Closed Bug 1692899 (CVE-2021-29948) Opened 4 months ago Closed 3 months ago

RNP-01-003 WP3 Thunderbird: Possible race condition when reading from disk

Categories

(MailNews Core :: Security: OpenPGP, defect)

Tracking

(thunderbird_esr78 fixed, thunderbird88 fixed)

RESOLVED FIXED
89 Branch

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

(Keywords: sec-low)

Attachments

(1 file)

When processing a PGP-signed email, the signature data is extracted and written to the
filesystem before calling the RNP library, which in turn reads the signature data back
from the filesystem. This introduces a race condition due to the timing and predictable
file path, wherein a malicious local user can swap out the dumped file for a malicious
signature file. During this assessment, however, it was not possible to exploit this in any
meaningful way. The following shows a code excerpt that is responsible for writing the
file to disk before calling the RNP library.

Affected File:
comm/mail/extensions/openpgp/content/modules/mimeVerify.jsm

Affected Code:

onStopRequest() {
  [...]
  if (this.protocol === PGPMIME_PROTO) {
    [...]
    // The signature data is dumped to a file in the shared temp directory.
    this.sigFile = EnigmailFiles.getTempDirObj();
    this.sigFile.append("data.sig");
    this.sigFile.createUnique(this.sigFile.NORMAL_FILE_TYPE, 0x180);
    EnigmailFiles.writeFileContents(this.sigFile, this.sigData, 0x180);
    if (!EnigmailDecryption.isReady(win)) {
      return;
    }
    let sigFileName = EnigmailFiles.getEscapedFilename(
      EnigmailFiles.getFilePath(this.sigFile)
    );
    let keyserver = EnigmailPrefs.getPref("autoKeyRetrieve");
    let options = {
      keyserver,
      keyserverProxy: EnigmailHttpProxy.getHttpProxy(keyserver),
      fromAddr: EnigmailDecryption.getFromAddr(win),
      // Only the path is passed on; the library re-reads the signature from disk.
      mimeSignatureFile: sigFileName,
    };
    const cApi = EnigmailCryptoAPI();
    [...]
    this.returnStatus = cApi.sync(cApi.verifyMime(this.signedData, options));
    [...]

It is recommended to avoid using the filesystem in order to pass the signature
information to the library. Instead, the information should be passed via memory, as
done with the signed data itself.

Assignee: nobody → kaie
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → 89 Branch

Comment on attachment 9211305 [details]
Bug 1692899 - Don't use a file for passing OpenPGP signature data between modules. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): no
User impact if declined: none
Testing completed (on c-c, etc.): c-c
Risk to taking this patch (and alternatives if risky): low

Attachment #9211305 - Flags: approval-comm-beta?

Comment on attachment 9211305 [details]
Bug 1692899 - Don't use a file for passing OpenPGP signature data between modules. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9211305 - Flags: approval-comm-beta? → approval-comm-beta+

Comment on attachment 9211305 [details]
Bug 1692899 - Don't use a file for passing OpenPGP signature data between modules. r=mkmelin

approval info: see comment 3.

We can wait for 78.10

Attachment #9211305 - Flags: approval-comm-esr78?

Comment on attachment 9211305 [details]
Bug 1692899 - Don't use a file for passing OpenPGP signature data between modules. r=mkmelin

[Triage Comment]
Approved for esr78

Attachment #9211305 - Flags: approval-comm-esr78? → approval-comm-esr78+
Alias: CVE-2021-29948

I'm drafting security advisories for Thunderbird and need a security rating.
Given this requires a local user and has not been verified as exploitable, I will go with sec-low.
Let me know if you disagree and I'll happily adjust the advisory :)

Keywords: sec-low

Thanks Freddy, rating and advisory text sounds good to me!

Group: mail-core-security