From 16ebad9ccebc327243129229e0ab972c51d80e272e0eabe5f163efbe7976e1b5 Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Tue, 13 Dec 2022 21:35:47 +0000 Subject: [PATCH] - Mozilla Thunderbird 102.6.0 https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/ MFSA 2022-53 (bsc#1206242) * CVE-2022-46880 (bmo#1749292) Use-after-free in WebGL * CVE-2022-46872 (bmo#1799156) Arbitrary file read from a compromised content process * CVE-2022-46881 (bmo#1770930) Memory corruption in WebGL * CVE-2022-46874 (bmo#1746139) Drag and Dropped Filenames could have been truncated to malicious extensions * CVE-2022-46875 (bmo#1786188) Download Protections were bypassed by .atloc and .ftploc files on Mac OS * CVE-2022-46882 (bmo#1789371) Use-after-free in WebGL * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685, bmo#1801102, bmo#1801315, bmo#1802395) Memory safety bugs fixed in Thunderbird 102.6 - removed obsolete patches mozilla-newer-cbindgen.patch mozilla-glibc236.patch OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=680 --- MozillaThunderbird.changes | 27 ++++++ MozillaThunderbird.spec | 8 +- l10n-102.5.1.tar.xz => l10n-102.6.0.tar.xz | 0 mozilla-glibc236.patch | 101 --------------------- mozilla-newer-cbindgen.patch | 18 ---- tar_stamps | 8 +- thunderbird-102.5.1.source.tar.xz | 3 - thunderbird-102.5.1.source.tar.xz.asc | 16 ---- thunderbird-102.6.0.source.tar.xz | 3 + thunderbird-102.6.0.source.tar.xz.asc | 16 ++++ 10 files changed, 52 insertions(+), 148 deletions(-) rename l10n-102.5.1.tar.xz => l10n-102.6.0.tar.xz (100%) delete mode 100644 mozilla-glibc236.patch delete mode 100644 mozilla-newer-cbindgen.patch delete mode 100644 thunderbird-102.5.1.source.tar.xz delete mode 100644 thunderbird-102.5.1.source.tar.xz.asc create mode 100644 thunderbird-102.6.0.source.tar.xz create mode 100644 thunderbird-102.6.0.source.tar.xz.asc 
diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index 7874cbd..0dc6bbb 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Tue Dec 13 13:49:09 UTC 2022 - Wolfgang Rosenauer
+
+- Mozilla Thunderbird 102.6.0
+ https://www.thunderbird.net/en-US/thunderbird/102.6.0/releasenotes/
+ MFSA 2022-53 (bsc#1206242)
+ * CVE-2022-46880 (bmo#1749292)
+ Use-after-free in WebGL
+ * CVE-2022-46872 (bmo#1799156)
+ Arbitrary file read from a compromised content process
+ * CVE-2022-46881 (bmo#1770930)
+ Memory corruption in WebGL
+ * CVE-2022-46874 (bmo#1746139)
+ Drag and Dropped Filenames could have been truncated to
+ malicious extensions
+ * CVE-2022-46875 (bmo#1786188)
+ Download Protections were bypassed by .atloc and .ftploc
+ files on Mac OS
+ * CVE-2022-46882 (bmo#1789371)
+ Use-after-free in WebGL
+ * CVE-2022-46878 (bmo#1782219, bmo#1797370, bmo#1797685,
+ bmo#1801102, bmo#1801315, bmo#1802395)
+ Memory safety bugs fixed in Thunderbird 102.6
+- removed obsolete patches
+ mozilla-newer-cbindgen.patch
+ mozilla-glibc236.patch
+
 -------------------------------------------------------------------
 Wed Nov 30 20:49:28 UTC 2022 - Wolfgang Rosenauer
diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec
index d7b4a79..65060e3 100644
--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@@ -29,8 +29,8 @@
 # major 69
 # mainver %major.99
 %define major 102
-%define mainver %major.5.1
-%define orig_version 102.5.1
+%define mainver %major.6.0
+%define orig_version 102.6.0
 %define orig_suffix %{nil}
 %define update_channel release
 %define source_prefix thunderbird-%{orig_version}
@@ -206,8 +206,6 @@ Patch19: mozilla-silence-no-return-type.patch
 Patch20: mozilla-bmo531915.patch
 Patch21: one_swizzle_to_rule_them_all.patch
 Patch22: svg-rendering.patch
-Patch23: mozilla-newer-cbindgen.patch
-Patch24: mozilla-glibc236.patch
 %endif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: /bin/sh
@@ -296,8 +294,6 @@ fi
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
-%patch23 -p1
-%patch24 -p1
 %endif
 %build
diff --git a/l10n-102.5.1.tar.xz b/l10n-102.6.0.tar.xz
similarity index 100%
rename from l10n-102.5.1.tar.xz
rename to l10n-102.6.0.tar.xz
diff --git a/mozilla-glibc236.patch b/mozilla-glibc236.patch
deleted file mode 100644
index 2c635f0..0000000
--- a/mozilla-glibc236.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-
-# HG changeset patch
-# User Mike Hommey
-# Date 1660077764 0
-# Node ID 970ebbe54477a0e518bfee8aeddf487ad9bd4365
-# Parent caca601f2f5e87dd660434f3db2156e950151adb
-Bug 1782988 - Avoid build bustage when building against glibc 2.36 or newer. r=RyanVM
-
-Differential Revision: https://phabricator.services.mozilla.com/D153716
-
-diff --git a/ipc/chromium/src/third_party/libevent/README.mozilla b/ipc/chromium/src/third_party/libevent/README.mozilla
---- a/ipc/chromium/src/third_party/libevent/README.mozilla
-+++ b/ipc/chromium/src/third_party/libevent/README.mozilla
-@@ -17,11 +17,15 @@ evconfig-private.h can be found in the r
-
- You then need to modify the EVENT__SIZEOF_* constants in the generated Linux,
- Android, and BSD headers to be appropriate for both 32-bit and 64-bit platforms.
- Mac doesn't need this since only 64-bit is supported. Use __LP64__ to
- distinguish the two cases. If you get something wrong, the CHECK_EVENT_SIZEOF
- static assertions in message_pump_libevent.cc will fail. If a new constant is
- added, also add a static assertion for it to message_pump_libevent.cc.
-
-+You also need to modify the EVENT__HAVE_ARC4RANDOM and EVENT__HAVE_ARC4RANDOM_BUF
-+constants in the generated Linux header to account for the results of the arc4random
-+and arc4random_buf configure checks.
-+
- 2. No additional patches are needed at this time, but be careful to avoid
- clobbering changes to the various event-config.h files which have been customized
- over time to avoid various build bustages.
-diff --git a/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h b/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h
---- a/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h
-+++ b/ipc/chromium/src/third_party/libevent/linux/event2/event-config.h
-@@ -24,24 +24,28 @@
- /* #undef EVENT__DISABLE_THREAD_SUPPORT */
-
- /* Define to 1 if you have the `accept4' function. */
- #define EVENT__HAVE_ACCEPT4 1
-
- /* Define to 1 if you have the header file. */
- /* #undef EVENT__HAVE_AFUNIX_H 1 */
-
-+#ifdef HAVE_ARC4RANDOM
- /* Define to 1 if you have the `arc4random' function. */
--/* #undef EVENT__HAVE_ARC4RANDOM */
-+#define EVENT__HAVE_ARC4RANDOM 1
-+#endif
-
- /* Define to 1 if you have the `arc4random_addrandom' function. */
- /* #undef EVENT__HAVE_ARC4RANDOM_ADDRANDOM */
-
-+#ifdef HAVE_ARC4RANDOM_BUF
- /* Define to 1 if you have the `arc4random_buf' function. */
--/* #undef EVENT__HAVE_ARC4RANDOM_BUF */
-+#define EVENT__HAVE_ARC4RANDOM_BUF 1
-+#endif
-
- /* Define to 1 if you have the header file. */
- #define EVENT__HAVE_ARPA_INET_H 1
-
- /* Define to 1 if you have the `clock_gettime' function. */
- #define EVENT__HAVE_CLOCK_GETTIME 1
-
- /* Define to 1 if you have the declaration of `CTL_KERN', and to 0 if you
-
-
-# HG changeset patch
-# User Mike Hommey
-# Date 1660077764 0
-# Node ID a61813bd9f0a0048b84a2c56a77a06eb5e269ab2
-# Parent 970ebbe54477a0e518bfee8aeddf487ad9bd4365
-Bug 1782988 - Fix use of arc4random_buf use in ping.cpp. r=gsvelto
-
-The code was probably never built before glibc 2.36, because before
-that, only Android and some BSDs had arc4random_buf, but none of those
-actually built this code.
-
-Differential Revision: https://phabricator.services.mozilla.com/D154024
-
-diff --git a/toolkit/crashreporter/client/ping.cpp b/toolkit/crashreporter/client/ping.cpp
---- a/toolkit/crashreporter/client/ping.cpp
-+++ b/toolkit/crashreporter/client/ping.cpp
-@@ -48,17 +48,17 @@ static string GenerateUUID() {
- return "";
- }
-
- CFUUIDBytes bytes = CFUUIDGetUUIDBytes(uuid);
- memcpy(&id, &bytes, sizeof(UUID));
-
- CFRelease(uuid);
- #elif defined(HAVE_ARC4RANDOM_BUF) // Android, BSD, ...
-- arc4random_buf(id, sizeof(UUID));
-+ arc4random_buf(&id, sizeof(UUID));
- #else // Linux
- int fd = open("/dev/urandom", O_RDONLY);
-
- if (fd == -1) {
- return "";
- }
-
- if (read(fd, &id, sizeof(UUID)) != sizeof(UUID)) {
-
diff --git a/mozilla-newer-cbindgen.patch b/mozilla-newer-cbindgen.patch
deleted file mode 100644
index 89df451..0000000
--- a/mozilla-newer-cbindgen.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Description: Remove an extra constant definition that is now being generated by newer versions of cbindgen (0.24), and causing build failures because it is defined in several places.
-Author: Olivier Tilloy
-Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1773259
-Forwarded: not-needed
-
-diff --git a/gfx/webrender_bindings/webrender_ffi.h b/gfx/webrender_bindings/webrender_ffi.h
-index b1d67b1..eb79974 100644
---- a/gfx/webrender_bindings/webrender_ffi.h
-+++ b/gfx/webrender_bindings/webrender_ffi.h
-@@ -73,8 +73,6 @@ struct WrPipelineInfo;
- struct WrPipelineIdAndEpoch;
- using WrPipelineIdEpochs = nsTArray;
-
--const uint64_t ROOT_CLIP_CHAIN = ~0;
--
- } // namespace wr
- } // namespace mozilla
-
diff --git a/tar_stamps b/tar_stamps
index cf29f43..62bccb2 100644
--- a/tar_stamps
+++ b/tar_stamps
@@ -1,10 +1,10 @@
 PRODUCT="thunderbird"
 CHANNEL="esr102"
-VERSION="102.5.1"
+VERSION="102.6.0"
 VERSION_SUFFIX=""
-PREV_VERSION="102.5.0"
+PREV_VERSION="102.5.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102"
-RELEASE_TAG="bbf216e50e6a8cb4362b2b77feeb8ca4a1d78914"
-RELEASE_TIMESTAMP="20221129154640"
+RELEASE_TAG="563cc2baf242975fda41000da903db513713dc65"
+RELEASE_TIMESTAMP="20221208182320"
diff --git a/thunderbird-102.5.1.source.tar.xz b/thunderbird-102.5.1.source.tar.xz
deleted file mode 100644
index 7dd9dda..0000000
--- a/thunderbird-102.5.1.source.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d8de843fffcd10b23c348c5726bff7215c983220ab9e63a5eb7e25aa33901528
-size 509550884
diff --git a/thunderbird-102.5.1.source.tar.xz.asc b/thunderbird-102.5.1.source.tar.xz.asc
deleted file mode 100644
index 487c254..0000000
--- a/thunderbird-102.5.1.source.tar.xz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmOGQ1QACgkQ6+QekPbx
-L21k3RAAodADilQf37+PPu3LWF4xyPgpwfnPct27TsZF2+8hDDgkxBLFfKVHhjmD
-w2KWN+rwTxhCtwZ8KUZUjCR2BJoyJh/oYuMDrCSdmRey+SzAr1vwqWi2CqJmJ4gO
-8zDyixKgnrkkG1XLEVzIbPOCaudI/VLSfPgjN7ILOoHaUQnFjoVc6SLlU8qWJ7MB
-UBrq7oPeu+lpDEYJGbq0ugULCi+Z2iRp9TTqreqlSdxRfF2IntmCjg+oSzUS8UuZ
-7zUhuxXsB9WB9z3aK96v20mCXlgZCRMbM9sfEtxG3/YgMLdsWbIpxwu3F/LW1Yoe
-hQ2VT0LK6RqTdjsgpXFDy/4PGNEnSjROYJG4Ao2eEzJDbkj34JA/8ZZqhUGcinUT
-r/WBmTjHv3Jh9ysG7JxXE45+RAXFORMrnJbUZyggIV3wx1CLzU47JTL29rehFCwC
-0KkBM1L5tvaRJAzXVjWMBHEyrUPolE7oNktZcCWPtj2GwllEJJ5/hUDXeRa75HfH
-oe1Xi3G3ZiCrZ5KEN04/JeBkK1NRP68P21MwheVjp/yi18QK6aOupn3svYneyCVr
-yOQ9l9xcg6a/7UbtCFiHWf3shrByeqzm5H37ZCen8vcYqkmGk3NNxpYYAWM59E3k
-igzi6+hH7sUo3m5ROCWXBBJbeMmD1L+CSrOZkl62OBY1EWxxPd4=
-=E0W0
------END PGP SIGNATURE-----
diff --git a/thunderbird-102.6.0.source.tar.xz b/thunderbird-102.6.0.source.tar.xz
new file mode 100644
index 0000000..6d3d7e3
--- /dev/null
+++ b/thunderbird-102.6.0.source.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f5847083281cde16a486f1449dc5c0a8cad689e2db2b34ae486d1795f8d43c2e
+size 503321152
diff --git a/thunderbird-102.6.0.source.tar.xz.asc b/thunderbird-102.6.0.source.tar.xz.asc
new file mode 100644
index 0000000..8aec72a
--- /dev/null
+++ b/thunderbird-102.6.0.source.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmOXoEwACgkQ6+QekPbx
+L23wLQ/8DORhGSUWd7vSojz0cRis26xQA0XK0S+G+v6F2ec2XTHR1Ae18cLv9a0L
+l+d6XiizhFl0Xrg7zSVCHao5ivxzSGvbqeDEPL7Qc7RExBqhWfkjqGPy6RzVxADI
+T4AmCCeh2B248YHds8OdWULUANxQIR3ZDmyukBZKid6bkY+5EyufvXMzrJvrMopf
+QqjyOVUUzQ0hqFErpUUzLGw/f+Be6lUZrtTk/w1j0+5HRteyf37nU7kxPpH2LrnA
+3Duj7hfM7OHOQumpXSNhfgjNZIF7fs0rKr68DfDryh4zID4HG/oqd5E2tH+5Hf7F
+erhlv/U9GUzrU7FF88KOs045wu3SzxDxax+74ifxdsWUS+K/v1dwtCiU2gwxCneT
+jP8yQueQItNCscyigwXTy7xZ9zEjsnq9K2pN0m7rSasSuW8Gbat0i4PV6NcWRZ0H
+zrgt/7mEAi4hqp+yLPQMaCQIhOzfLrSZM7fkMnkJs01Gn3moNepbSxreHram38E5
+mHhuDcjwOFLsb4GbVd3NIYPMl5px0qHBuSCV+dXcPXZxfHLKdHBHBZK72pp8Koco
+fgGvYPObCDbg6N3nDmccnQ5x1PEW3tytpuGVUkcPwQECHoBRnuVyMPXTUGQpzxVP
+qwYr81xwI1UkH1HBqVij6JjS7ErwxHamVVvEpv2T1OXSBh66VHk=
+=1NJn
+-----END PGP SIGNATURE-----