Bug 2171397 (CVE-2023-0616)

Summary: CVE-2023-0616 Mozilla: User Interface lockup with messages combining S/MIME and OpenPGP
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: erack, jhorak, nobody, stransky, tpopela
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: thunderbird 102.8 Doc Type: ---
Doc Text:
The Mozilla Foundation Security Advisory describes this flaw as: If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-20 18:48:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2167672, 2167673, 2167674, 2167675, 2167676, 2167677, 2167678, 2167679, 2167680, 2167681, 2167682    
Bug Blocks: 2167591    

Description Mauro Matteo Cascella 2023-02-20 09:50:53 UTC 
If a MIME email combines OpenPGP and OpenPGP MIME data in a certain way Thunderbird repeatedly attempts to process and display the message, which could cause Thunderbird's user interface to lock up and no longer respond to the user's actions. An attacker could send a crafted message with this structure to attempt a DoS attack.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/#CVE-2023-0616
Comment 1 errata-xmlrpc 2023-02-20 12:12:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0818 https://access.redhat.com/errata/RHSA-2023:0818
Comment 2 errata-xmlrpc 2023-02-20 12:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:0819 https://access.redhat.com/errata/RHSA-2023:0819
Comment 3 errata-xmlrpc 2023-02-20 12:16:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:0822 https://access.redhat.com/errata/RHSA-2023:0822
Comment 4 errata-xmlrpc 2023-02-20 12:17:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:0817 https://access.redhat.com/errata/RHSA-2023:0817
Comment 5 errata-xmlrpc 2023-02-20 12:17:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0824 https://access.redhat.com/errata/RHSA-2023:0824
Comment 6 errata-xmlrpc 2023-02-20 12:17:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:0820 https://access.redhat.com/errata/RHSA-2023:0820
Comment 7 errata-xmlrpc 2023-02-20 12:18:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0821 https://access.redhat.com/errata/RHSA-2023:0821
Comment 8 errata-xmlrpc 2023-02-20 12:18:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:0823 https://access.redhat.com/errata/RHSA-2023:0823
Comment 9 Product Security DevOps Team 2023-02-20 18:48:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0616