From d81c4a7fc9fa8167c3ac398f5bdb4c86e198d1c2b384c761842637b3cb820b2b Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Fri, 5 Aug 2016 19:12:21 +0000
Subject: [PATCH 1/2] Accepting request 417133 from home:pcerny:mozilla:Factory

flex hotfix

OBS-URL: https://build.opensuse.org/request/show/417133
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=333
---
 MozillaThunderbird.changes | 6 +++
 MozillaThunderbird.spec | 5 +-
 mozilla-flex_buffer_overrun.patch | 76 +++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 mozilla-flex_buffer_overrun.patch

diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index 648fa65..35ccc9c 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
+
+- Fix for possible buffer overrun (bsc#990856)
+ CVE-2016-6354 (bmo#1292534)
+
 -------------------------------------------------------------------
 Thu Jul 21 11:50:27 UTC 2016 - mailaender@opensuse.org
 
diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec
index 4060a29..d0949a5 100644
--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package MozillaThunderbird
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 # 2006-2016 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@@ -108,6 +108,8 @@ Patch8: mozilla-aarch64-48bit-va.patch
 Patch9: mozilla-binutils-visibility.patch
 # Thunderbird/mail
 Patch20: tb-ssldap.patch
+# hotfix
+Patch150: mozilla-flex_buffer_overrun.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 PreReq: coreutils fileutils textutils /bin/sh
 Recommends: libcanberra0
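Review bot: `# hotfix` above `Patch150: mozilla-flex_buffer_overrun.patch` does not say what the hotfix is for or when it can be retired, which matters for a patch that edits generated files and will have to be dropped once upstream ships regenerated scanners. I would write it as `# hotfix for CVE-2016-6354 / bsc#990856 (flex-generated scanners); drop when upstream regenerates them`. The copyright line in the first spec hunk moves from `SUSE LINUX GmbH` to `SUSE LINUX Products GmbH`, which looks like an unrelated change carried in from an older copy of the spec rather than part of the fix; worth confirming before merging. The `%patch150 -p1` application in the following hunk sits inside the `pushd mozilla` block, which appears to match the `gfx/` and `media/` paths used in the nested patch.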
@@ -204,6 +206,7 @@ pushd mozilla
 %patch6 -p1
 %patch8 -p1
 %patch9 -p1
+%patch150 -p1
 popd
 # comm-central patches
 %patch20 -p1
diff --git a/mozilla-flex_buffer_overrun.patch b/mozilla-flex_buffer_overrun.patch
new file mode 100644
index 0000000..7dc3ebc
--- /dev/null
+++ b/mozilla-flex_buffer_overrun.patch
@@ -0,0 +1,76 @@
+# HG changeset patch
+# Parent c8e8364b303892fdb5a574b96411d2d8f699a15e
+Patch lexical parser files generated by flex which may be potentially
+exploitable in a buffer overrun. These seem to come from an upstream projects
+(CMU Sphinx and ANGLE) so it should be fixed there in the first place.
+
+CVE-2016-6354
+
+https://bugzilla.suse.com/show_bug.cgi?id=990856
+
+diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
++++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t
+ if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ /* don't do the read, it's not guaranteed to return an EOF,
+ * just force an EOF
+ */
+ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+ 
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ while ( num_to_read <= 0 )
+ { /* Not enough room in the buffer - grow it. */
+ 
+ /* just a shorter name for the current buffer */
+ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+ 
+diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp
+--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
++++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
+@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t
+ if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ /* don't do the read, it's not guaranteed to return an EOF,
+ * just force an EOF
+ */
+ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+ 
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ while ( num_to_read <= 0 )
+ { /* Not enough room in the buffer - grow it. */
+ 
+ /* just a shorter name for the current buffer */
+ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+ 
+diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
++++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t
+ if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING )
+ /* don't do the read, it's not guaranteed to return an EOF,
+ * just force an EOF
+ */
+ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
+ 
+ else
+ {
+- yy_size_t num_to_read =
++ int num_to_read =
+ YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1;
+ 
+ while ( num_to_read <= 0 )
+ { /* Not enough room in the buffer - grow it. */
+ 
+ /* just a shorter name for the current buffer */
+ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
+ 

From 16ad6788d3a67b7e82301bb5e5318a3f8f9c7e9d662ae9c1348dd31db8fe9124 Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Mon, 8 Aug 2016 09:15:17 +0000
Subject: [PATCH 2/2] Accepting request 417429 from home:pcerny:mozilla:Factory

flex hotfix - changelog update

OBS-URL: https://build.opensuse.org/request/show/417429
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=334
---
 MozillaThunderbird.changes | 1 +
 1 file changed, 1 insertion(+)

diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index 35ccc9c..0cf26da 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -3,6 +3,7 @@ Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com
 
 - Fix for possible buffer overrun (bsc#990856)
 CVE-2016-6354 (bmo#1292534)
+ [mozilla-flex_buffer_overrun.patch]
 
 -------------------------------------------------------------------
 Thu Jul 21 11:50:27 UTC 2016 - mailaender@opensuse.org
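Review bot: The header of mozilla-flex_buffer_overrun.patch says only that the scanners "may be potentially exploitable" and never states why changing `yy_size_t` to `int` closes the hole, which a later maintainer needs when deciding whether the patch can be dropped. In each of the three hunks `num_to_read` is `yy_buf_size - number_to_move - 1`; if the operands are unsigned `yy_size_t` (as is usual in flex output, not visible here) the expression wraps to a huge value once the buffer is full, so `while ( num_to_read <= 0 )` can never fire, the buffer is not grown, and the read that follows in the rest of `yy_get_next_buffer` (outside the hunk) can run past it, whereas as `int` the wrapped value becomes negative on two's-complement targets and the grow loop runs. I would add under the CVE line something like `Unsigned yy_size_t makes "num_to_read <= 0" unreachable when the buffer is full, so the buffer is never grown before the next read; int restores the check.` Because all three files are flex output, the fix is silently lost if the build regenerates them from their .l sources with an unpatched flex; the spec should be checked for that, and any other generated scanner in the tree (none are named here) would need the same treatment.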