
Bug#926283: marked as done (unblock: thunderbird/1:60.6.1-1)



Your message dated Thu, 04 Apr 2019 19:21:38 +0000
with message-id <E1hC7ve-0005ZP-Jp@respighi.debian.org>
and subject line unblock thunderbird
has caused the Debian Bug report #926283,
regarding unblock: thunderbird/1:60.6.1-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926283
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package thunderbird

The package Thunderbird got the usual update to a new ESR version with
an update to 60.6.1.
This update fixes some known CVEs.

The changes to the packaging can be seen within the following diff output:

diff -puNr thunderbird-60.5.1/debian/changelog thunderbird-60.6.1/debian/changelog
--- thunderbird-60.5.1/debian/changelog	2019-02-14 20:01:03.000000000 +0100
+++ thunderbird-60.6.1/debian/changelog	2019-03-27 18:22:51.000000000 +0100
@@ -1,3 +1,32 @@
+thunderbird (1:60.6.1-1) unstable; urgency=medium
+
+  [ intrigeri ]
+  * [2013645] d/rules: drop useless usage of dpkg-parsechangelog
+
+  [ Carsten Schoenert ]
+  * [daf1252] New upstream version 60.6.1
+    Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11)
+    CVE-2019-9790: Use-after-free when removing in-use DOM elements
+    CVE-2019-9791: Type inference is incorrect for constructors entered 
+                   through on-stack replacement with IonMonkey
+    CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
+    CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
+    CVE-2019-9794: Command line arguments not discarded during execution
+    CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
+    CVE-2019-9796: Use-after-free with SMIL animation controller
+    CVE-2018-18506: Proxy Auto-Configuration file can define localhost access
+                    to be proxied
+    CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6,
+                   and Thunderbird 60.6
+    Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12)
+    CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
+    CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
+  * [f88a505] rebuild patch queue from patch-queue branch
+    added patch:
+    fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
+
+ -- Carsten Schoenert <c.schoenert@t-online.de>  Wed, 27 Mar 2019 18:22:51 +0100
+
 thunderbird (1:60.5.1-1) unstable; urgency=medium
 
   [ Alexander Nitsch ]
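Review bot: The entry for [f88a505] names the added patch but not why it is needed; a short note that fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch avoids out-of-memory failures on low-RAM builders (as its own header says) would let the release team judge the change without opening the patch. Also, the CVE-2019-9791 line ends with a trailing space after "entered", which is worth stripping before upload.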
diff -puNr thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
--- thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch	2019-03-26 21:53:39.000000000 +0100
@@ -8,10 +8,10 @@ Subject: stop configure if '--with-syste
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/old-configure.in b/old-configure.in
-index f78c54d..506c08e 100644
+index 8ac71d1..5769ef6 100644
 --- a/old-configure.in
 +++ b/old-configure.in
-@@ -1825,7 +1825,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then
+@@ -1826,7 +1826,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then
      MOZ_SYSTEM_BZ2=
  else
      AC_CHECK_LIB(bz2, BZ2_bzread, [MOZ_SYSTEM_BZ2=1 MOZ_BZ2_LIBS="-lbz2"],
diff -puNr thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
--- thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch	1970-01-01 01:00:00.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch	2019-03-26 21:53:39.000000000 +0100
@@ -0,0 +1,49 @@
+From: Rob Lemley <rob@thunderbird.net>
+Date: Thu, 21 Feb 2019 15:14:17 -0500
+Subject: Bug 1526744 - find-dupes.py: Calculate md5 by chunk.
+
+Read the file in chunks and use md5.update() rather than reading the entire
+file into RAM and calculating the hash all at once. This prevents out of memory
+errors on build systems with low RAM.
+---
+ toolkit/mozapps/installer/find-dupes.py | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/toolkit/mozapps/installer/find-dupes.py b/toolkit/mozapps/installer/find-dupes.py
+index 3935b79..0ff7efc 100644
+--- a/toolkit/mozapps/installer/find-dupes.py
++++ b/toolkit/mozapps/installer/find-dupes.py
+@@ -39,19 +39,29 @@ def is_l10n_file(path):
+ def normalize_path(p):
+     return normalize_osx_path(p)
+ 
++def md5hash_size(fp, chunk_size=1024*10):
++    md5 = hashlib.md5()
++    size = 0
++    while True:
++        data = fp.read(chunk_size)
++        if not data:
++            break
++        md5.update(data)
++        size += len(data)
++
++    return md5.digest(), size
+ 
+ def find_dupes(source, allowed_dupes, bail=True):
+     allowed_dupes = set(allowed_dupes)
+     md5s = OrderedDict()
+     for p, f in UnpackFinder(source):
+-        content = f.open().read()
+-        m = hashlib.md5(content).digest()
++        m, content_size = md5hash_size(f.open())
+         if m not in md5s:
+             if isinstance(f, DeflatedFile):
+                 compressed = f.file.compressed_size
+             else:
+-                compressed = len(content)
+-            md5s[m] = (len(content), compressed, [])
++                compressed = content_size
++            md5s[m] = (content_size, compressed, [])
+         md5s[m][2].append(p)
+     total = 0
+     total_compressed = 0
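Review bot: In find_dupes, "m, content_size = md5hash_size(f.open())" never closes the handle it opens, so every unpacked file stays open until the object is garbage collected; keep the handle in a local and close it after hashing, or make md5hash_size responsible for closing it. The default "chunk_size=1024*10" in md5hash_size is only 10 KiB, so large files need many read() calls; a larger chunk would still keep memory bounded. The function also has no docstring saying that it returns the raw digest together with the byte count, which is the only thing the caller relies on. The patch header carries just From, Date and Subject; an Origin or Bug line pointing at the upstream bug would make its provenance checkable.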
diff -puNr thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
--- thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch	2019-03-26 21:53:39.000000000 +0100
@@ -59,10 +59,10 @@ index 112b6a1..0000000
 -
 -#endif  // mozilla_LinuxSignal_h
 diff --git a/mfbt/moz.build b/mfbt/moz.build
-index 81c4a42..fb43cc6 100644
+index 87c7d3f..587dbc5 100644
 --- a/mfbt/moz.build
 +++ b/mfbt/moz.build
-@@ -129,10 +129,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
+@@ -120,10 +120,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
      EXPORTS.mozilla += [
          'WindowsVersion.h',
      ]
@@ -74,7 +74,7 @@ index 81c4a42..fb43cc6 100644
  UNIFIED_SOURCES += [
      'Assertions.cpp',
 diff --git a/tools/profiler/core/platform-linux-android.cpp b/tools/profiler/core/platform-linux-android.cpp
-index 119ce9f..352dd9a 100644
+index 09eb943..79f0067 100644
 --- a/tools/profiler/core/platform-linux-android.cpp
 +++ b/tools/profiler/core/platform-linux-android.cpp
 @@ -60,7 +60,6 @@
diff -puNr thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
--- thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch	2019-03-26 21:53:39.000000000 +0100
@@ -209,12 +209,12 @@ index 1c7eca0..661387b 100644
      if (!CrashReporter::CreateNotificationPipeForChild(&childCrashFd,
                                                         &childCrashRemapFd)) {
 diff --git a/js/src/wasm/WasmSignalHandlers.cpp b/js/src/wasm/WasmSignalHandlers.cpp
-index bc28491..0d89430 100644
+index 70f1517..8bf475d 100644
 --- a/js/src/wasm/WasmSignalHandlers.cpp
 +++ b/js/src/wasm/WasmSignalHandlers.cpp
-@@ -126,7 +126,7 @@ struct AutoSignalHandler {
- #define EPC_sig(p) ((p)->sc_pc)
- #define RFP_sig(p) ((p)->sc_regs[30])
+@@ -131,7 +131,7 @@ struct AutoSignalHandler {
+ #define R01_sig(p) ((p)->sc_frame.fixreg[1])
+ #define R32_sig(p) ((p)->sc_frame.srr0)
  #endif
 -#elif defined(__linux__) || defined(__sun)
 +#elif defined(__linux__) || defined(__sun) || defined(__GNU__)
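Review bot: The refresh moved this hunk from line 126 to line 131 and its leading context changed from the EPC_sig/RFP_sig defines to R01_sig/R32_sig, so the preprocessor chain around the patched line was changed upstream. Please confirm that "|| defined(__GNU__)" still extends the same "#elif defined(__linux__) || defined(__sun)" branch as before and has not slid under a different platform block, since this file selects the signal-context register accessors.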
diff -puNr thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch
--- thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch	2019-03-26 21:53:39.000000000 +0100
@@ -7,10 +7,10 @@ Subject: Set javascript.options.showInCo
  1 file changed, 5 insertions(+)
 
 diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
-index f5a2ec4..5624ded 100644
+index 776e10f..e911c73 100644
 --- a/modules/libpref/init/all.js
 +++ b/modules/libpref/init/all.js
-@@ -1474,6 +1474,7 @@ pref("javascript.options.jit.full_debug_checks", false);
+@@ -1473,6 +1473,7 @@ pref("javascript.options.jit.full_debug_checks", false);
  // memory, but makes things like Function.prototype.toSource()
  // fail.
  pref("javascript.options.discardSystemSource", false);
@@ -18,7 +18,7 @@ index f5a2ec4..5624ded 100644
  
  // Many of the the following preferences tune the SpiderMonkey GC, if you
  // change the defaults here please also consider changing them in
-@@ -1481,6 +1482,10 @@ pref("javascript.options.discardSystemSource", false);
+@@ -1480,6 +1481,10 @@ pref("javascript.options.discardSystemSource", false);
  
  // JSGC_MAX_MALLOC_BYTES
  // How much malloc memory can be allocated before triggering a GC, in MB.
diff -puNr thunderbird-60.5.1/debian/patches/series thunderbird-60.6.1/debian/patches/series
--- thunderbird-60.5.1/debian/patches/series	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/patches/series	2019-03-26 21:53:39.000000000 +0100
@@ -37,3 +37,4 @@ fixes/Build-also-gdata-provider-as-xpi-f
 porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
 porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch
 porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
+fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
diff -puNr thunderbird-60.5.1/debian/rules thunderbird-60.6.1/debian/rules
--- thunderbird-60.5.1/debian/rules	2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/rules	2019-03-26 21:29:31.000000000 +0100
@@ -67,7 +67,6 @@ endif
 LDFLAGS += -Wl,--stats
 
 export MOZ_BUILD_DATE := $(SOURCE_DATE_EPOCH)
-export BUILD_DATE := $(shell dpkg-parsechangelog --show-field=Date)
 export MOZCONFIG=$(shell pwd)/mozconfig.thunderbird
 export MOZILLA_OFFICIAL=1
 export DEB_BUILD_GNU_TYPE
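Review bot: With BUILD_DATE removed here, the later find/touch steps depend entirely on SOURCE_DATE_EPOCH, and the visible lines only consume it ("export MOZ_BUILD_DATE := $(SOURCE_DATE_EPOCH)") without showing where it is defined. If it expands to an empty string, "-newermt '@'" and "--date='@'" are not valid dates, and because find feeds xargs through a pipe the step reports only the exit status of xargs unless pipefail is set, so the mtime clamp could be skipped without failing the build. Make sure debian/rules includes /usr/share/dpkg/pkg-info.mk or otherwise sets the variable before this point, and consider failing early when it is empty.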
@@ -190,8 +189,8 @@ override_dh_install-indep:
 	mkdir -p debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/
 	GDATA_PROVIDER=`find -type f -name "gdata-provider*.xpi"` &&\
 		unzip -d debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/ $(CURDIR)/$$GDATA_PROVIDER
-	find debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider -newermt '$(BUILD_DATE)' -print0 | \
-		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	find debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider -newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \
+		xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)'
 	ID=`grep "em:id" $(CURDIR)/debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/install.rdf | sed -e s"/<em:id>"// -e s",</em:id>",, -e 's/^[ ]*//' | head -n1` ;\
 	mkdir -p mkdir -p $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/ ;\
 	ln -sf /usr/share/xul-ext/calendar-google-provider $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/$$ID
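Review bot: The unchanged context two lines below the new touch call reads "mkdir -p mkdir -p $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/", which creates a stray directory literally named "mkdir" in the build tree next to the intended one. It is not part of this change, but since the block is being edited anyway the duplicated "mkdir -p" should be dropped. On the changed lines themselves, the switch to '@$(SOURCE_DATE_EPOCH)' is consistent between the -newermt test and the touch --date argument, which is what the clamp needs.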
@@ -208,8 +207,8 @@ override_dh_install-indep:
 	# sometimes there are temporary build files in lightning
 	@echo "    --> searching for temporary build files in 'lightning' ..."
 	@for i in `find debian/lightning/ -name ".mkdir.done*"`; do echo remove $$i && rm $$i; done
-	find debian/lightning/usr/share/lightning -newermt '$(BUILD_DATE)' -print0 | \
-		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+	find debian/lightning/usr/share/lightning -newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \
+		xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)'
 	for LANG in lightning-l10n/*; do \
 		locale=`basename $${LANG}`; \
 		echo "locale calendar $${locale} chrome/calendar-$${locale}/locale/$${locale}/calendar/" >> debian/lightning/usr/share/lightning/chrome.manifest ;\

unblock thunderbird/1:60.6.1-1

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Unblocked thunderbird.

--- End Message ---