Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 745432 (MFSA-2020-44)

Summary: <mail-client/thunderbird{,-bin}-78.3.1: Multiple vulnerabilities (MFSA-2020-44)
Product: Gentoo Security Reporter: Sam James <sam>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: arnaudv6, mozilla
Priority: Normal Keywords: CC-ARCHES
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2020-44/
Whiteboard: A2 [glsa+ cve]
Package list:
mail-client/thunderbird-78.3.2
 Runtime testing required: ---
Bug Depends on: 746152, 746155    
Bug Blocks: 745426    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-09-29 14:38:30 UTC 
See tracker.
Comment 1 Larry the Git Cow gentoo-dev 2020-09-30 18:05:44 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6f96f350b74a65923ca6239879a5f96e100ef69

commit a6f96f350b74a65923ca6239879a5f96e100ef69
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-30 16:53:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-30 18:03:51 +0000

    mail-client/thunderbird: bump to v78.3.1
    
    Closes: https://bugs.gentoo.org/698986
    Closes: https://bugs.gentoo.org/733062
    Bug: https://bugs.gentoo.org/745432
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/Manifest                   |  66 ++
 .../thunderbird/files/gentoo-default-prefs.js      |   7 +
 .../thunderbird/files/icon/thunderbird-r2.desktop  |  30 +
 .../thunderbird/files/thunderbird-wayland.sh       |   7 +
 mail-client/thunderbird/files/thunderbird-x11.sh   |   7 +
 mail-client/thunderbird/files/thunderbird.sh       | 128 +++
 mail-client/thunderbird/metadata.xml               |   2 +
 mail-client/thunderbird/thunderbird-78.3.1.ebuild  | 990 +++++++++++++++++++++
 8 files changed, 1237 insertions(+)
Comment 2 NATTkA bot gentoo-dev Security 2020-09-30 19:36:49 UTC 
Unable to check for sanity:

> no match for package: www-client/thunderbird-78.3.1
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-01 10:32:07 UTC 
*** Bug 745828 has been marked as a duplicate of this bug. ***
Comment 4 NATTkA bot gentoo-dev Security 2020-10-01 11:04:54 UTC 
Sanity check failed:

> mail-client/thunderbird-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 5 NATTkA bot gentoo-dev Security 2020-10-02 15:26:25 UTC 
Sanity check failed:

> mail-client/thunderbird-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
Comment 6 NATTkA bot gentoo-dev Security 2020-10-02 22:12:59 UTC 
Sanity check failed:

> mail-client/thunderbird-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-03 14:21:41 UTC 
amd64 done
Comment 8 NATTkA bot gentoo-dev Security 2020-10-03 14:25:00 UTC 
Sanity check failed:

> mail-client/thunderbird-78.3.1
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 9 NATTkA bot gentoo-dev Security 2020-10-03 14:36:59 UTC 
All sanity-check issues have been resolved
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-03 20:14:27 UTC 
x86 done

all arches done
Comment 11 Larry the Git Cow gentoo-dev 2020-10-10 17:40:39 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa3600bae5192b1d976fb6271e947ead3f1e71f9

commit aa3600bae5192b1d976fb6271e947ead3f1e71f9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:50:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:16 +0000

    mail-client/thunderbird-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/745432
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird-bin/Manifest               | 122 -------
 .../thunderbird-bin/files/10thunderbird-bin        |   1 -
 .../files/icon/thunderbird-bin.desktop             |  10 -
 .../files/thunderbird-gentoo-default-prefs-r1.js   |  12 -
 mail-client/thunderbird-bin/metadata.xml           |   3 -
 .../thunderbird-bin/thunderbird-bin-68.12.0.ebuild | 186 -----------
 .../thunderbird-bin-78.3.1-r2.ebuild               | 370 ---------------------
 7 files changed, 704 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30d0f6f5f6a97198040a99db02590416f24efa6e

commit 30d0f6f5f6a97198040a99db02590416f24efa6e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 14:25:16 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:13 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/745432
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/Manifest                   | 130 ---
 .../files/1000_fix_gentoo_preferences.patch        |  25 -
 .../files/icon/thunderbird-unbranded.desktop       |  10 -
 .../thunderbird/files/icon/thunderbird.desktop     |   9 -
 .../files/thunderbird-gentoo-default-prefs.js-2    |  10 -
 mail-client/thunderbird/metadata.xml               |  10 -
 mail-client/thunderbird/thunderbird-68.12.0.ebuild | 810 -----------------
 mail-client/thunderbird/thunderbird-78.3.1.ebuild  | 984 ---------------------
 profiles/arch/alpha/package.use.mask               |   1 -
 profiles/arch/ia64/package.use.mask                |   1 -
 10 files changed, 1990 deletions(-)
Comment 12 NATTkA bot gentoo-dev Security 2020-10-10 17:48:55 UTC 
Unable to check for sanity:

> no match for package: mail-client/thunderbird-78.3.1
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2020-10-17 09:07:27 UTC 
This issue was resolved and addressed in
 GLSA 202010-02 at https://security.gentoo.org/glsa/202010-02
by GLSA coordinator Sam James (sam_c).