CVE-2018-18501

Name	CVE-2018-18501
Description	Mozilla developers and community members reported memory safety bugs present in Firefox 64 and Firefox ESR 60.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Thunderbird < 60.5, Firefox ESR < 60.5, and Firefox < 65.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
References	DLA-1648-1, DLA-1678-1, DSA-4376-1, DSA-4392-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
firefox (PTS)	sid	113.0.2-1	fixed
firefox-esr (PTS)	buster	91.12.0esr-1~deb10u1	fixed
	buster (security)	102.11.0esr-1~deb10u1	fixed
	bullseye	102.10.0esr-1~deb11u1	fixed
	bullseye (security)	102.11.0esr-1~deb11u1	fixed
	bookworm, sid	102.11.0esr-1	fixed
thunderbird (PTS)	buster	1:91.12.0-1~deb10u1	fixed
	buster (security)	1:102.11.0-1~deb10u1	fixed
	bullseye	1:102.10.0-1~deb11u1	fixed
	bullseye (security)	1:102.11.0-1~deb11u1	fixed
	bookworm, sid	1:102.11.0-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
firefox	source	(unstable)	65.0-1
firefox-esr	source	jessie	60.5.0esr-1~deb8u1	DLA-1648-1
firefox-esr	source	stretch	60.5.0esr-1~deb9u1	DSA-4376-1
firefox-esr	source	(unstable)	60.5.0esr-1
thunderbird	source	jessie	1:60.5.1-1~deb8u1	DLA-1678-1
thunderbird	source	stretch	1:60.5.1-1~deb9u1	DSA-4392-1
thunderbird	source	(unstable)	1:60.5.0-1

Notes

https://www.mozilla.org/en-US/security/advisories/mfsa2019-01/#CVE-2018-18501
https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/#CVE-2018-18501
https://www.mozilla.org/en-US/security/advisories/mfsa2019-03/#CVE-2018-18501