Accepting request 645920 from mozilla:Factory

- update to Thunderbird 60.3.0
  * various theme fixes
  * Shift+PageUp/PageDown in Write window
  * Gloda attachment filtering
  * Mailing list address auto-complete enter/return handling
  * Thunderbird hung if HTML signature references non-existent image
  * Filters not working for headers that appear more than once
- Security fixes for the Mozilla platform picked up from 60.3
  (Firefox ESR release). In general, these flaws cannot be exploited
  through email in Thunderbird because scripting is disabled when
  reading mail, but are potentially risks in browser or browser-like
  contexts (MFSA 2018-28) (bsc#1112852)
  * CVE-2018-12391 (bmo#1478843) (Android only)
    HTTP Live Stream audio data is accessible cross-origin
  * CVE-2018-12392 (bmo#1492823)
    Crash with nested event loops
  * CVE-2018-12393 (bmo#1495011)
    Integer overflow during Unicode conversion while loading JavaScript
  * CVE-2018-12389 (bmo#1498460, bmo#1499198)
    Memory safety bugs fixed in Firefox ESR 60.3
  * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
    bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
    bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
    bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
    Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3

- Update _constraints for armv6/7

- Add patch to fix build on armv7:
  * mozilla-bmo1463035.patch

OBS-URL: https://build.opensuse.org/request/show/645920
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=199

MozillaThunderbird.changes

@@ -1,3 +1,48 @@
+-------------------------------------------------------------------
+Tue Oct 30 08:18:23 UTC 2018 - wr@rosenauer.org
+
+- update to Thunderbird 60.3.0
+  * various theme fixes
+  * Shift+PageUp/PageDown in Write window
+  * Gloda attachment filtering
+  * Mailing list address auto-complete enter/return handling
+  * Thunderbird hung if HTML signature references non-existent image
+  * Filters not working for headers that appear more than once
+- Security fixes for the Mozilla platform picked up from 60.3
+  (Firefox ESR release). In general, these flaws cannot be exploited
+  through email in Thunderbird because scripting is disabled when
+  reading mail, but are potentially risks in browser or browser-like
+  contexts (MFSA 2018-28) (bsc#1112852)
+  * CVE-2018-12391 (bmo#1478843) (Android only)
+    HTTP Live Stream audio data is accessible cross-origin
+  * CVE-2018-12392 (bmo#1492823)
+    Crash with nested event loops
+  * CVE-2018-12393 (bmo#1495011)
+    Integer overflow during Unicode conversion while loading JavaScript
+  * CVE-2018-12389 (bmo#1498460, bmo#1499198)
+    Memory safety bugs fixed in Firefox ESR 60.3
+  * CVE-2018-12390 (bmo#1487098, bmo#1487660, bmo#1490234, bmo#1496159,
+    bmo#1443748, bmo#1496340, bmo#1483905, bmo#1493347, bmo#1488803,
+    bmo#1498701, bmo#1498482, bmo#1442010, bmo#1495245, bmo#1483699,
+    bmo#1469486, bmo#1484905, bmo#1490561, bmo#1492524, bmo#1481844)
+    Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3
+
+-------------------------------------------------------------------
+Thu Oct 25 14:40:14 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Update _constraints for armv6/7
+
+-------------------------------------------------------------------
+Thu Oct 25 08:26:12 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Add patch to fix build on armv7:
+  * mozilla-bmo1463035.patch
+
+-------------------------------------------------------------------
+Thu Oct 25 08:25:52 UTC 2018 - guillaume.gardet@opensuse.org
+
+- Add memory-constraints to avoid OOM errors
+
 -------------------------------------------------------------------
 Fri Oct 12 14:26:17 UTC 2018 - meissner@suse.com
 
@@ -15,7 +60,7 @@ Tue Oct  2 10:08:00 UTC 2018 - wr@rosenauer.org
   * Fix multiple requests for master password when Google Mail or
     Calendar OAuth2 is enabled
   * Fix scrollbar of the address entry auto-complete popup
-  * Fix security info dialog in compose window not showing 
+  * Fix security info dialog in compose window not showing
     certificate status
   * Fix links in the Add-on Manager's search results and theme
     browsing tabs that opened in external browser

MozillaThunderbird.spec

@@ -13,13 +13,13 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
-%define mainversion 60.2.1
+%define mainversion 60.3.0
 %define update_channel release
-%define releasedate 20180930223627
+%define releasedate 20181025202514
 
 %bcond_without mozilla_tb_kde4
 %bcond_with    mozilla_tb_valgrind
@@ -42,6 +42,7 @@ BuildRequires:  libXcomposite-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  libidl-devel
 BuildRequires:  libnotify-devel
+BuildRequires:  memory-constraints
 BuildRequires:  mozilla-nspr-devel >= 4.19
 BuildRequires:  mozilla-nss-devel >= 3.36.4
 BuildRequires:  python
@@ -119,6 +120,7 @@ Patch7:         mozilla-bmo1375074.patch
 Patch8:         mozilla-bmo1464766.patch
 Patch9:         mozilla-i586-DecoderDoctorLogger.patch
 Patch10:        mozilla-i586-domPrefs.patch
+Patch11:        mozilla-bmo1463035.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         coreutils fileutils textutils /bin/sh
 Recommends:     libcanberra0
@@ -202,6 +204,7 @@ symbols meant for upload to Mozilla's crash collector database.
 %patch9 -p1
 %patch10 -p1
 %endif
+%patch11 -p1
 
 %build
 # no need to add build time to binaries
@@ -251,6 +254,8 @@ export MOZCONFIG=$RPM_BUILD_DIR/mozconfig
 # is not forced into CFLAGS
 export MOZ_DEBUG_FLAGS="-pipe"
 #
+# Limit RAM usage to avoid OOM
+%limit_build -m 1500
 cat << EOF > $MOZCONFIG
 mk_add_options MOZILLA_OFFICIAL=1
 mk_add_options BUILD_OFFICIAL=1

_constraints

@@ -12,15 +12,6 @@
     <conditions>
       <arch>armv6l</arch>
       <arch>armv7l</arch>
-    </conditions>
-    <hardware>
-      <memory>
-        <size unit="M">2600</size>
-      </memory>
-    </hardware>
-  </overwrite>
-  <overwrite>
-    <conditions>
       <arch>aarch64</arch>
     </conditions>
     <hardware>

compare-locales.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ad03f7c20354dd56fa2501c5018e7b2ce512315da9b462c37358f4b7d30b26af
-size 28372
+oid sha256:158df1b15780d704364f4d7ee7eb6289252d8f338ce6823da325bb0129a65181
+size 28432

create-tar.sh

@@ -2,9 +2,9 @@
 
 CHANNEL="esr60"
 BRANCH="releases/comm-$CHANNEL"
-RELEASE_TAG="5cdee4ae33c0868ae420a5a826c63b42d823c584"
-MOZ_RELEASE_TAG="8d71faee5dcdd0773b7e0830b8fad96a6bda559b"
-VERSION="60.2.1"
+RELEASE_TAG="dd958ef605d132d08a063f29606737ffb3453e68"
+MOZ_RELEASE_TAG="ab014151d4c338562949c28aa140786b548856ca"
+VERSION="60.3.0"
 VERSION_SUFFIX=""
 LOCALE_FILE="thunderbird-$VERSION/comm/mail/locales/l10n-changesets.json"
 

l10n-60.2.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6cfc0c4dd586141d79fde3aa1360c50bd78f90ef393484a7112f8afd416e2067
-size 27451556

l10n-60.3.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7be94c4cce5562e3a414691beee347a8b4940c41742e8270090d8b4215fcefb9
+size 27433892

mozilla-bmo1463035.patch

@@ -0,0 +1,130 @@
+
+# HG changeset patch
+# User Mike Hommey <mh+mozilla@glandium.org>
+# Date 1526871862 -32400
+# Node ID 94f21505ff13cd089f7129cd24927cf8b31a0f43
+# Parent  1800b8895c08bc0c60302775dc0a4b5ea4deb310
+Bug 1463035 - Remove MOZ_SIGNAL_TRAMPOLINE. r?darchons
+
+For some reason, GNU as is not happy with the assembly generated after
+bug 1238661 anymore on Debian armel.
+
+OTOH, as mentioned in bug 1238661 comment 4, we actually don't need this
+workaround anymore, so let's just kill it.
+
+
+diff --git a/mfbt/LinuxSignal.h b/mfbt/LinuxSignal.h
+deleted file mode 100644
+--- a/mfbt/LinuxSignal.h
++++ /dev/null
+@@ -1,45 +0,0 @@
+-/* This Source Code Form is subject to the terms of the Mozilla Public
+- * License, v. 2.0. If a copy of the MPL was not distributed with this
+- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+-
+-#ifndef mozilla_LinuxSignal_h
+-#define mozilla_LinuxSignal_h
+-
+-namespace mozilla {
+-
+-#if defined(__arm__)
+-
+-// Some (old) Linux kernels on ARM have a bug where a signal handler
+-// can be called without clearing the IT bits in CPSR first. The result
+-// is that the first few instructions of the handler could be skipped,
+-// ultimately resulting in crashes. To workaround this bug, the handler
+-// on ARM is a trampoline that starts with enough NOP instructions, so
+-// that even if the IT bits are not cleared, only the NOP instructions
+-// will be skipped over.
+-
+-template <void (*H)(int, siginfo_t*, void*)>
+-__attribute__((naked)) void
+-SignalTrampoline(int aSignal, siginfo_t* aInfo, void* aContext)
+-{
+-  asm volatile (
+-    "nop; nop; nop; nop"
+-    : : : "memory");
+-
+-  asm volatile (
+-    "b %0"
+-    :
+-    : "X"(H)
+-    : "memory");
+-}
+-
+-# define MOZ_SIGNAL_TRAMPOLINE(h) (mozilla::SignalTrampoline<h>)
+-
+-#else // __arm__
+-
+-# define MOZ_SIGNAL_TRAMPOLINE(h) (h)
+-
+-#endif // __arm__
+-
+-} // namespace mozilla
+-
+-#endif // mozilla_LinuxSignal_h
+diff --git a/mfbt/moz.build b/mfbt/moz.build
+--- a/mfbt/moz.build
++++ b/mfbt/moz.build
+@@ -117,20 +117,16 @@ EXPORTS["double-conversion"] = [
+ LOCAL_INCLUDES += [
+     '/mfbt/double-conversion',
+ ]
+ 
+ if CONFIG['OS_ARCH'] == 'WINNT':
+     EXPORTS.mozilla += [
+         'WindowsVersion.h',
+     ]
+-elif CONFIG['OS_ARCH'] == 'Linux':
+-    EXPORTS.mozilla += [
+-        'LinuxSignal.h',
+-    ]
+ 
+ UNIFIED_SOURCES += [
+     'Assertions.cpp',
+     'ChaosMode.cpp',
+     'double-conversion/double-conversion/bignum-dtoa.cc',
+     'double-conversion/double-conversion/bignum.cc',
+     'double-conversion/double-conversion/cached-powers.cc',
+     'double-conversion/double-conversion/diy-fp.cc',
+diff --git a/tools/profiler/core/platform-linux-android.cpp b/tools/profiler/core/platform-linux-android.cpp
+--- a/tools/profiler/core/platform-linux-android.cpp
++++ b/tools/profiler/core/platform-linux-android.cpp
+@@ -55,17 +55,16 @@
+ #ifdef __GLIBC__
+ #include <execinfo.h>   // backtrace, backtrace_symbols
+ #endif  // def __GLIBC__
+ #include <strings.h>    // index
+ #include <errno.h>
+ #include <stdarg.h>
+ 
+ #include "prenv.h"
+-#include "mozilla/LinuxSignal.h"
+ #include "mozilla/PodOperations.h"
+ #include "mozilla/DebugOnly.h"
+ 
+ #include <string.h>
+ #include <list>
+ 
+ using namespace mozilla;
+ 
+@@ -272,17 +271,17 @@ Sampler::Sampler(PSLockRef aLock)
+ 
+   // NOTE: We don't initialize LUL here, instead initializing it in
+   // SamplerThread's constructor. This is because with the
+   // profiler_suspend_and_sample_thread entry point, we want to be able to
+   // sample without waiting for LUL to be initialized.
+ 
+   // Request profiling signals.
+   struct sigaction sa;
+-  sa.sa_sigaction = MOZ_SIGNAL_TRAMPOLINE(SigprofHandler);
++  sa.sa_sigaction = SigprofHandler;
+   sigemptyset(&sa.sa_mask);
+   sa.sa_flags = SA_RESTART | SA_SIGINFO;
+   if (sigaction(SIGPROF, &sa, &mOldSigprofHandler) != 0) {
+     MOZ_CRASH("Error installing SIGPROF handler in the profiler");
+   }
+ }
+ 
+ void
+

thunderbird-60.2.1.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d313f25cd7ddc016bf8e4d4115f14b34a66621c0feabbc0dd72f9304cb93d7bf
-size 284570000

thunderbird-60.2.1.source.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.14 (GNU/Linux)
-
-iQIcBAABCAAGBQJbsjeEAAoJELu+vbskxvNV2hEP/3dWNPNcF0+A1S+ePf/JXyn8
-a3DFlu2s7ihtsFy4EW7CcOHyMdRIiKAPlrCKJR4DQorL0C1S+Q/WaFyyibQX3oSi
-Q/g1Ch1sKKz03YIKweLHzz0eTQDvcxY2AbJkrsJNNrZH/5MvCh0jbohWeBwsJ3s7
-OtxPDAHBSSL0oJOj6klrBfWMLamOyBhiH8RdUTJzsIHuKusco6hJwlilQrwnfTZB
-FZfp88D69v2bQS1JdkzJvSQFD0GsS75fej3qwvqMiUiuBFl4KYD+oly0Th3XqHt6
-PD+1YqagRPpZt253Sv12KUG06OkoK+TgTiseKbY1lT2k+4TvSw68jocZbsIYuOFH
-uxyVWQhWxkwvcxeD1qZr0r0NjFd8uFvG72G6JxRfYUO2XjGKBqYjexUhI8zzAoyU
-00AmnwyeTEMg8Y/PTlh7NxKMITJFUX5HAatSB9eyBgQdKcalbZb+lCQZzccv9kd6
-9JxeRg+8TlM8SNOv3upLdqH8m2DCNCgWpURJW10+jf5O1qIm5G2K2lvffum9lTJ+
-cOu8+WN5lFR9UV3f0nAvWDb7KeK/i+pIDVozhCKXuGJbWRguhtVQICJBzYcn3lk0
-VB/xHlDrK4oIEG/BWAWAZsDt8ScRn4d0bwIVPC/NAN14AaritBFcR6lwfBGRH6on
-pbq7+PPTen/nfk303ub5
-=y8ku
------END PGP SIGNATURE-----

thunderbird-60.3.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:23fc097a5aa62006919029df890e5e2bec38c2c3e6081723040ef702ff6e4a7b
+size 285211708

thunderbird-60.3.0.source.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.14 (GNU/Linux)
+
+iQIcBAABCAAGBQJb2EY1AAoJELu+vbskxvNVjCAP+wVmU2xhLhneLRJ/0iE6wWD6
+PH/9lt/wNi8KutxeVzfrnS1AS/RnpgbTkbVg9FZqzJQ30SjhQ4u/3i7MsgFpCS4Y
+qhNs0sIvp7RKDTd+2wubk+/GLoDSPlSdEJO3jTUXBc6D25GzMfrd89kShJsLlfb8
+WqFchIwP3ivlIaocL5/I1+GOhP4KxND10RgEICKwwJ3qlE+AKsX+pGWvM7McKjuJ
+Usnss7BtXB/QfjjJEdTMCx+imFPbUV4SWg9UaY5H/sPHxhlNbulHgGjuUdFJPrU5
+RSCkkOYodp/XsIvVneswGmoqd3g9v3rF5Dari1YavxSB/LguafDmny83hgVnyiUp
+KohhntuQmLuOaT1YL78igc1QY/edtFd8wpsjwI27aIuI20wqT0kN+maSOExvavDI
+Z60SIflw12GOg9ZqnsWiOdc67reD0fT8e56xfSOXELQUklDBubg9Lxz4P/06zFUb
+cvNd961Cg3GuYloBkTpWKMcuvfRiGmR+EbHFTVEHbcYsdvWaAHHmcbup18ak/fUx
+LoheXza7zXbjYrwWyEWiXuhpFFzuqSLojeuBW8omklw8Ia3+p+4NZHCFUjt+3eEh
+AQpLf7Jh0UCogXKEgUowPyetUv1oBYWosyRLvkBBUwZaZ+DvjLneRf6bDB/BCoSE
+lrUVNb11lX42wHZpcJVB
+=KX6F
+-----END PGP SIGNATURE-----