- Mozilla Thunderbird 91.6.0

* TB will now offer to send large forwarded attachments via FileLink
  * Partially signed unencrypted messages displayed an incorrect
    "parrtially encrypted" notification
  * Attachments filenames were not sanitized before saving to disk
  * In the attachment bar, the "Import OpenPGP Key" item displayed
    for public keys displayed an error and did not import the key
  * "Open with" attachment dialog did not have a selected radio
    button option
  MFSA 2022-06 (bsc#1195682)
  * CVE-2022-22753 (bmo#1732435)
    Privilege Escalation to SYSTEM on Windows via Maintenance
    Service
  * CVE-2022-22754 (bmo#1750565)
    Extensions could have bypassed permission confirmation during
    update
  * CVE-2022-22756 (bmo#1317873)
    Drag and dropping an image could have resulted in the dropped
    object being an executable
  * CVE-2022-22759 (bmo#1739957)
    Sandboxed iframes could have executed script if the parent
    appended elements
  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
    Cross-Origin responses could be distinguished between script
    and non-script content-types
  * CVE-2022-22761 (bmo#1745566)
    frame-ancestors Content Security Policy directive was not
    enforced for framed extension pages
  * CVE-2022-22763 (bmo#1740534)
    Script Execution during invalid object state

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623

MozillaThunderbird.changes

@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Sat Feb  5 14:11:31 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 91.6.0
+  * TB will now offer to send large forwarded attachments via FileLink
+  * Partially signed unencrypted messages displayed an incorrect
+    "parrtially encrypted" notification
+  * Attachments filenames were not sanitized before saving to disk
+  * In the attachment bar, the "Import OpenPGP Key" item displayed
+    for public keys displayed an error and did not import the key
+  * "Open with" attachment dialog did not have a selected radio
+    button option
+  MFSA 2022-06 (bsc#1195682)
+  * CVE-2022-22753 (bmo#1732435)
+    Privilege Escalation to SYSTEM on Windows via Maintenance
+    Service
+  * CVE-2022-22754 (bmo#1750565)
+    Extensions could have bypassed permission confirmation during
+    update
+  * CVE-2022-22756 (bmo#1317873)
+    Drag and dropping an image could have resulted in the dropped
+    object being an executable
+  * CVE-2022-22759 (bmo#1739957)
+    Sandboxed iframes could have executed script if the parent
+    appended elements
+  * CVE-2022-22760 (bmo#1740985, bmo#1748503)
+    Cross-Origin responses could be distinguished between script
+    and non-script content-types
+  * CVE-2022-22761 (bmo#1745566)
+    frame-ancestors Content Security Policy directive was not
+    enforced for framed extension pages
+  * CVE-2022-22763 (bmo#1740534)
+    Script Execution during invalid object state
+  * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
+    bmo#1748210, bmo#1748279)
+    Memory safety bugs fixed in Thunderbird 91.6
+- do not use ccache by default
+- removed obsolete mozilla-bmo1745560.patch
+
 -------------------------------------------------------------------
 Sat Jan 22 09:57:59 UTC 2022 - Manfred Hollstein <manfred.h@gmx.net>
 

MozillaThunderbird.spec

@@ -2,7 +2,7 @@
 # spec file
 #
 # Copyright (c) 2022 SUSE LLC
-#               2006-2021 Wolfgang Rosenauer <wr@rosenauer.org>
+#               2006-2022 Wolfgang Rosenauer <wr@rosenauer.org>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,8 +26,8 @@
 # major 69
 # mainver %major.99
 %define major          91
-%define mainver        %major.5.1
-%define orig_version   91.5.1
+%define mainver        %major.6.0
+%define orig_version   91.6.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define source_prefix  thunderbird-%{orig_version}
@@ -38,9 +38,6 @@
 # upstream default is clang (to use gcc for large parts set to 0)
 %define clang_build    0
 
-# PIE, full relro
-%define build_hardened 1
-
 %bcond_with only_print_mozconfig
 
 %bcond_without mozilla_tb_kde4
@@ -48,7 +45,7 @@
 %bcond_without mozilla_tb_optimize_for_size
 
 # define if ccache should be used or not
-%define useccache     1
+%define useccache     0
 
 # Firefox only supports i686
 %ifarch %ix86
@@ -207,7 +204,6 @@ Patch28:        mozilla-libavcodec58_91.patch
 Patch29:        mozilla-silence-no-return-type.patch
 Patch30:        mozilla-bmo531915.patch
 Patch31:        mozilla-bmo1724679.patch
-Patch32:        mozilla-bmo1745560.patch
 %endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         /bin/sh
@@ -310,7 +306,6 @@ fi
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
-%patch32 -p1
 %endif
 
 %build
@@ -366,9 +361,7 @@ export CFLAGS="$CFLAGS -fimplicit-constexpr"
 # Limit RAM usage during link
 export LDFLAGS="${LDFLAGS} -Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
 %endif
-%if 0%{?build_hardened}
 export LDFLAGS="${LDFLAGS} -fPIC -Wl,-z,relro,-z,now"
-%endif
 %ifarch ppc64 ppc64le
 %if 0%{?clang_build} == 0
 export CFLAGS="$CFLAGS -mminimal-toc"
@@ -530,9 +523,10 @@ sed -r '/^(ja-JP-mac|en-US|$)/d;s/ .*$//' $RPM_BUILD_DIR/%{source_prefix}/comm/m
           >> %{_tmppath}/translations.$_l10ntarget
 ' -- {}
 %endif
-
+%if 0%{useccache} != 0
 ccache -s
 %endif
+%endif
 
 %install
 cd $RPM_BUILD_DIR/obj

l10n-91.5.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf372dd234e130669ceca5b15b2a312893b03f6d7a7e14bcb3c8b10822943ff8
-size 28849860

l10n-91.6.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a949123ba7b07ac78562ebb9038b691b072823c0237d1644c05fd4464319cfc
+size 28819616

mozilla-bmo1745560.patch

@@ -1,14 +0,0 @@
-diff --git a/widget/gtk/mozwayland/mozwayland.c b/widget/gtk/mozwayland/mozwayland.c
---- a/widget/gtk/mozwayland/mozwayland.c
-+++ b/widget/gtk/mozwayland/mozwayland.c
-@@ -200,3 +200,10 @@
- 
- MOZ_EXPORT void wl_list_insert_list(struct wl_list* list,
-                                     struct wl_list* other) {}
-+
-+MOZ_EXPORT struct wl_proxy* wl_proxy_marshal_flags(
-+    struct wl_proxy* proxy, uint32_t opcode,
-+    const struct wl_interface* interface, uint32_t version, uint32_t flags,
-+    ...) {
-+  return NULL;
-+}

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr91"
-VERSION="91.5.1"
+VERSION="91.6.0"
 VERSION_SUFFIX=""
-PREV_VERSION="91.5.0"
+PREV_VERSION="91.5.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr91"
-RELEASE_TAG="46a4af6b62978ae76a41fcf57bc3309c4d9bb22e"
-RELEASE_TIMESTAMP="20220120011414"
+RELEASE_TAG="676bfbddd4b3ed77f818b6b07d9d8a79c61be4da"
+RELEASE_TIMESTAMP="20220204195633"

thunderbird-91.5.1.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:15918d48c59988ddeba3c7b5d98cf483db9c38a782dfbf6472dc889fed9b9c8a
-size 405332676

thunderbird-91.5.1.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmHqDckACgkQ6+QekPbx
-L22h3g/9Gtqoij3wrjH4hRjcaoq7/kLdouDTLXLWUs8yO3UdPJlsssdkFrYHpvXB
-/WjXSDS7FY6mPxVWIDgeF2N8s07fIeDFB5tCAzJhpb4hpkYIrszGJXed7vvuJZmC
-BzXqPZdhLi6njo6iHwtPFWoidrT+fOEM4tdFUG2pVSjrUNr5A3QbQySzyuwh5G1W
-sj5SmtqotwZY60r3tx2j81PcxU3pn29piU7NJ9ma/PTmxj3vI6xZWfsvYk3UJnNK
-RbMlVwyj10qQKAHYB7mLba7GzSqWBGezeyysTtTinR7qMC3CPopYfOSfwcL+FJul
-lUFvYhIQlcXRIRcp1AHTspfGGIHgpVrJBQK2iIcsFmxXpCNkJq6m2Z7O//YyQslN
-uxJpMCMXtEr1ULATJVMoI963e+3C0bJz4FpzcN3Xoh++GmifKeo+DhW0Hq7uR/Yq
-PJr9ci99ti4wtsDVm4UKgqx7PQm1Mg3Gp8c1EKx05pRMjg64zBzAL84wa+oi8lTM
-LyVFFyIn5Jslt9izudQrgB1TXcCChEt+HK8yPRWUBqAqMXNuCj7gaSA2CN1yXKsx
-tO5ijyXX2XP4NgVfn9p+iI48geEfKB4YJMmNFzfXbhOp1yQ48uGd0kYoLFl9K79m
-5ysFEzl5qXH586YPYECMQheFZmKI3679EGzDgq4JawXnE1swshU=
-=n0Mf
------END PGP SIGNATURE-----

thunderbird-91.6.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9c6a82a41c869ce291d50352250856cbb3e9be8e603038be72cd5bc52438afb
+size 404738672

thunderbird-91.6.0.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmH9ursACgkQ6+QekPbx
+L22lAQ/+KaxdNSpa33jrG9KtWEk/gPpSQAKyeZmqpKuNpnlPowM8gAb5cehPEhtm
+olzcdZV3CNS2KPIkd7fa+UuncV3Ze9zoD3HlDmGobduzpP0NZtDiW4xPnidFDrKG
+d1YvLoCR7lSD9TSN+yhNwqWkyqJdeFkyZ4tiJhIzz0sPjdOf+DzaQVIokZ4aOLR5
+I9Yn7LB5Q3ijt+NhZeGKPVgHgWwQxwyI/xW4pHxGQX1nSyHQHTmMLp3QToEej0OU
+tAwA3ZlPMNhbl+G6wejXQPJZUigfUQxme6hE6//CAmVlIJWdgmqY6zEDJMwHk+A9
+VEHaVp1bnUaV9FSrHYpCo17zgwdia2MXeQUJWLllUwiOJQh/leXu4MP5yMGOL4ll
+i9bu7avAT077m1wpwMxqV39bVf2YR0o3KpAUa5sx46TuusUBzSpxb95c4dsapP8q
+rywnJxUACIo5jP3v97GLkrE/481YNSjtdYIoKJn3oEIOMgKQfOs7fAK+IyEc35LD
+JHf/87v3015k95s1eYpqYvR3LbJrbei72SbtrIURYy+4fiz1G7CYOa0gfvinM/S6
+b8+8ND/E/qg9UySofyRzSSMY2mlHBmfoFCe8P99kuwNVGNTMeuB40HK/UuZS7MXH
+PxXy97LbPmNoBZPLaK1NY3bk64gJNyr8DD1fE1QO1fdSwh0Tx6A=
+=kv22
+-----END PGP SIGNATURE-----