!NBBFPbiuttRgTqbrcY:nixos.org

NixOS Security Discussions

363 Members
Discussions around Security | Triaging happens in #security:nixos.org
126 Servers

13 Oct 2024
@hexa:lossy.network hexa
In reply to @aloisw:kde.org
I'm not aware of any specific security fixes or knownVulnerabilities in Thunderbird, it's just a browser engine so it's probably better to assume every release is security-relevant.
basically they track the esr cycle of firefox (up until now), which regularly comes with a security advisory attached
18:05:47
@hexa:lossy.network hexa
In reply to @aloisw:kde.org
Lol this literally is every release, right?
yes.
18:06:05
@hexa:lossy.network hexa
In reply to @emilazy:matrix.org
yes, though like their notice says probably a lot of them are effectively irrelevant for a product that doesn't (or at least tries not to?) run untrusted JS
you can open a website in thunderbird fwiw
18:06:22
@emilazy:matrix.org emily

Security Vulnerabilities fixed in Thunderbird 115.10
CVE-2024-3864: Memory safety bug fixed in Firefox 125, Firefox ESR 115.10, and Thunderbird 115.10
Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code.

(April)

Update request: betterbird 115.9 → 115.12 #323169

(June)

Could you create a PR, please?

18:06:44
@emilazy:matrix.org emily
update eventually merged 3 weeks ago
18:06:56
@hexa:lossy.network hexa
yeah, not acceptable
18:07:06
@emilazy:matrix.org emily

https://github.com/NixOS/nixpkgs/issues/251427

Sadly the package is repeatedly out of date. I would really like to switch to betterbird but as it's internet-facing, timely updates should be ensured.

(August 2023)

18:07:52
@emilazy:matrix.org emily
think it's fair to say that the situation is unlikely to change
18:08:08
@hexa:lossy.network hexa
https://github.com/NixOS/nixpkgs/pull/241560#issuecomment-1620795028
18:09:12
@hexa:lossy.network hexa
do you remember this one, emily?
18:09:18
@aloisw:kde.org aloisw
On a cursory glance, upstream (if that's the correct word here given that it's a patched Thunderbird) maintenance looks kinda okay, but nixpkgs is lagging severely.
18:09:19
@emilazy:matrix.org emily
upstream is some guy who was banned from Thunderbird development for constantly being uncivil IIRC
18:10:07
@emilazy:matrix.org emily
but I agree that it seems to meet my basic expectations for backports of upstream browser engine security fixes
18:10:20
@emilazy:matrix.org emily
so it's ahead of, like, most Firefox forks
18:10:29
@emilazy:matrix.org emily
In reply to @hexa:lossy.network
do you remember this one, emily?
right. this is what I was remembering re: stable backports
18:10:47
@emilazy:matrix.org emily
the commitment is more than I remember, but it doesn't seem to have been fulfilled
18:11:07
@emilazy:matrix.org emily

currently unfixed on stable that don't look JS-specific:

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1888333
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1893340
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1878199
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1193389
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1896555 (maybe? "By manipulating the text in an <input> tag, an attacker could have caused corrupt memory leading to a potentially exploitable crash." – bug is not public still, lol)
  • https://bugzilla.mozilla.org/buglist.cgi?bug_id=1862809%2C1889355%2C1893388%2C1895123 (also not accessible)
  • uhh more NSS stuff… actually this is too tedious, there's like 3 more point releases left
18:15:36
@emilazy:matrix.org emily
I think we need to set knownVulnerabilities on 24.05 for sure. removal before the 24.11 freeze also seems like a reasonable course of action to me, or we will inevitably end up shipping vulnerable versions to users again within the next 6 months unless someone else wants to be responsible for the package.
18:16:14
@emilazy:matrix.org emily
actually the NSS stuff might be fine if we have a separate NSS package
18:16:44
@emilazy:matrix.org emily
and of course it may be hard to impossible to construct an exploit chain for some or all of them without JS
18:16:55
@emilazy:matrix.org emily
but that is certainly not wholly obvious to me for some of them
18:17:16
@rosscomputerguy:matrix.org Tristan Ross
In reply to @emilazy:matrix.org
you'd want to talk to ris
Idk who that is
18:19:08
@hexa:lossy.network hexa
risicle
18:19:13
@hexa:lossy.network hexa
ris_ in this room
18:19:23
@emilazy:matrix.org emily
also lib.maintainers.ris
18:19:39
@rosscomputerguy:matrix.org Tristan Ross
Oh
18:19:43
@hexa:lossy.network hexa
In reply to @emilazy:matrix.org
actually the NSS stuff might be fine if we have a separate NSS package
hm? I maintain nss
18:21:02
@rosscomputerguy:matrix.org Tristan Ross
Time to find the issue I was pinged in relating to what I'm doing lol
18:21:09
@emilazy:matrix.org emily
I meant that one of the vulns I linked was NSS-related
18:21:13
@emilazy:matrix.org emily
so it may not apply to us assuming we have a split NSS package that actually gets updates
18:21:23
