Bug 24995

Summary: Thunderbird 60.7.2
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, fri, herman.viaene, jim, nicolas.salguero, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6TOO MGA6-32-OK MGA7-64-OK MGA6-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE: CVE-2019-11707, CVE-2019-11708
Status comment:

Description David Walser 2019-06-23 18:55:28 CEST 
Mozilla has released Thunderbird 60.7.2 on June 20:
https://www.thunderbird.net/en-US/thunderbird/60.7.2/releasenotes/

fixing two security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/

which were discovered being exploited in the wild.
David Walser 2019-06-23 18:55:42 CEST

Whiteboard: (none) => MGA7TOO, MGA6TOO

Comment 1 Nicolas Salguero 2019-06-24 16:29:22 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Type confusion in Array.pop. (CVE-2019-11707)

Sandbox escape using Prompt:Open. (CVE-2019-11708)

References:
https://www.thunderbird.net/en-US/thunderbird/60.7.2/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-20/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11708
========================

Updated packages in core/updates_testing:
========================
thunderbird-60.7.2-1.mga[67]
thunderbird-enigmail-60.7.2-1.mga[67]
thunderbird-ar-60.7.2-1.mga[67]
thunderbird-ast-60.7.2-1.mga[67]
thunderbird-be-60.7.2-1.mga[67]
thunderbird-bg-60.7.2-1.mga[67]
thunderbird-br-60.7.2-1.mga[67]
thunderbird-ca-60.7.2-1.mga[67]
thunderbird-cs-60.7.2-1.mga[67]
thunderbird-cy-60.7.2-1.mga[67]
thunderbird-da-60.7.2-1.mga[67]
thunderbird-de-60.7.2-1.mga[67]
thunderbird-el-60.7.2-1.mga[67]
thunderbird-en_GB-60.7.2-1.mga[67]
thunderbird-en_US-60.7.2-1.mga[67]
thunderbird-es_AR-60.7.2-1.mga[67]
thunderbird-es_ES-60.7.2-1.mga[67]
thunderbird-et-60.7.2-1.mga[67]
thunderbird-eu-60.7.2-1.mga[67]
thunderbird-fi-60.7.2-1.mga[67]
thunderbird-fr-60.7.2-1.mga[67]
thunderbird-fy_NL-60.7.2-1.mga[67]
thunderbird-ga_IE-60.7.2-1.mga[67]
thunderbird-gd-60.7.2-1.mga[67]
thunderbird-gl-60.7.2-1.mga[67]
thunderbird-he-60.7.2-1.mga[67]
thunderbird-hr-60.7.2-1.mga[67]
thunderbird-hsb-60.7.2-1.mga[67]
thunderbird-hu-60.7.2-1.mga[67]
thunderbird-hy_AM-60.7.2-1.mga[67]
thunderbird-id-60.7.2-1.mga[67]
thunderbird-is-60.7.2-1.mga[67]
thunderbird-it-60.7.2-1.mga[67]
thunderbird-ja-60.7.2-1.mga[67]
thunderbird-ko-60.7.2-1.mga[67]
thunderbird-lt-60.7.2-1.mga[67]
thunderbird-nb_NO-60.7.2-1.mga[67]
thunderbird-nl-60.7.2-1.mga[67]
thunderbird-nn_NO-60.7.2-1.mga[67]
thunderbird-pl-60.7.2-1.mga[67]
thunderbird-pt_BR-60.7.2-1.mga[67]
thunderbird-pt_PT-60.7.2-1.mga[67]
thunderbird-ro-60.7.2-1.mga[67]
thunderbird-ru-60.7.2-1.mga[67]
thunderbird-si-60.7.2-1.mga[67]
thunderbird-sk-60.7.2-1.mga[67]
thunderbird-sl-60.7.2-1.mga[67]
thunderbird-sq-60.7.2-1.mga[67]
thunderbird-sv_SE-60.7.2-1.mga[67]
thunderbird-tr-60.7.2-1.mga[67]
thunderbird-uk-60.7.2-1.mga[67]
thunderbird-vi-60.7.2-1.mga[67]
thunderbird-zh_CN-60.7.2-1.mga[67]
thunderbird-zh_TW-60.7.2-1.mga[67]

from SRPMS:
thunderbird-60.7.2-1.mga[67].src.rpm
thunderbird-l10n-60.7.2-1.mga[67].src.rpm

Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-11707, CVE-2019-11708

Nicolas Salguero 2019-06-24 16:29:47 CEST

CC: (none) => nicolas.salguero
Source RPM: thunderbird => thunderbird, thunderbird-l10n

Comment 2 Morgan Leijström 2019-06-25 20:20:29 CEST 
mga6 64 bit, Plasma.  Working OK a couple hours total use. Offline IMAP, SMTP, multiple accounts. Not using calendar functions.

CC: (none) => fri

Comment 3 Herman Viaene 2019-06-26 11:28:30 CEST 
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues (Dutch installation).
Launched from CLI:
$ thunderbird 

(thunderbird:7214): Gtk-WARNING **: Theme parsing error: <data>:1:31: Expected ')' in color definition

(thunderbird:7214): Gtk-WARNING **: Theme parsing error: <data>:1:75: Expected ')' in color definition
alloc factor 0,900000 0,900000
alloc factor 0,900000 0,900000
Thunderbird comes up normally
Created new account, send mails and received answers with and without attachments, all OK.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO, MGA6TOO, MGA6-32-OK

Comment 4 Thomas Andrews 2019-06-26 21:26:59 CEST 
mga7 64-bit, Plasma 

Has worked OK all day today. Sent and received POP email, received newsgroup messages.

I do npt use enigmail or the calendar.

Whiteboard: MGA7TOO, MGA6TOO, MGA6-32-OK => MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK
CC: (none) => andrewsfarm

Comment 5 David Walser 2019-06-27 20:27:10 CEST 
RedHat has issued an advisory for this today (June 27):
https://access.redhat.com/errata/RHSA-2019:1623
Comment 6 James Kerr 2019-06-28 10:19:44 CEST 
on mga6-64  plasma

packages installed cleanly:
- thunderbird-60.7.2-1.mga6.x86_64
- thunderbird-en_GB-60.7.2-1.mga6.noarch


email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga6-64

CC: (none) => jim
Whiteboard: MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK => MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK

Comment 7 James Kerr 2019-06-30 12:00:55 CEST 
This update needs to be re-submitted to mga7 updates-testing.

The testing repo's were cleared when mga7 was released.
James Kerr 2019-06-30 12:07:13 CEST

Whiteboard: MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK => MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK, feedback

Comment 8 James Kerr 2019-07-02 09:11:25 CEST 
packages are now available in mga7 updates-testing

Whiteboard: MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK, feedback => MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK

Comment 9 James Kerr 2019-07-02 09:24:11 CEST 
On mga7-64 packages installed cleanly:

- thunderbird-60.7.2-1.mga7.x86_64
- thunderbird-en_GB-60.7.2-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64
Thomas Backlund 2019-07-02 11:41:41 CEST

Version: Cauldron => 7
Whiteboard: MGA7TOO, MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK => MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK
CC: (none) => tmb

David Walser 2019-07-02 12:42:54 CEST

Whiteboard: MGA6TOO, MGA6-32-OK, MGA7-64-OK, MGA6-64-OK => MGA6TOO MGA6-32-OK MGA7-64-OK MGA6-64-OK

Comment 10 Thomas Andrews 2019-07-02 14:38:51 CEST 
Looks like enough tests to me, in both Mageias. Validating. Suggested advisory in Comment 1, with additional reference in Comment 5.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-07-02 14:46:03 CEST

Keywords: (none) => advisory

Comment 11 Mageia Robot 2019-07-02 15:10:24 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0201.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED