CVE-2018-5146

Published: 16 March 2018

An out of bounds memory write while processing Vorbis audio data was reported through the Pwn2Own contest. This vulnerability affects Firefox < 59.0.1, Firefox ESR < 52.7.2, and Thunderbird < 52.7.

Priority

CVSS 3 base score: 8.8

Status

Package	Release	Status
firefox Launchpad, Ubuntu, Debian	artful	Released (59.0.1+build1-0ubuntu0.17.10.1)
	bionic	Not vulnerable
	precise	Does not exist
	trusty	Does not exist (trusty was released [59.0.1+build1-0ubuntu0.14.04.1])
	upstream	Released (59.0.1)
	xenial	Released (59.0.1+build1-0ubuntu0.16.04.1)
firefox-esr Launchpad, Ubuntu, Debian	artful	Does not exist
	bionic	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Released (52.7.2)
	xenial	Does not exist
libvorbis Launchpad, Ubuntu, Debian	artful	Released (1.3.5-4ubuntu0.2)
	bionic	Not vulnerable (1.3.5-4.2)
	precise	Does not exist
	trusty	Does not exist (trusty was released [1.3.2-1.3ubuntu1.2])
	upstream	Needs triage
	xenial	Released (1.3.5-3ubuntu0.2)
	Patches: upstream: https://git.xiph.org/?p=vorbis.git;a=commit;h=667ceb4aab60c1f74060143bb24e5f427b3cce5f
thunderbird Launchpad, Ubuntu, Debian	artful	Released (1:52.7.0+build1-0ubuntu0.17.10.1)
	bionic	Released (1:52.7.0+build1-0ubuntu1)
	precise	Does not exist
	trusty	Does not exist (trusty was released [1:52.7.0+build1-0ubuntu0.14.04.1])
	upstream	Released (52.7.0)
	xenial	Released (1:52.7.0+build1-0ubuntu0.16.04.1)

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/libvorbis/+bug/1756516

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Security