13 Oct 2024 |
hexa | In reply to @aloisw:kde.org Lol this literally is every release, right? yes. | 18:06:05 |
hexa | In reply to @emilazy:matrix.org yes, though like their notice says probably a lot of them are effectively irrelevant for a product that doesn't (or at least tries not to?) run untrusted JS. You can open a website in thunderbird fwiw | 18:06:22 |
emily |
Security Vulnerabilities fixed in Thunderbird 115.10 CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10 Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.
(April)
Update request: betterbird 115.9 → 115.12 #323169
(June)
Could you create a PR, please?
| 18:06:44 |
emily | update eventually merged 3 weeks ago | 18:06:56 |
hexa | yeah, not acceptable | 18:07:06 |
emily | https://github.com/NixOS/nixpkgs/issues/251427
Sadly the package is repeatedly out of date. I would really like to switch to betterbird but as it's internet-facing, timely updates should be ensured.
(August 2023)
| 18:07:52 |
emily | think it's fair to say that the situation is unlikely to change | 18:08:08 |
hexa | https://github.com/NixOS/nixpkgs/pull/241560#issuecomment-1620795028 | 18:09:12 |
hexa | do you remember this one, emily? | 18:09:18 |
aloisw | On a cursory glance, upstream (if that's the correct word here given that it's a patched Thunderbird) maintenance looks kinda okay, but nixpkgs is lagging severely. | 18:09:19 |
emily | upstream is some guy who was banned from Thunderbird development for constantly being uncivil IIRC | 18:10:07 |
emily | but I agree that it seems to meet my basic expectations for backports of upstream browser engine security fixes | 18:10:20 |
emily | so it's ahead of, like, most Firefox forks | 18:10:29 |
emily | In reply to @hexa:lossy.network do you remember this one, emily? right. this is what I was remembering re: stable backports | 18:10:47 |
emily | the commitment is more than I remember, but it doesn't seem to have been fulfilled | 18:11:07 |
emily | currently unfixed on stable that don't look JS-specific:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1888333
- https://bugzilla.mozilla.org/show_bug.cgi?id=1893340
- https://bugzilla.mozilla.org/show_bug.cgi?id=1878199
- https://bugzilla.mozilla.org/show_bug.cgi?id=1193389
- https://bugzilla.mozilla.org/show_bug.cgi?id=1896555 (maybe? "By manipulating the text in an
<input> tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash." – bug is not public still, lol)
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=1862809%2C1889355%2C1893388%2C1895123 (also not accessible)
- uhh more NSS stuff… actually this is too tedious, there's like 3 more point releases left
| 18:15:36 |
emily | I think we need to set knownVulnerabilities on 24.05 for sure. removal before the 24.11 freeze also seems like a reasonable course of action to me, or we will inevitably end up shipping vulnerable versions to users again within the next 6 months unless someone else wants to be responsible for the package. | 18:16:14 |
emily | actually the NSS stuff might be fine if we have a separate NSS package | 18:16:44 |
emily | and of course it may be hard to impossible to construct an exploit chain for some or all of them without JS | 18:16:55 |
emily | but that is certainly not wholly obvious to me for some of them | 18:17:16 |
Tristan Ross | In reply to @emilazy:matrix.org you'd want to talk to ris Idk who that is | 18:19:08 |
hexa | risicle | 18:19:13 |
hexa | ris_ in this room | 18:19:23 |
emily | also lib.maintainers.ris | 18:19:39 |
Tristan Ross | Oh | 18:19:43 |
hexa | In reply to @emilazy:matrix.org actually the NSS stuff might be fine if we have a separate NSS package hm? I maintain nss | 18:21:02 |
Tristan Ross | Time to find the issue I was pinged in relating to what I'm doing lol | 18:21:09 |
emily | I meant that one of the vulns I linked was NSS-related | 18:21:13 |
emily | so it may not apply to us assuming we have a split NSS package that actually gets updates | 18:21:23 |
hexa | nss is always recent | 18:21:28 |