Bug 802759 (CVE-2021-29969)

Summary:	<mail-client/thunderbird{-bin,}-78.12.0: multiple vulnerabilities (CVE-2021-29969)
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	mozilla
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.mozilla.org/en-US/security/advisories/mfsa2021-30/
Whiteboard:	A2 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	807352, 802756

Description John Helmert III archtester

2021-07-18 16:13:20 UTC

CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS could be processed

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server.


More vulnerabilities at tracker. Fixed in 78.12. Still need bump for -bin.

Comment 1 Larry the Git Cow gentoo-dev

2021-07-21 11:10:58 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d8979757af1f878471fdac154fd132e4942db2ed

commit d8979757af1f878471fdac154fd132e4942db2ed
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 11:09:48 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 11:09:48 +0000

    mail-client/thunderbird-bin: drop 78.11.0
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  66 ----
 .../thunderbird-bin/thunderbird-bin-78.11.0.ebuild | 378 ---------------------
 2 files changed, 444 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=338e4b1fe6a0856ba94eeacc770facc5218996ee

commit 338e4b1fe6a0856ba94eeacc770facc5218996ee
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 11:09:00 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 11:09:00 +0000

    mail-client/thunderbird-bin: add 78.12.0
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird-bin/Manifest               |  66 ++++
 .../thunderbird-bin/thunderbird-bin-78.12.0.ebuild | 378 +++++++++++++++++++++
 2 files changed, 444 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2021-07-21 13:29:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=33648758419ed0b3ab4b047a8b09e7f09ed217d1

commit 33648758419ed0b3ab4b047a8b09e7f09ed217d1
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 13:23:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 13:29:28 +0000

    mail-client/thunderbird: stabilize 78.12.0 for amd64
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-78.12.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e7e94d01f13b3b7dee80058c3f5b6bede6abb653

commit e7e94d01f13b3b7dee80058c3f5b6bede6abb653
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-21 12:36:23 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-21 13:29:28 +0000

    mail-client/thunderbird: stabilize 78.12.0 for x86
    
    Bug: https://bugs.gentoo.org/802759
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/thunderbird-78.12.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 3 Joonas Niilola gentoo-dev

2021-07-21 13:30:56 UTC

Gonna wait for ~2 days before cleaning the old version, just in case.

Comment 4 John Helmert III archtester

2021-07-21 21:48:45 UTC

(In reply to Joonas Niilola from comment #3)
> Gonna wait for ~2 days before cleaning the old version, just in case.

Thank you!

Comment 5 Larry the Git Cow gentoo-dev

2021-07-23 19:05:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6d0cf19c70d0483f79f7dcaa744c97dc7ad55e1d

commit 6d0cf19c70d0483f79f7dcaa744c97dc7ad55e1d
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-23 19:03:51 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-23 19:05:45 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/802759
    
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 mail-client/thunderbird/Manifest                   |   66 --
 mail-client/thunderbird/thunderbird-78.11.0.ebuild | 1108 --------------------
 2 files changed, 1174 deletions(-)

Comment 6 NATTkA bot gentoo-dev

2021-07-29 17:20:56 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 7 NATTkA bot gentoo-dev

2021-07-29 17:29:03 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 8 NATTkA bot gentoo-dev

2021-07-29 17:36:59 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 9 NATTkA bot gentoo-dev

2021-07-29 17:45:02 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 10 NATTkA bot gentoo-dev

2021-07-29 17:53:05 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 11 NATTkA bot gentoo-dev

2021-07-29 17:57:01 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 18:01:01 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 18:09:19 UTC

Package list is empty or all packages have requested keywords.

Comment 14 Larry the Git Cow gentoo-dev

2022-08-10 04:18:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=8856093f804feeda5fe9097d49ba3307aaefc9c2

commit 8856093f804feeda5fe9097d49ba3307aaefc9c2
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-10 04:08:55 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-08-10 04:17:36 +0000

    [ GLSA 202208-14 ] Mozilla Thunderbird: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/794085
    Bug: https://bugs.gentoo.org/802759
    Bug: https://bugs.gentoo.org/807943
    Bug: https://bugs.gentoo.org/811912
    Bug: https://bugs.gentoo.org/813501
    Bug: https://bugs.gentoo.org/822294
    Bug: https://bugs.gentoo.org/828539
    Bug: https://bugs.gentoo.org/831040
    Bug: https://bugs.gentoo.org/833520
    Bug: https://bugs.gentoo.org/834805
    Bug: https://bugs.gentoo.org/845057
    Bug: https://bugs.gentoo.org/846596
    Bug: https://bugs.gentoo.org/849047
    Bug: https://bugs.gentoo.org/857048
    Bug: https://bugs.gentoo.org/864577
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202208-14.xml | 165 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 165 insertions(+)

Comment 15 John Helmert III archtester

2022-08-10 04:28:32 UTC

GLSA released, all done!