
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-29948 is a security vulnerability discovered in Mozilla Thunderbird versions prior to 78.10. The vulnerability was disclosed on April 19, 2021, and involves a race condition that occurs during signature verification. The issue lies in Thunderbird's OpenPGP implementation, where signatures were written to disk before verification and read back from disk during it (Mozilla Advisory).
The vulnerability stems from how signature data was passed to the RNP library: it was extracted and written to the filesystem before the library was called, and the library then read it back from the filesystem. Because the file path was predictable and the signature file sat on disk between the write and the read, this created a race condition. The vulnerability has been assigned a CVSS 3.1 base score of 2.5 (Low) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD).
The vulnerability has been classified as having a low security impact. While the race condition exists, during the security assessment it was not possible to exploit this in any meaningful way. The vulnerability requires local access to the system and high attack complexity to potentially manipulate signature verification processes (Mozilla Advisory).
The vulnerability was fixed in Thunderbird version 78.10. The fix involves modifying the code to avoid using the filesystem for passing signature information to the library. Instead, the information is now passed via memory, similar to how signed data is handled. Users should upgrade to Thunderbird version 78.10 or later to receive the security fix (Mozilla Advisory).
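The write-then-read pattern and the in-memory fix described above, as an added example that is not Thunderbird or RNP code: an HMAC stands in for OpenPGP signature checking, and the key, message, file name and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

KEY = b"constructed-demo-key"  # assumption: HMAC stands in for OpenPGP signature checking

def sign(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def check(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)

def verify_via_file(data, sig, path, interfere=None):
    """Pre-fix pattern: write the signature to a known path, then read it back."""
    with open(path, "wb") as f:
        f.write(sig)
    if interfere:  # models another local process acting between write and read
        interfere(path)
    try:
        with open(path, "rb") as f:
            sig_checked = f.read()
    finally:
        os.unlink(path)
    # Second value: were the bytes checked the same bytes the caller supplied?
    return check(data, sig_checked), sig_checked == sig

def verify_via_memory(data, sig, path=None, interfere=None):
    """Post-fix pattern: the signature never leaves the caller's memory."""
    if interfere and path:  # same interference, but nothing reads the file
        interfere(path)
    return check(data, sig), True

def overwrite(path):
    with open(path, "wb") as f:
        f.write(b"\x00" * 32)  # constructed replacement bytes

def demo():
    data = b"constructed message body"
    sig = sign(data)
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sig.tmp")  # fixed name models the predictable path
        return {
            "file_quiet": verify_via_file(data, sig, path),
            "file_raced": verify_via_file(data, sig, path, overwrite),
            "memory_raced": verify_via_memory(data, sig, path, overwrite),
        }

if __name__ == "__main__":
    print(demo())
```

The file-based verifier ends up checking bytes that differ from those in the message once anything touches the file in the window, while the in-memory verifier's result does not depend on the filesystem at all.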
Source: This report was generated using AI