diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes index 5a30c9f..d242da6 100644 --- a/MozillaThunderbird.changes +++ b/MozillaThunderbird.changes @@ -1,3 +1,57 @@ +------------------------------------------------------------------- +Wed Apr 5 21:10:11 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.10.0 + * New messages will automatically select S/MIME if configured and + OpenPGP is not + * Calendar events with timezone America/Mexico_City incorrectly + applied Daylight Savings Time + MFSA 2023-15 (bsc#1210212) + * CVE-2023-29531 (bmo#1794292) + Out-of-bound memory access in WebGL on macOS + * CVE-2023-29532 (bmo#1806394) + Mozilla Maintenance Service Write-lock bypass + * CVE-2023-29533 (bmo#1798219, bmo#1814597) + Fullscreen notification obscured + * MFSA-TMP-2023-0001 (bmo#1819244) + Double-free in libwebp + * CVE-2023-29535 (bmo#1820543) + Potential Memory Corruption following Garbage Collector compaction + * CVE-2023-29536 (bmo#1821959) + Invalid free from JavaScript code + * CVE-2023-0547 (bmo#1811298) + Revocation status of S/Mime recipient certificates was not checked + * CVE-2023-29479 (bmo#1824978) + Hang when processing certain OpenPGP messages + * CVE-2023-29539 (bmo#1784348) + Content-Disposition filename truncation leads to Reflected + File Download + * CVE-2023-29541 (bmo#1810191) + Files with malicious extensions could have been downloaded + unsafely on Linux + * CVE-2023-29542 (bmo#1810793, bmo#1815062) + Bypass of file download extension restrictions + * CVE-2023-29545 (bmo#1823077) + Windows Save As dialog resolved environment variables + * CVE-2023-1945 (bmo#1777588) + Memory Corruption in Safe Browsing Code + * CVE-2023-29548 (bmo#1822754) + Incorrect optimization result on ARM64 + * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, + bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, + bmo#1821448, bmo#1822413, bmo#1824828) + Memory safety bugs fixed in Thunderbird 102.10 +- add mozilla-llvm16.patch to fix build with LLVM16 + +------------------------------------------------------------------- +Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.9.1 + MFSA 2023-12 + * CVE-2023-28427 (bmo#1822595) + Matrix SDK bundled with Thunderbird vulnerable to + denial-of-service attack + ------------------------------------------------------------------- Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec index fdafef2..332df3e 100644 --- a/MozillaThunderbird.spec +++ b/MozillaThunderbird.spec @@ -29,8 +29,8 @@ # major 69 # mainver %major.99 %define major 102 -%define mainver %major.9.0 -%define orig_version 102.9.0 +%define mainver %major.10.0 +%define orig_version 102.10.0 %define orig_suffix %{nil} %define update_channel release %define source_prefix thunderbird-%{orig_version} @@ -207,6 +207,7 @@ Patch20: mozilla-bmo531915.patch Patch21: one_swizzle_to_rule_them_all.patch Patch22: svg-rendering.patch Patch23: gcc13-fix.patch +Patch24: mozilla-llvm16.patch %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /bin/sh @@ -296,6 +297,7 @@ fi %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 %endif %build diff --git a/l10n-102.9.0.tar.xz b/l10n-102.10.0.tar.xz similarity index 100% rename from l10n-102.9.0.tar.xz rename to l10n-102.10.0.tar.xz diff --git a/mozilla-llvm16.patch b/mozilla-llvm16.patch new file mode 100644 index 0000000..dbbe79e --- /dev/null +++ b/mozilla-llvm16.patch @@ -0,0 +1,207 @@ +From 80738016a36e803fe3bf8b8f6f388c6589d86a1c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= +Date: Tue, 18 Oct 2022 02:17:18 +0200 +Subject: [PATCH] clang: Detect anonymous items explicitly, rather than relying + on empty names. + +In Clang 16, anonymous items may return names like +`(anonymous union at ..)` rather than empty names. + +The right way to detect them is using clang_Cursor_isAnonymous. + +Fixes #2312 +Closes #2316 + +Co-Authored-by: Patrick Walton + +From c03b37697a1e117995ea76203e5c0ce7d6696c4e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= +Date: Wed, 9 Nov 2022 13:33:19 +0100 +Subject: [PATCH] ir: Don't crash with built-in unexposed types from libclang. + +This fixes #2325. + +The issue is that `__bf16` is not exposed at all by libclang, which +causes us to crash. It's a bit of a shame libclang doesn't expose it but +there's no rust equivalent I think, so this should be ok for now. + +Unfortunately no test because the header crashes older clang versions. + +diff --git a/Cargo.lock b/Cargo.lock +index 163674ec5d..28456ee0ba 100644 +--- a/Cargo.lock ++++ b/Cargo.lock +@@ -394,8 +394,6 @@ dependencies = [ + [[package]] + name = "bindgen" + version = "0.56.0" +-source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "2da379dbebc0b76ef63ca68d8fc6e71c0f13e59432e0987e508c1820e6ab5239" + dependencies = [ + "bitflags", + "cexpr", +diff --git a/Cargo.toml b/Cargo.toml +index d918adae95..dddd1298f7 100644 +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -117,6 +117,7 @@ packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/pa + midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" } + minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-writer.git", rev = "75ada456c92a429704691a85e1cb42fef8cafc0d" } + glslopt = { path = "third_party/rust/glslopt/" } ++bindgen = { path = "third_party/rust/bindgen/" } + + # Patch mio 0.6 to use winapi 0.3 and miow 0.3, getting rid of winapi 0.2. + # There is not going to be new version of mio 0.6, mio now being >= 0.7.11. +diff --git a/third_party/rust/bindgen/src/clang.rs b/third_party/rust/bindgen/src/clang.rs +index 488660c434..ef74ac08c2 100644 +--- a/third_party/rust/bindgen/src/clang.rs ++++ b/third_party/rust/bindgen/src/clang.rs +@@ -54,6 +54,11 @@ impl Cursor { + unsafe { clang_isDeclaration(self.kind()) != 0 } + } + ++ /// Is this cursor's referent an anonymous record or so? ++ pub fn is_anonymous(&self) -> bool { ++ unsafe { clang_Cursor_isAnonymous(self.x) != 0 } ++ } ++ + /// Get this cursor's referent's spelling. + pub fn spelling(&self) -> String { + unsafe { cxstring_into_string(clang_getCursorSpelling(self.x)) } +diff --git a/third_party/rust/bindgen/src/ir/comp.rs b/third_party/rust/bindgen/src/ir/comp.rs +index 22c124fa36..b715616c5e 100644 +--- a/third_party/rust/bindgen/src/ir/comp.rs ++++ b/third_party/rust/bindgen/src/ir/comp.rs +@@ -1372,8 +1372,7 @@ impl CompInfo { + + // A declaration of an union or a struct without name could + // also be an unnamed field, unfortunately. +- if cur.spelling().is_empty() && +- cur.kind() != CXCursor_EnumDecl ++ if cur.is_anonymous() && cur.kind() != CXCursor_EnumDecl + { + let ty = cur.cur_type(); + let offset = cur.offset_of_field().ok(); +diff --git a/third_party/rust/bindgen/src/ir/ty.rs b/third_party/rust/bindgen/src/ir/ty.rs +index e6eecc3c50..f3e1193ce2 100644 +--- a/third_party/rust/bindgen/src/ir/ty.rs ++++ b/third_party/rust/bindgen/src/ir/ty.rs +@@ -737,7 +737,12 @@ impl Type { + + let layout = ty.fallible_layout(ctx).ok(); + let cursor = ty.declaration(); +- let mut name = cursor.spelling(); ++ let is_anonymous = cursor.is_anonymous(); ++ let mut name = if is_anonymous { ++ None ++ } else { ++ Some(cursor.spelling()).filter(|n| !n.is_empty()) ++ }; + + debug!( + "from_clang_ty: {:?}, ty: {:?}, loc: {:?}", +@@ -771,7 +776,7 @@ impl Type { + if is_canonical_objcpointer && is_template_type_param { + // Objective-C generics are just ids with fancy name. + // To keep it simple, just name them ids +- name = "id".to_owned(); ++ name = Some("id".to_owned()); + } + } + +@@ -900,7 +905,7 @@ impl Type { + return Err(ParseError::Recurse); + } + } else { +- name = location.spelling(); ++ name = Some(location.spelling()); + } + + let complex = CompInfo::from_ty( +@@ -942,7 +947,7 @@ impl Type { + CXType_Typedef + ); + +- name = current.spelling(); ++ name = Some(location.spelling()); + + let inner_ty = cur + .typedef_type() +@@ -1126,10 +1131,10 @@ impl Type { + CXType_Enum => { + let enum_ = Enum::from_ty(ty, ctx).expect("Not an enum?"); + +- if name.is_empty() { ++ if !is_anonymous { + let pretty_name = ty.spelling(); + if clang::is_valid_identifier(&pretty_name) { +- name = pretty_name; ++ name = Some(pretty_name); + } + } + +@@ -1144,12 +1149,12 @@ impl Type { + ) + .expect("Not a complex type?"); + +- if name.is_empty() { ++ if !is_anonymous { + // The pretty-printed name may contain typedefed name, + // but may also be "struct (anonymous at .h:1)" + let pretty_name = ty.spelling(); + if clang::is_valid_identifier(&pretty_name) { +- name = pretty_name; ++ name = Some(pretty_name); + } + } + +@@ -1161,8 +1166,7 @@ impl Type { + location, + None, + ctx, +- ) +- .expect("Not able to resolve vector element?"); ++ )?; + TypeKind::Vector(inner, ty.num_elements().unwrap()) + } + CXType_ConstantArray => { +@@ -1189,7 +1193,9 @@ impl Type { + CXType_ObjCClass | CXType_ObjCInterface => { + let interface = ObjCInterface::from_ty(&location, ctx) + .expect("Not a valid objc interface?"); +- name = interface.rust_name(); ++ if !is_anonymous { ++ name = Some(interface.rust_name()); ++ } + TypeKind::ObjCInterface(interface) + } + CXType_Dependent => { +@@ -1207,7 +1213,7 @@ impl Type { + } + }; + +- let name = if name.is_empty() { None } else { Some(name) }; ++ name = name.filter(|n| !n.is_empty()); + + let is_const = ty.is_const() || + (ty.kind() == CXType_ConstantArray && +diff --git a/third_party/rust/bindgen/src/ir/var.rs b/third_party/rust/bindgen/src/ir/var.rs +index c6f121d74e..679c92bbea 100644 +--- a/third_party/rust/bindgen/src/ir/var.rs ++++ b/third_party/rust/bindgen/src/ir/var.rs +@@ -301,11 +301,11 @@ impl ClangSubItemParser for Var { + let ty = match Item::from_ty(&ty, cursor, None, ctx) { + Ok(ty) => ty, + Err(e) => { +- assert_eq!( +- ty.kind(), +- CXType_Auto, ++ assert!( ++ matches!(ty.kind(), CXType_Auto | CXType_Unexposed), + "Couldn't resolve constant type, and it \ +- wasn't an nondeductible auto type!" ++ wasn't an nondeductible auto type or unexposed \ ++ type!" + ); + return Err(e); + } diff --git a/tar_stamps b/tar_stamps index 2ca86f2..56c51e4 100644 --- a/tar_stamps +++ b/tar_stamps @@ -1,10 +1,10 @@ PRODUCT="thunderbird" CHANNEL="esr102" -VERSION="102.9.0" +VERSION="102.10.0" VERSION_SUFFIX="" -PREV_VERSION="102.8.0" +PREV_VERSION="102.9.1" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102" -RELEASE_TAG="db735c436e680abf21cc67f9a29b42fdf30d416d" -RELEASE_TIMESTAMP="20230310165821" +RELEASE_TAG="d8df3bebc4b529388b62b9cb4df152f13910fbe3" +RELEASE_TIMESTAMP="20230407145224" diff --git a/thunderbird-102.10.0.source.tar.xz b/thunderbird-102.10.0.source.tar.xz new file mode 100644 index 0000000..4c56660 --- /dev/null +++ b/thunderbird-102.10.0.source.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:73183365c0888b489648b9baaa717ebccbb9add4d245e24e95d43cc76810f8ca +size 500949660 diff --git a/thunderbird-102.10.0.source.tar.xz.asc b/thunderbird-102.10.0.source.tar.xz.asc new file mode 100644 index 0000000..3362529 --- /dev/null +++ b/thunderbird-102.10.0.source.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQ0LS8ACgkQ6+QekPbx +L22flhAAsOlC7n7VWB6I0ak90oGfzvZiqlf9WbikM9oXukrYIwqXKfUDKPZZDKTV +hfrCHzSUWi+QQc6HS8diq7CcRjJb2aJXHxL9E3E2j0qfdWjpoYMBkoQzXQR12Ve8 +lXWEPxrlfJhR8Z2S6geCMVQbyPh6zbMIZTT/Zp1vV8r5PcxwvfC3wviWU721E45k +moT/CZX6PmeS3UO0kL/6RECNA/HgxnNu2gKFlc9Qc90wCiwtR92RGuB15CXYmZcx +F3//Jc4n4GSMBxX/4RUto+HFxJWZ1k7Cl7CvtXKYTFkUZvMfrLBCcruzZ3Deuos0 +qKZyreUDbgeNuu+Ynh8qyEkZn+6k+rkb7t+a1jaOpgTtc/B+9fwjv34rIVD4KRO6 +Ym2qotNk3zNYU7moD53rnfvgBb2J4PUbvJobVOcthVvM0HNUbptGDvSrPByeYLOB +veC4Bqy9heICCwRa3JBIzNCMGQgzP3fKkpFiPJxLoU/Je9FKqhHsbu9wu7/OeE/R +BQMIFfXNwRpZcmDie3OfqYR6wZEZ5xemOZEkH0wtB7dZLlAir4tkg+P2PkKMS59q +ihdLEqpiZpDeqIHivRbzi5Bt4GD0V8UEadIjhJ9RMBIfRM0GmjxO5d/nmnhuE+ww +bH/M1uFnEgit9gICOZDndLhlDSArMUe8xLmjWIy1HXCktxRsnwY= +=z2m1 +-----END PGP SIGNATURE----- diff --git a/thunderbird-102.9.0.source.tar.xz b/thunderbird-102.9.0.source.tar.xz deleted file mode 100644 index 4098e6a..0000000 --- a/thunderbird-102.9.0.source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ecb34de765d548ed26ea24d4d617567a7896230d7c8379c1ef76be8ca05d6fef -size 503081436 diff --git a/thunderbird-102.9.0.source.tar.xz.asc b/thunderbird-102.9.0.source.tar.xz.asc deleted file mode 100644 index 322d34b..0000000 --- a/thunderbird-102.9.0.source.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQLrkIACgkQ6+QekPbx -L22h1g/+LXtjCm9UdWsufMQ6GWhNkdHXdhL7Uog6c8Z/vcyfotKNShUYzk8up9Rm -yUTZQ/vOPZPRt3MmONpE1KvOstThYncUPAdv9ZbIFQEF2eLQ73fiXSP/g5uGFThk -ZoXCEZt/pnDm6Uv7P/ufh+VYRkNu9TxpYTw5OH5u0YFbwazbyKHdwP2XwHmDqlff -ObbHyNy7m3+X1jrAb3ayWnK/PUqcw/GbbAdwdtM0eF3RttTO60d/8P+MQ/qxuM1a -OuVkgAQIpVJiJexbJXMVSUl/c2OwLXDwSX9Q0JKcCqGH1ruv2hss/6Hp9pIdazZs -85ko0g16DEx5EOTvNFmkYAaSnCAjNZOEqzv/hN71n5V+cvBQNF5U6rFM7qJOzeT6 -As8DI813YsAefHXo620Q+UQXBLXvwwnsuUS7CzzcLX2V+njhrZIKbGB2C5tgEwTg -FuSK6+0kWEpbYPXQDrrvzOWAJbs5lJNBdWX2WUeX7sNpeaUH/FPBULNo2LRuTgFG -qiZxaxQfaJ86ZZu29jdkmBQzC90e5dyw2PwipNDRu8FDbinod1vEcEJ1AhQywt2E -KnX7lp1A/7nMW+b1YbqGTk6w7NLpqGzW0XdfjYdvw2BYCJwtpVl2y8CaZYBxzOBl -dg+ibkdDRr5gk6XycidonfHVu4xZqEYZd2h62lVlnnTErV10YeE= -=4xjl ------END PGP SIGNATURE-----