Bug 2128806 (CVE-2022-3155)

Summary: CVE-2022-3155 Mozilla: Attachment files saved to disk on macOS could be executed without warning
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: erack, jhorak, nobody, stransky, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: thunderbird 102.3 Doc Type: ---
Doc Text:
A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue that Thunderbird did not set the attribute com.apple.quarantine on the received file when saving or opening an email attachment on macOS. If the received file was an application and the user attempted to open it, the application was started immediately without asking the user to confirm.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-11-27 22:29:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2126005    

Description Mauro Matteo Cascella 2022-09-21 14:28:18 UTC 
When saving or opening an email attachment on macOS, Thunderbird did not set attribute com.apple.quarantine on the received file. If the received file was an application and the user attempted to open it, then the application was started immediately without asking the user to confirm.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-42/#CVE-2022-3155
Comment 1 Product Security DevOps Team 2022-11-27 22:29:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3155