Bug 25474 - Thunderbird 68.1.1
Summary: Thunderbird 68.1.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-09-26 09:17 CEST by Nicolas Salguero
Modified: 2019-10-03 22:24 CEST (History)
8 users (show)

See Also:
Source RPM: thunderbird, thunderbird-l10n
CVE:
Status comment:


Attachments

Description Nicolas Salguero 2019-09-26 09:17:00 CEST
Mozilla has released Thunderbird 68.1.1 on September 25:
https://www.thunderbird.net/en-US/thunderbird/68.1.1/releasenotes/

It fixes several bugs and likely security issues as well.
Nicolas Salguero 2019-09-26 09:17:27 CEST

Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA7TOO

Nicolas Salguero 2019-09-26 09:18:30 CEST

Source RPM: (none) => thunderbird, thunderbird-l10n

Comment 1 Lewis Smith 2019-09-26 11:17:10 CEST
Nicolas, thank you for taking this on board immediately.
There are a couple of other bugs against Thunderbird which are assigned to doktor5000.
Comment 2 Nicolas Salguero 2019-09-26 16:46:22 CEST
Suggested advisory:
========================

The updated packages fix several bugs and security issues.

References:
https://www.thunderbird.net/en-US/thunderbird/68.1.1/releasenotes/
========================

Updated packages in core/updates_testing:
========================
thunderbird-68.1.1-1.mga7
thunderbird-enigmail-68.1.1-1.mga7
thunderbird-ar-68.1.1-1.mga7
thunderbird-ast-68.1.1-1.mga7
thunderbird-be-68.1.1-1.mga7
thunderbird-bg-68.1.1-1.mga7
thunderbird-br-68.1.1-1.mga7
thunderbird-ca-68.1.1-1.mga7
thunderbird-cs-68.1.1-1.mga7
thunderbird-cy-68.1.1-1.mga7
thunderbird-da-68.1.1-1.mga7
thunderbird-de-68.1.1-1.mga7
thunderbird-el-68.1.1-1.mga7
thunderbird-en_GB-68.1.1-1.mga7
thunderbird-en_US-68.1.1-1.mga7
thunderbird-es_AR-68.1.1-1.mga7
thunderbird-es_ES-68.1.1-1.mga7
thunderbird-et-68.1.1-1.mga7
thunderbird-eu-68.1.1-1.mga7
thunderbird-fi-68.1.1-1.mga7
thunderbird-fr-68.1.1-1.mga7
thunderbird-fy_NL-68.1.1-1.mga7
thunderbird-ga_IE-68.1.1-1.mga7
thunderbird-gd-68.1.1-1.mga7
thunderbird-gl-68.1.1-1.mga7
thunderbird-he-68.1.1-1.mga7
thunderbird-hr-68.1.1-1.mga7
thunderbird-hsb-68.1.1-1.mga7
thunderbird-hu-68.1.1-1.mga7
thunderbird-hy_AM-68.1.1-1.mga7
thunderbird-id-68.1.1-1.mga7
thunderbird-is-68.1.1-1.mga7
thunderbird-it-68.1.1-1.mga7
thunderbird-ja-68.1.1-1.mga7
thunderbird-ko-68.1.1-1.mga7
thunderbird-lt-68.1.1-1.mga7
thunderbird-nb_NO-68.1.1-1.mga7
thunderbird-nl-68.1.1-1.mga7
thunderbird-nn_NO-68.1.1-1.mga7
thunderbird-pl-68.1.1-1.mga7
thunderbird-pt_BR-68.1.1-1.mga7
thunderbird-pt_PT-68.1.1-1.mga7
thunderbird-ro-68.1.1-1.mga7
thunderbird-ru-68.1.1-1.mga7
thunderbird-si-68.1.1-1.mga7
thunderbird-sk-68.1.1-1.mga7
thunderbird-sl-68.1.1-1.mga7
thunderbird-sq-68.1.1-1.mga7
thunderbird-sv_SE-68.1.1-1.mga7
thunderbird-tr-68.1.1-1.mga7
thunderbird-uk-68.1.1-1.mga7
thunderbird-vi-68.1.1-1.mga7
thunderbird-zh_CN-68.1.1-1.mga7
thunderbird-zh_TW-68.1.1-1.mga7

from SRPMS:
thunderbird-68.1.1-1.mga7.src.rpm
thunderbird-l10n-68.1.1-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 7
Status: NEW => ASSIGNED

Comment 3 Nicolas Salguero 2019-09-27 10:00:30 CEST
Suggested advisory:
========================

The updated packages fix several bugs and security issues:

Spoofing a message author via a crafted S/MIME message. (CVE-2019-11755)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11755
https://www.thunderbird.net/en-US/thunderbird/68.1.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2019-32/
Comment 4 Thomas Backlund 2019-09-28 02:06:47 CEST
Seems to work ok here on x86_64

Whiteboard: (none) => MGA7-64-OK
CC: (none) => tmb

Comment 5 James Kerr 2019-09-28 16:19:45 CEST
On mga7-64  kernel-desktop  plasma

packages installed cleanly:
- thunderbird-68.1.1-1.mga7.x86_64
- thunderbird-en_GB-68.1.1-1.mga7.noarch

email (POP, SMTP):  OK
Calendar: OK
Address book: OK
Movemail: OK

I don't use enigmail or IMAP

looks OK for mga7-64

CC: (none) => jim

Comment 6 Len Lawrence 2019-09-29 02:12:32 CEST
Mageia 7, x86_64.
Installed this and it failed to display anything.  All the panels were blank and calendar would not launch.  Looking in the directories under ./thunderbird I see a symbolic link flashing.  On systems where tbird works that link completes - steady red.  That means I must be careful not to update it on any of the systems where it works.

CC: (none) => tarazed25

Comment 7 Len Lawrence 2019-10-01 08:51:33 CEST
With deference to James, comment 5, the OK needs to be withdrawn on the basis that thunderbird failed on my system.  Note that thunderbird has been working smoothly on several of my systems ever since Mageia was launched.

Shall try to test this for another user.  Later.

Whiteboard: MGA7-64-OK => (none)

Comment 8 Herman Viaene 2019-10-01 10:24:39 CEST
MGA7-64 Plasma on Lenovo B50.
Tried to replicate Len's issue. This laptop didn't have thunderbird before, so installed first version 60.7 as thihas worked OK on M6.
Noticed that selecting thunderbird DID NOT DRAW in the nl language pack as this laptop is installed in Dutch, so selected it manually.
So this makes me wonder whether Len's installation was incomplete in some way???
Anyway, then installed the 68.1.1 version, this took now he correct language pack automatically, and thunderbird worked OK.

CC: (none) => herman.viaene

Comment 9 Len Lawrence 2019-10-01 10:58:59 CEST
Thanks for the double-check Herman.  My installation was complete and as I have been using thunderbird for several years the breakdown was very surprising.  There has never been a problem before this.  

After setting up a Mageia 7 virtualbox guest I installed thunderbird from release then updated it to 68.1.1.  It works perfectly.

Next check will be on another machine with real hardware.
Comment 10 Len Lawrence 2019-10-01 12:39:27 CEST
Done that and it failed again.  Examining the broken link, which is a lock file, it is apparent that the failure on this particular machine is caused by a change to the local network address of the machine since the profile was created.  That is why I had to create a new profile on the other machine where it first failed.  The local addresses are assigned by the router and every now and again the router assigns a different address, which is no big deal.  It just means editing the hosts files on all the networked machines but there is no way to do that for an existing profile.  Setting up a new profile means losing all the local email folders which IS a big deal.

So, in view of this discovery, the update is OK.

Whiteboard: (none) => MGA7-64-OK

Comment 11 Len Lawrence 2019-10-01 17:02:00 CEST
Referring to comment 10; it gets weirder.  On my Skylake machine with thunderbird 60.7.2 using an imported profile, all the folders are present and email works but the lock is flashing but has the correct address for this machine.  The lock file is present only when the respective profile is in use; in this case the profile came from another machine (via a tarball).
Comment 12 Bill Wilkinson 2019-10-01 17:07:54 CEST
Len,
Maybe check that it's got the right owner?

Bill

CC: (none) => wrw105

Comment 13 Len Lawrence 2019-10-01 17:22:07 CEST
Replying to Bill Wilkinson, comment 12:

Checked in several places and all profiles are owned by me, permissions 700.
The flashing of 'lock' in a directory listing is probably intentional.  And maybe this sudden change in behaviour is also intended, like a bugfix, removing a vulnerability...

Thanks Bill
Comment 14 Herman Viaene 2019-10-02 10:41:09 CEST
@ Len
I respect that you have seen what you saw, but isn't there something weird with your explanation??? This would mean that everyone who has a machine that does not have an explicite fixed IP address would have this problem every so often. If you have multiple machines on your LAN, the addresses assigned by the router might be different every day you start the machines in another sequence. There would be a lot of complaints on this.
On the other hand, just today I saw a (Win10) user in one of our local forums complaining about Thunderbird after using it for a long time. Although the explanation was not very clear, I suspect a similar issue.
If this problem seems to really exist, but is quite rare, i wouldn't suggest withholding this update.
Comment 15 Thomas Andrews 2019-10-02 17:54:09 CEST
Bit Twister had a problem with his update to Mozilla's T-bird 68.1.0, which he brought up on Usenet. I'm wondering if that has caught up to us here. I've asked him to take a look, and see what he thinks.

CC: (none) => andrewsfarm

Comment 16 Len Lawrence 2019-10-02 19:26:16 CEST
@Herman, comment 14
Agreed this should not hold up the update.  Agreed also; the "explanation" does not explain anything.
Comment 17 Bit Twister 2019-10-02 20:36:08 CEST
(In reply to Len Lawrence from comment #16)
> @Herman, comment 14
> Agreed this should not hold up the update.  Agreed also; the "explanation"
> does not explain anything.

I'll second that. Dangling lock file does exists while TB is open. Closing TB
removes the dangling lock file.

Some history follows: I want fixes installed as soon as possible, so I install
TB and Firefox from vendor site and have been doing this for years via my
install_thunderbird _firefox scripts.

LAN running static ip, postfix, dovecot, mail.home.test is 127.0.0.2 and using named.

Had a MGA7 kernel update not long ago. Rebooted and when opening TB, panels were
blank. Checked Mozilla and saw the 69.x.x release. Downloaded,unzip/tar and
my install script puts it in /local/opt. PATH has local/opt before /usr/bin.

Downside, each TB 69 install is always launching and creating a completely new
profile. All desired old profile ~/.thunderbird/*.default files and folders
have to be copied to *default-release and default-release-x upon point release.

Somewhere in starting over/clean installs, attempting using backups, I
think the problem happens when using a local mail server and when the local
security certificate check fails, TB starts over with a "Clean" set of defaults where you have to re-enter all accounts/profiles.

Weird, that I have yet to see others complaining about the 69 release and its
point release. Running 6 separate thunderbird user accounts, and had same
problems on all user TB launchs.

Some users on Usenet tried the 69 release and did not have my problems.
Mozilla web side does say there is no upgrade path from 68 to 69.

CC: (none) => bittwister2

Comment 18 Thomas Andrews 2019-10-02 21:24:54 CEST
I had an install that hadn't been run or updated for months, due to ISP problems. Those problems have been resolved, and I caught up on updates a week or so ago, including T-bird 68.1.0.

I don't use T-bird on this install except when testing, so it hadn't been used in some time. I just fired it up to try this update, running it before as a check. Immediately saw the blank panes problem. Looked in .thunderbird, and a new profile had been created, just as Bit Twister described. I tried doing some folder renaming, but T-bird refused to run, saying I had no profile. Restoring the original names let it run, but again there were the blank panes.

Renamed .thunderbird to .thunderbird.old, and copied a working .thunderbird from a Mageia 6 install. When I ran T-bird 68.1.0 this time, everything was there as it should be. After updating to 68.1.1, it's still working.

No idea what we should do with this. If it's going to make some users think all their old files/settings have been lost, even though they really haven't, that's not good. It would be nice if we could find what triggers that situation, so it could be addressed.
Comment 19 Len Lawrence 2019-10-03 00:57:59 CEST
@Thomas Andrews, comment 18
Thanks for probing this TJ.  I juggled with the new ...default-release and old ...default directories until thunderbird came up with all the old folders and their contents.  Not entirely sure what I did but it involved copying some of the files from the new profile to the "new" old profile which had been renamed with the "-release" ending.  There is no way I can document that.  Simply renaming the old to the new profile did not work.  

I removed the dangling link before launching thunderbird but that comes back as soon as the application launches and no longer refers to any LAN addresses.  Ran nslookup on the address it was trying and returned "name = unallocated.barefruit.co.uk", effectively in the dead zone, and possibly a springboard for unsolicited advertisements.
Comment 20 Thomas Andrews 2019-10-03 14:24:47 CEST
Len, please see http://kb.mozillazine.org/Profile_Manager and https://support.mozilla.org/en-US/kb/using-multiple-profiles

I'm wondering if somehow on the affected installs the new profile manager is finding something unacceptable with the existing profile(s) so triggers creating a new one.

If you still have an affected install, try running "thunderbird -profilemanager" (before running any instance of T-bird that session) and see what comes up.
Comment 21 Thomas Andrews 2019-10-03 15:47:53 CEST
More information:

According to https://www.thunderbird.net/en-US/thunderbird/69.0beta/releasenotes/ this is a known issue with Thunderbird 69beta that was/is unresolved when that site was published. The release notes for 68.1.1 don't mention it, but obviously it is also affected. The published workaround is 

"Workaround: start with the profile manager option -p."

I have searched both Bugzilla and the forum, and I didn't find any reports of the issue from users - yet.

Since it is as yet unresolved upstream, we are unlikely to resolve it here. So, since everything else seems to be working, I am now inclined to pass this along.

Any objections?
Comment 22 Len Lawrence 2019-10-03 20:32:34 CEST
In reply to comment 20; Thanks for the suggestion TJ.  tbird is running fine on my two main desktops so there is not much I am willing to do with them.  Running  with the -p option gives the user the opportunity to rename profiles so that might be the best starting option with future updates or moves to other machines.

And, no, I see no reason to hold up this update.
Comment 23 Thomas Andrews 2019-10-03 21:34:42 CEST
Validating. Suggested advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2019-10-03 22:02:46 CEST

Keywords: (none) => advisory

Comment 24 Mageia Robot 2019-10-03 22:24:02 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0292.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.