Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#14575 closed enhancement (fixed)

thunderbird-78.7.0

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 10.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New minor version

Change History (7)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 3 years ago

What’s New

new
Extension API: Compose API now supports editing messages and templates as new messages

new
Extension API: composeHtml is now exposed in MailIdentity

new
Extension API: windows.update and windows.create now support titlePreface

new
Extension API: new Accounts API functions: accounts.getDefault() and accounts.getDefaultIdentity(accountId)

Changes

changed
Extension API: body and plainTextBody are now used as compose mode selectors in setComposeDetails and begin* functions in Compose API

changed
Theme: removed the double border around the task description field on the Tasks tab

Fixes

fixed
Account Manager: When deleting the last remaining account, the default account was not getting cleared and still pointed to the no-longer-existing account

fixed
OpenPGP: Verification of an inline signed message would fail if it contained leading whitespace

fixed
OpenPGP: Various other minor bug and stability fixes

fixed
Mail Window: Quickfilter bar buttons disappear when hovered on Windows 10 High Contrast Black theme

fixed
Theme: folder properties dialog contained black text on a black background in dark mode

fixed
Theme: recipient pills in compose window were not visible in high contrast dark theme on Windows 10

fixed
Extension API: browserAction buttons were not restored after restart if they were moved outside the default toolbar

fixed
Extension API: browser.compose.beginNew could not override identity plaintext setting

fixed
Extension API: browser.compose.beginForward was ignoring ComposeDetails

fixed
Extension API: browser.compose.setComposeDetails did not properly handle Windows-style line endings

fixed
Various security fixes

Known Issues

unresolved

Thunderbird performs sluggishly on macOS Big Sur

comment:3 by Douglas R. Reno, 3 years ago

Priority: normal → high

And now, the security advisory...

Mozilla Foundation Security Advisory 2021-05
Security Vulnerabilities fixed in Thunderbird 78.7

Announced
    January 26, 2021
Impact
    high
Products
    Thunderbird
Fixed in

        Thunderbird 78.7

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
CVE-2021-23953: Cross-origin information leakage via redirected PDF requests

Reporter
    Rob Wu
Impact
    high

Description

If a user clicked into a specifically crafted PDF, the PDF reader could be confused into leaking cross-origin information, when said information is served as chunked data.
References

    Bug 1683940

CVE-2021-23954: Type confusion when using logical assignment operators in JavaScript switch statements

Reporter
    Gary Kwong
Impact
    high

Description

Using the new logical assignment operators in a JavaScript switch statement could have caused a type confusion, leading to a memory corruption and a potentially exploitable crash.
References

    Bug 1684020

CVE-2020-15685: IMAP Response Injection when using STARTTLS

Reporter
    Damian Poddebniak
Impact
    moderate

Description

During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session.
References

    Bug 1622640

CVE-2020-26976: HTTPS pages could have been intercepted by a registered service worker when they should not have been

Reporter
    Andrew Sutherland
Impact
    moderate

Description

When a HTTPS page was embedded in a HTTP page, and there was a service worker registered for the former, the service worker could have intercepted the request for the secure page despite the iframe not being a secure context due to the (insecure) framing.
References

    Bug 1674343

CVE-2021-23960: Use-after-poison for incorrectly redeclared JavaScript variables during GC

Reporter
    Irvan Kurniawan
Impact
    moderate

Description

Performing garbage collection on re-declared JavaScript variables resulted in a use-after-poison, and a potentially exploitable crash.
References

    Bug 1675755

CVE-2021-23964: Memory safety bugs fixed in Thunderbird 78.7

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers Alexis Beingessner, Christian Holler, Andrew McCreight, Tyson Smith, Jon Coppeard, André Bargull, Jason Kratzer, Jesse Schwartzentruber, Steve Fink, Byron Campen reported memory safety bugs present in Thunderbird 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 78.7

One of these in particular sticks out to me:

CVE-2020-15685: IMAP Response Injection when using STARTTLS

Reporter
    Damian Poddebniak
Impact
    moderate

Description

During the plaintext phase of the STARTTLS connection setup, protocol commands could have been injected and evaluated within the encrypted session.
References

    Bug 1622640
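
The CVE-2020-15685 description above comes down to a receive buffer that survives the switch from cleartext to TLS. As an added illustration (not code from Thunderbird or from this ticket), the Python model below runs constructed IMAP lines through such a buffer; `LineBuffer`, `upgrade`, `check` and the `strict` flag are hypothetical names, and the strict check is one common mitigation, not necessarily the fix Mozilla applied.

```python
class PlaintextResidue(Exception):
    """Cleartext bytes were still queued when the TLS handshake was due."""


class LineBuffer:
    """Receive buffer reused across the cleartext and TLS phases (hypothetical)."""

    def __init__(self):
        self.data = b""

    def feed(self, chunk):
        self.data += chunk

    def read_line(self):
        line, sep, rest = self.data.partition(b"\r\n")
        if not sep:
            return None  # no complete line buffered yet
        self.data = rest
        return line


def upgrade(buf, tag, strict):
    """Consume the tagged reply to STARTTLS; return bytes left in the buffer.

    strict=False models the flaw: leftover cleartext stays queued and is later
    parsed as if it had arrived inside the TLS session.
    strict=True aborts when anything follows the completion line.
    """
    while (line := buf.read_line()) is not None:
        if line.startswith(tag + b" "):
            if not line.startswith(tag + b" OK"):
                raise ConnectionError("STARTTLS refused")
            if strict and buf.data:
                raise PlaintextResidue(repr(buf.data))
            return buf.data
    raise ConnectionError("no tagged reply to STARTTLS")


def check(segment, strict):
    """Feed one constructed cleartext segment and report the outcome."""
    buf = LineBuffer()
    buf.feed(segment)
    try:
        return ("continue", upgrade(buf, b"a1", strict))
    except PlaintextResidue:
        return ("abort", b"")


# Constructed sample traffic, not captured from a real server.
CLEAN = b"a1 OK Begin TLS negotiation now\r\n"
TAMPERED = CLEAN + b"* OK constructed line sent before the handshake\r\n"
```

With `strict=False` the tampered segment leaves its second line queued for the post-handshake parser; with `strict=True` the connection is dropped before the handshake starts.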

comment:4 by Tim Tassonis, 3 years ago

I could not build it using rustc 1.47.0

54:20.25 error: could not compile `gkrust`.
54:20.28 Caused by:
54:20.29   process didn't exit successfully: `/usr/bin/rustc --crate-name gkrust toolkit/library/rust/lib.rs --error-format=json --json=diagnostic-rendered-ansi --crate-type staticlib --emit=dep-info,link -C opt-level=2 -C panic=abort -C embed-bitcode=no -Clto --cfg 'feature="cubeb-remoting"' --cfg 'feature="cubeb_pulse_rust"' --cfg 'feature="gecko_profiler"' --cfg 'feature="gecko_profiler_parse_elf"' --cfg 'feature="moz_memory"' --cfg 'feature="moz_places"' --cfg 'feature="new_cert_storage"' --cfg 'feature="quantum_render"' --cfg 'feature="webgpu"' --cfg 'feature="webrtc"' -C metadata=dad3c8813dc147e8 -C extra-filename=-dad3c8813dc147e8 --out-dir /lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/deps --target x86_64-unknown-linux-gnu -C linker=/lgl-bld/thunderbird-78.7.0/build/cargo-linker -L dependency=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/deps -L dependency=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/release/deps --extern gkrust_shared=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/deps/libgkrust_shared-a9b4e10c259f7676.rlib --extern mozglue_static=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/deps/libmozglue_static-883218533d9f5a22.rlib --extern mozilla_central_workspace_hack=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/deps/libmozilla_central_workspace_hack-ad1a2d14b4ab984f.rlib -C opt-level=2 -C debuginfo=2 --cap-lints warn -Cembed-bitcode=yes -C codegen-units=1 -L native=/usr/lib -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/build/lmdb-rkv-sys-f8049458c9985f96/out -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/build/mozglue-static-269d42d01a768b9b/out -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/dist/bin -L 
native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/security/nss/lib/nss/nss_nss3 -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/security/nss/lib/ssl/ssl_ssl3 -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/config/external/nspr/pr -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/build/swgl-0c18f3c9237a6ac2/out -L native=/lgl-bld/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/x86_64-unknown-linux-gnu/release/build/libloading-6d38c7b153f4bb85/out -L native=/opt/X11/lib` (signal: 9, SIGKILL: kill)
54:20.29 make[4]: *** [/lgl-bld/thunderbird-78.7.0/config/makefiles/rust.mk:299: force-cargo-library-build] Error 101
54:20.29 make[3]: *** [/lgl-bld/thunderbird-78.7.0/config/recurse.mk:74: toolkit/library/rust/target] Error 2
54:20.31 make[2]: *** [/lgl-bld/thunderbird-78.7.0/config/recurse.mk:34: compile] Error 2
54:20.32 make[1]: *** [/lgl-bld/thunderbird-78.7.0/config/rules.mk:390: default] Error 2
54:20.34 make: *** [client.mk:125: build] Error 2

Did anybody have any success?

comment:5 by Douglas R. Reno, 3 years ago

It just built fine for me:

 0:17.36 make[1]: Leaving directory '/sources/thunderbird-78.7.0/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/comm/mail/installer'
 0:17.36 make: Leaving directory '/sources/thunderbird-78.7.0/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu'
 0:17.38 /usr/bin/notify-send --app-name=Mozilla Build System Mozilla Build System Install complete
3091.1 Elasped Time - thunderbird-78.7.0
SBU=29.161
344828 /sources/thunderbird-78.7.0.source.tar.xz size (336.746 MB)
5620612 kilobytes build size (5488.878 MB)
md5sum : 65c466d8fae272848b9951913a536a7a  /sources/thunderbird-78.7.0.source.tar.xz
sha1sum: 88e36ea3ae7cb0e18da49edc103e2d3451c9fdec  /sources/thunderbird-78.7.0.source.tar.xz

comment:6 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r24161

in reply to:  5 comment:7 by Tim Tassonis, 3 years ago

Replying to renodr:

It just built fine for me:

 0:17.36 make[1]: Leaving directory '/sources/thunderbird-78.7.0/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu/comm/mail/installer'
 0:17.36 make: Leaving directory '/sources/thunderbird-78.7.0/thunderbird-78.7.0/obj-x86_64-pc-linux-gnu'
 0:17.38 /usr/bin/notify-send --app-name=Mozilla Build System Mozilla Build System Install complete
3091.1 Elasped Time - thunderbird-78.7.0
SBU=29.161
344828 /sources/thunderbird-78.7.0.source.tar.xz size (336.746 MB)
5620612 kilobytes build size (5488.878 MB)
md5sum : 65c466d8fae272848b9951913a536a7a  /sources/thunderbird-78.7.0.source.tar.xz
sha1sum: 88e36ea3ae7cb0e18da49edc103e2d3451c9fdec  /sources/thunderbird-78.7.0.source.tar.xz

Seemed to just be a memory issue on my box. After going from 4 to 8 GB, gkrust compiled fine.
