FS#62974 - [thunderbird] <= 60.7.1: CVE-2019-11707 and CVE-2019-11708, ship "javascript.enabled=false"?
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Saturday, 22 June 2019, 11:36 GMT
Last edited by freswa (frederik) - Sunday, 13 September 2020, 13:54 GMT
Details
Thunderbird releases before version 60.7.2 are vulnerable to
critical CVE-2019-11707 "Type confusion in Array.pop" and
high CVE-2019-11708 "sandbox escape using Prompt:Open"
according to a security advisory published by upstream:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/

Since almost all vulnerabilities in Thunderbird over the last years seem to affect its JavaScript implementation, and since I don't see any good reason why a mail client and RSS feed reader should have JS support enabled by default/out of the box, my suggestion would be to ship the Thunderbird package with the line

pref("javascript.enabled", false);

added to /usr/lib/thunderbird/defaults/preferences/vendor.js.

I've been using Thunderbird with such a configuration for years now both as a mail client and as an RSS feed reader, with a bunch of extensions, and I've never encountered even just a single issue caused by JS being disabled - not when reading mail, not when reading RSS feeds, and not even when using my extensions/addons. And even *if* there should exist some exotic corner case where JS support is actually needed, the users in question could easily enable JS for that specific user profile using Thunderbird's GUI for about:config.
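The proposal above boils down to one pref() statement in a packaged defaults file, which a profile's own user_pref() entries can later override. The following is an added example, not code from Arch or Mozilla: it parses files in Mozilla's pref-file syntax (pref(), user_pref(), lockPref() statements), merges packaged defaults with a profile's prefs.js in load order, and reports the effective value of javascript.enabled, so a packager or auditor can confirm both that the shipped default is off and that a user's about:config toggle still wins. The two file bodies are constructed samples; the path in the comment is the one named in the report, and the function names are the example's own.

```python
import re
from typing import Dict, List, Union

PrefValue = Union[bool, int, str]

# Statement forms Mozilla's pref parser accepts: pref() in packaged
# defaults, user_pref() in a profile's prefs.js/user.js, lockPref() in
# autoconfig files. A trailing "//" comment is tolerated; any other line
# (comments, blanks) is ignored.
PREF_RE = re.compile(
    r'^\s*(pref|user_pref|lockPref)\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*(?://.*)?$'
)


def parse_value(raw: str) -> PrefValue:
    """Convert the textual pref value to bool, int or (unquoted) str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unexpected as the raw token


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return name -> value for every pref statement in one file."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(2)] = parse_value(m.group(3))
    return prefs


def effective_prefs(default_files: List[str], user_file: str) -> Dict[str, PrefValue]:
    """Defaults apply in load order; the profile's user_pref() entries are
    applied last and therefore win, which is how a user re-enables a pref
    the package shipped as false."""
    effective: Dict[str, PrefValue] = {}
    for text in default_files:
        effective.update(parse_prefs(text))
    effective.update(parse_prefs(user_file))
    return effective


def javascript_enabled(effective: Dict[str, PrefValue]) -> bool:
    """Mozilla's built-in default for javascript.enabled is true, so a
    pref that is absent from every file counts as enabled."""
    return bool(effective.get("javascript.enabled", True))


def vendor_pref_line(name: str, value: PrefValue) -> str:
    """Serialise one pref() statement in the form a vendor.js expects."""
    if isinstance(value, bool):  # bool is checked before int on purpose
        rendered = "true" if value else "false"
    elif isinstance(value, int):
        rendered = str(value)
    else:
        rendered = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return f'pref("{name}", {rendered});'


# Constructed sample of a packaged defaults file with the proposed line
# added (the report names /usr/lib/thunderbird/defaults/preferences/vendor.js).
VENDOR_JS = """\
// vendor defaults (constructed sample)
pref("javascript.enabled", false);
pref("app.update.auto", false);
"""

# Constructed sample of a profile's prefs.js for a user who toggled the
# flag back on through about:config.
PROFILE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("javascript.enabled", true);
user_pref("mail.spam.version", 1);
"""

if __name__ == "__main__":
    shipped = effective_prefs([VENDOR_JS], "")
    print("packaged default, no user override:", javascript_enabled(shipped))  # False
    overridden = effective_prefs([VENDOR_JS], PROFILE_PREFS_JS)
    print("after the user's about:config toggle:", javascript_enabled(overridden))  # True
    print("line to ship:", vendor_pref_line("javascript.enabled", False))
```

To audit a real installation, read the contents of the files under the package's defaults/preferences directory and the profile's prefs.js into the two arguments of effective_prefs(); the lookup order mirrors how Thunderbird layers profile prefs over packaged defaults.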
Closed by freswa (frederik)
Sunday, 13 September 2020, 13:54 GMT
Reason for closing: Fixed
Additional comments about closing: 68.11
What is upstream's position on disabling javascript in remote content such as RSS by default?
[1] https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Releases/3
"javascript.enabled" is only for the RSS context, whilst the pref for allowing JS in the email context was "javascript.allow.mailnews" - however they completely removed support for JS in the email context (hence also for the "javascript.allow.mailnews" pref itself) starting with Thunderbird 3, so it cannot be enabled for emails even if the user wanted to.
https://git.archlinux.org/svntogit/packages.git/tree/trunk/IM7-GS-policy.patch?h=packages/imagemagick#n7
Also, note that this is not a compile-time option, but just a changed default setting which users can still change back to Mozilla's default if they so please.
Users who don't like Mozilla's default can change it right now as well.
You may want to have a look at Mozilla's security advisories for Thunderbird:
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird60.7.2
Of the 11 security advisories from Thunderbird 60.0 to 60.7.2, there has only been a single one (MFSA2019-17 for Thunderbird 60.7.1) which fixed security issues that were *not* caused by JavaScript being enabled "in browser or browser-like contexts". *All* of the other 10 security advisories started with the following note:
"In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts."
Almost the same ratio applies to the 10 security advisories for Thunderbird 52.x - only a single one of them (MFSA2017-30 for Thunderbird 52.5.2) didn't come with the above note, but rather with (among others) a "CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin":
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/#CVE-2017-7846
So at the end of the day, the change that I'm requesting would mitigate the security issues which have been the reason for over 90% of Thunderbird updates over the last two major releases, at the cost of potentially requiring a very small number of users to toggle a single about:config flag once for some very exotic use cases. In fact, of the 41 RSS feeds I'm currently subscribed to, there's only a single one that uses JS at all - and that one isn't even a public/free feed, but just the paid RSS feed of golem.de. And even there, JS is only needed if you actually want to play videos and scroll through picture galleries, whilst the rest of the feed works perfectly fine even without JS.
So the people for whom this mitigation matters the most are the ones who will most likely disable it. I think this isn't worth the effort from Arch.
AVG-1214 CVE-2020-15659 CVE-2020-15652 CVE-2020-6514 CVE-2020-6463 were fixed in 68.11.
AVG-1214 CVE-2020-15658 CVE-2020-15656 CVE-2020-15655 CVE-2020-15654 CVE-2020-15653 were 78-series only, which Arch did not package.
CVE-2020-15664 CVE-2020-15669 were fixed in 68.12.
There is the outstanding suggestion to change the shipped default of javascript.enabled.