Accepting request 417432 from mozilla:Factory

1

OBS-URL: https://build.opensuse.org/request/show/417432
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=168

MozillaThunderbird.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Aug  5 13:47:12 UTC 2016 - pcerny@suse.com
+
+- Fix for possible buffer overrun (bsc#990856)
+  CVE-2016-6354 (bmo#1292534)
+  [mozilla-flex_buffer_overrun.patch]
+
 -------------------------------------------------------------------
 Thu Jul 21 11:50:27 UTC 2016 - mailaender@opensuse.org
 

MozillaThunderbird.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package MozillaThunderbird
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #               2006-2016 Wolfgang Rosenauer <wr@rosenauer.org>
 #
 # All modifications and additions to the file contributed by third parties
@@ -108,6 +108,8 @@ Patch8:         mozilla-aarch64-48bit-va.patch
 Patch9:         mozilla-binutils-visibility.patch
 # Thunderbird/mail
 Patch20:        tb-ssldap.patch
+# hotfix
+Patch150:       mozilla-flex_buffer_overrun.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         coreutils fileutils textutils /bin/sh
 Recommends:     libcanberra0
@@ -204,6 +206,7 @@ pushd mozilla
 %patch6 -p1
 %patch8 -p1
 %patch9 -p1
+%patch150 -p1
 popd
 # comm-central patches
 %patch20 -p1

mozilla-flex_buffer_overrun.patch

@@ -0,0 +1,76 @@
+# HG changeset patch
+# Parent  c8e8364b303892fdb5a574b96411d2d8f699a15e
+Patch lexical parser files generated by flex which may be potentially
+exploitable in a buffer overrun. These seem to come from an upstream projects
+(CMU Sphinx and ANGLE) so it should be fixed there in the first place.
+
+CVE-2016-6354
+
+https://bugzilla.suse.com/show_bug.cgi?id=990856
+
+diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
++++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t 
+ 	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ 		/* don't do the read, it's not guaranteed to return an EOF,
+ 		 * just force an EOF
+ 		 */
+ 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
+ 			{ /* Not enough room in the buffer - grow it. */
+ 
+ 			/* just a shorter name for the current buffer */
+ 			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+ 
+diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
+--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
++++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
+@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t 
+ 	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ 		/* don't do the read, it's not guaranteed to return an EOF,
+ 		 * just force an EOF
+ 		 */
+ 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
+ 			{ /* Not enough room in the buffer - grow it. */
+ 
+ 			/* just a shorter name for the current buffer */
+ 			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+ 
+diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
++++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t 
+ 	if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ 		/* don't do the read, it's not guaranteed to return an EOF,
+ 		 * just force an EOF
+ 		 */
+ 		YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+ 
+ 	else
+ 		{
+-			yy_size_t num_to_read =
++			int num_to_read =
+ 			YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ 		while ( num_to_read <= 0 )
+ 			{ /* Not enough room in the buffer - grow it. */
+ 
+ 			/* just a shorter name for the current buffer */
+ 			YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+