| Summary: | Thunderbird 78.6 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, fri, nicolas.salguero, ouaurelien, sysadmin-bugs, wrw105 |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | mga7-64-ok mga7-32-ok | ||
| Source RPM: | thunderbird, thunderbird-l10n | CVE: | |
| Status comment: | |||
Description
Nicolas Salguero
2020-12-15 09:00:24 CET

Nicolas Salguero
2020-12-15 09:00:35 CET
Source RPM: (none) => thunderbird, thunderbird-l10n

Nicolas Salguero
2020-12-15 09:00:40 CET
Assignee: bugsquad => nicolas.salguero

Nicolas Salguero
2020-12-15 09:00:46 CET
CC: (none) => nicolas.salguero

Advisory to come.

Updated packages in core/updates_testing:
========================
thunderbird-78.6.0-1.mga7
thunderbird-enigmail-78.6.0-1.mga7
thunderbird-ar-78.6.0-1.mga7
thunderbird-ast-78.6.0-1.mga7
thunderbird-be-78.6.0-1.mga7
thunderbird-bg-78.6.0-1.mga7
thunderbird-br-78.6.0-1.mga7
thunderbird-ca-78.6.0-1.mga7
thunderbird-cs-78.6.0-1.mga7
thunderbird-cy-78.6.0-1.mga7
thunderbird-da-78.6.0-1.mga7
thunderbird-de-78.6.0-1.mga7
thunderbird-el-78.6.0-1.mga7
thunderbird-en_GB-78.6.0-1.mga7
thunderbird-en_US-78.6.0-1.mga7
thunderbird-es_AR-78.6.0-1.mga7
thunderbird-es_ES-78.6.0-1.mga7
thunderbird-et-78.6.0-1.mga7
thunderbird-eu-78.6.0-1.mga7
thunderbird-fi-78.6.0-1.mga7
thunderbird-fr-78.6.0-1.mga7
thunderbird-fy_NL-78.6.0-1.mga7
thunderbird-ga_IE-78.6.0-1.mga7
thunderbird-gd-78.6.0-1.mga7
thunderbird-gl-78.6.0-1.mga7
thunderbird-he-78.6.0-1.mga7
thunderbird-hr-78.6.0-1.mga7
thunderbird-hsb-78.6.0-1.mga7
thunderbird-hu-78.6.0-1.mga7
thunderbird-hy_AM-78.6.0-1.mga7
thunderbird-id-78.6.0-1.mga7
thunderbird-is-78.6.0-1.mga7
thunderbird-it-78.6.0-1.mga7
thunderbird-ja-78.6.0-1.mga7
thunderbird-ka-78.6.0-1.mga7
thunderbird-kab-78.6.0-1.mga7
thunderbird-kk-78.6.0-1.mga7
thunderbird-ko-78.6.0-1.mga7
thunderbird-lt-78.6.0-1.mga7
thunderbird-ms-78.6.0-1.mga7
thunderbird-nb_NO-78.6.0-1.mga7
thunderbird-nl-78.6.0-1.mga7
thunderbird-nn_NO-78.6.0-1.mga7
thunderbird-pl-78.6.0-1.mga7
thunderbird-pt_BR-78.6.0-1.mga7
thunderbird-pt_PT-78.6.0-1.mga7
thunderbird-ro-78.6.0-1.mga7
thunderbird-ru-78.6.0-1.mga7
thunderbird-si-78.6.0-1.mga7
thunderbird-sk-78.6.0-1.mga7
thunderbird-sl-78.6.0-1.mga7
thunderbird-sq-78.6.0-1.mga7
thunderbird-sv_SE-78.6.0-1.mga7
thunderbird-tr-78.6.0-1.mga7
thunderbird-uk-78.6.0-1.mga7
thunderbird-uz-78.6.0-1.mga7
thunderbird-vi-78.6.0-1.mga7
thunderbird-zh_CN-78.6.0-1.mga7
thunderbird-zh_TW-78.6.0-1.mga7

from SRPMS:
thunderbird-78.6.0-1.mga7.src.rpm
thunderbird-l10n-78.6.0-1.mga7.src.rpm

Status: NEW => ASSIGNED

Attempted to install mga7-64, received a missing signature error.
CC: (none) => wrw105

I've asked sysadmins to remove it, as it'd be better to not increase the release. Is it thunderbird, a l10n package, or both that's missing signature?

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

When a BigInt was right-shifted the backing store was not properly cleared, allowing uninitialized memory to be read (CVE-2020-16042).

Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow in WebGL on some video drivers (CVE-2020-26971).

Certain input to the CSS Sanitizer confused it, resulting in incorrect components being removed. This could have been used as a sanitizer bypass (CVE-2020-26973).

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap use-after-free, memory corruption, and a potentially exploitable crash (CVE-2020-26974).

Using techniques that built on the slipstream research, a malicious webpage could have exposed both an internal network's hosts as well as services running on the user's local machine (CVE-2020-26978).

When an extension with the proxy permission registered to receive <all_urls>, the proxy.onRequest callback was not triggered for view-source URLs. While web content cannot navigate to such URLs, a user opening View Source could have inadvertently leaked their IP address (CVE-2020-35111).

Mozilla developer Christian Holler reported memory safety bugs present in Thunderbird 78.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2020-35113).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35113
https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/
https://www.thunderbird.net/en-US/thunderbird/78.6.0/releasenotes/

David,

In case you didn't see the response on qa-discuss, it's both.

Ouch, so there may be several packages in Cauldron affected. Rebuilds for this are submitted to the build system.

Looks like the l10n package built, but thunderbird itself was rejected... This is on hold until the build system is fixed.
http://pkgsubmit.mageia.org/uploads/rejected/7/core/updates_testing/20201215185325.luigiwalser.duvel.23366.youri
CC: (none) => sysadmin-bugs

David Walser
2020-12-16 10:31:33 CET
CC: sysadmin-bugs => (none)

Tested MGA7-64
Send/receive/move/delete under smtp/IMAP ok, calendar loaded normally.
*Side note: I had to use urpmi --clear to remove the unsigned version from yesterday which my machine still had cached.
Whiteboard: (none) => mga7-64-ok

Tested mga7-32 as above, all ok. Probably would be a good idea to have someone test POP3 yet, and it's good to go.
Whiteboard: mga7-64-ok => mga7-64-ok mga7-32-ok

Updated 64-bit versions of Firefox and Thunderbird in one operation. Both look good, including POP3 in Thunderbird. Validating.
Advisory in Comment 4.
Keywords: (none) => validated_update

Advisory pushed to SVN.
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2020-0462.html
Resolution: (none) => FIXED

OK, I experienced no issues either: 64 bit Plasma, Swedish, IMAP, SMTP, some accounts and many thousand mails.
CC: (none) => fri

RedHat has issued an advisory for this today (December 17):
https://access.redhat.com/errata/RHSA-2020:5618
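As an added example, not part of this bug report and not Mageia's own QA tooling, the following POSIX shell script checks on a Mageia 7 host the two things the testers above verified by hand: that the installed thunderbird is at or above the fixed thunderbird-78.6.0-1.mga7, and that the installed package actually carries a GPG signature (the first build pushed to updates_testing was rejected for lacking one, and an unsigned copy stayed in a tester's urpmi cache). The version comparison and the rpm query format strings are assumptions of this example: it handles only dotted numeric upstream versions, ignores the RPM epoch (Mageia's thunderbird has none), and assumes rpm prints "(none)" for %{SIGPGP:pgpsig} on an unsigned package.

```shell
#!/bin/sh
# Added example, not from the bug report or from Mageia's QA tooling.
# Checks on a Mageia 7 host that:
#   1. the installed thunderbird is at or above thunderbird-78.6.0-1.mga7, and
#   2. the installed package carries a GPG signature.
# Assumptions: no epoch, dotted numeric upstream versions, and rpm printing
# "(none)" for %{SIGPGP:pgpsig} when a package is unsigned.

FIXED_VERSION="78.6.0"
FIXED_RELEASE="1.mga7"

# vercmp A B: compare two dotted numeric versions, printing -1, 0 or 1.
# Missing trailing components count as 0, so 78.6 compares equal to 78.6.0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' "1"; return 0; fi
    done
    printf '%s\n' "0"
}

# is_fixed VERSION-RELEASE (e.g. "78.5.1-1.mga7"): succeeds when the
# installed version-release is at or above the fixed one.
is_fixed() {
    vr="$1"
    ver="${vr%%-*}"
    rel="${vr#*-}"
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    # Same upstream version: the numeric prefix of the release decides.
    relnum="${rel%%.*}"
    fixnum="${FIXED_RELEASE%%.*}"
    [ "$relnum" -ge "$fixnum" ]
}

# sig_ok PGPSIG: succeeds when the string rpm printed for %{SIGPGP:pgpsig}
# names a signature rather than "(none)" or nothing at all.
sig_ok() {
    [ -n "$1" ] && [ "$1" != "(none)" ]
}

# Query the live system only when rpm exists, so the script (and the
# functions above) can still be exercised on a non-RPM host.
check_host() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available; nothing to check on this host"
        return 0
    fi
    vr="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' thunderbird 2>/dev/null)" || {
        echo "thunderbird is not installed"
        return 0
    }
    sig="$(rpm -q --qf '%{SIGPGP:pgpsig}\n' thunderbird 2>/dev/null)"
    if is_fixed "$vr"; then
        echo "thunderbird-$vr: fixed (>= $FIXED_VERSION-$FIXED_RELEASE)"
    else
        echo "thunderbird-$vr: VULNERABLE, update to $FIXED_VERSION-$FIXED_RELEASE"
    fi
    if sig_ok "$sig"; then
        echo "signature: $sig"
    else
        echo "signature: NONE, do not trust this package"
    fi
}

check_host
```

Run it as-is on the host; on a machine without rpm it only reports that there is nothing to check. A package that reports a fixed version but no signature is exactly the state the thread describes for the first, rejected build, and should be purged (urpmi --clear was what the tester used) rather than kept.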