Hello community, here is the log from the commit of package MozillaThunderbird for openSUSE:Factory checked in at 2016-08-12 15:34:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/MozillaThunderbird (Old) and /work/SRC/openSUSE:Factory/.MozillaThunderbird.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "MozillaThunderbird" Changes: -------- --- /work/SRC/openSUSE:Factory/MozillaThunderbird/MozillaThunderbird.changes 2016-08-03 11:37:23.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.MozillaThunderbird.new/MozillaThunderbird.changes 2016-08-12 15:34:54.000000000 +0200 @@ -1,0 +2,7 @@ +Fri Aug 5 13:47:12 UTC 2016 - pcerny@suse.com + +- Fix for possible buffer overrun (bsc#990856) + CVE-2016-6354 (bmo#1292534) + [mozilla-flex_buffer_overrun.patch] + +------------------------------------------------------------------- New: ---- mozilla-flex_buffer_overrun.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ MozillaThunderbird.spec ++++++ --- /var/tmp/diff_new_pack.KE2QXi/_old 2016-08-12 15:34:59.000000000 +0200 +++ /var/tmp/diff_new_pack.KE2QXi/_new 2016-08-12 15:34:59.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package MozillaThunderbird # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. # 2006-2016 Wolfgang Rosenauer <wr@rosenauer.org> # # All modifications and additions to the file contributed by third parties @@ -108,6 +108,8 @@ Patch9: mozilla-binutils-visibility.patch # Thunderbird/mail Patch20: tb-ssldap.patch +# hotfix +Patch150: mozilla-flex_buffer_overrun.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: coreutils fileutils textutils /bin/sh Recommends: libcanberra0 @@ -204,6 +206,7 @@ %patch6 -p1 %patch8 -p1 %patch9 -p1 +%patch150 -p1 popd # comm-central patches %patch20 -p1 ++++++ mozilla-flex_buffer_overrun.patch ++++++ # HG changeset patch # Parent c8e8364b303892fdb5a574b96411d2d8f699a15e Patch lexical parser files generated by flex which may be potentially exploitable in a buffer overrun. These seem to come from an upstream projects (CMU Sphinx and ANGLE) so it should be fixed there in the first place. CVE-2016-6354 https://bugzilla.suse.com/show_bug.cgi?id=990856 diff --git a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp --- a/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp +++ b/gfx/angle/src/compiler/preprocessor/Tokenizer.cpp @@ -1375,17 +1375,17 @@ static int yy_get_next_buffer (yyscan_t if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ /* just a shorter name for the current buffer */ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE; diff --git a/gfx/angle/src/compiler/translator/glslang_lex.cpp b/gfx/angle/src/compiler/translator/glslang_lex.cpp --- a/gfx/angle/src/compiler/translator/glslang_lex.cpp +++ b/gfx/angle/src/compiler/translator/glslang_lex.cpp @@ -2269,17 +2269,17 @@ static int yy_get_next_buffer (yyscan_t if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ /* just a shorter name for the current buffer */ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE; diff --git a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c --- a/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c +++ b/media/sphinxbase/src/libsphinxbase/lm/jsgf_scanner.c @@ -1242,17 +1242,17 @@ static int yy_get_next_buffer (yyscan_t if ( YY_CURRENT_BUFFER_LVALUE->yy_buffer_status == YY_BUFFER_EOF_PENDING ) /* don't do the read, it's not guaranteed to return an EOF, * just force an EOF */ YY_CURRENT_BUFFER_LVALUE->yy_n_chars = yyg->yy_n_chars = 0; else { - yy_size_t num_to_read = + int num_to_read = YY_CURRENT_BUFFER_LVALUE->yy_buf_size - number_to_move - 1; while ( num_to_read <= 0 ) { /* Not enough room in the buffer - grow it. */ /* just a shorter name for the current buffer */ YY_BUFFER_STATE b = YY_CURRENT_BUFFER_LVALUE;