Your message dated Mon, 22 Jun 2026 20:43:25 +0000
with message-id <[email protected]>
and subject line Bug#880424: fixed in thunderbird 1:152.0-1
has caused the Debian Bug report #880424,
regarding /etc/apparmor.d/usr.bin.thunderbird: should allow execution of the
configured browser
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
880424: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880424
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: thunderbird
Version: 1:52.4.0-1
I turned on AppArmor and Thunderbird stopped opening links for me. dmesg
has the following denial message:
[ 3795.153239] audit: type=1400 audit(1509283418.100:64):
apparmor="DENIED" operation="exec" profile="thunderbird"
name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
I think there needs to be some kind of defined way for browsers to be
allowed to be executed. I understand that I use a browser that is not in
the distribution, which makes this even more important. In this case the
browser is literally set as the xdg default:
$ xdg-settings get default-web-browser
google-chrome-beta.desktop
/etc/apparmor.d/abstractions/ubuntu-browsers includes the regular
google-chrome:
/opt/google/chrome/google-chrome Cx -> sanitized_helper,
Literally the only browser Thunderbird should be able to execute is the
one configured as the default, not some set of ancient and potentially
exploitable other browsers (like some compiled against old webkit
versions), looking at the current list in the abstraction.
I suppose one way would be to always launch some kind of
sensible-browser binary and let that call out to the default browser
only. Which might be what sanitized_helper is already trying to
accomplish. Except that the abstraction leaks into the... abstraction. :)
Another way would be to let browser packages ship a file that allows
their execution and then the installed ones are automatically available
to Thunderbird (or another browser-spawning program). In this case
Chrome would need to start shipping such a file.
Kind regards and thanks
Philipp Kern
signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
Source: thunderbird
Source-Version: 1:152.0-1
Done: Carsten Schoenert <[email protected]>
We believe that the bug you reported is fixed in the latest version of
thunderbird, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Carsten Schoenert <[email protected]> (supplier of updated thunderbird
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 22 Jun 2026 21:41:06 +0200
Source: thunderbird
Architecture: source
Version: 1:152.0-1
Distribution: experimental
Urgency: medium
Maintainer: Carsten Schoenert <[email protected]>
Changed-By: Carsten Schoenert <[email protected]>
Closes: 880424 882218 883245 900210 909281 914403 917613 928178 949450 949649
955380 961269 1127710 1128672 1128876 1138513
Changes:
thunderbird (1:152.0-1) experimental; urgency=medium
.
[ Carsten Schoenert ]
* [5097e09] d/control: Bump B-D for libnss3-dev
* [5350030] New upstream version 152.0
(Closes: #1138513)
* [92962df] Rebuild patch queue from patch-queue branch
Removed patch (included upstream):
fixes/Fix-conflicting-types-for-once_flag-and-call_once-with-gl.patch
fixes/Fix-math_private.h-for-i386-FTBFS.patch
fixes/Fix-sandbox-to-build-with-glibc-2.43.patch
* [46de392] d/mozconfig.default: Remove option --enable-av1
.
[ Christoph Goehre ]
* [5308430] rebuild patch queue from patch-queue branch (Closes: #1128876)
.
[ intrigeri ]
* [77d16c3] Don't install AppArmor policy anymore
(Closes: #1128672, #1127710, #928178, #909281, #955380, #882218, #900210,
#914403, #917613, #949450, #880424, #883245, #961269, #949649)
Checksums-Sha1:
1e9bca601d3dab684f2c1e34bbd107712eb17f8e 8402 thunderbird_152.0-1.dsc
5ed145d0f72ee7e539f3f0d40cea83ed62b1499f 12403192
thunderbird_152.0.orig-thunderbird-l10n.tar.xz
dbef2f6a94cec7b667931b222bdd6f0aaf9a4810 931861244
thunderbird_152.0.orig.tar.xz
6fc9531bd0e3c27e7908228227a542966eb827f8 537512
thunderbird_152.0-1.debian.tar.xz
41476b21bed4090bcf2c148b0178ef52d0e2f2e7 40158
thunderbird_152.0-1_amd64.buildinfo
Checksums-Sha256:
8d348b506605fc73d56722d5a55ed9dae8af623989312e5c039786edfbe4f0f2 8402
thunderbird_152.0-1.dsc
f4afa9846377239357e485da027035fe53762cc8100ced5cf5abca87fca7a1f8 12403192
thunderbird_152.0.orig-thunderbird-l10n.tar.xz
64f02562f1f4a18e39c67b07255feb5828acde86327f55b1ebe45e3ac63963ea 931861244
thunderbird_152.0.orig.tar.xz
52abff98afbeb3859791f46e5602bbbf6982f38876f7e223d0ff1ac7bb77c778 537512
thunderbird_152.0-1.debian.tar.xz
38ab10bf14449c38f7233f8d883b1a6ffbe412606232763f9bcaa5dcda320c03 40158
thunderbird_152.0-1_amd64.buildinfo
Files:
cddc168c5e8bdb4c051a11b4e56831b8 8402 mail optional thunderbird_152.0-1.dsc
27c69983d0063061996fc52794377743 12403192 mail optional
thunderbird_152.0.orig-thunderbird-l10n.tar.xz
f49e9b967f1a1fdceec316060aef4959 931861244 mail optional
thunderbird_152.0.orig.tar.xz
d435a5b441fa39456dfa21b01881fdf3 537512 mail optional
thunderbird_152.0-1.debian.tar.xz
20c10b422095bf9f1d461c01e152c30e 40158 mail optional
thunderbird_152.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtw38bxNP7PwBHmKqgwFgFCUdHbAFAmo5mL4ACgkQgwFgFCUd
HbCPqw/+LEBi5TrBqIfSUOoosSHHufs3R4FzJrZ6vNsK4ur6EVNNhR1u0Gc4VtEG
JIaiGg7fCDf3mgAowEIKSQpVHnqMPKpqZemfIWHNT0exdKp1RXlh9OuwGdOqg0Og
5MWrhKzrDVr7p9LmB7ilQ2V0I+xHx1zh/cG58Ar2Pp9Wn8YDlpIQmO0vp6sX2ex5
GTUYHvVrssW4L/hOAsbMu9YUnGPRiHPvj94JF7XT2JFC6mndXtiqvEOH5Oo1UluK
FcM8Xz1GsANmwB4gR7/g0f06RWEjAsOMXPU98ESaY85kRTJ4VlVvGWOknGa0Sptv
frrEG893xRFXFmnrDR7dLH8Ux1cnsGy5wpNCZeLVViuT6Pv4OIm83jijKqaGHvp3
jdD8OWx7YGbYdm+INBBnff5Y/IEEni7EIuX17/S3ZNqlLYJGPbL6OWG+pMK52+xZ
0dMFXCrSMc+xMMUHBQ/aUw3up5t4B5de51tX9kWTFv3W/qIiLdA+PpH2EGiJJJIF
Jgm9q0sAlXLC2GZW55MTbk2/jhewQOcShIRrEKFJUPzpPgeXZAAN/I47uKAzoUAW
0x/Hb0+b72NKBlK8jurZfKYBDPyxLnHSUcCbVCPj8SyzxcCHBZ12jsVhIEjUwMEH
cyFP/Ep5MDC7yo9XX+Xt4na47jktwLRJ5jRpySaIV9RfhvBHPNQ=
=jjF1
-----END PGP SIGNATURE-----
pgpc6TjozTJhB.pgp
Description: PGP signature
--- End Message ---