Bug 1186199 (CVE-2021-29956)

Summary: VUL-1: CVE-2021-29956: MozillaThunderbird: Thunderbird stored OpenPGP secret keys without master password protection
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Martin Sirringhaus <martin.sirringhaus>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P4 - Low
CC: Andreas.Stieger, carlos.e.r, smash_bz, wolfgang
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/284545/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-29956:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on: 1187759    
Bug Blocks:    

Description Gianluca Gabrielli 2021-05-18 12:10:38 UTC
CVE-2021-29956

OpenPGP secret keys that were imported using Thunderbird version 78.8.1 up to version 78.10.1 were stored unencrypted on the user's local disk. The master password protection was inactive for those keys. Version 78.10.2 will restore the protection mechanism for newly imported keys, and will automatically protect keys that had been imported using affected Thunderbird versions.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-22/#CVE-2021-29956

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1961504
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29956

Comment 1 Gianluca Gabrielli 2021-05-18 12:11:50 UTC
Affected packages:

 - SUSE:SLE-15-SP2:Update/MozillaThunderbird       78.10.0
 - openSUSE:Factory/MozillaThunderbird     78.10.1

Please update to version >= 78.10.2

Comment 3 Andreas Stieger 2021-05-26 15:27:41 UTC
*** Bug 1186464 has been marked as a duplicate of this bug. ***

Comment 4 OBSbugzilla Bot 2021-06-03 22:00:05 UTC
This is an autogenerated message for OBS integration:
This bug (1186199) was mentioned in
https://build.opensuse.org/request/show/897289 Factory / MozillaThunderbird

Comment 5 Swamp Workflow Management 2021-06-04 10:27:44 UTC
SUSE-SU-2021:1854-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185086,1185633,1186198,1186199
CVE References: CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    MozillaThunderbird-78.10.2-8.27.1
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    MozillaThunderbird-78.10.2-8.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2021-07-10 22:20:00 UTC
openSUSE-SU-2021:1854-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1185086,1185633,1186198,1186199
CVE References: CVE-2021-29950,CVE-2021-29951,CVE-2021-29956,CVE-2021-29957
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    MozillaThunderbird-78.10.2-8.27.1

Comment 7 Marcus Meissner 2021-08-09 12:31:53 UTC
done