--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package thunderbird
The package Thunderbird got the usual update to a new ESR version with
an update to 60.6.1.
This update fixes some known CVEs.
The changes to the packaging can be seen within the following diff output:
diff -puNr thunderbird-60.5.1/debian/changelog
thunderbird-60.6.1/debian/changelog
--- thunderbird-60.5.1/debian/changelog 2019-02-14 20:01:03.000000000 +0100
+++ thunderbird-60.6.1/debian/changelog 2019-03-27 18:22:51.000000000 +0100
@@ -1,3 +1,32 @@
+thunderbird (1:60.6.1-1) unstable; urgency=medium
+
+ [ intrigeri ]
+ * [2013645] d/rules: drop useless usage of dpkg-parsechangelog
+
+ [ Carsten Schoenert ]
+ * [daf1252] New upstream version 60.6.1
+ Fixed CVE issues in upstream version 60.6.0 (MFSA 2019-11)
+ CVE-2019-9790: Use-after-free when removing in-use DOM elements
+ CVE-2019-9791: Type inference is incorrect for constructors entered
+ through on-stack replacement with IonMonkey
+ CVE-2019-9792: IonMonkey leaks JS_OPTIMIZED_OUT magic value to script
+ CVE-2019-9793: Improper bounds checks when Spectre mitigations are disabled
+ CVE-2019-9794: Command line arguments not discarded during execution
+ CVE-2019-9795: Type-confusion in IonMonkey JIT compiler
+ CVE-2019-9796: Use-after-free with SMIL animation controller
+ CVE-2018-18506: Proxy Auto-Configuration file can define localhost access
+ to be proxied
+ CVE-2019-9788: Memory safety bugs fixed in Firefox 66, Firefox ESR 60.6,
+ and Thunderbird 60.6
+ Fixed CVE issues in upstream version 60.6.1 (MFSA 2019-12)
+ CVE-2019-9810: IonMonkey MArraySlice has incorrect alias information
+ CVE-2019-9813: Ionmonkey type confusion with __proto__ mutations
+ * [f88a505] rebuild patch queue from patch-queue branch
+ added patch:
+ fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
+
+ -- Carsten Schoenert <c.schoen...@t-online.de> Wed, 27 Mar 2019 18:22:51
+0100
+
thunderbird (1:60.5.1-1) unstable; urgency=medium
[ Alexander Nitsch ]
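Review bot: The [2013645] entry says only that dpkg-parsechangelog usage is dropped; it should also state that the find/touch timestamp clamping in d/rules now takes its reference date from SOURCE_DATE_EPOCH, since that is the behavioural change in this upload's packaging. The [f88a505] entry could likewise say in a few words why the find-dupes.py patch is carried (out-of-memory errors on build systems with low RAM, per the patch description).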
diff -puNr
thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
---
thunderbird-60.5.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
2019-02-14 19:46:50.000000000 +0100
+++
thunderbird-60.6.1/debian/patches/debian-hacks/stop-configure-if-with-system-bz2-was-passed-but-no-.patch
2019-03-26 21:53:39.000000000 +0100
@@ -8,10 +8,10 @@ Subject: stop configure if '--with-syste
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/old-configure.in b/old-configure.in
-index f78c54d..506c08e 100644
+index 8ac71d1..5769ef6 100644
--- a/old-configure.in
+++ b/old-configure.in
-@@ -1825,7 +1825,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then
+@@ -1826,7 +1826,7 @@ if test -z "$BZ2_DIR" -o "$BZ2_DIR" = no; then
MOZ_SYSTEM_BZ2=
else
AC_CHECK_LIB(bz2, BZ2_bzread, [MOZ_SYSTEM_BZ2=1 MOZ_BZ2_LIBS="-lbz2"],
diff -puNr
thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
---
thunderbird-60.5.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
1970-01-01 01:00:00.000000000 +0100
+++
thunderbird-60.6.1/debian/patches/fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
2019-03-26 21:53:39.000000000 +0100
@@ -0,0 +1,49 @@
+From: Rob Lemley <r...@thunderbird.net>
+Date: Thu, 21 Feb 2019 15:14:17 -0500
+Subject: Bug 1526744 - find-dupes.py: Calculate md5 by chunk.
+
+Read the file in chunks and use md5.update() rather than reading the entire
+file into RAM and calculating the hash all at once. This prevents out of memory
+errors on build systems with low RAM.
+---
+ toolkit/mozapps/installer/find-dupes.py | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/toolkit/mozapps/installer/find-dupes.py
b/toolkit/mozapps/installer/find-dupes.py
+index 3935b79..0ff7efc 100644
+--- a/toolkit/mozapps/installer/find-dupes.py
++++ b/toolkit/mozapps/installer/find-dupes.py
+@@ -39,19 +39,29 @@ def is_l10n_file(path):
+ def normalize_path(p):
+ return normalize_osx_path(p)
+
++def md5hash_size(fp, chunk_size=1024*10):
++ md5 = hashlib.md5()
++ size = 0
++ while True:
++ data = fp.read(chunk_size)
++ if not data:
++ break
++ md5.update(data)
++ size += len(data)
++
++ return md5.digest(), size
+
+ def find_dupes(source, allowed_dupes, bail=True):
+ allowed_dupes = set(allowed_dupes)
+ md5s = OrderedDict()
+ for p, f in UnpackFinder(source):
+- content = f.open().read()
+- m = hashlib.md5(content).digest()
++ m, content_size = md5hash_size(f.open())
+ if m not in md5s:
+ if isinstance(f, DeflatedFile):
+ compressed = f.file.compressed_size
+ else:
+- compressed = len(content)
+- md5s[m] = (len(content), compressed, [])
++ compressed = content_size
++ md5s[m] = (content_size, compressed, [])
+ md5s[m][2].append(p)
+ total = 0
+ total_compressed = 0
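Review bot: In find_dupes() the object returned by f.open() is passed straight to md5hash_size() and is never closed, and md5hash_size() does not close it either; close it explicitly after hashing, or have the helper do so in a try/finally, rather than leaving it to the interpreter to reclaim. The default chunk_size=1024*10 is only 10 KiB, which means many read()/update() round trips on large files; a larger chunk would still bound memory use. MD5 serves here only as a duplicate-content key, so a short docstring on md5hash_size() saying that, and that it returns (digest, size), would head off questions about the hash choice.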
diff -puNr
thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
---
thunderbird-60.5.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
2019-02-14 19:46:50.000000000 +0100
+++
thunderbird-60.6.1/debian/patches/porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
2019-03-26 21:53:39.000000000 +0100
@@ -59,10 +59,10 @@ index 112b6a1..0000000
-
-#endif // mozilla_LinuxSignal_h
diff --git a/mfbt/moz.build b/mfbt/moz.build
-index 81c4a42..fb43cc6 100644
+index 87c7d3f..587dbc5 100644
--- a/mfbt/moz.build
+++ b/mfbt/moz.build
-@@ -129,10 +129,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
+@@ -120,10 +120,6 @@ if CONFIG['OS_ARCH'] == 'WINNT':
EXPORTS.mozilla += [
'WindowsVersion.h',
]
@@ -74,7 +74,7 @@ index 81c4a42..fb43cc6 100644
UNIFIED_SOURCES += [
'Assertions.cpp',
diff --git a/tools/profiler/core/platform-linux-android.cpp
b/tools/profiler/core/platform-linux-android.cpp
-index 119ce9f..352dd9a 100644
+index 09eb943..79f0067 100644
--- a/tools/profiler/core/platform-linux-android.cpp
+++ b/tools/profiler/core/platform-linux-android.cpp
@@ -60,7 +60,6 @@
diff -puNr
thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
---
thunderbird-60.5.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
2019-02-14 19:46:50.000000000 +0100
+++
thunderbird-60.6.1/debian/patches/porting-kfreebsd-hurd/FTBFS-hurd-fixing-unsupported-platform-Hurd.patch
2019-03-26 21:53:39.000000000 +0100
@@ -209,12 +209,12 @@ index 1c7eca0..661387b 100644
if (!CrashReporter::CreateNotificationPipeForChild(&childCrashFd,
&childCrashRemapFd)) {
diff --git a/js/src/wasm/WasmSignalHandlers.cpp
b/js/src/wasm/WasmSignalHandlers.cpp
-index bc28491..0d89430 100644
+index 70f1517..8bf475d 100644
--- a/js/src/wasm/WasmSignalHandlers.cpp
+++ b/js/src/wasm/WasmSignalHandlers.cpp
-@@ -126,7 +126,7 @@ struct AutoSignalHandler {
- #define EPC_sig(p) ((p)->sc_pc)
- #define RFP_sig(p) ((p)->sc_regs[30])
+@@ -131,7 +131,7 @@ struct AutoSignalHandler {
+ #define R01_sig(p) ((p)->sc_frame.fixreg[1])
+ #define R32_sig(p) ((p)->sc_frame.srr0)
#endif
-#elif defined(__linux__) || defined(__sun)
+#elif defined(__linux__) || defined(__sun) || defined(__GNU__)
diff -puNr
thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch
thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch
---
thunderbird-60.5.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch
2019-02-14 19:46:50.000000000 +0100
+++
thunderbird-60.6.1/debian/patches/prefs/Set-javascript.options.showInConsole.patch
2019-03-26 21:53:39.000000000 +0100
@@ -7,10 +7,10 @@ Subject: Set javascript.options.showInCo
1 file changed, 5 insertions(+)
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
-index f5a2ec4..5624ded 100644
+index 776e10f..e911c73 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
-@@ -1474,6 +1474,7 @@ pref("javascript.options.jit.full_debug_checks", false);
+@@ -1473,6 +1473,7 @@ pref("javascript.options.jit.full_debug_checks", false);
// memory, but makes things like Function.prototype.toSource()
// fail.
pref("javascript.options.discardSystemSource", false);
@@ -18,7 +18,7 @@ index f5a2ec4..5624ded 100644
// Many of the the following preferences tune the SpiderMonkey GC, if you
// change the defaults here please also consider changing them in
-@@ -1481,6 +1482,10 @@ pref("javascript.options.discardSystemSource", false);
+@@ -1480,6 +1481,10 @@ pref("javascript.options.discardSystemSource", false);
// JSGC_MAX_MALLOC_BYTES
// How much malloc memory can be allocated before triggering a GC, in MB.
diff -puNr thunderbird-60.5.1/debian/patches/series
thunderbird-60.6.1/debian/patches/series
--- thunderbird-60.5.1/debian/patches/series 2019-02-14 19:46:50.000000000
+0100
+++ thunderbird-60.6.1/debian/patches/series 2019-03-26 21:53:39.000000000
+0100
@@ -37,3 +37,4 @@ fixes/Build-also-gdata-provider-as-xpi-f
porting-armel/Bug-1463035-Remove-MOZ_SIGNAL_TRAMPOLINE.-r-darchons.patch
porting-armel/Avoid-using-vmrs-vmsr-on-armel.patch
porting-powerpc/powerpc-Don-t-use-static-page-sizes-on-powerpc.patch
+fixes/Bug-1526744-find-dupes.py-Calculate-md5-by-chunk.patch
diff -puNr thunderbird-60.5.1/debian/rules thunderbird-60.6.1/debian/rules
--- thunderbird-60.5.1/debian/rules 2019-02-14 19:46:50.000000000 +0100
+++ thunderbird-60.6.1/debian/rules 2019-03-26 21:29:31.000000000 +0100
@@ -67,7 +67,6 @@ endif
LDFLAGS += -Wl,--stats
export MOZ_BUILD_DATE := $(SOURCE_DATE_EPOCH)
-export BUILD_DATE := $(shell dpkg-parsechangelog --show-field=Date)
export MOZCONFIG=$(shell pwd)/mozconfig.thunderbird
export MOZILLA_OFFICIAL=1
export DEB_BUILD_GNU_TYPE
@@ -190,8 +189,8 @@ override_dh_install-indep:
mkdir -p
debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/
GDATA_PROVIDER=`find -type f -name "gdata-provider*.xpi"` &&\
unzip -d
debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/
$(CURDIR)/$$GDATA_PROVIDER
- find
debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider
-newermt '$(BUILD_DATE)' -print0 | \
- xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+ find
debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider
-newermt '@$(SOURCE_DATE_EPOCH)' -print0 | \
+ xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)'
ID=`grep "em:id"
$(CURDIR)/debian/calendar-google-provider/usr/share/xul-ext/calendar-google-provider/install.rdf
| sed -e s"/<em:id>"// -e s",</em:id>",, -e 's/^[ ]*//' | head -n1` ;\
mkdir -p mkdir -p
$(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/ ;\
ln -sf /usr/share/xul-ext/calendar-google-provider
$(CURDIR)/debian/calendar-google-provider/usr/lib/thunderbird/extensions/$$ID
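Review bot: Both -newermt '@$(SOURCE_DATE_EPOCH)' and --date='@$(SOURCE_DATE_EPOCH)' assume the variable is non-empty, and nothing in the visible part of d/rules sets it; if debian/rules is run without it in the environment, both arguments collapse to '@'. Consider making the definition explicit in d/rules (for example by including dpkg's pkg-info.mk) or failing early when the variable is empty. Separate from this change but visible in the context lines: "mkdir -p mkdir -p $(CURDIR)/..." repeats the command name, which also creates a directory literally named mkdir in the build tree.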
@@ -208,8 +207,8 @@ override_dh_install-indep:
# sometimes there are temporary build files in lightning
@echo " --> searching for temporary build files in 'lightning' ..."
@for i in `find debian/lightning/ -name ".mkdir.done*"`; do echo remove
$$i && rm $$i; done
- find debian/lightning/usr/share/lightning -newermt '$(BUILD_DATE)'
-print0 | \
- xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
+ find debian/lightning/usr/share/lightning -newermt
'@$(SOURCE_DATE_EPOCH)' -print0 | \
+ xargs -0r touch --no-dereference --date='@$(SOURCE_DATE_EPOCH)'
for LANG in lightning-l10n/*; do \
locale=`basename $${LANG}`; \
echo "locale calendar $${locale}
chrome/calendar-$${locale}/locale/$${locale}/calendar/" >>
debian/lightning/usr/share/lightning/chrome.manifest ;\
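Review bot: The find -newermt ... | xargs -0r touch --no-dereference pair for debian/lightning/usr/share/lightning duplicates the one in the calendar-google-provider step of the same target, with only the directory changed. A small make define, or one invocation over both directories, would keep the reference date in one place so that a later change cannot update one copy and miss the other.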
unblock thunderbird/1:60.6.1-1
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-4-amd64 (SMP w/6 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---