Accepting request 1078519 from mozilla:Factory

- Mozilla Thunderbird 102.10.0
  * New messages will automatically select S/MIME if configured and
    OpenPGP is not
  * Calendar events with timezone America/Mexico_City incorrectly
    applied Daylight Savings Time
  MFSA 2023-15 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * MFSA-TMP-2023-0001 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-0547 (bmo#1811298)
    Revocation status of S/Mime recipient certificates was not checked
  * CVE-2023-29479 (bmo#1824978)
    Hang when processing certain OpenPGP messages
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded
    unsafely on Linux
  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
    Bypass of file download extension restrictions

OBS-URL: https://build.opensuse.org/request/show/1078519
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=307

MozillaThunderbird.changes

@@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Wed Apr  5 21:10:11 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 102.10.0
+  * New messages will automatically select S/MIME if configured and
+    OpenPGP is not
+  * Calendar events with timezone America/Mexico_City incorrectly
+    applied Daylight Savings Time
+  MFSA 2023-15 (bsc#1210212)
+  * CVE-2023-29531 (bmo#1794292)
+    Out-of-bound memory access in WebGL on macOS
+  * CVE-2023-29532 (bmo#1806394)
+    Mozilla Maintenance Service Write-lock bypass
+  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
+    Fullscreen notification obscured
+  * MFSA-TMP-2023-0001 (bmo#1819244)
+    Double-free in libwebp
+  * CVE-2023-29535 (bmo#1820543)
+    Potential Memory Corruption following Garbage Collector compaction
+  * CVE-2023-29536 (bmo#1821959)
+    Invalid free from JavaScript code
+  * CVE-2023-0547 (bmo#1811298)
+    Revocation status of S/Mime recipient certificates was not checked
+  * CVE-2023-29479 (bmo#1824978)
+    Hang when processing certain OpenPGP messages
+  * CVE-2023-29539 (bmo#1784348)
+    Content-Disposition filename truncation leads to Reflected
+    File Download
+  * CVE-2023-29541 (bmo#1810191)
+    Files with malicious extensions could have been downloaded
+    unsafely on Linux
+  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
+    Bypass of file download extension restrictions
+  * CVE-2023-29545 (bmo#1823077)
+    Windows Save As dialog resolved environment variables
+  * CVE-2023-1945 (bmo#1777588)
+    Memory Corruption in Safe Browsing Code
+  * CVE-2023-29548 (bmo#1822754)
+    Incorrect optimization result on ARM64
+  * CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217,
+    bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602,
+    bmo#1821448, bmo#1822413, bmo#1824828)
+    Memory safety bugs fixed in Thunderbird 102.10
+- add mozilla-llvm16.patch to fix build with LLVM16
+
+-------------------------------------------------------------------
+Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 102.9.1
+  MFSA 2023-12
+  * CVE-2023-28427 (bmo#1822595)
+    Matrix SDK bundled with Thunderbird vulnerable to
+    denial-of-service attack
+
 -------------------------------------------------------------------
 Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
 

MozillaThunderbird.spec

@@ -29,8 +29,8 @@
 # major 69
 # mainver %major.99
 %define major          102
-%define mainver        %major.9.0
+%define mainver        %major.10.0
-%define orig_version   102.9.0
+%define orig_version   102.10.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define source_prefix  thunderbird-%{orig_version}
@@ -207,6 +207,7 @@ Patch20:        mozilla-bmo531915.patch
 Patch21:        one_swizzle_to_rule_them_all.patch
 Patch22:        svg-rendering.patch
 Patch23:        gcc13-fix.patch
+Patch24:        mozilla-llvm16.patch
 %endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         /bin/sh
@@ -296,6 +297,7 @@ fi
 %patch21 -p1
 %patch22 -p1
 %patch23 -p1
+%patch24 -p1
 %endif
 
 %build

mozilla-llvm16.patch

@@ -0,0 +1,207 @@
+From 80738016a36e803fe3bf8b8f6f388c6589d86a1c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
+Date: Tue, 18 Oct 2022 02:17:18 +0200
+Subject: [PATCH] clang: Detect anonymous items explicitly, rather than relying
+ on empty names.
+
+In Clang 16, anonymous items may return names like
+`(anonymous union at ..)` rather than empty names.
+
+The right way to detect them is using clang_Cursor_isAnonymous.
+
+Fixes #2312
+Closes #2316
+
+Co-Authored-by: Patrick Walton <pcwalton@fb.com>
+
+From c03b37697a1e117995ea76203e5c0ce7d6696c4e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
+Date: Wed, 9 Nov 2022 13:33:19 +0100
+Subject: [PATCH] ir: Don't crash with built-in unexposed types from libclang.
+
+This fixes #2325.
+
+The issue is that `__bf16` is not exposed at all by libclang, which
+causes us to crash. It's a bit of a shame libclang doesn't expose it but
+there's no rust equivalent I think, so this should be ok for now.
+
+Unfortunately no test because the header crashes older clang versions.
+
+diff --git a/Cargo.lock b/Cargo.lock
+index 163674ec5d..28456ee0ba 100644
+--- a/Cargo.lock
++++ b/Cargo.lock
+@@ -394,8 +394,6 @@ dependencies = [
+ [[package]]
+ name = "bindgen"
+ version = "0.56.0"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "2da379dbebc0b76ef63ca68d8fc6e71c0f13e59432e0987e508c1820e6ab5239"
+ dependencies = [
+  "bitflags",
+  "cexpr",
+diff --git a/Cargo.toml b/Cargo.toml
+index d918adae95..dddd1298f7 100644
+--- a/Cargo.toml
++++ b/Cargo.toml
+@@ -117,6 +117,7 @@ packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/pa
+ midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" }
+ minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-writer.git", rev = "75ada456c92a429704691a85e1cb42fef8cafc0d" }
+ glslopt = { path = "third_party/rust/glslopt/" }
++bindgen = { path = "third_party/rust/bindgen/" }
+ 
+ # Patch mio 0.6 to use winapi 0.3 and miow 0.3, getting rid of winapi 0.2.
+ # There is not going to be new version of mio 0.6, mio now being >= 0.7.11.
+diff --git a/third_party/rust/bindgen/src/clang.rs b/third_party/rust/bindgen/src/clang.rs
+index 488660c434..ef74ac08c2 100644
+--- a/third_party/rust/bindgen/src/clang.rs
++++ b/third_party/rust/bindgen/src/clang.rs
+@@ -54,6 +54,11 @@ impl Cursor {
+         unsafe { clang_isDeclaration(self.kind()) != 0 }
+     }
+ 
++    /// Is this cursor's referent an anonymous record or so?
++    pub fn is_anonymous(&self) -> bool {
++        unsafe { clang_Cursor_isAnonymous(self.x) != 0 }
++    }
++
+     /// Get this cursor's referent's spelling.
+     pub fn spelling(&self) -> String {
+         unsafe { cxstring_into_string(clang_getCursorSpelling(self.x)) }
+diff --git a/third_party/rust/bindgen/src/ir/comp.rs b/third_party/rust/bindgen/src/ir/comp.rs
+index 22c124fa36..b715616c5e 100644
+--- a/third_party/rust/bindgen/src/ir/comp.rs
++++ b/third_party/rust/bindgen/src/ir/comp.rs
+@@ -1372,8 +1372,7 @@ impl CompInfo {
+ 
+                     // A declaration of an union or a struct without name could
+                     // also be an unnamed field, unfortunately.
+-                    if cur.spelling().is_empty() &&
+-                        cur.kind() != CXCursor_EnumDecl
++                    if cur.is_anonymous() && cur.kind() != CXCursor_EnumDecl
+                     {
+                         let ty = cur.cur_type();
+                         let offset = cur.offset_of_field().ok();
+diff --git a/third_party/rust/bindgen/src/ir/ty.rs b/third_party/rust/bindgen/src/ir/ty.rs
+index e6eecc3c50..f3e1193ce2 100644
+--- a/third_party/rust/bindgen/src/ir/ty.rs
++++ b/third_party/rust/bindgen/src/ir/ty.rs
+@@ -737,7 +737,12 @@ impl Type {
+ 
+         let layout = ty.fallible_layout(ctx).ok();
+         let cursor = ty.declaration();
+-        let mut name = cursor.spelling();
++        let is_anonymous = cursor.is_anonymous();
++        let mut name = if is_anonymous {
++            None
++        } else {
++            Some(cursor.spelling()).filter(|n| !n.is_empty())
++        };
+ 
+         debug!(
+             "from_clang_ty: {:?}, ty: {:?}, loc: {:?}",
+@@ -771,7 +776,7 @@ impl Type {
+             if is_canonical_objcpointer && is_template_type_param {
+                 // Objective-C generics are just ids with fancy name.
+                 // To keep it simple, just name them ids
+-                name = "id".to_owned();
++                name = Some("id".to_owned());
+             }
+         }
+ 
+@@ -900,7 +905,7 @@ impl Type {
+                                         return Err(ParseError::Recurse);
+                                     }
+                                 } else {
+-                                    name = location.spelling();
++                                    name = Some(location.spelling());
+                                 }
+ 
+                                 let complex = CompInfo::from_ty(
+@@ -942,7 +947,7 @@ impl Type {
+                                                 CXType_Typedef
+                                             );
+ 
+-                                            name = current.spelling();
++                                            name = Some(location.spelling());
+ 
+                                             let inner_ty = cur
+                                                 .typedef_type()
+@@ -1126,10 +1131,10 @@ impl Type {
+                 CXType_Enum => {
+                     let enum_ = Enum::from_ty(ty, ctx).expect("Not an enum?");
+ 
+-                    if name.is_empty() {
++                    if !is_anonymous {
+                         let pretty_name = ty.spelling();
+                         if clang::is_valid_identifier(&pretty_name) {
+-                            name = pretty_name;
++                            name = Some(pretty_name);
+                         }
+                     }
+ 
+@@ -1144,12 +1149,12 @@ impl Type {
+                     )
+                     .expect("Not a complex type?");
+ 
+-                    if name.is_empty() {
++                    if !is_anonymous {
+                         // The pretty-printed name may contain typedefed name,
+                         // but may also be "struct (anonymous at .h:1)"
+                         let pretty_name = ty.spelling();
+                         if clang::is_valid_identifier(&pretty_name) {
+-                            name = pretty_name;
++                            name = Some(pretty_name);
+                         }
+                     }
+ 
+@@ -1161,8 +1166,7 @@ impl Type {
+                         location,
+                         None,
+                         ctx,
+-                    )
+-                    .expect("Not able to resolve vector element?");
++                    )?;
+                     TypeKind::Vector(inner, ty.num_elements().unwrap())
+                 }
+                 CXType_ConstantArray => {
+@@ -1189,7 +1193,9 @@ impl Type {
+                 CXType_ObjCClass | CXType_ObjCInterface => {
+                     let interface = ObjCInterface::from_ty(&location, ctx)
+                         .expect("Not a valid objc interface?");
+-                    name = interface.rust_name();
++                    if !is_anonymous {
++                        name = Some(interface.rust_name());
++                    }
+                     TypeKind::ObjCInterface(interface)
+                 }
+                 CXType_Dependent => {
+@@ -1207,7 +1213,7 @@ impl Type {
+             }
+         };
+ 
+-        let name = if name.is_empty() { None } else { Some(name) };
++        name = name.filter(|n| !n.is_empty());
+ 
+         let is_const = ty.is_const() ||
+             (ty.kind() == CXType_ConstantArray &&
+diff --git a/third_party/rust/bindgen/src/ir/var.rs b/third_party/rust/bindgen/src/ir/var.rs
+index c6f121d74e..679c92bbea 100644
+--- a/third_party/rust/bindgen/src/ir/var.rs
++++ b/third_party/rust/bindgen/src/ir/var.rs
+@@ -301,11 +301,11 @@ impl ClangSubItemParser for Var {
+                 let ty = match Item::from_ty(&ty, cursor, None, ctx) {
+                     Ok(ty) => ty,
+                     Err(e) => {
+-                        assert_eq!(
+-                            ty.kind(),
+-                            CXType_Auto,
++                        assert!(
++			    matches!(ty.kind(), CXType_Auto | CXType_Unexposed),
+                             "Couldn't resolve constant type, and it \
+-                             wasn't an nondeductible auto type!"
++                             wasn't an nondeductible auto type or unexposed \
++			     type!"
+                         );
+                         return Err(e);
+                     }

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr102"
-VERSION="102.9.0"
+VERSION="102.10.0"
 VERSION_SUFFIX=""
-PREV_VERSION="102.8.0"
+PREV_VERSION="102.9.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102"
-RELEASE_TAG="db735c436e680abf21cc67f9a29b42fdf30d416d"
+RELEASE_TAG="d8df3bebc4b529388b62b9cb4df152f13910fbe3"
-RELEASE_TIMESTAMP="20230310165821"
+RELEASE_TIMESTAMP="20230407145224"

thunderbird-102.10.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:73183365c0888b489648b9baaa717ebccbb9add4d245e24e95d43cc76810f8ca
+size 500949660

thunderbird-102.10.0.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQ0LS8ACgkQ6+QekPbx
+L22flhAAsOlC7n7VWB6I0ak90oGfzvZiqlf9WbikM9oXukrYIwqXKfUDKPZZDKTV
+hfrCHzSUWi+QQc6HS8diq7CcRjJb2aJXHxL9E3E2j0qfdWjpoYMBkoQzXQR12Ve8
+lXWEPxrlfJhR8Z2S6geCMVQbyPh6zbMIZTT/Zp1vV8r5PcxwvfC3wviWU721E45k
+moT/CZX6PmeS3UO0kL/6RECNA/HgxnNu2gKFlc9Qc90wCiwtR92RGuB15CXYmZcx
+F3//Jc4n4GSMBxX/4RUto+HFxJWZ1k7Cl7CvtXKYTFkUZvMfrLBCcruzZ3Deuos0
+qKZyreUDbgeNuu+Ynh8qyEkZn+6k+rkb7t+a1jaOpgTtc/B+9fwjv34rIVD4KRO6
+Ym2qotNk3zNYU7moD53rnfvgBb2J4PUbvJobVOcthVvM0HNUbptGDvSrPByeYLOB
+veC4Bqy9heICCwRa3JBIzNCMGQgzP3fKkpFiPJxLoU/Je9FKqhHsbu9wu7/OeE/R
+BQMIFfXNwRpZcmDie3OfqYR6wZEZ5xemOZEkH0wtB7dZLlAir4tkg+P2PkKMS59q
+ihdLEqpiZpDeqIHivRbzi5Bt4GD0V8UEadIjhJ9RMBIfRM0GmjxO5d/nmnhuE+ww
+bH/M1uFnEgit9gICOZDndLhlDSArMUe8xLmjWIy1HXCktxRsnwY=
+=z2m1
+-----END PGP SIGNATURE-----

thunderbird-102.9.0.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ecb34de765d548ed26ea24d4d617567a7896230d7c8379c1ef76be8ca05d6fef
-size 503081436

thunderbird-102.9.0.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQLrkIACgkQ6+QekPbx
-L22h1g/+LXtjCm9UdWsufMQ6GWhNkdHXdhL7Uog6c8Z/vcyfotKNShUYzk8up9Rm
-yUTZQ/vOPZPRt3MmONpE1KvOstThYncUPAdv9ZbIFQEF2eLQ73fiXSP/g5uGFThk
-ZoXCEZt/pnDm6Uv7P/ufh+VYRkNu9TxpYTw5OH5u0YFbwazbyKHdwP2XwHmDqlff
-ObbHyNy7m3+X1jrAb3ayWnK/PUqcw/GbbAdwdtM0eF3RttTO60d/8P+MQ/qxuM1a
-OuVkgAQIpVJiJexbJXMVSUl/c2OwLXDwSX9Q0JKcCqGH1ruv2hss/6Hp9pIdazZs
-85ko0g16DEx5EOTvNFmkYAaSnCAjNZOEqzv/hN71n5V+cvBQNF5U6rFM7qJOzeT6
-As8DI813YsAefHXo620Q+UQXBLXvwwnsuUS7CzzcLX2V+njhrZIKbGB2C5tgEwTg
-FuSK6+0kWEpbYPXQDrrvzOWAJbs5lJNBdWX2WUeX7sNpeaUH/FPBULNo2LRuTgFG
-qiZxaxQfaJ86ZZu29jdkmBQzC90e5dyw2PwipNDRu8FDbinod1vEcEJ1AhQywt2E
-KnX7lp1A/7nMW+b1YbqGTk6w7NLpqGzW0XdfjYdvw2BYCJwtpVl2y8CaZYBxzOBl
-dg+ibkdDRr5gk6XycidonfHVu4xZqEYZd2h62lVlnnTErV10YeE=
-=4xjl
------END PGP SIGNATURE-----