Vulnerability CVE-2018-12390: Information

Description

Mozilla developers and community members reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox < 63, Firefox ESR < 60.3, and Thunderbird < 60.3.

Severity: CRITICAL (9.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-12390

Published: Feb. 28, 2019

Modified: March 1, 2019

Error type identifier: CWE-119

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	63.0.1-alt1	126.0.1-alt1	ALT-PU-2018-2645-1	216395	Fixed
firefox	p10	63.0.1-alt1	118.0.2-alt0.p10.1	ALT-PU-2018-2645-1	216395	Fixed
firefox	p9	63.0.1-alt1	105.0.1-alt0.c9.1	ALT-PU-2018-2645-1	216395	Fixed
firefox	p8	63.0.3-alt0.M80P.1	68.0.1-alt0.M80P.1	ALT-PU-2018-2742-1	216526	Fixed
firefox	c10f1	63.0.1-alt1	112.0.2-alt0.p10.1	ALT-PU-2018-2645-1	216395	Fixed
firefox	c9f2	63.0.1-alt1	105.0.1-alt0.c9.1	ALT-PU-2018-2645-1	216395	Fixed
firefox	c7	60.6.1-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2019-1726-1	218597	Fixed
firefox	p11	63.0.1-alt1	126.0.1-alt1	ALT-PU-2018-2645-1	216395	Fixed
firefox-esr	sisyphus	60.3.0-alt1	115.11.0-alt1	ALT-PU-2018-2550-1	215469	Fixed
firefox-esr	p10	60.3.0-alt1	115.11.0-alt1	ALT-PU-2018-2550-1	215469	Fixed
firefox-esr	p9	68.0.2-alt1	102.11.0-alt0.c9.1	ALT-PU-2019-2486-1	235108	Fixed
firefox-esr	p8	60.3.0-alt0.M80P.1	68.4.1-alt0.M80P.1	ALT-PU-2018-2565-1	215471	Fixed
firefox-esr	c10f1	60.3.0-alt1	115.9.1-alt0.c10.1	ALT-PU-2018-2550-1	215469	Fixed
firefox-esr	c9f2	68.0.2-alt1	102.12.0-alt0.c9.1	ALT-PU-2019-2486-1	235108	Fixed
firefox-esr	p11	60.3.0-alt1	115.11.0-alt1	ALT-PU-2018-2550-1	215469	Fixed
thunderbird	sisyphus	60.3.0-alt1	115.9.0-alt1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	p10	60.3.0-alt1	115.9.0-alt1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	p9	60.3.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	p8	60.7.2-alt0.M80P.1	60.8.0-alt0.M80P.1	ALT-PU-2019-2196-1	216874	Fixed
thunderbird	c10f1	60.3.0-alt1	115.9.0-alt0.c10.1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	c9f2	60.3.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2018-2669-1	210777	Fixed
thunderbird	c7	60.8.0-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2019-2345-1	234994	Fixed
thunderbird	p11	60.3.0-alt1	115.9.0-alt1	ALT-PU-2018-2669-1	210777	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://www.mozilla.org/security/advisories/mfsa2018-28/	Patch Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-27/	Patch Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-26/	Patch Vendor Advisory
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1487098%2C1487660%2C1490234%2C1496159%2C1443748%2C1496340%2C1483905%2C1493347%2C1488803%2C1498701%2C1498482%2C1442010%2C1495245%2C1483699%2C1469486%2C1484905%2C1490561%2C1492524%2C1481844	Issue Tracking Patch Vendor Advisory
DSA-4337	Third Party Advisory
DSA-4324	Third Party Advisory
USN-3868-1	Third Party Advisory
USN-3801-1	Third Party Advisory
GLSA-201811-13	Third Party Advisory
GLSA-201811-04	Third Party Advisory
[debian-lts-announce] 20181112 [SECURITY] [DLA 1575-1] thunderbird security update	Mailing List Third Party Advisory
[debian-lts-announce] 20181107 [SECURITY] [DLA 1571-1] firefox-esr security update	Mailing List Third Party Advisory
RHSA-2018:3532	Third Party Advisory
RHSA-2018:3531	Third Party Advisory
RHSA-2018:3006	Third Party Advisory
RHSA-2018:3005	Third Party Advisory
1041944	Third Party Advisory VDB Entry
105769	Third Party Advisory VDB Entry
105718	Third Party Advisory VDB Entry

Affected configurations:
1. Configuration 1
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  63.0
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excliding
  60.3.0
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excliding
  60.3.0
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2018-12390: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4