Opened 4 years ago
Closed 4 years ago
#13806 closed enhancement (fixed)
thunderbird-78.0
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 10.0 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New major version.
Change History (9)
comment:1 by , 4 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 4 years ago
comment:5 by , 4 years ago
| Priority: | normal → high |
|---|
First up: The security fixes
Mozilla Foundation Security Advisory 2020-29
Security Vulnerabilities fixed in Thunderbird 78
Announced
July 16, 2020
Impact
high
Products
Thunderbird
Fixed in
Thunderbird 78
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing
Reporter
Kevin Higgs
Impact
high
Description
When %2F was present in a manifest URL, Thunderbird's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory.
References
Bug 1586630
#CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster
Reporter
Alex Mayorga
Impact
high
Description
A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.
References
Bug 1639734
#CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64
Reporter
Deian Stefan
Impact
high
Description
Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.
Note: this issue only affects Firefox on ARM64 platforms.
References
Bug 1640737
#CVE-2020-12418: Information disclosure due to manipulated URL object
Reporter
Marcin 'Icewall' Noga of Cisco Talos
Impact
high
Description
Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.
References
Bug 1641303
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
Reporter
worcester12345
Impact
high
Description
When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash.
References
Bug 1643874
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
Reporter
Byron Campen
Impact
high
Description
When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.
References
Bug 1643437
#CVE-2020-15648: X-Frame-Options bypass using object or embed tags
Reporter
Frederik Braun
Impact
moderate
Description
Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header.
Note: This issue is pending a CVE assignment and will be updated when one is available.
References
Bug 1644076
#CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack
Reporter
Sohaib ul Hassan, Iaroslav Gridin, Ignacio M. Delgado-Lozano, Cesar Pereida García, Jesús-Javier Chi-Domínguez, Alejandro Cabrera Aldaya, and Billy Bob Brumley, Network and Information Security (NISEC) Group, Tampere University, Finland
Impact
moderate
Description
During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.
We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well.
Note: An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might.
References
Bug 1631597
#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates
Reporter
Chuck Harmston, Robert Hardy
Impact
moderate
Description
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.
References
Bug 1308251
#CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer
Reporter
Ronald Crane
Impact
moderate
Description
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
References
Bug 1450353
#CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library
Reporter
Riccardo Ancarani
Impact
moderate
Description
When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Thunderbird may have loaded the DLL, leading to arbitrary code execution.
Note: This issue only affects the Windows operating system; other operating systems are unaffected.
References
Bug 1642400
#CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process
Reporter
Paul Theriault
Impact
low
Description
When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt.
References
Bug 1562600
#CVE-2020-12425: Out of bound read in Date.parse()
Reporter
Bruno Keith
Impact
low
Description
Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure.
References
Bug 1634738
#CVE-2020-12426: Memory safety bugs fixed in Thunderbird 78
Reporter
Mozilla developers and community
Impact
high
Description
Mozilla developers and community members Bob Clary, Benjamin Bouvier, Calixte Denizet, Christian Holler reported memory safety bugs present in Thunderbird 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References
Memory safety bugs fixed in Thunderbird 78
comment:6 by , 4 years ago
Here are the release notes for TB-78.
A few things stick out to me:
Address Books are converted to SQLite. That makes this version of Thunderbird incompatible with previous versions. After upgrading Thunderbird, you'll no longer be able to use your profile in an older version.
Some of the UI elements seem to have changed.
The Calendar add-on is now integrated into Thunderbird itself
If you're using Enigmail for OpenPGP stuff, DO NOT UPGRADE. Thunderbird includes it's own OpenPGP stack now, although it's disabled by default and won't be enabled until 78.2.
Check out "What’s New" and "Known Issues" for this version of Thunderbird below. As always, you’re encouraged to tell us what you think, or file a bug in Bugzilla
Thunderbird version 78.0 is only offered as direct download from thunderbird.net and not as an upgrade from Thunderbird version 68 or earlier. A future release will provide updates from earlier versions.
Add-on support: As of version 78.0, Thunderbird only supports MailExtensions. Your favorite add-ons may not have been updated for compatibility.
At this time, users of the Enigmail Add-on should not update to Thunderbird 78.
OpenPGP functionality for Thunderbird 78 is still work in progress, and is disabled by default in the initial 78.0 release. See the wiki for how to enable and help with testing.
System Requirements: Details
Windows: Windows 7 or later
Mac: macOS 10.9 or later
Linux: GTK+ 3.14 or higher
What’s New
new
New Account Hub for centralized account setup
new
Redesigned recipient address fields (To, Cc, Bcc) as single-line input fields (pills) for multiple addresses instead of one line per address. More improvements to come.
new
Color customization of Folder Pane icons
new
Allow selecting messages via selection boxes instead of classic selection. "Select Messages" column needs to be selected via the thread pane's column picker.
new
"Delete" action column in thread pane (message list). "Select Messages" column needs to be selected via the thread pane's column picker.
new
Themes can be previewed in the Add-On Manager
new
Minimize to tray support added for Windows
new
New config option to anonymize message date header
new
Global Search menu item in app menu
new
Additional Enterprise policies
new
Calendar: Added ICS import support to -file command line option
new
Calendar: Add event preview to ICS import dialog
new
Chat: OTR messaging support
new
Chat: IRC echo-message capability
Changes
changed
Add-on support: As of version 78.0, Thunderbird only supports MailExtensions and MailExtension Experiments. Restartless add-ons and non-restartless legacy add-ons using XUL overlays are no longer supported.
changed
Linux minimum runtime requirements have changed: GTK 3.14, GLIBC 2.17, libstdc++ 4.8.1 Details
changed
Thunderbird Options/Preferences tab redesigned and with new user interface
changed
Account creation dialog redesigned and with new user interface
changed
Account Manager moved to a tab
changed
Add-ons manager with new user interface and notifications
changed
Improved "Recent" folder list for "Move to" and "Copy to" in message context menu
changed
Improved UI of global search results tab
changed
Improvements to the location bar of a tab displaying web pages
changed
Use scalable icons throughout Thunderbird to improve support for HiDPI monitors and dark mode
changed
Thunderbird will now ask for OS account password before displaying saved passwords
changed
Address books are now stored as SQLite databases to prepare for future addressbook improvements. Existing address books in MAB format (using a Mork database) will be converted.
changed
New parser and formatter for vCard. vCard versions 3.0 and 4.0 are now supported.
changed
Various theme and dark mode improvements
changed
Various look and feel improvements
changed
Improved dialog for folder compaction (purging of deleted messages)
changed
Graphics hardware acceleration is now enabled by default
changed
TLS 1.0 and 1.1 disabled
changed
Calendar: The Lightning calendar add-on is now integrated into Thunderbird
changed
Calendar: Lightning version removed from Thunderbird user agent string
changed
Calendar: Web Calendar Access Protocol (WCAP) support removed
changed
Calendar: Storage access is now asynchronous to improve performance
changed
Calendar: Location URLs are now clickable
changed
Addon Developers: Updates to and expansion of MailExtensions APIs. Details
Fixes
fixed
Password display font had characters that were difficult to read
fixed
When copying messages from an IMAP folder to a local folder, offline store wasn't used
fixed
While Thunderbird was in safe mode, the help menu did not offer an item to restart with add-ons enabled
fixed
Mailbox quotas not displayed correctly
fixed
Images not rotated when composing a message
fixed
Email addresses sometimes displayed incorrectly in message composer
fixed
Many accessibility fixes and improvements: message composer, account setup, attachment pane
fixed
Mailbox format conversion fixes
fixed
Address book improvements: exporting, editing contacts, contact photos
fixed
Chat: Renaming contacts in context menu did not work
fixed
Calendar: Task and event dialogs were sometimes too small for their content
fixed
Calendar: URLs in the event reminder dialog were not clickable
fixed
Various security fixes
Known Issues
unresolved
Mail header toolbar (Reply, Forward, Archive, Junk buttons) no longer configurable
unresolved
Preferences search not available
unresolved
Drag and drop of address book contacts not working in some situations
comment:7 by , 4 years ago
So far, here are the changes that need to be made (similar to Firefox-78):
mozconfig
Remove --enable-startup-notification from mozconfig
Remove --enable-system-sqlite from mozconfig (has to use the internal sqlite now)
Remove --with-system-bz2 from mozconfig
dependencies
Promote startup-notification to required
Add a dependency on Python3 (with the sqlite module)
Remove dependency on sqlite
Also, the command explanation text for ./mach build needs to be changed to say that it's using Python3 now.
comment:8 by , 4 years ago
In sqlite3, the command explanation 'Applications such as Seamonkey and Thunderbird require' can be changed to 'Seamonkey requires'.
Note:
See TracTickets
for help on using tickets.
The release notes are not yet available. I'll look later today.