Bug 22470

Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => doktor5000

Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

Integer overflow in Skia library during edge builder allocation. (CVE-2018-5095)

Use-after-free while editing form elements. (CVE-2018-5096)

Use-after-free when source document is manipulated during XSLT. (CVE-2018-5097)

Use-after-free while manipulating form input elements. (CVE-2018-5098)

Use-after-free with widget listener. (CVE-2018-5099)

Use-after-free in HTML media elements. (CVE-2018-5102)

Use-after-free during mouse event handling. (CVE-2018-5103)

Use-after-free during font face manipulation. (CVE-2018-5104)

URL spoofing with right-to-left text aligned left-to-right. (CVE-2018-5117)

Memory safety bugs fixed in Firefox 58, Firefox ESR 52.6, and Thunderbird 52.6. (CVE-2018-5089)

References:
========================
https://www.mozilla.org/en-US/thunderbird/52.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-04/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5089

Updated packages in 5/core/updates_testing:
========================
thunderbird-52.6.0-1.mga5
thunderbird-enigmail-52.6.0-1.mga5
thunderbird-ar-52.6.0-1.mga5
thunderbird-ast-52.6.0-1.mga5
thunderbird-be-52.6.0-1.mga5
thunderbird-bg-52.6.0-1.mga5
thunderbird-bn_BD-52.6.0-1.mga5
thunderbird-br-52.6.0-1.mga5
thunderbird-ca-52.6.0-1.mga5
thunderbird-cs-52.6.0-1.mga5
thunderbird-cy-52.6.0-1.mga5
thunderbird-da-52.6.0-1.mga5
thunderbird-de-52.6.0-1.mga5
thunderbird-el-52.6.0-1.mga5
thunderbird-en_GB-52.6.0-1.mga5
thunderbird-en_US-52.6.0-1.mga5
thunderbird-es_AR-52.6.0-1.mga5
thunderbird-es_ES-52.6.0-1.mga5
thunderbird-et-52.6.0-1.mga5
thunderbird-eu-52.6.0-1.mga5
thunderbird-fi-52.6.0-1.mga5
thunderbird-fr-52.6.0-1.mga5
thunderbird-fy_NL-52.6.0-1.mga5
thunderbird-ga_IE-52.6.0-1.mga5
thunderbird-gd-52.6.0-1.mga5
thunderbird-gl-52.6.0-1.mga5
thunderbird-he-52.6.0-1.mga5
thunderbird-hr-52.6.0-1.mga5
thunderbird-hsb-52.6.0-1.mga5
thunderbird-hu-52.6.0-1.mga5
thunderbird-hy_AM-52.6.0-1.mga5
thunderbird-id-52.6.0-1.mga5
thunderbird-is-52.6.0-1.mga5
thunderbird-it-52.6.0-1.mga5
thunderbird-ja-52.6.0-1.mga5
thunderbird-ko-52.6.0-1.mga5
thunderbird-lt-52.6.0-1.mga5
thunderbird-nb_NO-52.6.0-1.mga5
thunderbird-nl-52.6.0-1.mga5
thunderbird-nn_NO-52.6.0-1.mga5
thunderbird-pa_IN-52.6.0-1.mga5
thunderbird-pl-52.6.0-1.mga5
thunderbird-pt_BR-52.6.0-1.mga5
thunderbird-pt_PT-52.6.0-1.mga5
thunderbird-ro-52.6.0-1.mga5
thunderbird-ru-52.6.0-1.mga5
thunderbird-si-52.6.0-1.mga5
thunderbird-sk-52.6.0-1.mga5
thunderbird-sl-52.6.0-1.mga5
thunderbird-sq-52.6.0-1.mga5
thunderbird-sv_SE-52.6.0-1.mga5
thunderbird-ta_LK-52.6.0-1.mga5
thunderbird-tr-52.6.0-1.mga5
thunderbird-uk-52.6.0-1.mga5
thunderbird-vi-52.6.0-1.mga5
thunderbird-zh_CN-52.6.0-1.mga5
thunderbird-zh_TW-52.6.0-1.mga6

from SRPMS:
thunderbird-52.6.0-1.mga5.src.rpm
thunderbird-l10n-52.6.0-1.mga5.src.rpm

Updated packages in 6/core/updates_testing:
========================
thunderbird-52.6.0-1.mga6
thunderbird-enigmail-52.6.0-1.mga6
thunderbird-ar-52.6.0-1.mga6
thunderbird-ast-52.6.0-1.mga6
thunderbird-be-52.6.0-1.mga6
thunderbird-bg-52.6.0-1.mga6
thunderbird-bn_BD-52.6.0-1.mga6
thunderbird-br-52.6.0-1.mga6
thunderbird-ca-52.6.0-1.mga6
thunderbird-cs-52.6.0-1.mga6
thunderbird-cy-52.6.0-1.mga6
thunderbird-da-52.6.0-1.mga6
thunderbird-de-52.6.0-1.mga6
thunderbird-el-52.6.0-1.mga6
thunderbird-en_GB-52.6.0-1.mga6
thunderbird-en_US-52.6.0-1.mga6
thunderbird-es_AR-52.6.0-1.mga6
thunderbird-es_ES-52.6.0-1.mga6
thunderbird-et-52.6.0-1.mga6
thunderbird-eu-52.6.0-1.mga6
thunderbird-fi-52.6.0-1.mga6
thunderbird-fr-52.6.0-1.mga6
thunderbird-fy_NL-52.6.0-1.mga6
thunderbird-ga_IE-52.6.0-1.mga6
thunderbird-gd-52.6.0-1.mga6
thunderbird-gl-52.6.0-1.mga6
thunderbird-he-52.6.0-1.mga6
thunderbird-hr-52.6.0-1.mga6
thunderbird-hsb-52.6.0-1.mga6
thunderbird-hu-52.6.0-1.mga6
thunderbird-hy_AM-52.6.0-1.mga6
thunderbird-id-52.6.0-1.mga6
thunderbird-is-52.6.0-1.mga6
thunderbird-it-52.6.0-1.mga6
thunderbird-ja-52.6.0-1.mga6
thunderbird-ko-52.6.0-1.mga6
thunderbird-lt-52.6.0-1.mga6
thunderbird-nb_NO-52.6.0-1.mga6
thunderbird-nl-52.6.0-1.mga6
thunderbird-nn_NO-52.6.0-1.mga6
thunderbird-pa_IN-52.6.0-1.mga6
thunderbird-pl-52.6.0-1.mga6
thunderbird-pt_BR-52.6.0-1.mga6
thunderbird-pt_PT-52.6.0-1.mga6
thunderbird-ro-52.6.0-1.mga6
thunderbird-ru-52.6.0-1.mga6
thunderbird-si-52.6.0-1.mga6
thunderbird-sk-52.6.0-1.mga6
thunderbird-sl-52.6.0-1.mga6
thunderbird-sq-52.6.0-1.mga6
thunderbird-sv_SE-52.6.0-1.mga6
thunderbird-ta_LK-52.6.0-1.mga6
thunderbird-tr-52.6.0-1.mga6
thunderbird-uk-52.6.0-1.mga6
thunderbird-vi-52.6.0-1.mga6
thunderbird-zh_CN-52.6.0-1.mga6
thunderbird-zh_TW-52.6.0-1.mga6

from SRPMS:
thunderbird-52.6.0-1.mga6.src.rpm
thunderbird-l10n-52.6.0-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Status: NEW => ASSIGNED
Source RPM: thunderbird => thunderbird, thunderbird-l10n
Version: Cauldron => 6
Assignee: doktor5000 => qa-bugs

Used this on two very different sets of hardware in 64-bit Mageia 6 Plasma systems. Sent and received emails and newsgroup posts, with no issues noted.

Looks OK to me.

CC: (none) => andrewsfarm

on mga5-64 KDE

packages installed cleanly:
- thunderbird-52.6.0-1.mga5.x86_64
- thunderbird-en_GB-52.6.0-1.mga5.noarch

email - POP/SMTP - OK
calendar - OK
movemail - OK

not tested - IMAP, enigmail

to the extent tested, OK for mga5-64

CC: (none) => jim

on mga5-32 in a vbox VM

packages installed cleanly:
- thunderbird-52.6.0-1.mga5.i586
- thunderbird-en_GB-52.6.0-1.mga5.noarch

email - POP/SMTP - OK
movemail - OK
calendar - OK

not tested - IMAP, enigmail

to the extent tested, OK for mga5-32

The Lightning extension is marked as incompatible with 52.6.0!

(In reply to Frédéric Buclin from comment #6)
> The Lightning extension is marked as incompatible with 52.6.0!

Hum, this is maybe because I also tested upstream 58.0b3, where Lightning is working fine.

MGA5-32 on Dell Latitude D600 Xfce
This is an update on on existing Thunderbird configuration in Dutch with a POP3 account.
I could send an e-mail to another account, read on other PC.
I could register a new event in the calender. All seems OK to me.

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Mageia 6 :: x86_64

Using this habitually so have installed the updates, with the en_GB package.  No problem with sending and receiving emails.  Ignoring enigmail for historic reasons.  Keeping an eye open for any regressions.

Godd for 64 bits.

CC: (none) => tarazed25

Installed in a 64-bit MGA5 system, server kernel, nvidia340 graphics.

Sent email to myself, checked newsgroups, everything looks OK.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA5-64-OK

Test in 32 bit with enigmail, encrypted mail sent ok, received also

CC: (none) => lists.jjorge

on mga6-64 plasma

packages installed cleanly:
- thunderbird-52.6.0-1.mga6.x86_64
- thunderbird-en_GB-52.6.0-1.mga6.noarch

email: POP/SMTP - OK
calendar - OK
movemail - OK

not tested: IMAP, enigmail

To the extent tested, OK for mga6-64

on mga6-32 in a vbox VM

packages installed cleanly:
- thunderbird-52.6.0-1.mga6.i586
- thunderbird-en_GB-52.6.0-1.mga6.noarch

email - POP/SMTP - OK
movemail - OK
calendar - OK

to extent tested, OK for mga6-32

Re comment 9: should have added - imail server.

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0115.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED