Mozilla Foundation Security Advisory 2019-06

Security vulnerabilities fixed in Thunderbird 60.5.1

Announced: February 14, 2019
Impact: high
Products: Thunderbird
Fixed in: Thunderbird 60.5.1

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.

CVE-2018-18356: Use-after-free in Skia

Reporter: Tran Tien Hung of Viettel Cyber Security
Impact: high
Description

A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash.

References

CVE-2019-5785: Integer overflow in Skia

Reporter: Ivan Fratric of Google Project Zero
Impact: high
Description

An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash.

References

CVE-2018-18335: Buffer overflow in Skia with accelerated Canvas 2D

Reporter: Anonymous
Impact: high
Description

A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR.
Note: this does not affect other versions and platforms where Canvas 2D acceleration is already disabled by default.

References

CVE-2018-18509: S/MIME signature spoofing

Reporter: Damian Poddebniak
Impact: high
Description

A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content.

References