CLD-408 Details

Other IDs this deficiency may be known by:

CVE ID None
Other ID(s) Efail, fixed-in-52.8.0, mfsa2018-13

Basic Information:

Affected Package(s) thunderbird
Deficiency Type SECURITY
Date Created 2018-05-20 16:15:25
Date Last Modified 2018-05-20 22:53:51

Version Specific Information:

Cucumber 1.0 i686fixed in thunderbird-52.8.0-i686-1
Cucumber 1.0 x86_64fixed in thunderbird-52.8.0-x86_64-1

Cucumber 1.1 i686 fixed in thunderbird-52.8.0-i686-1
Cucumber 1.1 x86_64 fixed in thunderbird-52.8.0-x86_64-1

Details:

This update contains many mitigations against the EFAIL attacks. For more
information about the efail attacks see https://efail.de/.

Addresses the following CVEs:

CVE-2018-5183: Backport critical security fixes in Skia
CVE-2018-5184: Full plaintext recovery in S/MIME via chosen-ciphertext attack
CVE-2018-5154: Use-after-free with SVG animations and clip paths
CVE-2018-5155: Use-after-free with SVG animations and text paths
CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
CVE-2018-5161: Hang via malformed headers
CVE-2018-5162: Encrypted mail leaks plaintext through src attribute
CVE-2018-5170: Filename spoofing for external attachments
CVE-2018-5168: Lightweight themes can be installed without user interaction
CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
	for downloaded files in Windows 10 April 2018 Update
CVE-2018-5178: Buffer overflow during UTF-8 to Unicode string conversion
	through legacy extensionCVE-2018-5185: Leaking plaintext through HTML
	forms
CVE-2018-5150: Memory safety bugs fixed in Firefox 60, Firefox ESR 52.8, and
	Thunderbird 52.8

For more information see:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/