FS#75848 - [thunderbird] 102.2.0-1: CVE-2022-3033, CVE-2022-3032, CVE-2022-3034, CVE-2022-36059

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 08 September 2022, 07:53 GMT
Last edited by Toolybird (Toolybird) - Sunday, 18 September 2022, 00:45 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No


Thunderbird 102.2.1 fixes 4 CVEs:

CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
CVE-2022-3034: An iframe element in an HTML email could trigger a network request
CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

CVE-2022-3033 is rated "high" and allows (among other things) injecting JavaScript code into the context of the message compose document.

The other 4 CVEs are rated "moderate", though CVE-2022-3032, CVE-2022-3033 and CVE-2022-3034 allow triggering unwanted HTTP requests from HTML emails even if JavaScript is disabled in Thunderbird.

Thunderbird 102.2.2 seems to be a plain bugfix release without any security-relevant changes.

Sadly both Thunderbird 102.2.1 and 102.2.2 require some patching and replacing/updating two Python packages that ship with the Thunderbird source tarball released by Mozilla. I've attached a patch and a modified PKGBUILD that fixes the build issues for me.

Closed by Toolybird (Toolybird)
Sunday, 18 September 2022, 00:45 GMT
Reason for closing: Fixed
Additional comments about closing: thunderbird 102.2.2-1
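
A defender-side check for the three HTML-related issues listed in the report, as an added example that is not part of the original report or of Thunderbird's or Arch's code: a Python scanner a mail gateway could run to flag HTML parts that carry META refresh tags or iframes (`src` or `srcdoc`). The class, function and finding names and the sample message are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
REMOTE = ("http://", "https://", "//")  # schemes treated as remote loads

class RemoteLoadFinder(HTMLParser):
    """Collects META refresh tags and iframes, recursing into srcdoc markup."""
    def __init__(self, depth=0):
        super().__init__(convert_charrefs=True)
        self.depth, self.findings = depth, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        remote = a.get("src", "").strip().lower().startswith(REMOTE)
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag == "iframe":
            if remote:
                self.findings.append(("iframe-src", a["src"]))
            if "srcdoc" in a and self.depth < 3:  # bound the recursion
                self.findings.append(("iframe-srcdoc", ""))
                inner = RemoteLoadFinder(self.depth + 1)
                inner.feed(a["srcdoc"])  # HTMLParser already unescaped the value
                self.findings += inner.findings
        elif self.depth and remote:  # remote content nested inside srcdoc
            self.findings.append((f"srcdoc-{tag}-src", a["src"]))

def scan_message(raw):
    """Return (kind, value) findings for each text/html part of a message."""
    findings = []
    for part in message_from_string(raw, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteLoadFinder()
            finder.feed(part.get_content())
            finder.close()
            findings += finder.findings
    return findings

# Constructed sample message; example.invalid is a reserved, non-resolving name.
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset=utf-8

<html><head><meta http-equiv="refresh" content="1; url=https://example.invalid/r"></head>
<body><iframe srcdoc="&lt;img src=&quot;https://example.invalid/p.png&quot;&gt;"></iframe>
<iframe src="https://example.invalid/f"></iframe><p>hello</p></body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Top-level remote images are deliberately not flagged; only the META refresh and iframe constructs named in the CVE titles are reported.
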
Comment by Pascal Ernster (hardfalcon) - Thursday, 08 September 2022, 08:33 GMT
I've submitted an issue for this in Mozilla's bug tracker: https://bugzilla.mozilla.org/show_bug.cgi?id=1789794
Comment by loqs (loqs) - Thursday, 08 September 2022, 22:59 GMT
Firefox used an alternative approach of switching to pip to resolve the build failure [1]. Diff attached of the update to 102.2.2 and the switch to using pip [2].

[1] https://github.com/archlinux/svntogit-packages/commit/e34234af7746f18eb6390c62c38c1e7fe6f1194e
[2] PKGBUILD.diff