Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 833520 (CVE-2022-0566) - <mail-client/thunderbird{-bin,}-91.6.2: multiple vulnerabilities
Summary: <mail-client/thunderbird{-bin,}-91.6.2: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-0566
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords:
Depends on:
Blocks: CVE-2022-22754, CVE-2022-22756, CVE-2022-22759, CVE-2022-22760, CVE-2022-22761, CVE-2022-22763, CVE-2022-22764 CVE-2022-26485, CVE-2022-26486
  Show dependency tree
 
Reported: 2022-02-17 10:19 UTC by Frederik Pfautsch
Modified: 2022-08-10 04:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frederik Pfautsch 2022-02-17 10:19:56 UTC
CVE-2022-0566: Crafted email could trigger an out-of-bounds write

It may be possible for an attacker to craft an email message that causes Thunderbird to perform an out-of-bounds write of one byte when processing the message.

Please stabilize 91.6.1 of non-bin package

Reproducible: Always
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-17 22:45:01 UTC
Thank you for reporting! I missed Thunderbird in the last round of Mozilla advisories due to Mozilla releasing them asynchronously, so I'll block the tracker here.

mozilla@, please stabilize 91.6.1.
Comment 2 Larry the Git Cow gentoo-dev 2022-02-18 12:27:01 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=270c3894322dfbbf9a5f663732e4e50b68d4c9dd

commit 270c3894322dfbbf9a5f663732e4e50b68d4c9dd
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-02-18 10:39:17 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-02-18 12:26:54 +0000

    mail-client/thunderbird: stabilize 91.6.1 for amd64
    
    Bug: https://bugs.gentoo.org/833520
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-91.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 Joonas Niilola gentoo-dev 2022-03-06 09:46:34 UTC
I'm gonna push thunderbird-91.6.2 straight to stable today due to multiple "possible" security fixes it carries.
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/#thunderbird91.6.2
(may be updated later?)
https://www.thunderbird.net/en-US/thunderbird/91.6.2/releasenotes/

May need to package.use.mask system-libvpx for x86 since upstream hasn't commented anything about it, and figure out the root-reason later. Might be related to "too new" libvpx that's stabilized in Gentoo, wouldn't be the first time firefox/thunderbird need to depend on older version. Just for the record, firefox-esr and thunderbird both bundle 1.8.2 version of libvpx.
Comment 4 Joonas Niilola gentoo-dev 2022-03-06 09:54:36 UTC
* package.use.force of course ^
Comment 5 Larry the Git Cow gentoo-dev 2022-03-06 17:30:26 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7b5a41ea4e25241b0ee175bc8a6efa6850d7ceb

commit d7b5a41ea4e25241b0ee175bc8a6efa6850d7ceb
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-03-06 17:27:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-06 17:30:19 +0000

    mail-client/thunderbird: security stabilization on 91.6.2 for amd64
    
    Bug: https://bugs.gentoo.org/833520
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-91.6.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b7741605585343123d580bdf73dd7c9db0761df1

commit b7741605585343123d580bdf73dd7c9db0761df1
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-03-06 15:37:34 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-03-06 17:30:19 +0000

    mail-client/thunderbird: security stabilization 91.6.2 for x86
    
    Bug: https://bugs.gentoo.org/833520
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-91.6.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-06 18:21:43 UTC
Thanks, I didn't even notice Thunderbird was affected in this advisory thanks to the advisory title not mentioning it.
Comment 8 Larry the Git Cow gentoo-dev 2022-08-10 04:18:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8856093f804feeda5fe9097d49ba3307aaefc9c2

commit 8856093f804feeda5fe9097d49ba3307aaefc9c2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:08:55 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:36 +0000

    [ GLSA 202208-14 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/794085
    Bug: https://bugs.gentoo.org/802759
    Bug: https://bugs.gentoo.org/807943
    Bug: https://bugs.gentoo.org/811912
    Bug: https://bugs.gentoo.org/813501
    Bug: https://bugs.gentoo.org/822294
    Bug: https://bugs.gentoo.org/828539
    Bug: https://bugs.gentoo.org/831040
    Bug: https://bugs.gentoo.org/833520
    Bug: https://bugs.gentoo.org/834805
    Bug: https://bugs.gentoo.org/845057
    Bug: https://bugs.gentoo.org/846596
    Bug: https://bugs.gentoo.org/849047
    Bug: https://bugs.gentoo.org/857048
    Bug: https://bugs.gentoo.org/864577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-14.xml | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-10 04:26:32 UTC
GLSA released, all done!