Security Vulnerabilities Addressed in Thunderbird 115.6

On December 19, 2023, the Mozilla Foundation released Thunderbird 115.6, addressing a series of security vulnerabilities across various impact levels and areas.

Description of Critical Vulnerabilities

CVE-2023-50762: Truncated signed text within PGP/MIME payloads could escape the user's notice, potentially enabling spoofed email messages.

CVE-2023-50761: S/MIME signatures were accepted despite mismatching message dates, creating the potential for false message timing.

CVE-2023-6856: A critical WebGL vulnerability resulted in a heap buffer overflow, possibly leading to remote code execution and sandbox escape.

CVE-2023-6864: Multiple memory safety bugs were fixed, addressing potential memory corruption and the threat of arbitrary code execution in Thunderbird.

Additional Identified Vulnerabilities

Other vulnerabilities, though of lesser impact, were also addressed:

  • CVE-2023-6857: A symlink resolution race condition posed moderate risk for Unix-based Thunderbird installations.
  • CVE-2023-6858: A moderate-risk heap buffer overflow affected Thunderbird due to insufficient handling in nsTextFragment.
  • CVE-2023-6859: A moderate-risk use-after-free issue impacted TLS socket creation under memory pressure.
  • CVE-2023-6860: The VideoBridge vulnerability could allow moderate-risk sandbox escapes through improper texture validation.
  • CVE-2023-6861: A moderate-risk heap buffer overflow affected nsWindow::PickerOpen in headless mode.
  • CVE-2023-6862: A moderate-risk use-after-free issue was identified in nsDNSService::Init.
  • CVE-2023-6863: A low-impact vulnerability was discovered in Thunderbird’s ShutdownObserver() due to potential undefined behavior.

The Thunderbird 115.6 release includes critical patches for the mentioned vulnerabilities. Users are strongly advised to update to this version to mitigate these security risks.

Find more detailed information about each CVE in the Mozilla Foundation Security Advisory 2023-55.