Bug 1150939 (CVE-2019-11739)

Summary: VUL-0: CVE-2019-11739: MozillaThunderbird: Covert Content Attack on S/MIME encryption using a crafted multipart/alternative message
Product: [Novell Products] SUSE Security Incidents Reporter: Alexandros Toptsoglou <atoptsoglou>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/242508/
Whiteboard: CVSSv3:SUSE:CVE-2019-11739:5.3:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1152848    
Bug Blocks:    

Description Alexandros Toptsoglou 2019-09-16 14:13:41 UTC 
CVE-2019-11739

Encrypted S/MIME parts in a crafted multipart/alternative message can leak plaintext when included in a a HTML reply/forward.

External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2019-29/#CVE-2019-11739

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1752307
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-11739
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11739.html
http://www.debian.org/security/-1/dsa-4523
Comment 3 Swamp Workflow Management 2019-10-02 16:28:46 UTC 
SUSE-SU-2019:2515-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    MozillaThunderbird-68.1.1-3.51.1
SUSE Linux Enterprise Workstation Extension 15 (src):    MozillaThunderbird-68.1.1-3.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-10-04 16:24:36 UTC 
openSUSE-SU-2019:2249-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
openSUSE Leap 15.1 (src):    MozillaThunderbird-68.1.1-lp151.2.13.1, enigmail-2.1.2-lp151.2.6.1
Comment 5 Swamp Workflow Management 2019-10-04 16:28:34 UTC 
openSUSE-SU-2019:2248-1: An update that fixes 27 vulnerabilities is now available.

Category: security (important)
Bug References: 1140868,1141322,1149296,1149297,1149298,1149299,1149303,1149304,1150939,1152375
CVE References: CVE-2019-11709,CVE-2019-11710,CVE-2019-11711,CVE-2019-11712,CVE-2019-11713,CVE-2019-11714,CVE-2019-11715,CVE-2019-11716,CVE-2019-11717,CVE-2019-11719,CVE-2019-11720,CVE-2019-11721,CVE-2019-11723,CVE-2019-11724,CVE-2019-11725,CVE-2019-11727,CVE-2019-11728,CVE-2019-11729,CVE-2019-11730,CVE-2019-11739,CVE-2019-11740,CVE-2019-11742,CVE-2019-11743,CVE-2019-11744,CVE-2019-11746,CVE-2019-11752,CVE-2019-11755
Sources used:
openSUSE Leap 15.0 (src):    MozillaThunderbird-68.1.1-lp150.3.51.1, enigmail-2.1.2-lp150.34.1
Comment 6 Scott Reeves 2019-10-16 02:21:40 UTC 
Martin - can you check this set of thunderbird bugs and make sure they are fixed. If so assign them back to the security team. Thanks.
Comment 7 Martin Sirringhaus 2019-10-16 06:36:45 UTC 
This has been fixed with the release of Thunderbird 68.1 (MFSA2019-30)
Comment 8 Alexandros Toptsoglou 2020-05-06 08:03:23 UTC 
Done