CVE-2018-5146

Published: 16 March 2018

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
firefox
Launchpad, Ubuntu, Debian
Upstream
Released (59.0.1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable

Ubuntu 16.04 LTS (Xenial Xerus)
Released (59.0.1+build1-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [59.0.1+build1-0ubuntu0.14.04.1])
firefox-esr
Launchpad, Ubuntu, Debian
Upstream
Released (52.7.2)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

libvorbis
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(1.3.5-4.2)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1.3.5-3ubuntu0.2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1.3.2-1.3ubuntu1.2])
Patches:
Upstream: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
thunderbird
Launchpad, Ubuntu, Debian
Upstream
Released (52.7.0)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (1:52.7.0+build1-0ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus)
Released (1:52.7.0+build1-0ubuntu0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1:52.7.0+build1-0ubuntu0.14.04.1])