Bug 23057 - Thunderbird 52.8
Summary: Thunderbird 52.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok has_procedure mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-19 02:05 CEST by David Walser
Modified: 2018-05-30 21:56 CEST

See Also:
Source RPM: thunderbird
CVE:
Status comment:



Description David Walser 2018-05-19 02:05:42 CEST
Mozilla has released Thunderbird 52.8 today (May 18):
https://www.thunderbird.net/en-US/thunderbird/52.8.0/releasenotes/

The security issues fixed are listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/

Mageia 5 and Mageia 6 are also affected.

If it builds for Mageia 5, we can push the nspr, rootcerts, and nss packages from Bug 22904 with it.
David Walser 2018-05-19 02:06:36 CEST

Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => doktor5000, mrambo, nicolas.salguero

Comment 1 José Jorge 2018-05-23 09:49:07 CEST
I am working on it.

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
Assignee: pkg-bugs => lists.jjorge

Comment 2 José Jorge 2018-05-23 11:27:11 CEST
As with version 52.7.0, I will not push to MGA5, which is long past EOL.

Updated package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated thunderbird package fixes bugs and security vulnerabilities.

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/
========================

Updated packages in core/updates_testing:
========================
thunderbird-52.8.0-1.mga6
thunderbird-enigmail-52.8.0-1.mga6

from thunderbird-52.8.0-1.mga6.src.rpm

thunderbird-ar-52.8.0-1.mga6.noarch.rpm
thunderbird-ast-52.8.0-1.mga6.noarch.rpm
thunderbird-be-52.8.0-1.mga6.noarch.rpm
thunderbird-bg-52.8.0-1.mga6.noarch.rpm
thunderbird-bn_BD-52.8.0-1.mga6.noarch.rpm
thunderbird-br-52.8.0-1.mga6.noarch.rpm
thunderbird-ca-52.8.0-1.mga6.noarch.rpm
thunderbird-cs-52.8.0-1.mga6.noarch.rpm
thunderbird-cy-52.8.0-1.mga6.noarch.rpm
thunderbird-da-52.8.0-1.mga6.noarch.rpm
thunderbird-de-52.8.0-1.mga6.noarch.rpm
thunderbird-el-52.8.0-1.mga6.noarch.rpm
thunderbird-en_GB-52.8.0-1.mga6.noarch.rpm
thunderbird-en_US-52.8.0-1.mga6.noarch.rpm
thunderbird-es_AR-52.8.0-1.mga6.noarch.rpm
thunderbird-es_ES-52.8.0-1.mga6.noarch.rpm
thunderbird-et-52.8.0-1.mga6.noarch.rpm
thunderbird-eu-52.8.0-1.mga6.noarch.rpm
thunderbird-fi-52.8.0-1.mga6.noarch.rpm
thunderbird-fr-52.8.0-1.mga6.noarch.rpm
thunderbird-fy_NL-52.8.0-1.mga6.noarch.rpm
thunderbird-ga_IE-52.8.0-1.mga6.noarch.rpm
thunderbird-gd-52.8.0-1.mga6.noarch.rpm
thunderbird-gl-52.8.0-1.mga6.noarch.rpm
thunderbird-he-52.8.0-1.mga6.noarch.rpm
thunderbird-hr-52.8.0-1.mga6.noarch.rpm
thunderbird-hsb-52.8.0-1.mga6.noarch.rpm
thunderbird-hu-52.8.0-1.mga6.noarch.rpm
thunderbird-hy_AM-52.8.0-1.mga6.noarch.rpm
thunderbird-id-52.8.0-1.mga6.noarch.rpm
thunderbird-is-52.8.0-1.mga6.noarch.rpm
thunderbird-it-52.8.0-1.mga6.noarch.rpm
thunderbird-ja-52.8.0-1.mga6.noarch.rpm
thunderbird-ko-52.8.0-1.mga6.noarch.rpm
thunderbird-lt-52.8.0-1.mga6.noarch.rpm
thunderbird-nb_NO-52.8.0-1.mga6.noarch.rpm
thunderbird-nl-52.8.0-1.mga6.noarch.rpm
thunderbird-nn_NO-52.8.0-1.mga6.noarch.rpm
thunderbird-pa_IN-52.8.0-1.mga6.noarch.rpm
thunderbird-pl-52.8.0-1.mga6.noarch.rpm
thunderbird-pt_BR-52.8.0-1.mga6.noarch.rpm
thunderbird-pt_PT-52.8.0-1.mga6.noarch.rpm
thunderbird-ro-52.8.0-1.mga6.noarch.rpm
thunderbird-ru-52.8.0-1.mga6.noarch.rpm
thunderbird-si-52.8.0-1.mga6.noarch.rpm
thunderbird-sk-52.8.0-1.mga6.noarch.rpm
thunderbird-sl-52.8.0-1.mga6.noarch.rpm
thunderbird-sq-52.8.0-1.mga6.noarch.rpm
thunderbird-sv_SE-52.8.0-1.mga6.noarch.rpm
thunderbird-ta_LK-52.8.0-1.mga6.noarch.rpm
thunderbird-tr-52.8.0-1.mga6.noarch.rpm
thunderbird-uk-52.8.0-1.mga6.noarch.rpm
thunderbird-vi-52.8.0-1.mga6.noarch.rpm
thunderbird-zh_CN-52.8.0-1.mga6.noarch.rpm
thunderbird-zh_TW-52.8.0-1.mga6.noarch.rpm

from thunderbird-l10n-52.8.0-1.mga6.src.rpm
Comment 3 David Walser 2018-05-23 14:38:00 CEST
Could someone please try pushing a mga5 build to see if it will build?
Comment 4 José Jorge 2018-05-23 14:43:15 CEST
(In reply to David Walser from comment #3)
> Could someone please try pushing a mga5 build to see if it will build?

All in all, it just eats space and cpu time... done.
Comment 5 David Walser 2018-05-23 15:39:58 CEST
Still fails with the virtual memory exhausted.  Thanks for trying!

Whiteboard: MGA6TOO, MGA5TOO => (none)
Version: Cauldron => 6
Assignee: lists.jjorge => qa-bugs

Comment 6 David Walser 2018-05-23 23:21:39 CEST
Oops, I didn't see that the mga6 build failed too.  Not ready just yet :o)

Assignee: qa-bugs => lists.jjorge

Comment 7 David Walser 2018-05-25 17:22:44 CEST
Red Hat has issued an advisory for this on May 24:
https://access.redhat.com/errata/RHSA-2018:1725
Comment 8 Morgan Leijström 2018-05-27 00:22:40 CEST
Updated to 52.8.0 in production on my workstation, 64 bit.
No issues noted.
Using online and offline IMAP to several accounts at my ISP.

CC: (none) => fri

José Jorge 2018-05-27 07:30:24 CEST

Assignee: lists.jjorge => qa-bugs

Comment 9 José Jorge 2018-05-27 07:41:23 CEST
The build system was finally fixed, so the version is -4 instead of -1 for thunderbird and thunderbird-enigmail when the build succeeded.
Comment 10 Len Lawrence 2018-05-28 18:42:01 CEST
Mageia 6, x86_64

Thunderbird already in use for an IMAP account. It works fine after the update but no testing of enigmail for historical reasons (GNOME keyring and all that).
The calendar works as before.

CC: (none) => tarazed25

Comment 11 Thomas Andrews 2018-05-29 15:02:36 CEST
Mageia 6, x86_64

Using Thunderbird for POP3 email, and for newsgroups. I do not use the calendar.

Sent and received messages, all seems successful. Looks OK here.

CC: (none) => andrewsfarm

Comment 12 James Kerr 2018-05-29 15:53:08 CEST
on mga6-64 - packages installed cleanly:

- thunderbird-52.8.0-4.mga6.x86_64
- thunderbird-en_GB-52.8.0-1.mga6.noarch

email - POP/SMTP - OK
calendar - OK 
movemail - OK

OK here for mga6-64

CC: (none) => jim

Comment 13 Bill Wilkinson 2018-05-30 17:02:52 CEST
Tested mga6-64, IMAP/SMTP/calendar
Send/receive/move/delete all OK

Whiteboard: (none) => has_procedure mga6-64-ok
CC: (none) => wrw105

Comment 14 Bill Wilkinson 2018-05-30 17:04:22 CEST
Tested mga6-32 under virtualbox as above, all OK.

Validating. Ready for push when advisory is uploaded to svn.

Whiteboard: has_procedure mga6-64-ok => mga6-64-ok has_procedure mga6-32-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 15 David Walser 2018-05-30 17:50:14 CEST
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

Mozilla: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 (CVE-2018-5150).

Mozilla: Backport critical security fixes in Skia (CVE-2018-5183).

Mozilla: Use-after-free with SVG animations and clip paths (CVE-2018-5154).

Mozilla: Use-after-free with SVG animations and text paths (CVE-2018-5155).

Mozilla: Integer overflow and out-of-bounds write in Skia (CVE-2018-5159).

Mozilla: Full plaintext recovery in S/MIME via chosen-ciphertext attack
(CVE-2018-5184).

Mozilla: Hang via malformed headers (CVE-2018-5161).

Mozilla: Encrypted mail leaks plaintext through src attribute (CVE-2018-5162).

Mozilla: Lightweight themes can be installed without user interaction
(CVE-2018-5168).

Mozilla: Filename spoofing for external attachments (CVE-2018-5170).

Mozilla: Buffer overflow during UTF-8 to Unicode string conversion through
legacy extension (CVE-2018-5178).

Mozilla: Leaking plaintext through HTML forms (CVE-2018-5185).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5161
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5162
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5184
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5185
https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/
https://www.thunderbird.net/en-US/thunderbird/52.8.0/releasenotes/
https://access.redhat.com/errata/RHSA-2018:1725
Thomas Backlund 2018-05-30 21:31:19 CEST

Keywords: (none) => advisory
CC: (none) => tmb

Comment 16 Mageia Robot 2018-05-30 21:56:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0261.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

