Opened 3 months ago

Closed 5 weeks ago

#15729 closed enhancement (fixed)

thunderbird-91.4.1

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (14)

comment:1 by Douglas R. Reno, 2 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 6 weeks ago

Priority: normal → elevated

Looking at the release notes for these last night, it's obvious these two contain some pretty significant security fixes. I may promote them to High after more research (which will happen after Java).

comment:3 by Douglas R. Reno, 5 weeks ago

Summary: thunderbird-91.3.0 → thunderbird-91.4.1

Now 91.4.1

comment:4 by Douglas R. Reno, 5 weeks ago

91.3.0

Fixes

fixed
Default mail headers were set incorrectly when the value contained a colon (:)

fixed
Thunderbird did not send the QUIT command when closing an SMTP connection

fixed
Mail tabs could not be closed using the context menu

fixed
"Print" context menu was still shown when no message pane was displayed

fixed
Windows tray icon did not reappear after restarting Windows Explorer

fixed
Compose window attachment drag and drop fixes

fixed
Various macOS stability improvements

fixed
Drag and Drop area for file attachments on Windows was incorrect

fixed
CardDAV address books without a name did not work

fixed
Thunderbird tried to refresh disabled and manual-only calendars when the network state changed from offline to online

fixed
Various Calendar event dialog fixes

fixed
Various security fixes

comment:5 by Douglas R. Reno, 5 weeks ago

91.3.1

Changes

changed
OpenPGP public keys will no longer count as an attachment in the message list

changed
Adding a search engine via URL now supported

changed
FileLink messages' template updated; Thunderbird advertisement removed

changed
After an update, Thunderbird will now check installed addons for updates

Fixes

fixed
New mail popups were displayed while running full screen applications

fixed
Messages received with non-standard "koi8r" encoding were not supported

fixed
Various macOS stability improvements

fixed
PDF attachments opened in Firefox while composing an email

fixed
Addons were disabled when "Offline Settings" were set to "Ask me for online state (on startup)"

fixed
Clicking "addons://" links in the Addons Manager prompted for an application to open it, rather than opening internally

fixed
The Contacts sidebar "Address Book" drop down was unreadable on Windows

fixed
vCard attachments were not shown when using "inline" view for attachments

fixed
Importing an ICS file with TODO items failed

comment:6 by Douglas R. Reno, 5 weeks ago

91.3.2

Changes

changed
Date selection in Calendar print settings widget changed to use mini calendar widget

changed
OpenPGP: Botan updated to 2.18.2; addresses CVE-2021-40529

Fixes

fixed
"Repair Text Encoding" menu item did not work

fixed
Troubleshoot Mode menu item did not always indicate whether troubleshooting mode was enabled

fixed
Message content could be unintentionally hidden due to CSS class names conflicting

fixed
SMTP server port was reset to "0" after clicking the "Re-Test" button in the Account Setup wizard

fixed
No "Paste" option was available in the config editor (about:config) context menu

fixed
Saving a PDF attachment opened in a separate tab saved the email message instead

fixed
Opening a PDF attachment from a message in a standalone or compose window did move the focus to opened attachment

fixed
After restart, Thunderbird was not able to restore opened message tabs when the message was in a folder with non-ASCII characters in its name

fixed
The "pill" indicator was incorrectly shown when sending a message to newsgroup

fixed
When printing from Calendar, after leaving the "Calendar" settings, there was no way to go back

fixed
Month pickers in the Calendar print UI lacked scrollbars when the content overflowed

fixed
Account Manager and Addons Manager were unreadable when using the Dark theme

Note that CVE-2021-40529 was fixed in Botan, which is a bundled package in Thunderbird for OpenPGP stuff

comment:7 by Douglas R. Reno, 5 weeks ago

91.4.0

Fixes

fixed
IMAP startup performance improved for accounts with a multitude of folders

fixed
Thunderbird failed to send messages when configured to use an IPv6 SMTP server by IP address (instead of a hostname)

fixed
Forwarding messages with attachments sometimes failed

fixed
Printing multiple messages at once was not possible

fixed
Non-utf8 news groups were not supported

fixed
Thunderbird stalled after sending a message with NNTP and SMTP recipients

fixed
Using Thunderbird with multiple language packs caused high RAM and CPU use and sluggish performance

fixed
Clicking a "mailto:" started the composer with the default sending identity instead of a configured alternate

fixed
Drag and dropped text into a plain text message in the compose window was handled inconsistently

fixed
FileLink messages did not display correctly when viewed in Outlook

fixed
In account setup, after selecting an extension provided protocol, it was not possible to create an IMAP/POP account

fixed
Multiday selections were not cleared when changing week viewed

fixed
When creating a new event by clicking and dragging the mouse to create a box, the view did not auto-scroll after reaching the bottom

fixed
Calendar Invitation Panel did not scroll when multiple invitations were pending

fixed
Calendar print dialog did not have a cancel button

fixed
Various security fixes

comment:8 by Douglas R. Reno, 5 weeks ago

91.4.1

Fixes

fixed
Attachments that should open in Thunderbird, such as ICS attachments, offered to save the file instead

fixed
Saving attachments from IMAP accounts where usernames contained special characters failed

fixed
Temporary files created for forwarded attachments sometimes had the wrong extension

fixed
S/MIME signatures were shown as invalid by Outlook

fixed
URL input boxes on content tabs erroneously displayed a search glass icon on macOS

fixed
Message bars (such as content blocking) did not use high contrast theme colors

fixed
Some messages with autocrypt headers loaded slowly, causing Thunderbird to hang

fixed
Server hostnames were cut-off in the account manager

fixed
Account Setup did not support non-ASCII characters in passwords

fixed
Account Setup did not always retain set values

fixed
Virtual folders did not retain folder selection when a folder name contained non-ASCII characters

fixed
Messages saved as "html" or "eml" did not include message headers

fixed
"Private web page" field was not included when exporting a contact to a vCard

fixed
Addons were still active after restarting Thunderbird in troubleshooting mode with "disable all addons" checked

fixed
FileLink attachments did not always display the FileLink provider's icon

fixed
FileLink privacy notifications persisted in the compose window after removing all FileLink attachments

fixed
"Loading" icon remained after a FileLink upload failed

fixed
Lengthy event names for multiday events did not wrap

fixed
Various theme and UX improvements

fixed
Various security fixes

comment:9 by Douglas R. Reno, 5 weeks ago

CVEs in Thunderbird-91.3

Mozilla Foundation Security Advisory 2021-50
Security Vulnerabilities fixed in Thunderbird 91.3

Announced
    November 3, 2021
Impact
    high
Products
    Thunderbird
Fixed in
    Thunderbird 91.3

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2021-38503: iframe sandbox rules did not apply to XSLT stylesheets

Reporter
    Armin Ebert
Impact
    high

Description

The iframe sandbox rules were not correctly applied to XSLT stylesheets, allowing an iframe to bypass restrictions such as executing scripts or navigating the top-level frame.
References

    Bug 1729517

#CVE-2021-38504: Use-after-free in file picker dialog

Reporter
    Irvan Kurniawan
Impact
    high

Description

When interacting with an HTML input element's file picker dialog with webkitdirectory set, a use-after-free could have resulted, leading to memory corruption and a potentially exploitable crash.
References

    Bug 1730156

#CVE-2021-38505: Windows 10 Cloud Clipboard may have recorded sensitive user data

Reporter
    Sergey Galich
Impact
    high

Description

Microsoft introduced a new feature in Windows 10 known as Cloud Clipboard which, if enabled, will record data copied to the clipboard to the cloud, and make it available on other computers in certain scenarios. Applications that wish to prevent copied data from being recorded in Cloud History must use specific clipboard formats; and Thunderbird before version 91.3 did not implement them. This could have caused sensitive data to be recorded to a user's Microsoft account.
This bug only affects Thunderbird for Windows 10+ with Cloud Clipboard enabled. Other operating systems are unaffected.
References

    Bug 1730194

#CVE-2021-38506: Thunderbird could be coaxed into going into fullscreen mode without notification or warning

Reporter
    Irvan Kurniawan
Impact
    high

Description

Through a series of web navigations, Thunderbird could have entered fullscreen mode without notification or warning to the user. This could lead to spoofing attacks on the browser UI including phishing.
References

    Bug 1730750

#CVE-2021-38507: Opportunistic Encryption in HTTP2 could be used to bypass the Same-Origin-Policy on services hosted on other ports

Reporter
    Takeshi Terada
Impact
    high

Description

The Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection to be transparently upgraded to TLS while retaining the visual properties of an HTTP connection, including being same-origin with unencrypted connections on port 80. However, if a second encrypted port on the same IP address (e.g. port 8443) did not opt-in to opportunistic encryption; a network attacker could forward a connection from the browser to port 443 to port 8443, causing the browser to treat the content of port 8443 as same-origin with HTTP. This was resolved by disabling the Opportunistic Encryption feature, which had low usage.
References

    Bug 1730935

#CVE-2021-43535: Use-after-free in HTTP2 Session object

Reporter
    Julien Cristau
Impact
    high

Description

A use-after-free could have occurred when an HTTP2 session object was released on a different thread, leading to memory corruption and a potentially exploitable crash.
References

    Bug 1667102

#CVE-2021-38508: Permission Prompt could be overlaid, resulting in user confusion and potential spoofing

Reporter
    Raphael
Impact
    moderate

Description

By displaying a form validity message in the correct location at the same time as a permission prompt (such as for geolocation), the validity message could have obscured the prompt, resulting in the user potentially being tricked into granting the permission.
References

    Bug 1366818

#CVE-2021-38509: Javascript alert box could have been spoofed onto an arbitrary domain

Reporter
    Ademar Nowasky Junior
Impact
    moderate

Description

Due to an unusual sequence of attacker-controlled events, a Javascript alert() dialog with arbitrary (although unstyled) contents could be displayed over top an uncontrolled webpage of the attacker's choosing.
References

    Bug 1718571

#CVE-2021-38510: Download Protections were bypassed by .inetloc files on Mac OS

Reporter
    Hou JingYi
Impact
    moderate

Description

The executable file warning was not presented when downloading .inetloc files, which, due to a flaw in Mac OS, can run commands on a user's computer.
Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
References

    Bug 1731779

#CVE-2021-43534: Memory safety bugs fixed in Thunderbird ESR 91.3

Reporter
    Mozilla developers
Impact
    high

Description

Mozilla developers and community members Christian Holler, Valentin Gosu, and Andrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 91.3

comment:10 by Douglas R. Reno, 5 weeks ago

CVEs in Thunderbird-91.4

Mozilla Foundation Security Advisory 2021-54
Security Vulnerabilities fixed in Thunderbird 91.4.0

Announced
    December 7, 2021
Impact
    high
Products
    Thunderbird
Fixed in
    Thunderbird 91.4

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2021-43536: URL leakage when navigating while executing asynchronous function

Reporter
    Sunwoo Kim and Youngmin Kim of SNU CompSec Lab
Impact
    high

Description

Under certain circumstances, asynchronous functions could have caused a navigation to fail but expose the target URL.
References

    Bug 1730120

#CVE-2021-43537: Heap buffer overflow when using structured clone

Reporter
    bo13oy of Cyber Kunlun Lab
Impact
    high

Description

An incorrect type conversion of sizes from 64bit to 32bit integers allowed an attacker to corrupt memory leading to a potentially exploitable crash.
References

    Bug 1738237

#CVE-2021-43538: Missing fullscreen and pointer lock notification when requesting both

Reporter
    Irvan Kurniawan (@sourc7)
Impact
    high

Description

By misusing a race in our notification code, an attacker could have forcefully hidden the notification for pages that had received full screen and pointer lock access, which could have been used for spoofing attacks.
References

    Bug 1739091

#CVE-2021-43539: GC rooting failure when calling wasm instance methods

Reporter
    Asumu Takikawa and Ioanna Dimitriou
Impact
    high

Description

Failure to correctly record the location of live pointers across wasm instance calls resulted in a GC occurring within the call not tracing those live pointers. This could have led to a use-after-free causing a potentially exploitable crash.
References

    Bug 1739683

#CVE-2021-43541: External protocol handler parameters were unescaped

Reporter
    chriscla
Impact
    moderate

Description

When invoking protocol handlers for external protocols, a supplied parameter URL containing spaces was not properly escaped.
References

    Bug 1696685

#CVE-2021-43542: XMLHttpRequest error codes could have leaked the existence of an external protocol handler

Reporter
    Raphael Smolik
Impact
    moderate

Description

Using XMLHttpRequest, an attacker could have identified installed applications by probing error messages for loading external protocols.
References

    Bug 1723281

#CVE-2021-43543: Bypass of CSP sandbox directive when embedding

Reporter
    Armin Ebert
Impact
    moderate

Description

Documents loaded with the CSP sandbox directive could have escaped the sandbox's script restriction by embedding additional content.
References

    Bug 1738418

#CVE-2021-43545: Denial of Service when using the Location API in a loop

Reporter
    Paul Zühlcke
Impact
    low

Description

Using the Location API in a loop could have caused severe application hangs and crashes.
References

    Bug 1720926

#CVE-2021-43546: Cursor spoofing could overlay user interface when native cursor is zoomed

Reporter
    Daniel Veditz
Impact
    low

Description

It was possible to recreate previous cursor spoofing attacks against users with a zoomed native cursor.
References

    Bug 1737751

#CVE-2021-43528: JavaScript unexpectedly enabled for the composition area

Reporter
    Pedro Batista
Impact
    low

Description

Thunderbird unexpectedly enabled JavaScript in the composition area. The JavaScript execution context was limited to this area and did not receive chrome-level privileges, but could be used as a stepping stone to further an attack with other vulnerabilities.
References

    Bug 1742579

#CVE-2021-4129: Memory safety bugs fixed in Thunderbird 91.4.0

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers and community members Julian Hector, Randell Jesup, Gabriele Svelto, Tyson Smith, Christian Holler, and Masayuki Nakano reported memory safety bugs present in Thunderbird 91.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 91.4.0

comment:11 by Douglas R. Reno, 5 weeks ago

CVEs in Thunderbird-91.4.1

Mozilla Foundation Security Advisory 2021-55
Security Vulnerabilities fixed in Thunderbird 91.4.1

Announced
    December 21, 2021
Impact
    moderate
Products
    Thunderbird
Fixed in
    Thunderbird 91.4.1

#CVE-2021-4126: OpenPGP signature status doesn't consider additional message content

Reporter
    Kai Engert
Impact
    moderate

Description

When receiving an OpenPGP/MIME signed email message that contains an additional outer MIME message layer, for example a message footer added by a mailing list gateway, Thunderbird only considered the inner signed message for the signature validity. This gave the false impression that the additional contents were also covered by the digital signature. Starting with Thunderbird version 91.4.1, only the signature that belongs to the top level MIME part will be considered for the displayed status.
References

    Bug 1732310

#CVE-2021-44538: Matrix chat library libolm bundled with Thunderbird vulnerable to a buffer overflow

Reporter
    brevilo
Impact
    moderate

Description

Thunderbird users who use the Matrix chat protocol were vulnerable to a buffer overflow in libolm, that an attacker may trigger by a crafted sequence of messages. The overflow content is partially controllable by the attacker and limited to ASCII spaces and digits.
References

    Bug 1744056
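
The top-level rule described for CVE-2021-4126 above, as an added example (not code from Thunderbird or from this ticket): it walks a message's MIME tree and reports which text parts sit inside the OpenPGP/MIME signed entity and which were added outside it. The function names, status labels and sample messages are constructed for illustration, and no cryptographic verification is performed.

```python
from email import message_from_string
from email.message import Message

# Constructed sample: an OpenPGP/MIME signed entity with a placeholder signature.
SIGNED_ENTITY = """\
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

Meeting moved to 10:00.

--sig
Content-Type: application/pgp-signature

(placeholder, not a real signature)

--sig--
"""
HEADERS = "From: alice@example.org\nMIME-Version: 1.0\n"
# Signed entity is the top-level MIME part.
DIRECT = HEADERS + SIGNED_ENTITY
# Same entity wrapped in an outer layer, as a list gateway adding a footer would do.
WRAPPED = (HEADERS + 'Content-Type: multipart/mixed; boundary="outer"\n\n--outer\n'
           + SIGNED_ENTITY
           + "\n--outer\nContent-Type: text/plain; charset=utf-8\n\n"
             "Footer added by the list gateway.\n--outer--\n")


def is_pgp_signed(part: Message) -> bool:
    """True for a multipart/signed part that declares an OpenPGP signature."""
    return (part.get_content_type() == "multipart/signed"
            and (part.get_param("protocol") or "").lower() == "application/pgp-signature")


def signature_coverage(raw: str) -> dict:
    """Split leaf text parts into those inside and outside a signed entity."""
    root = message_from_string(raw)
    covered, uncovered = [], []

    def walk(part: Message, inside_signed: bool) -> None:
        if part.is_multipart():
            children = part.get_payload()
            if is_pgp_signed(part) and len(children) == 2:
                # First child is the signed content, second the detached signature.
                walk(children[0], True)
                return
            for child in children:
                walk(child, inside_signed)
            return
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace").strip()
        (covered if inside_signed else uncovered).append(text)

    walk(root, False)
    # Only a signature on the top-level MIME part may drive the displayed status.
    if is_pgp_signed(root):
        status = "signed-top-level"
    elif covered:
        status = "signature-ignored-not-top-level"
    else:
        status = "unsigned"
    return {"status": status, "covered": covered, "uncovered": uncovered}


if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("wrapped", WRAPPED)):
        print(name, signature_coverage(raw))
```
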

comment:12 by Douglas R. Reno, 5 weeks ago

... and we have build bustage. It seems to affect Firefox as well, so I'll fix it there too.

The problem is due to Wayland-1.20 removing a symbol.

51:55.25    Compiling gkrust v0.1.0 (/sources/thunderbird-91.4.1/thunderbird-91.4.1/toolkit/library/rust)
55:59.16     Finished release [optimized] target(s) in 55m 30s
55:59.37 /sources/thunderbird-91.4.1/thunderbird-91.4.1/python/mozbuild/mozbuild/action/check_binary.py:13: DeprecationWarning: The distutils package is deprecated and slated for removal in Python 3.12. Use setuptools or check PEP 632 for potential alternatives
55:59.37   from distutils.version import StrictVersion as Version
55:59.76 toolkit/library/build/libxul.so
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/gl/Unified_cpp_gfx_gl0.o:Unified_cpp_gfx_gl0.cpp:function mozilla::gl::DeleteWaylandGLSurface(void*) [clone .part.0]: error: undefined reference to 'wl_proxy_marshal_flags'
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/gl/Unified_cpp_gfx_gl0.o:Unified_cpp_gfx_gl0.cpp:function mozilla::gl::GLContextEGL::CreateWaylandBufferSurface(mozilla::gl::EglDisplay&, void*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&): error: undefined reference to 'wl_proxy_marshal_flags'
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/layers/Unified_cpp_gfx_layers1.o:Unified_cpp_gfx_layers1.cpp:function mozilla::layers::NativeLayerRootWayland::CommitToScreen(): error: undefined reference to 'wl_proxy_marshal_flags'
56:06.09 /sources/thunderbird-91.4.1/thunderbird-91.4.1/obj-x86_64-pc-linux-gnu/toolkit/library/build/../../../gfx/layers/Unified_cpp_gfx_layers1.o:Unified_cpp_gfx_layers1.cpp:function mozilla::layers::NativeLayerRootWayland::EnsureHideLayer(RefPtr<mozilla::layers::NativeLayerWayland> const&): error: undefined reference to 'wl_proxy_marshal_flags'
56:06.74 collect2: error: ld returned 1 exit status
56:06.74 make[4]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/rules.mk:545: libxul.so] Error 1
56:06.74 make[3]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/recurse.mk:72: toolkit/library/build/target] Error 2
56:06.74 make[2]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/recurse.mk:34: compile] Error 2
56:06.74 make[1]: *** [/sources/thunderbird-91.4.1/thunderbird-91.4.1/config/rules.mk:355: default] Error 2
56:06.74 make: *** [client.mk:65: build] Error 2
56:06.76 690 compiler warnings present.

Patch is here: https://git.alpinelinux.org/aports/tree/community/firefox-esr/mozwayland-add-missing-stub.patch?id=a408069e75632ce625aea68c70c23ee9e30995a5

Gentoo bug is here: https://bugs.gentoo.org/811840

in reply to:  12 comment:13 by pierre, 5 weeks ago

Replying to Douglas R. Reno:

> ... and we have build bustage. It seems to affect Firefox as well, so I'll fix it there too.
>
> The problem is due to Wayland-1.20 removing a symbol.
>
> Patch is here: https://git.alpinelinux.org/aports/tree/community/firefox-esr/mozwayland-add-missing-stub.patch?id=a408069e75632ce625aea68c70c23ee9e30995a5
>
> Gentoo bug is here: https://bugs.gentoo.org/811840

Also affects SDL2 (reported by Berzerkula on #lfs-support):

Bug: https://github.com/libsdl-org/SDL/issues/5088

Patch: https://github.com/libsdl-org/SDL/commit/e2ade2bfc46d915cd306c63c830b81d800b2575f

I will take care of that one. According to Berzerkula, if upstream does not make an exceptional release, the next scheduled one is in February.

comment:14 by Douglas R. Reno, 5 weeks ago

Resolution: fixed
Status: assigned → closed