Menü Schließen

Mozilla Thunderbird 102.6.0 Security und Bugfix Release

Thunderbird Logo

Der kostenlose Mailclient für Windows, macOS und Linux Thunderbird ist in Version 102.6.0 erschienen. Das Update schließt 7 Sicherheitslücken und entfernt diverse Fehler.

Thunderbird 102.6.0 Release Notes

  • Importing secret OpenPGP keys failed when public key with public subkey was already present
  • Message index files were incorrectly deleted when too many folders were opened
  • Thunderbird sometimes incorrectly formatted synced vCards
  • Recurring events did not display past a certain number of repetitions
  • Cookies deleted from the „Show Cookies“ dialog were not actually deleted
  • Paused RSS feeds did not actually pause updates
  • Various visual and UX improvements

Thunderbird 102.6.0 Security Notes


#CVE-2022-46880: Use-after-free in WebGL

Reporter: Atte Kettunen
Impact: high

Description

A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.

#CVE-2022-46872: Arbitrary file read from a compromised content process

Reporter: Nika Layzell
Impact: high

Description

An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Thunderbird for Linux. Other operating systems are unaffected.

#CVE-2022-46881: Memory corruption in WebGL

Reporter: Karl and an Anonymous ASAN Nightly User
Impact: high

Description

An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.

#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions

Reporter: Matthias Zoellner
Impact: moderate

Description

A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.

#CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS

Reporter: Dohyun Lee
Impact: moderate

Description

The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user’s computer.
Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.

#CVE-2022-46882: Use-after-free in WebGL

Reporter: Irvan Kurniawan
Impact: moderate

Description

A use-after-free in WebGL extensions could have led to a potentially exploitable crash.

#CVE-2022-46878: Memory safety bugs fixed in Thunderbird 102.6

Reporter: Mozilla developers
Impact: high

Description

Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Quelle: Thunderbird — Release Notes (102.6.0) — Thunderbird

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert