Bug 32337 - Firefox and Thunderbird 115.3.1
Summary: Firefox and Thunderbird 115.3.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal; Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-09-28 10:10 CEST by Nicolas Salguero
Modified: 2023-10-10 19:23 CEST

See Also:
Source RPM: firefox, firefox-l10n, thunderbird, thunderbird-l10n
CVE:
Status comment:


Attachments
flatpak 115.2 (238.90 KB, image/png), 2023-10-03 15:53 CEST, Robert Fox
flatpak 115.2 calendar (92.82 KB, image/png), 2023-10-03 15:53 CEST, Robert Fox
Mageia RPM 115.3.1 (237.11 KB, image/png), 2023-10-03 15:54 CEST, Robert Fox
Mageia RPM 115.3.1 Calendar (79.60 KB, image/png), 2023-10-03 15:54 CEST, Robert Fox
pic with sidebar - flatpak version (251.43 KB, image/png), 2023-10-03 15:57 CEST, Robert Fox
Mageia RPM greyed out view menu (64.34 KB, image/png), 2023-10-03 16:11 CEST, Robert Fox

Description Nicolas Salguero 2023-09-28 10:10:15 CEST
Mozilla has released Firefox and Thunderbird 115.3 on September 26:
https://www.mozilla.org/en-US/firefox/115.3.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-42/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-43/

Firefox ESR and Thunderbird 102.x seem EOL so, for the moment, there is no solution for Mageia 8.
Nicolas Salguero 2023-09-28 10:10:39 CEST

CC: (none) => nicolas.salguero
Source RPM: (none) => firefox, firefox-l10n, thunderbird, thunderbird-l10n
Whiteboard: (none) => MGA9TOO
Assignee: bugsquad => nicolas.salguero

Comment 1 Nicolas Salguero 2023-09-29 09:52:25 CEST
Mozilla has released Firefox 115.3.1 on September 28:
https://www.mozilla.org/en-US/firefox/115.3.1/releasenotes/

The security issue that was fixed is CVE-2023-5217 (0-day in libvpx, see bug 32342):
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
Nicolas Salguero 2023-09-29 10:00:32 CEST

Severity: major => critical

Nicolas Salguero 2023-09-29 11:53:56 CEST

Summary: Firefox and Thunderbird 115.3 => Firefox 115.3.1 and Thunderbird 115.3

Comment 2 Nicolas Salguero 2023-09-29 17:06:45 CEST Comment hidden (obsolete)

Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED

Comment 3 Dan Fandrich 2023-09-29 17:56:28 CEST
The patch is tiny and if Firefox has simply vendored libvpx, it ought to apply cleanly to the ESR version. Here's the patch to mga8 libvpx:

https://svnweb.mageia.org/packages/updates/8/libvpx/current/SOURCES/libvpx-1.13.0-git-CVE-2023-5217.patch?view=markup&pathrev=1992070

CC: (none) => dan

Comment 4 Brian Rockwell 2023-09-29 18:17:29 CEST
MGA9-64, Xfce, AMD apu

The following 5 packages are going to be installed:

- firefox-115.3.1-1.mga9.x86_64
- firefox-en_CA-115.3.1-1.mga9.noarch
- firefox-en_GB-115.3.1-1.mga9.noarch
- firefox-en_US-115.3.1-1.mga9.noarch
- glibc-2.36-50.mga9.x86_64

125KB of additional disk space will be used.

28MB of additional disk space will be used.


web mail
websites
video work

CC: (none) => brtians1

Comment 5 Morgan Leijström 2023-09-30 09:51:06 CEST
Unusual to handle TB and FF in same bug.
Maybe efficient :)

Both OK here, mga9-64
Plasma, Intel i7-870, Radeon RX 6400 (Navi 24), 4K screen


Firefox:
Settings and tabs preserved
Swedish locale
Used some banking sites and video sites
printing
PDF rendering still needs manual setting https://bugs.mageia.org/show_bug.cgi?id=32207#c10 (preserved during update)

Thunderbird:
Settings and local mail preserved
Swedish locale
Offline IMAP, SMTP

CC: (none) => fri

Nicolas Salguero 2023-10-01 11:44:58 CEST

Summary: Firefox 115.3.1 and Thunderbird 115.3 => Firefox and Thunderbird 115.3.1
Assignee: qa-bugs => nicolas.salguero

Comment 6 Robert Fox 2023-10-02 11:32:38 CEST
Since update to 115.3 something has broken - Calendar and Tasks are greyed out - no tab to switch between calendar and tasks in folderpane and calendar entries missing...

[rfox@FoxLT5 ~]$ rpm -qa | grep thunderbird
thunderbird-compose-1.1-1.mga9
thunderbird-servicemenu-2-4.mga9
thunderbird-en_US-115.3.0-1.mga10
thunderbird-115.3.0-1.mga10

115.2 was fine

CC: (none) => rfox

Comment 7 Morgan Leijström 2023-10-02 22:31:45 CEST
Nicolas, ready for QA?

OK for me mga9-64 thunderbird-115.3.1-1.mga9
Settings and local mail preserved
Swedish locale
Offline IMAP, SMTP

I have never used calendar or tasks, but I can open them via menu or Ctrl+3 / Ctrl+4 and they appear like tabs.


There is as usual some output when it starts, I can't judge it:

$ thunderbird
[Parent 110430, Main Thread] WARNING: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.: 'glib warning', file /home/iurt/rpmbuild/BUILD/thunderbird-115.3.1/thunderbird-115.3.1/toolkit/xre/nsSigHandlers.cpp:167

(thunderbird:110430): GLib-GIO-WARNING **: 22:25:59.897: /usr/share/applications/kde-mimeapps.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
Comment 8 Nicolas Salguero 2023-10-03 08:55:20 CEST
Regarding the warning, I think it comes from thunderbird-compose, which is not a part of thunderbird but is a package created by another Mageia user.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Out-of-bounds write in PathOps. (CVE-2023-5169)

Use-after-free in Ion Compiler. (CVE-2023-5171)

Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3. (CVE-2023-5176)

Heap buffer overflow in libvpx. (CVE-2023-5217)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5169
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5171
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5176
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5217
https://www.mozilla.org/en-US/firefox/115.3.0/releasenotes/
https://www.thunderbird.net/en-US/thunderbird/115.3.0/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-42/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-43/
https://www.mozilla.org/en-US/firefox/115.3.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2023-44/
========================

Updated packages in core/updates_testing:
========================
firefox-115.3.1-1.mga9
firefox-af-115.3.1-1.mga9
firefox-an-115.3.1-1.mga9
firefox-ar-115.3.1-1.mga9
firefox-ast-115.3.1-1.mga9
firefox-az-115.3.1-1.mga9
firefox-be-115.3.1-1.mga9
firefox-bg-115.3.1-1.mga9
firefox-bn-115.3.1-1.mga9
firefox-br-115.3.1-1.mga9
firefox-bs-115.3.1-1.mga9
firefox-ca-115.3.1-1.mga9
firefox-cs-115.3.1-1.mga9
firefox-cy-115.3.1-1.mga9
firefox-da-115.3.1-1.mga9
firefox-de-115.3.1-1.mga9
firefox-el-115.3.1-1.mga9
firefox-en_CA-115.3.1-1.mga9
firefox-en_GB-115.3.1-1.mga9
firefox-en_US-115.3.1-1.mga9
firefox-eo-115.3.1-1.mga9
firefox-es_AR-115.3.1-1.mga9
firefox-es_CL-115.3.1-1.mga9
firefox-es_ES-115.3.1-1.mga9
firefox-es_MX-115.3.1-1.mga9
firefox-et-115.3.1-1.mga9
firefox-eu-115.3.1-1.mga9
firefox-fa-115.3.1-1.mga9
firefox-ff-115.3.1-1.mga9
firefox-fi-115.3.1-1.mga9
firefox-fr-115.3.1-1.mga9
firefox-fur-115.3.1-1.mga9
firefox-fy_NL-115.3.1-1.mga9
firefox-ga_IE-115.3.1-1.mga9
firefox-gd-115.3.1-1.mga9
firefox-gl-115.3.1-1.mga9
firefox-gu_IN-115.3.1-1.mga9
firefox-he-115.3.1-1.mga9
firefox-hi_IN-115.3.1-1.mga9
firefox-hr-115.3.1-1.mga9
firefox-hsb-115.3.1-1.mga9
firefox-hu-115.3.1-1.mga9
firefox-hy_AM-115.3.1-1.mga9
firefox-ia-115.3.1-1.mga9
firefox-id-115.3.1-1.mga9
firefox-is-115.3.1-1.mga9
firefox-it-115.3.1-1.mga9
firefox-ja-115.3.1-1.mga9
firefox-ka-115.3.1-1.mga9
firefox-kab-115.3.1-1.mga9
firefox-kk-115.3.1-1.mga9
firefox-km-115.3.1-1.mga9
firefox-kn-115.3.1-1.mga9
firefox-ko-115.3.1-1.mga9
firefox-lij-115.3.1-1.mga9
firefox-lt-115.3.1-1.mga9
firefox-lv-115.3.1-1.mga9
firefox-mk-115.3.1-1.mga9
firefox-mr-115.3.1-1.mga9
firefox-ms-115.3.1-1.mga9
firefox-my-115.3.1-1.mga9
firefox-nb_NO-115.3.1-1.mga9
firefox-nl-115.3.1-1.mga9
firefox-nn_NO-115.3.1-1.mga9
firefox-oc-115.3.1-1.mga9
firefox-pa_IN-115.3.1-1.mga9
firefox-pl-115.3.1-1.mga9
firefox-pt_BR-115.3.1-1.mga9
firefox-pt_PT-115.3.1-1.mga9
firefox-ro-115.3.1-1.mga9
firefox-ru-115.3.1-1.mga9
firefox-sc-115.3.1-1.mga9
firefox-si-115.3.1-1.mga9
firefox-sk-115.3.1-1.mga9
firefox-sl-115.3.1-1.mga9
firefox-sq-115.3.1-1.mga9
firefox-sr-115.3.1-1.mga9
firefox-sv_SE-115.3.1-1.mga9
firefox-szl-115.3.1-1.mga9
firefox-ta-115.3.1-1.mga9
firefox-te-115.3.1-1.mga9
firefox-tg-115.3.1-1.mga9
firefox-th-115.3.1-1.mga9
firefox-tl-115.3.1-1.mga9
firefox-tr-115.3.1-1.mga9
firefox-uk-115.3.1-1.mga9
firefox-ur-115.3.1-1.mga9
firefox-uz-115.3.1-1.mga9
firefox-vi-115.3.1-1.mga9
firefox-xh-115.3.1-1.mga9
firefox-zh_CN-115.3.1-1.mga9
firefox-zh_TW-115.3.1-1.mga9

thunderbird-115.3.1-1.mga9
thunderbird-af-115.3.1-1.mga9
thunderbird-ar-115.3.1-1.mga9
thunderbird-ast-115.3.1-1.mga9
thunderbird-be-115.3.1-1.mga9
thunderbird-bg-115.3.1-1.mga9
thunderbird-br-115.3.1-1.mga9
thunderbird-ca-115.3.1-1.mga9
thunderbird-cs-115.3.1-1.mga9
thunderbird-cy-115.3.1-1.mga9
thunderbird-da-115.3.1-1.mga9
thunderbird-de-115.3.1-1.mga9
thunderbird-dsb-115.3.1-1.mga9
thunderbird-el-115.3.1-1.mga9
thunderbird-en_CA-115.3.1-1.mga9
thunderbird-en_GB-115.3.1-1.mga9
thunderbird-en_US-115.3.1-1.mga9
thunderbird-es_AR-115.3.1-1.mga9
thunderbird-es_ES-115.3.1-1.mga9
thunderbird-es_MX-115.3.1-1.mga9
thunderbird-et-115.3.1-1.mga9
thunderbird-eu-115.3.1-1.mga9
thunderbird-fi-115.3.1-1.mga9
thunderbird-fr-115.3.1-1.mga9
thunderbird-fy_NL-115.3.1-1.mga9
thunderbird-ga_IE-115.3.1-1.mga9
thunderbird-gd-115.3.1-1.mga9
thunderbird-gl-115.3.1-1.mga9
thunderbird-he-115.3.1-1.mga9
thunderbird-hr-115.3.1-1.mga9
thunderbird-hsb-115.3.1-1.mga9
thunderbird-hu-115.3.1-1.mga9
thunderbird-hy_AM-115.3.1-1.mga9
thunderbird-id-115.3.1-1.mga9
thunderbird-is-115.3.1-1.mga9
thunderbird-it-115.3.1-1.mga9
thunderbird-ja-115.3.1-1.mga9
thunderbird-ka-115.3.1-1.mga9
thunderbird-kab-115.3.1-1.mga9
thunderbird-kk-115.3.1-1.mga9
thunderbird-ko-115.3.1-1.mga9
thunderbird-lt-115.3.1-1.mga9
thunderbird-lv-115.3.1-1.mga9
thunderbird-ms-115.3.1-1.mga9
thunderbird-nb_NO-115.3.1-1.mga9
thunderbird-nl-115.3.1-1.mga9
thunderbird-nn_NO-115.3.1-1.mga9
thunderbird-pa_IN-115.3.1-1.mga9
thunderbird-pl-115.3.1-1.mga9
thunderbird-pt_BR-115.3.1-1.mga9
thunderbird-pt_PT-115.3.1-1.mga9
thunderbird-ro-115.3.1-1.mga9
thunderbird-ru-115.3.1-1.mga9
thunderbird-sk-115.3.1-1.mga9
thunderbird-sl-115.3.1-1.mga9
thunderbird-sq-115.3.1-1.mga9
thunderbird-sr-115.3.1-1.mga9
thunderbird-sv_SE-115.3.1-1.mga9
thunderbird-th-115.3.1-1.mga9
thunderbird-tr-115.3.1-1.mga9
thunderbird-uk-115.3.1-1.mga9
thunderbird-uz-115.3.1-1.mga9
thunderbird-vi-115.3.1-1.mga9
thunderbird-zh_CN-115.3.1-1.mga9
thunderbird-zh_TW-115.3.1-1.mga9

from SRPMS:
firefox-115.3.1-1.mga9.src.rpm
firefox-l10n-115.3.1-1.mga9.src.rpm
thunderbird-115.3.1-1.mga9.src.rpm
thunderbird-l10n-115.3.1-1.mga9.src.rpm

Assignee: nicolas.salguero => qa-bugs

Comment 9 Jose Manuel López 2023-10-03 10:16:18 CEST
Hi,

Updated from repos testing, Firefox and Thunderbird.

Firefox: 
- Video and sound ok.
- Banks ok.
- Settings, addons, and sync account ok.
- Language Spanish ok.

Thunderbird:
- Settings ok.
- Language Spanish ok.
- Send and receive ok.
- Signature ok.
- Search ok.

For the moment, works fine for me in Mageia Plasma X86_64

Greetings and good work!!

CC: (none) => joselp

Comment 10 Robert Fox 2023-10-03 15:52:15 CEST
Unfortunately, 115.3.1 doesn't fix my problem. If I install the flatpak version of Thunderbird - I see the new supernova interface with search bar on top and a side bar to change between mail, calendar and tasks.

Since the latest updates to 115.3 from Mageia package - calendar and tasks are greyed out in the view menu - and there is no sidebar to switch 

Calendar is not syncing and I see no entries - All was working with 115.2

see attached pics
Comment 11 Robert Fox 2023-10-03 15:53:07 CEST
Created attachment 14030
flatpak 115.2

Pixelated sensitive material
Comment 12 Robert Fox 2023-10-03 15:53:44 CEST
Created attachment 14031
flatpak 115.2 calendar

Pixelated sensitive material
Comment 13 Robert Fox 2023-10-03 15:54:12 CEST
Created attachment 14032
Mageia RPM 115.3.1

Pixelated sensitive material
Comment 14 Robert Fox 2023-10-03 15:54:44 CEST
Created attachment 14033
Mageia RPM 115.3.1 Calendar

Pixelated sensitive material
Comment 15 Robert Fox 2023-10-03 15:56:10 CEST
(In reply to Robert Fox from comment #11)
> Created attachment 14030
> flatpak 115.2
> 
> Pixelated sensitive material

Notice the sidebar to change between mail, calendar and tasks
Comment 16 Marja Van Waes 2023-10-03 15:57:26 CEST
The advisory from comment 8 has been uploaded.

Please remove the advisory keyword and obsolete comment 8 if the advisory needs to be changed.

Keywords: (none) => advisory
CC: (none) => marja11

Comment 17 Robert Fox 2023-10-03 15:57:55 CEST
Created attachment 14034
pic with sidebar - flatpak version

Pixelated sensitive material
Comment 18 Robert Fox 2023-10-03 15:59:01 CEST
Comment on attachment 14030
flatpak 115.2

Notice the sidebar on the left to change between mail, calendar and tasks
Comment 19 Robert Fox 2023-10-03 16:11:49 CEST
Created attachment 14035
Mageia RPM greyed out view menu
Comment 20 Herman Viaene 2023-10-09 16:14:47 CEST
MGA9-64 Xfce on Acer Aspire 5253
No installation issues.
No thunderbird previously on this laptop
Firefox works OK.
Thunderbird new install, let it configure my hotmail account from scratch, works OK. The user interface looks pretty much the same as in 115.2, those greyed items in the menu are simply not there as in 115.2

CC: (none) => herman.viaene

Comment 21 Thomas Andrews 2023-10-10 03:02:11 CEST
(In reply to Robert Fox from comment #10)
> Unfortunately, 115.3.1 doesn't fix my problem. If I install the flatpak
> version of Thunderbird - I see the new supernova interface with search bar
> on top and a side bar to change between mail, calendar and tasks.
> 
> Since the latest updates to 115.3 from Mageia package - calendar and tasks
> are greyed out in the view menu - and there is no sidebar to switch 
>
The sidebar is called the "Spaces Toolbar." Click on the hamburger in the upper right corner, then View, then Toolbars. Checking the box next to Spaces Toolbar should make it visible.
 
> Calendar is not syncing and I see no entries - All was working with 115.2
> 
Can't help with that one - I don't use the calendar.

> see attached pics

CC: (none) => andrewsfarm

Comment 22 Thomas Andrews 2023-10-10 03:08:45 CEST
MGA9-64 Plasma. No installation issues.

Tried Firefox on several websites, with no issues.

Checked email and newsgroups in Thunderbird, send and receive POP mail, with no issues.
Comment 23 Thomas Andrews 2023-10-10 03:43:50 CEST
There are reports that the libvpx vulnerability has been exploited in the wild, so we should get these updates out ASAP. I'm giving this an OK, and validating.

@Robert Fox: If you cannot get the Thunderbird calendar working correctly, please file another bug.

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 24 Robert Fox 2023-10-10 10:21:29 CEST
Opened a new bug demonstrating the differences between the broken Cauldron RPM package and the Flatpak version

https://bugs.mageia.org/show_bug.cgi?id=32365
Comment 25 Mageia Robot 2023-10-10 19:23:20 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0285.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

