Bug #16118

Rebase Thunderbird on top of 1:60.3.0-1~deb9u1

Added by intrigeri about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Elevated
Assignee: -
Category: -
Target version:
Start date: 11/11/2018
Due date:
% Done: 100%
Feature Branch: feature/16118-thunderbird-60.3.0
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client

Description

Some of https://security-tracker.debian.org/tracker/CVE-2018-12389, https://security-tracker.debian.org/tracker/CVE-2018-12390, https://security-tracker.debian.org/tracker/CVE-2018-12392 are rated critical or high impact by Mozilla because of "evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code" and a "potentially exploitable crash".

We're not vulnerable to CVE-2018-12393 because we only support 64-bit.


Related issues

Blocks Tails - Feature #15506: Core work 2018Q4: Foundations Team Resolved 04/08/2018

Associated revisions

Revision 20baa2df (diff)
Added by anonym about 1 year ago

Enable the feature-16118-thunderbird-60.3.0 APT overlay.

Will-fix: #16118

Revision 78a06051 (diff)
Added by anonym about 1 year ago

Enable the feature-16118-thunderbird-60.3.0 APT overlay.

Will-fix: #16118

Revision ff2ca99c (diff)
Added by anonym about 1 year ago

Enable the feature-16118-thunderbird-60.3.0 APT overlay.

Will-fix: #16118

Revision 13d2948b
Added by intrigeri about 1 year ago

Merge remote-tracking branch 'origin/feature/16118-thunderbird-60.3.0' into stable (Fix-committed: #16118)

History

#1 Updated by intrigeri about 1 year ago

#2 Updated by anonym about 1 year ago

  • Assignee set to anonym

I'll take this one as I'm working on #6156 and will rebuild Thunderbird anyway. It also aligns well with our plans to split some of the RM work for 3.11, Cyril.

#3 Updated by intrigeri about 1 year ago

I'll take this one as I'm working on #6156 and will rebuild Thunderbird anyway.

Great :)

It also aligns well with our plans to split some of the RM work for 3.11, Cyril.

Note that this is FT work, not RM'ing.

#4 Updated by anonym about 1 year ago

  • Status changed from Confirmed to In Progress

#5 Updated by anonym about 1 year ago

  • Assignee changed from anonym to intrigeri
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to feature/16118-thunderbird-60.3.0

All scenarios passed for me locally, so it looks good for Tails 3.11. Just so there's no confusion: I only upgraded Thunderbird; I did not update the secure-account-config patch series (#6156) like I initially said on XMPP.

#6 Updated by intrigeri about 1 year ago

  • Feature Branch changed from feature/16118-thunderbird-60.3.0 to feature/16118-thunderbird-60.3.0+force-all-tests

(I want the Thunderbird tests to run on Jenkins.)

#7 Updated by intrigeri about 1 year ago

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Ready for QA to Info Needed

Code review passes, great!

A little bit more action and info is needed.

Wrt. ad90d86d1b1b8cc0e128cfbf3f53d4d562c69a51 and more precisely "Dropping the "Allow opening links" part might want something we follow up on": indeed, something is needed, see below. But first, why did you revert this upstream change while you were refreshing our patch?

Then, I think that:

  • This is not a problem on Stretch but please confirm that you can open attachments (at least PDF) and URLs from Thunderbird in a Tails built from this branch.
  • Removing this rule will break this functionality on Buster => please file a ticket so that those who'll work on it are aware of the reason for the upcoming breakage and don't have to reverse-engineer it.

And one last question. In icedove.git there's no changelog entry for 7c93d26d3e003e1d1efc4fb1113f3aedade76cbf, while we had an entry when we added these patches. Not worth rebuilding the package but please check if this happened because our release doc is buggy or for another reason: it would be nice to have safeguards so we don't make such mistakes again in the future :)

#8 Updated by intrigeri about 1 year ago

Crap, by renaming the branch, as a side effect I've also deleted the corresponding overlay APT suite. I'm very sorry about this! The files are still there (only not in the reprepro DB anymore) so I'll try to fix this.

#9 Updated by intrigeri about 1 year ago

intrigeri wrote:

Crap, by renaming the branch, as a side effect I've also deleted the corresponding overlay APT suite. I'm very sorry about this! The files are still there (only not in the reprepro DB anymore) so I'll try to fix this.

I think I've fixed it. https://jenkins.tails.boum.org/job/build_Tails_ISO_feature-16118-thunderbird-60.3.0-force-all-tests/2/ should use the correct packages.

#10 Updated by anonym about 1 year ago

  • Assignee changed from anonym to intrigeri
  • % Done changed from 50 to 60
  • QA Check changed from Info Needed to Ready for QA
  • Feature Branch changed from feature/16118-thunderbird-60.3.0+force-all-tests to feature/16118-thunderbird-60.3.0

intrigeri wrote:

Wrt. ad90d86d1b1b8cc0e128cfbf3f53d4d562c69a51 and more precisely "Dropping the "Allow opening links" part might want something we follow up on": indeed, something is needed, see below. But first, why did you revert this upstream change while you were refreshing our patch?

I actually cannot remember what I was thinking at the time. I just recall that I noted that the file (gio-launch-desktop) doesn't even exist in current, Stretch-based, Tails so that line wasn't needed; perhaps I just got conspiranoid? :P

Then, I think that:

  • This is not a problem on Stretch but please confirm that you can open attachments (at least PDF) and URLs from Thunderbird in a Tails built from this branch.

Just to be sure I tested again, still works.

  • Removing this rule will break this functionality on Buster => please file a ticket so that those who'll work on it are aware of the reason for the upcoming breakage and don't have to reverse-engineer it.

Let's just undo my confusion and re-add it now: 7bd56418e403d7370c12bae2fc2af578d744ab94

And one last question. In icedove.git there's no changelog entry for 7c93d26d3e003e1d1efc4fb1113f3aedade76cbf, while we had an entry when we added these patches. Not worth rebuilding the package but please check if this happened because our release doc is buggy or for another reason: it would be nice to have safeguards so we don't make such mistakes again in the future :)

Agreed! Last time I just happened to remember to add a changelog entry, but there are no safeguards, and I propose we solve it with gbp dch: 97e85513f363d12ebd53d5f93a9f7ffac29f274a

I think I screwed up the branch by basing it on devel, so I have force-pushed the branch based on stable. Same for the +force-all-tests one!

#11 Updated by intrigeri about 1 year ago

  • Status changed from In Progress to 11
  • % Done changed from 60 to 100

#12 Updated by intrigeri about 1 year ago

  • QA Check changed from Ready for QA to Pass

Merged!

You might have missed that meanwhile, 60.3.1 was released; and today 60.3.2 was released too. The former is in Debian already, the latter is not. There's been no MFSA and the bugfixes they bring don't seem worth upgrading at this point. I'll keep an eye on what's coming next.

#13 Updated by intrigeri about 1 year ago

  • Assignee deleted (intrigeri)

#14 Updated by CyrilBrulebois about 1 year ago

  • Status changed from 11 to Resolved
