Bug #16118

Rebase Thunderbird on top of 1:60.3.0-1~deb9u1

Added by intrigeri 2018-11-11 11:54:35 . Updated 2018-12-16 13:20:46 .

Status: Resolved
Priority: Elevated
Assignee:
Category:
Target version:
Start date: 2018-11-11
Due date:
% Done: 100%
Feature Branch: feature/16118-thunderbird-60.3.0
Type of work: Code
Blueprint:
Starter:
Affected tool: Email Client
Deliverable for:

Description

Some of https://security-tracker.debian.org/tracker/CVE-2018-12389, https://security-tracker.debian.org/tracker/CVE-2018-12390, https://security-tracker.debian.org/tracker/CVE-2018-12392 are rated critical or high impact by Mozilla because “evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code”, “potentially exploitable crash”.

We’re not vulnerable to CVE-2018-12393 because we only support 64-bit.


Subtasks


Related issues

Blocks Tails - Feature #15506: Core work 2018Q4: Foundations Team Resolved 2018-04-08

History

#1 Updated by intrigeri 2018-11-11 11:54:49

#2 Updated by anonym 2018-11-22 14:20:55

  • Assignee set to anonym

I’ll take this one as I’m working on Feature #6156 and will rebuild Thunderbird anyway. It also aligns well with our plans to split some of the RM work for 3.11, Cyril.

#3 Updated by intrigeri 2018-11-22 15:50:41

> I’ll take this one as I’m working on Feature #6156 and will rebuild Thunderbird anyway.

Great :)

> It also aligns well with our plans to split some of the RM work for 3.11, Cyril.

Note that this is FT work, not RM’ing.

#4 Updated by anonym 2018-11-22 16:00:54

  • Status changed from Confirmed to In Progress

Applied in changeset commit:tails|20baa2df4fe64af097726d0d5fba4b8c9538de7a.

#5 Updated by anonym 2018-11-23 14:36:31

  • Assignee changed from anonym to intrigeri
  • % Done changed from 0 to 50
  • QA Check set to Ready for QA
  • Feature Branch set to feature/16118-thunderbird-60.3.0

All scenarios passed for me locally, so it looks good for Tails 3.11. Just so there’s no confusion: I only upgraded Thunderbird; I did not update the secure-account-config patch series (Feature #6156) like I initially said on XMPP.

#6 Updated by intrigeri 2018-11-23 15:27:09

  • Feature Branch changed from feature/16118-thunderbird-60.3.0 to feature/16118-thunderbird-60.3.0+force-all-tests

(I want the Thunderbird tests to run on Jenkins.)

#7 Updated by intrigeri 2018-11-23 15:50:34

  • Assignee changed from intrigeri to anonym
  • QA Check changed from Ready for QA to Info Needed

Code review passes, great!

A little bit more action and info is needed.

Wrt. commit:ad90d86d1b1b8cc0e128cfbf3f53d4d562c69a51 and more precisely “Dropping the ‘Allow opening links’ part might want something we follow up on”: indeed, something is needed, see below. But first, why did you revert this upstream change while you were refreshing our patch?

Then, I think that:

  • This is not a problem on Stretch but please confirm that you can open attachments (at least PDF) and URLs from Thunderbird in a Tails built from this branch.
  • Removing this rule will break this functionality on Buster => please file a ticket so that those who’ll work on it are aware of the reason for the upcoming breakage and don’t have to reverse-engineer it.

And one last question. In icedove.git there’s no changelog entry for 7c93d26d3e003e1d1efc4fb1113f3aedade76cbf, while we had an entry when we added these patches. Not worth rebuilding the package but please check if this happened because our release doc is buggy or for another reason: it would be nice to have safeguards so we don’t make such mistakes again in the future :)

#8 Updated by intrigeri 2018-11-23 16:03:48

Crap, by renaming the branch, as a side effect I’ve also deleted the corresponding overlay APT suite. I’m very sorry about this! The files are still there (only not in the reprepro DB anymore) so I’ll try to fix this.

#9 Updated by intrigeri 2018-11-23 16:09:23

intrigeri wrote:
> Crap, by renaming the branch, as a side effect I’ve also deleted the corresponding overlay APT suite. I’m very sorry about this! The files are still there (only not in the reprepro DB anymore) so I’ll try to fix this.

I think I’ve fixed it. https://jenkins.tails.boum.org/job/build_Tails_ISO_feature-16118-thunderbird-60.3.0-force-all-tests/2/ should use the correct packages.

#10 Updated by anonym 2018-11-29 15:43:39

  • Assignee changed from anonym to intrigeri
  • % Done changed from 50 to 60
  • QA Check changed from Info Needed to Ready for QA
  • Feature Branch changed from feature/16118-thunderbird-60.3.0+force-all-tests to feature/16118-thunderbird-60.3.0

intrigeri wrote:
> Wrt. commit:ad90d86d1b1b8cc0e128cfbf3f53d4d562c69a51 and more precisely “Dropping the ‘Allow opening links’ part might want something we follow up on”: indeed, something is needed, see below. But first, why did you revert this upstream change while you were refreshing our patch?

I actually cannot remember what I was thinking at the time. I just recall that I noted that the file (gio-launch-desktop) doesn’t even exist in current, Stretch-based, Tails so that line wasn’t needed; perhaps I just got conspiranoid? :P

> Then, I think that:
>
> * This is not a problem on Stretch but please confirm that you can open attachments (at least PDF) and URLs from Thunderbird in a Tails built from this branch.

Just to be sure I tested again, still works.

> * Removing this rule will break this functionality on Buster => please file a ticket so that those who’ll work on it are aware of the reason for the upcoming breakage and don’t have to reverse-engineer it.

Let’s just undo my confusion and re-add it now: commit:7bd56418e403d7370c12bae2fc2af578d744ab94

> And one last question. In icedove.git there’s no changelog entry for 7c93d26d3e003e1d1efc4fb1113f3aedade76cbf, while we had an entry when we added these patches. Not worth rebuilding the package but please check if this happened because our release doc is buggy or for another reason: it would be nice to have safeguards so we don’t make such mistakes again in the future :)

Agreed! Last time I just happened to remember to add a changelog entry, but there are no safeguards, and I propose we solve it with gbp dch: commit:97e85513f363d12ebd53d5f93a9f7ffac29f274a

I think I screwed up the branch by basing it on devel, so I have force-pushed the branch based on stable. Same for the +force-all-tests one!

#11 Updated by intrigeri 2018-11-30 13:38:55

  • Status changed from In Progress to Fix committed
  • % Done changed from 60 to 100

Applied in changeset commit:tails|13d2948bb6391295504e0ac94405d549d846d704.

#12 Updated by intrigeri 2018-11-30 13:44:17

  • QA Check changed from Ready for QA to Pass

Merged!

You might have missed that meanwhile, 60.3.1 was released; and today 60.3.2 was released too. The former is in Debian already, the latter is not. There’s been no MFSA and the bugfixes they bring don’t seem worth upgrading at this point. I’ll keep an eye on what’s coming next.

#13 Updated by intrigeri 2018-11-30 14:00:30

  • Assignee deleted (intrigeri)

#14 Updated by CyrilBrulebois 2018-12-16 13:20:46

  • Status changed from Fix committed to Resolved