- Mozilla Thunderbird 102.9.0

* https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes MFSA 2023-11 (bsc#1209173)) * CVE-2023-25751 (bmo#1814899) Incorrect code generation during JIT compilation * CVE-2023-28164 (bmo#1809122) URL being dragged from a removed cross-origin iframe into the same tab triggered navigation * CVE-2023-28162 (bmo#1811327) Invalid downcast in Worklets * CVE-2023-25752 (bmo#1811627) Potential out-of-bounds when accessing throttled streams * CVE-2023-28163 (bmo#1817768) Windows Save As dialog resolved environment variables * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904, bmo#1817442, bmo#1818674) Memory safety bugs fixed in Thunderbird 102.9 - update create-tar.sh - Ensure gcc11-c++ gets used on Leap 15.5, too. OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=690
2023-03-16 10:35:50 +00:00 · 2023-03-16 10:35:50 +00:00 · 34b61a3e8e
commit 34b61a3e8e
parent 7e7b48d551
9 changed files with 132 additions and 81 deletions
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Sun Mar 12 09:52:40 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 102.9.0
+  * https://www.thunderbird.net/en-US/thunderbird/102.9.0/releasenotes
+  MFSA 2023-11 (bsc#1209173))
+  * CVE-2023-25751 (bmo#1814899)
+    Incorrect code generation during JIT compilation
+  * CVE-2023-28164 (bmo#1809122)
+    URL being dragged from a removed cross-origin iframe into the
+    same tab triggered navigation
+  * CVE-2023-28162 (bmo#1811327)
+    Invalid downcast in Worklets
+  * CVE-2023-25752 (bmo#1811627)
+    Potential out-of-bounds when accessing throttled streams
+  * CVE-2023-28163 (bmo#1817768)
+    Windows Save As dialog resolved environment variables
+  * CVE-2023-28176 (bmo#1808352, bmo#1811637, bmo#1815904,
+    bmo#1817442, bmo#1818674)
+    Memory safety bugs fixed in Thunderbird 102.9
+- update create-tar.sh
+
+-------------------------------------------------------------------
+Tue Mar  7 18:30:09 UTC 2023 - Manfred Hollstein <manfred.h@gmx.net>
+
+- Ensure gcc11-c++ gets used on Leap 15.5, too.
+
 -------------------------------------------------------------------
 Wed Feb 15 07:46:58 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@ -29,8 +29,8 @@
 # major 69
 # mainver %major.99
 %define major          102
-%define mainver        %major.8.0
-%define orig_version   102.8.0
+%define mainver        %major.9.0
+%define orig_version   102.9.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define source_prefix  thunderbird-%{orig_version}
@ -85,7 +85,7 @@ BuildRequires:  autoconf213
 BuildRequires:  dbus-1-glib-devel
 BuildRequires:  fdupes
 BuildRequires:  memory-constraints
-%if 0%{?suse_version} < 1550 && 0%{?sle_version} <= 150400
+%if 0%{?suse_version} < 1550 && 0%{?sle_version} <= 150500
 BuildRequires:  gcc11-c++
 %else
 BuildRequires:  gcc-c++
@ -180,7 +180,7 @@ Source6:        suse-default-prefs.js
 Source7:        l10n-%{orig_version}%{orig_suffix}.tar.xz
 Source9:        thunderbird.appdata.xml
 Source13:       spellcheck.js
-Source14:       https://github.com/openSUSE/firefox-scripts/raw/f4363ab1d76e173666e56408d44fe00af16ddbd8/create-tar.sh
+Source14:       https://github.com/openSUSE/firefox-scripts/raw/9b77cf0/create-tar.sh
 Source20:       https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/source/%{srcname}-%{orig_version}%{orig_suffix}.source.tar.xz.asc
 Source21:       https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/KEY#/mozilla.keyring
 # Gecko/Toolkit
@ -334,7 +334,7 @@ export BUILD_OFFICIAL=1
 export MOZ_TELEMETRY_REPORTING=1
 export MOZ_REQUIRE_SIGNING=
 export MACH_USE_SYSTEM_PYTHON=1
-%if 0%{?suse_version} < 1550 && 0%{?sle_version} <= 150400
+%if 0%{?suse_version} < 1550 && 0%{?sle_version} <= 150500
 export CC=gcc-11
 %else
 %if 0%{?clang_build} == 0
--- a/create-tar.sh
+++ b/create-tar.sh
@ -16,10 +16,17 @@ function main() {

  set_internal_variables

-  check_what_changed
+  check_what_to_do_with_source_tarballs
  download_upstream_source_tarballs

-  create_locales_tarballs
+  if [ -z ${SKIP_LOCALES+x} ]; then
+    check_what_to_do_with_locales_tarballs
+    create_locales_tarballs
+  else 
+    printf "%-40s: User forced skip (SKIP_LOCALES set)\n" "locales"
+  fi
+
+  clean_up_old_tarballs
 }

 function print_usage_and_exit() {
@ -64,7 +71,9 @@ function set_internal_variables() {
  else
    FF_LOCALE_FILE="thunderbird-$VERSION/browser/locales/l10n-changesets.json"
    TB_LOCALE_FILE="thunderbird-$VERSION/comm/mail/locales/l10n-changesets.json"
-    L10N_STRING_PATTERNS="thunderbird-$VERSION/python/l10n/tbxchannel/l10n_merge.py"
+    FF_PREV_LOCALE_FILE="thunderbird-$PREV_VERSION/browser/locales/l10n-changesets.json"
+    TB_PREV_LOCALE_FILE="thunderbird-$PREV_VERSION/comm/mail/locales/l10n-changesets.json"
+    L10N_STRING_PATTERNS="thunderbird-$VERSION/comm/python/l10n/tbxchannel/l10n_merge.py"
  fi

  SOURCE_TARBALL="$PRODUCT-$VERSION$VERSION_SUFFIX.source.tar.xz"
@ -93,7 +102,7 @@ function check_tarball_source () {
      local CANDIDATE_TARBALL_LOCATION=""
      CANDIDATE_TARBALL_LOCATION="$(printf "%s/%s/source/%s" "$(get_ftp_candidates_url "$PRODUCT" "$VERSION$VERSION_SUFFIX")" "$BUILD_ID" "$TARBALL" )"
      if wget --spider "$CANDIDATE_TARBALL_LOCATION" 2> /dev/null; then
-          echo "Download UNRELEASED candidate"
+          echo "Download UNRELEASED candidate ($BUILD_ID)"
      else
          echo "Mercurial checkout"
      fi
@ -119,13 +128,13 @@ function check_for_binary() {
 }

 function get_source_stamp() {
-  CURR_BUILD_ID="$1"
-  FTP_CANDIDATES_BASE_URL=$(get_ftp_candidates_url "$PRODUCT" "$VERSION$VERSION_SUFFIX")
-  FTP_CANDIDATES_JSON_SUFFIX="${CURR_BUILD_ID}/linux-x86_64/en-US/$PRODUCT-$VERSION$VERSION_SUFFIX.json"
-  BUILD_JSON=$(curl --silent --fail "$FTP_CANDIDATES_BASE_URL/$FTP_CANDIDATES_JSON_SUFFIX") || return 1;
-  REV=$(echo "$BUILD_JSON" | jq .moz_source_stamp)
-  SOURCE_REPO=$(echo "$BUILD_JSON" | jq .moz_source_repo)
-  TIMESTAMP=$(echo "$BUILD_JSON" | jq .buildid)
+  local CURR_BUILD_ID="$1"
+  local FTP_CANDIDATES_BASE_URL=$(get_ftp_candidates_url "$PRODUCT" "$VERSION$VERSION_SUFFIX")
+  local FTP_CANDIDATES_JSON_SUFFIX="${CURR_BUILD_ID}/linux-x86_64/en-US/$PRODUCT-$VERSION$VERSION_SUFFIX.json"
+  local BUILD_JSON=$(curl --silent --fail "$FTP_CANDIDATES_BASE_URL/$FTP_CANDIDATES_JSON_SUFFIX") || return 1;
+  local REV=$(echo "$BUILD_JSON" | jq .moz_source_stamp)
+  local SOURCE_REPO=$(echo "$BUILD_JSON" | jq .moz_source_repo)
+  local TIMESTAMP=$(echo "$BUILD_JSON" | jq .buildid)
  echo "Extending $TAR_STAMP with:"
  echo "RELEASE_REPO=${SOURCE_REPO}"
  echo "RELEASE_TAG=${REV}"
@ -170,9 +179,9 @@ function get_build_number() {
 }

 function locales_get() {
-  CURR_PRODUCT="$1"
-  TMP_VERSION="$2"
-  CURR_BUILD_ID="$3"
+  local CURR_PRODUCT="$1"
+  local TMP_VERSION="$2"
+  local CURR_BUILD_ID="$3"
  # Make first letter of CURR_PRODUCT upper case
  CURR_PRODUCT_CAP="${CURR_PRODUCT^}"
  URL_TO_CHECK="${LOCALES_URL}/${CURR_PRODUCT_CAP}-${TMP_VERSION}"
@ -216,9 +225,9 @@ function extract_locales_file() {
 }

 function locales_unchanged() {
-  CURR_PRODUCT="$1"
-  CURR_BUILD_ID="$2"
-  PREV_BUILD_ID=$(get_build_number "$CURR_PRODUCT" "$PREV_VERSION$PREV_VERSION_SUFFIX")
+  local CURR_PRODUCT="$1"
+  local CURR_BUILD_ID="$2"
+  local PREV_BUILD_ID=$(get_build_number "$CURR_PRODUCT" "$PREV_VERSION$PREV_VERSION_SUFFIX")
  # If no json-file for one of the versions can be found, we say "they changed"
  prev_url=$(locales_get "$CURR_PRODUCT" "$PREV_VERSION$PREV_VERSION_SUFFIX" "$PREV_BUILD_ID") || return 1
  prev_content=$(locales_parse_url "$prev_url") || exit 1
@ -284,32 +293,10 @@ function create_and_copy_locales() {
    done
 }

-function check_what_changed() {
+function check_what_to_do_with_source_tarballs() {
  # Get ID 
  BUILD_ID=$(get_build_number "$PRODUCT" "$VERSION$VERSION_SUFFIX")

-  if [ -z ${SKIP_LOCALES+x} ]; then
-    LOCALES_CHANGED=1
-    if [ "$PREV_VERSION" != "" ]; then
-      # If we have a previous version, check either FF or (TB and FF)
-      if [ "$PRODUCT" = "firefox" ]; then
-        locales_unchanged "$PRODUCT" "$BUILD_ID"
-      else
-        FF_BUILD_ID=$(get_build_number "firefox" "$VERSION$VERSION_SUFFIX")
-        locales_unchanged "$PRODUCT" "$BUILD_ID" && locales_unchanged "firefox" "$FF_BUILD_ID"
-      fi
-      LOCALES_CHANGED=$?
-    fi
-
-    if [ $LOCALES_CHANGED -eq 1 ]; then
-      printf "%-40s: Need to download.\n" "locales"
-    else
-      printf "%-40s: Did not change. Skipping.\n" "locales"
-    fi
-  else 
-    printf "%-40s: User forced skip (SKIP_LOCALES set)\n" "locales"
-  fi
-
  # Check what is going to be done and ask for consent
  for ff in $SOURCE_TARBALL $SOURCE_TARBALL.asc; do
    printf "%-40s: %s\n" "$ff" "$(check_tarball_source $ff)"
@ -318,6 +305,47 @@ function check_what_changed() {
  ask_cont_abort_question "Is this ok?" || exit 0
 }

+function check_what_to_do_with_locales_tarballs() {
+  LOCALES_CHANGED=1
+
+  extract_locales_file
+
+  if [ "$PREV_VERSION" != "" ]; then
+    # If we have a previous version, check either FF or (TB and FF)
+    if [ "$PRODUCT" = "firefox" ]; then
+      locales_unchanged "$PRODUCT" "$BUILD_ID"
+    else
+      # Currently, upstream 'forgets' which Firefox-locales get used for which Thunderbird-release upon release
+      # so, instead of parsing upstream JSON-files, we rely on the previous tarball being there and comparing
+      # the lang-files directly
+      # FF_BUILD_ID=$(get_build_number "firefox" "$VERSION$VERSION_SUFFIX")
+      # locales_unchanged "$PRODUCT" "$BUILD_ID" && locales_unchanged "firefox" "$FF_BUILD_ID"
+      if [ -e "$PREV_SOURCE_TARBALL" ]; then 
+        echo "extract previous locale changesets"
+        tar -xf "$PREV_SOURCE_TARBALL" "$FF_PREV_LOCALE_FILE" "$TB_PREV_LOCALE_FILE"
+
+        curr_ff_content=$(locales_parse_file "$FF_LOCALE_FILE") || exit 1
+        prev_ff_content=$(locales_parse_file "$FF_PREV_LOCALE_FILE") || exit 1
+        curr_tb_content=$(locales_parse_file "$TB_LOCALE_FILE") || exit 1
+        prev_tb_content=$(locales_parse_file "$TB_PREV_LOCALE_FILE") || exit 1
+
+        diff -y --suppress-common-lines -d <(echo "$prev_ff_content") <(echo "$curr_ff_content") ||
+        diff -y --suppress-common-lines -d <(echo "$prev_tb_content") <(echo "$curr_tb_content")
+      fi
+    fi
+    LOCALES_CHANGED=$?
+  fi
+
+  # New line for better visibility
+  echo ""
+  if [ $LOCALES_CHANGED -eq 1 ]; then
+    printf "%-40s: Need to download.\n" "locales"
+    ask_cont_abort_question "Is this ok?" || exit 0
+  else
+    printf "%-40s: Did not change. Skipping.\n" "locales"
+  fi
+}
+
 function download_release_or_candidate_file() {
  local upstream_file="$1"
  if [ -e "$upstream_file" ]; then
@ -338,9 +366,6 @@ function download_upstream_source_tarballs() {

  # we might have an upstream archive already and can skip the checkout
  if [ -e "$SOURCE_TARBALL" ]; then
-    if [ -z ${SKIP_LOCALES+x} ] && [ $LOCALES_CHANGED -ne 0 ]; then
-      extract_locales_file
-    fi
    get_source_stamp "$BUILD_ID"
  else
    # We are working on a version that is not yet published on the mozilla mirror
@ -386,9 +411,9 @@ function clone_and_repackage_sources() {
  hg update --check "$FF_RELEASE_TAG"
  [ "$FF_RELEASE_TAG" == "default" ] || hg update -r "$FF_RELEASE_TAG"
  # get repo and source stamp
-  REV=$(hg -R . parent --template="{node|short}\n")
-  SOURCE_REPO=$(hg showconfig paths.default 2>/dev/null | head -n1 | sed -e "s/^ssh:/https:/")
-  TIMESTAMP=$(date +%Y%m%d%H%M%S)
+  local REV=$(hg -R . parent --template="{node|short}\n")
+  local SOURCE_REPO=$(hg showconfig paths.default 2>/dev/null | head -n1 | sed -e "s/^ssh:/https:/")
+  local TIMESTAMP=$(date +%Y%m%d%H%M%S)

  if [ "$PRODUCT" = "thunderbird" ]; then
    pushd comm || exit 1
@ -412,7 +437,8 @@ function clone_and_repackage_sources() {
  echo "RELEASE_TIMESTAMP=$TIMESTAMP" >> "$TAR_STAMP"

  echo "creating archive..."
-  tar "$compression" -cf "$PRODUCT-$VERSION$VERSION_SUFFIX.source.tar.xz" --exclude=.hgtags --exclude=.hgignore --exclude=.hg --exclude=CVS "$PRODUCT-$VERSION"
+  tar "$compression" -cf "$PRODUCT-$VERSION$VERSION_SUFFIX.source.tar.xz" --exclude-vcs "$PRODUCT-$VERSION"
+  ALREADY_EXTRACTED_LOCALES_FILE=1
 }

 function create_locales_tarballs() {
@ -420,7 +446,7 @@ function create_locales_tarballs() {
    echo "Skipping locales-creation."
    exit 0
  fi
-  
+
  if [ "$LOCALES_CHANGED" -ne 0 ]; then
    clone_and_repackage_locales
  elif [ -f "l10n-$PREV_VERSION$PREV_VERSION_SUFFIX.tar.xz" ]; then
@ -492,13 +518,11 @@ function clone_and_repackage_locales() {
      esac
    done
  echo "creating l10n archive..."
+  local TAR_FLAGS="--exclude-vcs"
  if [ "$PRODUCT" = "thunderbird" ]; then
-    TB_TAR_FLAGS="--exclude=suite"
+    TAR_FLAGS="$TAR_FLAGS --exclude=suite"
  fi
-  tar "$compression" -cf "l10n-$VERSION$VERSION_SUFFIX.tar.xz" \
-  --exclude=.hgtags --exclude=.hgignore --exclude=.hg \
-  "$TB_TAR_FLAGS" \
-  "$FINAL_L10N_BASE"
+  tar "$compression" -cf "l10n-$VERSION$VERSION_SUFFIX.tar.xz" $TAR_FLAGS "$FINAL_L10N_BASE"
 }

 function clean_up_old_tarballs() {
--- a/l10n-102.9.0.tar.xz
+++ b/l10n-102.9.0.tar.xz
--- a/8
+++ b/8
@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr102"
-VERSION="102.8.0"
+VERSION="102.9.0"
 VERSION_SUFFIX=""
-PREV_VERSION="102.7.2"
+PREV_VERSION="102.8.0"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102"
-RELEASE_TAG="d2f3330ed11584d3f02ba72cf2fbaa397cd5f3f4"
-RELEASE_TIMESTAMP="20230214184313"
+RELEASE_TAG="db735c436e680abf21cc67f9a29b42fdf30d416d"
+RELEASE_TIMESTAMP="20230310165821"
--- a/thunderbird-102.8.0.source.tar.xz
+++ b/thunderbird-102.8.0.source.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:12221faeb425490b799df12aa420ff9017eba573812b119b97ae1a1ed2727fc3
-size 506030440
--- a/thunderbird-102.8.0.source.tar.xz.asc
+++ b/thunderbird-102.8.0.source.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmPsBZsACgkQ6+QekPbx
-L23CrhAAm21whlxopurD2H7xTbPF6XJc2MSyKOWR8MtQWzSbVsvJ8Nzio/vc3SyC
-cWzbSopjrF7DvrnytZviiU9/iLV4pGrl7sq8plXPYTOA5b1Ue9v1fXcagD3RiASI
-j5RZfajqqw8QMVQLWbzXooRDQJOmsRpV4EYiM6Y47XRbsTXq1qQgA963Et6X7O3U
-YQNEPYuNQqW2nnDWk4YRdf2yRg4xFwxAyTl3mUkbHHkOrBfV35zipdHv+cdiAkIl
-9gkZ/uPBJ21zVHHNCMIKjQbClDQZaE/t5DssFt7W2bJRrVSPBI5U5z3v7Z9uaKGt
-nuSJMPQN+WU/BQAwQhndVHCgeEj92F0AMRXtEdU9QcyaQCC0SGnZ7sxdSq6QRsbB
-zOzOu1qZ/jH0/w5lJRhNF4tnLbVmyGgAbYnUBhSiE6/Kx0hdf1pX/5Z0xZEJ9Ay9
-IO138PucoHHPBo+NU5VCzsqU21rREG7FucUh5GbZqRQWfVHqVPm7vWBYbCKAA8sX
-D+p8jb6G1GG1qt6KtiV/KaEAgmJEAZKHEHx44zPwqjWsW+oHn6w3Iaf2rmSYoQNd
-CmMzDYloutqie55ywvcrypjSlNlRJbixvUe5oHy7hsjO0mfMNvk1YCsWMr9Vqk6r
-F7yNdyFwVGRhb3JVby+QJDDrHRrcZZfv42eVQsb4V8lwg613fJQ=
-=NJbk
-----END PGP SIGNATURE-----
--- a/thunderbird-102.9.0.source.tar.xz
+++ b/thunderbird-102.9.0.source.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ecb34de765d548ed26ea24d4d617567a7896230d7c8379c1ef76be8ca05d6fef
+size 503081436
--- a/thunderbird-102.9.0.source.tar.xz.asc
+++ b/thunderbird-102.9.0.source.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQLrkIACgkQ6+QekPbx
+L22h1g/+LXtjCm9UdWsufMQ6GWhNkdHXdhL7Uog6c8Z/vcyfotKNShUYzk8up9Rm
+yUTZQ/vOPZPRt3MmONpE1KvOstThYncUPAdv9ZbIFQEF2eLQ73fiXSP/g5uGFThk
+ZoXCEZt/pnDm6Uv7P/ufh+VYRkNu9TxpYTw5OH5u0YFbwazbyKHdwP2XwHmDqlff
+ObbHyNy7m3+X1jrAb3ayWnK/PUqcw/GbbAdwdtM0eF3RttTO60d/8P+MQ/qxuM1a
+OuVkgAQIpVJiJexbJXMVSUl/c2OwLXDwSX9Q0JKcCqGH1ruv2hss/6Hp9pIdazZs
+85ko0g16DEx5EOTvNFmkYAaSnCAjNZOEqzv/hN71n5V+cvBQNF5U6rFM7qJOzeT6
+As8DI813YsAefHXo620Q+UQXBLXvwwnsuUS7CzzcLX2V+njhrZIKbGB2C5tgEwTg
+FuSK6+0kWEpbYPXQDrrvzOWAJbs5lJNBdWX2WUeX7sNpeaUH/FPBULNo2LRuTgFG
+qiZxaxQfaJ86ZZu29jdkmBQzC90e5dyw2PwipNDRu8FDbinod1vEcEJ1AhQywt2E
+KnX7lp1A/7nMW+b1YbqGTk6w7NLpqGzW0XdfjYdvw2BYCJwtpVl2y8CaZYBxzOBl
+dg+ibkdDRr5gk6XycidonfHVu4xZqEYZd2h62lVlnnTErV10YeE=
+=4xjl
+-----END PGP SIGNATURE-----