remote content in OpenPGP encrypted emails not blocked like it should
Categories: MailNews Core :: Security: OpenPGP, defect
Tracking: thunderbird_esr128 fixed, thunderbird132 fixed, thunderbird133 fixed
People: Reporter: mkmelin, Assigned: KaiE
Keywords: sec-high
Attachments (1 file): text/x-phabricator-request; flags: corey: approval-comm-beta+, corey: approval-comm-release+, corey: approval-comm-esr128+
Testing bug 1924058 made me realize we're not hard blocking remote content for OpenPGP encrypted emails the way we're supposed to (only S/MIME), see bug 1411592.
This check is here: https://searchfox.org/comm-central/rev/57782ef9cbf3f0fccb709b33db0bda808101bc02/mailnews/base/src/nsMsgContentPolicy.cpp#321
Another case of confusion due to OpenPGP instead using EnigmailURIs.isEncryptedUri. We should unify this check.
Pushed by john@thunderbird.net:
https://hg.mozilla.org/comm-central/rev/f4a450f4d1f5
Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin
Comment 3•1 month ago (Assignee)
Comment on attachment 9433680
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin
[Approval Request Comment]
Regression caused by (bug #): since we offer OpenPGP
User impact if declined: see old CVE-2018-5184 but for OpenPGP
Testing completed (on c-c, etc.):
Risk to taking this patch (and alternatives if risky): Code risk is low. Most of the patch is unifying two parallel tracking services (that were separate for OpenPGP and S/MIME) to a single one, which means all code querying for that status will work regardless of the technology being used. Users might complain they can no longer allow remote content in OpenPGP messages, but we are deliberately disabling that, as we already did in the past for S/MIME messages.
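As an added illustration of the problem mkmelin describes in the bug description and the unification KaiE describes in the approval request above (this is a constructed model, not Thunderbird's code), the "before" policy consults only an S/MIME-side encrypted-URI registry, while the "after" policy consults one tracker that both decryption paths report into. Every function, class and URI here is an assumption made for the example.

```javascript
// Constructed model of the remote-content policy described in this bug; not Thunderbird's code.
function isRemoteUrl(url) {
  // Remote content is fetched over the network; cid:/data: parts are local.
  return /^(https?|ftp):/i.test(url);
}

// --- Before the fix: two parallel registries ----------------------------
const smimeEncryptedUris = new Set();
const openpgpEncryptedUris = new Set(); // the separate OpenPGP-side registry

function onSmimeDecrypted(msgUri) { smimeEncryptedUris.add(msgUri); }
function onOpenPgpDecrypted(msgUri) { openpgpEncryptedUris.add(msgUri); }

function shouldLoadBuggy(msgUri, contentUrl) {
  if (!isRemoteUrl(contentUrl)) return true;
  // BUG: only the S/MIME registry is consulted, so an OpenPGP message is
  // treated like plain mail and the remote fetch goes ahead.
  return !smimeEncryptedUris.has(msgUri);
}

// --- After the fix: one tracker both decryption paths report into -------
class EncryptedUriTracker {
  constructor() { this.uris = new Set(); }
  markEncrypted(msgUri) { this.uris.add(msgUri); }
  isEncrypted(msgUri) { return this.uris.has(msgUri); }
}
const encryptedUris = new EncryptedUriTracker();

function shouldLoadFixed(msgUri, contentUrl) {
  if (!isRemoteUrl(contentUrl)) return true;
  // Hard block: an encrypted message never loads remote content, whichever
  // technology decrypted it and whatever per-sender "allow" preference exists.
  return !encryptedUris.isEncrypted(msgUri);
}

// Constructed scenario: one S/MIME and one OpenPGP message, each with a remote image.
function scenario() {
  const smime = "imap://user@mail.example/INBOX#101"; // constructed URIs
  const pgp = "imap://user@mail.example/INBOX#102";
  const img = "https://tracker.example/pixel.png";    // constructed remote URL
  onSmimeDecrypted(smime);
  onOpenPgpDecrypted(pgp);
  encryptedUris.markEncrypted(smime);
  encryptedUris.markEncrypted(pgp);
  return {
    buggy: { smime: shouldLoadBuggy(smime, img), pgp: shouldLoadBuggy(pgp, img) },
    fixed: { smime: shouldLoadFixed(smime, img), pgp: shouldLoadFixed(pgp, img),
             inline: shouldLoadFixed(pgp, "cid:part1@mail.example") },
  };
}
```

The scenario returns `buggy.pgp === true` (remote image allowed in the OpenPGP message) and `fixed.pgp === false`, while a local `cid:` part stays loadable in both.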
Comment 4•1 month ago
Comment on attachment 9433680
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin
[Triage Comment]
Approved for beta
Comment 5•1 month ago
CVE-2024-NNNN:
  title: Potential disclosure of plaintext in OpenPGP encrypted message
  impact: high
  reporter: Several reporters
  description: |
    Using remote content in OpenPGP encrypted messages can lead to the
    disclosure of plaintext. This vulnerability affects Thunderbird
    ESR < 128.4.3esr and Thunderbird Release < 132.0.1.
  bugs:
    - url: 1925929
Comment 6•1 month ago (Assignee)
Comment on attachment 9433680
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin
Because old CVE bug was sec-high, I think this one should be the same.
Comment 7•1 month ago
Thunderbird 133.0b3:
https://hg.mozilla.org/releases/comm-beta/rev/ca2621269949
Comment 8•1 month ago
Comment on attachment 9433680
Bug 1925929 - Forbid viewing remote content in encrypted OpenPGP messages. r=mkmelin
[Triage Comment]
Approved for release
Approved for esr128
Comment 9•1 month ago (uplift)
Thunderbird 128.4.3esr:
https://hg.mozilla.org/releases/comm-esr128/rev/e3bb2f816d5c
Comment 10•1 month ago (uplift)
Thunderbird 132.0.1:
https://hg.mozilla.org/releases/comm-release/rev/3e5322772f5c
Comment 11•23 days ago (Assignee)
There isn't any secret information in this bug, I'm opening it.