{"id":"MGASA-2018-0480","summary":"Updated thunderbird packages fix security issues & bugs","details":"- Buffer overflow using computed size of canvas element. (CVE-2018-12359)\n\n- Use-after-free when using focus(). (CVE-2018-12360)\n\n- Integer overflow in SwizzleData. (CVE-2018-12361)\n\n- Integer overflow in SSSE3 scaler. (CVE-2018-12362)\n\n- Media recorder segmentation fault when track type is changed during\ncapture. (CVE-2018-5156)\n\n- Use-after-free when appending DOM nodes. (CVE-2018-12363)\n\n- CSRF attacks through 307 redirects and NPAPI plugins. (CVE-2018-12364)\n\n- Compromised IPC child process can list local filenames.\n(CVE-2018-12365)\n\n- Integer overflow in Skia library during edge builder allocation.\n(CVE-2018-12371)\n\n- Invalid data handling during QCMS transformations. (CVE-2018-12366)\n\n- Timing attack mitigation of PerformanceNavigationTiming.\n(CVE-2018-12367)\n\n- No warning when opening executable SettingContent-ms files.\n(CVE-2018-12368)\n\n- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, and\nThunderbird 60. (CVE-2018-5187)\n\n- Memory safety bugs fixed in Firefox 61, Firefox ESR 60.1, Firefox\nESR 52.9, and Thunderbird 60. (CVE-2018-5188)\n\n- Use-after-free in refresh driver timers. (CVE-2018-12377)\n\n- Use-after-free in IndexedDB. (CVE-2018-12378)\n\n- Out-of-bounds write with malicious MAR file. (CVE-2018-12379)\n\n- Proxy bypass using automount and autofs. (CVE-2017-16541)\n\n- Crash in TransportSecurityInfo due to cached data. (CVE-2018-12385)\n\n- Setting a master password post-Firefox 58 does not delete unencrypted\npreviously stored passwords. (CVE-2018-12383)\n\n- Memory safety bugs fixed in Firefox 62, Firefox ESR 60.2, and\nThunderbird 60.2.1. (CVE-2018-12376)\n\n- HTTP Live Stream audio data is accessible cross-origin.\n(CVE-2018-12391)\n\n- Crash with nested event loops. (CVE-2018-12392)\n\n- Integer overflow during Unicode conversion while loading JavaScript.\n(CVE-2018-12393)\n\n- Memory safety bugs fixed in Firefox ESR 60.3 and Thunderbird 60.3.\n(CVE-2018-12389)\n\n- Memory safety bugs fixed in Firefox 63, Firefox ESR 60.3, and\nThunderbird 60.3. (CVE-2018-12390)\n","modified":"2026-02-04T04:16:18.176964Z","published":"2018-12-15T21:29:48Z","related":["CVE-2017-16541","CVE-2018-12359","CVE-2018-12360","CVE-2018-12361","CVE-2018-12362","CVE-2018-12363","CVE-2018-12364","CVE-2018-12365","CVE-2018-12366","CVE-2018-12367","CVE-2018-12368","CVE-2018-12371","CVE-2018-12376","CVE-2018-12377","CVE-2018-12378","CVE-2018-12379","CVE-2018-12383","CVE-2018-12385","CVE-2018-12389","CVE-2018-12390","CVE-2018-12391","CVE-2018-12392","CVE-2018-12393","CVE-2018-5156","CVE-2018-5187","CVE-2018-5188"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0480.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23706"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/60.3.0/releasenotes/"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/60.3.1/releasenotes/"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/60.3.2/releasenotes/"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/60.3.3/releasenotes/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-19/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/"},{"type":"REPORT","url":"https://www.debian.org/security/2018/dsa-4327"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2018:3458"},{"type":"REPORT","url":"https://lists.opensuse.org/opensuse-updates/2018-11/msg00009.html"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2018:3532"},{"type":"REPORT","url":"https://www.debian.org/security/2018/dsa-4337"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"60.3.3-3.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0480.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"60.3.3-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0480.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}