1
0

Accepting request 1078519 from mozilla:Factory

- Mozilla Thunderbird 102.10.0
  * New messages will automatically select S/MIME if configured and
    OpenPGP is not
  * Calendar events with timezone America/Mexico_City incorrectly
    applied Daylight Savings Time
  MFSA 2023-15 (bsc#1210212)
  * CVE-2023-29531 (bmo#1794292)
    Out-of-bound memory access in WebGL on macOS
  * CVE-2023-29532 (bmo#1806394)
    Mozilla Maintenance Service Write-lock bypass
  * CVE-2023-29533 (bmo#1798219, bmo#1814597)
    Fullscreen notification obscured
  * MFSA-TMP-2023-0001 (bmo#1819244)
    Double-free in libwebp
  * CVE-2023-29535 (bmo#1820543)
    Potential Memory Corruption following Garbage Collector compaction
  * CVE-2023-29536 (bmo#1821959)
    Invalid free from JavaScript code
  * CVE-2023-0547 (bmo#1811298)
    Revocation status of S/Mime recipient certificates was not checked
  * CVE-2023-29479 (bmo#1824978)
    Hang when processing certain OpenPGP messages
  * CVE-2023-29539 (bmo#1784348)
    Content-Disposition filename truncation leads to Reflected
    File Download
  * CVE-2023-29541 (bmo#1810191)
    Files with malicious extensions could have been downloaded
    unsafely on Linux
  * CVE-2023-29542 (bmo#1810793, bmo#1815062)
    Bypass of file download extension restrictions

OBS-URL: https://build.opensuse.org/request/show/1078519
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaThunderbird?expand=0&rev=307
This commit is contained in:
Dominique Leuenberger 2023-04-12 10:51:34 +00:00 committed by Git OBS Bridge
commit b9156650b9
9 changed files with 288 additions and 25 deletions

View File

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Wed Apr 5 21:10:11 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.10.0
* New messages will automatically select S/MIME if configured and
OpenPGP is not
* Calendar events with timezone America/Mexico_City incorrectly
applied Daylight Savings Time
MFSA 2023-15 (bsc#1210212)
* CVE-2023-29531 (bmo#1794292)
Out-of-bound memory access in WebGL on macOS
* CVE-2023-29532 (bmo#1806394)
Mozilla Maintenance Service Write-lock bypass
* CVE-2023-29533 (bmo#1798219, bmo#1814597)
Fullscreen notification obscured
* MFSA-TMP-2023-0001 (bmo#1819244)
Double-free in libwebp
* CVE-2023-29535 (bmo#1820543)
Potential Memory Corruption following Garbage Collector compaction
* CVE-2023-29536 (bmo#1821959)
Invalid free from JavaScript code
* CVE-2023-0547 (bmo#1811298)
Revocation status of S/Mime recipient certificates was not checked
* CVE-2023-29479 (bmo#1824978)
Hang when processing certain OpenPGP messages
* CVE-2023-29539 (bmo#1784348)
Content-Disposition filename truncation leads to Reflected
File Download
* CVE-2023-29541 (bmo#1810191)
Files with malicious extensions could have been downloaded
unsafely on Linux
* CVE-2023-29542 (bmo#1810793, bmo#1815062)
Bypass of file download extension restrictions
* CVE-2023-29545 (bmo#1823077)
Windows Save As dialog resolved environment variables
* CVE-2023-1945 (bmo#1777588)
Memory Corruption in Safe Browsing Code
* CVE-2023-29548 (bmo#1822754)
Incorrect optimization result on ARM64
* CVE-2023-29550 (bmo#1720594, bmo#1751945, bmo#1812498, bmo#1814217,
bmo#1818357, bmo#1818762, bmo#1819493, bmo#1820389, bmo#1820602,
bmo#1821448, bmo#1822413, bmo#1824828)
Memory safety bugs fixed in Thunderbird 102.10
- add mozilla-llvm16.patch to fix build with LLVM16
-------------------------------------------------------------------
Wed Mar 29 10:50:35 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
- Mozilla Thunderbird 102.9.1
MFSA 2023-12
* CVE-2023-28427 (bmo#1822595)
Matrix SDK bundled with Thunderbird vulnerable to
denial-of-service attack
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org> Sun Mar 26 10:57:52 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

View File

@ -29,8 +29,8 @@
# major 69 # major 69
# mainver %major.99 # mainver %major.99
%define major 102 %define major 102
%define mainver %major.9.0 %define mainver %major.10.0
%define orig_version 102.9.0 %define orig_version 102.10.0
%define orig_suffix %{nil} %define orig_suffix %{nil}
%define update_channel release %define update_channel release
%define source_prefix thunderbird-%{orig_version} %define source_prefix thunderbird-%{orig_version}
@ -207,6 +207,7 @@ Patch20: mozilla-bmo531915.patch
Patch21: one_swizzle_to_rule_them_all.patch Patch21: one_swizzle_to_rule_them_all.patch
Patch22: svg-rendering.patch Patch22: svg-rendering.patch
Patch23: gcc13-fix.patch Patch23: gcc13-fix.patch
Patch24: mozilla-llvm16.patch
%endif %endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: /bin/sh PreReq: /bin/sh
@ -296,6 +297,7 @@ fi
%patch21 -p1 %patch21 -p1
%patch22 -p1 %patch22 -p1
%patch23 -p1 %patch23 -p1
%patch24 -p1
%endif %endif
%build %build

207
mozilla-llvm16.patch Normal file
View File

@ -0,0 +1,207 @@
From 80738016a36e803fe3bf8b8f6f388c6589d86a1c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
Date: Tue, 18 Oct 2022 02:17:18 +0200
Subject: [PATCH] clang: Detect anonymous items explicitly, rather than relying
on empty names.
In Clang 16, anonymous items may return names like
`(anonymous union at ..)` rather than empty names.
The right way to detect them is using clang_Cursor_isAnonymous.
Fixes #2312
Closes #2316
Co-Authored-by: Patrick Walton <pcwalton@fb.com>
From c03b37697a1e117995ea76203e5c0ce7d6696c4e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio@crisal.io>
Date: Wed, 9 Nov 2022 13:33:19 +0100
Subject: [PATCH] ir: Don't crash with built-in unexposed types from libclang.
This fixes #2325.
The issue is that `__bf16` is not exposed at all by libclang, which
causes us to crash. It's a bit of a shame libclang doesn't expose it but
there's no rust equivalent I think, so this should be ok for now.
Unfortunately no test because the header crashes older clang versions.
diff --git a/Cargo.lock b/Cargo.lock
index 163674ec5d..28456ee0ba 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -394,8 +394,6 @@ dependencies = [
[[package]]
name = "bindgen"
version = "0.56.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2da379dbebc0b76ef63ca68d8fc6e71c0f13e59432e0987e508c1820e6ab5239"
dependencies = [
"bitflags",
"cexpr",
diff --git a/Cargo.toml b/Cargo.toml
index d918adae95..dddd1298f7 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -117,6 +117,7 @@ packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/pa
midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" }
minidump_writer_linux = { git = "https://github.com/rust-minidump/minidump-writer.git", rev = "75ada456c92a429704691a85e1cb42fef8cafc0d" }
glslopt = { path = "third_party/rust/glslopt/" }
+bindgen = { path = "third_party/rust/bindgen/" }
# Patch mio 0.6 to use winapi 0.3 and miow 0.3, getting rid of winapi 0.2.
# There is not going to be new version of mio 0.6, mio now being >= 0.7.11.
diff --git a/third_party/rust/bindgen/src/clang.rs b/third_party/rust/bindgen/src/clang.rs
index 488660c434..ef74ac08c2 100644
--- a/third_party/rust/bindgen/src/clang.rs
+++ b/third_party/rust/bindgen/src/clang.rs
@@ -54,6 +54,11 @@ impl Cursor {
unsafe { clang_isDeclaration(self.kind()) != 0 }
}
+ /// Is this cursor's referent an anonymous record or so?
+ pub fn is_anonymous(&self) -> bool {
+ unsafe { clang_Cursor_isAnonymous(self.x) != 0 }
+ }
+
/// Get this cursor's referent's spelling.
pub fn spelling(&self) -> String {
unsafe { cxstring_into_string(clang_getCursorSpelling(self.x)) }
diff --git a/third_party/rust/bindgen/src/ir/comp.rs b/third_party/rust/bindgen/src/ir/comp.rs
index 22c124fa36..b715616c5e 100644
--- a/third_party/rust/bindgen/src/ir/comp.rs
+++ b/third_party/rust/bindgen/src/ir/comp.rs
@@ -1372,8 +1372,7 @@ impl CompInfo {
// A declaration of an union or a struct without name could
// also be an unnamed field, unfortunately.
- if cur.spelling().is_empty() &&
- cur.kind() != CXCursor_EnumDecl
+ if cur.is_anonymous() && cur.kind() != CXCursor_EnumDecl
{
let ty = cur.cur_type();
let offset = cur.offset_of_field().ok();
diff --git a/third_party/rust/bindgen/src/ir/ty.rs b/third_party/rust/bindgen/src/ir/ty.rs
index e6eecc3c50..f3e1193ce2 100644
--- a/third_party/rust/bindgen/src/ir/ty.rs
+++ b/third_party/rust/bindgen/src/ir/ty.rs
@@ -737,7 +737,12 @@ impl Type {
let layout = ty.fallible_layout(ctx).ok();
let cursor = ty.declaration();
- let mut name = cursor.spelling();
+ let is_anonymous = cursor.is_anonymous();
+ let mut name = if is_anonymous {
+ None
+ } else {
+ Some(cursor.spelling()).filter(|n| !n.is_empty())
+ };
debug!(
"from_clang_ty: {:?}, ty: {:?}, loc: {:?}",
@@ -771,7 +776,7 @@ impl Type {
if is_canonical_objcpointer && is_template_type_param {
// Objective-C generics are just ids with fancy name.
// To keep it simple, just name them ids
- name = "id".to_owned();
+ name = Some("id".to_owned());
}
}
@@ -900,7 +905,7 @@ impl Type {
return Err(ParseError::Recurse);
}
} else {
- name = location.spelling();
+ name = Some(location.spelling());
}
let complex = CompInfo::from_ty(
@@ -942,7 +947,7 @@ impl Type {
CXType_Typedef
);
- name = current.spelling();
+ name = Some(location.spelling());
let inner_ty = cur
.typedef_type()
@@ -1126,10 +1131,10 @@ impl Type {
CXType_Enum => {
let enum_ = Enum::from_ty(ty, ctx).expect("Not an enum?");
- if name.is_empty() {
+ if !is_anonymous {
let pretty_name = ty.spelling();
if clang::is_valid_identifier(&pretty_name) {
- name = pretty_name;
+ name = Some(pretty_name);
}
}
@@ -1144,12 +1149,12 @@ impl Type {
)
.expect("Not a complex type?");
- if name.is_empty() {
+ if !is_anonymous {
// The pretty-printed name may contain typedefed name,
// but may also be "struct (anonymous at .h:1)"
let pretty_name = ty.spelling();
if clang::is_valid_identifier(&pretty_name) {
- name = pretty_name;
+ name = Some(pretty_name);
}
}
@@ -1161,8 +1166,7 @@ impl Type {
location,
None,
ctx,
- )
- .expect("Not able to resolve vector element?");
+ )?;
TypeKind::Vector(inner, ty.num_elements().unwrap())
}
CXType_ConstantArray => {
@@ -1189,7 +1193,9 @@ impl Type {
CXType_ObjCClass | CXType_ObjCInterface => {
let interface = ObjCInterface::from_ty(&location, ctx)
.expect("Not a valid objc interface?");
- name = interface.rust_name();
+ if !is_anonymous {
+ name = Some(interface.rust_name());
+ }
TypeKind::ObjCInterface(interface)
}
CXType_Dependent => {
@@ -1207,7 +1213,7 @@ impl Type {
}
};
- let name = if name.is_empty() { None } else { Some(name) };
+ name = name.filter(|n| !n.is_empty());
let is_const = ty.is_const() ||
(ty.kind() == CXType_ConstantArray &&
diff --git a/third_party/rust/bindgen/src/ir/var.rs b/third_party/rust/bindgen/src/ir/var.rs
index c6f121d74e..679c92bbea 100644
--- a/third_party/rust/bindgen/src/ir/var.rs
+++ b/third_party/rust/bindgen/src/ir/var.rs
@@ -301,11 +301,11 @@ impl ClangSubItemParser for Var {
let ty = match Item::from_ty(&ty, cursor, None, ctx) {
Ok(ty) => ty,
Err(e) => {
- assert_eq!(
- ty.kind(),
- CXType_Auto,
+ assert!(
+ matches!(ty.kind(), CXType_Auto | CXType_Unexposed),
"Couldn't resolve constant type, and it \
- wasn't an nondeductible auto type!"
+ wasn't an nondeductible auto type or unexposed \
+ type!"
);
return Err(e);
}

View File

@ -1,10 +1,10 @@
PRODUCT="thunderbird" PRODUCT="thunderbird"
CHANNEL="esr102" CHANNEL="esr102"
VERSION="102.9.0" VERSION="102.10.0"
VERSION_SUFFIX="" VERSION_SUFFIX=""
PREV_VERSION="102.8.0" PREV_VERSION="102.9.1"
PREV_VERSION_SUFFIX="" PREV_VERSION_SUFFIX=""
#SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102" RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr102"
RELEASE_TAG="db735c436e680abf21cc67f9a29b42fdf30d416d" RELEASE_TAG="d8df3bebc4b529388b62b9cb4df152f13910fbe3"
RELEASE_TIMESTAMP="20230310165821" RELEASE_TIMESTAMP="20230407145224"

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:73183365c0888b489648b9baaa717ebccbb9add4d245e24e95d43cc76810f8ca
size 500949660

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQ0LS8ACgkQ6+QekPbx
L22flhAAsOlC7n7VWB6I0ak90oGfzvZiqlf9WbikM9oXukrYIwqXKfUDKPZZDKTV
hfrCHzSUWi+QQc6HS8diq7CcRjJb2aJXHxL9E3E2j0qfdWjpoYMBkoQzXQR12Ve8
lXWEPxrlfJhR8Z2S6geCMVQbyPh6zbMIZTT/Zp1vV8r5PcxwvfC3wviWU721E45k
moT/CZX6PmeS3UO0kL/6RECNA/HgxnNu2gKFlc9Qc90wCiwtR92RGuB15CXYmZcx
F3//Jc4n4GSMBxX/4RUto+HFxJWZ1k7Cl7CvtXKYTFkUZvMfrLBCcruzZ3Deuos0
qKZyreUDbgeNuu+Ynh8qyEkZn+6k+rkb7t+a1jaOpgTtc/B+9fwjv34rIVD4KRO6
Ym2qotNk3zNYU7moD53rnfvgBb2J4PUbvJobVOcthVvM0HNUbptGDvSrPByeYLOB
veC4Bqy9heICCwRa3JBIzNCMGQgzP3fKkpFiPJxLoU/Je9FKqhHsbu9wu7/OeE/R
BQMIFfXNwRpZcmDie3OfqYR6wZEZ5xemOZEkH0wtB7dZLlAir4tkg+P2PkKMS59q
ihdLEqpiZpDeqIHivRbzi5Bt4GD0V8UEadIjhJ9RMBIfRM0GmjxO5d/nmnhuE+ww
bH/M1uFnEgit9gICOZDndLhlDSArMUe8xLmjWIy1HXCktxRsnwY=
=z2m1
-----END PGP SIGNATURE-----

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ecb34de765d548ed26ea24d4d617567a7896230d7c8379c1ef76be8ca05d6fef
size 503081436

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmQLrkIACgkQ6+QekPbx
L22h1g/+LXtjCm9UdWsufMQ6GWhNkdHXdhL7Uog6c8Z/vcyfotKNShUYzk8up9Rm
yUTZQ/vOPZPRt3MmONpE1KvOstThYncUPAdv9ZbIFQEF2eLQ73fiXSP/g5uGFThk
ZoXCEZt/pnDm6Uv7P/ufh+VYRkNu9TxpYTw5OH5u0YFbwazbyKHdwP2XwHmDqlff
ObbHyNy7m3+X1jrAb3ayWnK/PUqcw/GbbAdwdtM0eF3RttTO60d/8P+MQ/qxuM1a
OuVkgAQIpVJiJexbJXMVSUl/c2OwLXDwSX9Q0JKcCqGH1ruv2hss/6Hp9pIdazZs
85ko0g16DEx5EOTvNFmkYAaSnCAjNZOEqzv/hN71n5V+cvBQNF5U6rFM7qJOzeT6
As8DI813YsAefHXo620Q+UQXBLXvwwnsuUS7CzzcLX2V+njhrZIKbGB2C5tgEwTg
FuSK6+0kWEpbYPXQDrrvzOWAJbs5lJNBdWX2WUeX7sNpeaUH/FPBULNo2LRuTgFG
qiZxaxQfaJ86ZZu29jdkmBQzC90e5dyw2PwipNDRu8FDbinod1vEcEJ1AhQywt2E
KnX7lp1A/7nMW+b1YbqGTk6w7NLpqGzW0XdfjYdvw2BYCJwtpVl2y8CaZYBxzOBl
dg+ibkdDRr5gk6XycidonfHVu4xZqEYZd2h62lVlnnTErV10YeE=
=4xjl
-----END PGP SIGNATURE-----