Bug 32090

Summary: Thunderbird 115.2
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, chb0, davidwhodgins, fri, guillaume.royer, joselp, mageia, nicolas.salguero
Version: 9   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: thunderbird, thunderbird-l10n CVE:
Status comment:
Bug Depends on: 32207    
Bug Blocks:    

Description Nicolas Salguero 2023-07-10 09:29:25 CEST 
Mozilla has released Thunderbird 102.13.0 on July 5:
https://www.thunderbird.net/en-US/thunderbird/102.13.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/
Nicolas Salguero 2023-07-10 09:29:42 CEST

CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => thunderbird, thunderbird-l10n

Nicolas Salguero 2023-07-10 09:30:10 CEST

Depends on: (none) => 32077

Comment 1 David Walser 2023-07-17 19:44:33 CEST 
RedHat has issued an advisory for this on July 13:
https://access.redhat.com/errata/RHSA-2023:4062
Comment 2 Nicolas Salguero 2023-08-30 10:47:59 CEST 
Mozilla has released Thunderbird 102.13.0 on August 30:
https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes/

Depends on: 32077 => 32207
Summary: Thunderbird 102.13 => Thunderbird 115.2

Comment 3 Marc Krämer 2023-08-30 11:44:23 CEST 
do we provide thunderbird 115 update for cauldron or as backport to mga9?

CC: (none) => mageia

Marc Krämer 2023-08-30 11:44:54 CEST

Whiteboard: MGA8TOO => MGA8TOO, MGA9TOO

Comment 4 Nicolas Salguero 2023-08-30 13:37:34 CEST 
thunderbird 115 will be an update for mga8, mga9 and cauldron.
Morgan Leijström 2023-09-04 09:27:26 CEST

CC: (none) => fri

Comment 5 Nicolas Salguero 2023-09-05 16:19:20 CEST 
For the moment, Thunderbird 115.2 is only built for Mageia 9 because it needs at least rust 1.66.0 and Mageia 8 only provides rust 1.60.0.

List of updated packages in 9/core/updates_testing:
========================
thunderbird-115.2.0-1.mga9
thunderbird-af-115.2.0-1.mga9
thunderbird-ar-115.2.0-1.mga9
thunderbird-ast-115.2.0-1.mga9
thunderbird-be-115.2.0-1.mga9
thunderbird-bg-115.2.0-1.mga9
thunderbird-br-115.2.0-1.mga9
thunderbird-ca-115.2.0-1.mga9
thunderbird-cs-115.2.0-1.mga9
thunderbird-cy-115.2.0-1.mga9
thunderbird-da-115.2.0-1.mga9
thunderbird-de-115.2.0-1.mga9
thunderbird-dsb-115.2.0-1.mga9
thunderbird-el-115.2.0-1.mga9
thunderbird-en_CA-115.2.0-1.mga9
thunderbird-en_GB-115.2.0-1.mga9
thunderbird-en_US-115.2.0-1.mga9
thunderbird-es_AR-115.2.0-1.mga9
thunderbird-es_ES-115.2.0-1.mga9
thunderbird-es_MX-115.2.0-1.mga9
thunderbird-et-115.2.0-1.mga9
thunderbird-eu-115.2.0-1.mga9
thunderbird-fi-115.2.0-1.mga9
thunderbird-fr-115.2.0-1.mga9
thunderbird-fy_NL-115.2.0-1.mga9
thunderbird-ga_IE-115.2.0-1.mga9
thunderbird-gd-115.2.0-1.mga9
thunderbird-gl-115.2.0-1.mga9
thunderbird-he-115.2.0-1.mga9
thunderbird-hr-115.2.0-1.mga9
thunderbird-hsb-115.2.0-1.mga9
thunderbird-hu-115.2.0-1.mga9
thunderbird-hy_AM-115.2.0-1.mga9
thunderbird-id-115.2.0-1.mga9
thunderbird-is-115.2.0-1.mga9
thunderbird-it-115.2.0-1.mga9
thunderbird-ja-115.2.0-1.mga9
thunderbird-ka-115.2.0-1.mga9
thunderbird-kab-115.2.0-1.mga9
thunderbird-kk-115.2.0-1.mga9
thunderbird-ko-115.2.0-1.mga9
thunderbird-lt-115.2.0-1.mga9
thunderbird-lv-115.2.0-1.mga9
thunderbird-ms-115.2.0-1.mga9
thunderbird-nb_NO-115.2.0-1.mga9
thunderbird-nl-115.2.0-1.mga9
thunderbird-nn_NO-115.2.0-1.mga9
thunderbird-pa_IN-115.2.0-1.mga9
thunderbird-pl-115.2.0-1.mga9
thunderbird-pt_BR-115.2.0-1.mga9
thunderbird-pt_PT-115.2.0-1.mga9
thunderbird-ro-115.2.0-1.mga9
thunderbird-ru-115.2.0-1.mga9
thunderbird-sk-115.2.0-1.mga9
thunderbird-sl-115.2.0-1.mga9
thunderbird-sq-115.2.0-1.mga9
thunderbird-sr-115.2.0-1.mga9
thunderbird-sv_SE-115.2.0-1.mga9
thunderbird-th-115.2.0-1.mga9
thunderbird-tr-115.2.0-1.mga9
thunderbird-uk-115.2.0-1.mga9
thunderbird-uz-115.2.0-1.mga9
thunderbird-vi-115.2.0-1.mga9
thunderbird-zh_CN-115.2.0-1.mga9
thunderbird-zh_TW-115.2.0-1.mga9

from SRPMS:
thunderbird-115.2.0-1.mga9.src.rpm
thunderbird-l10n-115.2.0-1.mga9.src.rpm
Comment 6 Jose Manuel López 2023-09-06 13:56:20 CEST 
Hi,

I have tried from testing repositories.

No issues for the moment.

- Accounts and folders ok.
- Settings, addons, signatures ok.
- Calendar and task, ok.
- Language-es ok.
- Search and quick filter, ok.
- Send and receive ok.
- Themes ok.

Greetings!

CC: (none) => joselp

Nicolas Salguero 2023-09-07 09:13:44 CEST

Depends on: (none) => 32258

Nicolas Salguero 2023-09-07 09:16:22 CEST

Depends on: 32258 => (none)

Comment 7 Nicolas Salguero 2023-09-07 09:57:15 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free in workers. (CVE-2023-3600)

File Extension Spoofing using the Text Direction Override Character. (CVE-2023-3417)

Offscreen Canvas could have bypassed cross-origin restrictions. (CVE-2023-4045)

Incorrect value used during WASM compilation. (CVE-2023-4046)

Potential permissions request bypass via clickjacking. (CVE-2023-4047)

Crash in DOMParser due to out-of-memory conditions. (CVE-2023-4048)

Fix potential race conditions when releasing platform objects. (CVE-2023-4049)

Stack buffer overflow in StorageManager. (CVE-2023-4050)

Cookie jar overflow caused unexpected cookie jar state. (CVE-2023-4055)

Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. (CVE-2023-4056)

Memory safety bugs fixed in Firefox 116, Firefox ESR 115.1, and Thunderbird 115.1. (CVE-2023-4057)

Memory corruption in IPC CanvasTranslator. (CVE-2023-4573)

Memory corruption in IPC ColorPickerShownCallback. (CVE-2023-4574)

Memory corruption in IPC FilePickerShownCallback. (CVE-2023-4575)

Memory corruption in JIT UpdateRegExpStatics. (CVE-2023-4577)

Full screen notification obscured by file open dialog. (CVE-2023-4051)

Error reporting methods in SpiderMonkey could have triggered an Out of Memory Exception. (CVE-2023-4578)

Full screen notification obscured by external program. (CVE-2023-4053)

Push notifications saved to disk unencrypted. (CVE-2023-4580)

XLL file extensions were downloadable without warnings. (CVE-2023-4581)

Browsing Context potentially not cleared when closing Private Window. (CVE-2023-4583)

Memory safety bugs fixed in Firefox 117, Firefox ESR 102.15, Firefox ESR 115.2, Thunderbird 102.15, and Thunderbird 115.2. (CVE-2023-4584)

Memory safety bugs fixed in Firefox 117, Firefox ESR 115.2, and Thunderbird 115.2. (CVE-2023-4585)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3600
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3417
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4047
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4049
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4050
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4057
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4573
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4574
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4575
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4578
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4053
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4581
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4583
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4585
https://www.thunderbird.net/en-US/thunderbird/115.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.0.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/
https://www.thunderbird.net/en-US/thunderbird/115.1.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/
https://www.thunderbird.net/en-US/thunderbird/115.1.1/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.2.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/
========================

Updated packages in core/updates_testing:
========================
thunderbird-115.2.0-1.mga9
thunderbird-af-115.2.0-1.mga9
thunderbird-ar-115.2.0-1.mga9
thunderbird-ast-115.2.0-1.mga9
thunderbird-be-115.2.0-1.mga9
thunderbird-bg-115.2.0-1.mga9
thunderbird-br-115.2.0-1.mga9
thunderbird-ca-115.2.0-1.mga9
thunderbird-cs-115.2.0-1.mga9
thunderbird-cy-115.2.0-1.mga9
thunderbird-da-115.2.0-1.mga9
thunderbird-de-115.2.0-1.mga9
thunderbird-dsb-115.2.0-1.mga9
thunderbird-el-115.2.0-1.mga9
thunderbird-en_CA-115.2.0-1.mga9
thunderbird-en_GB-115.2.0-1.mga9
thunderbird-en_US-115.2.0-1.mga9
thunderbird-es_AR-115.2.0-1.mga9
thunderbird-es_ES-115.2.0-1.mga9
thunderbird-es_MX-115.2.0-1.mga9
thunderbird-et-115.2.0-1.mga9
thunderbird-eu-115.2.0-1.mga9
thunderbird-fi-115.2.0-1.mga9
thunderbird-fr-115.2.0-1.mga9
thunderbird-fy_NL-115.2.0-1.mga9
thunderbird-ga_IE-115.2.0-1.mga9
thunderbird-gd-115.2.0-1.mga9
thunderbird-gl-115.2.0-1.mga9
thunderbird-he-115.2.0-1.mga9
thunderbird-hr-115.2.0-1.mga9
thunderbird-hsb-115.2.0-1.mga9
thunderbird-hu-115.2.0-1.mga9
thunderbird-hy_AM-115.2.0-1.mga9
thunderbird-id-115.2.0-1.mga9
thunderbird-is-115.2.0-1.mga9
thunderbird-it-115.2.0-1.mga9
thunderbird-ja-115.2.0-1.mga9
thunderbird-ka-115.2.0-1.mga9
thunderbird-kab-115.2.0-1.mga9
thunderbird-kk-115.2.0-1.mga9
thunderbird-ko-115.2.0-1.mga9
thunderbird-lt-115.2.0-1.mga9
thunderbird-lv-115.2.0-1.mga9
thunderbird-ms-115.2.0-1.mga9
thunderbird-nb_NO-115.2.0-1.mga9
thunderbird-nl-115.2.0-1.mga9
thunderbird-nn_NO-115.2.0-1.mga9
thunderbird-pa_IN-115.2.0-1.mga9
thunderbird-pl-115.2.0-1.mga9
thunderbird-pt_BR-115.2.0-1.mga9
thunderbird-pt_PT-115.2.0-1.mga9
thunderbird-ro-115.2.0-1.mga9
thunderbird-ru-115.2.0-1.mga9
thunderbird-sk-115.2.0-1.mga9
thunderbird-sl-115.2.0-1.mga9
thunderbird-sq-115.2.0-1.mga9
thunderbird-sr-115.2.0-1.mga9
thunderbird-sv_SE-115.2.0-1.mga9
thunderbird-th-115.2.0-1.mga9
thunderbird-tr-115.2.0-1.mga9
thunderbird-uk-115.2.0-1.mga9
thunderbird-uz-115.2.0-1.mga9
thunderbird-vi-115.2.0-1.mga9
thunderbird-zh_CN-115.2.0-1.mga9
thunderbird-zh_TW-115.2.0-1.mga9

from SRPMS:
thunderbird-115.2.0-1.mga9.src.rpm
thunderbird-l10n-115.2.0-1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA8TOO, MGA9TOO => (none)
Status: NEW => ASSIGNED

Comment 8 Morgan Leijström 2023-09-07 12:57:07 CEST 
mga9-64 ok for me
Swedish
offline IMAP
SMTP
Preserved accounts, local storage, and settings.
Comment 9 christian barranco 2023-09-08 22:33:55 CEST 
Plasma MGA9 x86_64
multiple accounts synced
Nextcloud contacts and calendars synced

CC: (none) => chb0

Comment 10 Thomas Andrews 2023-09-10 00:23:12 CEST 
MGA9-64 Plasma, on an HP Pavilion 15.

No installation issues. Everything I use seems to be working as designed, though some of the changes in the interface are going to take some getting used to.

CC: (none) => andrewsfarm

Comment 11 Guillaume Royer 2023-09-10 20:44:39 CEST 
MGA9 64 GNOME

Updated with QA repo et RPM :

thunderbird                    115.2.0      1.mga9        x86_64  
thunderbird-fr                 115.2.0      1.mga9        noarch  

No installation issue.
Sent and receive SMTP mail OK
multiple accounts synced
Nextcloud contacts and calendars synced

CC: (none) => guillaume.royer

Comment 12 Morgan Leijström 2023-09-12 23:59:47 CEST 
Seem OK for 64 bit - can we have a test on 32 bit?

Whiteboard: (none) => MGA9-64-OK

Comment 13 Thomas Andrews 2023-09-13 13:49:32 CEST 
(In reply to Thomas Andrews from comment #10)
> MGA9-64 Plasma, on an HP Pavilion 15.
> 
> No installation issues. Everything I use seems to be working as designed,
> though some of the changes in the interface are going to take some getting
> used to.

Found the setting to change the interface font size. I didn't know there was one. That helped a great deal.
Comment 14 Thomas Andrews 2023-09-13 13:54:30 CEST 
(In reply to Morgan Leijström from comment #12)
> Seem OK for 64 bit - can we have a test on 32 bit?

I can test for a clean install on Foolishness, but I'm not really excited about actually setting it up to send/receive mail because of the old hardware's speed limitations. Maybe newsgroups would be good enough?
Comment 15 Morgan Leijström 2023-09-13 15:57:16 CEST 
Sounds enough to me; install working, GUI working, some communication.
Comment 16 Dave Hodgins 2023-09-13 20:38:49 CEST 
Like firefox, this update will be held until 115.2.1 is ready.

CC: (none) => davidwhodgins

Comment 17 Morgan Leijström 2023-09-13 21:14:11 CEST 
back to packagers

Assignee: qa-bugs => pkg-bugs

Comment 18 Nicolas Salguero 2023-09-14 16:21:53 CEST 
Duplicate of bug 32258.

*** This bug has been marked as a duplicate of bug 32258 ***

Status: ASSIGNED => RESOLVED
Resolution: (none) => DUPLICATE