-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
MFSA 2021-14 Security Vulnerabilities fixed in Thunderbird 78.10
20 April 2021
AusCERT Security Bulletin Summary
Operating System: UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Increased Privileges -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
CVE Names: CVE-2021-29948 CVE-2021-29946 CVE-2021-29945
CVE-2021-24002 CVE-2021-23999 CVE-2021-23998
CVE-2021-23995 CVE-2021-23994 CVE-2021-23961
- --------------------------BEGIN INCLUDED TEXT--------------------
Mozilla Foundation Security Advisory 2021-14
Security Vulnerabilities fixed in Thunderbird 78.10
Announced: April 19, 2021
Fixed in: Thunderbird 78.10
In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.
# CVE-2021-23994: Out of bound write due to lazy initialization
Reporter: Abraruddin Khan and Omair
A WebGL framebuffer was not initialized early enough, resulting in memory
corruption and an out of bound write.
o Bug 1699077
# CVE-2021-23995: Use-after-free in Responsive Design Mode
Reporter: Irvan Kurniawan
When Responsive Design Mode was enabled, it used references to objects that
were previously freed. We presume that with enough effort this could have been
exploited to run arbitrary code.
o Bug 1699835
# CVE-2021-23998: Secure Lock icon could have been spoofed
Reporter: Jordi Chancel
Through complicated navigations with new windows, an HTTP page could have
inherited a secure lock icon from an HTTPS page.
o Bug 1667456
# CVE-2021-23961: More internal network hosts could have been probed by a
Reporter: Samy Kamkar, Ben Seri, and Gregory Vishnepolsky
Further techniques that built on the slipstream research combined with a
malicious webpage could have exposed both an internal network's hosts as well
as services running on the user's local machine.
o Bug 1677940
# CVE-2021-23999: Blob URLs may have been granted additional privileges
Reporter: Nika Layzell
If a Blob URL was loaded through some unusual user interaction, it could have
been loaded by the System Principal and granted additional privileges that
should not be granted to web content.
o Bug 1691153
# CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
Reporter: Daniel Santos
When a user clicked on an FTP URL containing encoded newline characters (%0A
and %0D), the newlines would have been interpreted as such and allowed
arbitrary commands to be sent to the FTP server.
o Bug 1702374
# CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
Reporter: Christian Holler
The WebAssembly JIT could miscalculate the size of a return type, which could
lead to a null read and result in a crash.
Note: This issue only affected x86-32 platforms. Other platforms are
o Bug 1700690
# CVE-2021-29946: Port blocking could be bypassed
Reporter: Frederik Braun
Ports that were written as an integer overflow above the bounds of a 16-bit
integer could have bypassed port blocking restrictions when used in the Alt-Svc
o Bug 1698503
# CVE-2021-29948: Race condition when reading from disk while verifying
Signatures are written to disk before and read during verification, which might
be subject to a race condition when a malicious local process or user is
replacing the file.
o Bug 1692899
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to firstname.lastname@example.org
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: email@example.com
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----