891217 – <mail-client/thunderbird{-bin,}-102.7.0: multiple vulnerabilities

Bug 891217 - <mail-client/thunderbird{-bin,}-102.7.0: multiple vulnerabilities

Summary: <mail-client/thunderbird{-bin,}-102.7.0: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://www.mozilla.org/en-US/securit...
Whiteboard:	A2 [glsa+]
Keywords:

Depends on:	qt-5.15.8-stable
Blocks:	CVE-2022-46871, CVE-2022-46872, CVE-2022-46874, CVE-2022-46875, CVE-2022-46877, CVE-2022-46878, CVE-2022-46880, CVE-2022-46881, CVE-2022-46882 CVE-2023-23598, CVE-2023-23599, CVE-2023-23601, CVE-2023-23602, CVE-2023-23603, CVE-2023-23605
	Show dependency tree

Reported:	2023-01-17 18:00 UTC by John Helmert III
Modified:	2023-05-03 10:09 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2023-01-17 18:00:37 UTC

No advisory for this round yet, but there is one from last time (which unfortunately reuses an already used CVE...):

https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/

Please stabilize thunderbird-102.6.1.

Comment 1 Joonas Niilola gentoo-dev

2023-01-17 18:05:25 UTC

(In reply to John Helmert III from comment #0)
> No advisory for this round yet, ...
> 
> Please stabilize thunderbird-102.6.1.

"yet" ;) I expect 102.7.0 to be out within 24 hours, or at least by friday so it's best to stabilize that instead. If no security adversaries are posted with the release, 102.6.1 will go. Would be great to pair thunderbird with bug 888946 if needed.

But let's give it few days and wait for 102.7.0 first.

Comment 2 Joonas Niilola gentoo-dev

2023-01-19 07:06:39 UTC

So looks like 102.7.0 is delayed due to https://hg.mozilla.org/releases/comm-esr102/rev/37f32ce1863b being broken. Knowing that I may be a bit reluctant fast-stabilizing 102.7.0 at all, even with security fixes, so I'm gonna start with 102.6.1 and hope it buys some time.

Comment 3 Larry the Git Cow gentoo-dev

2023-01-19 08:54:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4099efdfd72e809623c4f1077fe4767c24e6ab8

commit f4099efdfd72e809623c4f1077fe4767c24e6ab8
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-01-19 08:53:51 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-01-19 08:54:19 +0000

    mail-client/thunderbird: stabilize 102.6.1 for amd64
    
    Bug: https://bugs.gentoo.org/891217
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-102.6.1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 4 John Helmert III archtester

2023-01-25 19:21:33 UTC

Well, hopefully wrangled the aliases properly. Waiting on unmasking of a fixed version.

Comment 5 John Helmert III archtester

2023-01-25 19:32:11 UTC

GLSA request filed

Comment 6 Larry the Git Cow gentoo-dev

2023-01-30 06:16:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86af4490a19aaf73d3481323bb4ebf0d38ca7f3f

commit 86af4490a19aaf73d3481323bb4ebf0d38ca7f3f
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-01-30 06:16:13 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-01-30 06:16:34 +0000

    mail-client/thunderbird: drop 102.6.0
    
    Bug: https://bugs.gentoo.org/891217
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                   |   65 --
 mail-client/thunderbird/thunderbird-102.6.0.ebuild | 1177 --------------------
 2 files changed, 1242 deletions(-)

Comment 7 Larry the Git Cow gentoo-dev

2023-02-01 05:52:59 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7cabad7ea19c41d685ac6857d24f0cd63ff6f881

commit 7cabad7ea19c41d685ac6857d24f0cd63ff6f881
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-02-01 05:50:58 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-01 05:52:56 +0000

    mail-client/thunderbird: add 102.7.1
    
    Bug: https://bugs.gentoo.org/891217
    Closes: https://bugs.gentoo.org/892465
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                   |   66 ++
 mail-client/thunderbird/thunderbird-102.7.1.ebuild | 1172 ++++++++++++++++++++
 2 files changed, 1238 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=451b4cd908ada85dde57de5b485eac3782e41691

commit 451b4cd908ada85dde57de5b485eac3782e41691
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2023-02-01 05:50:11 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2023-02-01 05:52:56 +0000

    mail-client/thunderbird-bin: add 102.7.1
    
    Bug: https://bugs.gentoo.org/891217
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  66 +++++
 .../thunderbird-bin/thunderbird-bin-102.7.1.ebuild | 325 +++++++++++++++++++++
 2 files changed, 391 insertions(+)

Comment 8 Larry the Git Cow gentoo-dev

2023-05-03 10:05:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=1df1a35313a092ebe845f59cac3ae44f876c5197

commit 1df1a35313a092ebe845f59cac3ae44f876c5197
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-05-03 10:03:08 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-05-03 10:05:28 +0000

    [ GLSA 202305-13 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/885815
    Bug: https://bugs.gentoo.org/891217
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202305-13.xml | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)