
=====================================================================

                                  CERT-Renater

                       Information Note No. 2022/VULN282

_____________________________________________________________________

DATE                : 24/08/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Thunderbird versions prior to
                      102.2, 91.13.

=====================================================================
https://www.mozilla.org/en-US/security/advisories/mfsa2022-36/
https://www.mozilla.org/en-US/security/advisories/mfsa2022-37/
_____________________________________________________________________

Mozilla Foundation Security Advisory 2022-36
Security Vulnerabilities fixed in Thunderbird 102.2


Announced       August 23, 2022
Impact          high
Products        Thunderbird
Fixed in        Thunderbird 102.2

In general, these flaws cannot be exploited through email in the 
Thunderbird product because scripting is disabled when reading mail, but 
are potential risks in browser or browser-like contexts.


#CVE-2022-38472: Address bar spoofing via XSLT error handling

Reporter         Armin Ebert
Impact           high

Description

An attacker could have abused XSLT error handling to associate 
attacker-controlled content with another origin which was displayed in 
the address bar. This could have been used to fool the user into 
submitting data intended for the spoofed origin.

References

     Bug 1769155


#CVE-2022-38473: Cross-origin XSLT Documents would have inherited the 
parent's permissions

Reporter         Armin Ebert
Impact           high

Description

A cross-origin iframe referencing an XSLT document would inherit the 
parent domain's permissions (such as microphone or camera access).

References

     Bug 1771685


#CVE-2022-38476: Data race and potential use-after-free in PK11_ChangePW

Reporter         Marian Laza
Impact           low

Description

A data race could occur in the PK11_ChangePW function, potentially 
leading to a use-after-free vulnerability. In Thunderbird, this lock 
protected the data when a user changed their master password.

References

     Bug 1760998


#CVE-2022-38477: Memory safety bugs fixed in Thunderbird 102.2

Reporter         Mozilla developers and community
Impact           high

Description

Mozilla developer Nika Layzell and the Mozilla Fuzzing Team reported 
memory safety bugs present in Thunderbird 102.1. Some of these bugs 
showed evidence of memory corruption and we presume that with enough 
effort some of these could have been exploited to run arbitrary code.

References

     Memory safety bugs fixed in Thunderbird 102.2


#CVE-2022-38478: Memory safety bugs fixed in Thunderbird 102.2, and 
Thunderbird 91.13

Reporter         Mozilla developers and community
Impact           high

Description

Members of the Mozilla Fuzzing Team reported memory safety bugs present in 
Thunderbird 102.1 and Thunderbird 91.12. Some of these bugs showed 
evidence of memory corruption and we presume that with enough effort 
some of these could have been exploited to run arbitrary code.

References

     Memory safety bugs fixed in Thunderbird 102.2, and Thunderbird 91.13


_____________________________________________________________________

Mozilla Foundation Security Advisory 2022-37
Security Vulnerabilities fixed in Thunderbird 91.13

Announced       August 23, 2022
Impact          high
Products        Thunderbird
Fixed in        Thunderbird 91.13

In general, these flaws cannot be exploited through email in the 
Thunderbird product because scripting is disabled when reading mail, but 
are potential risks in browser or browser-like contexts.

#CVE-2022-38472: Address bar spoofing via XSLT error handling

Reporter         Armin Ebert
Impact           high

Description

An attacker could have abused XSLT error handling to associate 
attacker-controlled content with another origin which was displayed in 
the address bar. This could have been used to fool the user into 
submitting data intended for the spoofed origin.

References

     Bug 1769155

#CVE-2022-38473: Cross-origin XSLT Documents would have inherited the 
parent's permissions

Reporter         Armin Ebert
Impact           high

Description

A cross-origin iframe referencing an XSLT document would inherit the 
parent domain's permissions (such as microphone or camera access).

References

     Bug 1771685


#CVE-2022-38478: Memory safety bugs fixed in Thunderbird 102.2, and 
Thunderbird 91.13

Reporter         Mozilla developers and community
Impact           high

Description

Members of the Mozilla Fuzzing Team reported memory safety bugs present in 
Thunderbird 102.1 and Thunderbird 91.12. Some of these bugs showed 
evidence of memory corruption and we presume that with enough effort 
some of these could have been exploited to run arbitrary code.

References

     Memory safety bugs fixed in Thunderbird 102.2 and Thunderbird 91.13
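
Added example, not part of the CERT-Renater note or the Mozilla advisories: a
triage helper that maps a reported Thunderbird version to the advisory and CVE
list above, comparing version components as integers so that 91.9 is correctly
treated as older than 91.13. The inventory, the host names and the format of
the version output are assumptions made for the example.

```python
import re

# Fixed releases and CVE lists copied from the two advisories on this page.
FIXES = {
    102: ((102, 2), "MFSA 2022-36", ("CVE-2022-38472", "CVE-2022-38473",
          "CVE-2022-38476", "CVE-2022-38477", "CVE-2022-38478")),
    91: ((91, 13), "MFSA 2022-37", ("CVE-2022-38472", "CVE-2022-38473",
         "CVE-2022-38478")),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) as integers, or None if no version is found."""
    m = VERSION_RE.search(text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def triage(version_text):
    """Classify one reported version as (status, advisory, cves)."""
    v = parse_version(version_text)
    if v is None:
        return ("unknown", None, ())
    if v[0] in FIXES:
        fixed, advisory, cves = FIXES[v[0]]
        # Integer tuple comparison: 91.9 sorts before 91.13, unlike string comparison.
        if v[:2] < fixed:
            return ("update", advisory, cves)
        return ("fixed", advisory, ())
    if v[0] > 102:
        return ("fixed", None, ())
    # Assumption: branches other than 91 and 102 get no fixed release of their own here.
    return ("unsupported-branch", None, ())


# Constructed inventory: (host, version output); the output format is assumed.
INVENTORY = [
    ("ws-01", "Thunderbird 102.1.2"),
    ("ws-02", "Thunderbird 91.9.1"),
    ("ws-03", "Thunderbird 91.13.0"),
    ("ws-04", "Thunderbird 102.10.0"),
    ("ws-05", "Thunderbird 78.14.0"),
]


def report(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: triage(out)[0] for host, out in inventory}


if __name__ == "__main__":
    for host, out in INVENTORY:
        status, advisory, cves = triage(out)
        print(f"{host:6} {out:22} {status:18} {advisory or '-'} {' '.join(cves)}")
```
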



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


