CVE-2021-29956: 
NixOS vulnerability analysis and mitigation

CVE-2021-29956 affects Mozilla Thunderbird versions 78.8.1 through 78.10.1, where OpenPGP secret keys were stored unencrypted on the user's local disk despite having master password protection enabled. The vulnerability was discovered by participants on the Thunderbird E2EE Mailing List and was publicly disclosed on May 17, 2021 (Mozilla Advisory).

The vulnerability was introduced by a regression in the OpenPGP key import mechanism. When importing protected secret keys, the master password protection became inactive, leaving the keys unprotected in local storage. The issue received a CVSS v3.1 base score of 4.3 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-312: Cleartext Storage of Sensitive Information (NVD).

The vulnerability exposed OpenPGP secret keys by storing them unencrypted on the user's local disk, even when users had configured a master password for protection. This could potentially allow unauthorized access to the secret keys if an attacker gained access to the user's system (Mozilla Advisory).

The vulnerability was fixed in Thunderbird version 78.10.2. The update restores the protection mechanism for newly imported keys and automatically protects keys that were imported using affected versions. Users should upgrade to version 78.10.2 or later to ensure their OpenPGP secret keys are properly protected (Mozilla Advisory).