[manjaro-security] [arch-security] [ASA-201607-4] thunderbird: arbitrary code execution

[Remi Gacogne]

Arch Linux Security Advisory ASA-201607-4
=========================================

Severity: Critical
Date    : 2016-07-10
CVE-ID  : CVE-2016-2815 CVE-2016-2818
Package : thunderbird
Type    : arbitrary code execution
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package thunderbird before version 45.2.0-1 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 45.2.0-1.

# pacman -Syu "thunderbird>=45.2.0-1"

The problems have been fixed upstream in version 45.2.0.

Workaround
==========

None.

Description
===========

- CVE-2016-2815 (arbitrary code execution)

Mozilla developers and community members reported several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

- CVE-2016-2818 (arbitrary code execution)

Mozilla developers and community members reported several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird45.2
https://access.redhat.com/security/cve/CVE-2016-2815
https://access.redhat.com/security/cve/CVE-2016-2818

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160710/a37bcce7/attachment.pgp>