Advisories ยป MGASA-2019-0190

Updated thunderbird packages fix security vulnerabilities

Publication date: 10 Jun 2019
Type: security
Affected Mageia releases : 6
CVE: CVE-2018-18511 , CVE-2019-5798 , CVE-2019-7317 , CVE-2019-9797 , CVE-2019-9800 , CVE-2019-9816 , CVE-2019-9817 , CVE-2019-9818 , CVE-2019-9819 , CVE-2019-9820 , CVE-2019-11691 , CVE-2019-11692 , CVE-2019-11693 , CVE-2019-11698


Updated thunderbird packages fixes bugs and security vulnerabilities:

Cross-origin theft of images with ImageBitmapRenderingContext.

Out-of-bounds read in Skia. (CVE-2019-5798)

Use-after-free in png_image_free of libpng library. (CVE-2019-7317)

Cross-origin theft of images with createImageBitmap. (CVE-2019-9797)

Memory safety bugs fixed in Thunderbird 60.7. (CVE-2019-9800)

Type confusion with object groups and UnboxedObjects. (CVE-2019-9816)

Stealing of cross-domain images using canvas. (CVE-2019-9817)

Use-after-free in crash generation server. (CVE-2019-9818)

Compartment mismatch with fetch API. (CVE-2019-9819)

Use-after-free of ChromeEventHandler by DocShell. (CVE-2019-9820)

Use-after-free in XMLHttpRequest. (CVE-2019-11691)

Use-after-free removing listeners in the event listener manager.

Buffer overflow in WebGL bufferdata on Linux. (CVE-2019-11693)

Theft of user history data through drag and drop of hyperlinks to and from
bookmarks. (CVE-2019-11698)

Inline-PGP messages that allows an attacker to have Enigmail display a
correctly signed or encrypted message info, but display a different
unauthenticated text.