[Secure-testing-team] Bug#855344: thunderbird: retains mails from removed IMAP accounts

Adam Borowski kilobyte at angband.pl
Thu Feb 16 23:21:53 UTC 2017


Package: thunderbird
Version: 1:45.7.1-1
Severity: grave
Tags: security
Justification: user security hole

Hi!
I'm afraid that, similar to the current debian-devel thread about leaving
old (possibly subsequently purged) mails on .icedove->.thunderbird
transition, Icedove/Thunderbird leaves the whole IMAP cache on the disk
when you delete an account.  It is completely gone from the user interface,
so any user who doesn't look "under the hood" will be wrongly assured the
data is actually gone.  Then, when that user crosses a border or is under
investigation for any reason, such mails are the first target government
agents look for.

And this is not a hypothetical situation, I just found such sensitive
"deleted" mails on my disk.  Fortunately, this didn't end in a police raid
-- this machine is a desktop not a laptop, but then, using Tor is a sure
proof I must run a commercial kiddie-porn site and donate the proceeds to
ISIS -- or, far worse, offer tech advice to someone who thinks bad about the
ruling party.

As you seem to have doubts about the gravity of such scenarios, I'll mail you an
anonymized rough outline of the contents privately.  For other readers of
this bug report: it's nothing child porn level bad, but it still could land
someone I (vaguely) know in jail.  (For agents reading this bug report:
these mails are now, to the best of my knowledge, actually purged, including
backups -- and it was nothing subversive.)


As it takes a simple look at the filesystem to find this, I assume makers of
forensics software already know of this bug (perhaps even not noticing
anything is amiss -- they don't use the user interface), thus I'm reporting
it openly.


Meow!

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (150, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.10.0-rc8-debug+ (SMP w/6 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages thunderbird depends on:
ii  debianutils               4.8.1
ii  fontconfig                2.11.0-6.7
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.22.0-1
ii  libc6                     2.24-9
ii  libcairo2                 1.14.8-1
ii  libdbus-1-3               1.10.14-1.0nosystemd1
ii  libdbus-glib-1-2          0.108-2
ii  libevent-2.0-5            2.0.21-stable-3
ii  libffi6                   3.2.1-6
ii  libfontconfig1            2.11.0-6.7
ii  libfreetype6              2.6.3-3+b1
ii  libgcc1                   1:7-20170129-1
ii  libgdk-pixbuf2.0-0        2.36.5-2
ii  libglib2.0-0              2.50.3-1
ii  libgtk2.0-0               2.24.31-2
ii  libhunspell-1.4-0         1.4.1-2+b1
ii  libicu57                  57.1-5
ii  libnspr4                  2:4.12-6
ii  libnss3                   2:3.26.2-1
ii  libpango-1.0-0            1.40.3-3
ii  libpangocairo-1.0-0       1.40.3-3
ii  libpangoft2-1.0-0         1.40.3-3
ii  libpixman-1-0             0.34.0-1
ii  libsqlite3-0              3.16.2-2
ii  libstartup-notification0  0.12-4
ii  libstdc++6                7-20170129-1
ii  libvpx4                   1.6.1-2
ii  libx11-6                  2:1.6.4-3
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-2+b1
ii  libxext6                  2:1.3.3-1
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  psmisc                    22.21-2.1+b1
ii  zlib1g                    1:1.2.8.dfsg-5

Versions of packages thunderbird recommends:
ii  hunspell-en-us [hunspell-dictionary]  20070829-7
ii  lightning                             1:45.7.1-1

Versions of packages thunderbird suggests:
pn  apparmor          <none>
pn  fonts-lyx         <none>
ii  libgssapi-krb5-2  1.15-1

-- no debconf information
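Added example, not part of the bug report or of Thunderbird itself: a small Python check that walks a Thunderbird profile and lists the ImapMail subdirectories that no configured server still references, i.e. the leftover caches this report describes. It assumes the usual prefs.js layout (user_pref("mail.server.serverN.directory", ...) and user_pref("mail.server.serverN.hostname", ...)) and that Thunderbird names each cache directory after the server hostname; the profile built in demo() is constructed for the example.

```python
import os
import re
import tempfile

# Matches user_pref("mail.server.serverN.directory"/"hostname", "<value>"); in prefs.js
# (assumed pref names; these are the ones Thunderbird writes for mail servers).
PREF_RE = re.compile(
    r'user_pref\("mail\.server\.(server\d+)\.(directory|hostname)",\s*"([^"]*)"\);')


def referenced_cache_dirs(prefs_text):
    """Return the set of ImapMail directory basenames still referenced by prefs.js.
    Prefers the explicit 'directory' pref and falls back to 'hostname', since the
    cache directory is named after the server hostname by default."""
    by_server = {}
    for server, key, value in PREF_RE.findall(prefs_text):
        by_server.setdefault(server, {})[key] = value
    names = set()
    for prefs in by_server.values():
        if "directory" in prefs:
            names.add(os.path.basename(prefs["directory"].rstrip("/")))
        elif "hostname" in prefs:
            names.add(prefs["hostname"])
    return names


def orphaned_imap_caches(profile_dir):
    """List ImapMail/<dir> entries that no configured server references."""
    with open(os.path.join(profile_dir, "prefs.js"), encoding="utf-8") as fh:
        referenced = referenced_cache_dirs(fh.read())
    imap_root = os.path.join(profile_dir, "ImapMail")
    if not os.path.isdir(imap_root):
        return []
    return sorted(d for d in os.listdir(imap_root)
                  if os.path.isdir(os.path.join(imap_root, d)) and d not in referenced)


def demo():
    """Constructed profile: one live account plus the cache of a removed account."""
    profile = tempfile.mkdtemp(prefix="tb-profile-")
    for host in ("imap.live.example", "imap.removed.example"):
        os.makedirs(os.path.join(profile, "ImapMail", host))
    live_dir = os.path.join(profile, "ImapMail", "imap.live.example")
    prefs = ('user_pref("mail.server.server1.hostname", "imap.live.example");\n'
             f'user_pref("mail.server.server1.directory", "{live_dir}");\n')
    with open(os.path.join(profile, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write(prefs)
    return orphaned_imap_caches(profile)


if __name__ == "__main__":
    print(demo())  # -> ['imap.removed.example']
```

Run it against a real profile with orphaned_imap_caches(os.path.expanduser("~/.thunderbird/<profile>")); anything it lists is cache that the account manager no longer shows but that is still readable on disk.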