Bug 22251 - Thunderbird 52.5.2
Summary: Thunderbird 52.5.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32...
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-22 19:45 CET by David Walser
Modified: 2017-12-31 01:11 CET
CC List: 7 users

See Also:
Source RPM: thunderbird
CVE:
Status comment:
Description David Walser 2017-12-22 19:45:44 CET
Mozilla has released Thunderbird 52.5.2 today (December 22):
https://www.mozilla.org/en-US/thunderbird/52.5.2/releasenotes/

It fixes some security issues which haven't been detailed yet.
David Walser 2017-12-22 19:45:57 CET

CC: (none) => nicolas.salguero
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-12-22 20:21:32 CET
The Enigmail extension is affected by one of the security issues, so it will also need to be updated.

Debian has issued an advisory for Enigmail on December 21:
https://www.debian.org/security/2017/dsa-4070
Comment 2 Marja Van Waes 2017-12-23 18:18:26 CET
Assigning to the registered thunderbird maintainer.

Assignee: bugsquad => doktor5000
CC: (none) => marja11

Comment 3 David Walser 2017-12-26 21:45:52 CET
openSUSE has issued advisories for this on December 22 and 25:
https://lists.opensuse.org/opensuse-updates/2017-12/msg00107.html
https://lists.opensuse.org/opensuse-updates/2017-12/msg00101.html
Comment 4 Mike Rambo 2017-12-28 21:57:49 CET
Updates submitted for cauldron, mga5, and mga6. Advisory to follow after they've built.

Assignee: doktor5000 => mrambo
CC: (none) => mrambo

Comment 5 Mike Rambo 2017-12-29 03:16:57 CET
Updated package uploaded for cauldron, Mageia 6, and Mageia 5.

Advisory:
========================

Updated thunderbird package fixes security vulnerabilities:

Multiple vulnerabilities have been fixed in thunderbird.
* JavaScript Execution via RSS in mailbox:// origin (CVE-2017-7846).
* Local path string can be leaked from RSS feed (CVE-2017-7847).
* RSS Feed vulnerable to new line Injection (CVE-2017-7848).
* Mailsploit From address with encoded null character is cut off in message header display (CVE-2017-7829).

Multiple vulnerabilities have been fixed in the bundled enigmail package.
* An issue was discovered that allows remote attackers to trigger use of an intended public key for encryption, because incorrect regular expressions are used for extraction of an e-mail address from a comma-separated list (CVE-2017-17843).
* A remote attacker can obtain cleartext content by sending an encrypted data block to a victim, and relying on the victim to automatically decrypt that block and then send it back to the attacker as quoted text (CVE-2017-17844).
* An issue was discovered where Improper Random Secret Generation occurs because Math.Random() is used by pretty Easy privacy (pEp) (CVE-2017-17845).
* An issue was discovered where regular expressions are exploitable for Denial of Service, because of attempts to match arbitrarily long strings (CVE-2017-17846).
* An issue was discovered that signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message (CVE-2017-17847).
* In a variant of CVE-2017-17847, signature spoofing is possible for multipart/related messages because a signed message part can be referenced with a cid: URI but not actually displayed (CVE-2017-17848).

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17848
========================

Updated packages in core/updates_testing:
========================
thunderbird-52.5.2-1.mga6
thunderbird-enigmail-52.5.2-1.mga6

from thunderbird-52.5.2-1.mga6.src.rpm

thunderbird-ar-52.5.2-1.mga6.noarch.rpm
thunderbird-ast-52.5.2-1.mga6.noarch.rpm
thunderbird-be-52.5.2-1.mga6.noarch.rpm
thunderbird-bg-52.5.2-1.mga6.noarch.rpm
thunderbird-bn_BD-52.5.2-1.mga6.noarch.rpm
thunderbird-br-52.5.2-1.mga6.noarch.rpm
thunderbird-ca-52.5.2-1.mga6.noarch.rpm
thunderbird-cs-52.5.2-1.mga6.noarch.rpm
thunderbird-cy-52.5.2-1.mga6.noarch.rpm
thunderbird-da-52.5.2-1.mga6.noarch.rpm
thunderbird-de-52.5.2-1.mga6.noarch.rpm
thunderbird-el-52.5.2-1.mga6.noarch.rpm
thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm
thunderbird-en_US-52.5.2-1.mga6.noarch.rpm
thunderbird-es_AR-52.5.2-1.mga6.noarch.rpm
thunderbird-es_ES-52.5.2-1.mga6.noarch.rpm
thunderbird-et-52.5.2-1.mga6.noarch.rpm
thunderbird-eu-52.5.2-1.mga6.noarch.rpm
thunderbird-fi-52.5.2-1.mga6.noarch.rpm
thunderbird-fr-52.5.2-1.mga6.noarch.rpm
thunderbird-fy_NL-52.5.2-1.mga6.noarch.rpm
thunderbird-ga_IE-52.5.2-1.mga6.noarch.rpm
thunderbird-gd-52.5.2-1.mga6.noarch.rpm
thunderbird-gl-52.5.2-1.mga6.noarch.rpm
thunderbird-he-52.5.2-1.mga6.noarch.rpm
thunderbird-hr-52.5.2-1.mga6.noarch.rpm
thunderbird-hsb-52.5.2-1.mga6.noarch.rpm
thunderbird-hu-52.5.2-1.mga6.noarch.rpm
thunderbird-hy_AM-52.5.2-1.mga6.noarch.rpm
thunderbird-id-52.5.2-1.mga6.noarch.rpm
thunderbird-is-52.5.2-1.mga6.noarch.rpm
thunderbird-it-52.5.2-1.mga6.noarch.rpm
thunderbird-ja-52.5.2-1.mga6.noarch.rpm
thunderbird-ko-52.5.2-1.mga6.noarch.rpm
thunderbird-lt-52.5.2-1.mga6.noarch.rpm
thunderbird-nb_NO-52.5.2-1.mga6.noarch.rpm
thunderbird-nl-52.5.2-1.mga6.noarch.rpm
thunderbird-nn_NO-52.5.2-1.mga6.noarch.rpm
thunderbird-pa_IN-52.5.2-1.mga6.noarch.rpm
thunderbird-pl-52.5.2-1.mga6.noarch.rpm
thunderbird-pt_BR-52.5.2-1.mga6.noarch.rpm
thunderbird-pt_PT-52.5.2-1.mga6.noarch.rpm
thunderbird-ro-52.5.2-1.mga6.noarch.rpm
thunderbird-ru-52.5.2-1.mga6.noarch.rpm
thunderbird-si-52.5.2-1.mga6.noarch.rpm
thunderbird-sk-52.5.2-1.mga6.noarch.rpm
thunderbird-sl-52.5.2-1.mga6.noarch.rpm
thunderbird-sq-52.5.2-1.mga6.noarch.rpm
thunderbird-sv_SE-52.5.2-1.mga6.noarch.rpm
thunderbird-ta_LK-52.5.2-1.mga6.noarch.rpm
thunderbird-tr-52.5.2-1.mga6.noarch.rpm
thunderbird-uk-52.5.2-1.mga6.noarch.rpm
thunderbird-vi-52.5.2-1.mga6.noarch.rpm
thunderbird-zh_CN-52.5.2-1.mga6.noarch.rpm
thunderbird-zh_TW-52.5.2-1.mga6.noarch.rpm

from thunderbird-l10n-52.5.2-1.mga6.src.rpm


thunderbird-52.5.2-1.mga5
thunderbird-enigmail-52.5.2-1.mga5

from thunderbird-52.5.2-1.mga5.src.rpm

thunderbird-ar-52.5.2-1.mga5.noarch.rpm
thunderbird-ast-52.5.2-1.mga5.noarch.rpm
thunderbird-be-52.5.2-1.mga5.noarch.rpm
thunderbird-bg-52.5.2-1.mga5.noarch.rpm
thunderbird-bn_BD-52.5.2-1.mga5.noarch.rpm
thunderbird-br-52.5.2-1.mga5.noarch.rpm
thunderbird-ca-52.5.2-1.mga5.noarch.rpm
thunderbird-cs-52.5.2-1.mga5.noarch.rpm
thunderbird-cy-52.5.2-1.mga5.noarch.rpm
thunderbird-da-52.5.2-1.mga5.noarch.rpm
thunderbird-de-52.5.2-1.mga5.noarch.rpm
thunderbird-el-52.5.2-1.mga5.noarch.rpm
thunderbird-en_GB-52.5.2-1.mga5.noarch.rpm
thunderbird-en_US-52.5.2-1.mga5.noarch.rpm
thunderbird-es_AR-52.5.2-1.mga5.noarch.rpm
thunderbird-es_ES-52.5.2-1.mga5.noarch.rpm
thunderbird-et-52.5.2-1.mga5.noarch.rpm
thunderbird-eu-52.5.2-1.mga5.noarch.rpm
thunderbird-fi-52.5.2-1.mga5.noarch.rpm
thunderbird-fr-52.5.2-1.mga5.noarch.rpm
thunderbird-fy_NL-52.5.2-1.mga5.noarch.rpm
thunderbird-ga_IE-52.5.2-1.mga5.noarch.rpm
thunderbird-gd-52.5.2-1.mga5.noarch.rpm
thunderbird-gl-52.5.2-1.mga5.noarch.rpm
thunderbird-he-52.5.2-1.mga5.noarch.rpm
thunderbird-hr-52.5.2-1.mga5.noarch.rpm
thunderbird-hsb-52.5.2-1.mga5.noarch.rpm
thunderbird-hu-52.5.2-1.mga5.noarch.rpm
thunderbird-hy_AM-52.5.2-1.mga5.noarch.rpm
thunderbird-id-52.5.2-1.mga5.noarch.rpm
thunderbird-is-52.5.2-1.mga5.noarch.rpm
thunderbird-it-52.5.2-1.mga5.noarch.rpm
thunderbird-ja-52.5.2-1.mga5.noarch.rpm
thunderbird-ko-52.5.2-1.mga5.noarch.rpm
thunderbird-lt-52.5.2-1.mga5.noarch.rpm
thunderbird-nb_NO-52.5.2-1.mga5.noarch.rpm
thunderbird-nl-52.5.2-1.mga5.noarch.rpm
thunderbird-nn_NO-52.5.2-1.mga5.noarch.rpm
thunderbird-pa_IN-52.5.2-1.mga5.noarch.rpm
thunderbird-pl-52.5.2-1.mga5.noarch.rpm
thunderbird-pt_BR-52.5.2-1.mga5.noarch.rpm
thunderbird-pt_PT-52.5.2-1.mga5.noarch.rpm
thunderbird-ro-52.5.2-1.mga5.noarch.rpm
thunderbird-ru-52.5.2-1.mga5.noarch.rpm
thunderbird-si-52.5.2-1.mga5.noarch.rpm
thunderbird-sk-52.5.2-1.mga5.noarch.rpm
thunderbird-sl-52.5.2-1.mga5.noarch.rpm
thunderbird-sq-52.5.2-1.mga5.noarch.rpm
thunderbird-sv_SE-52.5.2-1.mga5.noarch.rpm
thunderbird-ta_LK-52.5.2-1.mga5.noarch.rpm
thunderbird-tr-52.5.2-1.mga5.noarch.rpm
thunderbird-uk-52.5.2-1.mga5.noarch.rpm
thunderbird-vi-52.5.2-1.mga5.noarch.rpm
thunderbird-zh_CN-52.5.2-1.mga5.noarch.rpm
thunderbird-zh_TW-52.5.2-1.mga5.noarch.rpm

from thunderbird-l10n-52.5.2-1.mga5.src.rpm

Assignee: mrambo => qa-bugs
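Worked illustration of the Mailsploit item in the advisory above (CVE-2017-7829: a From address with an encoded null character is cut off in the header display). This is an added example, not code from the Mageia update, Thunderbird or Enigmail; the sample From: header, the bank.example/attacker.example domains and the helper names are constructed for the demonstration. It decodes the RFC 2047 encoded-word with Python's standard library, shows what a display path that stops at the first NUL would present to the user, and gives a hardened display plus a triage check that flags such headers.

```python
"""Added example for the Mailsploit item (CVE-2017-7829) in the advisory.
Not code from Thunderbird, Enigmail or the Mageia update; the sample header
and the helper names below are constructed for this illustration."""
import re
from email.header import decode_header

# Constructed From: header.  The RFC 2047 encoded-word Q-decodes to
# "ceo@bank.example" followed by a NUL byte (=00); the domain the mail
# system actually routes on follows the encoded-word in the clear.
SAMPLE_FROM = (
    "=?utf-8?Q?=63=65=6f=40=62=61=6e=6b=2e=65=78=61=6d=70=6c=65=00?="
    "@attacker.example"
)

# ASCII control characters (NUL through US, plus DEL) never belong in a
# decoded display name or address.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def decode_from_header(raw: str) -> str:
    """Decode every RFC 2047 encoded-word in a header value and return the
    full decoded text as one Unicode string (nothing dropped)."""
    parts = []
    for chunk, charset in decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def naive_display(decoded: str) -> str:
    """What a display path that hands the text to C-string code shows:
    everything after the first NUL is silently dropped, so the user sees
    only the spoofed address and never the real routing domain."""
    return decoded.split("\x00", 1)[0]


def hardened_display(decoded: str) -> str:
    """Remove control characters instead of truncating at them, so the
    whole decoded text, including the real domain, stays visible."""
    return CONTROL_RE.sub("", decoded)


def is_suspicious(raw: str) -> bool:
    """Triage check for a mail gateway or a mailbox scan: flag any header
    whose decoded form carries control characters."""
    return CONTROL_RE.search(decode_from_header(raw)) is not None


if __name__ == "__main__":
    decoded = decode_from_header(SAMPLE_FROM)
    print("naive   :", naive_display(decoded))
    print("hardened:", hardened_display(decoded))
    print("flagged :", is_suspicious(SAMPLE_FROM))
```

The difference between naive_display() and hardened_display() is the whole bug class: the decoder produced the complete string, but a later layer that treats it as NUL-terminated shows only the prefix the attacker chose. Rejecting or stripping control characters at decode time, before anything is rendered, removes the ambiguity regardless of how the display code is written.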

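Worked illustration of the Enigmail signature-scope items in the advisory above (CVE-2017-17847 and CVE-2017-17848: a signature that covers only an attachment or a cid:-referenced part is presented as if it covered the whole message). This is an added example, not Enigmail's code; both MIME messages, the addresses and the placeholder signature blocks are constructed, and no cryptographic verification is performed, because the flaw is in deciding what a valid signature covers, not in checking it. The rule it encodes: only a top-level multipart/signed entity (RFC 1847) covers the body the user reads.

```python
"""Added example for the Enigmail signature-scope items (CVE-2017-17847,
CVE-2017-17848) in the advisory.  Not Enigmail's code; the two messages
below are constructed and the PGP blocks are placeholders."""
from email import message_from_string

# Constructed: the top-level entity is multipart/signed, so the signature
# in the second part covers the first part, which is the whole body.
WHOLE_SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

Please wire the funds today.
--outer
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
constructed placeholder, not a real signature
-----END PGP SIGNATURE-----
--outer--
"""

# Constructed: the body the user reads is an unsigned text part; a genuine
# signed entity is attached further down.  A client that reports "signed"
# because a valid signature exists somewhere is fooled by this layout.
ATTACHMENT_SIGNED = """\
From: alice@example.org
To: bob@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/plain; charset=us-ascii

Please wire the funds today.
--outer
Content-Type: multipart/signed; protocol="application/pgp-signature";
 micalg=pgp-sha256; boundary="inner"
Content-Disposition: attachment; filename="old-mail.eml"

--inner
Content-Type: text/plain; charset=us-ascii

Old, genuinely signed text re-used by the attacker.
--inner
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
constructed placeholder, not a real signature
-----END PGP SIGNATURE-----
--inner--
--outer--
"""


def signature_scope(raw: str) -> str:
    """Classify what a signature in this message could cover.

    'whole-message'   : top-level entity is multipart/signed
    'attachment-only' : signed entity exists, but only nested deeper
    'unsigned'        : no multipart/signed entity at all
    The UI should only show a "signed" indicator for the first case."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/signed":
        return "whole-message"
    nested = [
        part for part in msg.walk()
        if part is not msg and part.get_content_type() == "multipart/signed"
    ]
    return "attachment-only" if nested else "unsigned"


if __name__ == "__main__":
    print("whole-signed sample   :", signature_scope(WHOLE_SIGNED))
    print("attached-signed sample:", signature_scope(ATTACHMENT_SIGNED))
```

The check deliberately looks only at MIME structure: signature validity is a separate question, and a correct signature over the wrong part is exactly what the two advisories describe. A client that computes "signed" from structure first, then verifies the covered part, cannot be tricked by a re-used signed attachment or a signed part referenced from HTML but never displayed.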
Comment 6 David Walser 2017-12-29 04:15:36 CET
Thanks Mike!  Just a minor note, the Thunderbird CVEs (CVE-2017-7829, CVE-2017-784[6-8]) are missing in your references list, so QA team, please make sure those go in the CVE list when making the advisory in SVN.
Comment 7 peter winterflood 2017-12-29 14:42:13 CET
Tested on 586 platform, LXDE, AMD Athlon XP; all appears to be working as usual.
Tested on x86_64 platform, Plasma, Ryzen; all appears to be working OK.

urpmi thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.i586

    $MIRRORLIST: media/core/updates_testing/thunderbird-52.5.2-1.mga6.i586.rpm
    $MIRRORLIST: media/core/updates_testing/thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm
installing thunderbird-52.5.2-1.mga6.i586.rpm thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########
      1/2: thunderbird           ##########
      2/2: thunderbird-en_GB     ##########
      1/2: removing thunderbird-en_GB-52.5.0-1.mga6.noarch
                                 ##########
      2/2: removing thunderbird-0:52.5.0-1.mga6.i586
                                 ##########

urpmi thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.x86_64

    $MIRRORLIST: media/core/updates_testing/thunderbird-52.5.2-1.mga6.x86_64.rpm
    $MIRRORLIST: media/core/updates_testing/thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm
installing thunderbird-52.5.2-1.mga6.x86_64.rpm thunderbird-en_GB-52.5.2-1.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ##########
      1/2: thunderbird           ##########
      2/2: thunderbird-en_GB     ##########
      1/2: removing thunderbird-en_GB-52.5.0-1.mga6.noarch
                                 ##########
      2/2: removing thunderbird-0:52.5.0-1.mga6.x86_64
                                 ##########

Using IMAP backend Citadel.
Confirmed read, navigate folders and SMTP send outbound from both platforms.

CC: (none) => peter.winterflood

Comment 8 Thomas Andrews 2017-12-29 17:07:29 CET
Checked out the i586 version in Mageia 5, with the US English language pack. Received emails, sent one to qa-discuss, checked out the Mageia newsgroup.

Everything looks good.

CC: (none) => andrewsfarm

Thomas Andrews 2017-12-29 17:08:22 CET

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Comment 9 James Kerr 2017-12-29 17:54:36 CET
on mga5-64

packages installed cleanly:
- thunderbird-52.5.2-1.mga5.x86_64
- thunderbird-en_GB-52.5.2-1.mga5.noarch

email - POP, SMTP - OK
calendar - OK
movemail - OK

OK for mga5-64

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK
CC: (none) => jim

Comment 10 Lewis Smith 2017-12-29 18:15:58 CET
(In reply to David Walser from comment #6)
> Thanks Mike!  Just a minor note, the Thunderbird CVEs (CVE-2017-7829,
> CVE-2017-784[6-8]) are missing in your references list, so QA team, please
> make sure those go in the CVE list when making the advisory in SVN.
All the CVEs *are* itemised in the Advisory Description, which is fine. The CVE URL list can serve as a cross-check for CVE numbers cited in the Title or Description.
OTOH, if the CVEs are only listed as URLs, or there are a lot, we can pick them off that list: it is a question of what makes the easier editing.
-------------------------------------------------------------
And I am adding both Mageia 6 OKs from comment 7 (thanks Peter):

> tested on 586 platform, lxde, amd athlon XP  all appears to be working as usual
> thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.i586

> tested on x86_64 platform plasma ryzen, all appears to be working OK
> thunderbird-en_GB-52.5.2-1.mga6.noarch thunderbird-52.5.2-1.mga6.x86_64

> confirmed read navigate folders and smtp send outbound from both platforms
All of which, with comments 8 & 9, warrants validation: 4/4.

Keywords: (none) => advisory, validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-64 MGA6-64-OK
CC: (none) => sysadmin-bugs

Lewis Smith 2017-12-29 18:17:51 CET

Whiteboard: MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-64 MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Comment 11 Mageia Robot 2017-12-31 01:11:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0477.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
