From a450a78f9c622398d233e417870a0a552072363814d3e95cb0b48245b5874b7f Mon Sep 17 00:00:00 2001 From: Wolfgang Rosenauer Date: Sat, 8 Jul 2023 18:44:08 +0000 Subject: [PATCH] - Mozilla Thunderbird 102.13.0 * Upstream RNP version numbers now recognized as official in about:support MFSA 2023-24 (bsc#1212438) * CVE-2023-37201 (bmo#1826002) Use-after-free in WebRTC certificate generation * CVE-2023-37202 (bmo#1834711) Potential use-after-free from compartment mismatch in SpiderMonkey * CVE-2023-37207 (bmo#1816287) Fullscreen notification obscured * CVE-2023-37208 (bmo#1837675) Lack of warning when opening Diagcab files * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, bmo#1836550, bmo#1837450) Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, and Thunderbird 102.13 - mozilla-llvm16.patch has been applied upstream, remove it here OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=707 --- MozillaThunderbird.changes | 21 +++ MozillaThunderbird.spec | 6 +- l10n-102.12.0.tar.xz => l10n-102.13.0.tar.xz | 0 mozilla-llvm16.patch | 169 ------------------- tar_stamps | 8 +- thunderbird-102.12.0.source.tar.xz | 3 - thunderbird-102.12.0.source.tar.xz.asc | 16 -- thunderbird-102.13.0.source.tar.xz | 3 + thunderbird-102.13.0.source.tar.xz.asc | 16 ++ 9 files changed, 46 insertions(+), 196 deletions(-) rename l10n-102.12.0.tar.xz => l10n-102.13.0.tar.xz (100%) delete mode 100644 mozilla-llvm16.patch delete mode 100644 thunderbird-102.12.0.source.tar.xz delete mode 100644 thunderbird-102.12.0.source.tar.xz.asc create mode 100644 thunderbird-102.13.0.source.tar.xz create mode 100644 thunderbird-102.13.0.source.tar.xz.asc diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes index fba22d0..ec91ff2 100644 --- a/MozillaThunderbird.changes +++ b/MozillaThunderbird.changes 
@@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Fri Jul 7 12:47:11 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Thunderbird 102.13.0 + * Upstream RNP version numbers now recognized as official in about:support + MFSA 2023-24 (bsc#1212438) + * CVE-2023-37201 (bmo#1826002) + Use-after-free in WebRTC certificate generation + * CVE-2023-37202 (bmo#1834711) + Potential use-after-free from compartment mismatch in + SpiderMonkey + * CVE-2023-37207 (bmo#1816287) + Fullscreen notification obscured + * CVE-2023-37208 (bmo#1837675) + Lack of warning when opening Diagcab files + * CVE-2023-37211 (bmo#1832306, bmo#1834862, bmo#1835886, + bmo#1836550, bmo#1837450) + Memory safety bugs fixed in Firefox 115, Firefox ESR 102.13, + and Thunderbird 102.13 +- mozilla-llvm16.patch has been applied upstream, remove it here + ------------------------------------------------------------------- Sun Jun 4 08:22:58 UTC 2023 - Wolfgang Rosenauer diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec index 7f03b17..51c3847 100644 --- a/MozillaThunderbird.spec +++ b/MozillaThunderbird.spec @@ -29,8 +29,8 @@ # major 69 # mainver %major.99 %define major 102 -%define mainver %major.12.0 -%define orig_version 102.12.0 +%define mainver %major.13.0 +%define orig_version 102.13.0 %define orig_suffix %{nil} %define update_channel release %define source_prefix thunderbird-%{orig_version} @@ -207,7 +207,6 @@ Patch20: mozilla-bmo531915.patch Patch21: one_swizzle_to_rule_them_all.patch Patch22: svg-rendering.patch Patch23: gcc13-fix.patch -Patch24: mozilla-llvm16.patch %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /bin/sh @@ -297,7 +296,6 @@ fi %patch21 -p1 %patch22 -p1 %patch23 -p1 -%patch24 -p1 %endif %build diff --git a/l10n-102.12.0.tar.xz b/l10n-102.13.0.tar.xz similarity index 100% rename from l10n-102.12.0.tar.xz rename to l10n-102.13.0.tar.xz 
diff --git a/mozilla-llvm16.patch b/mozilla-llvm16.patch
deleted file mode 100644
index a0525e5..0000000
--- a/mozilla-llvm16.patch
+++ /dev/null
@@ -1,169 +0,0 @@ -From 80738016a36e803fe3bf8b8f6f388c6589d86a1c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= -Date: Tue, 18 Oct 2022 02:17:18 +0200 -Subject: [PATCH] clang: Detect anonymous items explicitly, rather than relying - on empty names. - -In Clang 16, anonymous items may return names like -`(anonymous union at ..)` rather than empty names. - -The right way to detect them is using clang_Cursor_isAnonymous. - -Fixes #2312 -Closes #2316 - -Co-Authored-by: Patrick Walton - -diff --git a/third_party/rust/bindgen/src/clang.rs b/third_party/rust/bindgen/src/clang.rs -index 488660c434..ef74ac08c2 100644 ---- a/third_party/rust/bindgen/src/clang.rs -+++ b/third_party/rust/bindgen/src/clang.rs -@@ -54,6 +54,11 @@ impl Cursor { - unsafe { clang_isDeclaration(self.kind()) != 0 } - } - -+ /// Is this cursor's referent an anonymous record or so? -+ pub fn is_anonymous(&self) -> bool { -+ unsafe { clang_Cursor_isAnonymous(self.x) != 0 } -+ } -+ - /// Get this cursor's referent's spelling. - pub fn spelling(&self) -> String { - unsafe { cxstring_into_string(clang_getCursorSpelling(self.x)) } -diff --git a/third_party/rust/bindgen/src/ir/comp.rs b/third_party/rust/bindgen/src/ir/comp.rs -index 22c124fa36..b715616c5e 100644 ---- a/third_party/rust/bindgen/src/ir/comp.rs -+++ b/third_party/rust/bindgen/src/ir/comp.rs -@@ -1372,8 +1372,7 @@ impl CompInfo { - - // A declaration of an union or a struct without name could - // also be an unnamed field, unfortunately. 
-- if cur.spelling().is_empty() && -- cur.kind() != CXCursor_EnumDecl -+ if cur.is_anonymous() && cur.kind() != CXCursor_EnumDecl - { - let ty = cur.cur_type(); - let offset = cur.offset_of_field().ok(); -diff --git a/third_party/rust/bindgen/src/ir/ty.rs b/third_party/rust/bindgen/src/ir/ty.rs -index e6eecc3c50..f3e1193ce2 100644 ---- a/third_party/rust/bindgen/src/ir/ty.rs -+++ b/third_party/rust/bindgen/src/ir/ty.rs -@@ -737,7 +737,12 @@ impl Type { - - let layout = ty.fallible_layout(ctx).ok(); - let cursor = ty.declaration(); -- let mut name = cursor.spelling(); -+ let is_anonymous = cursor.is_anonymous(); -+ let mut name = if is_anonymous { -+ None -+ } else { -+ Some(cursor.spelling()).filter(|n| !n.is_empty()) -+ }; - - debug!( - "from_clang_ty: {:?}, ty: {:?}, loc: {:?}", -@@ -771,7 +776,7 @@ impl Type { - if is_canonical_objcpointer && is_template_type_param { - // Objective-C generics are just ids with fancy name. - // To keep it simple, just name them ids -- name = "id".to_owned(); -+ name = Some("id".to_owned()); - } - } - -@@ -900,7 +905,7 @@ impl Type { - return Err(ParseError::Recurse); - } - } else { -- name = location.spelling(); -+ name = Some(location.spelling()); - } - - let complex = CompInfo::from_ty( -@@ -942,7 +947,7 @@ impl Type { - CXType_Typedef - ); - -- name = current.spelling(); -+ name = Some(location.spelling()); - - let inner_ty = cur - .typedef_type() -@@ -1126,10 +1131,10 @@ impl Type { - CXType_Enum => { - let enum_ = Enum::from_ty(ty, ctx).expect("Not an enum?"); - -- if name.is_empty() { -+ if !is_anonymous { - let pretty_name = ty.spelling(); - if clang::is_valid_identifier(&pretty_name) { -- name = pretty_name; -+ name = Some(pretty_name); - } - } - -@@ -1144,12 +1149,12 @@ impl Type { - ) - .expect("Not a complex type?"); - -- if name.is_empty() { -+ if !is_anonymous { - // The pretty-printed name may contain typedefed name, - // but may also be "struct (anonymous at .h:1)" - let pretty_name = ty.spelling(); - if 
clang::is_valid_identifier(&pretty_name) { -- name = pretty_name; -+ name = Some(pretty_name); - } - } - -@@ -1161,8 +1166,7 @@ impl Type { - location, - None, - ctx, -- ) -- .expect("Not able to resolve vector element?"); -+ )?; - TypeKind::Vector(inner, ty.num_elements().unwrap()) - } - CXType_ConstantArray => { -@@ -1189,7 +1193,9 @@ impl Type { - CXType_ObjCClass | CXType_ObjCInterface => { - let interface = ObjCInterface::from_ty(&location, ctx) - .expect("Not a valid objc interface?"); -- name = interface.rust_name(); -+ if !is_anonymous { -+ name = Some(interface.rust_name()); -+ } - TypeKind::ObjCInterface(interface) - } - CXType_Dependent => { -@@ -1207,7 +1213,7 @@ impl Type { - } - }; - -- let name = if name.is_empty() { None } else { Some(name) }; -+ name = name.filter(|n| !n.is_empty()); - - let is_const = ty.is_const() || - (ty.kind() == CXType_ConstantArray && -diff --git a/third_party/rust/bindgen/src/ir/var.rs b/third_party/rust/bindgen/src/ir/var.rs -index c6f121d74e..679c92bbea 100644 ---- a/third_party/rust/bindgen/src/ir/var.rs -+++ b/third_party/rust/bindgen/src/ir/var.rs -@@ -301,11 +301,11 @@ impl ClangSubItemParser for Var { - let ty = match Item::from_ty(&ty, cursor, None, ctx) { - Ok(ty) => ty, - Err(e) => { -- assert_eq!( -- ty.kind(), -- CXType_Auto, -+ assert!( -+ matches!(ty.kind(), CXType_Auto | CXType_Unexposed), - "Couldn't resolve constant type, and it \ -- wasn't an nondeductible auto type!" -+ wasn't an nondeductible auto type or unexposed \ -+ type!" - ); - return Err(e); - } diff --git a/tar_stamps b/tar_stamps index c40cc22..b031004 100644 --- a/tar_stamps +++ b/tar_stamps 
@@ -1,10 +1,10 @@ PRODUCT="thunderbird" CHANNEL="esr102" -VERSION="102.12.0" +VERSION="102.13.0" VERSION_SUFFIX="" -PREV_VERSION="102.11.2" +PREV_VERSION="102.12.0" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102" -RELEASE_TAG="9d42734e12597ccdb59fee178bf369d8c328dcad" -RELEASE_TIMESTAMP="20230604001933" +RELEASE_TAG="2bf94c4d195694485df5d632f2453888cf4f6657" +RELEASE_TIMESTAMP="20230704155023" diff --git a/thunderbird-102.12.0.source.tar.xz b/thunderbird-102.12.0.source.tar.xz deleted file mode 100644 index f13c3e7..0000000 --- a/thunderbird-102.12.0.source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5aa776b75dd47e77303185033c2c443a425488d28ced5c6e29e5bd64e7ac5afe -size 502135796 diff --git a/thunderbird-102.12.0.source.tar.xz.asc b/thunderbird-102.12.0.source.tar.xz.asc deleted file mode 100644 index f55cdbe..0000000 --- a/thunderbird-102.12.0.source.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmR8AegACgkQ4207E/PZ -MnSD7xAAvp3CxpTK2iAxLEajal67crBILNXeVCI7JdaS9WfcRNBEA+94sGhRP9OL -Cq4KQECQl897cOY+Wffgdm3Mdgj+KBgDE/M1zL5GqFYdqQAEN8DaMGqBf/9GCvMQ -iHb32ICUNgtBrEZIIA34wdgjfrFn3Zx+KjzIiygyRL3RhnOmwST/BfMJi+MI67lg -8vsGCEgbHEWDbEKUZkn2wtSiMaWrHYQI4sFlOAlxL15V0GJ6GBiL12utt48rddWT -BHQi1rCRgdJl4HtX5rjLrUGD3Hmy3ZyyV9AxRvlLI7XZyqaxd3RSn6SChRGyJnEQ -7aUql8sh3ccN4pxPakKxFIHQ7Y/39t5oFemlwZwU18FRozhicvSInsPLlDo+VXZH -Xz/4avO/4JSdy/2ss5I3S/idblHh9voX2qlv/PnVoc36onunnb1veP6Jaah2rPNj -WYEZzGKlAD4qU507EHGrq1U8n7lBhZWeCD6Hu5SpcIMeCEmztcw151fegZUus4kg -y9Wv1wah/b1iETAheEMtdd00G7hcvK9YkhKSiZK6CUe7WwXtMNQ9CrvtdULCAdAA -Mwvo17XTRiK8a8L379qBXyUzzUvHsfoBOTjnWZ1NXFJSlsqObnNBFZQ8Z3bBNpSI -V343EP2luGZgaRYACsSZ7/yV/N5gAejPxMUjjKEEZKsmLJTsYkQ= -=gM5a ------END PGP SIGNATURE----- 
diff --git a/thunderbird-102.13.0.source.tar.xz b/thunderbird-102.13.0.source.tar.xz
new file mode 100644
index 0000000..6764cce
--- /dev/null
+++ b/thunderbird-102.13.0.source.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7a7208cab2810231c2842334a2ffb37d704934dd212011395aec3609751affbc
+size 503365504
diff --git a/thunderbird-102.13.0.source.tar.xz.asc b/thunderbird-102.13.0.source.tar.xz.asc
new file mode 100644
index 0000000..0179948
--- /dev/null
+++ b/thunderbird-102.13.0.source.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmSoJVcACgkQ4207E/PZ
+MnRO+BAAklPa+yglRS7ZopMp820Jsv4GOBN4SusNjnVuDtXvESEKmBH+E00mHNiF
+LaFHPr0ZY1BA7k8ImBmqX6osYEKMOGp7ksbD04mQlR3LMo5emjfOeQoTGhaBnVZy
+iJGqqHj/1Ys7+8q/VmGvIjWJ4uPBVwTVDMivwKIAil2sS3ml8Dq5XuCGMSHXcq4x
+i89qJE/NA1JC1YA6CO9drg6eGzhNvn0MbwtrQkcoRc65ltmIV55TUvIZnJxSA3tY
+r+BAjbOij0eUnhWy8hA8igbqYEnELNZZQsghiJfm1zMWy0cpP9DJlIipLa3ODAwy
+bp0yne/fEpq26y5gBAKiFHPdWpV7FWNYwlV9FPXg25MxfUqneGzs/B+TjYX8hxKF
+KeSesabvNK7UYJL8Wc9HgocBlZ2S/pDPZ2T1quJ1+NFL5KAG1yanFX5CnXVEEYak
+ecfgxjw7YjE/GO0MxF1spyx4abY5aQ6dVGfnVtRFDt6fh52DM18sWuPbC40lrhYE
+S8UhkKMFBAZc8TvibLhgaz+8BEDJh2Y8W5bioRedwl/YWZ5wGBeiM2hJ+re92HlF
+j0h5KaOOcmST/zdlOlPbBaTRChyK80T4kujU+UWM9hCEJAQ8lMyyHIBufRJVIUg5
++3LQnYNYPxWJ7E6Pb09lBtcJ6zsE8Ie3Vx/P4ltu3Usfl7I/iNk=
+=Gntb
+-----END PGP SIGNATURE-----