{"id":"MGASA-2021-0506","summary":"Updated thunderbird packages fix security vulnerabilities","details":"Updated thunderbird packages fix security vulnerabilities:\n\nThe iframe sandbox rules were not correctly applied to XSLT stylesheets,\nallowing an iframe to bypass restrictions such as executing scripts or\nnavigating the top-level frame (CVE-2021-38503).\n\nWhen interacting with an HTML input element's file picker dialog with\nwebkitdirectory set, a use-after-free could have resulted, leading to memory\ncorruption and a potentially exploitable crash (CVE-2021-38504).\n\nThrough a series of navigations, Thunderbird could have entered fullscreen\nmode without notification or warning to the user. This could lead to spoofing\nattacks on the browser UI including phishing (CVE-2021-38506).\n\nThe Opportunistic Encryption feature of HTTP2 (RFC 8164) allows a connection\nto be transparently upgraded to TLS while retaining the visual properties of\nan HTTP connection, including being same-origin with unencrypted connections\non port 80. However, if a second encrypted port on the same IP address (e.g.\nport 8443) did not opt-in to opportunistic encryption; a network attacker\ncould forward a connection from the browser to port 443 to port 8443, causing\nthe browser to treat the content of port 8443 as same-origin with HTTP. This\nwas resolved by disabling the Opportunistic Encryption feature, which had low\nusage (CVE-2021-38507).\n\nA use-after-free could have occured when an HTTP2 session object was released\non a different thread, leading to memory corruption and a potentially\nexploitable crash (CVE-2021-43535).\n\nBy displaying a form validity message in the correct location at the same time\nas a permission prompt (such as for geolocation), the validity message could\nhave obscured the prompt, resulting in the user potentially being tricked into\ngranting the permission (CVE-2021-38508).\n\nDue to an unusual sequence of attacker-controlled events, a Javascript alert()\ndialog with arbitrary (although unstyled) contents could be displayed over top\nan uncontrolled webpage of the attacker's choosing (CVE-2021-38509).\n\nMozilla developers and community members Christian Holler, Valentin Gosu, and\nAndrew McCreight reported memory safety bugs present in Thunderbird 91.2. Some\nof these bugs showed evidence of memory corruption and we presume that with\nenough effort some of these could have been exploited to run arbitrary code\n(CVE-2021-43534).\n","modified":"2026-02-02T10:01:57.432200Z","published":"2021-11-10T22:53:34Z","related":["CVE-2021-38503","CVE-2021-38504","CVE-2021-38506","CVE-2021-38507","CVE-2021-38508","CVE-2021-38509","CVE-2021-43534","CVE-2021-43535"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0506.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29625"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2021-50/"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/91.3.0/releasenotes/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.3.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0506.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.3.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0506.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}