Security update for Mozilla Thunderbird

SUSE Security Update: Security update for Mozilla Thunderbird
Announcement ID: SUSE-SU-2018:2174-1
Rating: moderate
References: #1076907 #1085780 #1091376 #1098998 #1100079 #1100081 #1100082 #1100780
Affected Products:
  • SUSE Linux Enterprise Workstation Extension 15

  • An update that fixes 11 vulnerabilities is now available.

    Description:

    This update for Mozilla Thunderbird to version 52.9.1 fixes multiple
    issues.

    Security issues fixed, inherited from the Mozilla common code base (MFSA
    2018-16, bsc#1098998):

    - CVE-2018-12359: Buffer overflow using computed size of canvas element
    - CVE-2018-12360: Use-after-free when using focus()
    - CVE-2018-12362: Integer overflow in SSSE3 scaler
    - CVE-2018-12363: Use-after-free when appending DOM nodes
    - CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
    - CVE-2018-12365: Compromised IPC child process can list local filenames
    - CVE-2018-12366: Invalid data handling during QCMS transformations
    - CVE-2018-5188: Memory safety bugs fixed in Thunderbird 52.9.0

    Security issues fixed that affect e-mail privacy and integrity (including
    EFAIL):

    - CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML
    emails (bsc#1100082)
    - CVE-2018-12373: S/MIME plaintext can be leaked through HTML
    reply/forward (bsc#1100079)
    - CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing
    enter in form field (bsc#1100081)

    The following options are available for added security in certain
    scenarios:

    - Option for not decrypting subordinate message parts that otherwise might
    reveal decryted content to the attacker. Preference
    mailnews.p7m_subparts_external needs to be set to true for added
    security.

    The following upstream changes are included:

    - Thunderbird will now prompt to compact IMAP folders even if the account
    is online
    - Fix various problems when forwarding messages inline when using "simple"
    HTML view
    - Deleting or detaching attachments corrupted messages under certain
    circumstances (bsc#1100780)

    The following tracked packaging changes are included:

    - correct requires and provides handling (boo#1076907)
    - reduce memory footprint with %ix86 at linking time via additional
    compiler flags (boo#1091376)
    - Build from upstream source archive and verify source signature
    (boo#1085780)

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Workstation Extension 15:
      zypper in -t patch SUSE-SLE-Product-WE-15-2018-1475=1

    Package List:

    • SUSE Linux Enterprise Workstation Extension 15 (x86_64):
      • MozillaThunderbird-52.9.1-3.7.1
      • MozillaThunderbird-debuginfo-52.9.1-3.7.1
      • MozillaThunderbird-debugsource-52.9.1-3.7.1
      • MozillaThunderbird-devel-52.9.1-3.7.1
      • MozillaThunderbird-translations-common-52.9.1-3.7.1
      • MozillaThunderbird-translations-other-52.9.1-3.7.1

    References: