Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#75848 - [thunderbird] 102.2.0-1: CVE-2022-3033, CVE-2022-3032, CVE-2022-3034, CVE-2022-36059
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Thursday, 08 September 2022, 07:53 GMT
Last edited by Toolybird (Toolybird) - Sunday, 18 September 2022, 00:45 GMT
Details

Thunderbird 102.2.1 fixes 4 CVEs:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-38/

CVE-2022-3033: Leaking of sensitive information when composing a response to an HTML email with a META refresh tag
CVE-2022-3032: Remote content specified in an HTML document that was nested inside an iframe's srcdoc attribute was not blocked
CVE-2022-3034: An iframe element in an HTML email could trigger a network request
CVE-2022-36059: Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack

CVE-2022-3033 is rated "high" and allows (among other things) injecting JavaScript code into the context of the message compose document. The other 4 CVEs are rated "moderate", though CVE-2022-3032, CVE-2022-3033 and CVE-2022-3034 allow triggering unwanted HTTP requests from HTML emails even if JavaScript is disabled in Thunderbird.

Thunderbird 102.2.2 seems to be a plain bugfix release without any security-relevant changes.

Sadly both Thunderbird 102.2.1 and 102.2.2 require some patching and replacing/updating two Python packages that ship with the Thunderbird source tarball released by Mozilla. I've attached a patch and a modified PKGBUILD that fixes the build issues for me.
Closed by Toolybird (Toolybird)
Sunday, 18 September 2022, 00:45 GMT
Reason for closing: Fixed
Additional comments about closing: thunderbird 102.2.2-1
[1] https://github.com/archlinux/svntogit-packages/commit/e34234af7746f18eb6390c62c38c1e7fe6f1194e
[2] PKGBUILD.diff