OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=28

2008-11-21 15:08:40 +00:00 · 2008-11-21 15:08:40 +00:00 · b43705df88
commit b43705df88
parent da73731b3b
8 changed files with 108 additions and 22 deletions
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@ -1,3 +1,25 @@
+-------------------------------------------------------------------
+Thu Nov 20 18:53:35 CST 2008 - maw@suse.de
+
+- Review and approve changes.
+
+-------------------------------------------------------------------
+Thu Nov 13 11:02:01 CET 2008 - wr@rosenauer.org
+
+- security update to version 2.0.0.18 (bnc#439841)
+  * MFSA 2008-48 / CVE-2008-5012
+    Image stealing via canvas and HTTP redirect
+  * MFSA 2008-50 / CVE-2008-5014 (bmo#436741)
+    Crash and remote code execution via __proto__ tampering
+  * MFSA 2008-52 / CVE-2008-5016 / CVE-2008-5017 / CVE-2008-5018
+    Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
+  * MFSA 2008-55 / CVE-2008-5021 (bmo#456896)
+    Crash and remote code execution in nsFrameManager
+  * MFSA 2008-56 / CVE-2008-5022 (bmo#460002)
+    nsXMLHttpRequest::NotifyEventListeners() same-origin violation
+  * MFSA 2008-58 / CVE-2008-5024 (bmo#453915)
+    Parsing error in E4X default namespace
+
 -------------------------------------------------------------------
 Wed Oct 15 10:32:09 CDT 2008 - maw@suse.de

--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@ -1,5 +1,5 @@
 #
-# spec file for package MozillaThunderbird (Version 2.0.0.17)
+# spec file for package MozillaThunderbird (Version 2.0.0.18)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -34,7 +34,7 @@ BuildRequires:  freetype2-devel popt-devel
 BuildRequires:  gnome-vfs2 libgnome libgnomeui pkgconfig
 %endif
 License:        GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL)
-Version:        2.0.0.17
+Version:        2.0.0.18
 Release:        1
 Summary:        The Stand-Alone Mozilla Mail Component
 Url:            http://www.mozilla.org/products/thunderbird/
@ -66,6 +66,7 @@ Patch14:        html-compose.patch
 Patch15:        system-extensions.patch
 Patch16:        list-replyto-clobber.patch
 Patch17:        mozilla-path_len.patch
+Patch18:        mozldap-charray_strdup.patch
 Patch22:        cjk-postscript-fonts.dif
 Patch25:        postscript.patch
 Patch26:        cups-paper.patch
@ -96,7 +97,7 @@ Requires:       mozilla-nspr >= %(rpm -q --queryformat '%{VERSION}' mozilla-nspr
 BuildRequires:  mozilla-nss-devel
 %endif
 %define _unpackaged_files_terminate_build 0
-%define releasedate 2008092200
+%define releasedate 2008111200
 %define progname thunderbird
 %define progdir %{_prefix}/%_lib/thunderbird
 %define my_provides /tmp/my-provides
@ -196,10 +197,11 @@ cd $RPM_BUILD_DIR/mozilla
 %patch15
 %patch16
 %patch17 -p1
+%patch18
 %patch22
 %patch25
 %patch26
-%patch27 -p0
+%patch27
 # use hunspell from 11.0 on only
 %if %suse_version > 1030
 %patch28
@ -693,6 +695,22 @@ exit 0
 %{_bindir}/thunderbird-config

 %changelog
+* Thu Nov 20 2008 maw@suse.de
+- Review and approve changes.
+* Thu Nov 13 2008 wr@rosenauer.org
+- security update to version 2.0.0.18 (bnc#439841)
+  * MFSA 2008-48 / CVE-2008-5012
+  Image stealing via canvas and HTTP redirect
+  * MFSA 2008-50 / CVE-2008-5014 (bmo#436741)
+  Crash and remote code execution via __proto__ tampering
+  * MFSA 2008-52 / CVE-2008-5016 / CVE-2008-5017 / CVE-2008-5018
+  Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
+  * MFSA 2008-55 / CVE-2008-5021 (bmo#456896)
+  Crash and remote code execution in nsFrameManager
+  * MFSA 2008-56 / CVE-2008-5022 (bmo#460002)
+  nsXMLHttpRequest::NotifyEventListeners() same-origin violation
+  * MFSA 2008-58 / CVE-2008-5024 (bmo#453915)
+  Parsing error in E4X default namespace
 * Wed Oct 15 2008 maw@suse.de
 - Review and approve changes.
 * Wed Oct 08 2008 wr@rosenauer.org
@ -832,7 +850,7 @@ exit 0
 - Security update to version 1.5.0.12 (#271197).
 * Tue Jun 05 2007 sbrabec@suse.cz
 - Removed invalid desktop category "Application" (#254654).
-* Thu Apr 19 2007 wr@rosenauer.org
+* Wed Apr 18 2007 wr@rosenauer.org
 - update to final version 2.0.0.0
  (http://www.mozilla.com/en-US/thunderbird/2.0.0.0/releasenotes/)
 - update enigmail to 0.95.0
@ -876,7 +894,7 @@ exit 0
  ReplyToListThunderbirdExtension (#199125, bmo #45715)
 - added mailnews.clobber_list_reply pref which switches
  "Reply All" to "Reply List" functionality if set
-* Thu Jul 27 2006 stark@suse.de
+* Wed Jul 26 2006 stark@suse.de
 - security update to version 1.5.0.5 (#195043)
 - fixed overwrite confirmation for GTK filesaver (#179531)
 * Wed Jun 07 2006 stark@suse.de
@ -886,7 +904,7 @@ exit 0
 * Fri Jun 02 2006 stark@suse.de
 - update to security/stability release 1.5.0.4 (#179011)
  (http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird)
-* Mon May 15 2006 stark@suse.de
+* Sun May 14 2006 stark@suse.de
 - update to version 1.5.0.2
 - update mailredirect to 0.7.3
 - save printer settings properly (#174082, bmo #324072)
@ -945,7 +963,7 @@ exit 0
 - added patch for GTK2 handling (#134831)
 * Fri Nov 25 2005 stark@suse.de
 - update to 1.5 (20051124)
-* Fri Oct 28 2005 stark@suse.de
+* Thu Oct 27 2005 stark@suse.de
 - update to latest 1.5 snapshot (20051027)
 - added patch to be able to reply to and forward rfc822 messages
  (bmo #204350)
@ -978,21 +996,21 @@ exit 0
 - fixed Gdk-WARNING at startup (gtk.patch)
 - fixed regression in profile locking change (bmo #303633)
 - fixed crash with gtk 2.7 (bmo #300226, bnc #104586)
-* Wed Aug 03 2005 stark@suse.de
+* Tue Aug 02 2005 stark@suse.de
 - fixed profile locking (bmo #151188)
-* Fri Jul 29 2005 stark@suse.de
+* Thu Jul 28 2005 stark@suse.de
 - don't require and provide NSS libs (#98002)
 * Fri Jul 22 2005 stark@suse.de
 - fixed printing patch
 * Tue Jul 19 2005 stark@suse.de
 - added NSPR to PreReq
 - disable stripping in specfile
-* Fri Jul 15 2005 stark@suse.de
+* Thu Jul 14 2005 stark@suse.de
 - update to 1.0.6 which restores API compatibility
 - fixed width calculation in Postscript module (bmo #290292)
 * Thu Jul 14 2005 stark@suse.de
 - fixed filelist to include icon-file and startscript again
-* Tue Jul 12 2005 stark@suse.de
+* Mon Jul 11 2005 stark@suse.de
 - fixed remote usage behaviour in start script (bnc #41903)
 - update to 1.0.5 security release
 - fixed quoting patch
@ -1073,12 +1091,12 @@ exit 0
 - more fixes for #35179
 - added firefox as default handler for its protocols
 - update enigmail to 0.83.4
-* Wed Mar 03 2004 stark@suse.de
+* Tue Mar 02 2004 stark@suse.de
 - removed unused patches for GTK2 build
 * Sun Feb 29 2004 stark@suse.de
 - improved start-script to interact with firefox and mozilla
  (#35179)
-* Fri Feb 27 2004 stark@suse.de
+* Thu Feb 26 2004 stark@suse.de
 - update to 0.5
 - spec-file cleanup
 * Wed Oct 15 2003 stark@suse.de
--- a/l10n-2.0.0.17.tar.bz2
+++ b/l10n-2.0.0.17.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5e872e07339d7cb40f16c13fd560a2607b55948e1ab0dc72505be07a8b54c686
-size 10044071
--- a/l10n-2.0.0.18.tar.bz2
+++ b/l10n-2.0.0.18.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eeabbfe3462b5b51d13ab758b533fd09a4e028bfaf60006ef09354de522ec508
+size 10046051
--- a/mozilla-system-hunspell.patch.bz2
+++ b/mozilla-system-hunspell.patch.bz2
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1e6d91c89720c42391c4d91a94d502d99c6c41199c444b5798a716b93d50a7b7
-size 23552
+oid sha256:b947423b5dc09a97648b5d577a7f9f31ad577658570ea5f51d3827966e0389ef
+size 23531
--- a/mozldap-charray_strdup.patch
+++ b/mozldap-charray_strdup.patch
@ -0,0 +1,46 @@
+--- directory/c-sdk/ldap/libraries/libldap/charray.c_orig	2008-10-28 14:12:34.000000000 +0100
+++ directory/c-sdk/ldap/libraries/libldap/charray.c	2008-10-28 14:36:05.000000000 +0100
+@@ -191,7 +191,7 @@
+  */
+ char **
+ LDAP_CALL
+-ldap_str2charray( char *str, char *brkstr )
+ldap_str2charray( char *str_in, char *brkstr )
+      /* This implementation fails if brkstr contains multibyte characters.
+         But it works OK if str is UTF-8 and brkstr is 7-bit ASCII.
+       */
+@@ -199,6 +199,12 @@
+ 	char	**res;
+ 	char	*s;
+ 	int	i;
+	char	*str;
+
+	str = nsldapi_strdup( str_in );
+	if ( str == NULL ) {
+		return NULL;
+	}
+ 
+ 	i = 1;
+ 	for ( s = str; *s; s++ ) {
+@@ -209,6 +215,7 @@
+ 
+ 	res = (char **)NSLDAPI_MALLOC( (i + 1) * sizeof(char *) );
+ 	if ( res == NULL ) {
+		NSLDAPI_FREE( str );
+ 		return NULL;
+ 	}
+ 	i = 0;
+@@ -221,11 +228,13 @@
+ 			for ( j = 0; j < (i - 1); j++ )
+ 			    NSLDAPI_FREE( res[j] );
+ 			NSLDAPI_FREE( res );
+			NSLDAPI_FREE( str );
+ 			return NULL;
+ 		}
+ 	}
+ 	res[i] = NULL;
+ 
+	NSLDAPI_FREE( str );
+ 	return( res );
+ }
+ 
--- a/thunderbird-2.0.0.17-source.tar.bz2
+++ b/thunderbird-2.0.0.17-source.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a2a68c397d8893b554b92d07d414a78699d70341c2dc3cc36e5cce0cfad74898
-size 40603932
--- a/thunderbird-2.0.0.18-source.tar.bz2
+++ b/thunderbird-2.0.0.18-source.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9fe3d0211b4d79dd868090185fc46634ced90411928f37d3118302a4ffc0ccb2
+size 40626981