Bug 1801956 (CVE-2020-6794) - CVE-2020-6794 Mozilla: Setting a master password post-Thunderbird 52 does not delete unencrypted previously stored passwords
Summary: CVE-2020-6794 Mozilla: Setting a master password post-Thunderbird 52 does not...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-6794
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1801946 1801947 1801948 1801949 1801950 1801951
Blocks: 1801944
TreeView+ depends on / blocked
 
Reported: 2020-02-11 23:57 UTC by Doran Moppert
Modified: 2021-02-16 20:35 UTC (History)
4 users (show)

Fixed In Version: thunderbird 68.5
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-21 03:49:52 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:0565 0 None None None 2020-02-20 22:15:42 UTC
Red Hat Product Errata RHSA-2020:0574 0 None None None 2020-02-24 12:31:55 UTC
Red Hat Product Errata RHSA-2020:0576 0 None None None 2020-02-24 12:49:04 UTC
Red Hat Product Errata RHSA-2020:0577 0 None None None 2020-02-24 12:16:51 UTC

Description Doran Moppert 2020-02-11 23:57:41 UTC 
If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords is still accessible. This is because the older stored password file was not deleted when the data was copied to a new format starting in Thunderbird 60. The new master password is added only on the new file. This could allow the exposure of stored password data outside of user expectations.



External Reference:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-07/#CVE-2020-6794
Comment 1 Doran Moppert 2020-02-11 23:57:45 UTC 
Acknowledgments:

Name: the Mozilla project
Upstream: Jurgen Gaeremyn
Comment 2 errata-xmlrpc 2020-02-20 22:15:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0565 https://access.redhat.com/errata/RHSA-2020:0565
Comment 3 Product Security DevOps Team 2020-02-21 03:49:52 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-6794
Comment 4 errata-xmlrpc 2020-02-24 12:16:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0577 https://access.redhat.com/errata/RHSA-2020:0577
Comment 5 errata-xmlrpc 2020-02-24 12:31:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0574 https://access.redhat.com/errata/RHSA-2020:0574
Comment 6 errata-xmlrpc 2020-02-24 12:49:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0576 https://access.redhat.com/errata/RHSA-2020:0576
Note You need to log in before you can comment on or make changes to this bug.