rpms
/
thunderbird
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import thunderbird-91.7.0-2.el8

This commit is contained in:
CentOS Sources 2022-03-24 09:18:03 +00:00 committed by Stepan Oksanichenko
parent ad56af3fc0
commit 731f6dc309
6 changed files with 153 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -1,5 +1,5 @@
SOURCES/cbindgen-vendor.tar.xz
SOURCES/nspr-4.32.0-1.el8_1.src.rpm
SOURCES/nss-3.67.0-7.el8_1.src.rpm
SOURCES/thunderbird-91.4.0.processed-source.tar.xz
SOURCES/thunderbird-langpacks-91.4.0-20211201.tar.xz
SOURCES/thunderbird-91.7.0.processed-source.tar.xz
SOURCES/thunderbird-langpacks-91.7.0-20220308.tar.xz

4
.thunderbird.metadata
View File

@ -1,5 +1,5 @@
c822547dbc12e2baebdfdfb38b665e23f0c2513a SOURCES/cbindgen-vendor.tar.xz
b5fd1332d8e0d37339ae170c7bebcb63a40b22e0 SOURCES/nspr-4.32.0-1.el8_1.src.rpm
8fff814901e03c2518ede2f8992d898f5ba61ed9 SOURCES/nss-3.67.0-7.el8_1.src.rpm
d24c56caa08e29c90b8e1872fa94d7413218b347 SOURCES/thunderbird-91.4.0.processed-source.tar.xz
b31f3a5df2446bf64e16ffe88b0bb5e0e981249e SOURCES/thunderbird-langpacks-91.4.0-20211201.tar.xz
0d9dea815661a0ad101d2fd758be855a542f2797 SOURCES/thunderbird-91.7.0.processed-source.tar.xz
eab467b27d7ff768518cbb6ee38cc8b1ab793920 SOURCES/thunderbird-langpacks-91.7.0-20220308.tar.xz

49
SOURCES/expat-CVE-2022-25235.patch Normal file
View File

@ -0,0 +1,49 @@
diff -up thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok.c
--- thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 2022-03-02 17:57:38.364361168 +0100
+++ thunderbird-91.7.0/parser/expat/lib/xmltok.c 2022-03-02 17:58:22.235512399 +0100
@@ -65,13 +65,6 @@
+ ((((byte)[2]) >> 5) & 1)] \
& (1u << (((byte)[2]) & 0x1F)))
-#define UTF8_GET_NAMING(pages, p, n) \
- ((n) == 2 \
- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \
- : ((n) == 3 \
- ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \
- : 0))
-
/* Detection of invalid UTF-8 sequences is based on Table 3.1B
of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/
with the additional restriction of not allowing the Unicode
diff -up thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c
--- thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 2022-03-02 17:57:38.365361172 +0100
+++ thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c 2022-03-02 18:04:51.240853247 +0100
@@ -34,7 +34,7 @@
case BT_LEAD ## n: \
if (end - ptr < n) \
return XML_TOK_PARTIAL_CHAR; \
- if (!IS_NAME_CHAR(enc, ptr, n)) { \
+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \
*nextTokPtr = ptr; \
return XML_TOK_INVALID; \
} \
@@ -62,7 +62,7 @@
case BT_LEAD ## n: \
if (end - ptr < n) \
return XML_TOK_PARTIAL_CHAR; \
- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \
+ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \
*nextTokPtr = ptr; \
return XML_TOK_INVALID; \
} \
@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c
case BT_LEAD ## n: \
if (end - ptr < n) \
return XML_TOK_PARTIAL_CHAR; \
+ if (IS_INVALID_CHAR(enc, ptr, n)) { \
+ *nextTokPtr = ptr; \
+ return XML_TOK_INVALID; \
+ } \
if (IS_NMSTRT_CHAR(enc, ptr, n)) { \
ptr += n; \
tok = XML_TOK_NAME; \

40
SOURCES/expat-CVE-2022-25236.patch Normal file
View File

@ -0,0 +1,40 @@
diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100
+++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100
@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin
XML_Parser XMLCALL
XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep)
{
- XML_Char tmp[2];
- *tmp = nsSep;
+ XML_Char tmp[2] = {nsSep, 0};
return XML_ParserCreate_MM(encodingName, NULL, tmp);
}
#endif
@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse
would be otherwise.
*/
if (ns) {
- XML_Char tmp[2];
- *tmp = namespaceSeparator;
+ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0};
parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd);
}
else {
@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr
if (!mustBeXML && isXMLNS
&& (len > xmlnsLen || uri[len] != xmlnsNamespace[len]))
isXMLNS = XML_FALSE;
+ // NOTE: While Expat does not validate namespace URIs against RFC 3986,
+ // we have to at least make sure that the XML processor on top of
+ // Expat (that is splitting tag names by namespace separator into
+ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused
+ // by an attacker putting additional namespace separator characters
+ // into namespace declarations. That would be ambiguous and not to
+ // be expected.
+ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) {
+ return XML_ERROR_SYNTAX;
+ }
}
isXML = isXML && len == xmlLen;
isXMLNS = isXMLNS && len == xmlnsLen;

24
SOURCES/expat-CVE-2022-25315.patch Normal file
View File

@ -0,0 +1,24 @@
diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 thunderbird-91.7.0/parser/expat/lib/xmlparse.c
--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 2022-03-02 18:17:50.966583254 +0100
+++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:19:27.636924735 +0100
@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser)
while (tag) {
int bufSize;
int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1);
+ size_t rawNameLen;
char *rawNameBuf = tag->buf + nameLen;
/* Stop if already stored. Since tagStack is a stack, we can stop
at the first entry that has already been copied; everything
@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser)
/* For re-use purposes we need to ensure that the
size of tag->buf is a multiple of sizeof(XML_Char).
*/
- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
+ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char));
+ /* Detect and prevent integer overflow. */
+ if (rawNameLen > (size_t)INT_MAX - nameLen)
+ return XML_FALSE;
+ bufSize = nameLen + (int)rawNameLen;
if (bufSize > tag->bufEnd - tag->buf) {
char *temp = (char *)REALLOC(tag->buf, bufSize);
if (temp == NULL)

84
SPECS/thunderbird.spec
View File

@ -128,8 +128,8 @@ end}
%global build_langpacks 1
Summary: Mozilla Thunderbird mail/newsgroup client
Name: thunderbird
Version: 91.4.0
Release: 1%{?dist}
Version: 91.7.0
Release: 2%{?dist}
URL: http://www.mozilla.org/projects/thunderbird/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Group: Applications/Internet
@ -138,10 +138,14 @@ Group: Applications/Internet
ExcludeArch: %{ix86}
%endif
%if 0%{?rhel} == 8
%if %{rhel_minor_version} == 1
ExcludeArch: %{ix86} aarch64 s390x
%else
ExcludeArch: %{ix86}
%endif
%endif
%if 0%{?rhel} == 7
ExcludeArch: s390 ppc
ExcludeArch: aarch64 s390 ppc
%endif
# We can't use the official tarball as it contains some test files that use
@ -151,7 +155,7 @@ ExcludeArch: s390 ppc
# Link to official tarball: https://archive.mozilla.org/pub/thunderbird/releases/%%{version}%%{?pre_version}/source/thunderbird-%%{version}%%{?pre_version}.source.tar.xz
Source0: thunderbird-%{version}%{?pre_version}.processed-source.tar.xz
%if %{build_langpacks}
Source1: thunderbird-langpacks-%{version}%{?ext_version}-20211201.tar.xz
Source1: thunderbird-langpacks-%{version}%{?ext_version}-20220308.tar.xz
%endif
Source2: cbindgen-vendor.tar.xz
Source3: get-calendar-langpacks.sh
@ -199,6 +203,9 @@ Patch512: mozilla-bmo849632.patch
Patch513: mozilla-bmo998749.patch
Patch514: mozilla-s390x-skia-gradient.patch
Patch515: mozilla-bmo1626236.patch
Patch516: expat-CVE-2022-25235.patch
Patch517: expat-CVE-2022-25236.patch
Patch518: expat-CVE-2022-25315.patch
%if %{?system_nss}
%if !0%{?bundle_nss}
@ -425,6 +432,9 @@ echo "use_rustts %{?use_rustts}"
%patch513 -p1 -b .mozilla-bmo998749
%patch514 -p1 -b .mozilla-s390x-skia-gradient
%patch515 -p1 -b .mozilla-bmo1626236
%patch516 -p1 -b .expat-CVE-2022-25235
%patch517 -p1 -b .expat-CVE-2022-25236
%patch518 -p1 -b .expat-CVE-2022-25315
%patch237 -p1 -b .disable-openpgp-in-thunderbird
@ -630,7 +640,7 @@ function build_bundled_package() {
echo $PKG_CONFIG_PATH
rpm -ivh %{SOURCE403}
rpmbuild --nodeps --define '_prefix %{bundled_install_path}' -ba %{_specdir}/nss.spec
rpmbuild --nodeps --define '_prefix %{bundled_install_path}' --without=tests -ba %{_specdir}/nss.spec
pushd %{_buildrootdir}
#cleanup
#rm -rf {_buildrootdir}/usr/lib/debug/*
@ -865,9 +875,9 @@ ls %{_buildrootdir}
export MACH_USE_SYSTEM_PYTHON=1
%if 0%{?use_llvmts}
#scl enable llvm-toolset-%{llvm_version} './mach build -v'
./mach build -v
./mach build -v || exit 1
%else
./mach build -v
./mach build -v || exit 1
%endif
# Look for the reason we get: /usr/lib/rpm/debugedit: canonicalization unexpectedly shrank by one character
readelf -wl objdir/dist/bin/libxul.so | grep "/"
@ -1019,47 +1029,10 @@ rm -rf %{_prefix}/lib/debug/lib64/%{name}-devel-*
#
# See http://www.freedesktop.org/software/appstream/docs/ for more details.
#
%{__mkdir_p} %{buildroot}%{_datadir}/appdata
cat > %{buildroot}%{_datadir}/appdata/%{name}.appdata.xml <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright 2014 Richard Hughes <richard@hughsie.com> -->
<!--
BugReportURL: https://bugzilla.mozilla.org/show_bug.cgi?id=1071065
SentUpstream: 2014-09-22
-->
<application>
<id type="desktop">mozilla-thunderbird.desktop</id>
<metadata_license>CC0-1.0</metadata_license>
<project_license>MPLv1.1 or GPLv2+ or LGPLv2+</project_license>
<description>
<p>
Thunderbird is an email client that allows you to read, write and organise all
of your email messages. It is compatible with most email accounts, including the
most popular webmail services.
</p>
<p>
Thunderbird is designed by Mozilla, a global community working together to make
the Internet better. Mozilla believe that the Internet should be open, public,
and accessible to everyone without any restrictions.
</p>
<ul>
<li>Easier than ever to set up a new e-mail account</li>
<li>Awesome search allows you to find your messages fast</li>
<li>Thousands of add-ons give you the freedom to make Thunderbird your own</li>
</ul>
</description>
<url type="homepage">http://www.mozilla.org/thunderbird/</url>
<screenshots>
<screenshot type="default">https://raw.githubusercontent.com/hughsie/fedora-appstream/master/screenshots-extra/mozilla-thunderbird/a.png</screenshot>
</screenshots>
<releases>
<release version="%{version}" date="$(date '+%F')"/>
</releases>
<!-- FIXME: change this to an upstream email address for spec updates
<updatecontact>someone_who_cares@upstream_project.org</updatecontact>
-->
</application>
EOF
# Register as an application to be visible in the software center
mkdir -p $RPM_BUILD_ROOT%{_datadir}/appdata
%{__cp} -p comm/mail/branding/%{name}/net.thunderbird.Thunderbird.appdata.xml $RPM_BUILD_ROOT%{_datadir}/appdata/thunderbird.appdata.xml
#---------------------------------------------------------------------
@ -1151,6 +1124,21 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#===============================================================================
%changelog
* Tue Mar 08 2022 Eike Rathke <erack@redhat.com> - 91.7.0-2
- Update to 91.7.0 build2
* Thu Mar 03 2022 Eike Rathke <erack@redhat.com> - 91.7.0-1
- Update to 91.7.0 build1
* Mon Feb 07 2022 Eike Rathke <erack@redhat.com> - 91.6.0-1
- Update to 91.6.0 build1
* Fri Jan 07 2022 Eike Rathke <erack@redhat.com> - 91.5.0-1
- Update to 91.5.0 build1
* Mon Dec 06 2021 Eike Rathke <erack@redhat.com> - 91.4.0-2
- Update to 91.4.0 build2
* Wed Dec 01 2021 Eike Rathke <erack@redhat.com> - 91.4.0-1
- Update to 91.4.0 build1