Update to 91.7.0
plus patches to bundled expat against CVE-2022-25235 CVE-2022-25236 CVE-2022-25315
This commit is contained in:
parent
a0822a1c21
commit
0619c8e092
2
.gitignore
vendored
2
.gitignore
vendored
@ -351,3 +351,5 @@ thunderbird-langpacks-3.1.2-20100803.tar.bz2
|
||||
/thunderbird-langpacks-91.6.1-20220228.tar.xz
|
||||
/thunderbird-langpacks-91.6.2-20220307.tar.xz
|
||||
/thunderbird-91.6.2.source.tar.xz
|
||||
/thunderbird-langpacks-91.7.0-20220308.tar.xz
|
||||
/thunderbird-91.7.0.source.tar.xz
|
||||
|
49
expat-CVE-2022-25235.patch
Normal file
49
expat-CVE-2022-25235.patch
Normal file
@ -0,0 +1,49 @@
|
||||
diff -up thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok.c
|
||||
--- thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 2022-03-02 17:57:38.364361168 +0100
|
||||
+++ thunderbird-91.7.0/parser/expat/lib/xmltok.c 2022-03-02 17:58:22.235512399 +0100
|
||||
@@ -65,13 +65,6 @@
|
||||
+ ((((byte)[2]) >> 5) & 1)] \
|
||||
& (1u << (((byte)[2]) & 0x1F)))
|
||||
|
||||
-#define UTF8_GET_NAMING(pages, p, n) \
|
||||
- ((n) == 2 \
|
||||
- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
|
||||
- : ((n) == 3 \
|
||||
- ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
|
||||
- : 0))
|
||||
-
|
||||
/* Detection of invalid UTF-8 sequences is based on Table 3.1B
|
||||
of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
|
||||
with the additional restriction of not allowing the Unicode
|
||||
diff -up thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c
|
||||
--- thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 2022-03-02 17:57:38.365361172 +0100
|
||||
+++ thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c 2022-03-02 18:04:51.240853247 +0100
|
||||
@@ -34,7 +34,7 @@
|
||||
case BT_LEAD ## n: \
|
||||
if (end - ptr < n) \
|
||||
return XML_TOK_PARTIAL_CHAR; \
|
||||
- if (!IS_NAME_CHAR(enc, ptr, n)) { \
|
||||
+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
|
||||
*nextTokPtr = ptr; \
|
||||
return XML_TOK_INVALID; \
|
||||
} \
|
||||
@@ -62,7 +62,7 @@
|
||||
case BT_LEAD ## n: \
|
||||
if (end - ptr < n) \
|
||||
return XML_TOK_PARTIAL_CHAR; \
|
||||
- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
|
||||
+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
|
||||
*nextTokPtr = ptr; \
|
||||
return XML_TOK_INVALID; \
|
||||
} \
|
||||
@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c
|
||||
case BT_LEAD ## n: \
|
||||
if (end - ptr < n) \
|
||||
return XML_TOK_PARTIAL_CHAR; \
|
||||
+ if (IS_INVALID_CHAR(enc, ptr, n)) { \
|
||||
+ *nextTokPtr = ptr; \
|
||||
+ return XML_TOK_INVALID; \
|
||||
+ } \
|
||||
if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
|
||||
ptr += n; \
|
||||
tok = XML_TOK_NAME; \
|
40
expat-CVE-2022-25236.patch
Normal file
40
expat-CVE-2022-25236.patch
Normal file
@ -0,0 +1,40 @@
|
||||
diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
|
||||
--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100
|
||||
+++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100
|
||||
@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
|
||||
XML_Parser XMLCALL
|
||||
XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
|
||||
{
|
||||
- XML_Char tmp[2];
|
||||
- *tmp = nsSep;
|
||||
+ XML_Char tmp[2] = {nsSep, 0};
|
||||
return XML_ParserCreate_MM(encodingName, NULL, tmp);
|
||||
}
|
||||
#endif
|
||||
@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
|
||||
would be otherwise.
|
||||
*/
|
||||
if (ns) {
|
||||
- XML_Char tmp[2];
|
||||
- *tmp = namespaceSeparator;
|
||||
+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
|
||||
parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
|
||||
}
|
||||
else {
|
||||
@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
|
||||
if (!mustBeXML && isXMLNS
|
||||
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
|
||||
isXMLNS = XML_FALSE;
|
||||
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
|
||||
+ // we have to at least make sure that the XML processor on top of
|
||||
+ // Expat (that is splitting tag names by namespace separator into
|
||||
+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
|
||||
+ // by an attacker putting additional namespace separator characters
|
||||
+ // into namespace declarations. That would be ambiguous and not to
|
||||
+ // be expected.
|
||||
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
|
||||
+ return XML_ERROR_SYNTAX;
|
||||
+ }
|
||||
}
|
||||
isXML = isXML && len == xmlLen;
|
||||
isXMLNS = isXMLNS && len == xmlnsLen;
|
24
expat-CVE-2022-25315.patch
Normal file
24
expat-CVE-2022-25315.patch
Normal file
@ -0,0 +1,24 @@
|
||||
diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
|
||||
--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 2022-03-02 18:17:50.966583254 +0100
|
||||
+++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:19:27.636924735 +0100
|
||||
@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser)
|
||||
while (tag) {
|
||||
int bufSize;
|
||||
int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
|
||||
+ size_t rawNameLen;
|
||||
char *rawNameBuf = tag->buf + nameLen;
|
||||
/* Stop if already stored. Since tagStack is a stack, we can stop
|
||||
at the first entry that has already been copied; everything
|
||||
@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser)
|
||||
/* For re-use purposes we need to ensure that the
|
||||
size of tag->buf is a multiple of sizeof(XML_Char).
|
||||
*/
|
||||
- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
|
||||
+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
|
||||
+ /* Detect and prevent integer overflow. */
|
||||
+ if (rawNameLen > (size_t)INT_MAX - nameLen)
|
||||
+ return XML_FALSE;
|
||||
+ bufSize = nameLen + (int)rawNameLen;
|
||||
if (bufSize > tag->bufEnd - tag->buf) {
|
||||
char *temp = (char *)REALLOC(tag->buf, bufSize);
|
||||
if (temp == NULL)
|
4
sources
4
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (cbindgen-vendor.tar.xz) = 105a7d93d63920d8c232421a29f6330c171343d27807feaeadb1737374e5cf1d48916cb6e9ce04773dd81bb3c52a6f5cef12e633b0922cb9f91ca99acc9e4b78
|
||||
SHA512 (thunderbird-langpacks-91.6.2-20220307.tar.xz) = 6008e7d5e0e80b0170f18213338c5339f9ed434d791df08524bca454c111d3013f10874fe15a5e7dd270b27f7a1c55cbde151910c38c8fb83dc3fa21c9ce519d
|
||||
SHA512 (thunderbird-91.6.2.source.tar.xz) = eb1cb06390694872e37830991e16d1e0bd3259cd1fedfed86fd24901f190bc9c274fc1a85cfbba01a0c9cac0d422b62a9b1062d8ba1770fd25bf99528f6df9e0
|
||||
SHA512 (thunderbird-langpacks-91.7.0-20220308.tar.xz) = e606af74edc52edf0905b9314c30a0865c7f9d1ac19347bb7601c1574b1c569b95faeda4dc760f6bdd652f20ec081b25396312672f7371d9e106977beb72347f
|
||||
SHA512 (thunderbird-91.7.0.source.tar.xz) = 2afaee16f155edcb0bdb46ebe282a733cf041ec6f562aebd06f8b675e46917f6f500fcc532fc54d74f3f4b0b489a88934a2c6c304f849873de4bc2690b9056a0
|
||||
|
@ -89,13 +89,13 @@ ExcludeArch: s390x
|
||||
|
||||
Summary: Mozilla Thunderbird mail/newsgroup client
|
||||
Name: thunderbird
|
||||
Version: 91.6.2
|
||||
Version: 91.7.0
|
||||
Release: 1%{?dist}
|
||||
URL: http://www.mozilla.org/projects/thunderbird/
|
||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||
Source0: https://archive.mozilla.org/pub/thunderbird/releases/%{version}%{?pre_version}/source/thunderbird-%{version}%{?pre_version}.source.tar.xz
|
||||
%if %{build_langpacks}
|
||||
Source1: thunderbird-langpacks-%{version}-20220307.tar.xz
|
||||
Source1: thunderbird-langpacks-%{version}-20220308.tar.xz
|
||||
%endif
|
||||
Source3: get-calendar-langpacks.sh
|
||||
Source4: cbindgen-vendor.tar.xz
|
||||
@ -128,6 +128,11 @@ Patch304: mozilla-1245783.patch
|
||||
Patch402: mozilla-526293.patch
|
||||
Patch406: mozilla-1170092.patch
|
||||
|
||||
# Bundled expat backported patches
|
||||
Patch501: expat-CVE-2022-25235.patch
|
||||
Patch502: expat-CVE-2022-25236.patch
|
||||
Patch503: expat-CVE-2022-25315.patch
|
||||
|
||||
%if %{official_branding}
|
||||
# Required by Mozilla Corporation
|
||||
|
||||
@ -291,6 +296,10 @@ debug %{name}, you want to install %{name}-debuginfo instead.
|
||||
pushd comm
|
||||
popd
|
||||
|
||||
%patch501 -p1 -b .expat-CVE-2022-25235
|
||||
%patch502 -p1 -b .expat-CVE-2022-25236
|
||||
%patch503 -p1 -b .expat-CVE-2022-25315
|
||||
|
||||
%if %{official_branding}
|
||||
# Required by Mozilla Corporation
|
||||
|
||||
@ -720,6 +729,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
||||
#===============================================================================
|
||||
|
||||
%changelog
|
||||
* Tue Mar 15 2022 Eike Rathke <erack@redhat.com> - 91.7.0-1
|
||||
- Update to 91.7.0
|
||||
- plus patches to bundled expat against CVE-2022-25235 CVE-2022-25236 CVE-2022-25315
|
||||
|
||||
* Mon Mar 7 2022 Jan Horak <jhorak@redhat.com> - 91.6.2-1
|
||||
- Update to 91.6.2
|
||||
|
||||
@ -864,7 +877,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
||||
* Fri Mar 13 2020 Jan Horak <jhorak@redhat.com> - 68.6.0-1
|
||||
- Update to 68.6.0 build2
|
||||
|
||||
* Wed Mar 3 2020 David Auer <dreua@posteo.de> - 68.5.0-2
|
||||
* Thu Mar 03 2020 David Auer <dreua@posteo.de> - 68.5.0-2
|
||||
- Fix spellcheck (rhbz#1753011)
|
||||
|
||||
* Thu Feb 13 2020 Jan Horak <jhorak@redhat.com> - 68.5.0-1
|
||||
|
Loading…
Reference in New Issue
Block a user