Opened 3 months ago

Closed 7 weeks ago

#15279 closed enhancement (fixed)

thunderbird-91.0

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 11.0
Component: BOOK Version: git
Severity: critical Keywords:
Cc:

Description

New minor version.

Change History (15)

comment:1 by Douglas R. Reno, 2 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Bruce Dubbs, 8 weeks ago

Milestone: 10.2 → 11.0

Milestone renamed

comment:3 by Douglas R. Reno, 7 weeks ago

Summary: thunderbird-78.12.0 → thunderbird-78.13.0

Now 78.13.0

comment:4 by Tim Tassonis, 7 weeks ago

Changes:

  • WeTransfer FileLink provider removed
  • The fix for bug 1707360, from Thunderbird 78.12.0, was removed for causing regressions

Fixes:

  • OpenPGP: Homebrew's GPG Smartcard libraries not found on M1 Macs
  • Various security fixes
  • Sending an email containing HTML links with spaces in the URL sometimes resulted in broken links
  • Folder Pane display theme fixes for macOS
  • Chat account settings did not always save as expected
  • RSS feed subscriptions sometimes lost
  • Calendar: A parsing error for alarm triggers of type "DURATION" caused sync problems for some users

comment:5 by Douglas R. Reno, 7 weeks ago

Summary: thunderbird-78.13.0 → thunderbird-91.0

... and now 91.0

Ken, do you still want me to do this one?

in reply to: 5; comment:6 by ken@…, 7 weeks ago

Replying to Douglas R. Reno:

... and now 91.0

Ken, do you still want me to do this one?

I don't have time until (probably) next week.

comment:7 by Douglas R. Reno, 7 weeks ago

Alright, I will make an attempt to take care of this one over the next two days due to security fixes

comment:8 by Tim Tassonis, 7 weeks ago

Quite a lot of interesting changes: "PDF.js viewer now included" sounds good, at least. I'll start the compile now, but not re-assign the ticket to me (unless you want me to).

New

  • Native support for macOS devices built with Apple Silicon CPUs
  • Thunderbird now operates in multi-process (e10s) mode by default
  • Latvian language support
  • New user interface for adding attachments
  • Enable redirect of messages
  • Ability to change order of accounts in UI
  • Allow showing empty CC/BCC rows in compose window
  • Warning popup when sending a reply to a likely non-existent email address such as "noreply@…"
  • Warning popup when public recipients of a message exceeds threshold
  • Add support for "X-Unsent: 1" header, to open a saved email in a compose window for editing
  • Add support for non-ASCII characters in recipient addresses
  • Context menu to expand mail list pills in the compose window to the list of recipients
  • Quick Find is now available in the multi-message (thread summary) view
  • Keyboard shortcuts to access To/CC/BCC fields of compose window
  • Allow pinning folder views to the Folder Pane
  • Language packs and dictionaries added to about:support
  • PDF.js viewer now included in Thunderbird
  • OpenPGP: "Copy Key Id" option added to Key Manager context menu
  • OpenPGP: Added config option to disable encrypting saved drafts
  • Encrypt mail to BCC recipients (with warning that it will expose the recipients in the list of keys)

New

  • CardDAV address book support
  • CardDAV address books automatically detected based on provided user information
  • Access to Outlook Contacts; To enable, set ldap_2.servers.outlook.dirType to 3; This setting may cause startup delays.
  • Suggest replacements for discontinued/incompatible add-ons
  • Chat: Beta-level support for Matrix servers (set chat.prpls.prpl-matrix.disable to false)
  • Calendar: Remote calendar auto-detection now supported
  • Calendar: Calendar and category colors now displayed in selection dropdowns
  • Calendar: "Edit" item added to event context menu
  • Calendar: Support opening of .ics files by double-click
  • Calendar: Thunderbird now informs the operating system that it knows how to open webcal: URLs
  • Calendar: Filter and sort items to be imported in the Import dialog
  • Prompt to choose the identity of an accepted calendar invite when no identity matches the event attendees list
  • Support mid: URL scheme for Related Links in calendar event dialogs
  • Permissions to access calendar and address book are now requested when a GMail account is set up, so that calendar and address book can be accessed without having to re-authorize (see notes)
  • Calendar: Per-calendar and global notification settings (in addition to alerts set in events)
  • Tasks: Undo/Redo support for event and task creation and deletion

Changes

  • "Master Password" renamed to "Primary Password"
  • Renamed "Add-ons" to "Add-ons and Themes" and "Options" to "Preferences"
  • Account setup moved to a tab
  • Mail recipients that are not found in any address book will no longer appear in red - type; invalid addresses will appear red
  • Clicking on an already-selected pill in the recipient list will now allow editing the address
  • Folder pane color scheme overhauled with a focus on readability
  • Sending backend, SMTP protocol, and LDAP protocol implementations rewritten in JavaScript
  • Sending backend, SMTP, and IMAP protocols now operate only in UTF-8 mode
  • Sending a message will now fail if any recipients are not accepted by the SMTP server
  • Error messages from an SMTP server are now displayed to the user
  • UI Customization controls moved to the View menu
  • End-to-End Encryption "Advanced Settings" are now disabled when encryption is not configured
  • Movemail support removed
  • WeTransfer FileLink provider removed
  • Enterprise policies updated
  • Printing UI updated
  • AutoComplete from LDAP directories now searches by substring instead of left-side match
  • Chat modules and custom widgets are now lazy-loaded to improve Thunderbird startup time
  • Default IRC server for new chat accounts changed to "libera.chat"
  • Chat: Image based emoticons replaced with Unicode
  • Calendar: Opening an existing event now opens summary dialog
  • Calendar: Default to CalDAV when supported by the server

Fixes

  • Thunderbird did not properly handle Self-signed certificates on IMAP servers
  • Various issues with special and non-ASCII characters in IMAP folders names, especially on Gmail
  • Drag & drop operations could be disrupted by incoming mail notifications
  • Dragging a folder from an authenticated IMAP server to a not-yet authenticated server fails
  • Temporary errors from POP3 servers would cause Thunderbird to stop downloading mail until it was restarted
  • Favorite Folder view did not maintain UI state between Thunderbird restarts
  • Saved search virtual folders were not retained after restarting Thunderbird
  • Thunderbird did not correctly warn about all affected filters when removing a folder
  • Manually running filters on a maildir folder did not work
  • Partially downloaded messages displayed in a stand-alone window did not refresh after clicking link to download the rest of the message
  • An erroneous "Sender" header was displayed in the message preview after viewing certain S/MIME signed emails
  • Some temporary files created by the message composer were not automatically removed after closing the compose window
  • Archiving messages from an NNTP account made the target folder unusable
  • Compose window: The user-configured style for quoted text was not honored
  • Message headers in compose window disregarded manual resizing when adding additional recipients
  • Various improvements to new message notifications
  • A Thunderbird icon pinned to the Windows taskbar reverted to a non-functional placeholder after an update
  • Various improvements to recipient pills in message compose window
  • Keyboard shortcut to open the Message Security popup did not work on Mac
  • Subject column in message lists sometimes showed text from invalid email headers
  • Account settings: When creating a new account, some already entered settings did not copy to the Advanced Config dialog
  • Default address book preference was not honored in the contacts sidebar
  • Import Address Book from CSV did not allow mapping all available fields
  • LDAP address books did not display multi-valued attributes
  • Address Book: Users with LDAP admin rights could delete accounts if trying to delete an entry from an address book backed by LDAP
  • Some preferences related to an address book were not removed when the address book was deleted
  • Shortcut for Advanced Address Book Search (Ctrl+Shift+F) did not work on Linux
  • Radio buttons could not be selected on photo tab of an address card
  • Windows uninstaller did not always remove all Thunderbird program files
  • Chat: Double clicking an account type in new account wizard did not select it
  • Chat account settings did not always save as expected
  • User nickname colors were not used in chat content
  • Chat: Multiple system messages did not collapse
  • Calendar: Reminder details appeared editable when viewing an event
  • Calendar: HTML rendering in event descriptions restored
  • Calendar: The toolbar in the invitation details dialog was not honoring the theme colors
  • Calendar: Various dialog updates
  • Calendar: Import and export via CSV did not parse years correctly in event dates
  • Calendar: Event boxes were not always focused when clicked
  • Dragging and dropping an ICS file to the Today Pane did not populate the "New Event" dialog
  • Calendar: Reduced flickering effect in Today Pane
  • Calendar: The time of day indicator line did not update automatically
  • Location field was not preserved when modifying recurring events stored on a remote calendar
  • Today was difficult to pick out visually in the month/multiweek calendar views
  • Columns in Today Pane were not resizable
  • Calendar event text could render outside the confines of the event block
  • Event time and event name were not vertically aligned
  • Improved formatting of event descriptions with long links, such as Zoom invites
  • RSVP replies to invitations sometimes sent from the wrong email address
  • Various UI and theme improvements, especially to dark themes
  • Various security fixes

comment:9 by Douglas R. Reno, 7 weeks ago

Ken had given me a set of changes that needed to go in with this similar to Firefox-91. I'd prefer to still do it but I'll let you know tomorrow at some point.

comment:10 by Douglas R. Reno, 7 weeks ago

Priority: normal → high
Severity: normal → critical

The first of these vulnerabilities listed here is serious. It allows for a remote attacker to inject commands and malicious emails through STARTTLS connections via IMAP.

78.12.0

Mozilla Foundation Security Advisory 2021-30
Security Vulnerabilities fixed in Thunderbird 78.12

Announced
    July 13, 2021
Impact
    high
Products
    Thunderbird
Fixed in

        Thunderbird 78.12

#CVE-2021-29969: IMAP server responses sent by a MITM prior to STARTTLS could be processed

Reporter
    Damian Poddebniak and Fabian Ising
Impact
    high

Description

If Thunderbird was configured to use STARTTLS for an IMAP connection, and an attacker injected IMAP server responses prior to the completion of the STARTTLS handshake, then Thunderbird didn't ignore the injected data. This could have resulted in Thunderbird showing incorrect information, for example the attacker could have tricked Thunderbird to show folders that didn't exist on the IMAP server.
References

    Bug 1682370

#CVE-2021-29970: Use-after-free in accessibility features of a document

Reporter
    Irvan Kurniawan
Impact
    high

Description

A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash.
This bug only affected Thunderbird when accessibility was enabled.
References

    Bug 1709976

#CVE-2021-30547: Out of bounds write in ANGLE

Reporter
    (Unknown)
Impact
    high

Description

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash.
References

    Bug 1715766

#CVE-2021-29976: Memory safety bugs fixed in Thunderbird 78.12

Reporter
    Mozilla developers
Impact
    high

Description

Mozilla developers Valentin Gosu, Randell Jesup, Emil Ghitta, Tyson Smith, and Olli Pettay reported memory safety bugs present in Thunderbird 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 78.12

78.13.0

Mozilla Foundation Security Advisory 2021-35
Security Vulnerabilities fixed in Thunderbird 78.13

Announced
    August 10, 2021
Impact
    high
Products
    Thunderbird
Fixed in

        Thunderbird 78.13

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2021-29986: Race condition when resolving DNS names could have led to memory corruption

Reporter
    pahhur
Impact
    high

Description

A suspected race condition when calling getaddrinfo led to memory corruption and a potentially exploitable crash.
Note: This issue only affected Linux operating systems. Other operating systems are unaffected.
References

    Bug 1696138

#CVE-2021-29988: Memory corruption as a result of incorrect style treatment

Reporter
    Irvan Kurniawan
Impact
    high

Description

Thunderbird incorrectly treated an inline list-item element as a block element, resulting in an out of bounds read or memory corruption, and a potentially exploitable crash.
References

    Bug 1717922

#CVE-2021-29984: Incorrect instruction reordering during JIT optimization

Reporter
    Lukas Bernhard
Impact
    high

Description

Instruction reordering resulted in a sequence of instructions that would cause an object to be incorrectly considered during garbage collection. This led to memory corruption and a potentially exploitable crash.
References

    Bug 1720031

#CVE-2021-29980: Uninitialized memory in a canvas object could have led to memory corruption

Reporter
    Irvan Kurniawan
Impact
    high

Description

Uninitialized memory in a canvas object could have caused an incorrect free() leading to memory corruption and a potentially exploitable crash.
References

    Bug 1722204

#CVE-2021-29985: Use-after-free media channels

Reporter
    Marcin 'Icewall' Noga of Cisco Talos
Impact
    moderate

Description

A use-after-free vulnerability in media channels could have led to memory corruption and a potentially exploitable crash.
References

    Bug 1722083

#CVE-2021-29989: Memory safety bugs fixed in Thunderbird 78.13

Reporter
    Mozilla developers and community
Impact
    high

Description

Mozilla developers Christoph Kerschbaumer, Simon Giesecke, Sandor Molnar, and Olli Pettay reported memory safety bugs present in Thunderbird 78.12. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Thunderbird 78.13

In the case of 78.13.0, there is a security vulnerability that ONLY affects Linux due to the use of getaddrinfo(). There is another one that only affects Linux that also allows for privilege escalation through downloaded files. Ouch.

Security Vulnerabilities fixed in 91.0 are the same as in 78.13.0.

Promoting to Highest severity.
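The bug class behind CVE-2021-29969 above, as an added example that is not Thunderbird's code or Mozilla's patch: a Python sketch of how an IMAP client consumes the reply to its STARTTLS command, with the flawed "parse every line in the buffer" behaviour beside the mitigation of acting only on the tagged OK and aborting on any cleartext that follows it. The wire data, the tag `a001` and all function names are constructed assumptions.

```python
"""Handling of the IMAP STARTTLS transition (the CVE-2021-29969 bug class).

Added illustration, not Thunderbird's code. CONSTRUCTED_STREAM is what a
client might read from the socket in a single recv() while waiting for the
reply to STARTTLS; a man-in-the-middle can place cleartext lines before or
after the server's tagged OK, and they land in the same buffer.
"""
from typing import List, Tuple


class ProtocolViolation(Exception):
    """Cleartext data that an honest server would never send at this point."""


CONSTRUCTED_STREAM = (
    b'* LIST () "/" "Injected-Folder"\r\n'      # injected before the tagged OK
    b"a001 OK Begin TLS negotiation now\r\n"    # the real server's reply
    b'* LIST () "/" "Another-Injected"\r\n'     # injected after the tagged OK
)


def split_lines(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split buf into complete CRLF-terminated lines plus the trailing partial line."""
    lines: List[bytes] = []
    while b"\r\n" in buf:
        line, buf = buf.split(b"\r\n", 1)
        lines.append(line)
    return lines, buf


def folder_from_list(line: bytes) -> str:
    """Mailbox name from a '* LIST (...) "/" "name"' response (last quoted token)."""
    return line.rsplit(b" ", 1)[1].strip(b'"').decode("utf-8")


def await_starttls_ok(buf: bytes, tag: bytes, strict: bool) -> List[str]:
    """Consume one buffer holding the STARTTLS reply; return folders the client would show.

    strict=False mirrors the flawed behaviour: every line is fed to the normal
    response parser, so injected cleartext LIST responses become visible folders.
    strict=True is the mitigation: before TLS is up only the tagged reply to
    STARTTLS is acted on, untagged lines are dropped, and leftover bytes after
    the OK abort the connection. A refused STARTTLS fails closed in both modes.
    """
    lines, rest = split_lines(buf)
    shown: List[str] = []
    for i, line in enumerate(lines):
        if line.startswith(tag + b" OK"):
            leftover = lines[i + 1:]
            if strict:
                if leftover or rest:
                    raise ProtocolViolation("cleartext data after STARTTLS OK")
                return shown
            shown.extend(folder_from_list(l) for l in leftover if l.startswith(b"* LIST"))
            return shown
        if line.startswith(tag + b" "):            # tagged NO/BAD: never stay in cleartext
            raise ProtocolViolation("server refused STARTTLS")
        if line.startswith(b"* LIST") and not strict:
            shown.append(folder_from_list(line))
    raise ProtocolViolation("no tagged reply to STARTTLS in buffer")
```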

comment:11 by Tim Tassonis, 7 weeks ago

As with firefox, I now had to change the build to:

./mach create-mach-environment

./mach build || exit 1

I see that in the book, it is configure instead of create-mach-environment, so that should work also.

The build is running now, so I guess there should be no problems now.

in reply to: 11; comment:12 by ken@…, 7 weeks ago

Replying to Tim Tassonis:

As with firefox, I now had to change the build to:

./mach create-mach-environment

./mach build || exit 1

I see that in the book, it is configure instead of create-mach-environment, so that should work also.

The build is running now, so I guess there should be no problems now.

If this is on glibc-2.34 you'll probably want the same patch that is used for firefox (error is at the start of that patch).

For separating configure - I picked that up from AUR thunderbird 78 a while ago, I find it useful to get confirmation that I've got rust on my PATH (or, at times, the intended version of rust).

in reply to: 12; comment:13 by Douglas R. Reno, 7 weeks ago

Replying to ken@…:

Replying to Tim Tassonis:

As with firefox, I now had to change the build to:

./mach create-mach-environment

./mach build || exit 1

I see that in the book, it is configure instead of create-mach-environment, so that should work also.

The build is running now, so I guess there should be no problems now.

If this is on glibc-2.34 you'll probably want the same patch that is used for firefox (error is at the start of that patch).

For separating configure - I picked that up from AUR thunderbird 78 a while ago, I find it useful to get confirmation that I've got rust on my PATH (or, at times, the intended version of rust).

Thank you for the reminder on glibc-2.34. I guess I'll need to test the update over on that system too. That machine is getting a lot of usage lately.

comment:14 by Douglas R. Reno, 7 weeks ago

Thunderbird patch added to the patches repository. I did apply it and it seemed to build OK. I just copied the Firefox patch and renamed it.

Doing one final test build of Thunderbird and will be submitting this in the next few hours, assuming all goes well!

comment:15 by Douglas R. Reno, 7 weeks ago

Resolution: fixed
Status: assigned → closed