential vulnerability leading to an integer overflow can occur during buffer size calculations for images when a raw value is used instead of the checked value. This leads to a possible out-of-bounds write. This vulnerability affects Thunderbird < 60.4, Firefox ESR < 60.4, and Firefox < 64. CVE-2018-18498 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18498.html CVE-2018-18498 https://bugzilla.suse.com/1112111 SUSE Bug 1112111 https://bugzilla.suse.com/1119105 SUSE Bug 1119105 https://bugzilla.suse.com/1121207 SUSE Bug 1121207 A use-after-free vulnerability can occur while parsing an HTML5 stream in concert with custom HTML elements. This results in the stream parser object being freed while still in use, leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65. CVE-2018-18500 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18500.html CVE-2018-18500 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986639 SUSE Bug 986639 Mozilla developers and community members reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65. CVE-2018-18501 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18501.html CVE-2018-18501 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986639 SUSE Bug 986639 An earlier fix for an Inter-process Communication (IPC) vulnerability, CVE-2011-3079, added authentication to communication between IPC endpoints and server parents during IPC process creation. This authentication is insufficient for channels created after the IPC process is started, leading to the authentication not being correctly applied to later channels. This could allow for a sandbox escape through IPC channels due to lack of message validation in the listener process. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65. CVE-2018-18505 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18505.html CVE-2018-18505 https://bugzilla.suse.com/1122983 SUSE Bug 1122983 https://bugzilla.suse.com/986639 SUSE Bug 986639 A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. This vulnerability affects Thunderbird < 60.5.1. CVE-2018-18509 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2018-18509.html CVE-2018-18509 Incorrect convexity calculations in Skia in Google Chrome prior to 72.0.3626.81 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2019-5785 openSUSE Leap 15.0:MozillaThunderbird-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-buildsymbols-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-common-60.5.1-lp150.3.30.1 openSUSE Leap 15.0:MozillaThunderbird-translations-other-60.5.1-lp150.3.30.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00069.html https://www.suse.com/security/cve/CVE-2019-5785.html CVE-2019-5785 https://bugzilla.suse.com/1125330 SUSE Bug 1125330 https://bugzilla.suse.com/1125396 SUSE Bug 1125396