CVE-2023-50762: 
NixOS vulnerability analysis and mitigation

CVE-2023-50762 is a security vulnerability discovered in Mozilla Thunderbird affecting versions prior to 115.6. The vulnerability was disclosed on December 19, 2023, and involves a flaw in how Thunderbird processes PGP/MIME payloads containing digitally signed text. The issue affects the email client's handling of signed messages, where the first paragraph of digitally signed text was never displayed to the user due to being incorrectly interpreted as email header section (Mozilla Advisory).

The vulnerability stems from a processing error where Thunderbird incorrectly interprets the first paragraph of a PGP/MIME payload as an email header section rather than message content. When processing a PGP/MIME payload containing digitally signed text, the application would treat the first paragraph as MIME message headers, resulting in that content never being displayed to the user despite having a valid signature (NVD). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

The vulnerability could be exploited to spoof email messages by using digitally signed text from a different context, such as a signed GIT commit. This could allow attackers to manipulate how signed messages appear to recipients, potentially leading to email spoofing attacks where malicious content could be presented with a valid digital signature (Mozilla Advisory).

The vulnerability has been fixed in Thunderbird version 115.6. Users are advised to upgrade to this version or later to mitigate the risk. The fix has been backported to various distributions, including Debian 11 (Bullseye) as version 1:115.6.0-1~deb11u1 and Debian 12 (Bookworm) as version 1:115.6.0-1~deb12u1 (Debian Advisory).