From b695ba5251d8e1d8aec8aac0ec68ea0829502d25ce4ef6bf5ffe9eb7aa45e316 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Wed, 29 Mar 2023 12:48:43 +0000 Subject: [PATCH 1/3] - Mozilla Thunderbird 102.9.1 MFSA 2023-12 * CVE-2023-28427 (bmo#1822595) Matrix SDK bundled with Thunderbird vulnerable to denial-of-service attack OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=695 --- MozillaThunderbird.changes | 9 +++++++++ MozillaThunderbird.spec | 4 ++-- l10n-102.9.0.tar.xz => l10n-102.9.1.tar.xz | 0 tar_stamps | 8 ++++---- thunderbird-102.9.0.source.tar.xz | 3 --- thunderbird-102.9.0.source.tar.xz.asc | 16 ---------------- thunderbird-102.9.1.source.tar.xz | 3 +++ thunderbird-102.9.1.source.tar.xz.asc | 16 ++++++++++++++++ 8 files changed, 34 insertions(+), 25 deletions(-) rename l10n-102.9.0.tar.xz => l10n-102.9.1.tar.xz (100%) delete mode 100644 thunderbird-102.9.0.source.tar.xz delete mode 100644 thunderbird-102.9.0.source.tar.xz.asc create mode 100644 thunderbird-102.9.1.source.tar.xz create mode 100644 thunderbird-102.9.1.source.tar.xz.asc diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes index 5a30c9f..c0380bb 100644 --- a/MozillaThunderbird.changes +++ b/MozillaThunderbird.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.9.1 + MFSA 2023-12 + * CVE-2023-28427 (bmo#1822595) + Matrix SDK bundled with Thunderbird vulnerable to + denial-of-service attack + ------------------------------------------------------------------- Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec index fdafef2..310d3c5 100644 --- a/MozillaThunderbird.spec +++ b/MozillaThunderbird.spec @@ -29,8 +29,8 @@ # major 69 # mainver %major.99 %define major 102 -%define mainver %major.9.0 -%define orig_version 102.9.0 +%define mainver %major.9.1 +%define orig_version 102.9.1 %define orig_suffix %{nil} %define update_channel release %define source_prefix thunderbird-%{orig_version} diff --git a/l10n-102.9.0.tar.xz b/l10n-102.9.1.tar.xz similarity index 100% rename from l10n-102.9.0.tar.xz rename to l10n-102.9.1.tar.xz diff --git a/tar_stamps b/tar_stamps index 2ca86f2..e7cad68 100644 --- a/tar_stamps +++ b/tar_stamps @@ -1,10 +1,10 @@ PRODUCT="thunderbird" CHANNEL="esr102" -VERSION="102.9.0" +VERSION="102.9.1" VERSION_SUFFIX="" -PREV_VERSION="102.8.0" +PREV_VERSION="102.9.0" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102" -RELEASE_TAG="db735c436e680abf21cc67f9a29b42fdf30d416d" -RELEASE_TIMESTAMP="20230310165821" +RELEASE_TAG="a8965ef0b30705f497df3df718db60d9dc2c304f" +RELEASE_TIMESTAMP="20230328155238" diff --git a/thunderbird-102.9.0.source.tar.xz b/thunderbird-102.9.0.source.tar.xz deleted file mode 100644 index 4098e6a..0000000 --- a/thunderbird-102.9.0.source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:ecb34de765d548ed26ea24d4d617567a7896230d7c8379c1ef76be8ca05d6fef -size 503081436 diff --git a/thunderbird-102.9.0.source.tar.xz.asc b/thunderbird-102.9.0.source.tar.xz.asc deleted file mode 100644 index 322d34b..0000000 --- a/thunderbird-102.9.0.source.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQLrkIACgkQ6+QekPbx -L22h1g/+LXtjCm9UdWsufMQ6GWhNkdHXdhL7Uog6c8Z/vcyfotKNShUYzk8up9Rm -yUTZQ/vOPZPRt3MmONpE1KvOstThYncUPAdv9ZbIFQEF2eLQ73fiXSP/g5uGFThk -ZoXCEZt/pnDm6Uv7P/ufh+VYRkNu9TxpYTw5OH5u0YFbwazbyKHdwP2XwHmDqlff -ObbHyNy7m3+X1jrAb3ayWnK/PUqcw/GbbAdwdtM0eF3RttTO60d/8P+MQ/qxuM1a -OuVkgAQIpVJiJexbJXMVSUl/c2OwLXDwSX9Q0JKcCqGH1ruv2hss/6Hp9pIdazZs -85ko0g16DEx5EOTvNFmkYAaSnCAjNZOEqzv/hN71n5V+cvBQNF5U6rFM7qJOzeT6 -As8DI813YsAefHXo620Q+UQXBLXvwwnsuUS7CzzcLX2V+njhrZIKbGB2C5tgEwTg -FuSK6+0kWEpbYPXQDrrvzOWAJbs5lJNBdWX2WUeX7sNpeaUH/FPBULNo2LRuTgFG -qiZxaxQfaJ86ZZu29jdkmBQzC90e5dyw2PwipNDRu8FDbinod1vEcEJ1AhQywt2E -KnX7lp1A/7nMW+b1YbqGTk6w7NLpqGzW0XdfjYdvw2BYCJwtpVl2y8CaZYBxzOBl -dg+ibkdDRr5gk6XycidonfHVu4xZqEYZd2h62lVlnnTErV10YeE= -=4xjl ------END PGP SIGNATURE----- diff --git a/thunderbird-102.9.1.source.tar.xz b/thunderbird-102.9.1.source.tar.xz new file mode 100644 index 0000000..4aee6b6 --- /dev/null +++ b/thunderbird-102.9.1.source.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:9ba28be5f2ad7c79419786ac9d753d780cf84984a2d4a88b0e8cafe0c0f95873 +size 503181696 diff --git a/thunderbird-102.9.1.source.tar.xz.asc b/thunderbird-102.9.1.source.tar.xz.asc new file mode 100644 index 0000000..a0751ea --- /dev/null +++ b/thunderbird-102.9.1.source.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQjNvIACgkQ6+QekPbx +L23f6g/5AWrdW5B2DvjPOus4fdt13pLvK4kNkIq3y3MZgF2nsRRTgk30scjaZxf3 +yYZOicMHTa3cVapNZTe0f2BFDMHKElL1hE8OsPdLyrFKuG3Xbsm8s7dnWQHPLo0w +IP8OfNm7MhGhVq4NN68liFH6gnmYCsKluHWrWFw3KvKsKuHjZaIcI/7CgmzWtOZI +k9S7Lr/jk1o2VRIXuI5yoFIkCs8mshUbY7SLEBVzBLtDobYkxj059P1A9stEorSn +lVyi5FxJlQLPj3L0U12xnYzfv+c+SNuOFvWx4yfMUOncPGDN3AKYtrm18U2pQGXG +Ub+EamDek0C8DQqUya/oE8Ar3XFddGDwLOTw/zZunmANRyqolWq0gLrkMOcPtz/s +0TOJxjDss2X3dk2bpBJkRgieRS4G2EDABbKJDk8vEjxL0fAH3P4JKczb+pUU4iig ++Py7IW1TsHEdTUFQYDKaG6bu4pMKhNh0kreug0a+PDLRSEAcLAIsE7x3dokP2JD/ +pNoJQ/8fZyZG0yRpyday/AwlY6U6ahgwsfpAhxwEGjExie4NjyLqqWSEeHNNexjv +ZL6uFNwzNVVgYE0deGAKnh2fZuNO4n8I/MB1fzy3vBurkwcjox3FeBLgmM8A0leP +LNc3yO8rY5Usu1IN6iCvIDL1XMM5IdwfJj6N0JVk3+gJO02rpFc= +=RWOf +-----END PGP SIGNATURE----- From 7a75a567795d6a8e3730c8df7f36a723086bfd745a36ee479b465ce134bac898 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Thu, 6 Apr 2023 13:55:17 +0000 Subject: [PATCH 2/3] - Mozilla Thunderbird 102.10.0 - add mozilla-llvm16.patch trying to fix build with LLVM16 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=696 --- MozillaThunderbird.changes | 6 + MozillaThunderbird.spec | 6 +- l10n-102.9.1.tar.xz => l10n-102.10.0.tar.xz | 0 mozilla-llvm16.patch | 207 ++++++++++++++++++++ tar_stamps | 8 +- thunderbird-102.10.0.source.tar.xz | 3 + thunderbird-102.10.0.source.tar.xz.asc | 16 ++ thunderbird-102.9.1.source.tar.xz | 3 - thunderbird-102.9.1.source.tar.xz.asc | 16 -- 9 files changed, 240 insertions(+), 25 deletions(-) rename l10n-102.9.1.tar.xz => l10n-102.10.0.tar.xz (100%) create mode 100644 mozilla-llvm16.patch create mode 100644 thunderbird-102.10.0.source.tar.xz create mode 100644 thunderbird-102.10.0.source.tar.xz.asc delete mode 100644 thunderbird-102.9.1.source.tar.xz delete mode 100644 thunderbird-102.9.1.source.tar.xz.asc diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes index c0380bb..8397c17 100644 --- a/MozillaThunderbird.changes +++ b/MozillaThunderbird.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Apr 5 21:10:11 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.10.0 +- add mozilla-llvm16.patch trying to fix build with LLVM16 + ------------------------------------------------------------------- Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec index 310d3c5..332df3e 100644 --- a/MozillaThunderbird.spec +++ b/MozillaThunderbird.spec @@ -29,8 +29,8 @@ # major 69 # mainver %major.99 %define major 102 -%define mainver %major.9.1 -%define orig_version 102.9.1 +%define mainver %major.10.0 +%define orig_version 102.10.0 %define orig_suffix %{nil} %define update_channel release %define source_prefix thunderbird-%{orig_version} @@ -207,6 +207,7 @@ Patch20: mozilla-bmo531915.patch Patch21: one_swizzle_to_rule_them_all.patch Patch22: svg-rendering.patch Patch23: gcc13-fix.patch +Patch24: mozilla-llvm16.patch %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /bin/sh @@ -296,6 +297,7 @@ fi %patch21 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 %endif %build diff --git a/l10n-102.9.1.tar.xz b/l10n-102.10.0.tar.xz similarity index 100% rename from l10n-102.9.1.tar.xz rename to l10n-102.10.0.tar.xz diff --git a/mozilla-llvm16.patch b/mozilla-llvm16.patch new file mode 100644 index 0000000..dbbe79e --- /dev/null +++ b/mozilla-llvm16.patch @@ -0,0 +1,207 @@ +From 80738016a36e803fe3bf8b8f6f388c6589d86a1c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= +Date: Tue, 18 Oct 2022 02:17:18 +0200 +Subject: [PATCH] clang: Detect anonymous items explicitly, rather than relying + on empty names. + +In Clang 16, anonymous items may return names like +`(anonymous union at ..)` rather than empty names. + +The right way to detect them is using clang_Cursor_isAnonymous. + +Fixes #2312 +Closes #2316 + +Co-Authored-by: Patrick Walton + +From c03b37697a1e117995ea76203e5c0ce7d6696c4e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= +Date: Wed, 9 Nov 2022 13:33:19 +0100 +Subject: [PATCH] ir: Don't crash with built-in unexposed types from libclang. + +This fixes #2325. + +The issue is that `__bf16` is not exposed at all by libclang, which +causes us to crash. It's a bit of a shame libclang doesn't expose it but +there's no rust equivalent I think, so this should be ok for now. + +Unfortunately no test because the header crashes older clang versions. + +diff --git a/Cargo.lock b/Cargo.lock +index 163674ec5d..28456ee0ba 100644 +--- a/Cargo.lock ++++ b/Cargo.lock +@@ -394,8 +394,6 @@ dependencies = [ + [[package]] + name = "bindgen" + version = "0.56.0" +-source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "2da379dbebc0b76ef63ca68d8fc6e71c0f13e59432e0987e508c1820e6ab5239" + dependencies = [ + "bitflags", + "cexpr", +diff --git a/Cargo.toml b/Cargo.toml +index d918adae95..dddd1298f7 100644 +--- a/Cargo.toml ++++ b/Cargo.toml +@@ -117,6 +117,7 @@ packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/pa + midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" } + minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-writer.git", rev = "75ada456c92a429704691a85e1cb42fef8cafc0d" } + glslopt = { path = "third_party/rust/glslopt/" } ++bindgen = { path = "third_party/rust/bindgen/" } + + # Patch mio 0.6 to use winapi 0.3 and miow 0.3, getting rid of winapi 0.2. + # There is not going to be new version of mio 0.6, mio now being >= 0.7.11. +diff --git a/third_party/rust/bindgen/src/clang.rs b/third_party/rust/bindgen/src/clang.rs +index 488660c434..ef74ac08c2 100644 +--- a/third_party/rust/bindgen/src/clang.rs ++++ b/third_party/rust/bindgen/src/clang.rs +@@ -54,6 +54,11 @@ impl Cursor { + unsafe { clang_isDeclaration(self.kind()) != 0 } + } + ++ /// Is this cursor's referent an anonymous record or so? ++ pub fn is_anonymous(&self) -> bool { ++ unsafe { clang_Cursor_isAnonymous(self.x) != 0 } ++ } ++ + /// Get this cursor's referent's spelling. + pub fn spelling(&self) -> String { + unsafe { cxstring_into_string(clang_getCursorSpelling(self.x)) } +diff --git a/third_party/rust/bindgen/src/ir/comp.rs b/third_party/rust/bindgen/src/ir/comp.rs +index 22c124fa36..b715616c5e 100644 +--- a/third_party/rust/bindgen/src/ir/comp.rs ++++ b/third_party/rust/bindgen/src/ir/comp.rs +@@ -1372,8 +1372,7 @@ impl CompInfo { + + // A declaration of an union or a struct without name could + // also be an unnamed field, unfortunately. +- if cur.spelling().is_empty() && +- cur.kind() != CXCursor_EnumDecl ++ if cur.is_anonymous() && cur.kind() != CXCursor_EnumDecl + { + let ty = cur.cur_type(); + let offset = cur.offset_of_field().ok(); +diff --git a/third_party/rust/bindgen/src/ir/ty.rs b/third_party/rust/bindgen/src/ir/ty.rs +index e6eecc3c50..f3e1193ce2 100644 +--- a/third_party/rust/bindgen/src/ir/ty.rs ++++ b/third_party/rust/bindgen/src/ir/ty.rs +@@ -737,7 +737,12 @@ impl Type { + + let layout = ty.fallible_layout(ctx).ok(); + let cursor = ty.declaration(); +- let mut name = cursor.spelling(); ++ let is_anonymous = cursor.is_anonymous(); ++ let mut name = if is_anonymous { ++ None ++ } else { ++ Some(cursor.spelling()).filter(|n| !n.is_empty()) ++ }; + + debug!( + "from_clang_ty: {:?}, ty: {:?}, loc: {:?}", +@@ -771,7 +776,7 @@ impl Type { + if is_canonical_objcpointer && is_template_type_param { + // Objective-C generics are just ids with fancy name. + // To keep it simple, just name them ids +- name = "id".to_owned(); ++ name = Some("id".to_owned()); + } + } + +@@ -900,7 +905,7 @@ impl Type { + return Err(ParseError::Recurse); + } + } else { +- name = location.spelling(); ++ name = Some(location.spelling()); + } + + let complex = CompInfo::from_ty( +@@ -942,7 +947,7 @@ impl Type { + CXType_Typedef + ); + +- name = current.spelling(); ++ name = Some(location.spelling()); + + let inner_ty = cur + .typedef_type() +@@ -1126,10 +1131,10 @@ impl Type { + CXType_Enum => { + let enum_ = Enum::from_ty(ty, ctx).expect("Not an enum?"); + +- if name.is_empty() { ++ if !is_anonymous { + let pretty_name = ty.spelling(); + if clang::is_valid_identifier(&pretty_name) { +- name = pretty_name; ++ name = Some(pretty_name); + } + } + +@@ -1144,12 +1149,12 @@ impl Type { + ) + .expect("Not a complex type?"); + +- if name.is_empty() { ++ if !is_anonymous { + // The pretty-printed name may contain typedefed name, + // but may also be "struct (anonymous at .h:1)" + let pretty_name = ty.spelling(); + if clang::is_valid_identifier(&pretty_name) { +- name = pretty_name; ++ name = Some(pretty_name); + } + } + +@@ -1161,8 +1166,7 @@ impl Type { + location, + None, + ctx, +- ) +- .expect("Not able to resolve vector element?"); ++ )?; + TypeKind::Vector(inner, ty.num_elements().unwrap()) + } + CXType_ConstantArray => { +@@ -1189,7 +1193,9 @@ impl Type { + CXType_ObjCClass | CXType_ObjCInterface => { + let interface = ObjCInterface::from_ty(&location, ctx) + .expect("Not a valid objc interface?"); +- name = interface.rust_name(); ++ if !is_anonymous { ++ name = Some(interface.rust_name()); ++ } + TypeKind::ObjCInterface(interface) + } + CXType_Dependent => { +@@ -1207,7 +1213,7 @@ impl Type { + } + }; + +- let name = if name.is_empty() { None } else { Some(name) }; ++ name = name.filter(|n| !n.is_empty()); + + let is_const = ty.is_const() || + (ty.kind() == CXType_ConstantArray && +diff --git a/third_party/rust/bindgen/src/ir/var.rs b/third_party/rust/bindgen/src/ir/var.rs +index c6f121d74e..679c92bbea 100644 +--- a/third_party/rust/bindgen/src/ir/var.rs ++++ b/third_party/rust/bindgen/src/ir/var.rs +@@ -301,11 +301,11 @@ impl ClangSubItemParser for Var { + let ty = match Item::from_ty(&ty, cursor, None, ctx) { + Ok(ty) => ty, + Err(e) => { +- assert_eq!( +- ty.kind(), +- CXType_Auto, ++ assert!( ++ matches!(ty.kind(), CXType_Auto | CXType_Unexposed), + "Couldn't resolve constant type, and it \ +- wasn't an nondeductible auto type!" ++ wasn't an nondeductible auto type or unexposed \ ++ type!" + ); + return Err(e); + } diff --git a/tar_stamps b/tar_stamps index e7cad68..768ffff 100644 --- a/tar_stamps +++ b/tar_stamps @@ -1,10 +1,10 @@ PRODUCT="thunderbird" CHANNEL="esr102" -VERSION="102.9.1" +VERSION="102.10.0" VERSION_SUFFIX="" -PREV_VERSION="102.9.0" +PREV_VERSION="102.9.1" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102" -RELEASE_TAG="a8965ef0b30705f497df3df718db60d9dc2c304f" -RELEASE_TIMESTAMP="20230328155238" +RELEASE_TAG="242807330298599a41c6a9e37d676cceeaf86dec" +RELEASE_TIMESTAMP="20230405152512" diff --git a/thunderbird-102.10.0.source.tar.xz b/thunderbird-102.10.0.source.tar.xz new file mode 100644 index 0000000..b7fbd1c --- /dev/null +++ b/thunderbird-102.10.0.source.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:516ba1863d98205d3d0472cadb56ebddadce9e7198041d12f1f0d8fa398524f8 +size 501419444 diff --git a/thunderbird-102.10.0.source.tar.xz.asc b/thunderbird-102.10.0.source.tar.xz.asc new file mode 100644 index 0000000..10687ff --- /dev/null +++ b/thunderbird-102.10.0.source.tar.xz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQt2REACgkQ6+QekPbx +L23RZQ//SZe0Qy0RbZlLVcs75KaEdY07+3ReWaczFNZswuor4uGorgemocR8Q+vH +qJJEPj4jJxITpF3oTtPa3QiLRSFykiF7g4kGsWODHCpHTCtb3/9XhaIpfpFFkQ3N +Y+LPMouS1OEi0L/C9bHGFfSux8uRzaoukpvMhNkk5QwkU2mnvtg85JxTCjiVjvuV +pqCGksnbUnwNmSfdGvM7Trct0HtuYmTaXSbexef7ME+jmuzGL/5jykl7HP462ZU4 +3eqtK8qeIwgBnLVAWzHe5Sz2y6meVYkne9tY4YJXdQt5XpQHriyesLv6LmczsMaF +bM9bYC1dq5CIa3qcyyeRB067aPLSJ+zk1OJaDiKV1KrdunbXrIEuY9mATiXdKkCq +MrJpfrqQ4WP19H1WxycHIFewGgPTq5+KpnlpHJNVt54F9dZgJ5+CWFb+UE8P7PeJ +niKsdn8eyRgGM415r7Qz0BA++Cf5N7Ovux9zDjlSEsoJmj9WbdG/Bi5ea7zd8tDm +OC9VaJx9AAtB65zPCkBurNlj/cFHcVGfI1k2hlwNsKtmJvZ8i0/hbq4Vnr8GjqeP +ki3xm1scaxKe2CfqgxlQ8TAe67aD2K/q5PhCVTBF/LgkrHeuxfpsYKAC/C5qBvvX +DVUp4NQzbCQhGwMjlkTiCvgPtno/vllac4PEhCg6JarQioRwvMs= +=mJiC +-----END PGP SIGNATURE----- diff --git a/thunderbird-102.9.1.source.tar.xz b/thunderbird-102.9.1.source.tar.xz deleted file mode 100644 index 4aee6b6..0000000 --- a/thunderbird-102.9.1.source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9ba28be5f2ad7c79419786ac9d753d780cf84984a2d4a88b0e8cafe0c0f95873 -size 503181696 diff --git a/thunderbird-102.9.1.source.tar.xz.asc b/thunderbird-102.9.1.source.tar.xz.asc deleted file mode 100644 index a0751ea..0000000 --- a/thunderbird-102.9.1.source.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQjNvIACgkQ6+QekPbx -L23f6g/5AWrdW5B2DvjPOus4fdt13pLvK4kNkIq3y3MZgF2nsRRTgk30scjaZxf3 -yYZOicMHTa3cVapNZTe0f2BFDMHKElL1hE8OsPdLyrFKuG3Xbsm8s7dnWQHPLo0w -IP8OfNm7MhGhVq4NN68liFH6gnmYCsKluHWrWFw3KvKsKuHjZaIcI/7CgmzWtOZI -k9S7Lr/jk1o2VRIXuI5yoFIkCs8mshUbY7SLEBVzBLtDobYkxj059P1A9stEorSn -lVyi5FxJlQLPj3L0U12xnYzfv+c+SNuOFvWx4yfMUOncPGDN3AKYtrm18U2pQGXG -Ub+EamDek0C8DQqUya/oE8Ar3XFddGDwLOTw/zZunmANRyqolWq0gLrkMOcPtz/s -0TOJxjDss2X3dk2bpBJkRgieRS4G2EDABbKJDk8vEjxL0fAH3P4JKczb+pUU4iig -+Py7IW1TsHEdTUFQYDKaG6bu4pMKhNh0kreug0a+PDLRSEAcLAIsE7x3dokP2JD/ -pNoJQ/8fZyZG0yRpyday/AwlY6U6ahgwsfpAhxwEGjExie4NjyLqqWSEeHNNexjv -ZL6uFNwzNVVgYE0deGAKnh2fZuNO4n8I/MB1fzy3vBurkwcjox3FeBLgmM8A0leP -LNc3yO8rY5Usu1IN6iCvIDL1XMM5IdwfJj6N0JVk3+gJO02rpFc= -=RWOf ------END PGP SIGNATURE----- From 376ac03b18ead66b989fc2baf66f7ea5662645aa534fb9fffb404fd26327c0e9 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Tue, 11 Apr 2023 20:58:19 +0000 Subject: [PATCH 3/3] * New messages will automatically select S/MIME if configured and OpenPGP is not * Calendar events with timezone America/Mexico_City incorrectly applied Daylight Savings Time MFSA 2023-15 (bsc#1210212) * CVE-2023-29531 (bmo#1794292) Out-of-bound memory access in WebGL on macOS * CVE-2023-29532 (bmo#1806394) Mozilla Maintenance Service Write-lock bypass * CVE-2023-29533 (bmo#1798219, bmo#1814597) Fullscreen notification obscured * MFSA-TMP-2023-0001 (bmo#1819244) Double-free in libwebp * CVE-2023-29535 (bmo#1820543) Potential Memory Corruption following Garbage Collector compaction * CVE-2023-29536 (bmo#1821959) Invalid free from JavaScript code * CVE-2023-0547 (bmo#1811298) Revocation status of S/Mime recipient certificates was not checked * CVE-2023-29479 (bmo#1824978) Hang when processing certain OpenPGP messages * CVE-2023-29539 (bmo#1784348) Content-Disposition filename truncation leads to Reflected File Download * CVE-2023-29541 (bmo#1810191) Files with malicious extensions could have been downloaded unsafely on Linux * CVE-2023-29542 (bmo#1810793, bmo#1815062) Bypass of file download extension restrictions * CVE-2023-29545 (bmo#1823077) OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=697 --- MozillaThunderbird.changes | 41 +++++++++++++++++++++++++- tar_stamps | 4 +-- thunderbird-102.10.0.source.tar.xz | 4 +-- thunderbird-102.10.0.source.tar.xz.asc | 26 ++++++++-------- 4 files changed, 57 insertions(+), 18 deletions(-) diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes index 8397c17..d242da6 100644 --- a/MozillaThunderbird.changes +++ b/MozillaThunderbird.changes @@ -2,7 +2,46 @@ Wed Apr 5 21:10:11 UTC 2023 - Wolfgang Rosenauer - Mozilla Thunderbird 102.10.0 -- add mozilla-llvm16.patch trying to fix build with LLVM16 + * New messages will automatically select S/MIME if configured and + OpenPGP is not + * Calendar events with timezone America/Mexico_City incorrectly + applied Daylight Savings Time + MFSA 2023-15 (bsc#1210212) + * CVE-2023-29531 (bmo#1794292) + Out-of-bound memory access in WebGL on macOS + * CVE-2023-29532 (bmo#1806394) + Mozilla Maintenance Service Write-lock bypass + * CVE-2023-29533 (bmo#1798219, bmo#1814597) + Fullscreen notification obscured + * MFSA-TMP-2023-0001 (bmo#1819244) + Double-free in libwebp + * CVE-2023-29535 (bmo#1820543) + Potential Memory Corruption following Garbage Collector compaction + * CVE-2023-29536 (bmo#1821959) + Invalid free from JavaScript code + * CVE-2023-0547 (bmo#1811298) + Revocation status of S/Mime recipient certificates was not checked + * CVE-2023-29479 (bmo#1824978) + Hang when processing certain OpenPGP messages + * CVE-2023-29539 (bmo#1784348) + Content-Disposition filename truncation leads to Reflected + File Download + * CVE-2023-29541 (bmo#1810191) + Files with malicious extensions could have been downloaded + unsafely on Linux + * CVE-2023-29542 (bmo#1810793, bmo#1815062) + Bypass of file download extension restrictions + * CVE-2023-29545 (bmo#1823077) + Windows Save As dialog resolved environment variables + * CVE-2023-1945 (bmo#1777588) + Memory Corruption in Safe Browsing Code + * CVE-2023-29548 (bmo#1822754) + Incorrect optimization result on ARM64 + * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217, + bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602, + bmo#1821448, bmo#1822413, bmo#1824828) + Memory safety bugs fixed in Thunderbird 102.10 +- add mozilla-llvm16.patch to fix build with LLVM16 ------------------------------------------------------------------- Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer diff --git a/tar_stamps b/tar_stamps index 768ffff..56c51e4 100644 --- a/tar_stamps +++ b/tar_stamps @@ -6,5 +6,5 @@ PREV_VERSION="102.9.1" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102" -RELEASE_TAG="242807330298599a41c6a9e37d676cceeaf86dec" -RELEASE_TIMESTAMP="20230405152512" +RELEASE_TAG="d8df3bebc4b529388b62b9cb4df152f13910fbe3" +RELEASE_TIMESTAMP="20230407145224" diff --git a/thunderbird-102.10.0.source.tar.xz b/thunderbird-102.10.0.source.tar.xz index b7fbd1c..4c56660 100644 --- a/thunderbird-102.10.0.source.tar.xz +++ b/thunderbird-102.10.0.source.tar.xz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:516ba1863d98205d3d0472cadb56ebddadce9e7198041d12f1f0d8fa398524f8 -size 501419444 +oid sha256:73183365c0888b489648b9baaa717ebccbb9add4d245e24e95d43cc76810f8ca +size 500949660 diff --git a/thunderbird-102.10.0.source.tar.xz.asc b/thunderbird-102.10.0.source.tar.xz.asc index 10687ff..3362529 100644 --- a/thunderbird-102.10.0.source.tar.xz.asc +++ b/thunderbird-102.10.0.source.tar.xz.asc @@ -1,16 +1,16 @@ -----BEGIN PGP SIGNATURE----- -iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQt2REACgkQ6+QekPbx -L23RZQ//SZe0Qy0RbZlLVcs75KaEdY07+3ReWaczFNZswuor4uGorgemocR8Q+vH -qJJEPj4jJxITpF3oTtPa3QiLRSFykiF7g4kGsWODHCpHTCtb3/9XhaIpfpFFkQ3N -Y+LPMouS1OEi0L/C9bHGFfSux8uRzaoukpvMhNkk5QwkU2mnvtg85JxTCjiVjvuV -pqCGksnbUnwNmSfdGvM7Trct0HtuYmTaXSbexef7ME+jmuzGL/5jykl7HP462ZU4 -3eqtK8qeIwgBnLVAWzHe5Sz2y6meVYkne9tY4YJXdQt5XpQHriyesLv6LmczsMaF -bM9bYC1dq5CIa3qcyyeRB067aPLSJ+zk1OJaDiKV1KrdunbXrIEuY9mATiXdKkCq -MrJpfrqQ4WP19H1WxycHIFewGgPTq5+KpnlpHJNVt54F9dZgJ5+CWFb+UE8P7PeJ -niKsdn8eyRgGM415r7Qz0BA++Cf5N7Ovux9zDjlSEsoJmj9WbdG/Bi5ea7zd8tDm -OC9VaJx9AAtB65zPCkBurNlj/cFHcVGfI1k2hlwNsKtmJvZ8i0/hbq4Vnr8GjqeP -ki3xm1scaxKe2CfqgxlQ8TAe67aD2K/q5PhCVTBF/LgkrHeuxfpsYKAC/C5qBvvX -DVUp4NQzbCQhGwMjlkTiCvgPtno/vllac4PEhCg6JarQioRwvMs= -=mJiC +iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQ0LS8ACgkQ6+QekPbx +L22flhAAsOlC7n7VWB6I0ak90oGfzvZiqlf9WbikM9oXukrYIwqXKfUDKPZZDKTV +hfrCHzSUWi+QQc6HS8diq7CcRjJb2aJXHxL9E3E2j0qfdWjpoYMBkoQzXQR12Ve8 +lXWEPxrlfJhR8Z2S6geCMVQbyPh6zbMIZTT/Zp1vV8r5PcxwvfC3wviWU721E45k +moT/CZX6PmeS3UO0kL/6RECNA/HgxnNu2gKFlc9Qc90wCiwtR92RGuB15CXYmZcx +F3//Jc4n4GSMBxX/4RUto+HFxJWZ1k7Cl7CvtXKYTFkUZvMfrLBCcruzZ3Deuos0 +qKZyreUDbgeNuu+Ynh8qyEkZn+6k+rkb7t+a1jaOpgTtc/B+9fwjv34rIVD4KRO6 +Ym2qotNk3zNYU7moD53rnfvgBb2J4PUbvJobVOcthVvM0HNUbptGDvSrPByeYLOB +veC4Bqy9heICCwRa3JBIzNCMGQgzP3fKkpFiPJxLoU/Je9FKqhHsbu9wu7/OeE/R +BQMIFfXNwRpZcmDie3OfqYR6wZEZ5xemOZEkH0wtB7dZLlAir4tkg+P2PkKMS59q +ihdLEqpiZpDeqIHivRbzi5Bt4GD0V8UEadIjhJ9RMBIfRM0GmjxO5d/nmnhuE+ww +bH/M1uFnEgit9gICOZDndLhlDSArMUe8xLmjWIy1HXCktxRsnwY= +=z2m1 -----END PGP SIGNATURE-----