CVE-2020-6794: 
NixOS vulnerability analysis and mitigation

CVE-2020-6794 is a security vulnerability discovered in Mozilla Thunderbird that affects versions prior to 68.5. The vulnerability was disclosed on February 11, 2020, and involves the exposure of stored passwords. If a user saved passwords before Thunderbird 60 and then later set a master password, an unencrypted copy of these passwords would remain accessible because the older stored password file (key3.db) was not deleted when the data was copied to a new format starting in Thunderbird 60 (Mozilla Advisory, NVD).

The vulnerability stems from an incomplete cleanup process during the password storage format transition in Thunderbird 60. When users migrated from pre-60 versions to newer versions, the password data was copied to a new format, but the original unencrypted key3.db file remained on disk. While the new master password was correctly applied to the new file format, it did not affect the legacy file, leaving sensitive data exposed. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The impact of this vulnerability is primarily focused on confidentiality. A local attacker could potentially access stored password data outside of user expectations, even when a master password is set. This particularly affects users who upgraded from Thunderbird 52.x to version 60 or later and subsequently set a master password (Mozilla Advisory, Ubuntu Advisory).

The vulnerability was fixed in Thunderbird version 68.5. Users are advised to upgrade to this version or later. The fix involves properly cleaning up the old password file during the migration process. Ubuntu users can update to thunderbird version 1:68.7.0+build1-0ubuntu0.19.10.1 for Ubuntu 19.10, 1:68.7.0+build1-0ubuntu0.18.04.1 for Ubuntu 18.04, and 1:68.7.0+build1-0ubuntu0.16.04.2 for Ubuntu 16.04 (Ubuntu Advisory, Ubuntu Advisory).