{"id":"MGASA-2022-0061","summary":"Updated thunderbird packages fix security vulnerabilities","details":"If a user installed an extension of a particular type, the extension could\nhave auto-updated itself and while doing so, bypass the prompt which grants\nthe new version the new requested permissions (CVE-2022-22754).\n\nIf a user was convinced to drag and drop an image to their desktop or other\nfolder, the resulting object could have been changed into an executable script\nwhich would have run arbitrary code after the user clicked on it\n(CVE-2022-22756).\n\nIf a document created a sandboxed iframe without allow-scripts, and\nsubsequently appended an element to the iframe's document that e.g. had a\nJavaScript event handler - the event handler would have run despite the\niframe's sandbox (CVE-2022-22759).\n\nWhen importing resources using Web Workers, error messages would distinguish\nthe difference between application/javascript responses and non-script\nresponses. This could have been abused to learn information cross-origin\n(CVE-2022-22760).\n\nWeb-accessible extension pages (pages with a moz-extension:// scheme) were not\ncorrectly enforcing the frame-ancestors directive when it was used in the Web\nExtension's Content Security Policy (CVE-2022-22761).\n\nWhen a worker is shutdown, it was possible to cause script to run late in the\nlifecycle, at a point after where it should not be possible (CVE-2022-22763).\n\nMozilla developers and community members Paul Adenot and the Mozilla Fuzzing\nTeam reported memory safety bugs present in Thunderbird 91.5. Some of these\nbugs showed evidence of memory corruption and we presume that with enough\neffort some of these could have been exploited to run arbitrary code\n(CVE-2022-22764).\n","modified":"2026-02-02T09:50:10.939070Z","published":"2022-02-12T17:31:35Z","related":["CVE-2022-22754","CVE-2022-22756","CVE-2022-22759","CVE-2022-22760","CVE-2022-22761","CVE-2022-22763","CVE-2022-22764"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2022-0061.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=30012"},{"type":"REPORT","url":"https://www.thunderbird.net/en-US/thunderbird/91.6.0/releasenotes/"},{"type":"REPORT","url":"https://www.mozilla.org/en-US/security/advisories/mfsa2022-06/"}],"affected":[{"package":{"name":"thunderbird","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.6.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0061.json"}},{"package":{"name":"thunderbird-l10n","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/thunderbird-l10n?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"91.6.0-1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2022-0061.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}