PublicDateAtUSN: 2018-03-16 Candidate: CVE-2018-5146 PublicDate: 2018-06-11 21:29:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5146 https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ https://ubuntu.com/security/notices/USN-3599-1 https://ubuntu.com/security/notices/USN-3604-1 https://ubuntu.com/security/notices/USN-3545-1 Description: An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7. Ubuntu-Description: Notes: Bugs: https://bugs.launchpad.net/ubuntu/+source/libvorbis/+bug/1756516 Priority: medium Discovered-by: Richard Zhu Assigned-to: CVSS: nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [8.8 HIGH] Patches_firefox: upstream_firefox: released (59.0.1) precise/esm_firefox: DNE trusty_firefox: released (59.0.1+build1-0ubuntu0.14.04.1) trusty/esm_firefox: DNE (trusty was released [59.0.1+build1-0ubuntu0.14.04.1]) xenial_firefox: released (59.0.1+build1-0ubuntu0.16.04.1) esm-infra/xenial_firefox: released (59.0.1+build1-0ubuntu0.16.04.1) artful_firefox: released (59.0.1+build1-0ubuntu0.17.10.1) bionic_firefox: not-affected devel_firefox: not-affected Patches_thunderbird: upstream_thunderbird: released (52.7.0) precise/esm_thunderbird: DNE trusty_thunderbird: released (1:52.7.0+build1-0ubuntu0.14.04.1) trusty/esm_thunderbird: DNE (trusty was released [1:52.7.0+build1-0ubuntu0.14.04.1]) xenial_thunderbird: released (1:52.7.0+build1-0ubuntu0.16.04.1) esm-infra/xenial_thunderbird: released (1:52.7.0+build1-0ubuntu0.16.04.1) artful_thunderbird: released (1:52.7.0+build1-0ubuntu0.17.10.1) bionic_thunderbird: released (1:52.7.0+build1-0ubuntu1) devel_thunderbird: released (1:52.7.0+build1-0ubuntu1) Patches_firefox-esr: upstream_firefox-esr: released (52.7.2) precise/esm_firefox-esr: DNE trusty_firefox-esr: DNE trusty/esm_firefox-esr: DNE xenial_firefox-esr: DNE artful_firefox-esr: DNE bionic_firefox-esr: DNE devel_firefox-esr: DNE Patches_libvorbis: upstream: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f upstream_libvorbis: needs-triage precise/esm_libvorbis: DNE trusty_libvorbis: released (1.3.2-1.3ubuntu1.2) trusty/esm_libvorbis: DNE (trusty was released [1.3.2-1.3ubuntu1.2]) xenial_libvorbis: released (1.3.5-3ubuntu0.2) esm-infra/xenial_libvorbis: released (1.3.5-3ubuntu0.2) artful_libvorbis: released (1.3.5-4ubuntu0.2) bionic_libvorbis: not-affected (1.3.5-4.2) devel_libvorbis: not-affected (1.3.5-4.2)