
Bug#926283: unblock: thunderbird/1:60.6.1-1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package thunderbird

The package Thunderbird got the usual update to a new ESR version with
an update to 60.6.1.
This update fixes some known CVEs.

The changes to the packaging can be seen within the following diff output:

diff -puNr thunderbird-60.5.1/debian/changelog thunderbird-60.6.1/debian/changelog
--- thunderbird-60.5.1/debian/changelog	2019-02-14 20:01:03.000000000 +0100
+++ thunderbird-60.6.1/debian/changelog	2019-03-27 18:22:51.000000000 +0100
@@ -1,3 +1,32 @@
+thunderbird (1:60.6.1-1) unstable; urgency=medium
+
+  [ intrigeri ]
+  * [2013645] d/rules: drop useless usage of dpkg-parsechangelog
+
+  [ Carsten Schoenert ]
+  * [daf1252] New upstream version 60.6.1
+    Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11)
+    CVE-2019-9790: Use-after-free when removing in-use DOM elements
+    CVE-2019-9791: Type inference is incorrect for constructors entered 
+                   through on-stack replacement with IonMonkey
+    CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
+    CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
+    CVE-2019-9794: Command line arguments not discarded during execution
+    CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
+    CVE-2019-9796: Use-after-free with SMIL animation controller
+    CVE-2018-18506: Proxy Auto-Configuration file can define localhost access
+                    to be proxied
+    CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6,
+                   and Thunderbird 60.6
+    Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12)
+    CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
+    CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
+  * [f88a505] rebuild patch queue from patch-queue branch
+    added patch:
+    fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
+
+ -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 27 Mar 2019 18:22:51 +0100
+
 thunderbird (1:60.5.1-1) unstable; urgency=medium
 
   [ Alexander Nitsch ]
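
Review bot: the new 1:60.6.1-1 entry is uploaded with urgency=medium although it lists use-after-free and IonMonkey type-confusion CVEs from MFSA 2019-11 and MFSA 2019-12. If quick migration to testing is the goal of this unblock, either upload security fixes like these with urgency=high or ask for reduced age-days in the request. There is also a trailing space after "entered" on the CVE-2019-9791 line.
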
diff -puNr thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
--- thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch	2019-03-26 21:53:39.000000000 +0100
@@ -8,10 +8,10 @@ Subject: stop configure if '--with-syste
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/old-configure.in b/old-configure.in
-index f78c54d..506c08e 100644
+index 8ac71d1..5769ef6 100644
 --- a/old-configure.in
 +++ b/old-configure.in
-@@ -1825,7 +1825,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then
+@@ -1826,7 +1826,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then
      MOZ_SYSTEM_BZ2=
  else
      AC_CHECK_LIB(bz2, BZ2_bzread, [MOZ_SYSTEM_BZ2=1 MOZ_BZ2_LIBS="-lbz2"],
diff -puNr thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
--- thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch	1970-01-01 01:00:00.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch	2019-03-26 21:53:39.000000000 +0100
@@ -0,0 +1,49 @@
+From: Rob Lemley <rob@thunderbird.net>
+Date: Thu, 21 Feb 2019 15:14:17 -0500
+Subject: Bug 1526744 - find-dupes.py: Calculate md5 by chunk.
+
+Read the file in chunks and use md5.update() rather than reading the entire
+file into RAM and calculating the hash all at once. This prevents out of memory
+errors on build systems with low RAM.
+---
+ toolkit/mozapps/installer/find-dupes.py | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/toolkit/mozapps/installer/find-dupes.py b/toolkit/mozapps/installer/find-dupes.py
+index 3935b79..0ff7efc 100644
+--- a/toolkit/mozapps/installer/find-dupes.py
++++ b/toolkit/mozapps/installer/find-dupes.py
+@@ -39,19 +39,29 @@ def is_l10n_file(path):
+ def normalize_path(p):
+     return normalize_osx_path(p)
+ 
++def md5hash_size(fp, chunk_size=1024*10):
++    md5 = hashlib.md5()
++    size = 0
++    while True:
++        data = fp.read(chunk_size)
++        if not data:
++            break
++        md5.update(data)
++        size += len(data)
++
++    return md5.digest(), size
+ 
+ def find_dupes(source, allowed_dupes, bail=True):
+     allowed_dupes = set(allowed_dupes)
+     md5s = OrderedDict()
+     for p, f in UnpackFinder(source):
+-        content = f.open().read()
+-        m = hashlib.md5(content).digest()
++        m, content_size = md5hash_size(f.open())
+         if m not in md5s:
+             if isinstance(f, DeflatedFile):
+                 compressed = f.file.compressed_size
+             else:
+-                compressed = len(content)
+-            md5s[m] = (len(content), compressed, [])
++                compressed = content_size
++            md5s[m] = (content_size, compressed, [])
+         md5s[m][2].append(p)
+     total = 0
+     total_compressed = 0
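
Review bot: in find_dupes, the handle returned by f.open() is passed straight into md5hash_size() and never closed. Since the read is now a loop in a helper, consider keeping the handle in a variable and closing it after hashing, so that a large tree does not leave handles open until garbage collection. md5hash_size() also has no docstring saying it returns (digest, size), and the default chunk_size of 1024*10 (10 KiB) is small; a value around 1 MiB would cut the number of read() calls while still bounding memory. MD5 is used here only as a fingerprint for duplicate content, which is adequate for that purpose.
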
diff -puNr thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
--- thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch	2019-03-26 21:53:39.000000000 +0100
@@ -59,10 +59,10 @@ index 112b6a1..0000000
 -
 -#endif  // mozilla_LinuxSignal_h
 diff --git a/mfbt/moz.build b/mfbt/moz.build
-index 81c4a42..fb43cc6 100644
+index 87c7d3f..587dbc5 100644
 --- a/mfbt/moz.build
 +++ b/mfbt/moz.build
-@@ -129,10 +129,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
+@@ -120,10 +120,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
      EXPORTS.mozilla += [
          'WindowsVersion.h',
      ]
@@ -74,7 +74,7 @@ index 81c4a42..fb43cc6 100644
  UNIFIED_SOURCES += [
      'Assertions.cpp',
 diff --git a/tools/profiler/core/platform-linux-android.cpp b/tools/profiler/core/platform-linux-android.cpp
-index 119ce9f..352dd9a 100644
+index 09eb943..79f0067 100644
 --- a/tools/profiler/core/platform-linux-android.cpp
 +++ b/tools/profiler/core/platform-linux-android.cpp
 @@ -60,7 +60,6 @@
diff -puNr thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
--- thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch	2019-03-26 21:53:39.000000000 +0100
@@ -209,12 +209,12 @@ index 1c7eca0..661387b 100644
      if (!CrashReporter::CreateNotificationPipeForChild(&childCrashFd,
                                                         &childCrashRemapFd)) {
 diff --git a/js/src/wasm/WasmSignalHandlers.cpp b/js/src/wasm/WasmSignalHandlers.cpp
-index bc28491..0d89430 100644
+index 70f1517..8bf475d 100644
 --- a/js/src/wasm/WasmSignalHandlers.cpp
 +++ b/js/src/wasm/WasmSignalHandlers.cpp
-@@ -126,7 +126,7 @@ struct AutoSignalHandler {
- #define EPC_sig(p) ((p)->sc_pc)
- #define RFP_sig(p) ((p)->sc_regs[30])
+@@ -131,7 +131,7 @@ struct AutoSignalHandler {
+ #define R01_sig(p) ((p)->sc_frame.fixreg[1])
+ #define R32_sig(p) ((p)->sc_frame.srr0)
  #endif
 -#elif defined(__linux__) || defined(__sun)
 +#elif defined(__linux__) || defined(__sun) || defined(__GNU__)
diff -puNr thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch
--- thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch	2019-03-26 21:53:39.000000000 +0100
@@ -7,10 +7,10 @@ Subject: Set javascript.options.showInCo
  1 file changed, 5 insertions(+)
 
 diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
-index f5a2ec4..5624ded 100644
+index 776e10f..e911c73 100644
 --- a/modules/libpref/init/all.js
 +++ b/modules/libpref/init/all.js
-@@ -1474,6 +1474,7 @@ pref("javascript.options.jit.full_debug_checks", false);
+@@ -1473,6 +1473,7 @@ pref("javascript.options.jit.full_debug_checks", false);
  // memory, but makes things like Function.prototype.toSource()
  // fail.
  pref("javascript.options.discardSystemSource", false);
@@ -18,7 +18,7 @@ index f5a2ec4..5624ded 100644
  
  // Many of the the following preferences tune the SpiderMonkey GC, if you
  // change the defaults here please also consider changing them in
-@@ -1481,6 +1482,10 @@ pref("javascript.options.discardSystemSource", false);
+@@ -1480,6 +1481,10 @@ pref("javascript.options.discardSystemSource", false);
  
  // JSGC_MAX_MALLOC_BYTES
  // How much malloc memory can be allocated before triggering a GC, in MB.
diff -puNr thunderbird-60.5.1/debian/patches/series thunderbird-60.6.1/debian/patches/series
--- thunderbird-60.5.1/debian/patches/series	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/series	2019-03-26 21:53:39.000000000 +0100
@@ -37,3 +37,4 @@ fixes/Build-also-gdata-provider-as-xpi-f
 porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
 porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch
 porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
+fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
diff -puNr thunderbird-60.5.1/debian/rules thunderbird-60.6.1/debian/rules
--- thunderbird-60.5.1/debian/rules	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/rules	2019-03-26 21:29:31.000000000 +0100
@@ -67,7 +67,6 @@ endif
 LDFLAGS += -Wl,--stats
 
 export MOZ_BUILD_DATE := $(SOURCE_DATE_EPOCH)
-export BUILD_DATE := $(shell dpkg-parsechangelog --show-field=Date)
 export MOZCONFIG=$(shell pwd)/mozconfig.thunderbird
 export MOZILLA_OFFICIAL=1
 export DEB_BUILD_GNU_TYPE
@@ -190,8 +189,8 @@ override_dh_install-indep:
 	mkdir -p debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/
 	GDATA_PROVIDER=`find -type f -name "gdata-provider*.xpi"` &&\
 		unzip -d debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/ $(CURDIR)/$$GDATA_PROVIDER
-	find debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider -newermt '$(BUILD_DATE)' -print0 | \
-		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	find debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider -newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \
+		xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)'
 	ID=`grep "em:id" $(CURDIR)/debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/install.rdf | sed -e s"/<em:id>"// -e s",</em:id>",, -e 's/^[ ]*//' | head -n1` ;\
 	mkdir -p mkdir -p $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/ ;\
 	ln -sf /usr/share/xul-ext/calendar-google-provider $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/$$ID
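
Review bot: the new '@$(SOURCE_DATE_EPOCH)' arguments to find -newermt and touch --date expand to a bare '@' if SOURCE_DATE_EPOCH is empty, and nothing in the visible lines defines it (the earlier hunk only shows it being read for MOZ_BUILD_DATE). Confirm that d/rules obtains it, for example by including /usr/share/dpkg/pkg-info.mk, or fail early when it is unset. Separately, the unchanged context line "mkdir -p mkdir -p $(CURDIR)/..." repeats the command name and would also create a directory called mkdir; worth fixing while this target is being touched.
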
@@ -208,8 +207,8 @@ override_dh_install-indep:
 	# sometimes there are temporary build files in lightning
 	@echo "    --> searching for temporary build files in 'lightning' ..."
 	@for i in `find debian/lightning/ -name ".mkdir.done*"`; do echo remove $$i && rm $$i; done
-	find debian/lightning/usr/share/lightning -newermt '$(BUILD_DATE)' -print0 | \
-		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	find debian/lightning/usr/share/lightning -newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \
+		xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)'
 	for LANG in lightning-l10n/*; do \
 		locale=`basename $${LANG}`; \
 		echo "locale calendar $${locale} chrome/calendar-$${locale}/locale/$${locale}/calendar/" >> debian/lightning/usr/share/lightning/chrome.manifest ;\
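
Review bot: this find | xargs touch pair for debian/lightning/usr/share/lightning is the same command as in the calendar-google-provider hunk, with only the directory changed. A small make macro (define/call) taking the directory as its argument would keep the two timestamp clamps from drifting apart the next time the reference date changes, as it did in this upload.
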

unblock thunderbird/1:60.6.1-1

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

