Accepting request 1160556 from mozilla:Factory

- LLVM18 breaks building Thunderbird on Tumbleweed; add
  * mozilla-fix-issues-with-llvm18.patch

- Mozilla Thunderbird 115.9.0
  https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
  MFSA 2024-14 (bsc#1221327)
  * CVE-2024-0743 (bmo#1867408)
    Crash in NSS TLS method
  * CVE-2024-2605 (bmo#1872920)
    Windows Error Reporter could be used as a Sandbox escape vector
  * CVE-2024-2607 (bmo#1879939)
    JIT code failed to save return registers on Armv7-A
  * CVE-2024-2608 (bmo#1880692)
    Integer overflow could have led to out of bounds write
  * CVE-2024-2616 (bmo#1846197)
    Improve handling of out-of-memory conditions in ICU
  * CVE-2023-5388 (bmo#1780432)
    NSS susceptible to timing attack against RSA decryption
  * CVE-2024-2610 (bmo#1871112)
    Improper handling of html and body tags enabled CSP nonce leakage
  * CVE-2024-2611 (bmo#1876675)
    Clickjacking vulnerability could have led to a user accidentally
    granting permissions
  * CVE-2024-2612 (bmo#1879444)
    Self referencing object could have potentially led to a use-
    after-free
  * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
    Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
    and Thunderbird 115.9

OBS-URL: https://build.opensuse.org/request/show/1160556
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=332

MozillaThunderbird.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Mar 20 13:55:26 UTC 2024 - Manfred Hollstein <manfred.h@gmx.net>
+
+- LLVM18 breaks building Thunderbird on Tumbleweed; add
+  * mozilla-fix-issues-with-llvm18.patch
+
+-------------------------------------------------------------------
+Sat Mar 16 11:41:27 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Thunderbird 115.9.0
+  https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
+  MFSA 2024-14 (bsc#1221327)
+  * CVE-2024-0743 (bmo#1867408)
+    Crash in NSS TLS method
+  * CVE-2024-2605 (bmo#1872920)
+    Windows Error Reporter could be used as a Sandbox escape vector
+  * CVE-2024-2607 (bmo#1879939)
+    JIT code failed to save return registers on Armv7-A
+  * CVE-2024-2608 (bmo#1880692)
+    Integer overflow could have led to out of bounds write
+  * CVE-2024-2616 (bmo#1846197)
+    Improve handling of out-of-memory conditions in ICU
+  * CVE-2023-5388 (bmo#1780432)
+    NSS susceptible to timing attack against RSA decryption
+  * CVE-2024-2610 (bmo#1871112)
+    Improper handling of html and body tags enabled CSP nonce leakage
+  * CVE-2024-2611 (bmo#1876675)
+    Clickjacking vulnerability could have led to a user accidentally
+    granting permissions
+  * CVE-2024-2612 (bmo#1879444)
+    Self referencing object could have potentially led to a use-
+    after-free
+  * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
+    Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
+    and Thunderbird 115.9
+
+-------------------------------------------------------------------
+Tue Mar  5 08:13:43 UTC 2024 - Adam Mizerski <adam@mizerski.pl>
+
+- Create subpackage MozillaThunderbird-openpgp-librnp
+
 -------------------------------------------------------------------
 Tue Mar  5 09:09:34 CET 2024 - Wolfgang Rosenauer <wr@@rosenauer.org>
 

MozillaThunderbird.spec

@@ -29,8 +29,8 @@
 # major 69
 # mainver %%major.99
 %define major          115
-%define mainver        %major.8.1
-%define orig_version   115.8.1
+%define mainver        %major.9.0
+%define orig_version   115.9.0
 %define orig_suffix    %nil
 %define update_channel release
 %define source_prefix  thunderbird-%{orig_version}
@@ -128,7 +128,11 @@ BuildRequires:  zip
 %if 0%{?suse_version} < 1550
 BuildRequires:  pkgconfig(gconf-2.0) >= 1.2.1
 %endif
+%if (0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000)
+BuildRequires:  clang6-devel
+%else
 BuildRequires:  clang-devel >= 5
+%endif
 BuildRequires:  pkgconfig(glib-2.0) >= 2.22
 BuildRequires:  pkgconfig(gobject-2.0)
 BuildRequires:  pkgconfig(gtk+-3.0) >= 3.14.0
@@ -203,6 +207,10 @@ Patch19:        svg-rendering.patch
 Patch20:        mozilla-partial-revert-1768632.patch
 Patch21:        mozilla-bmo1775202.patch
 Patch22:        mozilla-rust-disable-future-incompat.patch
+%if 0%{?product_libs_llvm_ver} > 17
+# LLVM18 breaks building Firefox ESR:
+Patch30:        mozilla-fix-issues-with-llvm18.patch
+%endif
 %endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         /bin/sh
@@ -216,6 +224,8 @@ PreReq:         textutils
 Recommends:     libcanberra0
 Recommends:     libotr5
 Recommends:     libpulse0
+Requires:       %{name}-openpgp
+Suggests:       %{name}-openpgp-librnp
 Requires(post): desktop-file-utils
 Requires(postun): desktop-file-utils
 %define libgssapi libgssapi_krb5.so.2
@@ -227,6 +237,16 @@ managing email, news feeds, chat, and news groups. It is a local
 (rather than browser- or web-based) email application that is powerful
 yet easy to use.
 
+%package openpgp-librnp
+Summary:        Thunderbird's upstream OpenPGP implementation
+Group:          Productivity/Networking/Email/Clients
+Requires:       %{name} = %{version}
+Provides:       %{name}-openpgp
+Conflicts:      %{name}-openpgp
+
+%description openpgp-librnp
+Thunderbird's upstream OpenPGP implementation.
+
 %if %localize
 %package translations-common
 Summary:        Common translations for %{appname}
@@ -593,6 +613,7 @@ exit 0
 %{progdir}/application.ini
 %{progdir}/dependentlibs.list
 %{progdir}/*.so
+%exclude %{progdir}/librnp.so
 %{progdir}/glxtest
 %if 0%{wayland_supported}
 %{progdir}/vaapitest
@@ -622,6 +643,9 @@ exit 0
 %{_datadir}/icons/hicolor/symbolic/apps/%{progname}-symbolic.svg
 %{_bindir}/%{progname}
 
+%files openpgp-librnp
+%{progdir}/librnp.so
+
 %if %localize
 %files translations-common -f %{_tmppath}/translations.common
 %defattr(-,root,root)

l10n-115.8.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:71cf508cfbc2a3636faf476e298c2f93e538fdf766b86d8aa0f643fc8bf2a2da
-size 28293800

l10n-115.9.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7943b97cba342c3a998d7ee4f2dd2cf3eac73201ab9b1f332556aaa637abd3b9
+size 29763000

mozilla-fix-issues-with-llvm18.patch

@@ -0,0 +1,94 @@
+Adapt the shipped rust-bindgen copy for LLVM-18 and later,
+and tell cargo we've modified the code of rust-bindgen so
+the checksum verification of this crate should be skipped
+
+diff -rup a/Cargo.lock b/Cargo.lock
+--- a/Cargo.lock        2024-03-14 06:21:23.000000000 +0100
++++ b/Cargo.lock        2024-03-20 13:15:35.146224179 +0100
+@@ -414,8 +414,8 @@ dependencies = [
+ [[package]]
+ name = "bindgen"
+ version = "0.64.0"
+-source = "registry+https://github.com/rust-lang/crates.io-index"
+-checksum = "c4243e6031260db77ede97ad86c27e501d646a27ab57b59a574f725d98ab1fb4"
++#source = "registry+https://github.com/rust-lang/crates.io-index"
++#checksum = "c4243e6031260db77ede97ad86c27e501d646a27ab57b59a574f725d98ab1fb4"
+ dependencies = [
+  "bitflags 1.3.2",
+  "cexpr",
+diff -rup a/Cargo.toml b/Cargo.toml
+--- a/Cargo.toml        2024-03-20 13:09:16.152828408 +0100
++++ b/Cargo.toml        2024-03-20 13:14:09.072867031 +0100
+@@ -193,3 +193,8 @@ weedle2 = "=4.0.0"
+ # Shut up such messages for now to make the build succeed
+ [future-incompat-report]
+ frequency = "never"
++
++[patch.crates-io.bindgen_0_64_0]
++package = "bindgen"
++version = "0.64.0"
++path = "third_party/rust/bindgen"
+diff -rup a/third_party/rust/bindgen/ir/item.rs b/third_party/rust/bindgen/ir/item.rs
+--- a/third_party/rust/bindgen/ir/item.rs        2024-03-14 06:21:40.000000000 +0100
++++ b/third_party/rust/bindgen/ir/item.rs        2024-03-20 13:11:32.062844514 +0100
+@@ -1434,6 +1434,7 @@ impl Item {
+             // We allowlist cursors here known to be unhandled, to prevent being
+             // too noisy about this.
+             match cursor.kind() {
++                CXCursor_LinkageSpec => return Err(ParseError::Recurse),
+                 CXCursor_MacroDefinition |
+                 CXCursor_MacroExpansion |
+                 CXCursor_UsingDeclaration |
+
+
+Adapt the WebRTC code to use 64-bit timestamp to fix a build
+failure with Clang-18 and later
+
+diff -rup a/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp b/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp
+--- a/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp        2024-03-14 06:21:25.000000000 +0100
++++ b/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp        2024-03-20 13:17:20.839584778 +0100
+@@ -99,7 +99,7 @@ struct EncodedFrame {
+     uint8_t y_;
+     uint8_t u_;
+     uint8_t v_;
+-    uint32_t timestamp_;
++    uint64_t timestamp_;
+   } idr_nalu;
+ };
+ #pragma pack(pop)
+diff -rup a/dom/media/gtest/TestGMPRemoveAndDelete.cpp b/dom/media/gtest/TestGMPRemoveAndDelete.cpp
+--- a/dom/media/gtest/TestGMPRemoveAndDelete.cpp        2024-03-14 06:21:25.000000000 +0100
++++ b/dom/media/gtest/TestGMPRemoveAndDelete.cpp        2024-03-20 13:17:20.839584778 +0100
+@@ -361,7 +361,7 @@ void GMPRemoveTest::gmp_Decode() {
+       uint8_t y_;
+       uint8_t u_;
+       uint8_t v_;
+-      uint32_t timestamp_;
++      uint64_t timestamp_;
+     } idr_nalu;
+   };
+ #pragma pack(pop)
+diff -rup a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp
+--- a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp        2024-03-14 06:21:24.000000000 +0100
++++ b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp        2024-03-20 13:17:20.842918112 +0100
+@@ -540,7 +540,7 @@ void WebrtcGmpVideoEncoder::Encoded(
+ 
+   webrtc::VideoFrameType ft;
+   GmpFrameTypeToWebrtcFrameType(aEncodedFrame->FrameType(), &ft);
+-  uint32_t timestamp = (aEncodedFrame->TimeStamp() * 90ll + 999) / 1000;
++  uint64_t timestamp = (aEncodedFrame->TimeStamp() * 90ll + 999) / 1000;
+ 
+   GMP_LOG_DEBUG("GMP Encoded: %" PRIu64 ", type %d, len %d",
+                 aEncodedFrame->TimeStamp(), aEncodedFrame->BufferType(),
+diff -rup a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h
+--- a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h        2024-03-14 06:21:24.000000000 +0100
++++ b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h        2024-03-20 13:17:32.442921055 +0100
+@@ -302,7 +302,7 @@ class WebrtcGmpVideoEncoder : public GMP
+     int64_t timestamp_us;
+   };
+   // Map rtp time -> input image data
+-  DataMutex<std::map<uint32_t, InputImageData>> mInputImageMap;
++  DataMutex<std::map<uint64_t, InputImageData>> mInputImageMap;
+ 
+   MediaEventProducer<uint64_t> mInitPluginEvent;
+   MediaEventProducer<uint64_t> mReleasePluginEvent;

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr115"
-VERSION="115.8.1"
+VERSION="115.9.0"
 VERSION_SUFFIX=""
-PREV_VERSION="115.8.0"
+PREV_VERSION="115.8.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr115"
-RELEASE_TAG="5b8708dc0314dab535d9357b5dfd6b2bef9441c8"
-RELEASE_TIMESTAMP="20240304230937"
+RELEASE_TAG="1e95a096fd3c6053c4eeeca935eb8227cf9ee25c"
+RELEASE_TIMESTAMP="20240314154241"

thunderbird-115.8.1.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:80d75ae91b7cbd60bcbaf134fc3f11290bd542a8a7ff965eaa4a0d95bb0d4d51
-size 541062996

thunderbird-115.8.1.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmXmhDAACgkQ4207E/PZ
-MnSnSBAApDkhrSNJyYXdovTXUqoMHOsqwwFoS7DBoGSu4kZBIviqzGrfipu5xNCT
-3ItnPrH0VXJIpzTGwkNivqcFfhJvHyEsupBScx5Dbi7+/u0/Ah5fEzGmOYq3L8JE
-QCkyXe7aMHWg0M1Qumpg7NN5fB/u6hKSUtypxbWZKfcHvLUVWtWfsPuQf0F6sQoF
-mVX+ftC0+X/pffoEu6FGasXsZM4kGcb/+UJiJyBgz7zGXCx/tG6g5NnW5rN2A/Iw
-2sJXTwC1JcpYdpuB/HV7g9yKkUYQwvZxcYyevtZu4zd7Gaxs4xwuJOiz5iZaxANP
-OkopDC7yI36q4ULerQ/pRk0X5YIAdbIHvq6xBLpx30iG1tqDFPEHutV6YKrD1e5z
-hiJcjEME/73tVv8LA5KW9GO5VAporXpY8Q21v5AG1uat5lYjLb+4znbhYWdGaL6n
-ynCUgFDbLrdiEb/RJiu/yZOmHYia68R3X+fjxAgJN1uA+/1Jko+wkq9xVssESe1C
-5SVKy5Sc0+0o3+bYdzsR8VSpQac5gVYB20HIyvk5vw8EYCWfX4Ttv0qggd9oHg+j
-wz5Db9lv5Y6ZQfxH4dvoSv889l+VOynA5g2BDpT8RSdFTp1sZKQyIcQn48vfzAaz
-q47NXaHA/ckQd6M2h2fEGOsXLDs76Ahwi6LuA6eL6zg8oIh83nQ=
-=x4za
------END PGP SIGNATURE-----

thunderbird-115.9.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2aeb77ca7038df6f3d306f9c3d2a4ea615af0edcf0f7290215ca5f30c1290e57
+size 535516012

thunderbird-115.9.0.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmX0cvkACgkQ4207E/PZ
+MnQsig/9ENVeCyVRzE8NJpHqJwBnxztGaqkeOyDxonbKEQ1NTwrvn5hIRdHkWiRz
+cYo0SH5Cw7cjOrhAS+fWQdx43RaTRwVNN8nJv6HfxJFL5OSQ/QbHkunVNg0Yq9TE
+RYv+D/9IX+Fm48ZNQ5wl5dkCbhg0euFoPSxqZKrvi7U0LJ1uHtle9TOXztn+I0s1
+uafbMiuLdNi8r4UIcopYpoMTg0Yt9hbKIdG9tFF/thotT5DJeN3Vrx/rBh2cMZX+
+wvwbXdQziVsLGqpQ14dl9vCsZqujoiRG+G4oAo9nngyQZgF+aucEev1vAq7YFbaM
+Q3Tc+V8JVpJxk1TYS08CU8Ph1ZuCJOiixCwjTzXo5RqOUrC5zAd29fcQkMqqyGB+
+p6nLvXFwlWdroLsROCcMH9MmJzAFDhfUms41AeUvyp+1sUyqpkzJBczBjHOi0DQ6
+tmFjgK+Ph8VAct4kIBKI7FRkn5w3e7/Xr670oc/zFo0AunWBktowx5R2LyXqXpmk
+hIlYC3n5QhtX08SxqgFsV18rFUrDXBuMssmJbcet7ZETCdFHjKk9CITD5zsi3oQW
+mLR+IkZYrzEv4btvJdd8W8o4wUv2VPHCDP7Pxkk1V2/1h8n4+BhaO3E4GNz17odZ
+l1h1EkhMUErlApPKhVd2EflF38v7uKhSw2WKTiQpwzZSNk2B00k=
+=WHyd
+-----END PGP SIGNATURE-----