- Mozilla Thunderbird 102.6.0

https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
  MFSA 2022-53 (bsc#1206242)
  * CVE-2022-46880 (bmo#1749292)
    Use-after-free in WebGL
  * CVE-2022-46872 (bmo#1799156)
    Arbitrary file read from a compromised content process
  * CVE-2022-46881 (bmo#1770930)
    Memory corruption in WebGL
  * CVE-2022-46874 (bmo#1746139)
    Drag and Dropped Filenames could have been truncated to
    malicious extensions
  * CVE-2022-46875 (bmo#1786188)
    Download Protections were bypassed by .atloc and .ftploc
    files on Mac OS
  * CVE-2022-46882 (bmo#1789371)
    Use-after-free in WebGL
  * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
    bmo#1801102, bmo#1801315, bmo#1802395)
    Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
  mozilla-newer-cbindgen.patch
  mozilla-glibc236.patch

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=680
Wolfgang Rosenauer 2022-12-13 21:35:47 +00:00 committed by Git OBS Bridge
parent 8e5a394a01
commit 16ebad9cce
10 changed files with 52 additions and 148 deletions


@ -1,3 +1,30 @@
-------------------------------------------------------------------
Tue Dec 13 13:49:09 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.6.0
https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
MFSA 2022-53 (bsc#1206242)
* CVE-2022-46880 (bmo#1749292)
Use-after-free in WebGL
* CVE-2022-46872 (bmo#1799156)
Arbitrary file read from a compromised content process
* CVE-2022-46881 (bmo#1770930)
Memory corruption in WebGL
* CVE-2022-46874 (bmo#1746139)
Drag and Dropped Filenames could have been truncated to
malicious extensions
* CVE-2022-46875 (bmo#1786188)
Download Protections were bypassed by .atloc and .ftploc
files on Mac OS
* CVE-2022-46882 (bmo#1789371)
Use-after-free in WebGL
* CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
bmo#1801102, bmo#1801315, bmo#1802395)
Memory safety bugs fixed in Thunderbird 102.6
- removed obsolete patches
mozilla-newer-cbindgen.patch
mozilla-glibc236.patch
-------------------------------------------------------------------
Wed Nov 30 20:49:28 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>


@ -29,8 +29,8 @@
# major 69
# mainver %major.99
%define major 102
%define mainver %major.5.1
%define orig_version 102.5.1
%define mainver %major.6.0
%define orig_version 102.6.0
%define orig_suffix %{nil}
%define update_channel release
%define source_prefix thunderbird-%{orig_version}
@ -206,8 +206,6 @@ Patch19: mozilla-silence-no-return-type.patch
Patch20: mozilla-bmo531915.patch
Patch21: one_swizzle_to_rule_them_all.patch
Patch22: svg-rendering.patch
Patch23: mozilla-newer-cbindgen.patch
Patch24: mozilla-glibc236.patch
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /bin/sh
@ -296,8 +294,6 @@ fi
%patch20 -p1
%patch21 -p1
%patch22 -p1
%patch23 -p1
%patch24 -p1
%endif
%build
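Review bot: The removal of `Patch24: mozilla-glibc236.patch` and its `%patch24 -p1` line is not backed by anything on this page showing that the 102.6.0 tarball already contains both Bug 1782988 changes, which builds against glibc 2.36 or newer now depend on. Those changes are the `EVENT__HAVE_ARC4RANDOM` / `EVENT__HAVE_ARC4RANDOM_BUF` guards in libevent's Linux `event-config.h` and `arc4random_buf(&id, sizeof(UUID))` in `ping.cpp`. The same question applies to `Patch23: mozilla-newer-cbindgen.patch` and the duplicate `ROOT_CLIP_CHAIN` definition it removed. After checking the unpacked source, I would record the reason in the changelog entry, for example `- removed obsolete patches (fixed upstream in 102.6.0)`. The `Patch` declarations and the `%patch` applications were dropped together, so the spec itself stays consistent.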


@ -1,101 +0,0 @@
# HG changeset patch
# User Mike Hommey <mh+mozilla@glandium.org>
# Date 1660077764 0
# Node ID 970ebbe54477a0e518bfee8aeddf487ad9bd4365
# Parent caca601f2f5e87dd660434f3db2156e950151adb
Bug 1782988 - Avoid build bustage when building against glibc 2.36 or newer. r=RyanVM
Differential Revision: https://phabricator.services.mozilla.com/D153716
diff --git a/ipc/chromium/src/third_party/libevent/README.mozilla b/ipc/chromium/src/third_party/libevent/README.mozilla
--- a/ipc/chromium/src/third_party/libevent/README.mozilla
+++ b/ipc/chromium/src/third_party/libevent/README.mozilla
@@ -17,11 +17,15 @@ evconfig-private.h can be found in the r
You then need to modify the EVENT__SIZEOF_* constants in the generated Linux,
Android, and BSD headers to be appropriate for both 32-bit and 64-bit platforms.
Mac doesn't need this since only 64-bit is supported. Use __LP64__ to
distinguish the two cases. If you get something wrong, the CHECK_EVENT_SIZEOF
static assertions in message_pump_libevent.cc will fail. If a new constant is
added, also add a static assertion for it to message_pump_libevent.cc.
+You also need to modify the EVENT__HAVE_ARC4RANDOM and EVENT__HAVE_ARC4RANDOM_BUF
+constants in the generated Linux header to account for the results of the arc4random
+and arc4random_buf configure checks.
+
2. No additional patches are needed at this time, but be careful to avoid
clobbering changes to the various event-config.h files which have been customized
over time to avoid various build bustages.
diff --git a/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h b/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h
--- a/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h
+++ b/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h
@@ -24,24 +24,28 @@
/* #undef EVENT__DISABLE_THREAD_SUPPORT */
/* Define to 1 if you have the `accept4' function. */
#define EVENT__HAVE_ACCEPT4 1
/* Define to 1 if you have the <afunix.h> header file. */
/* #undef EVENT__HAVE_AFUNIX_H 1 */
+#ifdef HAVE_ARC4RANDOM
/* Define to 1 if you have the `arc4random' function. */
-/* #undef EVENT__HAVE_ARC4RANDOM */
+#define EVENT__HAVE_ARC4RANDOM 1
+#endif
/* Define to 1 if you have the `arc4random_addrandom' function. */
/* #undef EVENT__HAVE_ARC4RANDOM_ADDRANDOM */
+#ifdef HAVE_ARC4RANDOM_BUF
/* Define to 1 if you have the `arc4random_buf' function. */
-/* #undef EVENT__HAVE_ARC4RANDOM_BUF */
+#define EVENT__HAVE_ARC4RANDOM_BUF 1
+#endif
/* Define to 1 if you have the <arpa/inet.h> header file. */
#define EVENT__HAVE_ARPA_INET_H 1
/* Define to 1 if you have the `clock_gettime' function. */
#define EVENT__HAVE_CLOCK_GETTIME 1
/* Define to 1 if you have the declaration of `CTL_KERN', and to 0 if you
# HG changeset patch
# User Mike Hommey <mh+mozilla@glandium.org>
# Date 1660077764 0
# Node ID a61813bd9f0a0048b84a2c56a77a06eb5e269ab2
# Parent 970ebbe54477a0e518bfee8aeddf487ad9bd4365
Bug 1782988 - Fix use of arc4random_buf use in ping.cpp. r=gsvelto
The code was probably never built before glibc 2.36, because before
that, only Android and some BSDs had arc4random_buf, but none of those
actually built this code.
Differential Revision: https://phabricator.services.mozilla.com/D154024
diff --git a/toolkit/crashreporter/client/ping.cpp b/toolkit/crashreporter/client/ping.cpp
--- a/toolkit/crashreporter/client/ping.cpp
+++ b/toolkit/crashreporter/client/ping.cpp
@@ -48,17 +48,17 @@ static string GenerateUUID() {
return "";
}
CFUUIDBytes bytes = CFUUIDGetUUIDBytes(uuid);
memcpy(&id, &bytes, sizeof(UUID));
CFRelease(uuid);
#elif defined(HAVE_ARC4RANDOM_BUF) // Android, BSD, ...
- arc4random_buf(id, sizeof(UUID));
+ arc4random_buf(&id, sizeof(UUID));
#else // Linux
int fd = open("/dev/urandom", O_RDONLY);
if (fd == -1) {
return "";
}
if (read(fd, &id, sizeof(UUID)) != sizeof(UUID)) {


@ -1,18 +0,0 @@
Description: Remove an extra constant definition that is now being generated by newer versions of cbindgen (0.24), and causing build failures because it is defined in several places.
Author: Olivier Tilloy <olivier.tilloy@canonical.com>
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1773259
Forwarded: not-needed
diff --git a/gfx/webrender_bindings/webrender_ffi.h b/gfx/webrender_bindings/webrender_ffi.h
index b1d67b1..eb79974 100644
--- a/gfx/webrender_bindings/webrender_ffi.h
+++ b/gfx/webrender_bindings/webrender_ffi.h
@@ -73,8 +73,6 @@ struct WrPipelineInfo;
struct WrPipelineIdAndEpoch;
using WrPipelineIdEpochs = nsTArray<WrPipelineIdAndEpoch>;
-const uint64_t ROOT_CLIP_CHAIN = ~0;
-
} // namespace wr
} // namespace mozilla


@ -1,10 +1,10 @@
PRODUCT="thunderbird"
CHANNEL="esr102"
VERSION="102.5.1"
VERSION="102.6.0"
VERSION_SUFFIX=""
PREV_VERSION="102.5.0"
PREV_VERSION="102.5.1"
PREV_VERSION_SUFFIX=""
#SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102"
RELEASE_TAG="bbf216e50e6a8cb4362b2b77feeb8ca4a1d78914"
RELEASE_TIMESTAMP="20221129154640"
RELEASE_TAG="563cc2baf242975fda41000da903db513713dc65"
RELEASE_TIMESTAMP="20221208182320"


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d8de843fffcd10b23c348c5726bff7215c983220ab9e63a5eb7e25aa33901528
size 509550884


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmOGQ1QACgkQ6+QekPbx
L21k3RAAodADilQf37+PPu3LWF4xyPgpwfnPct27TsZF2+8hDDgkxBLFfKVHhjmD
w2KWN+rwTxhCtwZ8KUZUjCR2BJoyJh/oYuMDrCSdmRey+SzAr1vwqWi2CqJmJ4gO
8zDyixKgnrkkG1XLEVzIbPOCaudI/VLSfPgjN7ILOoHaUQnFjoVc6SLlU8qWJ7MB
UBrq7oPeu+lpDEYJGbq0ugULCi+Z2iRp9TTqreqlSdxRfF2IntmCjg+oSzUS8UuZ
7zUhuxXsB9WB9z3aK96v20mCXlgZCRMbM9sfEtxG3/YgMLdsWbIpxwu3F/LW1Yoe
hQ2VT0LK6RqTdjsgpXFDy/4PGNEnSjROYJG4Ao2eEzJDbkj34JA/8ZZqhUGcinUT
r/WBmTjHv3Jh9ysG7JxXE45+RAXFORMrnJbUZyggIV3wx1CLzU47JTL29rehFCwC
0KkBM1L5tvaRJAzXVjWMBHEyrUPolE7oNktZcCWPtj2GwllEJJ5/hUDXeRa75HfH
oe1Xi3G3ZiCrZ5KEN04/JeBkK1NRP68P21MwheVjp/yi18QK6aOupn3svYneyCVr
yOQ9l9xcg6a/7UbtCFiHWf3shrByeqzm5H37ZCen8vcYqkmGk3NNxpYYAWM59E3k
igzi6+hH7sUo3m5ROCWXBBJbeMmD1L+CSrOZkl62OBY1EWxxPd4=
=E0W0
-----END PGP SIGNATURE-----


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f5847083281cde16a486f1449dc5c0a8cad689e2db2b34ae486d1795f8d43c2e
size 503321152


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmOXoEwACgkQ6+QekPbx
L23wLQ/8DORhGSUWd7vSojz0cRis26xQA0XK0S+G+v6F2ec2XTHR1Ae18cLv9a0L
l+d6XiizhFl0Xrg7zSVCHao5ivxzSGvbqeDEPL7Qc7RExBqhWfkjqGPy6RzVxADI
T4AmCCeh2B248YHds8OdWULUANxQIR3ZDmyukBZKid6bkY+5EyufvXMzrJvrMopf
QqjyOVUUzQ0hqFErpUUzLGw/f+Be6lUZrtTk/w1j0+5HRteyf37nU7kxPpH2LrnA
3Duj7hfM7OHOQumpXSNhfgjNZIF7fs0rKr68DfDryh4zID4HG/oqd5E2tH+5Hf7F
erhlv/U9GUzrU7FF88KOs045wu3SzxDxax+74ifxdsWUS+K/v1dwtCiU2gwxCneT
jP8yQueQItNCscyigwXTy7xZ9zEjsnq9K2pN0m7rSasSuW8Gbat0i4PV6NcWRZ0H
zrgt/7mEAi4hqp+yLPQMaCQIhOzfLrSZM7fkMnkJs01Gn3moNepbSxreHram38E5
mHhuDcjwOFLsb4GbVd3NIYPMl5px0qHBuSCV+dXcPXZxfHLKdHBHBZK72pp8Koco
fgGvYPObCDbg6N3nDmccnQ5x1PEW3tytpuGVUkcPwQECHoBRnuVyMPXTUGQpzxVP
qwYr81xwI1UkH1HBqVij6JjS7ErwxHamVVvEpv2T1OXSBh66VHk=
=1NJn
-----END PGP SIGNATURE-----