Bug 873667 (CVE-2022-39236, CVE-2022-39249, CVE-2022-39250, CVE-2022-39251) - <mail-client/thunderbird{-bin,}-102.3.1: multiple vulnerabilities
Summary: <mail-client/thunderbird{-bin,}-102.3.1: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-39236, CVE-2022-39249, CVE-2022-39250, CVE-2022-39251
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-09-30 15:33 UTC by John Helmert III
Modified: 2022-10-31 20:02 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-09-30 15:33:17 UTC
CVE-2022-39236 (https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x):
https://github.com/matrix-org/matrix-spec-proposals/pull/3488
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Starting with version 17.1.0-rc.1, improperly formed beacon events can disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data safely. Note that the matrix-js-sdk can appear to be operating normally but be excluding or corrupting runtime data presented to the consumer. This is patched in matrix-js-sdk v19.7.0. Redacting applicable events, waiting for the sync processor to store data, and restarting the client are possible workarounds. Alternatively, redacting the applicable events and clearing all storage will fix the further perceived issues. Downgrading to an unaffected version, noting that such a version may be subject to other vulnerabilities, will additionally resolve the issue.

CVE-2022-39251 (https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76):
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This can allow, for example, injecting the key backup secret during a self-verification to make a targeted device start using a malicious key backup spoofed by the homeserver. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. Starting with version 19.7.0, matrix-js-sdk has been modified to only accept Olm-encrypted to-device messages. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious homeserver and an attacker, so those who trust their homeservers do not need a workaround.

CVE-2022-39250 (https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76):
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf

Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK) for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver could interfere with the verification flow between two users, injecting its own cross-signing user identity in place of one of the users’ identities. This would lead to the other device trusting/verifying the user identity under the control of the homeserver instead of the intended one. The vulnerability is a bug in the matrix-js-sdk, caused by checking and signing user identities and devices in two separate steps, and inadequately fixing the keys to be signed between those steps. Even though the attack is partly made possible due to the design decision of treating cross-signing user identities as Matrix devices on the server side (with their device ID set to the public part of the user identity key), no other examined implementations were vulnerable. Starting with version 19.7.0, the matrix-js-sdk has been modified to double check that the key signed is the one that was verified instead of just referencing the key by ID. An additional check has been made to report an error when one of the device IDs matches a cross-signing key. As this attack requires coordination between a malicious homeserver and an attacker, those who trust their homeservers do not need a particular workaround.

CVE-2022-39249 (https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76):
https://github.com/matrix-org/matrix-js-sdk/releases/tag/v19.7.0
https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg
https://github.com/matrix-org/matrix-spec-proposals/pull/3061
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to version 19.7.0, an attacker cooperating with a malicious homeserver can construct messages appearing to have come from another person. Such messages will be marked with a grey shield on some platforms, but this may be missing in others. This attack is possible due to the matrix-js-sdk implementing a too permissive key forwarding strategy on the receiving end. Starting with version 19.7.0, the default policy for accepting key forwards has been made more strict in the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys in response to previously issued requests and only from own, verified devices. The SDK now sets a `trusted` flag on the decrypted message upon decryption, based on whether the key used to decrypt the message was received from a trusted source. Clients need to ensure that messages decrypted with a key with `trusted = false` are decorated appropriately, for example, by showing a warning for such messages. This attack requires coordination between a malicious homeserver and an attacker, and those who trust their homeservers do not need a workaround.

Please stabilize when ready.
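The advisories quoted above describe three receiving-side checks that the 19.7.0 fix introduced: to-device messages must be Olm-encrypted (CVE-2022-39251), forwarded room keys are accepted only in response to a request the client issued and only from the user's own verified devices (CVE-2022-39249), and decrypted messages carry a `trusted` flag that the client must surface. The JavaScript below is an added illustration written for this page; it is not code from matrix-js-sdk, Thunderbird, or this bug. The event shapes, the `KeyForwardPolicy` and `SessionStore` classes, the "legacy untrusted" session case and all sample identifiers are constructed for the example.

```javascript
// Constructed model of the receiving-side checks from the advisories above.
// Not matrix-js-sdk code: every name and event shape here is an assumption.

const OLM_ALGORITHM = "m.olm.v1.curve25519-aes-sha2";
const MEGOLM_ALGORITHM = "m.megolm.v1.aes-sha2";

// CVE-2022-39251: a to-device message is only ever Olm-encrypted. Processing a
// Megolm-encrypted payload on the to-device path is the protocol confusion the
// advisory describes, so anything that is not Olm is rejected outright.
function isValidEncryptedToDevice(event) {
  return (
    event.type === "m.room.encrypted" &&
    event.content !== undefined &&
    event.content.algorithm === OLM_ALGORITHM
  );
}

// CVE-2022-39249: accept a forwarded room key only for a request this client
// actually issued, and only from one of its own verified devices.
class KeyForwardPolicy {
  constructor(ownUserId, ownVerifiedDeviceIds) {
    this.ownUserId = ownUserId;
    this.ownVerifiedDeviceIds = new Set(ownVerifiedDeviceIds);
    this.outstanding = new Set(); // "roomId|sessionId" pairs we asked for
  }
  requestKey(roomId, sessionId) {
    this.outstanding.add(`${roomId}|${sessionId}`);
  }
  // forward = { senderUserId, senderDeviceId, roomId, sessionId }
  accepts(forward) {
    const id = `${forward.roomId}|${forward.sessionId}`;
    if (!this.outstanding.has(id)) return false; // unsolicited forward
    if (forward.senderUserId !== this.ownUserId) return false; // not our device
    if (!this.ownVerifiedDeviceIds.has(forward.senderDeviceId)) return false;
    this.outstanding.delete(id); // a request is satisfied exactly once
    return true;
  }
}

// Session store carrying the `trusted` flag. A key from an accepted forward is
// trusted; a key imported without a provenance check (constructed "legacy"
// case) is kept for decryption but marked untrusted.
class SessionStore {
  constructor(policy) {
    this.policy = policy;
    this.sessions = new Map();
  }
  addTrusted(roomId, sessionId) {
    this.sessions.set(`${roomId}|${sessionId}`, { trusted: true });
  }
  addLegacyUntrusted(roomId, sessionId) {
    this.sessions.set(`${roomId}|${sessionId}`, { trusted: false });
  }
  // Returns true if the forwarded key was stored, false if it was dropped.
  addForwarded(forward) {
    if (!this.policy.accepts(forward)) return false;
    this.addTrusted(forward.roomId, forward.sessionId);
    return true;
  }
  // Decryption stand-in: Megolm itself is out of scope, so `body` passes
  // through unchanged; what matters is the metadata attached to the result.
  decrypt(roomId, sessionId, body) {
    const session = this.sessions.get(`${roomId}|${sessionId}`);
    if (!session) return null; // no key for this session
    return { body, trusted: session.trusted };
  }
}

// The client-side obligation from the advisory: a message decrypted with a key
// marked trusted = false must be visibly decorated, never shown as-is.
function renderMessage(decrypted) {
  if (decrypted === null) return "[unable to decrypt]";
  return decrypted.trusted
    ? decrypted.body
    : `[unverified sender] ${decrypted.body}`;
}
```

The policy consumes a request once it is answered, so a second forward for the same session is refused even from a verified device; the untrusted path is deliberately kept decryptable so that the warning, not silent data loss, is what the user sees.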
Comment 1 Larry the Git Cow gentoo-dev 2022-10-01 08:10:12 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7c939081f39f194af6f780d81b4b1839521df2b4

commit 7c939081f39f194af6f780d81b4b1839521df2b4
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-10-01 08:09:49 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-10-01 08:10:10 +0000

    mail-client/thunderbird: stabilize 102.3.1 for x86
    
    Bug: https://bugs.gentoo.org/873667
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-102.3.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71016de51edebed62fb64162334173802589b2a1

commit 71016de51edebed62fb64162334173802589b2a1
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-10-01 08:09:29 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-10-01 08:10:10 +0000

    mail-client/thunderbird: stabilize 102.3.1 for amd64
    
    Bug: https://bugs.gentoo.org/873667
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-102.3.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2022-10-03 13:13:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7ef9a4ead601772707a43e90e15a62d3b2e8daf0

commit 7ef9a4ead601772707a43e90e15a62d3b2e8daf0
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-10-03 13:12:47 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-10-03 13:12:47 +0000

    mail-client/thunderbird: drop 102.3.0
    
    Bug: https://bugs.gentoo.org/873667
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                   |   66 --
 mail-client/thunderbird/thunderbird-102.3.0.ebuild | 1164 --------------------
 2 files changed, 1230 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2022-10-25 14:10:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5afdd241d0a30c3dea5fc284878b0451613d6fe6

commit 5afdd241d0a30c3dea5fc284878b0451613d6fe6
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2022-10-25 14:08:20 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2022-10-25 14:10:13 +0000

    mail-client/thunderbird: security cleanup, drop 91.13.1, 102.3.*
    
    Bug: https://bugs.gentoo.org/873667
    Bug: https://bugs.gentoo.org/872572
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                   |  260 -----
 mail-client/thunderbird/thunderbird-102.3.1.ebuild | 1164 -------------------
 mail-client/thunderbird/thunderbird-102.3.2.ebuild | 1165 --------------------
 mail-client/thunderbird/thunderbird-102.3.3.ebuild | 1165 --------------------
 mail-client/thunderbird/thunderbird-91.13.1.ebuild | 1131 -------------------
 5 files changed, 4885 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-25 21:49:13 UTC
Thanks!
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 15:45:44 UTC
GLSA request filed
Comment 6 Larry the Git Cow gentoo-dev 2022-10-31 20:01:58 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=794e005ddee1af19fec133f96c714f4b8786a377

commit 794e005ddee1af19fec133f96c714f4b8786a377
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-10-31 20:00:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-10-31 20:01:44 +0000

    [ GLSA 202210-35 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/873667
    Bug: https://bugs.gentoo.org/878315
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202210-35.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-31 20:02:45 UTC
GLSA released, all done!