From 3ba157ec150cccb56812238175e2d9c45c66f5c7d61dc09712bb1f01cd82ba29 Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Fri, 22 Mar 2024 07:53:18 +0000 Subject: [PATCH] - LLVM18 breaks building Thunderbird on Tumbleweed; add * mozilla-fix-issues-with-llvm18.patch - Mozilla Thunderbird 115.9.0 https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/ MFSA 2024-14 (bsc#1221327) * CVE-2024-0743 (bmo#1867408) Crash in NSS TLS method * CVE-2024-2605 (bmo#1872920) Windows Error Reporter could be used as a Sandbox escape vector * CVE-2024-2607 (bmo#1879939) JIT code failed to save return registers on Armv7-A * CVE-2024-2608 (bmo#1880692) Integer overflow could have led to out of bounds write * CVE-2024-2616 (bmo#1846197) Improve handling of out-of-memory conditions in ICU * CVE-2023-5388 (bmo#1780432) NSS susceptible to timing attack against RSA decryption * CVE-2024-2610 (bmo#1871112) Improper handling of html and body tags enabled CSP nonce leakage * CVE-2024-2611 (bmo#1876675) Clickjacking vulnerability could have led to a user accidentally granting permissions * CVE-2024-2612 (bmo#1879444) Self referencing object could have potentially led to a use- after-free * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093) Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaThunderbird?expand=0&rev=751 --- MozillaThunderbird.changes | 41 ++++++++++++ MozillaThunderbird.spec | 28 +++++++- l10n-115.8.1.tar.xz | 3 - l10n-115.9.0.tar.xz | 3 + mozilla-fix-issues-with-llvm18.patch | 94 +++++++++++++++++++++++++++ tar_stamps | 8 +-- thunderbird-115.8.1.source.tar.xz | 3 - thunderbird-115.8.1.source.tar.xz.asc | 16 ----- thunderbird-115.9.0.source.tar.xz | 3 + thunderbird-115.9.0.source.tar.xz.asc | 16 +++++ 10 files changed, 187 insertions(+), 28 deletions(-) delete mode 100644 l10n-115.8.1.tar.xz create mode 100644 l10n-115.9.0.tar.xz create mode 100644 mozilla-fix-issues-with-llvm18.patch delete mode 100644 thunderbird-115.8.1.source.tar.xz 
delete mode 100644 thunderbird-115.8.1.source.tar.xz.asc
create mode 100644 thunderbird-115.9.0.source.tar.xz
create mode 100644 thunderbird-115.9.0.source.tar.xz.asc
diff --git a/MozillaThunderbird.changes b/MozillaThunderbird.changes
index 65be4ee..c3e98f0 100644
--- a/MozillaThunderbird.changes
+++ b/MozillaThunderbird.changes
@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Wed Mar 20 13:55:26 UTC 2024 - Manfred Hollstein
+
+- LLVM18 breaks building Thunderbird on Tumbleweed; add
+ * mozilla-fix-issues-with-llvm18.patch
+
+-------------------------------------------------------------------
+Sat Mar 16 11:41:27 UTC 2024 - Wolfgang Rosenauer
+
+- Mozilla Thunderbird 115.9.0
+ https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/
+ MFSA 2024-14 (bsc#1221327)
+ * CVE-2024-0743 (bmo#1867408)
+ Crash in NSS TLS method
+ * CVE-2024-2605 (bmo#1872920)
+ Windows Error Reporter could be used as a Sandbox escape vector
+ * CVE-2024-2607 (bmo#1879939)
+ JIT code failed to save return registers on Armv7-A
+ * CVE-2024-2608 (bmo#1880692)
+ Integer overflow could have led to out of bounds write
+ * CVE-2024-2616 (bmo#1846197)
+ Improve handling of out-of-memory conditions in ICU
+ * CVE-2023-5388 (bmo#1780432)
+ NSS susceptible to timing attack against RSA decryption
+ * CVE-2024-2610 (bmo#1871112)
+ Improper handling of html and body tags enabled CSP nonce leakage
+ * CVE-2024-2611 (bmo#1876675)
+ Clickjacking vulnerability could have led to a user accidentally
+ granting permissions
+ * CVE-2024-2612 (bmo#1879444)
+ Self referencing object could have potentially led to a use-
+ after-free
+ * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
+ Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
+ and Thunderbird 115.9
+
+-------------------------------------------------------------------
+Tue Mar 5 08:13:43 UTC 2024 - Adam Mizerski
+
+- Create subpackage MozillaThunderbird-openpgp-librnp
+
 -------------------------------------------------------------------
 Tue Mar 5 09:09:34 CET 2024 - Wolfgang Rosenauer
diff --git a/MozillaThunderbird.spec b/MozillaThunderbird.spec
index 14ad4a7..8b47b0c 100644
--- a/MozillaThunderbird.spec
+++ b/MozillaThunderbird.spec
@@ -29,8 +29,8 @@ # major 69 # mainver %%major.99 %define major 115 -%define mainver %major.8.1 -%define orig_version 115.8.1 +%define mainver %major.9.0 +%define orig_version 115.9.0 %define orig_suffix %nil %define update_channel release %define source_prefix thunderbird-%{orig_version} @@ -128,7 +128,11 @@ BuildRequires: zip %if 0%{?suse_version} < 1550 BuildRequires: pkgconfig(gconf-2.0) >= 1.2.1 %endif +%if (0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000) +BuildRequires: clang6-devel +%else BuildRequires: clang-devel >= 5 +%endif BuildRequires: pkgconfig(glib-2.0) >= 2.22 BuildRequires: pkgconfig(gobject-2.0) BuildRequires: pkgconfig(gtk+-3.0) >= 3.14.0 @@ -203,6 +207,10 @@ Patch19: svg-rendering.patch Patch20: mozilla-partial-revert-1768632.patch Patch21: mozilla-bmo1775202.patch Patch22: mozilla-rust-disable-future-incompat.patch +%if 0%{?product_libs_llvm_ver} > 17 +# LLVM18 breaks building Firefox ESR: +Patch30: mozilla-fix-issues-with-llvm18.patch +%endif %endif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: /bin/sh @@ -216,6 +224,8 @@ PreReq: textutils Recommends: libcanberra0 Recommends: libotr5 Recommends: libpulse0 +Requires: %{name}-openpgp +Suggests: %{name}-openpgp-librnp Requires(post): desktop-file-utils Requires(postun): desktop-file-utils %define libgssapi libgssapi_krb5.so.2 @@ -227,6 +237,16 @@ managing email, news feeds, chat, and news groups. It is a local (rather than browser- or web-based) email application that is powerful yet easy to use. +%package openpgp-librnp +Summary: Thunderbird's upstream OpenPGP implementation +Group: Productivity/Networking/Email/Clients +Requires: %{name} = %{version} +Provides: %{name}-openpgp +Conflicts: %{name}-openpgp + +%description openpgp-librnp +Thunderbird's upstream OpenPGP implementation. + %if %localize %package translations-common Summary: Common translations for %{appname} 
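Review bot: The comment above the new `Patch30` line says "LLVM18 breaks building Firefox ESR", but this is the Thunderbird spec and the changelog entry in this commit names Thunderbird; `# LLVM18 breaks building Thunderbird:` would match. The `Patch30:` tag itself sits inside `%if 0%{?product_libs_llvm_ver} > 17`, so a source package produced where that macro is unset or at most 17 would not carry the patch file; declaring the tag unconditionally and making only its application conditional keeps source packages the same on every target. No `%prep` change is part of this diff, so whether Patch30 is actually applied depends on code outside the hunk (an explicit `%patch` list would miss it) and is worth confirming.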
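Review bot: `Requires: %{name} = %{version}` in the new `openpgp-librnp` subpackage pins only the upstream version, so a `librnp.so` from one rebuild can stay installed next to a main package from another rebuild of the same version; `Requires: %{name} = %{version}-%{release}` would keep the library and the application from the same build. The preceding hunk adds `Requires: %{name}-openpgp` to the main package, a virtual capability that in this diff only this subpackage provides, and nothing in the spec explains the `Provides:`/`Conflicts:` pair. A comment above that pair such as `# %{name}-openpgp is a virtual capability: exactly one OpenPGP backend may be installed` would record the intent. Whichever package satisfies the capability supplies the OpenPGP implementation, so the same comment is a good place to name the providers that are expected.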
@@ -593,6 +613,7 @@ exit 0 %{progdir}/application.ini %{progdir}/dependentlibs.list %{progdir}/*.so +%exclude %{progdir}/librnp.so %{progdir}/glxtest %if 0%{wayland_supported} %{progdir}/vaapitest @@ -622,6 +643,9 @@ exit 0 %{_datadir}/icons/hicolor/symbolic/apps/%{progname}-symbolic.svg %{_bindir}/%{progname} +%files openpgp-librnp +%{progdir}/librnp.so + %if %localize %files translations-common -f %{_tmppath}/translations.common %defattr(-,root,root) diff --git a/l10n-115.8.1.tar.xz b/l10n-115.8.1.tar.xz deleted file mode 100644 index 8be7554..0000000 --- a/l10n-115.8.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:71cf508cfbc2a3636faf476e298c2f93e538fdf766b86d8aa0f643fc8bf2a2da -size 28293800 diff --git a/l10n-115.9.0.tar.xz b/l10n-115.9.0.tar.xz new file mode 100644 index 0000000..d556a20 --- /dev/null +++ b/l10n-115.9.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7943b97cba342c3a998d7ee4f2dd2cf3eac73201ab9b1f332556aaa637abd3b9 +size 29763000 diff --git a/mozilla-fix-issues-with-llvm18.patch b/mozilla-fix-issues-with-llvm18.patch new file mode 100644 index 0000000..e827c2e --- /dev/null +++ b/mozilla-fix-issues-with-llvm18.patch 
@@ -0,0 +1,94 @@ +Adapt the shipped rust-bindgen copy for LLVM-18 and later, +and tell cargo we've modified the code of rust-bindgen so +the checksum verification of this crate should be skipped + +diff -rup a/Cargo.lock b/Cargo.lock +--- a/Cargo.lock 2024-03-14 06:21:23.000000000 +0100 ++++ b/Cargo.lock 2024-03-20 13:15:35.146224179 +0100 +@@ -414,8 +414,8 @@ dependencies = [ + [[package]] + name = "bindgen" + version = "0.64.0" +-source = "registry+https://github.com/rust-lang/crates.io-index" +-checksum = "c4243e6031260db77ede97ad86c27e501d646a27ab57b59a574f725d98ab1fb4" ++#source = "registry+https://github.com/rust-lang/crates.io-index" ++#checksum = "c4243e6031260db77ede97ad86c27e501d646a27ab57b59a574f725d98ab1fb4" + dependencies = [ + "bitflags 1.3.2", + "cexpr", +diff -rup a/Cargo.toml b/Cargo.toml +--- a/Cargo.toml 2024-03-20 13:09:16.152828408 +0100 ++++ b/Cargo.toml 2024-03-20 13:14:09.072867031 +0100 +@@ -193,3 +193,8 @@ weedle2 = "=4.0.0" + # Shut up such messages for now to make the build succeed + [future-incompat-report] + frequency = "never" ++ ++[patch.crates-io.bindgen_0_64_0] ++package = "bindgen" ++version = "0.64.0" ++path = "third_party/rust/bindgen" +diff -rup a/third_party/rust/bindgen/ir/item.rs b/third_party/rust/bindgen/ir/item.rs +--- a/third_party/rust/bindgen/ir/item.rs 2024-03-14 06:21:40.000000000 +0100 ++++ b/third_party/rust/bindgen/ir/item.rs 2024-03-20 13:11:32.062844514 +0100 +@@ -1434,6 +1434,7 @@ impl Item { + // We allowlist cursors here known to be unhandled, to prevent being + // too noisy about this. 
+ match cursor.kind() { ++ CXCursor_LinkageSpec => return Err(ParseError::Recurse), + CXCursor_MacroDefinition | + CXCursor_MacroExpansion | + CXCursor_UsingDeclaration | + + +Adapt the WebRTC code to use 64-bit timestamp to fix a build +failure with Clang-18 and later + +diff -rup a/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp b/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp +--- a/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp 2024-03-14 06:21:25.000000000 +0100 ++++ b/dom/media/gmp-plugin-openh264/gmp-fake-openh264.cpp 2024-03-20 13:17:20.839584778 +0100 +@@ -99,7 +99,7 @@ struct EncodedFrame { + uint8_t y_; + uint8_t u_; + uint8_t v_; +- uint32_t timestamp_; ++ uint64_t timestamp_; + } idr_nalu; + }; + #pragma pack(pop) +diff -rup a/dom/media/gtest/TestGMPRemoveAndDelete.cpp b/dom/media/gtest/TestGMPRemoveAndDelete.cpp +--- a/dom/media/gtest/TestGMPRemoveAndDelete.cpp 2024-03-14 06:21:25.000000000 +0100 ++++ b/dom/media/gtest/TestGMPRemoveAndDelete.cpp 2024-03-20 13:17:20.839584778 +0100 +@@ -361,7 +361,7 @@ void GMPRemoveTest::gmp_Decode() { + uint8_t y_; + uint8_t u_; + uint8_t v_; +- uint32_t timestamp_; ++ uint64_t timestamp_; + } idr_nalu; + }; + #pragma pack(pop) +diff -rup a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp +--- a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp 2024-03-14 06:21:24.000000000 +0100 ++++ b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.cpp 2024-03-20 13:17:20.842918112 +0100 +@@ -540,7 +540,7 @@ void WebrtcGmpVideoEncoder::Encoded( + + webrtc::VideoFrameType ft; + GmpFrameTypeToWebrtcFrameType(aEncodedFrame->FrameType(), &ft); +- uint32_t timestamp = (aEncodedFrame->TimeStamp() * 90ll + 999) / 1000; ++ uint64_t timestamp = (aEncodedFrame->TimeStamp() * 90ll + 999) / 1000; + + GMP_LOG_DEBUG("GMP Encoded: %" PRIu64 ", type %d, len %d", + aEncodedFrame->TimeStamp(), aEncodedFrame->BufferType(), +diff -rup 
a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h +--- a/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h 2024-03-14 06:21:24.000000000 +0100 ++++ b/dom/media/webrtc/libwebrtcglue/WebrtcGmpVideoCodec.h 2024-03-20 13:17:32.442921055 +0100 +@@ -302,7 +302,7 @@ class WebrtcGmpVideoEncoder : public GMP + int64_t timestamp_us; + }; + // Map rtp time -> input image data +- DataMutex> mInputImageMap; ++ DataMutex> mInputImageMap; + + MediaEventProducer mInitPluginEvent; + MediaEventProducer mReleasePluginEvent; diff --git a/tar_stamps b/tar_stamps index c0d2042..ff4ad1f 100644 --- a/tar_stamps +++ b/tar_stamps @@ -1,10 +1,10 @@ PRODUCT="thunderbird" CHANNEL="esr115" -VERSION="115.8.1" +VERSION="115.9.0" VERSION_SUFFIX="" -PREV_VERSION="115.8.0" +PREV_VERSION="115.8.1" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/comm-esr115" -RELEASE_TAG="5b8708dc0314dab535d9357b5dfd6b2bef9441c8" -RELEASE_TIMESTAMP="20240304230937" +RELEASE_TAG="1e95a096fd3c6053c4eeeca935eb8227cf9ee25c" +RELEASE_TIMESTAMP="20240314154241" diff --git a/thunderbird-115.8.1.source.tar.xz b/thunderbird-115.8.1.source.tar.xz deleted file mode 100644 index 037ba20..0000000 --- a/thunderbird-115.8.1.source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:80d75ae91b7cbd60bcbaf134fc3f11290bd542a8a7ff965eaa4a0d95bb0d4d51 -size 541062996 diff --git a/thunderbird-115.8.1.source.tar.xz.asc b/thunderbird-115.8.1.source.tar.xz.asc deleted file mode 100644 index 427e929..0000000 --- a/thunderbird-115.8.1.source.tar.xz.asc +++ /dev/null 
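Review bot: Commenting out `source` and `checksum` for `bindgen` in `Cargo.lock` and redirecting the crate through `[patch.crates-io.bindgen_0_64_0]` turns off cargo's integrity check for the whole vendored crate, not just for the one-line change in `ir/item.rs`, so any later drift in `third_party/rust/bindgen` would go unnoticed. The patch header says the verification "should be skipped" but not when the workaround ends; a header line such as `# Carries the CXCursor_LinkageSpec fix for LLVM >= 18; drop with the Cargo.lock/Cargo.toml hunks once the vendored bindgen has it` would record that. If the build permits it, updating the hash of `ir/item.rs` in the crate's `.cargo-checksum.json` instead would keep verification on for every other file. This unit is a patch file stored inside the diff, and the removed and added `mInputImageMap` lines read identically here because the template arguments were lost in rendering, so that part cannot be reviewed from this page.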
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmXmhDAACgkQ4207E/PZ -MnSnSBAApDkhrSNJyYXdovTXUqoMHOsqwwFoS7DBoGSu4kZBIviqzGrfipu5xNCT -3ItnPrH0VXJIpzTGwkNivqcFfhJvHyEsupBScx5Dbi7+/u0/Ah5fEzGmOYq3L8JE -QCkyXe7aMHWg0M1Qumpg7NN5fB/u6hKSUtypxbWZKfcHvLUVWtWfsPuQf0F6sQoF -mVX+ftC0+X/pffoEu6FGasXsZM4kGcb/+UJiJyBgz7zGXCx/tG6g5NnW5rN2A/Iw -2sJXTwC1JcpYdpuB/HV7g9yKkUYQwvZxcYyevtZu4zd7Gaxs4xwuJOiz5iZaxANP -OkopDC7yI36q4ULerQ/pRk0X5YIAdbIHvq6xBLpx30iG1tqDFPEHutV6YKrD1e5z -hiJcjEME/73tVv8LA5KW9GO5VAporXpY8Q21v5AG1uat5lYjLb+4znbhYWdGaL6n -ynCUgFDbLrdiEb/RJiu/yZOmHYia68R3X+fjxAgJN1uA+/1Jko+wkq9xVssESe1C -5SVKy5Sc0+0o3+bYdzsR8VSpQac5gVYB20HIyvk5vw8EYCWfX4Ttv0qggd9oHg+j -wz5Db9lv5Y6ZQfxH4dvoSv889l+VOynA5g2BDpT8RSdFTp1sZKQyIcQn48vfzAaz -q47NXaHA/ckQd6M2h2fEGOsXLDs76Ahwi6LuA6eL6zg8oIh83nQ= -=x4za ------END PGP SIGNATURE----- diff --git a/thunderbird-115.9.0.source.tar.xz b/thunderbird-115.9.0.source.tar.xz new file mode 100644 index 0000000..30cd714 --- /dev/null +++ b/thunderbird-115.9.0.source.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2aeb77ca7038df6f3d306f9c3d2a4ea615af0edcf0f7290215ca5f30c1290e57 +size 535516012 diff --git a/thunderbird-115.9.0.source.tar.xz.asc b/thunderbird-115.9.0.source.tar.xz.asc new file mode 100644 index 0000000..dc3694f --- /dev/null +++ b/thunderbird-115.9.0.source.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmX0cvkACgkQ4207E/PZ +MnQsig/9ENVeCyVRzE8NJpHqJwBnxztGaqkeOyDxonbKEQ1NTwrvn5hIRdHkWiRz +cYo0SH5Cw7cjOrhAS+fWQdx43RaTRwVNN8nJv6HfxJFL5OSQ/QbHkunVNg0Yq9TE +RYv+D/9IX+Fm48ZNQ5wl5dkCbhg0euFoPSxqZKrvi7U0LJ1uHtle9TOXztn+I0s1 +uafbMiuLdNi8r4UIcopYpoMTg0Yt9hbKIdG9tFF/thotT5DJeN3Vrx/rBh2cMZX+ +wvwbXdQziVsLGqpQ14dl9vCsZqujoiRG+G4oAo9nngyQZgF+aucEev1vAq7YFbaM +Q3Tc+V8JVpJxk1TYS08CU8Ph1ZuCJOiixCwjTzXo5RqOUrC5zAd29fcQkMqqyGB+ +p6nLvXFwlWdroLsROCcMH9MmJzAFDhfUms41AeUvyp+1sUyqpkzJBczBjHOi0DQ6 +tmFjgK+Ph8VAct4kIBKI7FRkn5w3e7/Xr670oc/zFo0AunWBktowx5R2LyXqXpmk +hIlYC3n5QhtX08SxqgFsV18rFUrDXBuMssmJbcet7ZETCdFHjKk9CITD5zsi3oQW +mLR+IkZYrzEv4btvJdd8W8o4wUv2VPHCDP7Pxkk1V2/1h8n4+BhaO3E4GNz17odZ +l1h1EkhMUErlApPKhVd2EflF38v7uKhSw2WKTiQpwzZSNk2B00k= +=WHyd +-----END PGP SIGNATURE-----