[pkgsrc/trunk]: pkgsrc/www/seamonkey seamonkey: update to 2.49.3

[maya <maya%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/7aa335b2a80d
branches:  trunk
changeset: 382309:7aa335b2a80d
user:      maya <maya%pkgsrc.org@localhost>
date:      Tue Jun 26 23:29:24 2018 +0000

description:
seamonkey: update to 2.49.3

remove patches for security fixes now upstream.


seamonkey is now based on firefox 52.7.3 ESR.
SeaMonkey 2.49.3 shares most parts of the mail and news code with Thunderbird.
Please read the Thunderbird 52.7.0 release notes for specific changes and
security fixes in this release.

SeaMonkey-specific changes
seamonkey official linux builds are based on GTK3 (no change for us)

diffstat:

 www/seamonkey/Makefile                                                               |   5 +-
 www/seamonkey/distinfo                                                               |  14 +-
 www/seamonkey/patches/patch-CVE-2018-5146                                            |  82 ----------
 www/seamonkey/patches/patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.cpp |  21 --
 www/seamonkey/patches/patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.h   |  21 --
 5 files changed, 7 insertions(+), 136 deletions(-)

diffs (180 lines):

diff -r a1b4c0718b15 -r 7aa335b2a80d www/seamonkey/Makefile
--- a/www/seamonkey/Makefile    Tue Jun 26 21:50:22 2018 +0000
+++ b/www/seamonkey/Makefile    Tue Jun 26 23:29:24 2018 +0000
@@ -1,9 +1,8 @@
-# $NetBSD: Makefile,v 1.176 2018/04/16 14:35:19 wiz Exp $
+# $NetBSD: Makefile,v 1.177 2018/06/26 23:29:24 maya Exp $
 
 DISTNAME=      seamonkey-${SM_VER}.source
 PKGNAME=       seamonkey-${SM_VER:S/b/beta/}
-PKGREVISION=   6
-SM_VER=                2.49.2
+SM_VER=                2.49.3
 CATEGORIES=    www
 MASTER_SITES=  ${MASTER_SITE_MOZILLA:=seamonkey/releases/${SM_VER}/source/}
 EXTRACT_SUFX=  .tar.xz
diff -r a1b4c0718b15 -r 7aa335b2a80d www/seamonkey/distinfo
--- a/www/seamonkey/distinfo    Tue Jun 26 21:50:22 2018 +0000
+++ b/www/seamonkey/distinfo    Tue Jun 26 23:29:24 2018 +0000
@@ -1,11 +1,9 @@
-$NetBSD: distinfo,v 1.151 2018/03/26 22:56:07 maya Exp $
+$NetBSD: distinfo,v 1.152 2018/06/26 23:29:24 maya Exp $
 
-SHA1 (seamonkey-2.49.2.source.tar.xz) = 843ff7e74e488d03bdbf72237a1973c50887494b
-RMD160 (seamonkey-2.49.2.source.tar.xz) = 9f79789a5d44985d96f8549f537ad01f23c1fc2c
-SHA512 (seamonkey-2.49.2.source.tar.xz) = 6f69f7fb0a2de8086231b615b62b350edf6c903d2fde90ee4c79e316cfcf5a413097df9afe1397dbfe680e264f6be14c2c147be7ba11c5dbd73a1e9e01b8857e
-Size (seamonkey-2.49.2.source.tar.xz) = 229980312 bytes
-SHA1 (patch-CVE-2018-5146) = 121d8511b4aef0a784ae12d12c35cd4282c9ab83
-SHA1 (patch-CVE-2018-5147) = 1c44a5e2f0a81b58ebc8343028019e4681ee246c
+SHA1 (seamonkey-2.49.3.source.tar.xz) = 9a6d681f96d87c12081c75cd7c018b93c68ea9ae
+RMD160 (seamonkey-2.49.3.source.tar.xz) = 75e4058b46d001253b34ba7039af30ce52092854
+SHA512 (seamonkey-2.49.3.source.tar.xz) = f38add67c7528809adda55d2ee165d953c34080b6b75aaebed6f904e82c6f6a1ec243d53b6f4f4b875123fd2c7831758909e1baccdf3d9e58ed4747625d8f59f
+Size (seamonkey-2.49.3.source.tar.xz) = 231547028 bytes
 SHA1 (patch-ao) = e466058ed1899a64a9ab5b57290ff2baad1ea03c
 SHA1 (patch-ldap_c-sdk_include_portable.h) = ce0b643fa031b74bf7d74eedc4f3729807aef799
 SHA1 (patch-mail_app_Makefile.in) = da6ac87ffdcff733f11218cb11f8ef316bb1bc18
@@ -37,8 +35,6 @@
 SHA1 (patch-mozilla_gfx_gl_GLContextProviderGLX.cpp) = d4d0cdf25ae15f7cc07d1ad213ec7d2b015e4168
 SHA1 (patch-mozilla_gfx_graphite2_moz-gr-update.sh) = 22365f3d536b929a73e8e5d99a34f5857b5b2d35
 SHA1 (patch-mozilla_gfx_graphite2_src_Bidi.cpp) = fb97becdfeeea742e8c0bc51e10efc124a2a11f3
-SHA1 (patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.cpp) = 296b7d67033aad8d3f914caa97574b44be9a0a47
-SHA1 (patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.h) = 52ce2aa5557ff6dc74d4ae1e931f20be3c4dbe78
 SHA1 (patch-mozilla_gfx_moz.build) = c3bb9f947bb6cb19d890fba83bd9dd4ac29d2ebf
 SHA1 (patch-mozilla_gfx_skia_generate__mozbuild.py) = 9850cc0636728061cad1297716bdf43d6ef5d063
 SHA1 (patch-mozilla_gfx_skia_moz.build) = e7337cf958e2ab9f422573519eb4ee0666319964
diff -r a1b4c0718b15 -r 7aa335b2a80d www/seamonkey/patches/patch-CVE-2018-5146
--- a/www/seamonkey/patches/patch-CVE-2018-5146 Tue Jun 26 21:50:22 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,82 +0,0 @@
-$NetBSD: patch-CVE-2018-5146,v 1.1 2018/03/16 23:25:56 maya Exp $
-
-CVE-2018-5146: Prevent out-of-bounds write in codebook decoding.
-
-Codebooks that are not an exact divisor of the partition size are now
-truncated to fit within the partition.
-
---- mozilla/media/libvorbis/lib/vorbis_codebook.c.orig 2018-02-05 11:49:22.000000000 +0000
-+++ mozilla/media/libvorbis/lib/vorbis_codebook.c
-@@ -387,7 +387,7 @@ long vorbis_book_decodevs_add(codebook *
-       t[i] = book->valuelist+entry[i]*book->dim;
-     }
-     for(i=0,o=0;i<book->dim;i++,o+=step)
--      for (j=0;j<step;j++)
-+      for (j=0;o+j<n && j<step;j++)
-         a[o+j]+=t[j][i];
-   }
-   return(0);
-@@ -399,41 +399,12 @@ long vorbis_book_decodev_add(codebook *b
-     int i,j,entry;
-     float *t;
- 
--    if(book->dim>8){
--      for(i=0;i<n;){
--        entry = decode_packed_entry_number(book,b);
--        if(entry==-1)return(-1);
--        t     = book->valuelist+entry*book->dim;
--        for (j=0;j<book->dim;)
--          a[i++]+=t[j++];
--      }
--    }else{
--      for(i=0;i<n;){
--        entry = decode_packed_entry_number(book,b);
--        if(entry==-1)return(-1);
--        t     = book->valuelist+entry*book->dim;
--        j=0;
--        switch((int)book->dim){
--        case 8:
--          a[i++]+=t[j++];
--        case 7:
--          a[i++]+=t[j++];
--        case 6:
--          a[i++]+=t[j++];
--        case 5:
--          a[i++]+=t[j++];
--        case 4:
--          a[i++]+=t[j++];
--        case 3:
--          a[i++]+=t[j++];
--        case 2:
--          a[i++]+=t[j++];
--        case 1:
--          a[i++]+=t[j++];
--        case 0:
--          break;
--        }
--      }
-+    for(i=0;i<n;){
-+      entry = decode_packed_entry_number(book,b);
-+      if(entry==-1)return(-1);
-+      t     = book->valuelist+entry*book->dim;
-+      for(j=0;i<n && j<book->dim;)
-+        a[i++]+=t[j++];
-     }
-   }
-   return(0);
-@@ -471,12 +442,13 @@ long vorbis_book_decodevv_add(codebook *
-   long i,j,entry;
-   int chptr=0;
-   if(book->used_entries>0){
--    for(i=offset/ch;i<(offset+n)/ch;){
-+    int m=(offset+n)/ch;
-+    for(i=offset/ch;i<m;){
-       entry = decode_packed_entry_number(book,b);
-       if(entry==-1)return(-1);
-       {
-         const float *t = book->valuelist+entry*book->dim;
--        for (j=0;j<book->dim;j++){
-+        for (j=0;i<m && j<book->dim;j++){
-           a[chptr++][i]+=t[j];
-           if(chptr==ch){
-             chptr=0;
diff -r a1b4c0718b15 -r 7aa335b2a80d www/seamonkey/patches/patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.cpp
--- a/www/seamonkey/patches/patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.cpp      Tue Jun 26 21:50:22 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-$NetBSD: patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.cpp,v 1.1 2018/03/26 22:56:07 maya Exp $
-
-CVE-2018-5148: Use-after-free in compositor
-
-A use-after-free vulnerability can occur in the compositor during
-certain graphics operations when a raw pointer is used instead of a
-reference counted one. This results in a potentially exploitable crash
-
-Bug 1440717 - Use RefPtr for CompositingRenderTargetOGL::mGL. r=Bas, a=ritu
-
---- mozilla/gfx/layers/opengl/CompositingRenderTargetOGL.cpp.orig      2018-02-05 11:48:12.000000000 +0000
-+++ mozilla/gfx/layers/opengl/CompositingRenderTargetOGL.cpp
-@@ -60,7 +60,7 @@ CompositingRenderTargetOGL::BindRenderTa
-         msg.AppendPrintf("Framebuffer not complete -- CheckFramebufferStatus returned 0x%x, "
-                          "GLContext=%p, IsOffscreen()=%d, mFBO=%d, aFBOTextureTarget=0x%x, "
-                          "aRect.width=%d, aRect.height=%d",
--                         result, mGL, mGL->IsOffscreen(), mFBO, mInitParams.mFBOTextureTarget,
-+                         result, mGL.get(), mGL->IsOffscreen(), mFBO, mInitParams.mFBOTextureTarget,
-                          mInitParams.mSize.width, mInitParams.mSize.height);
-         NS_WARNING(msg.get());
-       }
diff -r a1b4c0718b15 -r 7aa335b2a80d www/seamonkey/patches/patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.h
--- a/www/seamonkey/patches/patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.h        Tue Jun 26 21:50:22 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-$NetBSD: patch-mozilla_gfx_layers_opengl_CompositingRenderTargetOGL.h,v 1.1 2018/03/26 22:56:07 maya Exp $
-
-CVE-2018-5148: Use-after-free in compositor
-
-A use-after-free vulnerability can occur in the compositor during
-certain graphics operations when a raw pointer is used instead of a
-reference counted one. This results in a potentially exploitable crash
-
-Bug 1440717 - Use RefPtr for CompositingRenderTargetOGL::mGL. r=Bas, a=ritu
-
---- mozilla/gfx/layers/opengl/CompositingRenderTargetOGL.h.orig        2018-02-05 11:48:08.000000000 +0000
-+++ mozilla/gfx/layers/opengl/CompositingRenderTargetOGL.h
-@@ -184,7 +184,7 @@ private:
-    * the target is always cleared at the end of a frame.
-    */
-   RefPtr<CompositorOGL> mCompositor;
--  GLContext* mGL;
-+  RefPtr<GLContext> mGL;
-   GLuint mTextureHandle;
-   GLuint mFBO;
- };