Bug 20003 - Thunderbird 45.6
Summary: Thunderbird 45.6
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/709140/
Whiteboard: has_procedure mga5-64-ok mga5-32-ok a...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-12-22 00:31 CET by David Walser
Modified: 2017-01-06 09:29 CET (History)
6 users (show)

See Also:
Source RPM: thunderbird
CVE:
Status comment:


Attachments

Description David Walser 2016-12-22 00:31:08 CET
RedHat has issued an advisory today (December 21):
https://rhn.redhat.com/errata/RHSA-2016-2973.html

I just checked ftp.mozilla.org and the 45.6.0 directory is there but the source tarballs are not, so hopefully they come back soon or we can get them from RedHat.
David Walser 2016-12-22 00:31:32 CET

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO

Comment 1 Kristoffer Grundström 2016-12-22 00:58:12 CET
David: Is THIS what you were looking after?:
http://ftp.mozilla.org/pub/firefox/releases/45.6.0esr/source/firefox-45.6.0esr.source.tar.xz

CC: (none) => hamnisdude

Comment 2 David Walser 2016-12-22 00:59:50 CET
No, this is what I was looking at:
http://ftp.mozilla.org/pub/thunderbird/releases/45.6.0/

We already released the Firefox 45.6 update.
Comment 3 Kristoffer Grundström 2016-12-22 01:02:47 CET
Sorry. My bad. I'm so tired that I didn't even reflect on which one of the Mozilla programs you needed the source for. Doh!
Comment 4 Nicolas Salguero 2017-01-03 12:50:42 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Use-after-free while manipulating DOM events and removing audio elements due to errors in the handling of node adoption (CVE-2016-9899).

Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript (CVE-2016-9895).

Memory corruption resulting in a potentially exploitable crash during WebGL functions using a vector constructor with a varying array within libGLES (CVE-2016-9897).

Use-after-free resulting in potentially exploitable crash when manipulating DOM subtrees in the Editor (CVE-2016-9898).

External resources that should be blocked when loaded by SVG images can bypass security restrictions through the use of data: URLs. This could allow for cross-domain data leakage (CVE-2016-9900).

An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites (CVE-2016-9904).

A potentially exploitable crash in EnumerateSubDocuments while adding or removing sub-documents (CVE-2016-9905).

Mozilla developers and community members Jan de Mooij, Iris Hsiao, Christian Holler, Carsten Book, Timothy Nikkel, Christoph Diehl, Olli Pettay, Raymond Forbes, and Boris Zbarsky reported memory safety bugs present in in Thunderbird ESR 45.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code (CVE-2016-9893).

References:
https://www.mozilla.org/en-US/thunderbird/45.6.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-96/
https://rhn.redhat.com/errata/RHSA-2016-2973.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9899
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9897
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9905
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9893
========================

Updated packages in core/updates_testing:
========================
thunderbird-45.6.0-1.mga5
thunderbird-enigmail-45.6.0-1.mga5
thunderbird-ar-45.6.0-1.mga5
thunderbird-ast-45.6.0-1.mga5
thunderbird-be-45.6.0-1.mga5
thunderbird-bg-45.6.0-1.mga5
thunderbird-bn_BD-45.6.0-1.mga5
thunderbird-br-45.6.0-1.mga5
thunderbird-ca-45.6.0-1.mga5
thunderbird-cs-45.6.0-1.mga5
thunderbird-cy-45.6.0-1.mga5
thunderbird-da-45.6.0-1.mga5
thunderbird-de-45.6.0-1.mga5
thunderbird-el-45.6.0-1.mga5
thunderbird-en_GB-45.6.0-1.mga5
thunderbird-en_US-45.6.0-1.mga5
thunderbird-es_AR-45.6.0-1.mga5
thunderbird-es_ES-45.6.0-1.mga5
thunderbird-et-45.6.0-1.mga5
thunderbird-eu-45.6.0-1.mga5
thunderbird-fi-45.6.0-1.mga5
thunderbird-fr-45.6.0-1.mga5
thunderbird-fy_NL-45.6.0-1.mga5
thunderbird-ga_IE-45.6.0-1.mga5
thunderbird-gd-45.6.0-1.mga5
thunderbird-gl-45.6.0-1.mga5
thunderbird-he-45.6.0-1.mga5
thunderbird-hr-45.6.0-1.mga5
thunderbird-hsb-45.6.0-1.mga5
thunderbird-hu-45.6.0-1.mga5
thunderbird-hy_AM-45.6.0-1.mga5
thunderbird-id-45.6.0-1.mga5
thunderbird-is-45.6.0-1.mga5
thunderbird-it-45.6.0-1.mga5
thunderbird-ja-45.6.0-1.mga5
thunderbird-ko-45.6.0-1.mga5
thunderbird-lt-45.6.0-1.mga5
thunderbird-nb_NO-45.6.0-1.mga5
thunderbird-nl-45.6.0-1.mga5
thunderbird-nn_NO-45.6.0-1.mga5
thunderbird-pa_IN-45.6.0-1.mga5
thunderbird-pl-45.6.0-1.mga5
thunderbird-pt_BR-45.6.0-1.mga5
thunderbird-pt_PT-45.6.0-1.mga5
thunderbird-ro-45.6.0-1.mga5
thunderbird-ru-45.6.0-1.mga5
thunderbird-si-45.6.0-1.mga5
thunderbird-sk-45.6.0-1.mga5
thunderbird-sl-45.6.0-1.mga5
thunderbird-sq-45.6.0-1.mga5
thunderbird-sv_SE-45.6.0-1.mga5
thunderbird-ta_LK-45.6.0-1.mga5
thunderbird-tr-45.6.0-1.mga5
thunderbird-uk-45.6.0-1.mga5
thunderbird-vi-45.6.0-1.mga5
thunderbird-zh_CN-45.6.0-1.mga5
thunderbird-zh_TW-45.6.0-1.mga5

from SRPMS:
thunderbird-45.6.0-1.mga5.src.rpm
thunderbird-l10n-45.6.0-1.mga5.src.rpm

Status: NEW => ASSIGNED
Assignee: doktor5000 => qa-bugs

David Walser 2017-01-04 00:02:52 CET

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 5 Bill Wilkinson 2017-01-04 14:24:47 CET
Tested mga5-64.

Send/receive/move/delete under SMTP/IMAP OK, Google calendar loads normally.

CC: (none) => wrw105
Whiteboard: (none) => has_procedure mga5-64-ok

Comment 6 youpburden 2017-01-05 08:32:59 CET
MGA5-32-OK & MGA5-64-OK on real hardware and virtualbox machines

Procedure :

Upgrade from 45.5.1-1 to 45.6.0-1
the installation goes fine (I still have my config files and account as before)

Sending and receiving mails with and without files/pictures works.
Adding/Removing accounts from different webmail works (tested with gmail, hotmail and yahoo)

I'm using these addons :

Enigmail
Adblockplus
Lightning

And to test a bit more, I used a few personas and themes and changed some settings.

Everything is working as intended, I'm OK'ing the update for both arch.
Waiting for more people to validate the update.

CC: (none) => youpburden
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok mga5-32-ok

Comment 7 Lewis Smith 2017-01-05 22:06:45 CET
Validating; Advisory from Comment 4.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok mga5-32-ok => has_procedure mga5-64-ok mga5-32-ok advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 8 Mageia Robot 2017-01-06 09:29:17 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0006.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.