{"id":"MGASA-2022-0019","summary":"Updated thunderbird packages fix security vulnerability","details":"It was possible to construct specific XSLT markup that would be able to bypass\nan iframe sandbox (CVE-2021-4140).\n\nConstructing audio sinks could have lead to a race condition when playing\naudio files and closing windows. This could have lead to a use-after-free\ncausing a potentially exploitable crash (CVE-2022-22737).\n\nApplying a CSS filter effect could have accessed out of bounds memory. This\ncould have lead to a heap-buffer-overflow in blendGaussianBlur causing a\npotentially exploitable crash (CVE-2022-22738).\n\nMalicious websites could have tricked users into accepting launching a program\nto handle an external URL protocol due to missing throttling on external\nprotocol launch dialog (CVE-2022-22739).\n\nCertain network request objects were freed too early when releasing a network\nrequest handle. This could have lead to a use-after-free of\nChannelEventQueue::mOwner causing a potentially exploitable crash\n(CVE-2022-22740).\n\nWhen resizing a popup while requesting fullscreen access, the popup would have\nbecome unable to leave fullscreen mode (CVE-2022-22741).\n\nWhen inserting text while in edit mode, some characters might have lead to\nout-of-bounds memory access causing a potentially exploitable crash\n(CVE-2022-22742).\n\nWhen navigating from inside an iframe while requesting fullscreen access, an\nattacker-controlled tab could have made the browser unable to leave fullscreen\nmode (CVE-2022-22743).\n\nSecuritypolicyviolation events could have leaked cross-origin information for\nframe-ancestors violations (CVE-2022-22745).\n\nAfter accepting an untrusted certificate, handling an empty pkcs7 sequence as\npart of the certificate data could have lead to a crash. This crash is\nbelieved to be unexploitable (CVE-2022-22747).\n\nMalicious websites could have confused Thunderbird into showing the wrong\norigin when asking to launch a program and handling an external URL protocol\n(CVE-2022-22748).\n\nMozilla developers Calixte Denizet, Kershaw Chang, Christian Holler, Jason\nKratzer, Gabriele Svelto, Tyson Smith, Simon Giesecke, and Steve Fink reported\nmemory safety bugs present in Thunderbird 91.4. Some of these bugs showed\nevidence of memory corruption and we presume that with enough effort some of\nthese could have been exploited to run arbitrary code (CVE-2022-22751).\n","modified":"2026-01-31T04:46:41.747511Z","published":"2022-01-16T20:39:09Z","related":["CVE-2021-4140","CVE-2022-22737","CVE-2022-22738","CVE-2022-22739","CVE-2022-22740","CVE-2022-22741","CVE-2022-22742","CVE-2022-22743","CVE-2022-22745","CVE-2022-22747","CVE-2022-22748","CVE-2022-22751"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0019.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=29873"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-03/"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/91.5.0/releasenotes/"},{"type":"REPORT","url":"https://access.redhat.com/errata/RHSA-2022:0129"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.5.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0019.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.5.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0019.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}