-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2019.0058
     MFSA 2019-06 Security vulnerabilities fixed in Thunderbird 60.5.1
                              15 February 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Thunderbird
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
                      Provide Misleading Information  -- Remote with User Interaction
                      Access Confidential Data        -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-5785 CVE-2018-18509 CVE-2018-18356 CVE-2018-18335
Member content until: Sunday, March 17 2019

OVERVIEW

        Vulnerabilities have been identified in Mozilla Thunderbird versions
        prior to 60.5.1. [1]

IMPACT

        Mozilla has given the following information regarding these
        vulnerabilities:

        "# CVE-2019-5785: Integer overflow in Skia

        Reporter: Ivan Fratric of Google Project Zero
        Impact:   high

        Description
        An integer overflow vulnerability in the Skia library can occur
        after specific transform operations, leading to a potentially
        exploitable crash.

        References
          o Bug 1525817

        ----------------------------------------------------------------------

        # CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D

        Reporter: Anonymous
        Impact:   high

        Description
        A buffer overflow vulnerability in the Skia library can occur with
        Canvas 2D acceleration on macOS. This issue was addressed by
        disabling Canvas 2D acceleration in Firefox ESR.
        Note: this does not affect other versions and platforms where
        Canvas 2D acceleration is already disabled by default.

        References
          o Bug 1525433
          o The Curious Case of Convexity Confusion

        ----------------------------------------------------------------------

        # CVE-2018-18509: S/MIME signature spoofing

        Reporter: Damian Poddebniak
        Impact:   high

        Description
        A flaw during verification of certain S/MIME signatures causes
        emails to be shown in Thunderbird as having a valid digital
        signature, even if the shown message contents aren't covered by the
        signature. The flaw allows an attacker to reuse a valid S/MIME
        signature to craft an email message with arbitrary content.

        References
          o Bug 1525815

        ----------------------------------------------------------------------

        # CVE-2018-18356: Use-after-free in Skia

        Reporter: Tran Tien Hung of Viettel Cyber Security
        Impact:   high

        Description
        A use-after-free vulnerability in the Skia library can occur when
        creating a path, leading to a potentially exploitable crash.

        References
          o Bug 1525817" [1]

MITIGATION

        Mozilla recommends upgrading Thunderbird to the latest versions.

REFERENCES

        [1] MFSA 2019-06 Security vulnerabilities fixed in Thunderbird 60.5.1
            https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.
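The S/MIME issue above (CVE-2018-18509) comes down to a client showing a valid-signature indicator for a message whose displayed contents are not all covered by the signature. The check below is added here as an illustration and is not part of the AusCERT bulletin or of Mozilla's fix: it walks a message's MIME tree and reports whether every displayable part sits inside a multipart/signed container, which is the structural property a mail client or gateway filter should require before treating the whole message as signed. The sample message and its placeholder signature bytes are constructed for the example; no signature cryptography is performed.

```python
from email import message_from_string
from email.message import Message

DISPLAYABLE = ("text/plain", "text/html")  # leaf types a client renders as body


def signed_coverage(raw: str) -> dict:
    """Count displayable leaf parts inside vs. outside a multipart/signed node.

    Only the MIME tree is inspected; no signature cryptography is performed.
    'fully_signed' holds only when every displayable part descends from a
    multipart/signed container, the property a client should require before
    showing one valid-signature indicator for the whole message.
    """
    counts = {"covered": 0, "uncovered": 0}

    def walk(part: Message, inside_signed: bool) -> None:
        ctype = part.get_content_type()
        if part.is_multipart():
            # Children of multipart/signed are the signed body and the signature.
            for sub in part.get_payload():
                walk(sub, inside_signed or ctype == "multipart/signed")
        elif ctype in DISPLAYABLE:
            counts["covered" if inside_signed else "uncovered"] += 1

    walk(message_from_string(raw), False)
    counts["fully_signed"] = counts["covered"] > 0 and counts["uncovered"] == 0
    return counts


# Constructed sample (placeholder signature bytes): a multipart/mixed wrapper
# holding one signed part and one unsigned part next to it.
PARTIALLY_SIGNED = """\
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="inner"

--inner
Content-Type: text/plain

Signed text.
--inner
Content-Type: application/pkcs7-signature; name="smime.p7s"

PLACEHOLDER-SIGNATURE
--inner--
--outer
Content-Type: text/html

<p>Unsigned text.</p>
--outer--
"""
```

Running `signed_coverage(PARTIALLY_SIGNED)` reports one covered and one uncovered part, so the message must not be presented as signed as a whole.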
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----