| Summary: | <mail-client/thunderbird{,-bin}-60.3.0 - multiple vulnerabilities (MFSA-2018-28) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ian Stakenvicius (RETIRED) <axs> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | Manfred.Knick |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.mozilla.org/en-US/security/advisories/mfsa2018-28/ | | |
| Whiteboard: | B2 [glsa+ cve] | | |
| Package list: | =mail-client/thunderbird-60.3.0 | | |
| Runtime testing required: | --- | | |
Description

Ian Stakenvicius (RETIRED)

Ebuilds pushed to gentoo repo. Arches please stabilize when ready.

Please see Bug 670104: mail-client/thunderbird-60.3.0 thunderbird-60.3.0-de.xpi Filesize does not match recorded size

x86 stable

amd64 stable

@ Maintainer(s): Please cleanup and drop <mail-client/thunderbird-60.3.0!

Somehow the =mail-client/thunderbird-bin-60.3.0 atom in the package list was eaten.. I see where I added it but not where it was dropped. Anyways, I've pushed it directly to stable as well (since there's nothing we can do about it anyways, binary package and all).

Versions prior to 60.0 are p.masked for removal by year-end -- the jump from 52 to 60 could still be problematic for some deployments.

New GLSA request filed.

Update broken. Portage does not install 60+ version but wants to remove 60- versions due to masking. Can you please fix this so either 60+ can be emerged or push back the masking of 60- until this issue is fixed?

(My report is based on a fresh sync today)

(In reply to Plüss Roland from comment #8)
> Update broken. Portage does not install 60+ version but wants to remove 60-
> versions due to masking. Can you please fix this so either 60+ can be
> emerged or push back the masking of 60- until this issue is fixed?
>
> (My report is based on a fresh sync today)

Please file a new bug with all the usual details. There should not be a reason for portage disallowing an update to 60+

This issue was resolved and addressed in GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13 by GLSA coordinator Aaron Bauman (b-man).

(In reply to GLSAMaker/CVETool Bot from comment #10)
> This issue was resolved and addressed in
> GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13
> by GLSA coordinator Aaron Bauman (b-man).

Just realized that

    . . . [-P-] [M ] mail-client/thunderbird-52.9.1:0

is still contained in MainPortageTree?

(In reply to Manfred Knick from comment #11)
> (In reply to GLSAMaker/CVETool Bot from comment #10)
> > This issue was resolved and addressed in
> > GLSA 201811-13 at https://security.gentoo.org/glsa/201811-13
> > by GLSA coordinator Aaron Bauman (b-man).
> Just realized that
>
> . . . [-P-] [M ] mail-client/thunderbird-52.9.1:0
>
> is still contained in MainPortageTree ?

...which isn't a problem and package is masked with a clear message indicating security problems:

> on behalf of Mozilla Project Mask old/vuln thunderbird for removal by 2019, see security bug 670102

(In reply to Thomas Deutschmann from comment #12)
> ...which isn't a problem and package is masked with a clear message
> indicating security problems:

Sure, Thomas! That's exactly why I cited the "[M ]" in front. Just wondering why all the later versions in between have been deleted, but exactly this one is being kept. I definitely expected that to have its reason behind - but I was not able to find out which one; can you help with a hint?

52.9.1 is the last version in the 52.x series, the 60.x series has some regressions compared to 52.x. New versions being released in 60.x are security and bugfix updates to previous releases in the 60.x series and so it doesn't make sense to keep them around. We will likely keep the last of the 60.x series in the repo for a while as we continue to update the 68.x series for similar reasons, although I read a note from upstream that 68.2.2 should address all regressions.

(In reply to Ian Stakenvicius from comment #14)

Ian, thank you for enlightening me, very much!

> ... I read a
> note from upstream that 68.2.2 should address all regressions.

Could you perhaps share a reference, please, as info for Bug 693602?

The current package list in this bug includes -bin version. However, it is not in sync with the src version. Did you forget about it -bin? Please sync.

No. Multiple things to keep in mind:

1) You are writing in an old, already closed bug from 1y ago.

2) mail-client/thunderbird-bin ebuilds will be committed straight to stable, therefore they will never show in package list in security bugs (only summary) because package list field is only for stabilization work.