Der kostenlose Mailclient für Windows, macOS und Linux Thunderbird ist in Version 102.6.0 erschienen. Das Update schließt 7 Sicherheitslücken und entfernt diverse Fehler.
Thunderbird 102.6.0 Release Notes
- Importing secret OpenPGP keys failed when public key with public subkey was already present
- Message index files were incorrectly deleted when too many folders were opened
- Thunderbird sometimes incorrectly formatted synced vCards
- Recurring events did not display past a certain number of repetitions
- Cookies deleted from the „Show Cookies“ dialog were not actually deleted
- Paused RSS feeds did not actually pause updates
- Various visual and UX improvements
Thunderbird 102.6.0 Security Notes
#CVE-2022-46880: Use-after-free in WebGL
Reporter: Atte Kettunen
Impact: high
Description
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.
#CVE-2022-46872: Arbitrary file read from a compromised content process
Reporter: Nika Layzell
Impact: high
Description
An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Thunderbird for Linux. Other operating systems are unaffected.
#CVE-2022-46881: Memory corruption in WebGL
Reporter: Karl and an Anonymous ASAN Nightly User
Impact: high
Description
An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.
#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
Reporter: Matthias Zoellner
Impact: moderate
Description
A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.
#CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
Reporter: Dohyun Lee
Impact: moderate
Description
The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user’s computer.
Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
#CVE-2022-46882: Use-after-free in WebGL
Reporter: Irvan Kurniawan
Impact: moderate
Description
A use-after-free in WebGL extensions could have led to a potentially exploitable crash.
#CVE-2022-46878: Memory safety bugs fixed in Thunderbird 102.6
Reporter: Mozilla developers
Impact: high
Description
Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
Quelle: Thunderbird — Release Notes (102.6.0) — Thunderbird
Interessiert in verschiedenste IT Themen, schreibe ich in diesem Blog über Software, Hardware, Smart Home, Games und vieles mehr. Ich berichte z.B. über die Installation und Konfiguration von Software als auch von Problemen mit dieser. News sind ebenso spannend, sodass ich auch über Updates, Releases und Neuigkeiten aus der IT berichte. Letztendlich nutze ich Taste-of-IT als eigene Dokumentation und Anlaufstelle bei wiederkehrenden Themen. Ich hoffe ich kann dich ebenso informieren und bei Problemen eine schnelle Lösung anbieten. Wer meinen Aufwand unterstützen möchte, kann gerne eine Tasse oder Pod Kaffe per PayPal spenden – vielen Dank.