From 5e8c474a19e4ca8931e55efc05c540aa0c138ff9eaa191ab5cb17becdebd59d2 Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Fri, 11 Feb 2022 22:30:53 +0000 Subject: [PATCH] - Mozilla Thunderbird 91.6.0 * TB will now offer to send large forwarded attachments via FileLink * Partially signed unencrypted messages displayed an incorrect "parrtially encrypted" notification * Attachments filenames were not sanitized before saving to disk * In the attachment bar, the "Import OpenPGP Key" item displayed for public keys displayed an error and did not import the key * "Open with" attachment dialog did not have a selected radio button option MFSA 2022-06 (bsc#1195682) * CVE-2022-22753 (bmo#1732435) Privilege Escalation to SYSTEM on Windows via Maintenance Service * CVE-2022-22754 (bmo#1750565) Extensions could have bypassed permission confirmation during update * CVE-2022-22756 (bmo#1317873) Drag and dropping an image could have resulted in the dropped object being an executable * CVE-2022-22759 (bmo#1739957) Sandboxed iframes could have executed script if the parent appended elements * CVE-2022-22760 (bmo#1740985, bmo#1748503) Cross-Origin responses could be distinguished between script and non-script content-types * CVE-2022-22761 (bmo#1745566) frame-ancestors Content Security Policy directive was not enforced for framed extension pages * CVE-2022-22763 (bmo#1740534) Script Execution during invalid object state OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=623 --- MozillaThunderbird.changes | 39 ++++++++++++++++++++++++++++ MozillaThunderbird.spec | 18 +++++-------- l10n-91.5.1.tar.xz | 3 --- l10n-91.6.0.tar.xz | 3 +++ mozilla-bmo1745560.patch | 14 ---------- tar_stamps | 8 +++--- thunderbird-91.5.1.source.tar.xz | 3 --- thunderbird-91.5.1.source.tar.xz.asc | 16 ------------ thunderbird-91.6.0.source.tar.xz | 3 +++ thunderbird-91.6.0.source.tar.xz.asc | 16 ++++++++++++ 10 files changed, 71 insertions(+), 52 deletions(-) delete mode 100644 l10n-91.5.1.tar.xz create mode 100644 l10n-91.6.0.tar.xz delete mode 100644 
mozilla-bmo1745560.patch delete mode 100644 thunderbird-91.5.1.source.tar.xz delete mode 100644 thunderbird-91.5.1.source.tar.xz.asc create mode 100644 thunderbird-91.6.0.source.tar.xz create mode 100644 thunderbird-91.6.0.source.tar.xz.asc
diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index fe58c0d..d58ef33 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Sat Feb 5 14:11:31 UTC 2022 - Wolfgang Rosenauer
+
+- Mozilla Thunderbird 91.6.0
+ * TB will now offer to send large forwarded attachments via FileLink
+ * Partially signed unencrypted messages displayed an incorrect
+ "parrtially encrypted" notification
+ * Attachments filenames were not sanitized before saving to disk
+ * In the attachment bar, the "Import OpenPGP Key" item displayed
+ for public keys displayed an error and did not import the key
+ * "Open with" attachment dialog did not have a selected radio
+ button option
+ MFSA 2022-06 (bsc#1195682)
+ * CVE-2022-22753 (bmo#1732435)
+ Privilege Escalation to SYSTEM on Windows via Maintenance
+ Service
+ * CVE-2022-22754 (bmo#1750565)
+ Extensions could have bypassed permission confirmation during
+ update
+ * CVE-2022-22756 (bmo#1317873)
+ Drag and dropping an image could have resulted in the dropped
+ object being an executable
+ * CVE-2022-22759 (bmo#1739957)
+ Sandboxed iframes could have executed script if the parent
+ appended elements
+ * CVE-2022-22760 (bmo#1740985, bmo#1748503)
+ Cross-Origin responses could be distinguished between script
+ and non-script content-types
+ * CVE-2022-22761 (bmo#1745566)
+ frame-ancestors Content Security Policy directive was not
+ enforced for framed extension pages
+ * CVE-2022-22763 (bmo#1740534)
+ Script Execution during invalid object state
+ * CVE-2022-22764 (bmo#1742682, bmo#1744165, bmo#1746545,
+ bmo#1748210, bmo#1748279)
+ Memory safety bugs fixed in Thunderbird 91.6
+- do not use ccache by default
+- removed obsolete mozilla-bmo1745560.patch
+
 -------------------------------------------------------------------
 Sat Jan 22 09:57:59 UTC 2022 - Manfred Hollstein
 
diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec
index f9c102a..39718be 100644
--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@@ -2,7 +2,7 @@ # spec file # # Copyright (c) 2022 SUSE LLC -# 2006-2021 Wolfgang Rosenauer +# 2006-2022 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,8 +26,8 @@ # major 69 # mainver %major.99 %define major 91 -%define mainver %major.5.1 -%define orig_version 91.5.1 +%define mainver %major.6.0 +%define orig_version 91.6.0 %define orig_suffix %{nil} %define update_channel release %define source_prefix thunderbird-%{orig_version} @@ -38,9 +38,6 @@ # upstream default is clang (to use gcc for large parts set to 0) %define clang_build 0 -# PIE, full relro -%define build_hardened 1 - %bcond_with only_print_mozconfig %bcond_without mozilla_tb_kde4 @@ -48,7 +45,7 @@ %bcond_without mozilla_tb_optimize_for_size # define if ccache should be used or not -%define useccache 1 +%define useccache 0 # Firefox only supports i686 %ifarch %ix86 @@ -207,7 +204,6 @@ Patch28: mozilla-libavcodec58_91.patch Patch29: mozilla-silence-no-return-type.patch Patch30: mozilla-bmo531915.patch Patch31: mozilla-bmo1724679.patch -Patch32: mozilla-bmo1745560.patch %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /bin/sh @@ -310,7 +306,6 @@ fi %patch29 -p1 %patch30 -p1 %patch31 -p1 -%patch32 -p1 %endif %build @@ -366,9 +361,7 @@ export CFLAGS="$CFLAGS -fimplicit-constexpr" # Limit RAM usage during link export LDFLAGS="${LDFLAGS} -Wl,--no-keep-memory -Wl,--reduce-memory-overheads" %endif -%if 0%{?build_hardened} export LDFLAGS="${LDFLAGS} -fPIC -Wl,-z,relro,-z,now" -%endif %ifarch ppc64 ppc64le %if 0%{?clang_build} == 0 export CFLAGS="$CFLAGS -mminimal-toc" @@ -530,9 +523,10 @@ sed -r '/^(ja-JP-mac|en-US|$)/d;s/ .*$//' $RPM_BUILD_DIR/%{source_prefix}/comm/m >> %{_tmppath}/translations.$_l10ntarget ' -- {} %endif - +%if 0%{useccache} != 0 ccache -s %endif +%endif %install cd $RPM_BUILD_DIR/obj 
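Review bot: The now-unconditional `export LDFLAGS="${LDFLAGS} -fPIC -Wl,-z,relro,-z,now"` in the `@@ -366,9 +361,7 @@` hunk is left without any comment, because the `build_hardened` toggle and its `# PIE, full relro` comment are removed in the `@@ -38,9 +38,6 @@` hunk. The visible flags request full RELRO with immediate binding; no `-pie` appears in these hunks, so the PIE half of the old comment cannot be confirmed from here. I would put a comment directly above the export, for example `# hardening, always on: full RELRO + immediate binding (-z relro -z now)`, and say where PIE is enabled if it is. The %build section continues outside both hunks.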
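Review bot: The new guard `%if 0%{useccache} != 0` around `ccache -s` in the `@@ -530,9 +523,10 @@` hunk expands the macro without `?`, unlike `0%{?clang_build} == 0` visible in the `@@ -366,9 +361,7 @@` hunk. If `useccache` were ever left undefined, the unexpanded `%{useccache}` would reach the expression parser instead of evaluating to false; `%if 0%{?useccache} != 0` avoids that and keeps the conditionals uniform. The `%if` that the added trailing `%endif` closes starts outside the hunk.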
diff --git a/l10n-91.5.1.tar.xz b/l10n-91.5.1.tar.xz
deleted file mode 100644
index 13eba35..0000000
--- a/l10n-91.5.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:bf372dd234e130669ceca5b15b2a312893b03f6d7a7e14bcb3c8b10822943ff8
-size 28849860
diff --git a/l10n-91.6.0.tar.xz b/l10n-91.6.0.tar.xz
new file mode 100644
index 0000000..ebd7ec6
--- /dev/null
+++ b/l10n-91.6.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2a949123ba7b07ac78562ebb9038b691b072823c0237d1644c05fd4464319cfc
+size 28819616
diff --git a/mozilla-bmo1745560.patch b/mozilla-bmo1745560.patch
deleted file mode 100644
index 3f199d1..0000000
--- a/mozilla-bmo1745560.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/widget/gtk/mozwayland/mozwayland.c b/widget/gtk/mozwayland/mozwayland.c
---- a/widget/gtk/mozwayland/mozwayland.c
-+++ b/widget/gtk/mozwayland/mozwayland.c
-@@ -200,3 +200,10 @@
-
- MOZ_EXPORT void wl_list_insert_list(struct wl_list* list,
- struct wl_list* other) {}
-+
-+MOZ_EXPORT struct wl_proxy* wl_proxy_marshal_flags(
-+ struct wl_proxy* proxy, uint32_t opcode,
-+ const struct wl_interface* interface, uint32_t version, uint32_t flags,
-+ ...) {
-+ return NULL;
-+}
diff --git a/tar_stamps b/tar_stamps
index d31d6e1..9f60179 100644
--- a/tar_stamps
+++ b/tar_stamps
@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr91"
-VERSION="91.5.1"
+VERSION="91.6.0"
 VERSION_SUFFIX=""
-PREV_VERSION="91.5.0"
+PREV_VERSION="91.5.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr91"
-RELEASE_TAG="46a4af6b62978ae76a41fcf57bc3309c4d9bb22e"
-RELEASE_TIMESTAMP="20220120011414"
+RELEASE_TAG="676bfbddd4b3ed77f818b6b07d9d8a79c61be4da"
+RELEASE_TIMESTAMP="20220204195633"
diff --git a/thunderbird-91.5.1.source.tar.xz b/thunderbird-91.5.1.source.tar.xz
deleted file mode 100644
index 7d0f79e..0000000
--- a/thunderbird-91.5.1.source.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:15918d48c59988ddeba3c7b5d98cf483db9c38a782dfbf6472dc889fed9b9c8a
-size 405332676
diff --git a/thunderbird-91.5.1.source.tar.xz.asc b/thunderbird-91.5.1.source.tar.xz.asc
deleted file mode 100644
index f89057d..0000000
--- a/thunderbird-91.5.1.source.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmHqDckACgkQ6+QekPbx
-L22h3g/9Gtqoij3wrjH4hRjcaoq7/kLdouDTLXLWUs8yO3UdPJlsssdkFrYHpvXB
-/WjXSDS7FY6mPxVWIDgeF2N8s07fIeDFB5tCAzJhpb4hpkYIrszGJXed7vvuJZmC
-BzXqPZdhLi6njo6iHwtPFWoidrT+fOEM4tdFUG2pVSjrUNr5A3QbQySzyuwh5G1W
-sj5SmtqotwZY60r3tx2j81PcxU3pn29piU7NJ9ma/PTmxj3vI6xZWfsvYk3UJnNK
-RbMlVwyj10qQKAHYB7mLba7GzSqWBGezeyysTtTinR7qMC3CPopYfOSfwcL+FJul
-lUFvYhIQlcXRIRcp1AHTspfGGIHgpVrJBQK2iIcsFmxXpCNkJq6m2Z7O//YyQslN
-uxJpMCMXtEr1ULATJVMoI963e+3C0bJz4FpzcN3Xoh++GmifKeo+DhW0Hq7uR/Yq
-PJr9ci99ti4wtsDVm4UKgqx7PQm1Mg3Gp8c1EKx05pRMjg64zBzAL84wa+oi8lTM
-LyVFFyIn5Jslt9izudQrgB1TXcCChEt+HK8yPRWUBqAqMXNuCj7gaSA2CN1yXKsx
-tO5ijyXX2XP4NgVfn9p+iI48geEfKB4YJMmNFzfXbhOp1yQ48uGd0kYoLFl9K79m
-5ysFEzl5qXH586YPYECMQheFZmKI3679EGzDgq4JawXnE1swshU=
-=n0Mf
------END PGP SIGNATURE-----
diff --git a/thunderbird-91.6.0.source.tar.xz b/thunderbird-91.6.0.source.tar.xz
new file mode 100644
index 0000000..f598a42
--- /dev/null
+++ b/thunderbird-91.6.0.source.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e9c6a82a41c869ce291d50352250856cbb3e9be8e603038be72cd5bc52438afb
+size 404738672
diff --git a/thunderbird-91.6.0.source.tar.xz.asc b/thunderbird-91.6.0.source.tar.xz.asc
new file mode 100644
index 0000000..1716acb
--- /dev/null
+++ b/thunderbird-91.6.0.source.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmH9ursACgkQ6+QekPbx
+L22lAQ/+KaxdNSpa33jrG9KtWEk/gPpSQAKyeZmqpKuNpnlPowM8gAb5cehPEhtm
+olzcdZV3CNS2KPIkd7fa+UuncV3Ze9zoD3HlDmGobduzpP0NZtDiW4xPnidFDrKG
+d1YvLoCR7lSD9TSN+yhNwqWkyqJdeFkyZ4tiJhIzz0sPjdOf+DzaQVIokZ4aOLR5
+I9Yn7LB5Q3ijt+NhZeGKPVgHgWwQxwyI/xW4pHxGQX1nSyHQHTmMLp3QToEej0OU
+tAwA3ZlPMNhbl+G6wejXQPJZUigfUQxme6hE6//CAmVlIJWdgmqY6zEDJMwHk+A9
+VEHaVp1bnUaV9FSrHYpCo17zgwdia2MXeQUJWLllUwiOJQh/leXu4MP5yMGOL4ll
+i9bu7avAT077m1wpwMxqV39bVf2YR0o3KpAUa5sx46TuusUBzSpxb95c4dsapP8q
+rywnJxUACIo5jP3v97GLkrE/481YNSjtdYIoKJn3oEIOMgKQfOs7fAK+IyEc35LD
+JHf/87v3015k95s1eYpqYvR3LbJrbei72SbtrIURYy+4fiz1G7CYOa0gfvinM/S6
+b8+8ND/E/qg9UySofyRzSSMY2mlHBmfoFCe8P99kuwNVGNTMeuB40HK/UuZS7MXH
+PxXy97LbPmNoBZPLaK1NY3bk64gJNyr8DD1fE1QO1fdSwh0Tx6A=
+=kv22
+-----END PGP SIGNATURE-----