Vulnerability CVE-2018-12365: Information

Description

A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61.

Severity: MEDIUM (6.5) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2018-12365

Published: Oct. 18, 2018

Modified: Dec. 3, 2018

Error type identifier: CWE-200

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
firefox	sisyphus	61.0-alt1	127.0-alt1	ALT-PU-2018-1985-1	209471	Fixed
firefox	p10	61.0-alt1	118.0.2-alt0.p10.1	ALT-PU-2018-1985-1	209471	Fixed
firefox	p9	61.0-alt1	105.0.1-alt0.c9.1	ALT-PU-2018-1985-1	209471	Fixed
firefox	p8	61.0.1-alt0.M80P.1	68.0.1-alt0.M80P.1	ALT-PU-2018-2036-1	209591	Fixed
firefox	c10f1	61.0-alt1	112.0.2-alt0.p10.1	ALT-PU-2018-1985-1	209471	Fixed
firefox	c9f2	61.0-alt1	105.0.1-alt0.c9.1	ALT-PU-2018-1985-1	209471	Fixed
firefox	c7	60.6.1-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2019-1726-1	218597	Fixed
firefox	p11	61.0-alt1	126.0.1-alt1	ALT-PU-2018-1985-1	209471	Fixed
firefox-esr	sisyphus	60.1.0-alt1	115.11.0-alt1	ALT-PU-2018-1952-1	209186	Fixed
firefox-esr	p10	60.1.0-alt1	115.11.0-alt1	ALT-PU-2018-1952-1	209186	Fixed
firefox-esr	p9	68.0.2-alt1	102.11.0-alt0.c9.1	ALT-PU-2019-2486-1	235108	Fixed
firefox-esr	p8	60.1.0-alt0.M80P.1	68.4.1-alt0.M80P.1	ALT-PU-2018-1966-1	207865	Fixed
firefox-esr	c10f1	60.1.0-alt1	115.9.1-alt0.c10.1	ALT-PU-2018-1952-1	209186	Fixed
firefox-esr	c9f2	68.0.2-alt1	102.12.0-alt0.c9.1	ALT-PU-2019-2486-1	235108	Fixed
firefox-esr	p11	60.1.0-alt1	115.11.0-alt1	ALT-PU-2018-1952-1	209186	Fixed
thunderbird	sisyphus	52.9.0-alt1	115.9.0-alt1	ALT-PU-2018-1978-1	209483	Fixed
thunderbird	p10	52.9.0-alt1	115.9.0-alt1	ALT-PU-2018-1978-1	209483	Fixed
thunderbird	p9	52.9.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2018-1978-1	209483	Fixed
thunderbird	p8	52.9.0-alt0.M80P.1	60.8.0-alt0.M80P.1	ALT-PU-2018-1988-1	209501	Fixed
thunderbird	c10f1	52.9.0-alt1	115.9.0-alt0.c10.1	ALT-PU-2018-1978-1	209483	Fixed
thunderbird	c9f2	52.9.0-alt1	102.11.0-alt0.c9.1	ALT-PU-2018-1978-1	209483	Fixed
thunderbird	c7	60.8.0-alt0.M70C.1	60.8.0-alt0.M70C.1	ALT-PU-2019-2345-1	234994	Fixed
thunderbird	p11	52.9.0-alt1	115.9.0-alt1	ALT-PU-2018-1978-1	209483	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://www.mozilla.org/security/advisories/mfsa2018-19/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-18/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-17/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-16/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2018-15/	Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1459206	Issue Tracking Permissions Required Vendor Advisory
DSA-4244	Third Party Advisory
DSA-4235	Third Party Advisory
USN-3714-1	Third Party Advisory
USN-3705-1	Third Party Advisory
[debian-lts-announce] 20180714 [SECURITY] [DLA 1425-1] thunderbird security update	Mailing List Third Party Advisory
[debian-lts-announce] 20180629 [SECURITY] [DLA 1406-1] firefox-esr security update	Mailing List Third Party Advisory
RHSA-2018:2252	Third Party Advisory
RHSA-2018:2251	Third Party Advisory
RHSA-2018:2113	Third Party Advisory
RHSA-2018:2112	Third Party Advisory
1041193	Third Party Advisory VDB Entry
104560	Third Party Advisory VDB Entry
GLSA-201810-01	Third Party Advisory
GLSA-201811-13	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  
  Configuration 4
  cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
  End excliding
  61.0
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  End excliding
  52.9
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  End excliding
  52.9
  cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*:*
  Start including
  53.0
  End excliding
  60.1.0
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  Start including
  52.9.1
  End excliding
  60.0

Version: v24.5.3

Vulnerability CVE-2018-12365: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4