
=====================================================================

                               CERT-Renater

                    Information Note No. 2022/VULN194

_____________________________________________________________________

DATE                : 01/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Thunderbird versions prior
                     to 91.10.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2022-22

Security Vulnerabilities fixed in Thunderbird 91.10

Announced: May 31, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 91.10

In general, these flaws cannot be exploited through email in the 
Thunderbird product because scripting is disabled when reading mail, but 
they are potential risks in browser or browser-like contexts.

# CVE-2022-31736: Cross-Origin resource's length leaked

Reporter: Luan Herrera
Impact:   high

Description

A malicious website could have learned the size of a cross-origin 
resource that supported Range requests.

References

   o Bug 1735923

# CVE-2022-31737: Heap buffer overflow in WebGL

Reporter: Atte Kettunen
Impact:   high

Description

A malicious webpage could have caused an out-of-bounds write in WebGL, 
leading to memory corruption and a potentially exploitable crash.

References

   o Bug 1743767

# CVE-2022-31738: Browser window spoof using fullscreen mode

Reporter: Irvan Kurniawan
Impact:   high

Description

When exiting fullscreen mode, an iframe could have confused the browser
about the current state of fullscreen, resulting in potential user 
confusion or spoofing attacks.

References

   o Bug 1756388

# CVE-2022-31739: Attacker-influenced path traversal when saving 
downloaded files

Reporter: Chaobin Zhang
Impact:   high

Description

When downloading files on Windows, the % character was not escaped, 
which could have led to a download incorrectly being saved to 
attacker-influenced paths that used variables such as %HOMEPATH% or 
%APPDATA%.
This bug only affects Thunderbird for Windows. Other operating systems 
are unaffected.

References

   o Bug 1765049

# CVE-2022-31740: Register allocation problem in WASM on arm64

Reporter: Gary Kwong
Impact:   high

Description

On arm64, WASM code could have resulted in incorrect assembly generation
leading to a register allocation problem, and a potentially exploitable 
crash.

References

   o Bug 1766806

# CVE-2022-31741: Uninitialized variable leads to invalid memory read

Reporter: Yaniv
Impact:   high

Description

A crafted CMS message could have been processed incorrectly, leading to 
an invalid memory read, and potentially further memory corruption.

References

   o Bug 1767590

# CVE-2022-1834: Braille space character caused incorrect sender email 
to be shown for a digitally signed email

Reporter: Jonathan von Niessen
Impact:   high

Description

When displaying the sender of an email, and the sender name contained 
the Braille Pattern Blank space character multiple times, Thunderbird 
would have displayed all the spaces. This could have been used by an 
attacker to send an email message with the attacker's digital signature, 
that was shown with an arbitrary sender email address chosen by the 
attacker. If the sender name started with a false email address, 
followed by many Braille space characters, the attacker's email address 
was not visible. Because Thunderbird compared the invisible sender 
address with the signature's email address, if the signing key or 
certificate was accepted by Thunderbird, the email was shown as having a 
valid digital signature.

References

   o Bug 1767816
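
The display-name trick described for CVE-2022-1834 can be checked for on the receiving side. The following is an added example, not Mozilla's or Thunderbird's code: it splits a From: header, decodes RFC 2047 encoded words, and flags display names that contain Braille Pattern Blank runs, other invisible non-ASCII characters, or an embedded address that differs from the real sender. The sample headers and addresses are constructed.

```python
import base64
import email.header
import re
import unicodedata

# Braille Pattern Blank (U+2800) renders as a blank glyph but is category "So",
# not a Unicode space, so str.strip() and whitespace collapsing leave it alone.
BRAILLE_BLANK = "\u2800"
# Non-ASCII characters in these categories render as spacing or as nothing.
INVISIBLE_CATEGORIES = ("Zs", "Cf")
# An address-like token inside the display name (U+2800 acts as a separator).
ADDR_IN_NAME_RE = re.compile(r'[^\s<>@\u2800"]+@[^\s<>@\u2800"]+')


def decode_display_name(raw):
    """Decode RFC 2047 encoded words (=?utf-8?b?...?=) in a header to a str."""
    out = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        out.append(chunk)
    return "".join(out)


def split_from(raw_from):
    """Return (display_name, addr_spec); the trailing <...> is the real sender."""
    decoded = decode_display_name(raw_from)
    m = re.search(r"<([^<>]*)>\s*$", decoded)
    if not m:
        return "", decoded.strip()
    name = decoded[: m.start()].strip()
    if len(name) >= 2 and name[0] == '"' and name[-1] == '"':
        name = name[1:-1]
    return name, m.group(1).strip()


def analyze_from(raw_from):
    """Return a list of findings about a spoofed-looking sender (empty = clean)."""
    name, addr = split_from(raw_from)
    findings = []
    blanks = name.count(BRAILLE_BLANK)
    if blanks:
        findings.append(f"{blanks} Braille blank (U+2800) characters in display name")
    others = sorted({f"U+{ord(c):04X}" for c in name if c != BRAILLE_BLANK
                     and ord(c) > 0x7F and unicodedata.category(c) in INVISIBLE_CATEGORIES})
    if others:
        findings.append("invisible non-ASCII characters in display name: " + ", ".join(others))
    for embedded in ADDR_IN_NAME_RE.findall(name):
        if embedded.lower() != addr.lower():
            findings.append(f"display name shows {embedded} but sender is {addr}")
    return findings


def build_sample(name, addr):
    """Constructed sample header: display name as one RFC 2047 base64 word."""
    word = base64.b64encode(name.encode("utf-8")).decode("ascii")
    return f"=?utf-8?b?{word}?= <{addr}>"


# Constructed inputs: a spoof in the shape the advisory describes, and a clean one.
SPOOFED = build_sample("ceo@example.com" + BRAILLE_BLANK * 40, "attacker@example.net")
CLEAN = "Alice Example <alice@example.com>"
```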

# CVE-2022-31742: Querying a WebAuthn token with a large number of
allowCredential entries may have leaked cross-origin information

Reporter: Michal
Impact:   moderate

Description

An attacker could have exploited a timing attack by sending a large 
number of allowCredential entries and detecting the difference between 
invalid key handles and cross-origin key handles. This could have led to 
cross-origin account linking in violation of WebAuthn goals.

References

   o Bug 1730434

# CVE-2022-31747: Memory safety bugs fixed in Thunderbird 91.10

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla
Fuzzing Team reported memory safety bugs present in Thunderbird 91.9. 
Some of these bugs showed evidence of memory corruption and we presume 
that with enough effort some of these could have been exploited to run 
arbitrary code.

References

   o Memory safety bugs fixed in Thunderbird 91.10



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

