
Bug 920508 (CVE-2023-50761, CVE-2023-50762)

Summary: <mail-client/thunderbird{,-bin}-115.6.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: ajak, mozilla
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 920506

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-22 00:46:58 UTC
CVE-2023-50761 (https://bugzilla.mozilla.org/show_bug.cgi?id=1865647):

The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. If present, Thunderbird did not compare the signature creation date with the message date and time, and displayed a valid signature despite a date or time mismatch. This could be used to give recipients the impression that a message was sent at a different date or time. This vulnerability affects Thunderbird < 115.6.

CVE-2023-50762 (https://bugzilla.mozilla.org/show_bug.cgi?id=1862625):

When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. This is because the text was interpreted as a MIME message and the first paragraph was always treated as an email header section. A digitally signed text from a different context, such as a signed GIT commit, could be used to spoof an email message. This vulnerability affects Thunderbird < 115.6.

Please stabilize when ready, thanks!
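The consistency check that CVE-2023-50761 describes as missing (comparing the signature's creation time with the message's own Date header) can be illustrated in a few lines. The following is an added example written for this page, not code from the bug report, from Thunderbird or from Gentoo. It assumes the CMS `signingTime` signed attribute (RFC 5652 section 11.3) has already been extracted from the SignerInfo and is handed over as its UTCTime or GeneralizedTime string; the one-hour skew tolerance, the `check_signature_date` and `parse_cms_time` names and the sample message are all constructed for the example.

```python
"""Flag an S/MIME signature whose signingTime disagrees with the message Date header.

Added example: this is not Thunderbird's code. It models the check described for
CVE-2023-50761, where a signature that carries a creation time should not be shown
as valid when that time contradicts the Date header of the message it is attached to.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Tolerance for clock skew and the gap between signing and submission.
# The one-hour value is an assumption for this example, not a Thunderbird setting.
MAX_SKEW = timedelta(hours=1)


def parse_cms_time(value: str) -> datetime:
    """Parse a CMS signingTime attribute given as its ASN.1 string form.

    RFC 5652 encodes signingTime as UTCTime ('YYMMDDHHMMSSZ', years 1950-2049)
    or GeneralizedTime ('YYYYMMDDHHMMSSZ'). Only the Zulu forms are accepted;
    anything else is rejected instead of guessed, so a malformed attribute
    cannot slip through as "matching".
    """
    if len(value) == 13 and value.endswith("Z"):
        # X.680 rule for two-digit years: 50-99 -> 1950-1999, 00-49 -> 2000-2049.
        yy = int(value[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = datetime.strptime(value[2:], "%m%d%H%M%SZ")
        return rest.replace(year=year, tzinfo=timezone.utc)
    if len(value) == 15 and value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported signingTime encoding: {value!r}")


def check_signature_date(raw_message: str, signing_time: str,
                         max_skew: timedelta = MAX_SKEW) -> tuple[bool, str]:
    """Return (ok, detail).

    ok is False when the message has no usable Date header or when the
    signature's creation time and the Date header differ by more than max_skew.
    A cryptographically valid signature should still not be presented as
    trustworthy in that case; the mismatch is the point of the CVE.
    """
    msg = message_from_string(raw_message)
    date_header = msg.get("Date")
    if date_header is None:
        return False, "message has no Date header to compare the signature against"
    try:
        msg_time = parsedate_to_datetime(date_header)
    except (TypeError, ValueError) as exc:
        return False, f"unparseable Date header {date_header!r}: {exc}"
    if msg_time.tzinfo is None:  # '-0000' dates parse as naive; treat as UTC
        msg_time = msg_time.replace(tzinfo=timezone.utc)

    sig_time = parse_cms_time(signing_time)
    delta = abs(msg_time - sig_time)
    if delta > max_skew:
        return False, (f"signature created {sig_time.isoformat()} but message "
                       f"dated {msg_time.isoformat()} (difference {delta})")
    return True, f"signature time and Date header agree (difference {delta})"


# Constructed sample message; only the Date header matters for the check.
SAMPLE_MESSAGE = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Date: Thu, 21 Dec 2023 12:00:00 +0000\n"
    "Subject: quarterly numbers\n"
    "\n"
    "(signed body would follow here)\n"
)

if __name__ == "__main__":
    # Signed five minutes after the Date header: consistent.
    print(check_signature_date(SAMPLE_MESSAGE, "231221120500Z"))
    # Signed a month before the Date header: the message was re-dated after signing.
    print(check_signature_date(SAMPLE_MESSAGE, "231120120000Z"))
```

In a real verifier the `signing_time` argument would come from the signed attributes of the SignerInfo after the signature itself has been verified; the attribute is covered by the signature, so an attacker cannot adjust it, which is exactly why comparing it against the unsigned Date header is a meaningful check.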
Comment 1 Larry the Git Cow gentoo-dev 2023-12-22 11:41:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7854682c7b0c37f76873fb3e7aab5a0d1a027b3f

commit 7854682c7b0c37f76873fb3e7aab5a0d1a027b3f
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-12-22 11:40:09 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-12-22 11:40:09 +0000

    mail-client/thunderbird: stabilize 115.6.0 for x86
    
    Bug: https://bugs.gentoo.org/920508
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-115.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ad2c57d7c40f804df3f54df0128bd66d51786de

commit 5ad2c57d7c40f804df3f54df0128bd66d51786de
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-12-22 11:39:57 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-12-22 11:39:57 +0000

    mail-client/thunderbird: stabilize 115.6.0 for amd64
    
    Bug: https://bugs.gentoo.org/920508
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-115.6.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Joonas Niilola gentoo-dev 2024-01-06 09:35:57 UTC
Tree should be clean, along with bug 918444 and bug 914073
Comment 3 Larry the Git Cow gentoo-dev 2024-02-19 06:11:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=39f2a7a485887d1506cfabc1ac4bee230c06a1e7

commit 39f2a7a485887d1506cfabc1ac4bee230c06a1e7
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 05:59:01 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-25 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/918444
    Bug: https://bugs.gentoo.org/920508
    Bug: https://bugs.gentoo.org/924845
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-25.xml | 129 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 129 insertions(+)