
=====================================================================

                                 CERT-Renater

                     Note d'Information No. 2022/VULN220

_____________________________________________________________________

DATE                : 29/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Thunderbird versions prior to 102 and 91.11.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/
_____________________________________________________________________


Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102

Announced        June 28, 2022
Impact           high
Products
     Thunderbird
Fixed in

         Thunderbird 102
         Thunderbird 91.11

In general, these flaws cannot be exploited through email in the
Thunderbird product because scripting is disabled when reading mail,
but they are potential risks in browser or browser-like contexts.

Note: While Bug 1771084 does not represent a specific vulnerability that
was fixed, we recommend anyone rebasing patches to include it.
102 branch: Patch 1 and 2. 91 branch: Patch 1 and 2 (despite
saying Parts 2 and 3, there is no Part 1).

#CVE-2022-34479: A popup window could be resized in a way to overlay
the address bar with web content

Reporter        Irvan Kurniawan
Impact          high

Description

A malicious website that could create a popup could have resized
the popup to overlay the address bar with its own content,
resulting in potential user confusion or spoofing attacks.
This bug only affects Thunderbird for Linux. Other operating
systems are unaffected.

References

     Bug 1745595


#CVE-2022-34470: Use-after-free in nsSHistory

Reporter        Armin Ebert
Impact          high

Description

Navigations between XML documents may have led to a
use-after-free and potentially exploitable crash.

References

     Bug 1765951


#CVE-2022-34468: CSP sandbox header without `allow-scripts`
can be bypassed via retargeted javascript: URI

Reporter        Armin Ebert
Impact          high

Description

An iframe that was not permitted to run scripts could do
so if the user clicked on a javascript: link.

References

     Bug 1768537

#CVE-2022-2226: An email with a mismatching OpenPGP
signature date was accepted as valid

Reporter         Nickolay Olshevsky
Impact           moderate

Description

An OpenPGP digital signature includes information about
the date when the signature was created. When displaying
an email that contains a digital signature, the email's
date will be shown. If the dates were different, then
Thunderbird didn't report the email as having an invalid
signature. If an attacker performed a replay attack, in
which an old email with old contents is resent at a
later time, it could lead the victim to believe that the
statements in the email are current. Fixed versions of
Thunderbird will require that the signature's date
roughly matches the displayed date of the email.

References

     Bug 1775441
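As an added illustration of the check described for CVE-2022-2226 above (example code written for this note, not Thunderbird's implementation), the following Python extracts the creation time from the hashed subpacket area of a v4 OpenPGP signature packet body and compares it with the message's Date header. The 24-hour tolerance and the constructed, non-verifiable sample signature body are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def _subpacket_length(data, i):
    """Decode a subpacket length (RFC 4880 section 5.2.3.1); return (length, next index)."""
    first = data[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2
    return struct.unpack(">I", data[i + 1:i + 5])[0], i + 5


def signature_creation_time(sig_body):
    """Creation time (subpacket type 2) from the hashed area of a v4 signature body, or None."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    # Body layout: version, sig type, pk alg, hash alg, 2-byte hashed-subpacket length
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    i, end = 6, 6 + hashed_len
    while i < end:
        length, i = _subpacket_length(sig_body, i)
        sub_type = sig_body[i] & 0x7F       # bit 7 is the 'critical' flag
        body = sig_body[i + 1:i + length]   # length counts the type octet
        if sub_type == 2 and len(body) == 4:
            return datetime.fromtimestamp(struct.unpack(">I", body)[0], tz=timezone.utc)
        i += length
    return None


def signature_date_matches(date_header, sig_body, tolerance=timedelta(hours=24)):
    """True when the signature was created within `tolerance` (assumed window) of the
    Date header the client displays; a replayed old message fails this check."""
    created = signature_creation_time(sig_body)
    if created is None:
        return False                        # no creation time: treat as a mismatch
    shown = parsedate_to_datetime(date_header)
    if shown.tzinfo is None:                # a '-0000' zone yields a naive datetime
        shown = shown.replace(tzinfo=timezone.utc)
    return abs(shown - created) <= tolerance


def make_test_sig_body(created):
    """Constructed v4 signature body with only a creation-time subpacket; the trailing
    hash prefix and MPI are placeholders, not a verifiable signature."""
    sub = bytes([5, 2]) + struct.pack(">I", int(created.timestamp()))
    return bytes([4, 1, 1, 8]) + struct.pack(">H", len(sub)) + sub + b"\x00\x00\x00\x00\x00\x01\x01"


SAMPLE_CREATED = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)   # constructed sample
SAMPLE_SIG_BODY = make_test_sig_body(SAMPLE_CREATED)
```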


#CVE-2022-34481: Potential integer overflow in ReplaceElementsAt

Reporter        Ronald Crane
Impact          moderate

Description

In the nsTArray_Impl::ReplaceElementsAt() function, an integer
overflow could have occurred when the number of elements
to replace was too large for the container.

References

     Bug 1497246


#CVE-2022-31744: CSP bypass enabling stylesheet injection

Reporter        Gertjan
Impact          moderate

Description

An attacker could have injected CSS into stylesheets accessible
via internal URIs, such as resource:, and in doing so bypass
a page's Content Security Policy.

References

     Bug 1757604

#CVE-2022-34472: Unavailable PAC file resulted in OCSP requests
being blocked

Reporter        Laurent Bigonville
Impact          moderate

Description

If there was a PAC URL set and the server that hosts the
PAC was not reachable, OCSP requests would have been blocked,
resulting in incorrect error pages being shown.

References

     Bug 1770123


#CVE-2022-34478: Microsoft protocols can be attacked if a
user accepts a prompt

Reporter        Gijs
Impact          moderate

Description

The ms-msdt, search, and search-ms protocols deliver content
to Microsoft applications, bypassing the browser, when a user
accepts a prompt. These applications have had known
vulnerabilities, exploited in the wild (although we know
of none exploited through Thunderbird), so in this release
Thunderbird has blocked these protocols from prompting the
user to open them.
This bug only affects Thunderbird on Windows. Other
operating systems are unaffected.

References

     Bug 1773717


#CVE-2022-2200: Undesired attributes could be set as part
of prototype pollution

Reporter        Manfred Paul via Trend Micro's Zero Day Initiative
Impact          moderate

Description

If an object prototype was corrupted by an attacker, they
would have been able to set undesired attributes on a
JavaScript object, leading to privileged code execution.

References

     Bug 1771381


#CVE-2022-34484: Memory safety bugs fixed in Thunderbird
91.11 and Thunderbird 102

Reporter        Mozilla developers and community
Impact          high

Description

The Mozilla Fuzzing Team reported potential vulnerabilities
present in Thunderbird 91.10. Some of these bugs showed
evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to
run arbitrary code.

References

     Memory safety bugs fixed in Thunderbird 91.11 and Thunderbird 102



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================