{"id":"MGASA-2025-0197","summary":"Updated thunderbird packages fix security vulnerabilities","details":"CVE-2025-5262: A double-free could have occurred in\nvpx_codec_enc_init_multi after a failed allocation when initializing the\nencoder for WebRTC. This could have caused memory corruption and a\npotentially exploitable crash.\nCVE-2025-5263: Error handling for script execution was incorrectly\nisolated from web content, which could have allowed cross-origin leak\nattacks.\nCVE-2025-5264: Due to insufficient escaping of the newline character in\nthe “Copy as cURL” feature, an attacker could trick a user into using\nthis command, potentially leading to local code execution on the user's\nsystem.\nCVE-2025-5266: Script elements loading cross-origin resources generated\nload and error events which leaked information enabling XS-Leaks\nattacks.\nCVE-2025-5267: A clickjacking vulnerability could have been used to\ntrick a user into leaking saved payment card details to a malicious\npage.\nCVE-2025-5268: Memory safety bugs present in Firefox 138, Thunderbird\n138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs\nshowed evidence of memory corruption and we presume that with enough\neffort some of these could have been exploited to run arbitrary code.\nCVE-2025-5269: Memory safety bug present in Firefox ESR 128.10, and\nThunderbird 128.10. This bug showed evidence of memory corruption and we\npresume that with enough effort this could have been exploited to run\narbitrary code.\nCVE-2025-5986: A crafted HTML email using mailbox:/// links can trigger\nautomatic, unsolicited downloads of .pdf files to the user's desktop or\nhome directory without prompting, even if auto-saving is disabled. This\nbehavior can be abused to fill the disk with garbage data (e.g. using\n/dev/urandom on Linux) or to leak Windows credentials via SMB links when\nthe email is viewed in HTML mode. While user interaction is required to\ndownload the .pdf file, visual obfuscation can conceal the download\ntrigger. Viewing the email in HTML mode is enough to load external\ncontent.\nWe can't ship this update to armv7hl architecture, we are investigating\n  the issue and will try to update thunderbird for armv7hl as soon as\nposible.\n","modified":"2026-04-16T00:12:41.643597087Z","published":"2025-06-27T02:11:40Z","upstream":["CVE-2025-5262","CVE-2025-5263","CVE-2025-5264","CVE-2025-5266","CVE-2025-5267","CVE-2025-5268","CVE-2025-5269","CVE-2025-5986"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0197.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34338"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/128.11.0esr/releasenotes/"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-46/"},{"type":"WEB","url":"https://www.thunderbird.net/en-US/thunderbird/128.11.1esr/releasenotes/"},{"type":"ADVISORY","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2025-49/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.11.1-1.1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0197.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"128.11.1-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0197.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}