Hello community,

here is the log from the commit of package MozillaThunderbird for 
openSUSE:Factory checked in at 2016-08-12 15:34:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/MozillaThunderbird (Old)
 and      /work/SRC/openSUSE:Factory/.MozillaThunderbird.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "MozillaThunderbird"

Changes:
--------
--- /work/SRC/openSUSE:Factory/MozillaThunderbird/MozillaThunderbird.changes    
2016-08-03 11:37:23.000000000 +0200
+++ 
/work/SRC/openSUSE:Factory/.MozillaThunderbird.new/MozillaThunderbird.changes   
    2016-08-12 15:34:54.000000000 +0200
@@ -1,0 +2,7 @@
+Fri Aug  5 13:47:12 UTC 2016 - [email protected]
+
+- Fix for possible buffer overrun (bsc#990856)
+  CVE-2016-6354 (bmo#1292534)
+  [mozilla-flex_buffer_overrun.patch]
+
+-------------------------------------------------------------------

New:
----
  mozilla-flex_buffer_overrun.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ MozillaThunderbird.spec ++++++
--- /var/tmp/diff_new_pack.KE2QXi/_old  2016-08-12 15:34:59.000000000 +0200
+++ /var/tmp/diff_new_pack.KE2QXi/_new  2016-08-12 15:34:59.000000000 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package MozillaThunderbird
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #               2006-2016 Wolfgang Rosenauer <[email protected]>
 #
 # All modifications and additions to the file contributed by third parties
@@ -108,6 +108,8 @@
 Patch9:         mozilla-binutils-visibility.patch
 # Thunderbird/mail
 Patch20:        tb-ssldap.patch
+# hotfix
+Patch150:       mozilla-flex_buffer_overrun.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         coreutils fileutils textutils /bin/sh
 Recommends:     libcanberra0
@@ -204,6 +206,7 @@
 %patch6 -p1
 %patch8 -p1
 %patch9 -p1
+%patch150 -p1
 popd
 # comm-central patches
 %patch20 -p1


++++++ mozilla-flex_buffer_overrun.patch ++++++
# HG changeset patch
# Parent  c8e8364b303892fdb5a574b96411d2d8f699a15e
Patch lexer source files generated by flex that may be exploitable
through a buffer overrun. These files appear to come from upstream projects
(CMU Sphinx and ANGLE), so the issue should be fixed there in the first place.

CVE-2016-6354

https://bugzilla.suse.com/show_bug.cgi?id=990856

diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp 
b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
--- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
+++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp
@@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t 
        if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == 
YY_BUFFER_EOF_PENDING )
                /* don't do the read, it's not guaranteed to return an EOF,
                 * just force an EOF
                 */
                YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
        else
                {
-                       yy_size_t num_to_read =
+                       int num_to_read =
                        YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move 
- 1;
 
                while ( num_to_read <= 0 )
                        { /* Not enough room in the buffer - grow it. */
 
                        /* just a shorter name for the current buffer */
                        YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
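Review bot: The switch to `int num_to_read` carries no comment saying why the type must be signed, and these are flex-generated files, so regenerating them with an unfixed flex would silently restore `yy_size_t`. With an unsigned type, `while ( num_to_read <= 0 )` can only fire at exactly zero, so a wrapped subtraction would skip the buffer-grow path; I would record that at the declaration, e.g. `/* must stay signed: an unsigned result wraps and bypasses the grow loop below (CVE-2016-6354) */`. If `yy_buf_size` or `number_to_move` is itself declared `yy_size_t` (their declarations are outside the hunk), the subtraction is still done unsigned and only then narrowed to `int`, which is worth confirming per file. The same applies to the identical hunks in glslang_lex.cpp and jsgf_scanner.c; the body of `yy_get_next_buffer` starts and ends outside the hunk.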
 
diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp 
b/gfx/angle/src/compiler/translator/glslang_lex.cpp
--- a/gfx/angle/src/compiler/translator/glslang_lex.cpp
+++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp
@@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t 
        if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == 
YY_BUFFER_EOF_PENDING )
                /* don't do the read, it's not guaranteed to return an EOF,
                 * just force an EOF
                 */
                YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
        else
                {
-                       yy_size_t num_to_read =
+                       int num_to_read =
                        YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move 
- 1;
 
                while ( num_to_read <= 0 )
                        { /* Not enough room in the buffer - grow it. */
 
                        /* just a shorter name for the current buffer */
                        YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 
diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c 
b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
--- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
+++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c
@@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t 
        if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == 
YY_BUFFER_EOF_PENDING )
                /* don't do the read, it's not guaranteed to return an EOF,
                 * just force an EOF
                 */
                YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0;
 
        else
                {
-                       yy_size_t num_to_read =
+                       int num_to_read =
                        YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move 
- 1;
 
                while ( num_to_read <= 0 )
                        { /* Not enough room in the buffer - grow it. */
 
                        /* just a shorter name for the current buffer */
                        YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;
 

