#13806 closed enhancement (fixed)

thunderbird-78.0

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 10.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New major version.

Change History (9)

comment:1 by Douglas R. Reno, 14 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 14 months ago

The release notes are not yet available. I'll look later today.

comment:3 by Bruce Dubbs, 14 months ago

Milestone: 9.210,0

Milestone renamed

comment:4 by Bruce Dubbs, 14 months ago

Milestone: 10,010.0

Milestone renamed

comment:5 by Douglas R. Reno, 14 months ago

Priority: normalhigh

First up: The security fixes

Mozilla Foundation Security Advisory 2020-29
Security Vulnerabilities fixed in Thunderbird 78

Announced
    July 16, 2020
Impact
    high
Products
    Thunderbird
Fixed in

        Thunderbird 78

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
#CVE-2020-12415: AppCache manifest poisoning due to url encoded character processing

Reporter
    Kevin Higgs
Impact
    high

Description

When %2F was present in a manifest URL, Thunderbird's AppCache behavior may have become confused and allowed a manifest to be served from a subdirectory. This could cause the appcache to be used to service requests for the top level directory.
References

    Bug 1586630

#CVE-2020-12416: Use-after-free in WebRTC VideoBroadcaster

Reporter
    Alex Mayorga
Impact
    high

Description

A VideoStreamEncoder may have been freed in a race condition with VideoBroadcaster::AddOrUpdateSink, resulting in a use-after-free, memory corruption, and a potentially exploitable crash.
References

    Bug 1639734

#CVE-2020-12417: Memory corruption due to missing sign-extension for ValueTags on ARM64

Reporter
    Deian Stefan
Impact
    high

Description

Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially exploitable crash.
Note: this issue only affects Firefox on ARM64 platforms.
References

    Bug 1640737

#CVE-2020-12418: Information disclosure due to manipulated URL object

Reporter
    Marcin 'Icewall' Noga of Cisco Talos
Impact
    high

Description

Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript.
References

    Bug 1641303

#CVE-2020-12419: Use-after-free in nsGlobalWindowInner

Reporter
    worcester12345
Impact
    high

Description

When processing callbacks that occurred during window flushing in the parent process, the associated window may die; causing a use-after-free condition. This could have led to memory corruption and a potentially exploitable crash.
References

    Bug 1643874

#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server

Reporter
    Byron Campen
Impact
    high

Description

When trying to connect to a STUN server, a race condition could have caused a use-after-free of a pointer, leading to memory corruption and a potentially exploitable crash.
References

    Bug 1643437

#CVE-2020-15648: X-Frame-Options bypass using object or embed tags

Reporter
    Frederik Braun
Impact
    moderate

Description

Using object or embed tags, it was possible to frame other websites, even if they disallowed framing using the X-Frame-Options header.
Note: This issue is pending a CVE assignment and will be updated when one is available.
References

    Bug 1644076

#CVE-2020-12402: RSA Key Generation vulnerable to side-channel attack

Reporter
    Sohaib ul Hassan, Iaroslav Gridin, Ignacio M. Delgado-Lozano, Cesar Pereida García, Jesús-Javier Chi-Domínguez, Alejandro Cabrera Aldaya, and Billy Bob Brumley, Network and Information Security (NISEC) Group, Tampere University, Finland
Impact
    moderate

Description

During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.
We would like to thank Sohaib ul Hassan for contributing a fix for this issue as well.
Note: An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might.
References

    Bug 1631597

#CVE-2020-12421: Add-On updates did not respect the same certificate trust rules as software updates

Reporter
    Chuck Harmston, Robert Hardy
Impact
    moderate

Description

When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user.
References

    Bug 1308251

#CVE-2020-12422: Integer overflow in nsJPEGEncoder::emptyOutputBuffer

Reporter
    Ronald Crane
Impact
    moderate

Description

In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash.
References

    Bug 1450353

#CVE-2020-12423: DLL Hijacking due to searching %PATH% for a library

Reporter
    Riccardo Ancarani
Impact
    moderate

Description

When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Thunderbird may have loaded the DLL, leading to arbitrary code execution.
Note: This issue only affects the Windows operating system; other operating systems are unaffected.
References

    Bug 1642400

#CVE-2020-12424: WebRTC permission prompt could have been bypassed by a compromised content process

Reporter
    Paul Theriault
Impact
    low

Description

When constructing a permission prompt for WebRTC, a URI was supplied from the content process. This URI was untrusted, and could have been the URI of an origin that was previously granted permission; bypassing the prompt.
References

    Bug 1562600

#CVE-2020-12425: Out of bound read in Date.parse()

Reporter
    Bruno Keith
Impact
    low

Description

Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure.
References

    Bug 1634738

#CVE-2020-12426: Memory safety bugs fixed in Thunderbird 78

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers and community members Bob Clary, Benjamin Bouvier, Calixte Denizet, Christian Holler reported memory safety bugs present in Thunderbird 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 78

comment:6 by Douglas R. Reno, 14 months ago

Here are the release notes for TB-78.

A few things stick out to me:

Address Books are converted to SQLite. That makes this version of Thunderbird incompatible with previous versions. After upgrading Thunderbird, you'll no longer be able to use your profile in an older version.

Some of the UI elements seem to have changed.

The Calendar add-on is now integrated into Thunderbird itself

If you're using Enigmail for OpenPGP stuff, DO NOT UPGRADE. Thunderbird includes it's own OpenPGP stack now, although it's disabled by default and won't be enabled until 78.2.


Check out "What’s New" and "Known Issues" for this version of Thunderbird below. As always, you’re encouraged to tell us what you think, or file a bug in Bugzilla

Thunderbird version 78.0 is only offered as direct download from thunderbird.net and not as an upgrade from Thunderbird version 68 or earlier. A future release will provide updates from earlier versions.

Add-on support: As of version 78.0, Thunderbird only supports MailExtensions. Your favorite add-ons may not have been updated for compatibility.

At this time, users of the Enigmail Add-on should not update to Thunderbird 78.

OpenPGP functionality for Thunderbird 78 is still work in progress, and is disabled by default in the initial 78.0 release. See the wiki for how to enable and help with testing.

System Requirements: Details

    Windows: Windows 7 or later
    Mac: macOS 10.9 or later
    Linux: GTK+ 3.14 or higher

 
What’s New
new

New Account Hub for centralized account setup
new

Redesigned recipient address fields (To, Cc, Bcc) as single-line input fields (pills) for multiple addresses instead of one line per address. More improvements to come.
new

Color customization of Folder Pane icons
new

Allow selecting messages via selection boxes instead of classic selection. "Select Messages" column needs to be selected via the thread pane's column picker.
new

"Delete" action column in thread pane (message list). "Select Messages" column needs to be selected via the thread pane's column picker.
new

Themes can be previewed in the Add-On Manager
new

Minimize to tray support added for Windows
new

New config option to anonymize message date header
new

Global Search menu item in app menu
new

Additional Enterprise policies
new

Calendar: Added ICS import support to -file command line option
new

Calendar: Add event preview to ICS import dialog
new

Chat: OTR messaging support
new

Chat: IRC echo-message capability
Changes
changed

Add-on support: As of version 78.0, Thunderbird only supports MailExtensions and MailExtension Experiments. Restartless add-ons and non-restartless legacy add-ons using XUL overlays are no longer supported.
changed

Linux minimum runtime requirements have changed: GTK 3.14, GLIBC 2.17, libstdc++ 4.8.1 Details
changed

Thunderbird Options/Preferences tab redesigned and with new user interface
changed

Account creation dialog redesigned and with new user interface
changed

Account Manager moved to a tab
changed

Add-ons manager with new user interface and notifications
changed

Improved "Recent" folder list for "Move to" and "Copy to" in message context menu
changed

Improved UI of global search results tab
changed

Improvements to the location bar of a tab displaying web pages
changed

Use scalable icons throughout Thunderbird to improve support for HiDPI monitors and dark mode
changed

Thunderbird will now ask for OS account password before displaying saved passwords
changed

Address books are now stored as SQLite databases to prepare for future addressbook improvements. Existing address books in MAB format (using a Mork database) will be converted.
changed

New parser and formatter for vCard. vCard versions 3.0 and 4.0 are now supported.
changed

Various theme and dark mode improvements
changed

Various look and feel improvements
changed

Improved dialog for folder compaction (purging of deleted messages)
changed

Graphics hardware acceleration is now enabled by default
changed

TLS 1.0 and 1.1 disabled
changed

Calendar: The Lightning calendar add-on is now integrated into Thunderbird
changed

Calendar: Lightning version removed from Thunderbird user agent string
changed

Calendar: Web Calendar Access Protocol (WCAP) support removed
changed

Calendar: Storage access is now asynchronous to improve performance
changed

Calendar: Location URLs are now clickable
changed

Addon Developers: Updates to and expansion of MailExtensions APIs. Details
Fixes
fixed

Password display font had characters that were difficult to read
fixed

When copying messages from an IMAP folder to a local folder, offline store wasn't used
fixed

While Thunderbird was in safe mode, the help menu did not offer an item to restart with add-ons enabled
fixed

Mailbox quotas not displayed correctly
fixed

Images not rotated when composing a message
fixed

Email addresses sometimes displayed incorrectly in message composer
fixed

Many accessibility fixes and improvements: message composer, account setup, attachment pane
fixed

Mailbox format conversion fixes
fixed

Address book improvements: exporting, editing contacts, contact photos
fixed

Chat: Renaming contacts in context menu did not work
fixed

Calendar: Task and event dialogs were sometimes too small for their content
fixed

Calendar: URLs in the event reminder dialog were not clickable
fixed

Various security fixes
Known Issues
unresolved

Mail header toolbar (Reply, Forward, Archive, Junk buttons) no longer configurable
unresolved

Preferences search not available
unresolved

Drag and drop of address book contacts not working in some situations

comment:7 by Douglas R. Reno, 14 months ago

So far, here are the changes that need to be made (similar to Firefox-78):

mozconfig

Remove --enable-startup-notification from mozconfig

Remove --enable-system-sqlite from mozconfig (has to use the internal sqlite now)

Remove --with-system-bz2 from mozconfig

dependencies

Promote startup-notification to required

Add a dependency on Python3 (with the sqlite module)

Remove dependency on sqlite

Also, the command explanation text for ./mach build needs to be changed to say that it's using Python3 now.

comment:8 by ken@…, 14 months ago

In sqlite3, the command explanation 'Applications such as Seamonkey and Thunderbird require' can be changed to 'Seamonkey requires'.

comment:9 by Douglas R. Reno, 14 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r23396

Note: See TracTickets for help on using tickets.