Updated thunderbird packages fix security vulnerabilities
Publication date: 27 Jun 2025Modification date: 27 Jun 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-5262 , CVE-2025-5263 , CVE-2025-5264 , CVE-2025-5266 , CVE-2025-5267 , CVE-2025-5268 , CVE-2025-5269 , CVE-2025-5986
Description
CVE-2025-5262: A double-free could have occurred in
vpx_codec_enc_init_multi after a failed allocation when initializing the
encoder for WebRTC. This could have caused memory corruption and a
potentially exploitable crash.
CVE-2025-5263: Error handling for script execution was incorrectly
isolated from web content, which could have allowed cross-origin leak
attacks.
CVE-2025-5264: Due to insufficient escaping of the newline character in
the “Copy as cURL” feature, an attacker could trick a user into using
this command, potentially leading to local code execution on the user's
system.
CVE-2025-5266: Script elements loading cross-origin resources generated
load and error events which leaked information enabling XS-Leaks
attacks.
CVE-2025-5267: A clickjacking vulnerability could have been used to
trick a user into leaking saved payment card details to a malicious
page.
CVE-2025-5268: Memory safety bugs present in Firefox 138, Thunderbird
138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs
showed evidence of memory corruption and we presume that with enough
effort some of these could have been exploited to run arbitrary code.
CVE-2025-5269: Memory safety bug present in Firefox ESR 128.10, and
Thunderbird 128.10. This bug showed evidence of memory corruption and we
presume that with enough effort this could have been exploited to run
arbitrary code.
CVE-2025-5986: A crafted HTML email using mailbox:/// links can trigger
automatic, unsolicited downloads of .pdf files to the user's desktop or
home directory without prompting, even if auto-saving is disabled. This
behavior can be abused to fill the disk with garbage data (e.g. using
/dev/urandom on Linux) or to leak Windows credentials via SMB links when
the email is viewed in HTML mode. While user interaction is required to
download the .pdf file, visual obfuscation can conceal the download
trigger. Viewing the email in HTML mode is enough to load external
content.
We can't ship this update to armv7hl architecture, we are investigating
the issue and will try to update thunderbird for armv7hl as soon as
posible.
References
- https://bugs.mageia.org/show_bug.cgi?id=34338
- https://www.thunderbird.net/en-US/thunderbird/128.11.0esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/
- https://www.thunderbird.net/en-US/thunderbird/128.11.1esr/releasenotes/
- https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5262
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5263
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5264
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5266
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5267
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5268
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5269
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5986
SRPMS
9/core
- thunderbird-128.11.1-1.1.mga9
- thunderbird-l10n-128.11.1-1.mga9