Bug 1100081 (CVE-2018-12374)

Summary: VUL-0: CVE-2018-12374: MozillaThunderbird: Using form to exfiltrate encrypted mail part by pressing enter in form field
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: pcerny, smash_bz, sreeves, wolfgang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/209447/
Whiteboard: CVSSv3:SUSE:CVE-2018-12374:3.1:(AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2018-12374:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1100780    
Bug Blocks:    

Description Johannes Segitz 2018-07-04 08:24:07 UTC
CVE-2018-12374

Plaintext of decrypted emails can leak through by user submitting an embedded form by pressing enter key within a text input field.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12374
https://www.mozilla.org/en-US/security/advisories/mfsa2018-18/#CVE-2018-12374
Comment 1 Swamp Workflow Management 2018-07-04 09:20:32 UTC
This is an autogenerated message for OBS integration:
This bug (1100081) was mentioned in
https://build.opensuse.org/request/show/620589 15.0+42.3+Backports:SLE-12 / MozillaThunderbird
Comment 3 Swamp Workflow Management 2018-07-04 14:40:31 UTC
This is an autogenerated message for OBS integration:
This bug (1100081) was mentioned in
https://build.opensuse.org/request/show/620628 15.0+42.3+Backports:SLE-12 / MozillaThunderbird
Comment 5 Swamp Workflow Management 2018-07-04 22:50:29 UTC
This is an autogenerated message for OBS integration:
This bug (1100081) was mentioned in
https://build.opensuse.org/request/show/620659 15.0+42.3+Backports:SLE-12 / MozillaThunderbird
Comment 7 Swamp Workflow Management 2018-07-06 22:09:03 UTC
openSUSE-SU-2018:1905-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1076907,1085780,1091376,1098998,1100079,1100081,1100082
CVE References: CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12372,CVE-2018-12373,CVE-2018-12374,CVE-2018-5188
Sources used:
openSUSE Leap 42.3 (src):    MozillaThunderbird-52.9.0-68.1
openSUSE Leap 15.0 (src):    MozillaThunderbird-52.9.0-lp150.3.8.1
Comment 8 Swamp Workflow Management 2018-07-06 22:11:01 UTC
openSUSE-SU-2018:1907-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1076907,1085780,1091376,1098998,1100079,1100081,1100082
CVE References: CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12372,CVE-2018-12373,CVE-2018-12374,CVE-2018-5188
Sources used:
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    MozillaThunderbird-52.9.0-65.1
Comment 11 Swamp Workflow Management 2018-08-02 16:10:56 UTC
SUSE-SU-2018:2174-1: An update that fixes 11 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1076907,1085780,1091376,1098998,1100079,1100081,1100082,1100780
CVE References: CVE-2018-12359,CVE-2018-12360,CVE-2018-12362,CVE-2018-12363,CVE-2018-12364,CVE-2018-12365,CVE-2018-12366,CVE-2018-12372,CVE-2018-12373,CVE-2018-12374,CVE-2018-5188
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-52.9.1-3.7.1
Comment 12 Marcus Meissner 2018-09-07 11:58:40 UTC
released