Bug 1179530 - (CVE-2020-26970) VUL-0: CVE-2020-26970: MozillaThunderbird: Mozilla Foundation Security Advisory 2020-53 (Thunderbird version 78.5.1)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Martin Sirringhaus
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/272621/
Reported: 2020-12-02 13:40 UTC by Robert Frohl
Modified: 2021-08-09 12:31 UTC

Description Robert Frohl 2020-12-02 13:40:57 UTC
Security Vulnerabilities fixed in Thunderbird 78.5.1

Announced: December 1, 2020
Impact: high
Products: Thunderbird
Fixed in: Thunderbird 78.5.1

CVE-2020-26970: Stack overflow due to incorrect parsing of SMTP server response codes

Reporter: Chiaki Ishikawa
Impact: high

Description

When reading SMTP server status codes, Thunderbird writes an integer value to a position on the stack that is intended to contain just one byte. Depending on processor architecture and stack layout, this leads to stack corruption that may be exploitable.

References

    Bug 1677338
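
The width mismatch described in the advisory text above, as an added illustration; it is not Thunderbird's code and does not come from the advisory or this bug. `neighbours_clobbered` and `parse_smtp_code` are hypothetical names, the byte array stands in for a stack frame, and the three-digit reply format with a first digit of 2 to 5 is an assumption about SMTP replies.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Models the defect without undefined behaviour: slot[0] stands for the
   one-byte variable, slot[1..] for whatever the stack holds next to it.
   Returns how many neighbouring bytes end up changed. */
int neighbours_clobbered(int value)
{
    unsigned char slot[1 + sizeof(int)];
    int changed = 0;

    memset(slot, 0xAA, sizeof slot);      /* marker for "other data" */
    memcpy(slot, &value, sizeof value);   /* int-wide store at a byte slot */
    for (size_t i = 1; i < sizeof(int); i++)
        changed += (slot[i] != 0xAA);
    return changed;
}

/* Width-correct parse (assumed reply format: three digits, first digit 2-5,
   then ' ', '-', CR, LF or end of string). Returns the code, or -1. */
int parse_smtp_code(const char *line)
{
    if (line == NULL)
        return -1;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)line[i]))
            return -1;                    /* also stops at an early '\0' */
    if (line[0] < '2' || line[0] > '5')
        return -1;
    char sep = line[3];
    if (sep != ' ' && sep != '-' && sep != '\r' && sep != '\n' && sep != '\0')
        return -1;
    return (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');
}

int main(void)
{
    /* Constructed reply lines, not captured traffic. */
    const char *samples[] = { "250 OK", "250-mail.example", "25", "2500 x", "999 x" };

    printf("int store over a 1-byte slot touches %d extra bytes\n",
           neighbours_clobbered(250));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %d\n", samples[i], parse_smtp_code(samples[i]));
    return 0;
}
```

Which neighbouring bytes receive the non-zero part of the value depends on byte order, which matches the advisory's remark that the effect varies with processor architecture and stack layout.
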
Comment 1 Robert Frohl 2020-12-02 13:43:24 UTC
Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-53
Comment 3 OBSbugzilla Bot 2020-12-02 17:20:06 UTC
This is an autogenerated message for OBS integration:
This bug (1179530) was mentioned in
https://build.opensuse.org/request/show/852686 Factory / MozillaThunderbird
Comment 4 Swamp Workflow Management 2020-12-07 17:19:41 UTC
SUSE-SU-2020:3642-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1179530
CVE References: CVE-2020-26970
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-78.5.1-3.110.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2020-12-25 14:16:24 UTC
SUSE-SU-2020:3935-1: An update that fixes 9 vulnerabilities is now available.

Category: security (critical)
Bug References: 1179530,1180039
CVE References: CVE-2020-16042,CVE-2020-26970,CVE-2020-26971,CVE-2020-26973,CVE-2020-26974,CVE-2020-26978,CVE-2020-35111,CVE-2020-35112,CVE-2020-35113
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.6.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Marcus Meissner 2021-08-09 12:31:30 UTC
done