Opened 2 years ago
Closed 2 years ago
#16564 closed enhancement (fixed)
thunderbird-91.9.1
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 11.2 |
| Component: | BOOK | Version: | git |
| Severity: | major | Keywords: | |
| Cc: |
Description
New point version.
Change History (7)
comment:1 by , 2 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 2 years ago
| Priority: | normal → high |
|---|---|
| Severity: | normal → critical |
comment:3 by , 2 years ago
| Severity: | critical → major |
|---|
The same two critical javascript vulnerabilities fixed in firefox-91.8.1 and firefox-100.0.2.
https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/
Two critical javascript vulnerabilities also fixed in 100.0.2 and thunderbird 91.9.1.
Mozilla Foundation Security Advisory 2022-19 Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1
Announced
May 20, 2022
Impact
critical
Products
Firefox, Firefox ESR, Firefox for Android, Thunderbird
Fixed in
Firefox 100.0.2 Firefox ESR 91.9.1 Firefox for Android 100.3 Thunderbird 91.9.1
#CVE-2022-1802: Prototype pollution in Top-Level Await implementation
Reporter
Manfred Paul via Trend Micro's Zero Day Initiative
Impact
critical
Description
If an attacker was able to corrupt the methods of an Array object in JavaScript via prototype pollution, they could have achieved execution of attacker-controlled JavaScript code in a privileged context. References
Bug 1770137
#CVE-2022-1529: Untrusted input used in JavaScript object indexing, leading to prototype pollution
Reporter
Manfred Paul via Trend Micro's Zero Day Initiative
Impact
critical
Description
An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. References
Bug 1770048
comment:4 by , 2 years ago
I found a suggestion that although javascript is disabled for emails it is enabled for rss feeds, unless disabled by the user (from the hamburger menu, search for Config) - this appears to still be true.
follow-up: 6 comment:5 by , 2 years ago
Taking a look at one of the commits, it seems that this is related to the notification code in DOM. I wonder if that means one could trigger one of these CVEs just by receiving an email, with Thunderbird processing it to generate the notification.
That's kind of a stretch though.
comment:6 by , 2 years ago
Replying to Douglas R. Reno:
Taking a look at one of the commits, it seems that this is related to the notification code in DOM. I wonder if that means one could trigger one of these CVEs just by receiving an email, with Thunderbird processing it to generate the notification.
That's kind of a stretch though.
All the information I can find says that JS is disabled on emails, but allowed on rss. The config entry merely shows that it defaults to enabled, without specifying any context.
comment:7 by , 2 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed in f9579a89d3459d81bdf9357cfb96b02bdc8134f4 11.1-548
SA 11.1-044
Due to the security-related nature of both of these updates, promoting to High. See Firefox ticket for more details.
These vulnerabilities were both demonstrated at the Pwn2Own conference on Wednesday. https://www.zerodayinitiative.com/blog/2022/5/18/pwn2own-vancouver-2022-the-results