Bug 25821

Summary: Thunderbird 68.3
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, jim, lists.jjorge, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK MGA7-32-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:
Bug Depends on: 25792    
Bug Blocks:    

Description Nicolas Salguero 2019-12-04 11:04:40 CET 
Mozilla has released Thunderbird 68.3.0 yesterday (December 3):
https://www.thunderbird.net/en-US/thunderbird/68.3.0/releasenotes/
Nicolas Salguero 2019-12-04 11:04:58 CET

Source RPM: (none) => thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA7TOO

Nicolas Salguero 2019-12-04 14:11:20 CET

Depends on: (none) => 25820

Comment 1 Nicolas Salguero 2019-12-05 08:49:11 CET 
Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/
Comment 2 Nicolas Salguero 2019-12-05 16:46:38 CET 
Suggested advisory:
========================

The updated packages fix security issues:

Use-after-free in worker destruction. (CVE-2019-17008)

Stack corruption due to incorrect number of arguments in WebRTC code. (CVE-2019-13722)

Out of bounds write in NSS when encrypting with a block cipher. (CVE-2019-11745)

Updater temporary files accessible to unprivileged processes. (CVE-2019-17009)

Use-after-free when performing device orientation checks. (CVE-2019-17010)

Buffer overflow in plain text serializer. (CVE-2019-17005)

Use-after-free when retrieving a document in antitracking. (CVE-2019-17011)

Memory safety bugs fixed in Firefox 71, Firefox ESR 68.3, and Thunderbird 68.3. (CVE-2019-17012)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17012
https://www.thunderbird.net/en-US/thunderbird/68.3.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.3.0-1.mga7
thunderbird-enigmail-68.3.0-1.mga7
thunderbird-ar-68.3.0-1.mga7
thunderbird-ast-68.3.0-1.mga7
thunderbird-be-68.3.0-1.mga7
thunderbird-bg-68.3.0-1.mga7
thunderbird-br-68.3.0-1.mga7
thunderbird-ca-68.3.0-1.mga7
thunderbird-cs-68.3.0-1.mga7
thunderbird-cy-68.3.0-1.mga7
thunderbird-da-68.3.0-1.mga7
thunderbird-de-68.3.0-1.mga7
thunderbird-el-68.3.0-1.mga7
thunderbird-en_GB-68.3.0-1.mga7
thunderbird-en_US-68.3.0-1.mga7
thunderbird-es_AR-68.3.0-1.mga7
thunderbird-es_ES-68.3.0-1.mga7
thunderbird-et-68.3.0-1.mga7
thunderbird-eu-68.3.0-1.mga7
thunderbird-fi-68.3.0-1.mga7
thunderbird-fr-68.3.0-1.mga7
thunderbird-fy_NL-68.3.0-1.mga7
thunderbird-ga_IE-68.3.0-1.mga7
thunderbird-gd-68.3.0-1.mga7
thunderbird-gl-68.3.0-1.mga7
thunderbird-he-68.3.0-1.mga7
thunderbird-hr-68.3.0-1.mga7
thunderbird-hsb-68.3.0-1.mga7
thunderbird-hu-68.3.0-1.mga7
thunderbird-hy_AM-68.3.0-1.mga7
thunderbird-id-68.3.0-1.mga7
thunderbird-is-68.3.0-1.mga7
thunderbird-it-68.3.0-1.mga7
thunderbird-ja-68.3.0-1.mga7
thunderbird-ko-68.3.0-1.mga7
thunderbird-lt-68.3.0-1.mga7
thunderbird-nb_NO-68.3.0-1.mga7
thunderbird-nl-68.3.0-1.mga7
thunderbird-nn_NO-68.3.0-1.mga7
thunderbird-pl-68.3.0-1.mga7
thunderbird-pt_BR-68.3.0-1.mga7
thunderbird-pt_PT-68.3.0-1.mga7
thunderbird-ro-68.3.0-1.mga7
thunderbird-ru-68.3.0-1.mga7
thunderbird-si-68.3.0-1.mga7
thunderbird-sk-68.3.0-1.mga7
thunderbird-sl-68.3.0-1.mga7
thunderbird-sq-68.3.0-1.mga7
thunderbird-sv_SE-68.3.0-1.mga7
thunderbird-tr-68.3.0-1.mga7
thunderbird-uk-68.3.0-1.mga7
thunderbird-vi-68.3.0-1.mga7
thunderbird-zh_CN-68.3.0-1.mga7
thunderbird-zh_TW-68.3.0-1.mga7

from SRPMS:
thunderbird-68.3.0-1.mga7.src.rpm
thunderbird-l10n-68.3.0-1.mga7.src.rpm

Version: Cauldron => 7
Assignee: bugsquad => qa-bugs
Whiteboard: MGA7TOO => (none)
Status: NEW => ASSIGNED

Comment 3 David Walser 2019-12-05 16:59:17 CET 
CVE-2019-11745 shouldn't be in this advisory, it's in Bug 25792.

Depends on: 25820 => 25792

Comment 4 Nicolas Salguero 2019-12-06 08:45:12 CET 
Ooops, sorry !

Suggested advisory:
========================

The updated packages fix security issues:

Use-after-free in worker destruction. (CVE-2019-17008)

Stack corruption due to incorrect number of arguments in WebRTC code. (CVE-2019-13722)

Updater temporary files accessible to unprivileged processes. (CVE-2019-17009)

Use-after-free when performing device orientation checks. (CVE-2019-17010)

Buffer overflow in plain text serializer. (CVE-2019-17005)

Use-after-free when retrieving a document in antitracking. (CVE-2019-17011)

Memory safety bugs fixed in Firefox 71, Firefox ESR 68.3, and Thunderbird 68.3. (CVE-2019-17012)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13722
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17009
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17010
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17012
https://www.thunderbird.net/en-US/thunderbird/68.3.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-38/
Comment 5 Thomas Backlund 2019-12-06 21:14:21 CET 
 Seems to work ok here on x86_64

CC: (none) => tmb

Comment 6 Herman Viaene 2019-12-07 11:16:11 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Thunderbird was already on this laptop. As test removed the existing account from thunderbird, added it again. Send and receive message to and from other account accessed from my desktop PC, withand without attachment. All OK.

CC: (none) => herman.viaene

Comment 7 José Jorge 2019-12-07 16:55:49 CET 
All ok in MGA7-64 Plasma also here.

CC: (none) => lists.jjorge
Whiteboard: (none) => MGA7-64-OK

Comment 8 José Jorge 2019-12-07 17:46:13 CET 
Tested with an  i586 2005 latop, all ok except the bug which is there since first thunderbird 68 version : https://bugs.mageia.org/show_bug.cgi?id=25842

Whiteboard: MGA7-64-OK => MGA7-64-OK MGA7-32-OK

Comment 9 James Kerr 2019-12-08 17:37:31 CET 
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-68.3.0-1.mga7.x86_64
- thunderbird-en_GB-68.3.0-1.mga7.noarch


email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

CC: (none) => jim

Thomas Backlund 2019-12-08 18:45:27 CET

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update

Comment 10 Mageia Robot 2019-12-08 19:13:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0377.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Comment 11 David Walser 2019-12-11 18:36:57 CET 
RedHat has issued an advisory for this on December 10:
https://access.redhat.com/errata/RHSA-2019:4148