Security update for MozillaThunderbird SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0643-1 Final 1 1 2020-05-09T22:21:15Z current 2020-05-09T22:21:15Z 2020-05-09T22:21:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaThunderbird This update for MozillaThunderbird fixes the following issues: - Update to 68.8.0 ESR MFSA 2020-18 (bsc#1171186) * CVE-2020-12397 (bmo#1617370) Sender Email Address Spoofing using encoded Unicode characters * CVE-2020-12387 (bmo#1545345) Use-after-free during worker shutdown * CVE-2020-6831 (bmo#1632241) Buffer overflow in SCTP chunk input validation * CVE-2020-12392 (bmo#1614468) Arbitrary local file access with 'Copy as cURL' * CVE-2020-12393 (bmo#1615471) Devtools' 'Copy as cURL' feature did not fully escape website-controlled data, potentially leading to command injection * CVE-2020-12395 (bmo#1595886, bmo#1611482, bmo#1614704, bmo#1624098, bmo#1625749, bmo#1626382, bmo#1628076, bmo#1631508) Memory safety bugs fixed in Thunderbird 68.8.0 This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-643 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ E-Mail link for openSUSE-SU-2020:0643-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171186 SUSE Bug 1171186 https://www.suse.com/security/cve/CVE-2020-12387/ SUSE CVE CVE-2020-12387 page https://www.suse.com/security/cve/CVE-2020-12392/ SUSE CVE CVE-2020-12392 page https://www.suse.com/security/cve/CVE-2020-12393/ SUSE CVE CVE-2020-12393 page https://www.suse.com/security/cve/CVE-2020-12395/ SUSE CVE CVE-2020-12395 page https://www.suse.com/security/cve/CVE-2020-12397/ SUSE CVE CVE-2020-12397 page https://www.suse.com/security/cve/CVE-2020-6831/ SUSE CVE CVE-2020-6831 page openSUSE Leap 15.1 MozillaThunderbird-68.8.0-lp151.2.38.2 MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 MozillaThunderbird-68.8.0-lp151.2.38.2 as a component of openSUSE Leap 15.1 MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 as a component of openSUSE Leap 15.1 MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 as a component of openSUSE Leap 15.1 A race condition when running shutdown code for Web Worker led to a use-after-free vulnerability. This resulted in a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12387 openSUSE Leap 15.1:MozillaThunderbird-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ https://www.suse.com/security/cve/CVE-2020-12387.html CVE-2020-12387 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP POST data of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in the disclosure of local files. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12392 openSUSE Leap 15.1:MozillaThunderbird-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 important 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ https://www.suse.com/security/cve/CVE-2020-12392.html CVE-2020-12392 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 The 'Copy as cURL' feature of Devtools' network tab did not properly escape the HTTP method of a request, which can be controlled by the website. If a user used the 'Copy as cURL' feature and pasted the command into a terminal, it could have resulted in command injection and arbitrary command execution. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12393 openSUSE Leap 15.1:MozillaThunderbird-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 important 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ https://www.suse.com/security/cve/CVE-2020-12393.html CVE-2020-12393 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 Mozilla developers and community members reported memory safety bugs present in Firefox 75 and Firefox ESR 68.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-12395 openSUSE Leap 15.1:MozillaThunderbird-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ https://www.suse.com/security/cve/CVE-2020-12395.html CVE-2020-12395 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 By encoding Unicode whitespace characters within the From email header, an attacker can spoof the sender email address that Thunderbird displays. This vulnerability affects Thunderbird < 68.8.0. CVE-2020-12397 openSUSE Leap 15.1:MozillaThunderbird-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ https://www.suse.com/security/cve/CVE-2020-12397.html CVE-2020-12397 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 A buffer overflow could occur when parsing and validating SCTP chunks in WebRTC. This could have led to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox ESR < 68.8, Firefox < 76, and Thunderbird < 68.8.0. CVE-2020-6831 openSUSE Leap 15.1:MozillaThunderbird-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-common-68.8.0-lp151.2.38.2 openSUSE Leap 15.1:MozillaThunderbird-translations-other-68.8.0-lp151.2.38.2 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5YQSDU3MFHQWYW5DLTHJ4JOYHWTHCHMN/ https://www.suse.com/security/cve/CVE-2020-6831.html CVE-2020-6831 https://bugzilla.suse.com/1171186 SUSE Bug 1171186 https://bugzilla.suse.com/1171247 SUSE Bug 1171247