Bug 28431 - Thunderbird 78.8
Summary: Thunderbird 78.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: MGA7TOO MGA7-32-OK MGA8-64-OK
Keywords: advisory
Depends on: 28432
Blocks:
 
Reported: 2021-02-24 17:00 CET by Aurelien Oudelet
Modified: 2021-03-05 15:40 CET

See Also:
Source RPM: thunderbird-78.7.0-1.mga8.src.rpm
CVE: CVE-2021-23968, CVE-2021-23969, CVE-2021-23973, CVE-2021-23978
Status comment:



Description Aurelien Oudelet 2021-02-24 17:00:18 CET
Mozilla.org has released this advisory on February 23, 2021:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/

Mageia 7 also affected.
Aurelien Oudelet 2021-02-24 17:00:47 CET

Whiteboard: (none) => MGA7TOO MGA8TOO

Aurelien Oudelet 2021-02-24 17:08:17 CET

Depends on: (none) => 28432

Comment 1 David Walser 2021-02-24 17:34:14 CET
Mozilla has released Thunderbird 78.8 on February 23:
https://www.thunderbird.net/en-US/thunderbird/78.8.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/

Summary: Thunderbird 78.8 new security issues => Thunderbird 78.8
Group: secteam => (none)
Whiteboard: MGA7TOO MGA8TOO => MGA8TOO, MGA7TOO

Comment 2 David Walser 2021-02-25 17:19:15 CET
RedHat has issued an advisory for this on February 24:
https://access.redhat.com/errata/RHSA-2021:0657
Comment 3 Nicolas Lécureuil 2021-03-02 15:20:13 CET
fixes in cauldron.

Pushed in mga7/8

src:
   mageia7:
    - thunderbird-78.8.0-1.mga7
    - thunderbird-l10n-78.8.0-1.mga7
   mageia8:
    - thunderbird-78.8.0-1.mga8
    - thunderbird-l10n-78.8.0-1.mga8

CC: (none) => mageia
Assignee: pkg-bugs => qa-bugs

Nicolas Lécureuil 2021-03-02 15:20:23 CET

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8

Comment 4 David Walser 2021-03-02 18:48:49 CET
Mageia 7 packages for Thunderbird below (Mageia 8 are the same but mga8):
thunderbird-78.8.0-1.mga7
thunderbird-enigmail-78.8.0-1.mga7
thunderbird-ar-78.8.0-1.mga7
thunderbird-ast-78.8.0-1.mga7
thunderbird-be-78.8.0-1.mga7
thunderbird-bg-78.8.0-1.mga7
thunderbird-br-78.8.0-1.mga7
thunderbird-ca-78.8.0-1.mga7
thunderbird-cs-78.8.0-1.mga7
thunderbird-cy-78.8.0-1.mga7
thunderbird-da-78.8.0-1.mga7
thunderbird-de-78.8.0-1.mga7
thunderbird-el-78.8.0-1.mga7
thunderbird-en_GB-78.8.0-1.mga7
thunderbird-en_US-78.8.0-1.mga7
thunderbird-es_AR-78.8.0-1.mga7
thunderbird-es_ES-78.8.0-1.mga7
thunderbird-et-78.8.0-1.mga7
thunderbird-eu-78.8.0-1.mga7
thunderbird-fi-78.8.0-1.mga7
thunderbird-fr-78.8.0-1.mga7
thunderbird-fy_NL-78.8.0-1.mga7
thunderbird-ga_IE-78.8.0-1.mga7
thunderbird-gd-78.8.0-1.mga7
thunderbird-gl-78.8.0-1.mga7
thunderbird-he-78.8.0-1.mga7
thunderbird-hr-78.8.0-1.mga7
thunderbird-hsb-78.8.0-1.mga7
thunderbird-hu-78.8.0-1.mga7
thunderbird-hy_AM-78.8.0-1.mga7
thunderbird-id-78.8.0-1.mga7
thunderbird-is-78.8.0-1.mga7
thunderbird-it-78.8.0-1.mga7
thunderbird-ja-78.8.0-1.mga7
thunderbird-ka-78.8.0-1.mga7
thunderbird-kab-78.8.0-1.mga7
thunderbird-kk-78.8.0-1.mga7
thunderbird-ko-78.8.0-1.mga7
thunderbird-lt-78.8.0-1.mga7
thunderbird-ms-78.8.0-1.mga7
thunderbird-nb_NO-78.8.0-1.mga7
thunderbird-nl-78.8.0-1.mga7
thunderbird-nn_NO-78.8.0-1.mga7
thunderbird-pl-78.8.0-1.mga7
thunderbird-pt_BR-78.8.0-1.mga7
thunderbird-pt_PT-78.8.0-1.mga7
thunderbird-ro-78.8.0-1.mga7
thunderbird-ru-78.8.0-1.mga7
thunderbird-si-78.8.0-1.mga7
thunderbird-sk-78.8.0-1.mga7
thunderbird-sl-78.8.0-1.mga7
thunderbird-sq-78.8.0-1.mga7
thunderbird-sv_SE-78.8.0-1.mga7
thunderbird-tr-78.8.0-1.mga7
thunderbird-uk-78.8.0-1.mga7
thunderbird-uz-78.8.0-1.mga7
thunderbird-vi-78.8.0-1.mga7
thunderbird-zh_CN-78.8.0-1.mga7
thunderbird-zh_TW-78.8.0-1.mga7
Comment 5 David Walser 2021-03-03 00:54:51 CET
Advisory:
========================

Updated thunderbird packages fix security vulnerabilities:

If Content Security Policy blocked frame navigation, the full destination of a
redirect served in the frame was reported in the violation report; as opposed
to the original frame URI. This could be used to leak sensitive information
contained in such URIs (CVE-2021-23968).

As specified in the W3C Content Security Policy draft, when creating a
violation report, "User agents need to ensure that the source file is the URL
requested by the page, pre-redirects. If that’s not possible, user agents need
to strip the URL down to an origin to avoid unintentional leakage." Under
certain types of redirects, Firefox incorrectly set the source file to be the
destination of the redirects. This was fixed to be the redirect destination's
origin (CVE-2021-23969).

When trying to load a cross-origin resource in an audio/video context a
decoding error may have resulted, and the content of that MediaError message
may have revealed information about the resource (CVE-2021-23973).

Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats
Palmgren reported memory safety bugs present in Thunderbird 78.7. Some of
these bugs showed evidence of memory corruption and we presume that with
enough effort some of these could have been exploited to run arbitrary code
(CVE-2021-23978).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23968
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23978
https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/
https://www.thunderbird.net/en-US/thunderbird/78.8.0/releasenotes/


SRPMS:
thunderbird-78.8.0-1.mga7.src.rpm
thunderbird-l10n-78.8.0-1.mga7.src.rpm
thunderbird-78.8.0-1.mga8.src.rpm
thunderbird-l10n-78.8.0-1.mga8.src.rpm

Severity: normal => critical
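
Added example (not part of the bug report and not Mozilla's code): a sketch of the report-URL rule quoted in the advisory for CVE-2021-23968 and CVE-2021-23969, next to the flawed behaviour it replaces, plus a check a report collector or QA test could apply to a received value. All function names and the redirect chain are constructed for illustration.

```javascript
// Constructed sample: the page requested CHAIN[0]; the server redirected to CHAIN[1].
const CHAIN = [
  "https://sso.example/start",
  "https://app.example/callback?token=SAMPLE-SECRET#state",
];
const HTTP_SCHEMES = new Set(["http:", "https:"]);

// CSP "strip URL for use in reports": a non-HTTP(S) URL collapses to its
// scheme; an HTTP(S) URL loses its fragment and any embedded credentials.
function stripUrlForReport(rawUrl) {
  const url = new URL(rawUrl);
  if (!HTTP_SCHEMES.has(url.protocol)) return url.protocol.slice(0, -1);
  url.hash = "";
  url.username = "";
  url.password = "";
  return url.href;
}

// Fallback from the quoted draft text: reduce the URL to its origin.
function originOnly(rawUrl) {
  const url = new URL(rawUrl);
  return HTTP_SCHEMES.has(url.protocol) ? url.origin : url.protocol.slice(0, -1);
}

// Flawed behaviour described in the advisory: the full redirect destination
// ends up in the violation report.
function leakyReportedUrl(chain) {
  return chain[chain.length - 1];
}

// Intended behaviour: report the pre-redirect URL; if the user agent cannot
// recover it, report only the origin of the redirect destination.
function reportedUrl(chain, { preRedirectKnown = true } = {}) {
  if (chain.length === 0) throw new Error("empty redirect chain");
  return preRedirectKnown
    ? stripUrlForReport(chain[0])
    : originOnly(chain[chain.length - 1]);
}

// Collector-side check: a reported value is acceptable only if it is the
// stripped pre-redirect URL or a bare origin of the final destination.
function isCompliantReportValue(value, chain) {
  return value === stripUrlForReport(chain[0]) ||
         value === originOnly(chain[chain.length - 1]);
}

console.log(reportedUrl(CHAIN), reportedUrl(CHAIN, { preRedirectKnown: false }));
```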

Comment 6 Bill Wilkinson 2021-03-03 23:42:35 CET
tested mga8-64
Send, receive, move, delete all OK over SMTP/IMAP. Calendar loads normally.

Whiteboard: MGA7TOO => MGA7TOO mga8-64-ok
CC: (none) => wrw105

Comment 7 Bill Wilkinson 2021-03-04 04:12:12 CET
tested mga7-32 as above, all ok

Whiteboard: MGA7TOO mga8-64-ok => MGA7TOO mga8-64-ok mga7-32-ok

Comment 8 Morgan Leijström 2021-03-04 10:44:07 CET
mga7-64 OK, Plasma, Nvidia-current, Intel i7, Swedish
Updated cleanly, all updates from testing installed.
Offline IMAP(receive, +sync both ways), SMTP for sending.
Took over all accounts and content OK
Not tested: Calendar, PGP, Filter...

CC: (none) => fri

Comment 9 Aurelien Oudelet 2021-03-04 11:38:04 CET
MGA7 and 8 64, Plasma, Intel i5 6600K, French

Updated cleanly, all updates from QARepo installed.

IMAP SSL and noSSL OK
SMTP for sending OK to SSL and non SSL servers.

Google Calendar OK.
PGP OK.


Validating.
Advisory pushed to SVN.

CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
Whiteboard: MGA7TOO mga8-64-ok mga7-32-ok => MGA7TOO MGA7-32-OK MGA8-64-OK

Comment 10 Len Lawrence 2021-03-04 12:31:44 CET
Mageia 8, x64
Just switched to mga8 for testing and find that thunderbird does not work at all.  The new version did not work in mga7 either.
It is completely blank and even the menu options do not work.  It is not even possible to look at account settings - nothing happens.  It is like a cardboard cut-out.  It comes up blank with every profile tried, completely useless.

CC: (none) => tarazed25

Comment 11 Len Lawrence 2021-03-04 12:36:11 CET
Referring to comment 10:
Not using enigmail or PGP keys.
Comment 12 Aurelien Oudelet 2021-03-04 13:01:44 CET
(In reply to Len Lawrence from comment #10)
> Mageia 8, x64
> Just switched to mga8 for testing and find that thunderbird does not work at
> all.  The new version did not work in mga7 either.
> It is completely blank and even the menu options do not work.  It is not
> even possible to look at account settings - nothing happens.  It is like a
> cardboard cut-out.  It comes up blank with every profile tried, completely
> useless.

Have you installed Firefox update before?
See Bug 28432

Keywords: validated_update => (none)

Comment 13 Mageia Robot 2021-03-04 13:28:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0096.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 Len Lawrence 2021-03-04 16:31:50 CET
@Aurelien, comment 12
I had not but I did that just now and restarted firefox OK but this had no effect on thunderbird.  It still comes up blank.  I tried creating a new profile and that at least allowed access to gmail but my address book and local folders are all gone.  Account settings is accessible again.

Tried copying the abook files from this machine to the test machine and inserted them into the profile directory just created.  Still no sign of address book in thunderbird.  That might be because they were not created in this profile so there might be hidden credentials that do not match.  And there is no sign of any facility for importing old address books or their contents.  It might take a couple or three days to retype the data but what happens at the next update if you cannot use older profiles?  But the loss of local folders is much more serious.  Copying the directories across has not worked in the past.

Just noticed that thunderbird has been copying down 42,519 messages in All Mail - two or three hours and not quite halfway.  What on earth would cause that?  This is an Imail account.
Comment 15 Aurelien Oudelet 2021-03-04 18:18:00 CET
Perhaps this https://support.mozilla.org/en-US/questions/1281911
could help?
Comment 17 Len Lawrence 2021-03-04 19:38:22 CET
Nor me Aurelien.  I may just cut my losses and revert to Claws-Mail.
I would not regard those solutions in the links as proper solutions.  thunderbird is defective.

Thanks very much for doing the research.
Comment 18 Aurelien Oudelet 2021-03-04 19:41:44 CET
For me, as a Plasma user I rely heavily on KMail. I only use thunderbird for QA tests.

I asked QA users also to look at this. I don't have answers, meanwhile.

(In reply to Len Lawrence from comment #17)
> Nor me Aurelien.  I may just cut my losses and revert to Claws-Mail.
> I would not regard those solutions in the links as proper solutions. 
> thunderbird is defective.
> 
> Thanks very much for doing the research.

You're welcome!
Comment 19 Len Lawrence 2021-03-05 09:29:58 CET
No, thunderbird is not defective.  There is a strong suspicion that the "missing data" may have something to do with attempts earlier on to use dovecot as a backend for thunderbird.  Copying 'Local Folders' in an old profile to <current profile directory>/Mail and the corresponding abook.sqlite to the current profile re-establishes the missing data, albeit somewhat out-of-date.

Since nobody else in Mageia has had these problems we have to conclude that this is a non-bug.

Resolution: FIXED => INVALID

Comment 20 David Walser 2021-03-05 15:40:37 CET
Fixed.

CC: (none) => luigiwalser
Resolution: INVALID => FIXED

