Your submission was sent successfully! Close

CVE-2018-5145

Published: 15 March 2018

Memory safety bugs were reported in Firefox ESR 52.6. These bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 52.7 and Thunderbird < 52.7.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
artful Not vulnerable

bionic Not vulnerable

cosmic Not vulnerable

disco Not vulnerable

eoan Not vulnerable

focal Not vulnerable

groovy Not vulnerable

hirsute Not vulnerable

impish Not vulnerable

jammy Not vulnerable

precise Does not exist

trusty Does not exist
(trusty was not-affected)
upstream Not vulnerable

xenial Not vulnerable

firefox-esr
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (52.7.0esr-1)
xenial Does not exist

mozjs38
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Needs triage

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

groovy Does not exist

hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

mozjs52
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Deferred

cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Ignored
(reached end-of-life)
focal Deferred

groovy Ignored
(reached end-of-life)
hirsute Does not exist

impish Does not exist

jammy Does not exist

precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

thunderbird
Launchpad, Ubuntu, Debian
artful
Released (1:52.7.0+build1-0ubuntu0.17.10.1)
bionic
Released (1:52.7.0+build1-0ubuntu1)
cosmic
Released (1:52.7.0+build1-0ubuntu1)
disco
Released (1:52.7.0+build1-0ubuntu1)
eoan
Released (1:52.7.0+build1-0ubuntu1)
focal
Released (1:52.7.0+build1-0ubuntu1)
groovy
Released (1:52.7.0+build1-0ubuntu1)
hirsute
Released (1:52.7.0+build1-0ubuntu1)
impish
Released (1:52.7.0+build1-0ubuntu1)
jammy
Released (1:52.7.0+build1-0ubuntu1)
precise Does not exist

trusty Does not exist
(trusty was released [1:52.7.0+build1-0ubuntu0.14.04.1])
upstream
Released (52.7.0)
xenial
Released (1:52.7.0+build1-0ubuntu0.16.04.1)

Notes

AuthorNote
tyhicks
mozjs contains a copy of the SpiderMonkey JavaScript engine
chrisccoulson
It's not clear whether this affects mozjs52, as the bugs are
still private and some aren't referenced by any changesets. The following
need investigating:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1348955

References

Bugs