Bug 1801956 (CVE-2020-6794)

Summary: CVE-2020-6794 Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords
Product: [Other] Security Response Reporter: Doran Moppert <dmoppert>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: cschalle, gecko-bugs-nobody, jhorak, stransky
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: thunderbird 68.5 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-21 03:49:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1801946, 1801947, 1801948, 1801949, 1801950, 1801951    
Bug Blocks: 1801944    

Description Doran Moppert 2020-02-11 23:57:41 UTC 
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6794
Comment 1 Doran Moppert 2020-02-11 23:57:45 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Jurgen Gaeremyn
Comment 2 errata-xmlrpc 2020-02-20 22:15:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0565 https://access.redhat.com/errata/RHSA-2020:0565
Comment 3 Product Security DevOps Team 2020-02-21 03:49:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-6794
Comment 4 errata-xmlrpc 2020-02-24 12:16:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0577 https://access.redhat.com/errata/RHSA-2020:0577
Comment 5 errata-xmlrpc 2020-02-24 12:31:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0574 https://access.redhat.com/errata/RHSA-2020:0574
Comment 6 errata-xmlrpc 2020-02-24 12:49:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0576 https://access.redhat.com/errata/RHSA-2020:0576