diff --git a/cbindgen-vendor.tar.xz b/cbindgen-vendor.tar.xz deleted file mode 100644 index c429578cdb021576b0a5b32e67feddfb16827ee5..0000000000000000000000000000000000000000 Binary files a/cbindgen-vendor.tar.xz and /dev/null differ diff --git a/download b/download new file mode 100644 index 0000000000000000000000000000000000000000..673ec0b43454d5a10356f5769e544ec8fad363f5 --- /dev/null +++ b/download @@ -0,0 +1,5 @@ +9030c1f285ee079a4c386e525e57a2b1 cbindgen-vendor.tar.xz +5b7e3326f4484ce1ab685e74f8477a26 nspr-4.32.0-1.el8_1.src.rpm +770fbbfb259e656b8f3879934137d10c nss-3.67.0-7.el8_1.src.rpm +decbd451b2ad766e001af9bf99e75548 thunderbird-91.7.0.processed-source.tar.xz +4aaa4c730658fc8b60372812053b874e thunderbird-langpacks-91.7.0-20220308.tar.xz diff --git a/expat-CVE-2022-25235.patch b/expat-CVE-2022-25235.patch new file mode 100644 index 0000000000000000000000000000000000000000..ac495b151c5c10255892bb232e3f389d1f906234 --- /dev/null +++ b/expat-CVE-2022-25235.patch @@ -0,0 +1,49 @@ +diff -up thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok.c +--- thunderbird-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 2022-03-02 17:57:38.364361168 +0100 ++++ thunderbird-91.7.0/parser/expat/lib/xmltok.c 2022-03-02 17:58:22.235512399 +0100 +@@ -65,13 +65,6 @@ + + ((((byte)[2]) >> 5) & 1)] \ + & (1u << (((byte)[2]) & 0x1F))) + +-#define UTF8_GET_NAMING(pages, p, n) \ +- ((n) == 2 \ +- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \ +- : ((n) == 3 \ +- ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \ +- : 0)) +- + /* Detection of invalid UTF-8 sequences is based on Table 3.1B + of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/ + with the additional restriction of not allowing the Unicode +diff -up thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c +--- thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 2022-03-02 17:57:38.365361172 +0100 ++++ thunderbird-91.7.0/parser/expat/lib/xmltok_impl.c 2022-03-02 18:04:51.240853247 +0100 +@@ -34,7 +34,7 @@ + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NAME_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -62,7 +62,7 @@ + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ ++ if (IS_INVALID_CHAR(enc, ptr, n)) { \ ++ *nextTokPtr = ptr; \ ++ return XML_TOK_INVALID; \ ++ } \ + if (IS_NMSTRT_CHAR(enc, ptr, n)) { \ + ptr += n; \ + tok = XML_TOK_NAME; \ diff --git a/expat-CVE-2022-25236.patch b/expat-CVE-2022-25236.patch new file mode 100644 index 0000000000000000000000000000000000000000..84cafd27b767c02e4a4580a9fa7cc01b3bb97579 --- /dev/null +++ b/expat-CVE-2022-25236.patch @@ -0,0 +1,40 @@ +diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 thunderbird-91.7.0/parser/expat/lib/xmlparse.c +--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100 ++++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100 +@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin + XML_Parser XMLCALL + XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) + { +- XML_Char tmp[2]; +- *tmp = nsSep; ++ XML_Char tmp[2] = {nsSep, 0}; + return XML_ParserCreate_MM(encodingName, NULL, tmp); + } + #endif +@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse + would be otherwise. + */ + if (ns) { +- XML_Char tmp[2]; +- *tmp = namespaceSeparator; ++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0}; + parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd); + } + else { +@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr + if (!mustBeXML && isXMLNS + && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) + isXMLNS = XML_FALSE; ++ // NOTE: While Expat does not validate namespace URIs against RFC 3986, ++ // we have to at least make sure that the XML processor on top of ++ // Expat (that is splitting tag names by namespace separator into ++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused ++ // by an attacker putting additional namespace separator characters ++ // into namespace declarations. That would be ambiguous and not to ++ // be expected. ++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { ++ return XML_ERROR_SYNTAX; ++ } + } + isXML = isXML && len == xmlLen; + isXMLNS = isXMLNS && len == xmlnsLen; diff --git a/expat-CVE-2022-25315.patch b/expat-CVE-2022-25315.patch new file mode 100644 index 0000000000000000000000000000000000000000..4d4efb7977313fe084fb1ddf83c764770dfbd650 --- /dev/null +++ b/expat-CVE-2022-25315.patch @@ -0,0 +1,24 @@ +diff -up thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 thunderbird-91.7.0/parser/expat/lib/xmlparse.c +--- thunderbird-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 2022-03-02 18:17:50.966583254 +0100 ++++ thunderbird-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:19:27.636924735 +0100 +@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser) + while (tag) { + int bufSize; + int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); ++ size_t rawNameLen; + char *rawNameBuf = tag->buf + nameLen; + /* Stop if already stored. Since tagStack is a stack, we can stop + at the first entry that has already been copied; everything +@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser) + /* For re-use purposes we need to ensure that the + size of tag->buf is a multiple of sizeof(XML_Char). + */ +- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ /* Detect and prevent integer overflow. */ ++ if (rawNameLen > (size_t)INT_MAX - nameLen) ++ return XML_FALSE; ++ bufSize = nameLen + (int)rawNameLen; + if (bufSize > tag->bufEnd - tag->buf) { + char *temp = (char *)REALLOC(tag->buf, bufSize); + if (temp == NULL) diff --git a/nspr-4.32.0-1.el8_1.src.rpm b/nspr-4.32.0-1.el8_1.src.rpm deleted file mode 100644 index e7d0296f49bc259b9f70315fd2751e4bee7d67e3..0000000000000000000000000000000000000000 Binary files a/nspr-4.32.0-1.el8_1.src.rpm and /dev/null differ diff --git a/nss-3.67.0-7.el8_1.src.rpm b/nss-3.67.0-7.el8_1.src.rpm deleted file mode 100644 index 1fcafc06c7876b1813718f72eb5e6e3f153d9203..0000000000000000000000000000000000000000 Binary files a/nss-3.67.0-7.el8_1.src.rpm and /dev/null differ diff --git a/thunderbird-91.6.0.processed-source.tar.xz b/thunderbird-91.6.0.processed-source.tar.xz deleted file mode 100644 index 129cdf9fd2aaf1820f7ebd8d28e94aeb848be825..0000000000000000000000000000000000000000 --- a/thunderbird-91.6.0.processed-source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c3b5ed97f2b1f7f08331e83d5917a6e86abed62c158eae462ff615f57d709ad6 -size 410308696 diff --git a/thunderbird-langpacks-91.6.0-20220207.tar.xz b/thunderbird-langpacks-91.6.0-20220207.tar.xz deleted file mode 100644 index 1f6b92cee37f57d22e7c3ce06cd3cb96b957341d..0000000000000000000000000000000000000000 Binary files a/thunderbird-langpacks-91.6.0-20220207.tar.xz and /dev/null differ diff --git a/thunderbird-anolis-default-prefs.js.el7 b/thunderbird-redhat-default-prefs.js.rhel7 similarity index 96% rename from thunderbird-anolis-default-prefs.js.el7 rename to thunderbird-redhat-default-prefs.js.rhel7 index a3f8698dd8f69bc5b3dc1f79feeb3dee741f168e..4d01b7833b018d0bf5fe31dab6d5e578aadc53ec 100644 --- a/thunderbird-anolis-default-prefs.js.el7 +++ b/thunderbird-redhat-default-prefs.js.rhel7 @@ -2,7 +2,7 @@ pref("app.update.enabled", false); pref("app.update.autoInstallEnabled", false); /* Allow users to set custom colors*/ /* pref("browser.display.use_system_colors", true);*/ -pref("general.useragent.vendor", "Anolis OS"); +pref("general.useragent.vendor", "Red Hat"); pref("general.useragent.vendorSub", "THUNDERBIRD_RPM_VR"); pref("intl.locale.matchOS", true); pref("mail.shell.checkDefaultClient", false); diff --git a/thunderbird.spec b/thunderbird.spec index 649297af1411c4e28a5998ec888c1a1b665ccf3c..20b78496647ed175edd7de9b172678b75c53a5a3 100644 --- a/thunderbird.spec +++ b/thunderbird.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 # Set for local builds only %global disable_toolsets 0 @@ -129,8 +128,8 @@ end} %global build_langpacks 1 Summary: Mozilla Thunderbird mail/newsgroup client Name: thunderbird -Version: 91.6.0 -Release: 1%{anolis_release}%{?dist} +Version: 91.7.0 +Release: 2%{?dist} URL: http://www.mozilla.org/projects/thunderbird/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Group: Applications/Internet @@ -146,17 +145,17 @@ ExcludeArch: %{ix86} %endif %endif %if 0%{?rhel} == 7 -ExcludeArch: s390 ppc +ExcludeArch: aarch64 s390 ppc %endif # We can't use the official tarball as it contains some test files that use -# licenses that are rejected by Anolis Legal. +# licenses that are rejected by Red Hat Legal. # The official tarball has to be always processed by the process-official-tarball # script. # Link to official tarball: https://archive.mozilla.org/pub/thunderbird/releases/%%{version}%%{?pre_version}/source/thunderbird-%%{version}%%{?pre_version}.source.tar.xz Source0: thunderbird-%{version}%{?pre_version}.processed-source.tar.xz %if %{build_langpacks} -Source1: thunderbird-langpacks-%{version}%{?ext_version}-20220207.tar.xz +Source1: thunderbird-langpacks-%{version}%{?ext_version}-20220308.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: get-calendar-langpacks.sh @@ -168,7 +167,7 @@ Source21: thunderbird.sh.in Source24: mozilla-api-key Source27: google-api-key Source28: node-stdout-nonblocking-wrapper -Source701: thunderbird-anolis-default-prefs.js.el7 +Source701: thunderbird-redhat-default-prefs.js.rhel7 Source403: nss-3.67.0-7.el8_1.src.rpm Source401: nss-setup-flags-env.inc @@ -203,6 +202,9 @@ Patch512: mozilla-bmo849632.patch Patch513: mozilla-bmo998749.patch Patch514: mozilla-s390x-skia-gradient.patch Patch515: mozilla-bmo1626236.patch +Patch516: expat-CVE-2022-25235.patch +Patch517: expat-CVE-2022-25236.patch +Patch518: expat-CVE-2022-25315.patch %if %{?system_nss} %if !0%{?bundle_nss} @@ -429,6 +431,9 @@ echo "use_rustts %{?use_rustts}" %patch513 -p1 -b .mozilla-bmo998749 %patch514 -p1 -b .mozilla-s390x-skia-gradient %patch515 -p1 -b .mozilla-bmo1626236 +%patch516 -p1 -b .expat-CVE-2022-25235 +%patch517 -p1 -b .expat-CVE-2022-25236 +%patch518 -p1 -b .expat-CVE-2022-25315 %patch237 -p1 -b .disable-openpgp-in-thunderbird @@ -869,9 +874,9 @@ ls %{_buildrootdir} export MACH_USE_SYSTEM_PYTHON=1 %if 0%{?use_llvmts} #scl enable llvm-toolset-%{llvm_version} './mach build -v' - ./mach build -v + ./mach build -v || exit 1 %else - ./mach build -v + ./mach build -v || exit 1 %endif # Look for the reason we get: /usr/lib/rpm/debugedit: canonicalization unexpectedly shrank by one character readelf -wl objdir/dist/bin/libxul.so | grep "/" @@ -1118,8 +1123,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #=============================================================================== %changelog -* Wed Feb 16 2022 Liwei Ge - 91.6.0-1.0.1 -- Rebrand for Anolis +* Tue Mar 08 2022 Eike Rathke - 91.7.0-2 +- Update to 91.7.0 build2 + +* Thu Mar 03 2022 Eike Rathke - 91.7.0-1 +- Update to 91.7.0 build1 * Mon Feb 07 2022 Eike Rathke - 91.6.0-1 - Update to 91.6.0 build1