Bug 24953

Summary: Thunderbird 60.7.1
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, fri, herman.viaene, jim, sysadmin-bugs, tarazed25, tmb
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK MGA6-32-OK
Source RPM: thunderbird, thunderbird-l10n CVE: CVE-2019-11703, CVE-2019-11704, CVE-2019-11705, CVE-2019-11706
Status comment:

Comment 1 Nicolas Salguero 2019-06-14 10:49:49 CEST 
Thunderbird 60.7.1

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA6TOO

Comment 2 Nicolas Salguero 2019-06-14 13:54:55 CEST 
Suggested advisory:
========================

The updated packages fix some bugs and security vulnerabilities:

Heap buffer overflow in icalparser.c. (CVE-2019-11703)

Heap buffer overflow in icalvalue.c. (CVE-2019-11704)

Stack buffer overflow in icalrecur.c. (CVE-2019-11705)

Type confusion in icalproperty.c. (CVE-2019-11706)

References:
https://www.thunderbird.net/en-US/thunderbird/60.7.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-17/
https://www.openwall.com/lists/oss-security/2019/06/13/1
https://www.openwall.com/lists/oss-security/2019/06/13/2
https://www.openwall.com/lists/oss-security/2019/06/13/3
https://www.openwall.com/lists/oss-security/2019/06/13/4
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11703
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11704
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11705
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11706
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.7.1-1.mga6
thunderbird-enigmail-60.7.1-1.mga6
thunderbird-ar-60.7.1-1.mga6
thunderbird-ast-60.7.1-1.mga6
thunderbird-be-60.7.1-1.mga6
thunderbird-bg-60.7.1-1.mga6
thunderbird-br-60.7.1-1.mga6
thunderbird-ca-60.7.1-1.mga6
thunderbird-cs-60.7.1-1.mga6
thunderbird-cy-60.7.1-1.mga6
thunderbird-da-60.7.1-1.mga6
thunderbird-de-60.7.1-1.mga6
thunderbird-el-60.7.1-1.mga6
thunderbird-en_GB-60.7.1-1.mga6
thunderbird-en_US-60.7.1-1.mga6
thunderbird-es_AR-60.7.1-1.mga6
thunderbird-es_ES-60.7.1-1.mga6
thunderbird-et-60.7.1-1.mga6
thunderbird-eu-60.7.1-1.mga6
thunderbird-fi-60.7.1-1.mga6
thunderbird-fr-60.7.1-1.mga6
thunderbird-fy_NL-60.7.1-1.mga6
thunderbird-ga_IE-60.7.1-1.mga6
thunderbird-gd-60.7.1-1.mga6
thunderbird-gl-60.7.1-1.mga6
thunderbird-he-60.7.1-1.mga6
thunderbird-hr-60.7.1-1.mga6
thunderbird-hsb-60.7.1-1.mga6
thunderbird-hu-60.7.1-1.mga6
thunderbird-hy_AM-60.7.1-1.mga6
thunderbird-id-60.7.1-1.mga6
thunderbird-is-60.7.1-1.mga6
thunderbird-it-60.7.1-1.mga6
thunderbird-ja-60.7.1-1.mga6
thunderbird-ko-60.7.1-1.mga6
thunderbird-lt-60.7.1-1.mga6
thunderbird-nb_NO-60.7.1-1.mga6
thunderbird-nl-60.7.1-1.mga6
thunderbird-nn_NO-60.7.1-1.mga6
thunderbird-pl-60.7.1-1.mga6
thunderbird-pt_BR-60.7.1-1.mga6
thunderbird-pt_PT-60.7.1-1.mga6
thunderbird-ro-60.7.1-1.mga6
thunderbird-ru-60.7.1-1.mga6
thunderbird-si-60.7.1-1.mga6
thunderbird-sk-60.7.1-1.mga6
thunderbird-sl-60.7.1-1.mga6
thunderbird-sq-60.7.1-1.mga6
thunderbird-sv_SE-60.7.1-1.mga6
thunderbird-tr-60.7.1-1.mga6
thunderbird-uk-60.7.1-1.mga6
thunderbird-vi-60.7.1-1.mga6
thunderbird-zh_CN-60.7.1-1.mga6
thunderbird-zh_TW-60.7.1-1.mga6

from SRPMS:
thunderbird-60.7.1-1.mga6.src.rpm
thunderbird-l10n-60.7.1-1.mga6.src.rpm

CVE: (none) => CVE-2019-11703, CVE-2019-11704, CVE-2019-11705, CVE-2019-11706
Version: Cauldron => 6
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA6TOO => (none)

Comment 3 Morgan Leijström 2019-06-14 17:09:43 CEST 
64 bit, Plasma: Tests OK and i keep using it:
offline IMAP, and SMTP, thousands of emails, swedish.

CC: (none) => fri

Comment 4 Len Lawrence 2019-06-15 12:38:35 CEST 
mga6, x86_64
Mate, en_GB
POP3
No problems apparent.  Calendar works.

CC: (none) => tarazed25

Comment 5 James Kerr 2019-06-16 15:06:15 CEST 
on mga6-64  plasma

packages installed cleanly:
- thunderbird-60.7.1-1.mga6.x86_64
- thunderbird-en_GB-60.7.1-1.mga6.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga6-64

CC: (none) => jim

James Kerr 2019-06-16 15:06:49 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 6 James Kerr 2019-06-16 16:53:44 CEST 
on mga6-32 plasma (in a vbox VM)

packages installed cleanly:
- thunderbird-60.7.1-1.mga6.i586
- thunderbird-en_GB-60.7.1-1.mga6.noarch

email - POP/SMTP - OK 
calendar - OK
address book - OK
movemail - OK

not tested: IMAP, enigmail

looks OK for mga6-32
Comment 7 Herman Viaene 2019-06-18 11:42:15 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues. Installed thunderbird + dutch language pack.
Launching from CLI gives:
$ thunderbird 

(thunderbird:10496): Gtk-WARNING **: Theme parsing error: <data>:1:31: Expected ')' in color definition

(thunderbird:10496): Gtk-WARNING **: Theme parsing error: <data>:1:75: Expected ')' in color definition
alloc factor 0,900000 0,900000
alloc factor 0,900000 0,900000

but sending and receiving mail with and without attachment work all OK.

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
CC: (none) => herman.viaene

Comment 8 Thomas Andrews 2019-06-18 14:03:34 CEST 
Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-06-21 01:51:32 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 9 Mageia Robot 2019-06-21 03:08:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0193.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED