{"id":"MGASA-2020-0091","summary":"Updated thunderbird packages fix security vulnerabilities","details":"Updated thunderbird packages fix security vulnerabilities:\n\nWhen deriving an identifier for an email message, uninitialized memory was\nused in addition to the message contents (CVE-2020-6792).\n\nWhen processing an email message with an ill-formed envelope, Thunderbird\ncould read data from a random memory location (CVE-2020-6793).\n\nIf a user saved passwords before Thunderbird 60 and then later set a master\npassword, an unencrypted copy of these passwords is still accessible. This\nis because the older stored password file was not deleted when the data was\ncopied to a new format starting in Thunderbird 60. The new master password is\nadded only on the new file. This could allow the exposure of stored password\ndata outside of user expectations (CVE-2020-6794).\n\nWhen processing a message that contains multiple S/MIME signatures, a bug in\nthe MIME processing code caused a null pointer dereference, leading to an\nunexploitable crash (CVE-2020-6795).\n\nIf a \u003ctemplate\u003e tag was used in a \u003cselect\u003e tag, the parser could be confused\nand allow JavaScript parsing and execution when it should not be allowed. A\nsite that relied on the browser behaving correctly could suffer a cross-site\nscripting vulnerability as a result (CVE-2020-6798).\n\nMemory safety bugs present in Thunderbird ESR 68.4. Some of these bugs showed\nevidence of memory corruption and presumably some of these could have been\nexploited to run arbitrary code (CVE-2020-6800).\n","modified":"2026-04-16T04:42:21.044361131Z","published":"2020-02-18T14:05:53Z","upstream":["CVE-2020-6792","CVE-2020-6793","CVE-2020-6794","CVE-2020-6795","CVE-2020-6798","CVE-2020-6800"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0091.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26188"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/68.5.0/releasenotes/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"68.5.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0091.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"68.5.0-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0091.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}