.gitignore

@@ -2,5 +2,5 @@ SOURCES/cbindgen-vendor.tar.xz
 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
 SOURCES/nss-3.90.0-2.el8_1.src.rpm
 SOURCES/nss-3.90.0-3.el9_0.src.rpm
-SOURCES/thunderbird-115.3.1.processed-source.tar.xz
-SOURCES/thunderbird-langpacks-115.3.1-20230929.tar.xz
+SOURCES/thunderbird-115.9.0.processed-source.tar.xz
+SOURCES/thunderbird-langpacks-115.9.0-20240318.tar.xz

.thunderbird.metadata

@@ -2,5 +2,5 @@ b963b16f6879c5dbe6e33a3a3da058b494453922 SOURCES/cbindgen-vendor.tar.xz
 d744f92e874688cc4b5376477dfdd639a97a6cd4 SOURCES/nspr-4.35.0-1.el8_1.src.rpm
 39d1004f8948186cdaa33bbb90423f6f994bdf6c SOURCES/nss-3.90.0-2.el8_1.src.rpm
 df0dd588680f6ade6728a1fd3ff2d71e7a46255d SOURCES/nss-3.90.0-3.el9_0.src.rpm
-f7fb65ec6b54fd7c652e5ef7f90b2975f6ea47e1 SOURCES/thunderbird-115.3.1.processed-source.tar.xz
-6c731bd5d70d3c84d92848dcf91117307be64418 SOURCES/thunderbird-langpacks-115.3.1-20230929.tar.xz
+cb287fa47bd8bdff66aacb2143a3c244250bae88 SOURCES/thunderbird-115.9.0.processed-source.tar.xz
+12f6297fbc364c63712e13e30d289b37840a865f SOURCES/thunderbird-langpacks-115.9.0-20240318.tar.xz

SOURCES/CVE-2023-44488-libvpx.patch

@@ -0,0 +1,127 @@
+From 263682c9a29395055f3b3afe2d97be1828a6223f Mon Sep 17 00:00:00 2001
+From: Jerome Jiang <jianj@google.com>
+Date: Thu, 30 Jun 2022 13:48:56 -0400
+Subject: [PATCH] Fix bug with smaller width bigger size
+
+Fixed previous patch that clusterfuzz failed on.
+
+Bug: webm:1642
+Change-Id: If0e08e72abd2e042efe4dcfac21e4cc51afdfdb9
+---
+ test/resize_test.cc          | 11 +++--------
+ vp9/common/vp9_alloccommon.c | 13 ++++++-------
+ vp9/encoder/vp9_encoder.c    | 27 +++++++++++++++++++++++++--
+ 3 files changed, 34 insertions(+), 17 deletions(-)
+
+diff --git a/test/resize_test.cc b/test/resize_test.cc
+index fd1c2a92de6..20ad2229b46 100644
+--- a/test/resize_test.cc
++++ b/test/resize_test.cc
+@@ -102,11 +102,8 @@ void ScaleForFrameNumber(unsigned int frame, unsigned int initial_w,
+     if (frame < 30) {
+       return;
+     }
+-    if (frame < 100) {
+-      *w = initial_w * 7 / 10;
+-      *h = initial_h * 16 / 10;
+-      return;
+-    }
++    *w = initial_w * 7 / 10;
++    *h = initial_h * 16 / 10;
+     return;
+   }
+   if (frame < 10) {
+@@ -559,9 +556,7 @@ TEST_P(ResizeRealtimeTest, TestExternalResizeWorks) {
+   }
+ }
+ 
+-// TODO(https://crbug.com/webm/1642): This causes a segfault in
+-// init_encode_frame_mb_context().
+-TEST_P(ResizeRealtimeTest, DISABLED_TestExternalResizeSmallerWidthBiggerSize) {
++TEST_P(ResizeRealtimeTest, TestExternalResizeSmallerWidthBiggerSize) {
+   ResizingVideoSource video;
+   video.flag_codec_ = true;
+   video.smaller_width_larger_size_ = true;
+diff --git a/vp9/common/vp9_alloccommon.c b/vp9/common/vp9_alloccommon.c
+index e53883f621d..9e73e40ea09 100644
+--- a/vp9/common/vp9_alloccommon.c
++++ b/vp9/common/vp9_alloccommon.c
+@@ -135,13 +135,6 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
+     cm->free_mi(cm);
+     if (cm->alloc_mi(cm, new_mi_size)) goto fail;
+   }
+-
+-  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
+-    // Create the segmentation map structure and set to 0.
+-    free_seg_map(cm);
+-    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
+-  }
+-
+   if (cm->above_context_alloc_cols < cm->mi_cols) {
+     vpx_free(cm->above_context);
+     cm->above_context = (ENTROPY_CONTEXT *)vpx_calloc(
+@@ -156,6 +149,12 @@ int vp9_alloc_context_buffers(VP9_COMMON *cm, int width, int height) {
+     cm->above_context_alloc_cols = cm->mi_cols;
+   }
+ 
++  if (cm->seg_map_alloc_size < cm->mi_rows * cm->mi_cols) {
++    // Create the segmentation map structure and set to 0.
++    free_seg_map(cm);
++    if (alloc_seg_map(cm, cm->mi_rows * cm->mi_cols)) goto fail;
++  }
++
+   if (vp9_alloc_loop_filter(cm)) goto fail;
+ 
+   return 0;
+diff --git a/vp9/encoder/vp9_encoder.c b/vp9/encoder/vp9_encoder.c
+index 69a4e3c314f..e3ba294c32f 100644
+--- a/vp9/encoder/vp9_encoder.c
++++ b/vp9/encoder/vp9_encoder.c
+@@ -2047,6 +2047,17 @@ static void alloc_copy_partition_data(VP9_COMP *cpi) {
+   }
+ }
+ 
++static void free_copy_partition_data(VP9_COMP *cpi) {
++  vpx_free(cpi->prev_partition);
++  cpi->prev_partition = NULL;
++  vpx_free(cpi->prev_segment_id);
++  cpi->prev_segment_id = NULL;
++  vpx_free(cpi->prev_variance_low);
++  cpi->prev_variance_low = NULL;
++  vpx_free(cpi->copied_frame_cnt);
++  cpi->copied_frame_cnt = NULL;
++}
++
+ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+   VP9_COMMON *const cm = &cpi->common;
+   RATE_CONTROL *const rc = &cpi->rc;
+@@ -2126,6 +2137,8 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+     new_mi_size = cm->mi_stride * calc_mi_size(cm->mi_rows);
+     if (cm->mi_alloc_size < new_mi_size) {
+       vp9_free_context_buffers(cm);
++      vp9_free_pc_tree(&cpi->td);
++      vpx_free(cpi->mbmi_ext_base);
+       alloc_compressor_data(cpi);
+       realloc_segmentation_maps(cpi);
+       cpi->initial_width = cpi->initial_height = 0;
+@@ -2144,8 +2157,18 @@ void vp9_change_config(struct VP9_COMP *cpi, const VP9EncoderConfig *oxcf) {
+     update_frame_size(cpi);
+ 
+   if (last_w != cpi->oxcf.width || last_h != cpi->oxcf.height) {
+-    memset(cpi->consec_zero_mv, 0,
+-           cm->mi_rows * cm->mi_cols * sizeof(*cpi->consec_zero_mv));
++    vpx_free(cpi->consec_zero_mv);
++    CHECK_MEM_ERROR(
++        &cm->error, cpi->consec_zero_mv,
++        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(*cpi->consec_zero_mv)));
++
++    vpx_free(cpi->skin_map);
++    CHECK_MEM_ERROR(
++        &cm->error, cpi->skin_map,
++        vpx_calloc(cm->mi_rows * cm->mi_cols, sizeof(cpi->skin_map[0])));
++
++    free_copy_partition_data(cpi);
++    alloc_copy_partition_data(cpi);
+     if (cpi->oxcf.aq_mode == CYCLIC_REFRESH_AQ)
+       vp9_cyclic_refresh_reset_resize(cpi);
+     rc->rc_1_frame = 0;

SOURCES/build-rhel7-lower-node-min-version.patch

@@ -1,11 +1,11 @@
---- firefox-102.4.0/python/mozbuild/mozbuild/nodeutil.py.lower-node-min-version	2022-10-10 17:55:56.000000000 +0200
-+++ firefox-102.4.0/python/mozbuild/mozbuild/nodeutil.py	2022-10-17 14:57:47.476182627 +0200
+--- firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py.lower-node-min-version	2024-02-12 21:53:56.000000000 +0200
++++ firefox-115.8.0/python/mozbuild/mozbuild/nodeutil.py	2024-02-14 16:48:12.476182627 +0200
 @@ -13,7 +13,7 @@ from mozboot.util import get_tools_dir
- from mozfile import which
+ from packaging.version import Version
  from six import PY3
  
--NODE_MIN_VERSION = StrictVersion("12.22.12")
-+NODE_MIN_VERSION = StrictVersion("10.24.0")
- NPM_MIN_VERSION = StrictVersion("6.14.16")
+-NODE_MIN_VERSION = Version("12.22.12")
++NODE_MIN_VERSION = Version("10.24.0")
+ NPM_MIN_VERSION = Version("6.14.16")
  
  

SOURCES/expat-CVE-2023-52425.patch

@@ -0,0 +1,375 @@
+# erAck: backport of expat CVE-2023-52425 DoS fix
+# https://github.com/libexpat/libexpat/commit/34b598c5f594b015c513c73f06e7ced3323edbf1
+#
+--- thunderbird-115.9.0/parser/expat/lib/expat.h.expat-CVE-2023-52425	2024-03-11 20:36:11.000000000 +0100
++++ thunderbird-115.9.0/parser/expat/lib/expat.h	2024-03-13 20:46:45.648505015 +0100
+@@ -1045,6 +1045,10 @@ XMLPARSEAPI(const XML_Feature *)
+ XML_GetFeatureList(void);
+ 
+ 
++/* Added in Expat 2.6.0. */
++XMLPARSEAPI(XML_Bool)
++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled);
++
+ /* Expat follows the semantic versioning convention.
+    See http://semver.org.
+ */
+--- thunderbird-115.9.0/parser/expat/lib/internal.h.expat-CVE-2023-52425	2024-03-11 20:36:11.000000000 +0100
++++ thunderbird-115.9.0/parser/expat/lib/internal.h	2024-03-14 00:14:39.334319725 +0100
+@@ -80,6 +80,7 @@
+ # endif
+ #endif
+ 
++#include "expat.h" // so we can use type XML_Parser below
+ 
+ #ifdef __cplusplus
+ extern "C" {
+@@ -90,6 +91,9 @@ void
+ align_limit_to_full_utf8_characters(const char * from, const char ** fromLimRef);
+ 
+ 
++extern XML_Bool g_reparseDeferralEnabledDefault; // written ONLY in runtests.c
++extern unsigned int g_parseAttempts;             // used for testing only
++
+ #ifdef __cplusplus
+ }
+ #endif
+--- thunderbird-115.9.0/parser/expat/lib/xmlparse.c.expat-CVE-2023-52425	2024-03-11 20:36:11.000000000 +0100
++++ thunderbird-115.9.0/parser/expat/lib/xmlparse.c	2024-03-13 22:55:14.844756009 +0100
+@@ -6,6 +6,7 @@
+ 
+ #define _GNU_SOURCE                     /* syscall prototype */
+ 
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <string.h>                     /* memset(), memcpy() */
+ #include <assert.h>
+@@ -89,6 +90,9 @@ typedef char ICHAR;
+ /* Round up n to be a multiple of sz, where sz is a power of 2. */
+ #define ROUND_UP(n, sz) (((n) + ((sz) - 1)) & ~((sz) - 1))
+ 
++/* Do safe (NULL-aware) pointer arithmetic */
++#define EXPAT_SAFE_PTR_DIFF(p, q) (((p) && (q)) ? ((p) - (q)) : 0)
++
+ /* Handle the case where memmove() doesn't exist. */
+ #ifndef HAVE_MEMMOVE
+ #ifdef HAVE_BCOPY
+@@ -98,6 +102,8 @@ typedef char ICHAR;
+ #endif /* HAVE_BCOPY */
+ #endif /* HAVE_MEMMOVE */
+ 
++#define EXPAT_MIN(a, b) (((a) < (b)) ? (a) : (b))
++
+ #include "internal.h"
+ #include "xmltok.h"
+ #include "xmlrole.h"
+@@ -476,6 +482,9 @@ parserInit(XML_Parser parser, const XML_
+    ? 0 \
+    : ((*((pool)->ptr)++ = c), 1))
+ 
++XML_Bool g_reparseDeferralEnabledDefault = XML_TRUE; // write ONLY in runtests.c
++unsigned int g_parseAttempts = 0;                    // used for testing only
++
+ struct XML_ParserStruct {
+   /* The first member must be userData so that the XML_GetUserData
+      macro works. */
+@@ -491,6 +500,9 @@ struct XML_ParserStruct {
+   const char *m_bufferLim;
+   XML_Index m_parseEndByteIndex;
+   const char *m_parseEndPtr;
++  size_t m_partialTokenBytesBefore; /* used in heuristic to avoid O(n^2) */
++  XML_Bool m_reparseDeferralEnabled;
++  int m_lastBufferRequestSize;
+   XML_Char *m_dataBuf;
+   XML_Char *m_dataBufEnd;
+   XML_StartElementHandler m_startElementHandler;
+@@ -647,6 +659,9 @@ struct XML_ParserStruct {
+ #define bufferEnd (parser->m_bufferEnd)
+ #define parseEndByteIndex (parser->m_parseEndByteIndex)
+ #define parseEndPtr (parser->m_parseEndPtr)
++#define partialTokenBytesBefore (parser->m_partialTokenBytesBefore)
++#define reparseDeferralEnabled (parser->m_reparseDeferralEnabled)
++#define lastBufferRequestSize (parser->m_lastBufferRequestSize)
+ #define bufferLim (parser->m_bufferLim)
+ #define dataBuf (parser->m_dataBuf)
+ #define dataBufEnd (parser->m_dataBufEnd)
+@@ -887,6 +902,47 @@ get_hash_secret_salt(XML_Parser parser)
+   return parser->m_hash_secret_salt;
+ }
+ 
++static enum XML_Error
++callProcessor(XML_Parser parser, const char *start, const char *end,
++              const char **endPtr) {
++  const size_t have_now = EXPAT_SAFE_PTR_DIFF(end, start);
++
++  if (parser->m_reparseDeferralEnabled
++      && ! parser->m_parsingStatus.finalBuffer) {
++    // Heuristic: don't try to parse a partial token again until the amount of
++    // available data has increased significantly.
++    const size_t had_before = parser->m_partialTokenBytesBefore;
++    // ...but *do* try anyway if we're close to causing a reallocation.
++    size_t available_buffer
++        = EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer);
++#if XML_CONTEXT_BYTES > 0
++    available_buffer -= EXPAT_MIN(available_buffer, XML_CONTEXT_BYTES);
++#endif
++    available_buffer
++        += EXPAT_SAFE_PTR_DIFF(parser->m_bufferLim, parser->m_bufferEnd);
++    // m_lastBufferRequestSize is never assigned a value < 0, so the cast is ok
++    const bool enough
++        = (have_now >= 2 * had_before)
++          || ((size_t)parser->m_lastBufferRequestSize > available_buffer);
++
++    if (! enough) {
++      *endPtr = start; // callers may expect this to be set
++      return XML_ERROR_NONE;
++    }
++  }
++  g_parseAttempts += 1;
++  const enum XML_Error ret = parser->m_processor(parser, start, end, endPtr);
++  if (ret == XML_ERROR_NONE) {
++    // if we consumed nothing, remember what we had on this parse attempt.
++    if (*endPtr == start) {
++      parser->m_partialTokenBytesBefore = have_now;
++    } else {
++      parser->m_partialTokenBytesBefore = 0;
++    }
++  }
++  return ret;
++}
++
+ static XML_Bool  /* only valid for root parser */
+ startParsing(XML_Parser parser)
+ {
+@@ -1075,6 +1131,9 @@ parserInit(XML_Parser parser, const XML_
+   bufferEnd = buffer;
+   parseEndByteIndex = 0;
+   parseEndPtr = NULL;
++  partialTokenBytesBefore = 0;
++  reparseDeferralEnabled = g_reparseDeferralEnabledDefault;
++  lastBufferRequestSize = 0;
+   declElementType = NULL;
+   declAttributeId = NULL;
+   declEntity = NULL;
+@@ -1232,6 +1291,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+      to worry which hash secrets each table has.
+   */
+   unsigned long oldhash_secret_salt;
++  XML_Bool oldReparseDeferralEnabled;
+ 
+   /* Validate the oldParser parameter before we pull everything out of it */
+   if (oldParser == NULL)
+@@ -1276,6 +1336,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+      to worry which hash secrets each table has.
+   */
+   oldhash_secret_salt = hash_secret_salt;
++  oldReparseDeferralEnabled = reparseDeferralEnabled;
+ 
+ #ifdef XML_DTD
+   if (!context)
+@@ -1330,6 +1391,7 @@ XML_ExternalEntityParserCreate(XML_Parse
+   defaultExpandInternalEntities = oldDefaultExpandInternalEntities;
+   ns_triplets = oldns_triplets;
+   hash_secret_salt = oldhash_secret_salt;
++  reparseDeferralEnabled = oldReparseDeferralEnabled;
+   parentParser = oldParser;
+ #ifdef XML_DTD
+   paramEntityParsing = oldParamEntityParsing;
+@@ -1850,39 +1912,8 @@ XML_Parse(XML_Parser parser, const char
+     ps_parsing = XML_PARSING;
+   }
+ 
+-  if (len == 0) {
+-    ps_finalBuffer = (XML_Bool)isFinal;
+-    if (!isFinal)
+-      return XML_STATUS_OK;
+-    positionPtr = bufferPtr;
+-    parseEndPtr = bufferEnd;
+-
+-    /* If data are left over from last buffer, and we now know that these
+-       data are the final chunk of input, then we have to check them again
+-       to detect errors based on that fact.
+-    */
+-    errorCode = processor(parser, bufferPtr, parseEndPtr, &bufferPtr);
+-
+-    if (errorCode == XML_ERROR_NONE) {
+-      switch (ps_parsing) {
+-      case XML_SUSPENDED:
+-        XmlUpdatePosition(encoding, positionPtr, bufferPtr, &position);
+-        positionPtr = bufferPtr;
+-        return XML_STATUS_SUSPENDED;
+-      case XML_INITIALIZED:
+-      case XML_PARSING:
+-        ps_parsing = XML_FINISHED;
+-        /* fall through */
+-      default:
+-        return XML_STATUS_OK;
+-      }
+-    }
+-    eventEndPtr = eventPtr;
+-    processor = errorProcessor;
+-    return XML_STATUS_ERROR;
+-  }
+ #ifndef XML_CONTEXT_BYTES
+-  else if (bufferPtr == bufferEnd) {
++  if (bufferPtr == bufferEnd) {
+     const char *end;
+     int nLeftOver;
+     enum XML_Status result;
+@@ -1899,11 +1930,14 @@ XML_Parse(XML_Parser parser, const char
+        processor = errorProcessor;
+        return XML_STATUS_ERROR;
+     }
++    // though this isn't a buffer request, we assume that `len` is the app's
++    // preferred buffer fill size, and therefore save it here.
++    lastBufferRequestSize = len;
+     parseEndByteIndex += len;
+     positionPtr = s;
+     ps_finalBuffer = (XML_Bool)isFinal;
+ 
+-    errorCode = processor(parser, s, parseEndPtr = s + len, &end);
++    errorCode = callProcessor(parser, s, parseEndPtr = s + len, &end);
+ 
+     if (errorCode != XML_ERROR_NONE) {
+       eventEndPtr = eventPtr;
+@@ -1930,6 +1964,8 @@ XML_Parse(XML_Parser parser, const char
+     XmlUpdatePosition(encoding, positionPtr, end, &position);
+     nLeftOver = s + len - end;
+     if (nLeftOver) {
++#if 0
++// erAck: replace with XML_GetBuffer() below.
+       if (buffer == NULL || nLeftOver > bufferLim - buffer) {
+         /* avoid _signed_ integer overflow */
+         char *temp = NULL;
+@@ -1939,6 +1975,28 @@ XML_Parse(XML_Parser parser, const char
+                 ? (char *)MALLOC(bytesToAllocate)
+                 : (char *)REALLOC(buffer, bytesToAllocate));
+         }
++#endif
++#if 1
++// erAck: the original patch context had a call to XML_GetBuffer() instead:
++      // Back up and restore the parsing status to avoid XML_ERROR_SUSPENDED
++      // (and XML_ERROR_FINISHED) from XML_GetBuffer.
++      const enum XML_Parsing originalStatus = ps_parsing;
++      ps_parsing = XML_PARSING;
++      void *const temp = XML_GetBuffer(parser, nLeftOver);
++      ps_parsing = originalStatus;
++#endif
++      // GetBuffer may have overwritten this, but we want to remember what the
++      // app requested, not how many bytes were left over after parsing.
++      lastBufferRequestSize = len;
++#if 1
++      if (temp == NULL) {
++        // NOTE: parser->m_errorCode has already been set by XML_GetBuffer().
++        eventPtr = eventEndPtr = NULL;
++        processor = errorProcessor;
++        return XML_STATUS_ERROR;
++      }
++#endif
++#if 0
+         if (temp == NULL) {
+           errorCode = XML_ERROR_NO_MEMORY;
+           eventPtr = eventEndPtr = NULL;
+@@ -1948,6 +2006,7 @@ XML_Parse(XML_Parser parser, const char
+         buffer = temp;
+         bufferLim = buffer + bytesToAllocate;
+       }
++#endif
+       memcpy(buffer, end, nLeftOver);
+     }
+     bufferPtr = buffer;
+@@ -1959,15 +2018,14 @@ XML_Parse(XML_Parser parser, const char
+     return result;
+   }
+ #endif  /* not defined XML_CONTEXT_BYTES */
+-  else {
+-    void *buff = XML_GetBuffer(parser, len);
+-    if (buff == NULL)
+-      return XML_STATUS_ERROR;
+-    else {
+-      memcpy(buff, s, len);
+-      return XML_ParseBuffer(parser, len, isFinal);
+-    }
++  void *buff = XML_GetBuffer(parser, len);
++  if (buff == NULL)
++    return XML_STATUS_ERROR;
++  if (len > 0) {
++    assert(s != NULL); // make sure s==NULL && len!=0 was rejected above
++    memcpy(buff, s, len);
+   }
++  return XML_ParseBuffer(parser, len, isFinal);
+ }
+ 
+ enum XML_Status XMLCALL
+@@ -2001,7 +2059,7 @@ XML_ParseBuffer(XML_Parser parser, int l
+   parseEndByteIndex += len;
+   ps_finalBuffer = (XML_Bool)isFinal;
+ 
+-  errorCode = processor(parser, start, parseEndPtr, &bufferPtr);
++  errorCode = callProcessor(parser, start, parseEndPtr, &bufferPtr);
+ 
+   if (errorCode != XML_ERROR_NONE) {
+     eventEndPtr = eventPtr;
+@@ -2047,7 +2105,11 @@ XML_GetBuffer(XML_Parser parser, int len
+   default: ;
+   }
+ 
+-  if (len > bufferLim - bufferEnd) {
++  // whether or not the request succeeds, `len` seems to be the app's preferred
++  // buffer fill size; remember it.
++  lastBufferRequestSize = len;
++  if (len > EXPAT_SAFE_PTR_DIFF(bufferLim, bufferEnd)
++      || buffer == NULL) {
+ #ifdef XML_CONTEXT_BYTES
+     int keep;
+ #endif  /* defined XML_CONTEXT_BYTES */
+@@ -2063,7 +2125,9 @@ XML_GetBuffer(XML_Parser parser, int len
+       keep = XML_CONTEXT_BYTES;
+     neededSize += keep;
+ #endif  /* defined XML_CONTEXT_BYTES */
+-    if (neededSize  <= bufferLim - buffer) {
++    if (buffer && bufferPtr
++        && neededSize
++               <= EXPAT_SAFE_PTR_DIFF(bufferLim, buffer)) {
+ #ifdef XML_CONTEXT_BYTES
+       if (keep < bufferPtr - buffer) {
+         int offset = (int)(bufferPtr - buffer) - keep;
+@@ -2072,8 +2136,11 @@ XML_GetBuffer(XML_Parser parser, int len
+         bufferPtr -= offset;
+       }
+ #else
+-      memmove(buffer, bufferPtr, bufferEnd - bufferPtr);
+-      bufferEnd = buffer + (bufferEnd - bufferPtr);
++      memmove(buffer, bufferPtr,
++              EXPAT_SAFE_PTR_DIFF(bufferEnd, bufferPtr));
++      bufferEnd
++          = buffer
++            + EXPAT_SAFE_PTR_DIFF(bufferEnd, bufferPtr);
+       bufferPtr = buffer;
+ #endif  /* not defined XML_CONTEXT_BYTES */
+     }
+@@ -2171,7 +2238,7 @@ XML_ResumeParser(XML_Parser parser)
+   }
+   ps_parsing = XML_PARSING;
+ 
+-  errorCode = processor(parser, bufferPtr, parseEndPtr, &bufferPtr);
++  errorCode = callProcessor(parser, bufferPtr, parseEndPtr, &bufferPtr);
+ 
+   if (errorCode != XML_ERROR_NONE) {
+     eventEndPtr = eventPtr;
+@@ -2481,6 +2548,15 @@ MOZ_XML_ProcessingEntityValue(XML_Parser
+ }
+ /* END MOZILLA CHANGE */
+ 
++XML_Bool XMLCALL
++XML_SetReparseDeferralEnabled(XML_Parser parser, XML_Bool enabled) {
++  if (parser != NULL && (enabled == XML_TRUE || enabled == XML_FALSE)) {
++    parser->m_reparseDeferralEnabled = enabled;
++    return XML_TRUE;
++  }
++  return XML_FALSE;
++}
++
+ /* Initially tag->rawName always points into the parse buffer;
+    for those TAG instances opened while the current parse buffer was
+    processed, and not yet closed, we need to store tag->rawName in a more

SOURCES/thunderbird-redhat-default-prefs.js

@@ -2,7 +2,7 @@ pref("app.update.enabled", false);
 pref("app.update.autoInstallEnabled", false);
 /* Allow users to set custom colors*/
 /* pref("browser.display.use_system_colors",   true);*/
-pref("general.useragent.vendor", "AlmaLinux");
+pref("general.useragent.vendor", "Red Hat");
 pref("general.useragent.vendorSub", "THUNDERBIRD_RPM_VR");
 pref("intl.locale.matchOS", true);
 pref("mail.shell.checkDefaultClient", false);

SPECS/thunderbird.spec

@@ -23,7 +23,7 @@ function dist_to_rhel_minor(str, start)
   end
   match = string.match(str, ".el8")
   if match then
-     return 9
+     return 10
   end
   match = string.match(str, ".module%+el9.%d+")
   if match then
@@ -35,7 +35,7 @@ function dist_to_rhel_minor(str, start)
   end
   match = string.match(str, ".el9")
   if match then
-     return 3
+     return 4
   end
   return -1
 end}
@@ -134,8 +134,8 @@ end}
 
 Summary:        Mozilla Thunderbird mail/newsgroup client
 Name:           thunderbird
-Version:        115.3.1
-Release:        1%{?dist}.alma.plus
+Version:        115.9.0
+Release:        1%{?dist}
 URL:            http://www.mozilla.org/projects/thunderbird/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 
@@ -143,14 +143,19 @@ License:        MPLv1.1 or GPLv2+ or LGPLv2+
 ExcludeArch:    %{ix86}
 %endif
 %if 0%{?rhel} == 8
+  # Started to ship on aarch64 in RHEL 8.2, on s390x in RHEL 8.3
   %if %{rhel_minor_version} == 1
-ExcludeArch:    %{ix86} aarch64 s390x
+ExcludeArch:    %{ix86} s390x aarch64
   %else
+    %if %{rhel_minor_version} == 2
+ExcludeArch:    %{ix86} s390x
+    %else
 ExcludeArch:    %{ix86}
+    %endif
   %endif
 %endif
 %if 0%{?rhel} == 7
-ExcludeArch:    aarch64 s390 ppc
+ExcludeArch:    aarch64 s390 ppc ppc64
 %endif
 
 # We can't use the official tarball as it contains some test files that use
@@ -160,7 +165,7 @@ ExcludeArch:    aarch64 s390 ppc
 #Source0:        https://archive.mozilla.org/pub/thunderbird/releases/%%{version}%%{?pre_version}/source/thunderbird-%%{version}%%{?pre_version}.processed-source.tar.xz
 Source0:        thunderbird-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
 %if %{with langpacks}
-Source1:        thunderbird-langpacks-%{version}-20230929.tar.xz
+Source1:        thunderbird-langpacks-%{version}-20240318.tar.xz
 %endif
 Source2:        cbindgen-vendor.tar.xz
 Source3:        process-official-tarball
@@ -213,6 +218,10 @@ Patch154:       firefox-nss-addon-hack.patch
 # ARM run-time patch
 Patch155:       rhbz-1354671.patch
 
+# ---- Security patches ----
+Patch301:       CVE-2023-44488-libvpx.patch
+Patch302:       expat-CVE-2023-52425.patch
+
 # BUILD REQURES/REQUIRES
 %if %{?system_nss} && !0%{?bundle_nss}
 BuildRequires:  pkgconfig(nspr) >= %{nspr_version}
@@ -283,11 +292,9 @@ BuildRequires:  rustfmt >= %{rust_version}
 BuildRequires:  rust >= %{rust_version}
 %endif
 
-Requires:       thunderbird-librnp%{?_isa}
-
 %if 0%{?rhel} == 9
 BuildRequires:  cargo
-BuildRequires:  clang clang-libs llvm
+BuildRequires:  clang clang-libs llvm llvm-devel
 BuildRequires:  gcc
 BuildRequires:  gcc-c++
 BuildRequires:  python3-devel
@@ -887,32 +894,18 @@ Provides: bundled(crate(zeitstempel)) = 0.1.1
 %description
 Mozilla Thunderbird is a standalone mail and newsgroup client.
 
-%package librnp-rnp
-Summary: OpenPGP implementation for Thunderbird based on RNP
-Requires: %{name}%{?_isa} = %{?epoch:%{epoch}:}%{version}-%{release}
-Provides: thunderbird-librnp
-Provides: thunderbird-librnp%{?_isa}
-Conflicts: thunderbird-librnp%{?_isa}
-%description librnp-rnp
-The thunderbird-librnp-rnp package contains an OpenPGP implementation
-based on RNP.
-%files librnp-rnp
-%{mozappdir}/librnp.so
-%{mozappdir}/rnp-cli
-%{mozappdir}/rnpkeys
-
 %prep
 echo "Build environment"
 echo "--------------------------------------------"
-echo "dist                  %{?dist}"
-echo "RHEL 8 minor version: %{?rhel_minor_version}"
-echo "bundle_nss            %{?bundle_nss}"
-echo "system_nss            %{?system_nss}"
-echo "use_rust_ts           %{?use_rust_ts}"
-echo "use_dts               %{?use_dts}"
-echo "use_nodejs_scl        %{?use_nodejs_scl}"
-echo "use_llvm_ts           %{?use_llvm_ts}"
-echo "use_python3_scl       %{?use_python3_scl}"
+echo "dist                %{?dist}"
+echo "RHEL minor version: %{?rhel_minor_version}"
+echo "bundle_nss          %{?bundle_nss}"
+echo "system_nss          %{?system_nss}"
+echo "use_rust_ts         %{?use_rust_ts}"
+echo "use_dts             %{?use_dts}"
+echo "use_nodejs_scl      %{?use_nodejs_scl}"
+echo "use_llvm_ts         %{?use_llvm_ts}"
+echo "use_python3_scl     %{?use_python3_scl}"
 echo "--------------------------------------------"
 
 %setup -q
@@ -961,6 +954,12 @@ echo "--------------------------------------------"
 %patch -P155 -p1 -b .rhbz-1354671
 %endif
 
+# ---- Security patches ----
+cd media/libvpx/libvpx
+%patch -P301 -p1 -b .CVE-2023-44488-libvpx
+cd -
+%patch -P302 -p1 -b .expat-CVE-2023-52425
+
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
 %{__cp} %{SOURCE24} mozilla-api-key
@@ -1022,6 +1021,13 @@ echo "ac_add_options --with-mozilla-api-keyfile=`pwd`/mozilla-api-key" >> .mozco
 echo "ac_add_options --with-google-location-service-api-keyfile=`pwd`/google-loc-api-key" >> .mozconfig
 echo "ac_add_options --with-google-safebrowsing-api-keyfile=`pwd`/google-api-key" >> .mozconfig
 
+# May result in empty --with-libclang-path= in earlier versions.
+# So far this is needed only for c8s/c9s.
+%if (0%{?rhel} == 8 && %{rhel_minor_version} >= 10) || (0%{?rhel} == 9 && %{rhel_minor_version} >= 4)
+# Clang 17 upstream's detection fails, tell it where to look.
+echo "ac_add_options --with-libclang-path=`llvm-config --libdir`" >> .mozconfig
+%endif
+
 echo 'export NODEJS="%{_buildrootdir}/bin/node-stdout-nonblocking-wrapper"' >> .mozconfig
 
 # Remove executable bit to make brp-mangle-shebangs happy.
@@ -1406,18 +1412,16 @@ touch $RPM_BUILD_ROOT%{mozappdir}/components/compreg.dat
 touch $RPM_BUILD_ROOT%{mozappdir}/components/xpti.dat
 
 # Removing librnp.so - we cannot deliver librnp with botan crypto backend RHELs
-# %if !%{?use_openssl_for_librnp}
-# %{__rm} -rf %{buildroot}%{mozappdir}/librnp.so %{buildroot}%{mozappdir}/rnp-cli %{buildroot}%{mozappdir}/rnpkeys
-# %endif
+%if !%{?use_openssl_for_librnp}
+%{__rm} -rf %{buildroot}%{mozappdir}/librnp.so %{buildroot}%{mozappdir}/rnp-cli %{buildroot}%{mozappdir}/rnpkeys
+%endif
 
 # Register as an application to be visible in the software center
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/metainfo
 %{__cp} -p comm/mail/branding/%{name}/net.thunderbird.Thunderbird.appdata.xml $RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml
 sed -i -e 's|<icon .*|<icon type="stock">thunderbird</icon>|' "$RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml"
 
-#===============================================================================
-
-%clean
+# Clean the created bundled rpms.
 rm -rf %{_srcrpmdir}/libffi*.src.rpm
 find %{_rpmdir} -name "libffi*.rpm" -delete
 rm -rf %{_srcrpmdir}/openssl*.src.rpm
@@ -1427,6 +1431,8 @@ find %{_rpmdir} -name "nss*.rpm" -delete
 rm -rf %{_srcrpmdir}/nspr*.src.rpm
 find %{_rpmdir} -name "nspr*.rpm" -delete
 
+#===============================================================================
+
 %post
 update-desktop-database &> /dev/null || :
 touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@@ -1510,11 +1516,33 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #===============================================================================
 
 %changelog
-* Thu Oct 05 2023 Eduard Abdullin <eabdullin@almalinux.org> - 102.15.1-1.alma.plus
-- Enable openpgp
+* Mon Mar 18 2024 Eike Rathke <erack@redhat.com> - 115.9.0-1
+- Update to 115.9.0 build1
+- Fix expat CVE-2023-52425
 
-* Thu Oct 05 2023 Eduard Abdullin <eabdullin@almalinux.org> - 115.3.1-1.alma
-- Debrand for AlmaLinux
+* Mon Feb 19 2024 Eike Rathke <erack@redhat.com> - 115.8.0-1
+- Update to 115.8.0 build1
+
+* Mon Jan 22 2024 Eike Rathke <erack@redhat.com> - 115.7.0-1
+- Update to 115.7.0 build1
+
+* Mon Dec 18 2023 Eike Rathke <erack@redhat.com> - 115.6.0-1
+- Update to 115.6.0 build2
+
+* Tue Nov 21 2023 Eike Rathke <erack@redhat.com> - 115.5.0-1
+- Update to 115.5.0 build1
+
+* Wed Oct 25 2023 Eike Rathke <erack@redhat.com> - 115.4.1-1
+- Update to 115.4.1 build1
+
+* Tue Oct 24 2023 Anton Bobrov <abobrov@redhat.com> - 115.4.0-3
+- Update to 115.4.0 build3
+
+* Sat Oct 21 2023 Eike Rathke <erack@redhat.com> - 115.4.0-2
+- Update to 115.4.0 build2
+
+* Fri Oct 20 2023 Eike Rathke <erack@redhat.com> - 115.4.0-1
+- Update to 115.4.0 build1
 
 * Fri Sep 29 2023 Eike Rathke <erack@redhat.com> - 115.3.1-1
 - Update to 115.3.1 build1
@@ -1527,6 +1555,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 * Thu May 04 2023 Eike Rathke <erack@redhat.com> - 102.11.0-1
 - Update to 102.11.0 build1
+
 * Tue Apr 11 2023 Eike Rathke <erack@redhat.com> - 102.10.0-2
 - Update to 102.10.0 build2
 
@@ -1535,13 +1564,16 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 * Mon Mar 13 2023 Eike Rathke <erack@redhat.com> - 102.9.0-2
 - Update to 102.9.0 build1
+
 * Wed Feb 15 2023 Eike Rathke <erack@redhat.com> - 102.8.0-2
 - Update to 102.8.0 build2
+
 * Fri Feb 10 2023 Eike Rathke <erack@redhat.com> - 102.8.0-1
 - Update to 102.8.0 build1
 
 * Tue Jan 31 2023 Eike Rathke <erack@redhat.com> - 102.7.1-2
 - Update to 102.7.1 build2
+
 * Tue Jan 24 2023 Eike Rathke <erack@redhat.com> - 102.7.1-1
 - Update to 102.7.1 build1
 
@@ -1550,6 +1582,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 * Tue Dec 13 2022 Eike Rathke <erack@redhat.com> - 102.6.0-2
 - Update to 102.6.0 build2
+
 * Fri Dec 09 2022 Eike Rathke <erack@redhat.com> - 102.6.0-1
 - Update to 102.6.0 build1
 
@@ -1558,6 +1591,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
 * Tue Nov 15 2022 Eike Rathke <erack@redhat.com> - 102.5.0-2
 - Update to 102.5.0 build2
+
 * Fri Nov 11 2022 Eike Rathke <erack@redhat.com> - 102.5.0-1
 - Update to 102.5.0 build1