Source:
https://archive.mozilla.org/pub/thunderbird/releases/60.2.1/source/thunderbird-60.2.1.source.tar.xz
https://archive.mozilla.org/pub/thunderbird/releases/60.2.1/source/thunderbird-60.2.1.source.tar.xz.asc

Release info (fixes): https://www.thunderbird.net/en-US/thunderbird/60.2.1/releasenotes/
Security fixes: https://www.mozilla.org/en-US/security/advisories/mfsa2018-25/

There are an estimated one critical and two high security alerts fixed:

CVE-2018-12376: Memory safety bugs fixed in Firefox 62 and Firefox ESR 60.2
Reporter: Mozilla developers and community
Impact: critical

CVE-2018-12377: Use-after-free in refresh driver timers
Reporter: Nils
Impact: high

CVE-2018-12378: Use-after-free in IndexedDB
Reporter: Zhanjia Song
Impact: high

Trying a simple bump from:
mv thunderbird-60.0-r3.ebuild thunderbird-60.2.1.ebuild
ends with a configure error:
---
0:12.99 --enable-ldap
0:12.99 --enable-calendar
0:12.99 --without-ccache
0:12.99 --enable-extensions=default
0:12.99 checking for vcs source checkout... no
0:13.03 ERROR: Cannot find project mail
0:13.07 *** Fix above errors and then restart with\
0:13.07 "/usr/bin/gmake -f client.mk build"
0:13.07 gmake: *** [client.mk:149: configure] Error 1
 * ERROR: mail-client/thunderbird-60.2.1::pmaci failed (configure phase):
 *   (no error message)
---

Hi, Is it possible to add mail-client/thunderbird-bin to the basket, considering the security aspect of the upstream version bump? Cheers
We are working on this. But don't overrate these vulnerabilities: Yes, they are present in Thunderbird just because Thunderbird is based on the same core as Firefox and these vulns were found in Firefox. However, most users won't use Thunderbird to open arbitrary web pages, and viewing HTML mails won't run any JS. So the normal user isn't really affected. But we are working on updated ebuilds.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ab4be61d5a1afb23c84a3df9a4d8e29dcd68199

commit 5ab4be61d5a1afb23c84a3df9a4d8e29dcd68199
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-10-09 12:16:40 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-10-09 12:17:00 +0000

    mail-client/thunderbird-bin: bump to v60.2.1

    Bug: https://bugs.gentoo.org/668036
    Package-Manager: Portage-2.3.50, Repoman-2.3.11
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  55 +++++++
 .../thunderbird-bin/thunderbird-bin-60.2.1.ebuild  | 164 +++++++++++++++++++++
 2 files changed, 219 insertions(+)

(In reply to Ulenrich from comment #2)
> 0:13.03 ERROR: Cannot find project mail

My error was due to using an old eclass/mozconfig* in local overlay. Sorry for disturbing.

I found an ebuild from https://github.com/perfect7gentleman/pg_overlay which seems to work now, like:
---
# emerge -1 =mail-client/thunderbird-60.2.1

These are the packages that would be merged, in order:

Calculating dependencies ... .... ....... done!
[ebuild U ] mail-client/thunderbird-60.2.1::pmaci [52.9.1::gentoo] USE="-bindist -clang% (-crypt%*) custom-cflags -custom-optimization dbus -debug (-gtk2%) hardened -jack% (-jemalloc%*) jit%* -kde% (-ldap%) lightning (-minimal%*) -mozdom (-neon) pulseaudio (-rust%) (-selinux) startup-notification (-system-cairo%) system-harfbuzz system-icu system-jpeg system-libevent system-libvpx system-sqlite wifi" L10N="(-ar%) (-ast%) (-be%) (-bg%) (-bn-BD%) (-br%) (-ca%) (-cs%) (-cy%) (-da%) de (-el%) -en-GB (-es-AR%) (-es-ES%) (-et%) (-eu%) (-fi%) (-fr%) (-fy%) (-ga%) (-gd%) (-gl%) (-he%) (-hr%) (-hsb%) (-hu%) (-hy%) (-id%) (-is%) (-it%) (-ja%) (-ko%) (-lt%) (-nb%) (-nl%) (-nn%) (-pa%) (-pl%) (-pt-BR%) (-pt-PT%) (-rm%) (-ro%) -ru (-si%) (-sk%) (-sl%) (-sq%) (-sr%) (-sv%) (-ta-LK%) (-tr%) (-uk%) (-vi%) (-zh-CN%) (-zh-TW%)" 0 KiB

Total: 1 package (1 upgrade), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Running pre-merge checks for mail-client/thunderbird-60.2.1
---
just running ...

I changed the patchset of the ebuild to a newer one:
< PATCHFF="firefox-60.0-patches-02"
---
> PATCHFF="firefox-60.0-patches-03"

The ebuild from pg_overlay emerges perfectly and runs fine:
mail-client/thunderbird-60.2.1
---
I found a little issue in the build log:
 * The version of lightning used for localization differs from the version
 * in thunderbird. Please update MOZ_LIGHTNING_VER in the ebuild from 6.2
 * to 6.2.2.1

If I update the MOZ_LIGHTNING_VER variable accordingly in the ebuild, then the download of the lightning source fails (not found).

And Lightning is the reason why we haven't pushed a new ebuild yet: This TB version requires a newer version. But we don't know how to re-generate the tarball with our changes (patched gdata stuff) and localization.
You should simply mask the USE lightning and then release thunderbird-60.2.1 with the hint: if you don't need Google calendar api to work then you can unmask if you want lightning to work

Created attachment 551444
fix for gdata found at Debian sources

This patch I found searching through Debian sources. But I don't know where to apply it.

(In reply to Ulenrich from comment #9)
> You should simply mask the USE lightning and then
> release thunderbird-60.2.1 with the hint:
> if you don't need Google calendar api to work then you can unmask
> if you want lightning to work

It's not that easy - The lightning USE flag controls whether or not lightning is system-installed, but lightning is -always- installed no matter what. Without USE=lightning then it's installed as an addon that force-installs itself into the user's profile on startup.

In both cases, lightning for non en-US locales is broken, that is, it doesn't exist. So although we -could- ship it and it will work for anyone using en-US just fine, it won't work for everyone else.

At this point, due to the changes with the build system starting with v60, even lightning upstream doesn't know how to roll a version of it that contains alternate locales. The only solution at present is to build the lightning and gdata-provider addons by hand, by merging the various relevant bits from the object-dir of a thunderbird build for each locale. Which is slow, and massively wasteful of compute resources, but it's what I'm doing.

(In reply to Ulenrich from comment #10)
> Created attachment 551444
> fix for gdata found at Debian sources
>
> This patch I found searching through Debian sources. But I don't know where
> to apply it.

This patch is irrelevant to the issue at hand. Gdata-provider builds fine, the issue is that (just like lightning) it seems impossible to trigger builds for different locales other than the primary one.

@Ian, if
> In both cases, lightning for non en-US locales is broken, that is, it doesn't
> exist. So although we -could- ship it and it will work for anyone using en-US
> just fine, it won't work for everyone else.
> At this point, due to the changes with the build system starting with v60, even
> lightning upstream doesn't know how to roll a version of it that contains
> alternate locales.

upstream Mozilla is in such a mess with locales other than en-US

Then I surely prefer to just superimpose the en-US locale on all users and publicly blame upstream for this and have all "critical" security issues announced by Mozilla solved.

Why not go that path the easy way?
(isn't security more important than locales?)

Mozilla-overlay now has a complete thunderbird-60.2.1. If all is well, it will be transferred to the gentoo repo within 12 hours and stablereq’d within the following 24 hours.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=914833ec88af2bb51c7d4a6efd31503d2727e5a4

commit 914833ec88af2bb51c7d4a6efd31503d2727e5a4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-10-18 09:03:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-10-18 09:04:06 +0000

    mail-client/thunderbird: bump to v60.2.1

    Closes: https://bugs.gentoo.org/668036
    Package-Manager: Portage-2.3.51, Repoman-2.3.11
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/Manifest                  |  56 +++
 mail-client/thunderbird/thunderbird-60.2.1.ebuild | 569 ++++++++++++++++++++++
 2 files changed, 625 insertions(+)