Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package thunderbird

The package Thunderbird got the usual update to a new ESR version with an update to 60.6.1. This update fixes some known CVEs. The changes to the packaging can be seen within the following diff output:

diff -puNr thunderbird-60.5.1/debian/changelog thunderbird-60.6.1/debian/changelog --- thunderbird-60.5.1/debian/changelog 2019-02-14 20:01:03.000000000 +0100 +++ thunderbird-60.6.1/debian/changelog 2019-03-27 18:22:51.000000000 +0100 
@@ -1,3 +1,32 @@ +thunderbird (1:60.6.1-1) unstable; urgency=medium + + [ intrigeri ] + * [2013645] d/rules: drop useless usage of dpkg-parsechangelog + + [ Carsten Schoenert ] + * [daf1252] New upstream version 60.6.1 + Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11) + CVE-2019-9790: Use-after-free when removing in-use DOM elements + CVE-2019-9791: Type inference is incorrect for constructors entered + through on-stack replacement with IonMonkey + CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script + CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled + CVE-2019-9794: Command line arguments not discarded during execution + CVE-2019-9795: Type-confusion in IonMonkey JIT compiler + CVE-2019-9796: Use-after-free with SMIL animation controller + CVE-2018-18506: Proxy Auto-Configuration file can define localhost access + to be proxied + CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6, + and Thunderbird 60.6 + Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12) + CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information + CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations + * [f88a505] rebuild patch queue from patch-queue branch + added patch: + fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch + + -- Carsten Schoenert <c.schoen...@t-online.de> Wed, 27 Mar 2019 18:22:51 +0100 + thunderbird (1:60.5.1-1) unstable; urgency=medium [ Alexander Nitsch ] diff -puNr thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch --- thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch 2019-02-14 19:46:50.000000000 +0100 +++ thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch 2019-03-26 21:53:39.000000000 +0100 
@@ -8,10 +8,10 @@ Subject: stop configure if '--with-syste 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/old-configure.in b/old-configure.in -index f78c54d..506c08e 100644 +index 8ac71d1..5769ef6 100644 --- a/old-configure.in +++ b/old-configure.in -@@ -1825,7 +1825,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then +@@ -1826,7 +1826,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then MOZ_SYSTEM_BZ2= else AC_CHECK_LIB(bz2, BZ2_bzread, [MOZ_SYSTEM_BZ2=1 MOZ_BZ2_LIBS="-lbz2"], diff -puNr thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch --- thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch 1970-01-01 01:00:00.000000000 +0100 +++ thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch 2019-03-26 21:53:39.000000000 +0100 
@@ -0,0 +1,49 @@ +From: Rob Lemley <r...@thunderbird.net> +Date: Thu, 21 Feb 2019 15:14:17 -0500 +Subject: Bug 1526744 - find-dupes.py: Calculate md5 by chunk. + +Read the file in chunks and use md5.update() rather than reading the entire +file into RAM and calculating the hash all at once. This prevents out of memory +errors on build systems with low RAM. +--- + toolkit/mozapps/installer/find-dupes.py | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/toolkit/mozapps/installer/find-dupes.py b/toolkit/mozapps/installer/find-dupes.py +index 3935b79..0ff7efc 100644 +--- a/toolkit/mozapps/installer/find-dupes.py ++++ b/toolkit/mozapps/installer/find-dupes.py +@@ -39,19 +39,29 @@ def is_l10n_file(path): + def normalize_path(p): + return normalize_osx_path(p) + ++def md5hash_size(fp, chunk_size=1024*10): ++ md5 = hashlib.md5() ++ size = 0 ++ while True: ++ data = fp.read(chunk_size) ++ if not data: ++ break ++ md5.update(data) ++ size += len(data) ++ ++ return md5.digest(), size + + def find_dupes(source, allowed_dupes, bail=True): + allowed_dupes = set(allowed_dupes) + md5s = OrderedDict() + for p, f in UnpackFinder(source): +- content = f.open().read() +- m = hashlib.md5(content).digest() ++ m, content_size = md5hash_size(f.open()) + if m not in md5s: + if isinstance(f, DeflatedFile): + compressed = f.file.compressed_size + else: +- compressed = len(content) +- md5s[m] = (len(content), compressed, []) ++ compressed = content_size ++ md5s[m] = (content_size, compressed, []) + md5s[m][2].append(p) + total = 0 + total_compressed = 0 diff -puNr thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch --- thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch 2019-02-14 19:46:50.000000000 +0100 +++ 
thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch 2019-03-26 21:53:39.000000000 +0100 @@ -59,10 +59,10 @@ index 112b6a1..0000000 - -#endif // mozilla_LinuxSignal_h diff --git a/mfbt/moz.build b/mfbt/moz.build -index 81c4a42..fb43cc6 100644 +index 87c7d3f..587dbc5 100644 --- a/mfbt/moz.build +++ b/mfbt/moz.build -@@ -129,10 +129,6 @@ if CONFIG['OS_ARCH'] == 'WINNT': +@@ -120,10 +120,6 @@ if CONFIG['OS_ARCH'] == 'WINNT': EXPORTS.mozilla += [ 'WindowsVersion.h', ] @@ -74,7 +74,7 @@ index 81c4a42..fb43cc6 100644 UNIFIED_SOURCES += [ 'Assertions.cpp', diff --git a/tools/profiler/core/platform-linux-android.cpp b/tools/profiler/core/platform-linux-android.cpp -index 119ce9f..352dd9a 100644 +index 09eb943..79f0067 100644 --- a/tools/profiler/core/platform-linux-android.cpp +++ b/tools/profiler/core/platform-linux-android.cpp @@ -60,7 +60,6 @@ diff -puNr thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch --- thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch 2019-02-14 19:46:50.000000000 +0100 +++ thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch 2019-03-26 21:53:39.000000000 +0100 @@ -209,12 +209,12 @@ index 1c7eca0..661387b 100644 if (!CrashReporter::CreateNotificationPipeForChild(&childCrashFd, &childCrashRemapFd)) { diff --git a/js/src/wasm/WasmSignalHandlers.cpp b/js/src/wasm/WasmSignalHandlers.cpp -index bc28491..0d89430 100644 +index 70f1517..8bf475d 100644 --- a/js/src/wasm/WasmSignalHandlers.cpp 
+++ b/js/src/wasm/WasmSignalHandlers.cpp -@@ -126,7 +126,7 @@ struct AutoSignalHandler { - #define EPC_sig(p) ((p)->sc_pc) - #define RFP_sig(p) ((p)->sc_regs[30]) +@@ -131,7 +131,7 @@ struct AutoSignalHandler { + #define R01_sig(p) ((p)->sc_frame.fixreg[1]) + #define R32_sig(p) ((p)->sc_frame.srr0) #endif -#elif defined(__linux__) || defined(__sun) +#elif defined(__linux__) || defined(__sun) || defined(__GNU__) diff -puNr thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch --- thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch 2019-02-14 19:46:50.000000000 +0100 +++ thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch 2019-03-26 21:53:39.000000000 +0100 @@ -7,10 +7,10 @@ Subject: Set javascript.options.showInCo 1 file changed, 5 insertions(+) diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js -index f5a2ec4..5624ded 100644 +index 776e10f..e911c73 100644 --- a/modules/libpref/init/all.js +++ b/modules/libpref/init/all.js -@@ -1474,6 +1474,7 @@ pref("javascript.options.jit.full_debug_checks", false); +@@ -1473,6 +1473,7 @@ pref("javascript.options.jit.full_debug_checks", false); // memory, but makes things like Function.prototype.toSource() // fail. pref("javascript.options.discardSystemSource", false); 
@@ -18,7 +18,7 @@ index f5a2ec4..5624ded 100644 // Many of the the following preferences tune the SpiderMonkey GC, if you // change the defaults here please also consider changing them in -@@ -1481,6 +1482,10 @@ pref("javascript.options.discardSystemSource", false); +@@ -1480,6 +1481,10 @@ pref("javascript.options.discardSystemSource", false); // JSGC_MAX_MALLOC_BYTES // How much malloc memory can be allocated before triggering a GC, in MB. diff -puNr thunderbird-60.5.1/debian/patches/series thunderbird-60.6.1/debian/patches/series --- thunderbird-60.5.1/debian/patches/series 2019-02-14 19:46:50.000000000 +0100 +++ thunderbird-60.6.1/debian/patches/series 2019-03-26 21:53:39.000000000 +0100 @@ -37,3 +37,4 @@ fixes/Build-also-gdata-provider-as-xpi-f porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch +fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch diff -puNr thunderbird-60.5.1/debian/rules thunderbird-60.6.1/debian/rules --- thunderbird-60.5.1/debian/rules 2019-02-14 19:46:50.000000000 +0100 +++ thunderbird-60.6.1/debian/rules 2019-03-26 21:29:31.000000000 +0100 @@ -67,7 +67,6 @@ endif LDFLAGS += -Wl,--stats export MOZ_BUILD_DATE := $(SOURCE_DATE_EPOCH) -export BUILD_DATE := $(shell dpkg-parsechangelog --show-field=Date) export MOZCONFIG=$(shell pwd)/mozconfig.thunderbird export MOZILLA_OFFICIAL=1 export DEB_BUILD_GNU_TYPE 
@@ -190,8 +189,8 @@ override_dh_install-indep: mkdir -p debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/ GDATA_PROVIDER=`find -type f -name "gdata-provider*.xpi"` &&\ unzip -d debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/ $(CURDIR)/$$GDATA_PROVIDER - find debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider -newermt '$(BUILD_DATE)' -print0 | \ - xargs -0r touch --no-dereference --date='$(BUILD_DATE)' + find debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider -newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \ + xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)' ID=`grep "em:id" $(CURDIR)/debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/install.rdf | sed -e s"/<em:id>"// -e s",</em:id>",, -e 's/^[ ]*//' | head -n1` ;\ mkdir -p mkdir -p $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/ ;\ ln -sf /usr/share/xul-ext/calendar-google-provider $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/$$ID 
@@ -208,8 +207,8 @@ override_dh_install-indep: # sometimes there are temporary build files in lightning @echo " --> searching for temporary build files in 'lightning' ..." @for i in `find debian/lightning/ -name ".mkdir.done*"`; do echo remove $$i && rm $$i; done - find debian/lightning/usr/share/lightning -newermt '$(BUILD_DATE)' -print0 | \ - xargs -0r touch --no-dereference --date='$(BUILD_DATE)' + find debian/lightning/usr/share/lightning -newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \ + xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)' for LANG in lightning-l10n/*; do \ locale=`basename $${LANG}`; \ echo "locale calendar $${locale} chrome/calendar-$${locale}/locale/$${locale}/calendar/" >> debian/lightning/usr/share/lightning/chrome.manifest ;\

unblock thunderbird/1:60.6.1-1

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
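
Review bot: In the find-dupes.py hunk, find_dupes() passes f.open() straight into md5hash_size(), so the file object is never bound to a name and never closed explicitly; it stays open until it is garbage collected, which works against the low-RAM goal stated in the patch description. Suggest binding the handle and closing it after hashing (a with block if the object supports it, otherwise try/finally with close()). md5hash_size() would also benefit from a short docstring saying that it consumes fp to EOF and returns (digest, size), and the 10 KiB default (chunk_size=1024*10) is small; a larger default would cut the number of read() calls without changing the memory behaviour the patch is after.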
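
Review bot: In the debian/rules hunk at @@ -67, the export BUILD_DATE line is dropped and the later recipes switch to '@$(SOURCE_DATE_EPOCH)', but nothing in the visible lines sets or checks SOURCE_DATE_EPOCH. If debian/rules runs in an environment where the variable is empty, find -newermt and touch --date would be passed a bare '@'. Suggest failing early when it is empty, or making sure it is defined inside debian/rules itself, and adding a one-line comment that the timestamp clamp now depends on it.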
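
Review bot: In the debian/rules hunk at @@ -190, the unchanged context line after the ID= assignment reads "mkdir -p mkdir -p $(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/", which also creates a stray directory literally named mkdir in the working directory. Since this recipe is being edited anyway, drop the duplicated "mkdir -p". The same find/touch replacement is repeated in the @@ -208 hunk for lightning; a single make variable or define for the clamp command would keep the two copies from drifting apart.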