CVE-2023-50761: 
NixOS vulnerability analysis and mitigation

CVE-2023-50761 is a security vulnerability discovered in Mozilla Thunderbird affecting versions prior to 115.6. The vulnerability relates to how Thunderbird handles S/MIME email message signatures. When a digitally signed S/MIME email message includes an optional signature creation date and time, Thunderbird failed to compare this with the message date and time, displaying a valid signature despite any date or time mismatch (Mozilla Advisory, NVD).

The vulnerability stems from a validation flaw in Thunderbird's S/MIME signature verification process. When processing digitally signed S/MIME email messages, Thunderbird did not implement proper comparison between the signature creation timestamp and the actual message timestamp. This oversight in the validation mechanism resulted in the email client displaying a valid signature status even when there was a temporal mismatch between these two timestamps. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The primary impact of this vulnerability is the potential for message spoofing. An attacker could exploit this flaw to manipulate recipients into believing that a message was sent at a different date or time than it actually was, while still maintaining an apparently valid digital signature. This could be particularly concerning in contexts where message timing is crucial for verification or authentication purposes (Mozilla Advisory).

The vulnerability has been fixed in Thunderbird version 115.6. Users are strongly advised to upgrade to this version or later to address the security issue. The fix has been backported to various distributions, including Debian 11 (Bullseye) as version 1:115.6.0-1~deb11u1 and Debian 12 (Bookworm) as version 1:115.6.0-1~deb12u1 (Debian Advisory).