Bug 27204

Summary: Thunderbird 68.12
Product: Mageia
Reporter: Nicolas Salguero <nicolas.salguero>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: critical
Priority: Normal
CC: andrewsfarm, fri, jim, marc, nicolas.salguero, sysadmin-bugs, tarazed25, yvesbrungard
Version: 7
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA7-64-OK
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:
Bug Depends on: 27193
Bug Blocks:

Description Nicolas Salguero 2020-08-26 21:56:14 CEST
Mozilla has released Thunderbird 68.12.0 on August 25:
https://www.thunderbird.net/en-US/thunderbird/68.12.0/releasenotes/

It fixes security issues:
https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/

Nicolas Salguero 2020-08-26 21:56:39 CEST

Assignee: bugsquad => nicolas.salguero
Source RPM: (none) => thunderbird, thunderbird-l10n

Nicolas Salguero 2020-08-26 22:00:01 CEST

Depends on: (none) => 27193

David Walser 2020-08-26 22:04:15 CEST

Depends on: 27193 => (none)

David Walser 2020-08-26 22:04:50 CEST

Depends on: (none) => 27193

Nicolas Salguero 2020-08-26 22:49:38 CEST

CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => pkg-bugs

Comment 1 David Walser 2020-08-27 18:30:57 CEST
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

By holding a reference to the eval() function from an about:blank window, a
malicious webpage could have gained access to the InstallTrigger object which
would allow them to prompt the user to install an extension. Combined with user
confusion, this could result in an unintended or malicious extension being
installed (CVE-2020-15664).

When aborting an operation, such as a fetch, an abort signal may be deleted
while alerting the objects to be notified. This results in a use-after-free and
we presume that with enough effort it could have been exploited to run
arbitrary code (CVE-2020-15669).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15669
https://www.thunderbird.net/en-US/thunderbird/68.12.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2020-40/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.12.0-1.mga7
thunderbird-enigmail-68.12.0-1.mga7
thunderbird-ar-68.12.0-1.mga7
thunderbird-ast-68.12.0-1.mga7
thunderbird-be-68.12.0-1.mga7
thunderbird-bg-68.12.0-1.mga7
thunderbird-br-68.12.0-1.mga7
thunderbird-ca-68.12.0-1.mga7
thunderbird-cs-68.12.0-1.mga7
thunderbird-cy-68.12.0-1.mga7
thunderbird-da-68.12.0-1.mga7
thunderbird-de-68.12.0-1.mga7
thunderbird-el-68.12.0-1.mga7
thunderbird-en_GB-68.12.0-1.mga7
thunderbird-en_US-68.12.0-1.mga7
thunderbird-es_AR-68.12.0-1.mga7
thunderbird-es_ES-68.12.0-1.mga7
thunderbird-et-68.12.0-1.mga7
thunderbird-eu-68.12.0-1.mga7
thunderbird-fi-68.12.0-1.mga7
thunderbird-fr-68.12.0-1.mga7
thunderbird-fy_NL-68.12.0-1.mga7
thunderbird-ga_IE-68.12.0-1.mga7
thunderbird-gd-68.12.0-1.mga7
thunderbird-gl-68.12.0-1.mga7
thunderbird-he-68.12.0-1.mga7
thunderbird-hr-68.12.0-1.mga7
thunderbird-hsb-68.12.0-1.mga7
thunderbird-hu-68.12.0-1.mga7
thunderbird-hy_AM-68.12.0-1.mga7
thunderbird-id-68.12.0-1.mga7
thunderbird-is-68.12.0-1.mga7
thunderbird-it-68.12.0-1.mga7
thunderbird-ja-68.12.0-1.mga7
thunderbird-ka-68.12.0-1.mga7
thunderbird-kab-68.12.0-1.mga7
thunderbird-kk-68.12.0-1.mga7
thunderbird-ko-68.12.0-1.mga7
thunderbird-lt-68.12.0-1.mga7
thunderbird-ms-68.12.0-1.mga7
thunderbird-nb_NO-68.12.0-1.mga7
thunderbird-nl-68.12.0-1.mga7
thunderbird-nn_NO-68.12.0-1.mga7
thunderbird-pl-68.12.0-1.mga7
thunderbird-pt_BR-68.12.0-1.mga7
thunderbird-pt_PT-68.12.0-1.mga7
thunderbird-ro-68.12.0-1.mga7
thunderbird-ru-68.12.0-1.mga7
thunderbird-si-68.12.0-1.mga7
thunderbird-sk-68.12.0-1.mga7
thunderbird-sl-68.12.0-1.mga7
thunderbird-sq-68.12.0-1.mga7
thunderbird-sv_SE-68.12.0-1.mga7
thunderbird-tr-68.12.0-1.mga7
thunderbird-uk-68.12.0-1.mga7
thunderbird-uz-68.12.0-1.mga7
thunderbird-vi-68.12.0-1.mga7
thunderbird-zh_CN-68.12.0-1.mga7
thunderbird-zh_TW-68.12.0-1.mga7

from SRPMS:
thunderbird-68.12.0-1.mga7.src.rpm
thunderbird-l10n-68.12.0-1.mga7.src.rpm

Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
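
As an added example (not part of this bug report and not Mageia's own QA tooling): a small Python check that parses package names of the form listed above and reports whether an installed thunderbird package is at or above the fixed 68.12.0-1.mga7 build. The version comparison is a simplified rpmvercmp (no tilde/caret handling), the architecture suffix list is an assumption, and the installed-package list is constructed for the demonstration; on a real system the input would be the output of `rpm -qa 'thunderbird*'`.

```python
import re

# Fixed build taken from the advisory in Comment 1 (Mageia 7).
FIXED_VERSION = "68.12.0"
FIXED_RELEASE = "1.mga7"

# Assumed architecture suffixes that `rpm -qa` appends to an NVR.
ARCHES = (".x86_64", ".i586", ".aarch64", ".armv7hl", ".noarch")

# Constructed sample of what `rpm -qa 'thunderbird*'` might print on an
# unpatched box: the main package lags, the locale/enigmail packages are current.
SAMPLE_INSTALLED = [
    "thunderbird-68.11.0-1.mga7.x86_64",
    "thunderbird-en_GB-68.12.0-1.mga7.noarch",
    "thunderbird-enigmail-68.12.0-1.mga7.noarch",
]


def strip_arch(nvra):
    """Drop a trailing architecture suffix so only name-version-release remains."""
    for arch in ARCHES:
        if nvra.endswith(arch):
            return nvra[: -len(arch)]
    return nvra


def split_nvr(nvr):
    """Split 'thunderbird-en_GB-68.12.0-1.mga7' into (name, version, release).
    In an RPM NVR the last two '-' separate version and release; the name
    itself may contain '-' (e.g. thunderbird-en_GB)."""
    name, version, release = strip_arch(nvr).rsplit("-", 2)
    return name, version, release


def _tokens(s):
    # rpmvercmp-style tokenisation: runs of digits or letters, separators ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: compare segment by segment, numeric segments as
    integers, alphabetic segments lexically, numeric beating alphabetic,
    and the longer token list winning on a tie. Returns -1, 0 or 1."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) != len(tb):
        return 1 if len(ta) > len(tb) else -1
    return 0


def is_fixed(installed_nvr, fixed_version=FIXED_VERSION, fixed_release=FIXED_RELEASE):
    """True when the installed package is at or above the fixed version-release."""
    _, ver, rel = split_nvr(installed_nvr)
    c = rpm_vercmp(ver, fixed_version)
    if c != 0:
        return c > 0
    return rpm_vercmp(rel, fixed_release) >= 0


def audit(installed):
    """Map each installed thunderbird* package name to whether it is fixed."""
    result = {}
    for pkg in installed:
        name = split_nvr(pkg)[0]
        if name.startswith("thunderbird"):
            result[name] = is_fixed(pkg)
    return result


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_INSTALLED).items():
        print(f"{name}: {'fixed' if ok else 'VULNERABLE (update needed)'}")
```

Running it on the constructed sample flags the main thunderbird package as still vulnerable while the en_GB and enigmail packages pass, which is exactly the mixed state a half-applied update leaves behind and the reason to check every subpackage rather than only the main one.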

Comment 2 Thomas Andrews 2020-08-27 23:06:41 CEST
Updated the US-English version. Both packages installed cleanly. Looked at newsgroups, sent and received email, no regressions noted. I do not use the calendar or enigmail.

Holding back the OK a day or two so someone can check the calendar and another language or two, potential trouble spots in previous versions.

CC: (none) => andrewsfarm

Comment 3 Len Lawrence 2020-08-28 01:56:00 CEST
Following up on calendar for en_GB.
Installed and restarted fine - no more forced new profile. Everything came up as it was. Sent a short email from the address book. Made a couple of entries in the calendar, one of them a reminder, which popped up on time. Looks OK so far.

CC: (none) => tarazed25

Comment 4 James Kerr 2020-08-28 06:53:27 CEST
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-68.12.0-1.mga7.x86_64
- thunderbird-en_GB-68.12.0-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

CC: (none) => jim

Comment 5 papoteur 2020-08-28 10:57:31 CEST
Installed now in French, 64 bits.
No problem reported.
I don't use enigmail or IMAP.

CC: (none) => yves.brungard_mageia

Comment 6 Len Lawrence 2020-08-28 12:04:20 CEST
Should have said - test in comment 3 was IMAP.

Comment 7 Thomas Andrews 2020-08-28 13:49:10 CEST
Thanks, guys. My own test was with POP mail.

Giving this the OK, and validating. Advisory in Comment 1.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => sysadmin-bugs

Aurelien Oudelet 2020-08-28 15:21:35 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2020-08-28 16:48:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0352.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 9 Morgan Leijström 2020-08-28 17:06:56 CEST
On mga7-64  kernel-desktop  plasma
Tests OK:  Swedish, IMAP, SMTP
Keep using it as main app

CC: (none) => fri

Comment 10 Marc Paré 2020-09-05 05:31:43 CEST
I use TBird in FR, Agenda, and Enigmail under Plasma.

I use my TBird extensively for all of these 3 and have not seen any issues as of yet. My TBird manages close to 2,000 emails per day at times and has loads of filters and multiple POP, IMAP, SMTP, aliases.

On mga7-64, kernel-desktop plasma

CC: (none) => marc

Comment 11 David Walser 2020-09-07 23:54:26 CEST
Red Hat has issued an advisory for this today (September 7):
https://access.redhat.com/errata/RHSA-2020:3631