Der kostenlose Mailclient für Windows, macOS und Linux Thunderbird ist in Version 102.6.0 erschienen. Das Update schließt 7 Sicherheitslücken und entfernt diverse Fehler.
Thunderbird 102.6.0 Release Notes
- Importing secret OpenPGP keys failed when public key with public subkey was already present
- Message index files were incorrectly deleted when too many folders were opened
- Thunderbird sometimes incorrectly formatted synced vCards
- Recurring events did not display past a certain number of repetitions
- Cookies deleted from the “Show Cookies” dialog were not actually deleted
- Paused RSS feeds did not actually pause updates
- Various visual and UX improvements
Thunderbird 102.6.0 Security Notes
#CVE-2022-46880: Use-after-free in WebGL
Reporter: Atte Kettunen
A missing check related to tex units could have led to a use-after-free and potentially exploitable crash.
#CVE-2022-46872: Arbitrary file read from a compromised content process
Reporter: Nika Layzell
An attacker who compromised a content process could have partially escaped the sandbox to read arbitrary files via clipboard-related IPC messages. This bug only affects Thunderbird for Linux. Other operating systems are unaffected.
#CVE-2022-46881: Memory corruption in WebGL
Reporter: Karl and an Anonymous ASAN Nightly User
An optimization in WebGL was incorrect in some cases, and could have led to memory corruption and a potentially exploitable crash.
#CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
Reporter: Matthias Zoellner
A file with a long filename could have had its filename truncated to remove the valid extension, leaving a malicious extension in its place. This could potentially led to user confusion and the execution of malicious code.
#CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
Reporter: Dohyun Lee
The executable file warning was not presented when downloading .atloc and .ftploc files, which can run commands on a user’s computer.
Note: This issue only affected Mac OS operating systems. Other operating systems are unaffected.
#CVE-2022-46882: Use-after-free in WebGL
Reporter: Irvan Kurniawan
A use-after-free in WebGL extensions could have led to a potentially exploitable crash.
#CVE-2022-46878: Memory safety bugs fixed in Thunderbird 102.6
Reporter: Mozilla developers
Mozilla developers Randell Jesup, Valentin Gosu, Olli Pettay, and the Mozilla Fuzzing Team reported memory safety bugs present in Thunderbird 102.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.