CVE-2021-29949: 
NixOS vulnerability analysis and mitigation

CVE-2021-29949 is a security vulnerability affecting Mozilla Thunderbird versions prior to 78.9.1, discovered by Tuan Vu Pham. The vulnerability relates to how Thunderbird loads the shared library that provides the OTR (Off-the-Record) protocol implementation. The issue was disclosed on April 20, 2021, and was assigned a low severity impact rating (Mozilla Advisory).

The vulnerability stems from Thunderbird's library loading mechanism, where it initially attempts to open the OTR library using a filename that isn't distributed with Thunderbird. This behavior is related to an uncontrolled search path element (CWE-427). The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

If exploited, this vulnerability could allow an attacker who has already compromised a machine to execute arbitrary code through Thunderbird by placing a malicious library in a directory contained in the search path for executable libraries. The malicious library would be loaded and executed with Thunderbird's privileges, potentially leading to data theft or system compromise (Mozilla Advisory).

The vulnerability was fixed in Thunderbird version 78.9.1. The fix involves modifying the library loading mechanism to prefer loading the distributed OTR library from Thunderbird's application directory rather than searching system paths first. Users should upgrade to Thunderbird 78.9.1 or later to receive the security fix (Mozilla Advisory).