Opened 3 years ago
Closed 3 years ago
#15729 closed enhancement (fixed)
thunderbird-91.4.1
Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
New minor version.
Change History (14)
comment:1 by , 3 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:2 by , 3 years ago
Priority: | normal → elevated |
---|
comment:4 by , 3 years ago
91.3.0
Fixes:
- Default mail headers were set incorrectly when the value contained a colon (:)
- Thunderbird did not send the QUIT command when closing an SMTP connection
- Mail tabs could not be closed using the context menu
- "Print" context menu was still shown when no message pane was displayed
- Windows tray icon did not reappear after restarting Windows Explorer
- Compose window attachment drag and drop fixes
- Various macOS stability improvements
- Drag and Drop area for file attachments on Windows was incorrect
- CardDAV address books without a name did not work
- Thunderbird tried to refresh disabled and manual-only calendars when the network state changed from offline to online
- Various Calendar event dialog fixes
- Various security fixes
comment:5 by , 3 years ago
91.3.1
Changes:
- OpenPGP public keys will no longer count as an attachment in the message list
- Adding a search engine via URL now supported
- FileLink messages' template updated; Thunderbird advertisement removed
- After an update, Thunderbird will now check installed addons for updates

Fixes:
- New mail popups were displayed while running full screen applications
- Messages received with non-standard "koi8r" encoding were not supported
- Various macOS stability improvements
- PDF attachments opened in Firefox while composing an email
- Addons were disabled when "Offline Settings" were set to "Ask me for online state (on startup)"
- Clicking "addons://" links in the Addons Manager prompted for an application to open it, rather than opening internally
- The Contacts sidebar "Address Book" drop down was unreadable on Windows
- vCard attachments were not shown when using "inline" view for attachments
- Importing an ICS file with TODO items failed
comment:6 by , 3 years ago
91.3.2
Changes:
- Date selection in Calendar print settings widget changed to use mini calendar widget
- OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529

Fixes:
- "Repair Text Encoding" menu item did not work
- Troubleshoot Mode menu item did not always indicate whether troubleshooting mode was enabled
- Message content could be unintentionally hidden due to CSS class names conflicting
- SMTP server port was reset to "0" after clicking the "Re-Test" button in the Account Setup wizard
- No "Paste" option was available in the config editor (about:config) context menu
- Saving a PDF attachment opened in a separate tab saved the email message instead
- Opening a PDF attachment from a message in a standalone or compose window did move the focus to opened attachment
- After restart, Thunderbird was not able to restore opened message tabs when the message was in a folder with non-ASCII characters in its name
- The "pill" indicator was incorrectly shown when sending a message to newsgroup
- When printing from Calendar, after leaving the "Calendar" settings, there was no way to go back
- Month pickers in the Calendar print UI lacked scrollbars when the content overflowed
- Account Manager and Addons Manager were unreadable when using the Dark theme
Note that CVE-2021-40529 was fixed in Botan, which is a bundled package in Thunderbird for OpenPGP stuff
comment:7 by , 3 years ago
91.4.0
Fixes:
- IMAP startup performance improved for accounts with a multitude of folders
- Thunderbird failed to send messages when configured to use an IPv6 SMTP server by IP address (instead of a hostname)
- Forwarding messages with attachments sometimes failed
- Printing multiple messages at once was not possible
- Non-utf8 news groups were not supported
- Thunderbird stalled after sending a message with NNTP and SMTP recipients
- Using Thunderbird with multiple language packs caused high RAM and CPU use and sluggish performance
- Clicking a "mailto:" started the composer with the default sending identity instead of a configured alternate
- Drag and dropped text into a plain text message in the compose window was handled inconsistently
- FileLink messages did not display correctly when viewed in Outlook
- In account setup, after selecting an extension provided protocol, it was not possible to create an IMAP/POP account
- Multiday selections were not cleared when changing week viewed
- When creating a new event by clicking and dragging the mouse to create a box, the view did not auto-scroll after reaching the bottom
- Calendar Invitation Panel did not scroll when multiple invitations were pending
- Calendar print dialog did not have a cancel button
- Various security fixes
comment:8 by , 3 years ago
91.4.1
Fixes:
- Attachments that should open in Thunderbird, such as ICS attachments, offered to save the file instead
- Saving attachments from IMAP accounts where usernames contained special characters failed
- Temporary files created for forwarded attachments sometimes had the wrong extension
- S/MIME signatures were shown as invalid by Outlook
- URL input boxes on content tabs erroneously displayed a search glass icon on macOS
- Message bars (such as content blocking) did not use high contrast theme colors
- Some messages with autocrypt headers loaded slowly, causing Thunderbird to hang
- Server hostnames were cut-off in the account manager
- Account Setup did not support non-ASCII characters in passwords
- Account Setup did not always retain set values
- Virtual folders did not retain folder selection when a folder name contained non-ASCII characters
- Messages saved as "html" or "eml" did not include message headers
- "Private web page" field was not included when exporting a contact to a vCard
- Addons were still active after restarting Thunderbird in troubleshooting mode with "disable all addons" checked
- FileLink attachments did not always display the FileLink provider's icon
- FileLink privacy notifications persisted in the compose window after removing all FileLink attachments
- "Loading" icon remained after a FileLink upload failed
- Lengthy event names for multiday events did not wrap
- Various theme and UX improvements
- Various security fixes
comment:9 by , 3 years ago
CVEs in Thunderbird-91.3
Mozilla Foundation Security Advisory 2021-50
Security Vulnerabilities fixed in Thunderbird 91.3

- Announced: November 3, 2021
- Impact: high
- Products: Thunderbird
- Fixed in: Thunderbird 91.3

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets
- Reporter: Armin Ebert
- Impact: high
- Description: The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
- References: Bug 1729517

CVE-2021-38504: Use-after-free in file picker dialog
- Reporter: Irvan Kurniawan
- Impact: high
- Description: When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.
- References: Bug 1730156

CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data
- Reporter: Sergey Galich
- Impact: high
- Description: Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Thunderbird before version 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account. This bug only affects Thunderbird for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.
- References: Bug 1730194

CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen mode without notification or warning
- Reporter: Irvan Kurniawan
- Impact: high
- Description: Through a series of web navigations, Thunderbird could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.
- References: Bug 1730750

CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports
- Reporter: Takeshi Terada
- Impact: high
- Description: The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
- References: Bug 1730935

CVE-2021-43535: Use-after-free in HTTP2 Session object
- Reporter: Julien Cristau
- Impact: high
- Description: A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.
- References: Bug 1667102

CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing
- Reporter: Raphael
- Impact: moderate
- Description: By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
- References: Bug 1366818

CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain
- Reporter: Ademar Nowasky Junior
- Impact: moderate
- Description: Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.
- References: Bug 1718571

CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS
- Reporter: Hou JingYi
- Impact: moderate
- Description: The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer. Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
- References: Bug 1731779

CVE-2021-43534: Memory safety bugs fixed in Thunderbird ESR 91.3
- Reporter: Mozilla developers
- Impact: high
- Description: Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Thunderbird 91.3
comment:10 by , 3 years ago
CVEs in Thunderbird-91.4
Mozilla Foundation Security Advisory 2021-54
Security Vulnerabilities fixed in Thunderbird 91.4.0

- Announced: December 7, 2021
- Impact: high
- Products: Thunderbird
- Fixed in: Thunderbird 91.4

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

CVE-2021-43536: URL leakage when navigating while executing asynchronous function
- Reporter: Sunwoo Kim and Youngmin Kim of SNU CompSec Lab
- Impact: high
- Description: Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.
- References: Bug 1730120

CVE-2021-43537: Heap buffer overflow when using structured clone
- Reporter: bo13oy of Cyber Kunlun Lab
- Impact: high
- Description: An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.
- References: Bug 1738237

CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both
- Reporter: Irvan Kurniawan (@sourc7)
- Impact: high
- Description: By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.
- References: Bug 1739091

CVE-2021-43539: GC rooting failure when calling wasm instance methods
- Reporter: Asumu Takikawa and Ioanna Dimitriou
- Impact: high
- Description: Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.
- References: Bug 1739683

CVE-2021-43541: External protocol handler parameters were unescaped
- Reporter: chriscla
- Impact: moderate
- Description: When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.
- References: Bug 1696685

CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler
- Reporter: Raphael Smolik
- Impact: moderate
- Description: Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.
- References: Bug 1723281

CVE-2021-43543: Bypass of CSP sandbox directive when embedding
- Reporter: Armin Ebert
- Impact: moderate
- Description: Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.
- References: Bug 1738418

CVE-2021-43545: Denial of Service when using the Location API in a loop
- Reporter: Paul Zühlcke
- Impact: low
- Description: Using the Location API in a loop could have caused severe application hangs and crashes.
- References: Bug 1720926

CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed
- Reporter: Daniel Veditz
- Impact: low
- Description: It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
- References: Bug 1737751

CVE-2021-43528: JavaScript unexpectedly enabled for the composition area
- Reporter: Pedro Batista
- Impact: low
- Description: Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities.
- References: Bug 1742579

CVE-2021-4129: Memory safety bugs fixed in Thunderbird 91.4.0
- Reporter: Mozilla developers and community
- Impact: high
- Description: Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Thunderbird 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
- References: Memory safety bugs fixed in Thunderbird 91.4.0
comment:11 by , 3 years ago
CVEs in Thunderbird-91.4.1
Mozilla Foundation Security Advisory 2021-55
Security Vulnerabilities fixed in Thunderbird 91.4.1

- Announced: December 21, 2021
- Impact: moderate
- Products: Thunderbird
- Fixed in: Thunderbird 91.4.1

CVE-2021-4126: OpenPGP signature status doesn't consider additional message content
- Reporter: Kai Engert
- Impact: moderate
- Description: When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status.
- References: Bug 1732310

CVE-2021-44538: Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow
- Reporter: brevilo
- Impact: moderate
- Description: Thunderbird users who use the Matrix chat protocol were vulnerable to a buffer overflow in libolm, that an attacker may trigger by a crafted sequence of messages. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits.
- References: Bug 1744056
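The CVE-2021-4126 description above, as an added example (not Thunderbird's code and not part of the ticket): a check that reports whether an OpenPGP/MIME signature belongs to the top-level MIME part and which parts sit outside the signed content. The function names, result keys and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: the signed part is the top-level MIME part.
SIGNED = """\
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain

Release is ready.
--sig
Content-Type: application/pgp-signature

(constructed placeholder, not a real signature)
--sig--
"""

# Constructed sample: a gateway wrapped the signed message and added a footer.
WRAPPED = (
    'Content-Type: multipart/mixed; boundary="outer"\n\n'
    "--outer\n" + SIGNED + "--outer\n"
    "Content-Type: text/plain\n\n"
    "Footer appended by list gateway.\n"
    "--outer--\n"
)


def is_pgp_signed(part: Message) -> bool:
    """True for an OpenPGP/MIME multipart/signed container (RFC 3156)."""
    if part.get_content_type() != "multipart/signed":
        return False
    proto = part.get_param("protocol")
    return isinstance(proto, str) and proto.lower() == "application/pgp-signature"


def signature_coverage(raw: str) -> dict:
    """Report where the signature sits and which leaf parts it does not cover."""
    root = message_from_string(raw)
    result = {"top_level_signed": is_pgp_signed(root),
              "nested_signed_parts": 0,
              "uncovered_parts": []}

    def walk(part: Message, covered: bool) -> None:
        if is_pgp_signed(part):
            if part is not root:
                result["nested_signed_parts"] += 1
            children = part.get_payload()
            # First child is the signed content; the second is the detached
            # signature itself and carries no message content.
            if isinstance(children, list) and children:
                walk(children[0], True)
        elif part.is_multipart():
            for child in part.get_payload():
                walk(child, covered)
        elif not covered:
            result["uncovered_parts"].append(part.get_content_type())

    walk(root, False)
    return result


if __name__ == "__main__":
    for name, raw in (("SIGNED", SIGNED), ("WRAPPED", WRAPPED)):
        print(name, signature_coverage(raw))
```

Following the 91.4.1 behaviour quoted above, a signed status would be shown only when `top_level_signed` is true; a non-empty `uncovered_parts` list is the content that the pre-91.4.1 display implied was signed.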
follow-up: 13 comment:12 by , 3 years ago
... and we have build bustage. It seems to affect Firefox as well, so I'll fix it there too.
The problem is due to Wayland-1.20 removing a symbol.
```
51:55.25 Compiling gkrust v0.1.0 (/sources/thunderbird-91.4.1/thunderbird-91.4.1/toolkit/library/rust)
55:59.16 Finished release [optimized] target(s) in 55m 30s
55:59.37 /sources/thunderbird-91.4.1/thunderbird-91.4.1/python/mozbuild/mozbuild/action/check_binary.py:13: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
55:59.37 from distutils.version import StrictVersion as Version
55:59.76 toolkit/library/build/libxul.so
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/gl/Unified_cpp_gfx_gl0.o:Unified_cpp_gfx_gl0.cpp:function mozilla::gl::DeleteWaylandGLSurface(void*) [clone .part.0]: error: undefined reference to 'wl_proxy_marshal_flags'
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/gl/Unified_cpp_gfx_gl0.o:Unified_cpp_gfx_gl0.cpp:function mozilla::gl::GLContextEGL::CreateWaylandBufferSurface(mozilla::gl::EglDisplay&, void*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&): error: undefined reference to 'wl_proxy_marshal_flags'
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/layers/Unified_cpp_gfx_layers1.o:Unified_cpp_gfx_layers1.cpp:function mozilla::layers::NativeLayerRootWayland::CommitToScreen(): error: undefined reference to 'wl_proxy_marshal_flags'
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/layers/Unified_cpp_gfx_layers1.o:Unified_cpp_gfx_layers1.cpp:function mozilla::layers::NativeLayerRootWayland::EnsureHideLayer(RefPtr<mozilla::layers::NativeLayerWayland> const&): error: undefined reference to 'wl_proxy_marshal_flags'
56:06.74 collect2: error: ld returned 1 exit status
56:06.74 make[4]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/rules.mk:545: libxul.so] Error 1
56:06.74 make[3]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/recurse.mk:72: toolkit/library/build/target] Error 2
56:06.74 make[2]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/recurse.mk:34: compile] Error 2
56:06.74 make[1]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/rules.mk:355: default] Error 2
56:06.74 make: *** [client.mk:65: build] Error 2
56:06.76 690 compiler warnings present.
```
Gentoo bug is here: https://bugs.gentoo.org/811840
comment:13 by , 3 years ago
Replying to Douglas R. Reno:

> ... and we have build bustage. It seems to affect Firefox as well, so I'll fix it there too.
> The problem is due to Wayland-1.20 removing a symbol.
> Gentoo bug is here: https://bugs.gentoo.org/811840

Affects also SDL2 (reported by Berzerkula on #lfs-support):
Bug: https://github.com/libsdl-org/SDL/issues/5088
Patch: https://github.com/libsdl-org/SDL/commit/e2ade2bfc46d915cd306c63c830b81d800b2575f
I will take care of that one. According to Berzerkula, if upstream does not make an exceptional release, next scheduled one is in February.
comment:14 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Looking at the release notes for these last night, it's obvious these two contain some pretty significant security fixes. I may promote them to High after more research (which will happen after Java).