Bug 1179530 (CVE-2020-26970)

Summary: VUL-0: CVE-2020-26970: MozillaThunderbird: Mozilla Foundation Security Advisory 2020-53 (Thunderbird version 78.5.1)
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Martin Sirringhaus <martin.sirringhaus>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: atoptsoglou, cgrobertson, wolfgang
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/272621/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2020-12-02 13:40:57 UTC
Security Vulnerabilities fixed in Thunderbird 78.5.1

Announced
    December 1, 2020
Impact
    high
Products
    Thunderbird
Fixed in
    Thunderbird 78.5.1

CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server response codes

Reporter
    Chiaki Ishikawa
Impact
    high

Description

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable.
References

    Bug 1677338
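
The description above is a width mismatch: a store sized for an integer aimed at a one-byte stack object. The following is an added example, not Thunderbird's code (this page does not show the affected source): an SMTP reply-line parser that writes each output through a pointer of its exact type. The function name `parse_smtp_reply`, the faulty pattern in the comment and the accepted code range are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>

/*
 * Bug class from the advisory, as a constructed illustration:
 *
 *     char sep;                            // one byte on the stack
 *     sscanf(line, "%d%d", &code, &sep);   // second %d stores sizeof(int)
 *                                          // bytes into a 1-byte object
 *
 * The surplus bytes overwrite whatever the compiler placed next to `sep`.
 */

enum { SMTP_OK = 0, SMTP_MALFORMED = -1 };

/* Parse "DDD<sep>text": <sep> is ' ' (final line), '-' (continuation line)
 * or end of line. Outputs are only written on success. */
int parse_smtp_reply(const char *line, int *code, char *sep)
{
    int value = 0;
    size_t i;

    if (line == NULL || code == NULL || sep == NULL)
        return SMTP_MALFORMED;

    /* Exactly three digits; stops at the terminator, never reads past it. */
    for (i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)line[i]))
            return SMTP_MALFORMED;
        value = value * 10 + (line[i] - '0');
    }
    /* Assumption of this example: accept only 2xx-5xx reply codes. */
    if (value < 200 || value > 599)
        return SMTP_MALFORMED;

    switch (line[3]) {
    case ' ': case '-':
        *sep = line[3];              /* char-sized store into a char */
        break;
    case '\0': case '\r': case '\n':
        *sep = ' ';                  /* bare code: treat as final line */
        break;
    default:
        return SMTP_MALFORMED;       /* e.g. a fourth digit */
    }
    *code = value;
    return SMTP_OK;
}
```

Compiling with `-Wall` (which enables `-Wformat` in GCC and Clang) flags the faulty `sscanf` pattern shown in the comment, and AddressSanitizer reports the out-of-bounds stack write at run time.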
Comment 1 Robert Frohl 2020-12-02 13:43:24 UTC
Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53
Comment 3 OBSbugzilla Bot 2020-12-02 17:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1179530) was mentioned in
https://build.opensuse.org/request/show/852686 Factory / MozillaThunderbird
Comment 4 Swamp Workflow Management 2020-12-07 17:19:41 UTC
SUSE-SU-2020:3642-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1179530
CVE References: CVE-2020-26970
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-78.5.1-3.110.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2020-12-25 14:16:24 UTC
SUSE-SU-2020:3935-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 1179530,1180039
CVE References: CVE-2020-16042,CVE-2020-26970,CVE-2020-26971,CVE-2020-26973,CVE-2020-26974,CVE-2020-26978,CVE-2020-35111,CVE-2020-35112,CVE-2020-35113
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.6.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2021-08-09 12:31:30 UTC
done