-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4707
         MFSA 2022-42 Security Vulnerabilities fixed in Thunderbird 102.3
                              23 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Thunderbird
Publisher:         Mozilla
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-40962 CVE-2022-40960 CVE-2022-40959
                   CVE-2022-40958 CVE-2022-40957 CVE-2022-40956
                   CVE-2022-3155

Original Bulletin: 
   https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/

Comment: CVSS (Max):  7.5 CVE-2022-40962 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Foundation Security Advisory 2022-42

Security Vulnerabilities fixed in Thunderbird 102.3

Announced: September 20, 2022
Impact:    high
Products:  Thunderbird
Fixed in:  Thunderbird 102.3

In general, these flaws cannot be exploited through email in the Thunderbird
product because scripting is disabled when reading mail, but are potentially
risks in browser or browser-like contexts.

# CVE-2022-40959: Bypassing FeaturePolicy restrictions on transient pages

Reporter: Armin Ebert
Impact:   high

Description

During iframe navigation, certain pages did not have their FeaturePolicy fully
initialized leading to a bypass that leaked device permissions into untrusted
subdocuments.

References

  o Bug 1782211

# CVE-2022-40960: Data-race when parsing non-UTF-8 URLs in threads

Reporter: Armin Ebert
Impact:   high

Description

Concurrent use of the URL parser with non-UTF-8 data was not thread-safe. This
could lead to a use-after-free causing a potentially exploitable crash.
References

  o Bug 1787633

# CVE-2022-40958: Bypassing Secure Context restriction for cookies with __Host
  and __Secure prefix

Reporter: Axel Chong (@Haxatron)
Impact:   moderate

Description

By injecting a cookie with certain special characters, an attacker on a shared
subdomain which is not a secure context could set and thus overwrite cookies
from a secure context, leading to session fixation and other attacks.

References

  o Bug 1779993

# CVE-2022-40956: Content-Security-Policy base-uri bypass

Reporter: Satoki Tsuji
Impact:   low

Description

When injecting an HTML base element, some requests would ignore the CSP's
base-uri settings and accept the injected element's base instead.

References

  o Bug 1770094

# CVE-2022-40957: Incoherent instruction cache when building WASM on ARM64

Reporter: Gary Kwong
Impact:   low

Description

Inconsistent data in instruction and data cache when creating wasm code could
lead to a potentially exploitable crash. This bug only affects Thunderbird on
ARM64 platforms.

References

  o Bug 1777604

# CVE-2022-3155: Attachment files saved to disk on macOS could be executed
  without warning

Reporter: Koh M. Nakagawa
Impact:   low

Description

When saving or opening an email attachment on macOS, Thunderbird did not set
attribute com.apple.quarantine on the received file. If the received file was
an application and the user attempted to open it, then the application was
started immediately without asking the user to confirm.

References

  o Bug 1789061

# CVE-2022-40962: Memory safety bugs fixed in Thunderbird 102.3

Reporter: Mozilla developers and community
Impact:   high

Description

Mozilla developers Nika Layzell, Timothy Nikkel, Jeff Muizelaar, Sebastian
Hengst, Andreas Pehrson, and the Mozilla Fuzzing Team reported memory safety
bugs present in Thunderbird 102.2. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code.
References

  o Memory safety bugs fixed in Thunderbird 102.3

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
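CVE-2022-40958 above concerns the __Host- and __Secure- cookie prefixes, which a browser honours only for cookies set from a secure context with the matching attributes (__Secure- requires Secure; __Host- additionally requires Path=/ and no Domain, per RFC 6265bis). The Python below is an added editorial example, not part of the Mozilla advisory or the AusCERT bulletin: it lints outgoing Set-Cookie headers against those prefix rules and rejects incoming cookie names that are not RFC 6265 tokens, the server-side hygiene that complements the client fix. All function names and the sample headers are constructed for this illustration and are not from the advisory.

```python
import re
from dataclasses import dataclass, field

# RFC 6265 cookie-name is an HTTP "token": printable US-ASCII excluding
# controls, space and the separator characters ()<>@,;:\"/[]?={}.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute name (lower-cased) -> attribute value ('' for flags like Secure)
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into its name=value pair and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep:
        raise ValueError("cookie pair must contain '='")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return ParsedCookie(name.strip(), value.strip(), attrs)


def prefix_violations(header: str) -> list:
    """Return a list of rule violations for a Set-Cookie header (empty if clean).

    Checks that the name is a syntactically valid token and that the
    __Secure-/__Host- prefixes carry the attributes the prefixes promise.
    """
    cookie = parse_set_cookie(header)
    problems = []
    if not _TOKEN_RE.match(cookie.name):
        problems.append("cookie name is not an RFC 6265 token")
    prefixed = cookie.name.startswith(("__Secure-", "__Host-"))
    if prefixed and "secure" not in cookie.attrs:
        problems.append("prefixed cookie lacks Secure attribute")
    if cookie.name.startswith("__Host-"):
        if "domain" in cookie.attrs:
            problems.append("__Host- cookie must not have a Domain attribute")
        if cookie.attrs.get("path") != "/":
            problems.append("__Host- cookie must have Path=/")
    return problems


def parse_cookie_header(header: str) -> dict:
    """Strictly parse an incoming Cookie request header.

    Any cookie whose name is not a valid token is rejected outright rather than
    silently accepted, so a name padded with odd characters cannot masquerade
    as a prefixed cookie on the server side.
    """
    cookies = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not sep or not _TOKEN_RE.match(name):
            raise ValueError(f"rejecting malformed cookie name: {name!r}")
        cookies[name] = value.strip()
    return cookies


if __name__ == "__main__":
    # Constructed sample headers (not from the advisory).
    samples = [
        "__Host-sid=abc; Secure; Path=/; HttpOnly",
        "__Host-sid=abc; Path=/",
        "__Host-sid=abc; Secure; Domain=example.com",
        "\x01__Host-sid=abc; Secure; Path=/",
    ]
    for s in samples:
        print(repr(s), "->", prefix_violations(s) or "ok")
    print(parse_cookie_header("__Host-sid=abc; theme=dark"))
```

Running the block on its own prints one verdict per constructed header; the first is clean, the others each show which prefix rule is broken, and the control character in the last name is caught by the token check before any prefix logic runs.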
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYy02vckNZI30y1K9AQi24Q/9GGzz3JNnpuoSWw+ip/gkFH7hCTdytiuk
qnlRYhwLrUzjf0BmrfgLrDJeg+MiC+RGiEkU5xAl7p33tPstu5YCE927goewGpaz
yBWy+UwGmtqlNMPR6V+ZnNsoMpocGJkILjbVfe1jKJ82wbP5pZFbzqhZp1xh948T
a6YtQ1EH87q4uiaE9TlbCG1znXXoI6BGqxqhV3IEQhcIdfqhXfx+iGU172LnI60v
iY3087eSQ9Sp1awoeLB+ATNE2+ws8oAdCRSWAwRKh6JvnS7/XeLC0vdyZ1Lh1FuC
OwbmnuA1mbLlTGI2C8aRDjmLUTusAsL403galPSvL2EYPH/cXhpg9qlNXTnsrbQe
yky9D1XltNUaNLkBQ0O3nWJcuatcPEbBziOPsJSRZ9+OW1+pb148S4xU7IypfdcU
CxnChI3gKufIi7zCBwqBA29OHRWk7qJHnukbZnzQ0GW5dyQrGG2Qxe0938mGlSTI
LlgpzQN3emXOUyQSePzSLAqgoYjONfGUZ5D61Y0J74QLGiyg9DVdvK3K+i5ubb++
klOfRyfZG7roVJM0g6NbeBBqL1HcfqsXERLT+6wCIvfDl7D+403RvWSd4F/PiUcu
v8qO39lQQFZt/LEcjJsfd5Qx7aX50o7hfs9XBPZNWqosrfXzPtr5tRbE4tYvt6HE
BFDLOkj0CEQ=
=zF4J
-----END PGP SIGNATURE-----