Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 727118 (CVE-2020-12398)

Summary: <mail-client/thunderbird{-bin}-68.9.0: Multiple vulnerabilities (MFSA-2020-22)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2020-22/
Whiteboard: B2 [glsa+ cve]
Package list:
=mail-client/thunderbird-68.9.0 * =dev-util/cbindgen-0.14.2 *
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 807352, 727120    

Description Sam James archtester gentoo-dev Security 2020-06-04 12:32:40 UTC
* CVE-2020-12410

Description:
"Mozilla developers Tom Tung and Karl Tomlinson reported memory safety bugs present in Firefox 68.8. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."

* CVE-2020-12398

Description:
"If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with an unencrypted connection, causing email data to be sent without protection."
Comment 1 NATTkA bot gentoo-dev 2020-06-04 12:40:35 UTC
Sanity check failed:

> mail-client/thunderbird-68.9.0
>   depend ppc64 stable profile default/linux/powerpc/ppc64/17.0/64bit-userland (9 total)
>     >=dev-util/cbindgen-0.8.7
>   depend ppc64 dev profile default/linux/ppc64le/17.0/desktop/plasma (2 total)
>     >=dev-util/cbindgen-0.8.7
Comment 2 Larry the Git Cow gentoo-dev 2020-06-04 22:21:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=17f55e1b324b7eec6a44f4c0c67362eb6ab07fa4

commit 17f55e1b324b7eec6a44f4c0c67362eb6ab07fa4
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 22:20:45 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 22:21:01 +0000

    mail-client/thunderbird-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/727118
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird-bin/Manifest               | 166 ------------------
 .../thunderbird-bin/thunderbird-bin-60.9.1.ebuild  | 189 ---------------------
 .../thunderbird-bin/thunderbird-bin-68.8.0.ebuild  | 182 --------------------
 .../thunderbird-bin/thunderbird-bin-68.8.1.ebuild  | 182 --------------------
 4 files changed, 719 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49692752cdf114588c51696622bc72020392a6c3

commit 49692752cdf114588c51696622bc72020392a6c3
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 22:20:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 22:21:00 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/727118
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/Manifest                  |  54 --
 mail-client/thunderbird/thunderbird-68.8.1.ebuild | 777 ----------------------
 2 files changed, 831 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbdc236c9d392006e0c07cfcabb223f704fd7ead

commit cbdc236c9d392006e0c07cfcabb223f704fd7ead
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-06-04 22:17:41 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 22:20:58 +0000

    mail-client/thunderbird: amd64 & x86 stable
    
    Bug: https://bugs.gentoo.org/727118
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/thunderbird-68.9.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2020-06-15 15:53:09 UTC
This issue was resolved and addressed in
 GLSA 202006-19 at https://security.gentoo.org/glsa/202006-19
by GLSA coordinator Aaron Bauman (b-man).