| Summary: | Thunderbird 78.13 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | sysadmin-bugs, tmb |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | thunderbird | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 29346 | | |
| Bug Blocks: | | | |

Description
David Walser
2021-08-10 22:47:29 CEST
David Walser
2021-08-10 22:47:41 CEST
Depends on: (none) => 29346

I see Thomas is building this update, but this doesn't look right:
http://svnweb.mageia.org/packages/updates/8/thunderbird-l10n/current/SOURCES/sha1.lst?r1=1741345&r2=1741344&pathrev=1741345

Every xpi file should change for every update.

CC: (none) => tmb

I'm guessing you might have used the bogus update_translations.sh that Nicolas added. That script should be removed from SOURCES, it's incorrect and unnecessary.

nope, I simply do:

edit SPECS/thunderbird.spec to bump version
rm -f SOURCES/*.xpi
mgarepo sync -d

I guess one needs to check if upstream did mess up translations or simply copied them between releases...

(In reply to Thomas Backlund from comment #3)
> nope, I simply do:
>
> edit SPECS/thunderbird.spec to bump version

that would obviously be SPECS/thunderbird-l10n.spec

Interesting! I just noticed the ones that didn't change are also missing from the script. Do they no longer exist upstream?

This was the first time I had looked at this package in a while. I used to update it myself sometimes, but then we added something...maybe it was enigmail translations? It had a complicated update procedure, so I stopped messing with it then. I wonder what happened to that.

ah, it's because:

these are disabled:
af.xpi
cak.xpi

these are unlisted:
en-CA.xpi
fa.xpi
pa-IN.xpi
th.xpi

but they all exist in upstream:
https://ftp.mozilla.org/pub/thunderbird/releases/78.13.0/linux-x86_64/xpi/

but since they were not in 78.12, maybe ignore them for 78.13 and see if they still exist in the upcoming 91esr

Ok. Thanks.

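The check discussed above (every xpi entry in sha1.lst should change on each update, and upstream may publish files the package does not list) can be automated; this is an added example, not part of the bug thread or of Mageia's tooling. It assumes sha1.lst holds sha1sum-style `<sha1>  <filename>` lines; the function names are hypothetical and the sample digests and file sets are constructed.

```python
import hashlib
import re

SHA1_LINE = re.compile(r"([0-9a-fA-F]{40})\s+\*?(\S.*)")

def parse_sha1_lst(text):
    """Map file name -> digest for sha1sum-style lines (assumed format)."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = SHA1_LINE.fullmatch(line.strip())
        if match is None:
            raise ValueError(f"line {lineno}: not a checksum entry: {line!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries

def audit_update(old_text, new_text, upstream_names, suffix=".xpi"):
    """Compare two revisions of a checksum list and an upstream file listing."""
    old, new = parse_sha1_lst(old_text), parse_sha1_lst(new_text)
    old_x = {n for n in old if n.endswith(suffix)}
    new_x = {n for n in new if n.endswith(suffix)}
    return {
        # Same digest in both revisions: the file was not refreshed.
        "unchanged": sorted(n for n in old_x & new_x if old[n] == new[n]),
        "added": sorted(new_x - old_x),
        "dropped": sorted(old_x - new_x),
        # Published upstream but absent from the new list.
        "upstream_only": sorted(set(upstream_names) - new_x),
    }

def fake_lst(contents):
    """Build a constructed sha1.lst from {name: bytes}; not real xpi digests."""
    return "".join(f"{hashlib.sha1(data).hexdigest()}  {name}\n"
                   for name, data in contents.items())

# Constructed sample: de/fr refreshed, af left stale, th never listed.
OLD = fake_lst({"de.xpi": b"de 78.12", "fr.xpi": b"fr 78.12", "af.xpi": b"af old"})
NEW = fake_lst({"de.xpi": b"de 78.13", "fr.xpi": b"fr 78.13", "af.xpi": b"af old"})
UPSTREAM = ["af.xpi", "de.xpi", "fr.xpi", "th.xpi"]

if __name__ == "__main__":
    for key, names in audit_update(OLD, NEW, UPSTREAM).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

A non-empty `unchanged` list after a version bump is the signal to investigate before the update is submitted.
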
SRPMS:
thunderbird-78.13.0-1.mga8.src.rpm
thunderbird-l10n-78.13.0-1.mga8.src.rpm

i586:
thunderbird-78.13.0-1.mga8.i586.rpm
thunderbird-ar-78.13.0-1.mga8.noarch.rpm
thunderbird-ast-78.13.0-1.mga8.noarch.rpm
thunderbird-be-78.13.0-1.mga8.noarch.rpm
thunderbird-bg-78.13.0-1.mga8.noarch.rpm
thunderbird-br-78.13.0-1.mga8.noarch.rpm
thunderbird-ca-78.13.0-1.mga8.noarch.rpm
thunderbird-cs-78.13.0-1.mga8.noarch.rpm
thunderbird-cy-78.13.0-1.mga8.noarch.rpm
thunderbird-da-78.13.0-1.mga8.noarch.rpm
thunderbird-de-78.13.0-1.mga8.noarch.rpm
thunderbird-el-78.13.0-1.mga8.noarch.rpm
thunderbird-en_GB-78.13.0-1.mga8.noarch.rpm
thunderbird-enigmail-78.13.0-1.mga8.i586.rpm
thunderbird-en_US-78.13.0-1.mga8.noarch.rpm
thunderbird-es_AR-78.13.0-1.mga8.noarch.rpm
thunderbird-es_ES-78.13.0-1.mga8.noarch.rpm
thunderbird-et-78.13.0-1.mga8.noarch.rpm
thunderbird-eu-78.13.0-1.mga8.noarch.rpm
thunderbird-fi-78.13.0-1.mga8.noarch.rpm
thunderbird-fr-78.13.0-1.mga8.noarch.rpm
thunderbird-fy_NL-78.13.0-1.mga8.noarch.rpm
thunderbird-ga_IE-78.13.0-1.mga8.noarch.rpm
thunderbird-gd-78.13.0-1.mga8.noarch.rpm
thunderbird-gl-78.13.0-1.mga8.noarch.rpm
thunderbird-he-78.13.0-1.mga8.noarch.rpm
thunderbird-hr-78.13.0-1.mga8.noarch.rpm
thunderbird-hsb-78.13.0-1.mga8.noarch.rpm
thunderbird-hu-78.13.0-1.mga8.noarch.rpm
thunderbird-hy_AM-78.13.0-1.mga8.noarch.rpm
thunderbird-id-78.13.0-1.mga8.noarch.rpm
thunderbird-is-78.13.0-1.mga8.noarch.rpm
thunderbird-it-78.13.0-1.mga8.noarch.rpm
thunderbird-ja-78.13.0-1.mga8.noarch.rpm
thunderbird-ka-78.13.0-1.mga8.noarch.rpm
thunderbird-kab-78.13.0-1.mga8.noarch.rpm
thunderbird-kk-78.13.0-1.mga8.noarch.rpm
thunderbird-ko-78.13.0-1.mga8.noarch.rpm
thunderbird-lt-78.13.0-1.mga8.noarch.rpm
thunderbird-ms-78.13.0-1.mga8.noarch.rpm
thunderbird-nb_NO-78.13.0-1.mga8.noarch.rpm
thunderbird-nl-78.13.0-1.mga8.noarch.rpm
thunderbird-nn_NO-78.13.0-1.mga8.noarch.rpm
thunderbird-pl-78.13.0-1.mga8.noarch.rpm
thunderbird-pt_BR-78.13.0-1.mga8.noarch.rpm
thunderbird-pt_PT-78.13.0-1.mga8.noarch.rpm
thunderbird-ro-78.13.0-1.mga8.noarch.rpm
thunderbird-ru-78.13.0-1.mga8.noarch.rpm
thunderbird-si-78.13.0-1.mga8.noarch.rpm
thunderbird-sk-78.13.0-1.mga8.noarch.rpm
thunderbird-sl-78.13.0-1.mga8.noarch.rpm
thunderbird-sq-78.13.0-1.mga8.noarch.rpm
thunderbird-sv_SE-78.13.0-1.mga8.noarch.rpm
thunderbird-tr-78.13.0-1.mga8.noarch.rpm
thunderbird-uk-78.13.0-1.mga8.noarch.rpm
thunderbird-uz-78.13.0-1.mga8.noarch.rpm
thunderbird-vi-78.13.0-1.mga8.noarch.rpm
thunderbird-zh_CN-78.13.0-1.mga8.noarch.rpm
thunderbird-zh_TW-78.13.0-1.mga8.noarch.rpm

x86_64:
thunderbird-78.13.0-1.mga8.x86_64.rpm
thunderbird-ar-78.13.0-1.mga8.noarch.rpm
thunderbird-ast-78.13.0-1.mga8.noarch.rpm
thunderbird-be-78.13.0-1.mga8.noarch.rpm
thunderbird-bg-78.13.0-1.mga8.noarch.rpm
thunderbird-br-78.13.0-1.mga8.noarch.rpm
thunderbird-ca-78.13.0-1.mga8.noarch.rpm
thunderbird-cs-78.13.0-1.mga8.noarch.rpm
thunderbird-cy-78.13.0-1.mga8.noarch.rpm
thunderbird-da-78.13.0-1.mga8.noarch.rpm
thunderbird-de-78.13.0-1.mga8.noarch.rpm
thunderbird-el-78.13.0-1.mga8.noarch.rpm
thunderbird-en_GB-78.13.0-1.mga8.noarch.rpm
thunderbird-enigmail-78.13.0-1.mga8.x86_64.rpm
thunderbird-en_US-78.13.0-1.mga8.noarch.rpm
thunderbird-es_AR-78.13.0-1.mga8.noarch.rpm
thunderbird-es_ES-78.13.0-1.mga8.noarch.rpm
thunderbird-et-78.13.0-1.mga8.noarch.rpm
thunderbird-eu-78.13.0-1.mga8.noarch.rpm
thunderbird-fi-78.13.0-1.mga8.noarch.rpm
thunderbird-fr-78.13.0-1.mga8.noarch.rpm
thunderbird-fy_NL-78.13.0-1.mga8.noarch.rpm
thunderbird-ga_IE-78.13.0-1.mga8.noarch.rpm
thunderbird-gd-78.13.0-1.mga8.noarch.rpm
thunderbird-gl-78.13.0-1.mga8.noarch.rpm
thunderbird-he-78.13.0-1.mga8.noarch.rpm
thunderbird-hr-78.13.0-1.mga8.noarch.rpm
thunderbird-hsb-78.13.0-1.mga8.noarch.rpm
thunderbird-hu-78.13.0-1.mga8.noarch.rpm
thunderbird-hy_AM-78.13.0-1.mga8.noarch.rpm
thunderbird-id-78.13.0-1.mga8.noarch.rpm
thunderbird-is-78.13.0-1.mga8.noarch.rpm
thunderbird-it-78.13.0-1.mga8.noarch.rpm
thunderbird-ja-78.13.0-1.mga8.noarch.rpm
thunderbird-ka-78.13.0-1.mga8.noarch.rpm
thunderbird-kab-78.13.0-1.mga8.noarch.rpm
thunderbird-kk-78.13.0-1.mga8.noarch.rpm
thunderbird-ko-78.13.0-1.mga8.noarch.rpm
thunderbird-lt-78.13.0-1.mga8.noarch.rpm
thunderbird-ms-78.13.0-1.mga8.noarch.rpm
thunderbird-nb_NO-78.13.0-1.mga8.noarch.rpm
thunderbird-nl-78.13.0-1.mga8.noarch.rpm
thunderbird-nn_NO-78.13.0-1.mga8.noarch.rpm
thunderbird-pl-78.13.0-1.mga8.noarch.rpm
thunderbird-pt_BR-78.13.0-1.mga8.noarch.rpm
thunderbird-pt_PT-78.13.0-1.mga8.noarch.rpm
thunderbird-ro-78.13.0-1.mga8.noarch.rpm
thunderbird-ru-78.13.0-1.mga8.noarch.rpm
thunderbird-si-78.13.0-1.mga8.noarch.rpm
thunderbird-sk-78.13.0-1.mga8.noarch.rpm
thunderbird-sl-78.13.0-1.mga8.noarch.rpm
thunderbird-sq-78.13.0-1.mga8.noarch.rpm
thunderbird-sv_SE-78.13.0-1.mga8.noarch.rpm
thunderbird-tr-78.13.0-1.mga8.noarch.rpm
thunderbird-uk-78.13.0-1.mga8.noarch.rpm
thunderbird-uz-78.13.0-1.mga8.noarch.rpm
thunderbird-vi-78.13.0-1.mga8.noarch.rpm
thunderbird-zh_CN-78.13.0-1.mga8.noarch.rpm
thunderbird-zh_TW-78.13.0-1.mga8.noarch.rpm

Assignee: nicolas.salguero => qa-bugs

Tested fine on Mageia 8 x86_64 (with en_US l10n) with both IMAP and NNTP protocols.

Let's get this pushed.

Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash (CVE-2021-29980).

Instruction reordering during JIT optimization resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash (CVE-2021-29984).

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash (CVE-2021-29985).

A suspected race condition when calling getaddrinfo while resolving DNS names could have led to memory corruption and a potentially exploitable crash (CVE-2021-29986).

Thunderbird incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash (CVE-2021-29988).

Mozilla developers Christoph Kerschbaumer, Simon Giesecke, Sandor Molnar, and Olli Pettay reported memory safety bugs present in Thunderbird ESR 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-29989).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29980
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29984
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29985
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29986
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29988
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29989
https://www.thunderbird.net/en-US/thunderbird/78.13.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-35/

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0407.html

Status: NEW => RESOLVED

RedHat has issued an advisory for this today (August 16):
https://access.redhat.com/errata/RHSA-2021:3160