The ElGamal implementation in Botan through 2.18.1, as used in Thunderbird and other products, allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.
Unreleased in Botan (https://github.com/randombit/botan/pull/2790), and doesn't seem the patch is in Thunderbird yet.
Fixed in 2.18.2.
(In reply to John Helmert III from comment #1)
> Fixed in 2.18.2.
... which is in Thunderbird 91.3.2.
The bug has been referenced in the following commit(s):
Author: GLSAMaker <email@example.com>
AuthorDate: 2022-08-10 04:08:55 +0000
Commit: John Helmert III <firstname.lastname@example.org>
CommitDate: 2022-08-10 04:17:36 +0000
[ GLSA 202208-14 ] Mozilla Thunderbird: Multiple Vulnerabilities
Signed-off-by: GLSAMaker <email@example.com>
Signed-off-by: John Helmert III <firstname.lastname@example.org>
glsa-202208-14.xml | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 165 insertions(+)
GLSA released, all done!