Bug 727118 (CVE-2020-12398)

Summary:	<mail-client/thunderbird{-bin}-68.9.0: Multiple vulnerabilities (MFSA-2020-22)
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	mozilla
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/
Whiteboard:	B2 [glsa+ cve]
Package list:	=mail-client/thunderbird-68.9.0 * =dev-util/cbindgen-0.14.2 *	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	807352, 727120

Description Sam James archtester

2020-06-04 12:32:40 UTC

* CVE-2020-12410

Description:
"Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."

* CVE-2020-12398

Description:
"If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection."

Comment 1 NATTkA bot gentoo-dev

2020-06-04 12:40:35 UTC

Sanity check failed:

> mail-client/thunderbird-68.9.0
>   depend ppc64 stable profile default/linux/powerpc/ppc64/17.0/64bit-userland (9 total)
>     >=dev-util/cbindgen-0.8.7
>   depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
>     >=dev-util/cbindgen-0.8.7

Comment 2 Larry the Git Cow gentoo-dev

2020-06-04 22:21:09 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17f55e1b324b7eec6a44f4c0c67362eb6ab07fa4

commit 17f55e1b324b7eec6a44f4c0c67362eb6ab07fa4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 22:20:45 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 22:21:01 +0000

    mail-client/thunderbird-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/727118
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird-bin/Manifest               | 166 ------------------
 .../thunderbird-bin/thunderbird-bin-60.9.1.ebuild  | 189 ---------------------
 .../thunderbird-bin/thunderbird-bin-68.8.0.ebuild  | 182 --------------------
 .../thunderbird-bin/thunderbird-bin-68.8.1.ebuild  | 182 --------------------
 4 files changed, 719 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49692752cdf114588c51696622bc72020392a6c3

commit 49692752cdf114588c51696622bc72020392a6c3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 22:20:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 22:21:00 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/727118
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/Manifest                  |  54 --
 mail-client/thunderbird/thunderbird-68.8.1.ebuild | 777 ----------------------
 2 files changed, 831 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbdc236c9d392006e0c07cfcabb223f704fd7ead

commit cbdc236c9d392006e0c07cfcabb223f704fd7ead
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 22:17:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 22:20:58 +0000

    mail-client/thunderbird: amd64 & x86 stable
    
    Bug: https://bugs.gentoo.org/727118
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/thunderbird-68.9.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 3 GLSAMaker/CVETool Bot gentoo-dev

2020-06-15 15:53:09 UTC

This issue was resolved and addressed in
 GLSA 202006-19 at https://security.gentoo.org/glsa/202006-19
by GLSA coordinator Aaron Bauman (b-man).