Opened 2 years ago

Closed 2 years ago

#16216 closed enhancement (fixed)

thunderbird-91.7.0

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New minor version.

Change History (4)

comment:1 by Bruce Dubbs, 2 years ago

Seems to build OK with the current instructions.

960.6 Elapsed Time -  thunderbird-91.7.0.source
 
md5sum : d84de42ee659577f36ad1b2e5323b17e  /usr/src/thunderbird/thunderbird-91.7.0.source.tar.xz
399856 /usr/src/thunderbird/thunderbird-91.7.0.source.tar.xz SIZE (390.484 MB)
6906620 kilobytes BUILD SIZE (6744.746 MB)
SBU=10.111

The short SBU time is probably because I did not disable any CPUs, so it ran using all 24.

comment:2 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 2 years ago

Priority: normal → elevated

Changes

changed: Thunderbird will use the first occurrence of headers that should only appear once

Fixes

fixed: Auto-complete incorrectly changed a pasted email address to the primary address of a contact

fixed: Attachments with filename extensions that were not registered in MIME types could not be opened

fixed: Copy/Cut/Paste actions not working in Thunderbird Preferences

fixed: Improved screen reader support of displayed message headers

fixed: Various security fixes


Mozilla Foundation Security Advisory 2022-12

Security Vulnerabilities fixed in Thunderbird 91.7

Announced

March 8, 2022

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 91.7

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2022-26383: Browser window spoof using fullscreen mode

Reporter

Irvan Kurniawan

Impact

high

Description

When resizing a popup after requesting fullscreen access, the popup would not display the fullscreen notification.

References

Bug 1742421

#CVE-2022-26384: iframe allow-scripts sandbox bypass

Reporter

Ed McManus

Impact

high

Description

If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox.

References

Bug 1744352

#CVE-2022-26387: Time-of-check time-of-use bug when verifying add-on signatures

Reporter

Armin Ebert

Impact

high

Description

When installing an add-on, Thunderbird verified the signature before prompting the user; but while the user was confirming the prompt, the underlying add-on file could have been modified and Thunderbird would not have noticed.

References

Bug 1752979

#CVE-2022-26381: Use-after-free in text reflows

Reporter

Mozilla Fuzzing Team and Hossein Lotfi of Trend Micro Zero Day Initiative

Impact

high

Description

An attacker could have caused a use-after-free by forcing a text reflow in an SVG object leading to a potentially exploitable crash.

References

Bug 1736243

#CVE-2022-26386: Temporary files downloaded to /tmp and accessible by other local users

Reporter

attila

Impact

low

Description

Previously Thunderbird for macOS and Linux would download temporary files to a user-specific directory in /tmp, but this behavior was changed to download them to /tmp where they could be affected by other local users. This behavior was reverted to the original, user-specific directory. This bug only affects Thunderbird for macOS and Linux. Other operating systems are unaffected.

References

Bug 1752396
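The verify-then-prompt-then-use pattern described under CVE-2022-26387 above, as an added example that is not part of the ticket and is not Mozilla's code or its fix. It assumes a pinned SHA-256 digest as a stand-in for signature verification; the function names, file name and payloads are constructed for illustration.

```python
import hashlib
import os
import tempfile

def verify(data: bytes, trusted_sha256: str) -> bool:
    """Stand-in for signature verification: compare against a pinned digest."""
    return hashlib.sha256(data).hexdigest() == trusted_sha256

def install_racy(path, trusted_sha256, prompt):
    """Check the file, prompt, then re-read the path: the bytes can change in between."""
    with open(path, "rb") as f:          # time of check
        if not verify(f.read(), trusted_sha256):
            raise ValueError("signature check failed")
    if not prompt():
        return None
    with open(path, "rb") as f:          # time of use: second read of a mutable path
        return f.read()

def install_pinned(path, trusted_sha256, prompt):
    """Read once, verify those bytes, and install exactly the verified bytes."""
    with open(path, "rb") as f:
        data = f.read()
    if not verify(data, trusted_sha256):
        raise ValueError("signature check failed")
    if not prompt():
        return None
    return data                          # the same bytes that were verified

def demo():
    # Constructed sample payloads and file name, not real add-on data.
    good, tampered = b"constructed add-on v1", b"constructed modified payload"
    digest = hashlib.sha256(good).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "addon.xpi")
        def prompt_with_concurrent_write():
            # Models the file changing on disk while the user reads the prompt.
            with open(path, "wb") as f:
                f.write(tampered)
            return True
        for name, fn in (("racy", install_racy), ("pinned", install_pinned)):
            with open(path, "wb") as f:
                f.write(good)
            results[name] = fn(path, digest, prompt_with_concurrent_write)
    return good, tampered, results

if __name__ == "__main__":
    good, tampered, results = demo()
    print("racy installs verified bytes:  ", results["racy"] == good)
    print("pinned installs verified bytes:", results["pinned"] == good)
```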

comment:4 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assigned → closed

Fixed at 4432ef8e8810076044dd87b0f955a25b15932016

Security Advisory SA-11.1-016 filed and inputted into advisories app.
