Mozilla Foundation Security Advisory 2021-26

Security Vulnerabilities fixed in Thunderbird 78.11

Announced

June 3, 2021

Impact

moderate

Products

Thunderbird

Fixed in

Thunderbird 78.11

#CVE-2021-29964: Out of bounds-read when parsing a "WM_COPYDATA" message

Reporter: Ronald Crane
Impact: moderate

Description

A locally-installed hostile program could send WM_COPYDATA messages that Thunderbird would processing incorrectly, leading to an out-of-bounds read.
This bug only affects Thunderbird on Windows. Other operating systems are unaffected.

References

Bug 1706501

#CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11

Reporter: Mozilla developers and community
Impact: high

Description

Mozilla developers Gabriele Svelto, Anny Gakhokidze, Alexandru Michis, Christian Holler reported memory safety bugs present in Thunderbird 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Thunderbird 78.11

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2021-26

Security Vulnerabilities fixed in Thunderbird 78.11

#CVE-2021-29964: Out of bounds-read when parsing a "WM_COPYDATA" message

Description

References

#CVE-2021-29967: Memory safety bugs fixed in Thunderbird 78.11

Description

References