| Summary: | Thunderbird 60.5.1 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, fri, jim, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | thunderbird | CVE: | |
| Status comment: | |||

Description
David Walser
2019-02-14 23:48:55 CET
Suggested advisory:
========================

The updated packages fix several bugs and some security issues:

A use-after-free vulnerability in the Skia library can occur when creating a path, leading to a potentially exploitable crash. (CVE-2018-18356)

An integer overflow vulnerability in the Skia library can occur after specific transform operations, leading to a potentially exploitable crash. (CVE-2019-5785)

A buffer overflow vulnerability in the Skia library can occur with Canvas 2D acceleration on macOS. This issue was addressed by disabling Canvas 2D acceleration in Firefox ESR. (CVE-2018-18335)

A flaw during verification of certain S/MIME signatures causes emails to be shown in Thunderbird as having a valid digital signature, even if the shown message contents aren't covered by the signature. The flaw allows an attacker to reuse a valid S/MIME signature to craft an email message with arbitrary content. (CVE-2018-18509)

References:
========================
https://www.thunderbird.net/en-US/thunderbird/60.5.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-06/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18356
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18335
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18509

Updated packages in core/updates_testing:
========================
thunderbird-60.5.1-1.mga6
thunderbird-enigmail-60.5.1-1.mga6
thunderbird-ar-60.5.1-1.mga6
thunderbird-ast-60.5.1-1.mga6
thunderbird-be-60.5.1-1.mga6
thunderbird-bg-60.5.1-1.mga6
thunderbird-br-60.5.1-1.mga6
thunderbird-ca-60.5.1-1.mga6
thunderbird-cs-60.5.1-1.mga6
thunderbird-cy-60.5.1-1.mga6
thunderbird-da-60.5.1-1.mga6
thunderbird-de-60.5.1-1.mga6
thunderbird-el-60.5.1-1.mga6
thunderbird-en_GB-60.5.1-1.mga6
thunderbird-en_US-60.5.1-1.mga6
thunderbird-es_AR-60.5.1-1.mga6
thunderbird-es_ES-60.5.1-1.mga6
thunderbird-et-60.5.1-1.mga6
thunderbird-eu-60.5.1-1.mga6
thunderbird-fi-60.5.1-1.mga6
thunderbird-fr-60.5.1-1.mga6
thunderbird-fy_NL-60.5.1-1.mga6
thunderbird-ga_IE-60.5.1-1.mga6
thunderbird-gd-60.5.1-1.mga6
thunderbird-gl-60.5.1-1.mga6
thunderbird-he-60.5.1-1.mga6
thunderbird-hr-60.5.1-1.mga6
thunderbird-hsb-60.5.1-1.mga6
thunderbird-hu-60.5.1-1.mga6
thunderbird-hy_AM-60.5.1-1.mga6
thunderbird-id-60.5.1-1.mga6
thunderbird-is-60.5.1-1.mga6
thunderbird-it-60.5.1-1.mga6
thunderbird-ja-60.5.1-1.mga6
thunderbird-ko-60.5.1-1.mga6
thunderbird-lt-60.5.1-1.mga6
thunderbird-nb_NO-60.5.1-1.mga6
thunderbird-nl-60.5.1-1.mga6
thunderbird-nn_NO-60.5.1-1.mga6
thunderbird-pl-60.5.1-1.mga6
thunderbird-pt_BR-60.5.1-1.mga6
thunderbird-pt_PT-60.5.1-1.mga6
thunderbird-ro-60.5.1-1.mga6
thunderbird-ru-60.5.1-1.mga6
thunderbird-si-60.5.1-1.mga6
thunderbird-sk-60.5.1-1.mga6
thunderbird-sl-60.5.1-1.mga6
thunderbird-sq-60.5.1-1.mga6
thunderbird-sv_SE-60.5.1-1.mga6
thunderbird-tr-60.5.1-1.mga6
thunderbird-uk-60.5.1-1.mga6
thunderbird-vi-60.5.1-1.mga6
thunderbird-zh_CN-60.5.1-1.mga6
thunderbird-zh_TW-60.5.1-1.mga6

from SRPMS:
thunderbird-60.5.1-1.mga6.src.rpm
thunderbird-l10n-60.5.1-1.mga6.src.rpm

Status: NEW => ASSIGNED

Testing US English version on a 64-bit Plasma system. Packages installed cleanly. Upon running, checked for mail as instructed. Sent and received mail, and received newsgroup messages. Looks OK here for what I do, but as I do not use either the calendar or Enigmail I cannot do a thorough test.

CC: (none) => andrewsfarm

mga6, x86_64
Installs cleanly with en_GB package. Just testing calendar - it looks OK. Set a new event for the near future and the alarm went off as expected five minutes beforehand. Not able to check imap or enigmail.

CC: (none) => tarazed25

on mga6-64 kernel-desktop plasma
packages installed cleanly:
thunderbird-en_GB-60.5.1-1.mga6.noarch
thunderbird-60.5.1-1.mga6.x86_64
email (POP, SMTP): OK
Calendar: OK
Address book: OK
Movemail: OK
I don't use enigmail or IMAP
looks OK for mga6-64

CC: (none) => jim

IMAP(offline) works here. Have upgraded my workinstall, and used it a little bit now, no problems noted.
mga6-64 kernel-desktop plasma swedish

CC: (none) => fri

I think that's enough. Validating. Advisory in Comment 1.

Whiteboard: (none) => MGA6-64-OK

Dave Hodgins
2019-02-17 17:35:36 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0088.html

Resolution: (none) => FIXED