Bug 6390 - thunderbird needs to be updated to 10.0.5 for security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: mga1-64-OK, mga2-64-OK, mga1-32-OK, m...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-06-09 20:37 CEST by David Walser
Modified: 2012-06-19 21:04 CEST

See Also:
Source RPM: mozilla-thunderbird-10.0.4-1.mga1.src.rpm
CVE:
Status comment:



Description David Walser 2012-06-09 20:37:48 CEST
Mandriva has issued an advisory today (June 9):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:088

This update is also needed for Mageia 2.

The build has already been submitted by Funda Wang.  The SRPMS are:
mozilla-thunderbird-10.0.5-1.mga1.src.rpm
thunderbird-10.0.5-1.mga2.src.rpm

We just need to get an advisory written.
David Walser 2012-06-09 20:37:58 CEST

CC: (none) => fundawang

Comment 1 Manuel Hiebel 2012-06-09 20:47:07 CEST
Works fine for me for the past 2 days; the French langpack is OK (I don't use enigmail).

Whiteboard: (none) => mga1-64-OK,

Comment 2 David Walser 2012-06-09 20:48:49 CEST
I forgot the l10n SRPMS in my previous post.  The full list of SRPMS is:

mozilla-thunderbird-10.0.5-1.mga1.src.rpm
mozilla-thunderbird-l10n-10.0.5-1.mga1.src.rpm
thunderbird-10.0.5-1.mga2.src.rpm
thunderbird-l10n-10.0.5-1.mga2.src.rpm


Advisory:
========================

Updated mozilla-thunderbird packages fix security vulnerabilities:

Heap-based buffer overflow in the utf16_to_isolatin1 function in
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and
SeaMonkey before 2.10 allows remote attackers to execute arbitrary
code via vectors that trigger a character-set conversion failure
(CVE-2012-1947)

Use-after-free vulnerability in the nsFrameList::FirstChild function
in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and
SeaMonkey before 2.10 allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption and application
crash) by changing the size of a container of absolutely positioned
elements in a column (CVE-2012-1940).

Heap-based buffer overflow in the
nsHTMLReflowState::CalculateHypotheticalBox function in Mozilla
Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird
5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey
before 2.10 allows remote attackers to execute arbitrary code by
resizing a window displaying absolutely positioned and relatively
positioned elements in nested columns (CVE-2012-1941).

Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore
function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before
10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before
10.0.5, and SeaMonkey before 2.10 might allow remote attackers to
execute arbitrary code via document changes involving replacement or
insertion of a node (CVE-2012-1946).

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5,
and SeaMonkey before 2.10 allow local users to obtain sensitive
information via an HTML document that loads a shortcut (aka .lnk)
file for display within an IFRAME element, as demonstrated by a
network share implemented by (1) Microsoft Windows or (2) Samba
(CVE-2012-1945).

The Content Security Policy (CSP) implementation in Mozilla Firefox
4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0
through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey
before 2.10 does not block inline event handlers, which makes it
easier for remote attackers to conduct cross-site scripting (XSS)
attacks via a crafted HTML document (CVE-2012-1944).

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before
2.10 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary
code via vectors related to (1) methodjit/ImmutableSync.cpp, (2)
the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp,
and unknown other components (CVE-2012-1938).

jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird
ESR 10.x before 10.0.5 does not properly determine data types,
which allows remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via crafted JavaScript code (CVE-2012-1939).

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5,
and SeaMonkey before 2.10 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2012-1937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1947
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
Comment 3 José Jorge 2012-06-11 14:07:17 CEST
OK here, on x86_64, French and lightning.

CC: (none) => lists.jjorge

Comment 4 claire robinson 2012-06-12 17:55:04 CEST
Note to our new QA testers - If you are testing this then please also test thunderbird-lightning and thunderbird-enigmail which are part of the same SRPM.
Comment 5 Juergen Harms 2012-06-12 22:23:21 CEST
Picking this up for QA testing on x86-64 and i586

CC: (none) => juergen.harms

Hans Micheelsen 2012-06-13 16:19:27 CEST

CC: (none) => micheelsen

Comment 6 Juergen Harms 2012-06-14 18:01:34 CEST
The references (plus googling) do not suffice for CVE-specific testing. 
Therefore testing against regressions using thunderbird in a production 
environment.

List of items verified
----------------------
Plain thunderbird
- GUI customisation
- Account creation
- Folder management (creation, deletion)
- Receiving (imap, pop) and sending messages (without pgp)
- Selecting & moving messages
- Creating, applying filters (including junk)
- Marking & tagging messages
- Compacting
- Searching
- Address book (importing, modifying, using)
- Spell checking (tried German and French)

Enigmail
- Setup wizard
- Sending messages with pgp

Lightning
- Event handling (creation, editing)
- Reminders
- Calendar creation
- Importing a calendar (.ics) exported from korganizer

Done so far on mga2-64: works fine, no regressions found.



Simplified advisory
-------------------
I tried to make the advisory shorter and easier to read - here is an
alternative suggestion, trying to focus on what a user might expect
(maybe still too extensive - I tried not to eliminate info from the 
original proposal).

Updated mozilla-thunderbird packages fix security vulnerabilities:

Issues addressed by these fixes are (in the order of the CVE 
references quoted below):
- multiple unspecified vulnerabilities in the browser engine allow remote 
  attackers to cause a denial of service (memory corruption and application 
  crash) or possibly execute arbitrary code via unknown vectors
- multiple unspecified vulnerabilities in the browser engine allow remote 
  attackers to cause a denial of service (memory corruption and application 
  crash) or possibly execute arbitrary code via vectors related to (1) 
  methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function 
  in js/src/jsarray.cpp, and unknown other components
- jsinfer.cpp does not properly determine data types, which allows remote 
  attackers to cause a denial of service (memory corruption and application 
  crash) or possibly execute arbitrary code via crafted JavaScript code
- use-after-free vulnerability: a remote attacker can execute arbitrary code
  or cause a denial of service by changing the size of a container of 
  absolutely positioned elements in a column (nsFrameList::FirstChild function)
- heap-based buffer overflow allows remote attackers to execute arbitrary code 
  or cause a denial of service (heap memory corruption and application crash) 
  by changing the size of a container of absolutely positioned elements in a 
  column (nsHTMLReflowState::CalculateHypotheticalBox function)
- failure by the Content Security Policy (CSP) implementation to block inline
  event handlers, which makes it easier for remote attackers to conduct 
  cross-site scripting (XSS) attacks via a crafted HTML document 
- obtaining sensitive information by a local user via an HTML document that
  loads a shortcut (aka .lnk) file for display within an IFRAME element
- use-after-free vulnerability might allow remote attackers to execute 
  arbitrary code via document changes involving replacement or insertion 
  of a node (nsINode::ReplaceOrInsertBefore function)
- heap-based buffer overflow allows remote attackers to execute arbitrary 
  code via vectors that trigger a character-set conversion failure
  (utf16_to_isolatin1 function)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1947
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html

Whiteboard: mga1-64-OK, => mga1-64-OK, mga2-64-OK

Comment 7 Dave Hodgins 2012-06-15 02:05:58 CEST
Testing complete in Mageia 1 i586 including enigmail and lightning.

I'll test Mageia 2 i586 shortly.

CC: (none) => davidwhodgins
Whiteboard: mga1-64-OK, mga2-64-OK => mga1-64-OK, mga2-64-OK, mga1-32-OK

Comment 8 Dave Hodgins 2012-06-15 02:40:44 CEST
Testing complete in Mageia 2 i586 including enigmail and lightning.

Found a problem with gpg-agent.  I've added a patch to bug 5360 to fix it.
Once that's fixed, thunderbird with enigmail is working.

Could someone from the sysadmin team push the srpms
thunderbird-10.0.5-1.mga2.src.rpm
thunderbird-l10n-10.0.5-1.mga2.src.rpm
from Mageia 1 Core Updates Testing to Core Updates and the srpms
thunderbird-l10n-10.0.5-1.mga2.src.rpm
thunderbird-10.0.5-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated mozilla-thunderbird packages fix security vulnerabilities:

Issues addressed by these fixes are (in the order of the CVE 
references quoted below):
- multiple unspecified vulnerabilities in the browser engine allow remote 
  attackers to cause a denial of service (memory corruption and application 
  crash) or possibly execute arbitrary code via unknown vectors
- multiple unspecified vulnerabilities in the browser engine allow remote 
  attackers to cause a denial of service (memory corruption and application 
  crash) or possibly execute arbitrary code via vectors related to (1) 
  methodjit/ImmutableSync.cpp, (2) the JSObject::makeDenseArraySlow function 
  in js/src/jsarray.cpp, and unknown other components
- jsinfer.cpp does not properly determine data types, which allows remote 
  attackers to cause a denial of service (memory corruption and application 
  crash) or possibly execute arbitrary code via crafted JavaScript code
- use-after-free vulnerability: a remote attacker can execute arbitrary code
  or cause a denial of service by changing the size of a container of 
  absolutely positioned elements in a column (nsFrameList::FirstChild function)
- heap-based buffer overflow allows remote attackers to execute arbitrary code 
  or cause a denial of service (heap memory corruption and application crash) 
  by changing the size of a container of absolutely positioned elements in a 
  column (nsHTMLReflowState::CalculateHypotheticalBox function)
- failure by the Content Security Policy (CSP) implementation to block inline
  event handlers, which makes it easier for remote attackers to conduct 
  cross-site scripting (XSS) attacks via a crafted HTML document 
- obtaining sensitive information by a local user via an HTML document that
  loads a shortcut (aka .lnk) file for display within an IFRAME element
- use-after-free vulnerability might allow remote attackers to execute 
  arbitrary code via document changes involving replacement or insertion 
  of a node (nsINode::ReplaceOrInsertBefore function)
- heap-based buffer overflow allows remote attackers to execute arbitrary 
  code via vectors that trigger a character-set conversion failure
  (utf16_to_isolatin1 function)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1947
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html

https://bugs.mageia.org/show_bug.cgi?id=6390

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: mga1-64-OK, mga2-64-OK, mga1-32-OK => mga1-64-OK, mga2-64-OK, mga1-32-OK, mga2-32-OK

Comment 9 David Walser 2012-06-15 03:15:26 CEST
Could we please use the original advisory posted in Comment 2?  It fits our standard format.
Comment 10 Dave Hodgins 2012-06-15 09:06:39 CEST
(In reply to comment #9)
> Could we please use the original advisory posted in Comment 2?  It fits our
> standard format.

Fine with me.
Comment 11 Thomas Backlund 2012-06-19 21:04:56 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0120

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

