Closed Bug 1925929 (CVE-2024-11159) Opened 2 months ago Closed 1 month ago

remote content in OpenPGP encrypted emails not blocked as it should be

Categories

(MailNews Core :: Security: OpenPGP, defect)

defect

Tracking

RESOLVED FIXED
134 Branch

Tracking Status
thunderbird_esr128 --- fixed
thunderbird132 --- fixed
thunderbird133 --- fixed

People

(Reporter: mkmelin, Assigned: KaiE)

References

Details

(Keywords: sec-high)

Attachments

(1 file)

Testing bug 1924058 made me realize we're not hard blocking remote content for OpenPGP encrypted emails the way we're supposed to (only S/MIME), see bug 1411592.

This check is here: https://searchfox.org/comm-central/rev/57782ef9cbf3f0fccb709b33db0bda808101bc02/mailnews/base/src/nsMsgContentPolicy.cpp#321
Another case of confusion due to OpenPGP instead using EnigmailURIs.isEncryptedUri. We should unify this check.

See Also: → 1924058
Assignee: nobody → kaie
Status: NEW → ASSIGNED

Pushed by john@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/f4a450f4d1f5
Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin

Status: ASSIGNED → RESOLVED
Closed: 1 month ago
Resolution: --- → FIXED
Target Milestone: --- → 134 Branch

Comment on attachment 9433680 [details]
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin

[Approval Request Comment]
Regression caused by (bug #): since we offer OpenPGP
User impact if declined: see old CVE-2018-5184 but for OpenPGP
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): Code risk is low. Most of the patch is unifying two parallel tracking services (that were separate for OpenPGP and S/MIME) to a single one, which means all code querying for that status will work regardless of the technology being used. Users might complain they can no longer allow remote content in OpenPGP messages, but we are deliberately disabling that, as we already did in the past for S/MIME messages.

Attachment #9433680 - Flags: approval-comm-esr128?
Attachment #9433680 - Flags: approval-comm-beta?
Alias: CVE-xyz-abc

Comment on attachment 9433680 [details]
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin

[Triage Comment]
Approved for beta

Attachment #9433680 - Flags: approval-comm-beta? → approval-comm-beta+
CVE-2024-NNNN:
    title: Potential disclosure of plaintext in OpenPGP encrypted message
    impact: high
    reporter: Several reporters
    description: |
      Using remote content in OpenPGP encrypted messages can lead to the
      disclosure of plaintext. This vulnerability affects Thunderbird
      ESR < 128.4.3esr and Thunderbird Release < 132.0.1.
    bugs:
      - url: 1925929
Keywords: sec-moderate
Keywords: sec-moderate → sec-high

Comment on attachment 9433680 [details]
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin

Because old CVE bug was sec-high, I think this one should be the same.

Attachment #9433680 - Flags: approval-comm-release?

Comment on attachment 9433680 [details]
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin

[Triage Comment]
Approved for release
Approved for esr128

Attachment #9433680 - Flags: approval-comm-release?
Attachment #9433680 - Flags: approval-comm-release+
Attachment #9433680 - Flags: approval-comm-esr128?
Attachment #9433680 - Flags: approval-comm-esr128+
Alias: CVE-xyz-abc → CVE-2024-11159
See Also: → 1931550

There isn't any secret information in this bug; I'm opening it.

Group: mail-core-security
