
Mageia: 2022-0221 Moderate: Thunderbird Email Safety Risks and Fixes

Mageia, June 4, 2022
The recent update for Mageia's Thunderbird fixes a variety of vulnerabilities identified on June 4, 2022, boosting email security.

Summary

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown with an arbitrary sender email address chosen by the attacker. If the sender name started with a false email address, followed by many Braille space characters, the attacker's email address was not visible. Because Thunderbird compared the invisible sender address with the signature's email address, if the signing key or certificate was accepted by Thunderbird, the email was shown as having a valid digital signature (CVE-2022-1834).
A malicious website could have learned the size of a cross-origin resource that supported Range requests (CVE-2022-31736).
A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash (CVE...
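
For mail filtering or triage, the sender-name padding described for CVE-2022-1834 can be flagged from the raw `From:` header. The following is an added example, not code from the advisory or from Thunderbird; the helper name, the blank-run threshold, the extra blank characters and the sample addresses are assumptions.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import formataddr, parseaddr

BRAILLE_BLANK = "\u2800"  # BRAILLE PATTERN BLANK, the character named in CVE-2022-1834
# Further letters that render as empty space (assumption: not from the advisory).
OTHER_BLANKS = {"\u3164", "\u115f", "\u1160", "\uffa0"}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def is_blank(ch):
    """True for characters that display as empty space in a sender column."""
    if ch == BRAILLE_BLANK or ch in OTHER_BLANKS:
        return True
    return unicodedata.category(ch) in ("Zs", "Cf")


def check_from_header(raw_from, max_blank_run=3):
    """Return findings for one raw From: header value (hypothetical helper)."""
    # Split first, decode second: a decoded name may itself contain '@' or '<'.
    raw_name, addr = parseaddr(raw_from)
    name = str(make_header(decode_header(raw_name)))
    findings = []
    if BRAILLE_BLANK in name:
        findings.append("braille-blank-in-display-name")
    run = longest = 0
    for ch in name:
        run = run + 1 if is_blank(ch) else 0
        longest = max(longest, run)
    if longest > max_blank_run:
        findings.append("long-blank-run")
    # An address shown in the name that differs from the real one is the spoof.
    shown = ADDR_RE.search(name)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")
    return findings


# Constructed samples; all names and domains are made up for this example.
SPOOFED = formataddr(("ceo@corp.example" + BRAILLE_BLANK * 40, "signer@other.example"))
BENIGN = formataddr(("Alice Example", "alice@corp.example"))

if __name__ == "__main__":
    for header in (SPOOFED, BENIGN):
        print(header, "->", check_from_header(header))
```
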


References

- https://bugs.mageia.org/show_bug.cgi?id=30499

- https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/

- https://www.thunderbird.net/en-US/thunderbird/91.10.0/releasenotes/

- https://access.redhat.com/errata/RHSA-2022:4892

- https://www.cve.org/CVERecord?id=CVE-2022-1834

- https://www.cve.org/CVERecord?id=CVE-2022-31736

- https://www.cve.org/CVERecord?id=CVE-2022-31737

- https://www.cve.org/CVERecord?id=CVE-2022-31738

- https://www.cve.org/CVERecord?id=CVE-2022-31740

- https://www.cve.org/CVERecord?id=CVE-2022-31741

- https://www.cve.org/CVERecord?id=CVE-2022-31742

- https://www.cve.org/CVERecord?id=CVE-2022-31747

Resolution

SRPMS

- 8/core/thunderbird-91.10.0-1.mga8

- 8/core/thunderbird-l10n-91.10.0-1.mga8

Publication date: 04 Jun 2022
URL: https://advisories.mageia.org/MGASA-2022-0221.html
Type: security
CVE: CVE-2022-1834, CVE-2022-31736, CVE-2022-31737, CVE-2022-31738, CVE-2022-31740, CVE-2022-31741, CVE-2022-31742, CVE-2022-31747
