- Mozilla Firefox 126.0

https://www.mozilla.org/en-US/firefox/126.0/releasenotes MFSA 2024-21 (bsc#1224056) * CVE-2024-4764 (bmo#1879093) Use-after-free when audio input connected with multiple consumers * CVE-2024-4367 (bmo#1893645) Arbitrary JavaScript execution in PDF.js * CVE-2024-4765 (bmo#1871109) Web application manifests could have been overwritten via hash collision * CVE-2024-4766 (bmo#1871214, bmo#1871217) Fullscreen notification could have been obscured on Firefox for Android * CVE-2024-4767 (bmo#1878577) IndexedDB files retained in private browsing mode * CVE-2024-4768 (bmo#1886082) Potential permissions request bypass via clickjacking * CVE-2024-4769 (bmo#1886108) Cross-origin responses could be distinguished between script and non-script content-types * CVE-2024-4770 (bmo#1893270) Use-after-free could occur when printing to PDF * CVE-2024-4771 (bmo#1893891) Failed allocation could lead to use-after-free * CVE-2024-4772 (bmo#1870579) Use of insecure rand() function to generate nonce * CVE-2024-4773 (bmo#1875248) URL bar could be cleared after network error * CVE-2024-4774 (bmo#1886598) Undefined behavior in ShmemCharMapHashEntry() OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1150
2024-05-21 08:22:00 +00:00 · 2024-05-21 08:22:00 +00:00 · 20c3e10797
commit 20c3e10797
parent 08721dc7bb
12 changed files with 102 additions and 75 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Wed May 15 08:46:30 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 126.0
+  https://www.mozilla.org/en-US/firefox/126.0/releasenotes
+  MFSA 2024-21 (bsc#1224056)
+  * CVE-2024-4764 (bmo#1879093)
+    Use-after-free when audio input connected with multiple consumers
+  * CVE-2024-4367 (bmo#1893645)
+    Arbitrary JavaScript execution in PDF.js
+  * CVE-2024-4765 (bmo#1871109)
+    Web application manifests could have been overwritten via
+    hash collision
+  * CVE-2024-4766 (bmo#1871214, bmo#1871217)
+    Fullscreen notification could have been obscured on Firefox
+    for Android
+  * CVE-2024-4767 (bmo#1878577)
+    IndexedDB files retained in private browsing mode
+  * CVE-2024-4768 (bmo#1886082)
+    Potential permissions request bypass via clickjacking
+  * CVE-2024-4769 (bmo#1886108)
+    Cross-origin responses could be distinguished between script
+    and non-script content-types
+  * CVE-2024-4770 (bmo#1893270)
+    Use-after-free could occur when printing to PDF
+  * CVE-2024-4771 (bmo#1893891)
+    Failed allocation could lead to use-after-free
+  * CVE-2024-4772 (bmo#1870579)
+    Use of insecure rand() function to generate nonce
+  * CVE-2024-4773 (bmo#1875248)
+    URL bar could be cleared after network error
+  * CVE-2024-4774 (bmo#1886598)
+    Undefined behavior in ShmemCharMapHashEntry()
+  * CVE-2024-4775 (bmo#1887332)
+    Invalid memory access in the built-in profiler
+  * CVE-2024-4776 (bmo#1887343)
+    Window may remain disabled after file dialog is shown in
+    full-screen
+  * CVE-2024-4777 (bmo#1878199, bmo#1893340)
+    Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
+    and Thunderbird 115.11
+  * CVE-2024-4778 (bmo#1838834, bmo#1889291, bmo#1889595,
+    bmo#1890204, bmo#1891545)
+    Memory safety bugs fixed in Firefox 126
+- requires NSS 3.100
+- removed obsolete mozilla-libproxy-fix.patch
+
 -------------------------------------------------------------------
 Mon Apr 29 18:17:48 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major          125
-%define mainver        %major.0.3
-%define orig_version   125.0.3
+%define major          126
+%define mainver        %major.0
+%define orig_version   126.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@ -114,7 +114,7 @@ BuildRequires:  libiw-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.35
-BuildRequires:  mozilla-nss-devel >= 3.99
+BuildRequires:  mozilla-nss-devel >= 3.100
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@ -229,7 +229,6 @@ Patch21:        svg-rendering.patch
 Patch22:        mozilla-partial-revert-1768632.patch
 Patch23:        mozilla-rust-disable-future-incompat.patch
 Patch24:        mozilla-bmo1822730.patch
-Patch25:        mozilla-libproxy-fix.patch
 # Firefox/browser
 Patch101:       firefox-kde.patch
 Patch102:       firefox-branded-icons.patch
@ -735,10 +734,10 @@ exit 0
 %{progdir}/platform.ini
 %if %crashreporter
 %{progdir}/crashreporter
-%{progdir}/crashreporter.ini
-%{progdir}/Throbber-small.gif
+#%{progdir}/crashreporter.ini
+#%{progdir}/Throbber-small.gif
 %{progdir}/minidump-analyzer
-%{progdir}/browser/crashreporter-override.ini
+#%{progdir}/browser/crashreporter-override.ini
 %endif
 %{_datadir}/applications/%{desktop_file_name}.desktop
 %{_datadir}/mime/packages/%{progname}.xml
--- a/firefox-125.0.3.source.tar.xz
+++ b/firefox-125.0.3.source.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:461c66b85e4a0345dcce422d3b66212489f3cca8f22a9a8f43a07a0c98bd5616
-size 551590872
--- a/firefox-125.0.3.source.tar.xz.asc
+++ b/firefox-125.0.3.source.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmYtMEEACgkQ4207E/PZ
-MnSBeA/9E8S6inlmYrxQ2wf0LKnDKZmT06XUvlcKWy68F1RdEWNLqjMOV+o60rug
-/Gjnp6DT2yTMsXnoaO1Re89HGKHkZ1KbuevzjLUyXvQzNUbkCuA+5zqZEwa+16g7
-rxFpho7iEO5LkYB7PoQxks8AY+JaXlZreXMJ8I5wQ5+KnM8tQE1ZcoAFz2J5Oc9Y
-DHtVbzq09V6dh5B0oTjGxsWB65YqhxTc3zCpQ8nNB5IV6MwU99emfcI7usLWtdyP
-goTDXYCYlsORn0pTGkAL5GeXWgh4yAxOW5Fr3Cfv9oADFCTVFK07A7n8Y9fbuT5b
-9ZgUkBPjuwf3pFcQAXRerrPCbbo4SqMY88tcUNXhOjbwxGXplxBd+A1v/3I3wv5y
-jk3FGLHrlUX4AvBhMsajvUu6cpqPfVfDaKDRLpvJkPMTFz0Gv9Log8BnhQ852hkq
-/y0vvdY8znIvWM9pca97AtQVhhamKuAo7kqh996g8eT5Wa2pBbSuuKWteT1i+61Z
-iLsg8mcfnEgoP7w+KOgiSKvuG738MHvxMV/aQdR2AXLOCkltr4gqXytXhYsPLvJg
-qfeUdLqgYPu64vyhETzdfxqL4Ivaj25ikSXILO+iKJo5cMQP4j7g1oZAq7Qtt/Yi
-wC2cgmMKhn0fNB7f9csyyJV33jI55u56A7iO6p1Z4HCFbbTtI8k=
-=0RYQ
-----END PGP SIGNATURE-----
--- a/firefox-126.0.source.tar.xz
+++ b/firefox-126.0.source.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:910e82a1999ec229e5bc5090a39cec9c575e8bafcac2c54f9bb5c699bd868526
+size 552065476
--- a/firefox-126.0.source.tar.xz.asc
+++ b/firefox-126.0.source.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmY9XrkACgkQ4207E/PZ
+MnT6RQ//S0b1dy2LR3WqwnZvdZRjT9jbmdJw7RKopN4KAaZmeL5qo4eBOWxkECqw
+TrZZiqX44Mm1DdIJG0NKP7D95WMAJuJQntV5VFJMZKtdtmD1UHMymMKOqYia21tr
+5pxrwEYAPP7t3zZIoCDmcgdwArWkdt+wJSNCTrTjaJQdygP02bex2lZl7HE7wsrp
+02/SAjl83iOkx2x+W9LeR889PGrrOe4c2Z0fHaqGtBJVOBR/1JJwjJT2td0CCjmD
+wAsI/O2nxwL+kMTB/8sexcYFdM2QDBmMOYJb82sb7mkc3y1xsCMhpGylmhXGFS3c
+en44BdNAHCTn91g/MlhIjUCPljWG+YkitE2/7GKotpOQTNH9rr2UET3aPzvwAZyf
+Gl5U9VN8u++ZCvVXrtmve1P2vOkJnUcq+MBxTgiBlFyqhvhww9KP7nIQslBzUhWc
+X25OKQVXHyfYLS3s+xP2ynCG7cXXbV3jSDBS7FcbiHqdaL4d1d9gnGj1/+77KOJA
+3aZ8ARLc1x9V/mc9HuyLrcletcpMhhusgY2fc/ae8i6Dh5nL+GY06x1Fv5JtNDR0
+XgJR6IflalT2EDeMOvRHWuWl1wPi8KVD3DRZiOKqBOuln2nZSyV2cpXozAgA87zE
+qanJq7bkFkl4YFMkBBytDUq85t4K9ztAlzTR0UeyKR4AuLRZuww=
+=5nXv
+-----END PGP SIGNATURE-----
--- a/l10n-125.0.3.tar.xz
+++ b/l10n-125.0.3.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:67744c91e271a3e28c59a5b7d4136c0f338fdee73c633ebfcb350cb9a05a4df7
-size 31332840
--- a/l10n-126.0.tar.xz
+++ b/l10n-126.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7fb67354817ee6319fbe56189ef248105bc3025983dabfe654992f31a86c7f98
+size 31696716
--- a/mozilla-kde.patch
+++ b/mozilla-kde.patch
@ -50,7 +50,7 @@ Co-authored-by: Björn Bidar <bjorn.bidar@thaodan.de>
 diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp
 --- a/modules/libpref/Preferences.cpp
 +++ b/modules/libpref/Preferences.cpp
-@@ -90,16 +90,17 @@
+@@ -92,16 +92,17 @@
 #include "PLDHashTable.h"
 #include "prdtoa.h"
 #include "prlink.h"
@ -727,7 +727,7 @@ diff --git a/uriloader/exthandler/HandlerServiceParent.cpp b/uriloader/exthandle
 using mozilla::dom::RemoteHandlerApp;
 
 namespace {
-@@ -305,18 +305,18 @@ mozilla::ipc::IPCResult HandlerServicePa
+@@ -309,18 +309,18 @@ mozilla::ipc::IPCResult HandlerServicePa
 mozilla::ipc::IPCResult HandlerServiceParent::RecvExistsForProtocolOS(
     const nsACString& aProtocolScheme, bool* aHandlerExists) {
   if (aProtocolScheme.Length() > MAX_SCHEME_LENGTH) {
@ -771,7 +771,7 @@ diff --git a/uriloader/exthandler/moz.build b/uriloader/exthandler/moz.build
     ]
 elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "windows":
     UNIFIED_SOURCES += [
-@@ -129,15 +131,16 @@ include("/ipc/chromium/chromium-config.m
+@@ -130,15 +132,16 @@ include("/ipc/chromium/chromium-config.m
 FINAL_LIBRARY = "xul"
 
 LOCAL_INCLUDES += [
@ -991,7 +991,7 @@ new file mode 100644
 diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp
 --- a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp
 +++ b/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp
-@@ -1,48 +1,51 @@
+@@ -1,27 +1,30 @@
 /* -*- Mode: C++; tab-width: 3; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
@ -1004,6 +1004,8 @@ diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler
 #include "nsIGIOService.h"
 #include "nsNetCID.h"
 #include "nsIIOService.h"
+ #include "nsLocalFile.h"
+ 
 #ifdef MOZ_ENABLE_DBUS
 #  include "nsDBusHandlerApp.h"
 #endif
@ -1016,10 +1018,13 @@ diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler
 +  return nsCommonRegistry::LoadURL(aURI);
 }
 
- NS_IMETHODIMP
- nsMIMEInfoUnix::GetHasDefaultHandler(bool* _retval) {
-   // if a default app is set, it means the application has been set from
-   // either /etc/mailcap or ${HOME}/.mailcap, in which case we don't want to
+ NS_IMETHODIMP nsMIMEInfoUnix::GetDefaultExecutable(nsIFile** aExecutable) {
+   // This needs to be implemented before FirefoxBridge will work on Linux.
+   // To implement this and be consistent, GetHasDefaultHandler and
+   // LaunchDefaultWithFile should probably be made to be consistent.
+   // Right now, they aren't. GetHasDefaultHandler reports true in cases
+   // where calling LaunchDefaultWithFile will fail due to not finding the
+@@ -37,25 +40,25 @@ nsMIMEInfoUnix::GetHasDefaultHandler(boo
   // give the GNOME answer.
   if (GetDefaultApplication()) {
     return nsMIMEInfoImpl::GetHasDefaultHandler(_retval);
@ -1048,7 +1053,7 @@ diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler
   if (*_retval) return NS_OK;
 
   return NS_OK;
-@@ -54,16 +57,31 @@ nsresult nsMIMEInfoUnix::LaunchDefaultWi
+@@ -67,16 +70,31 @@ nsresult nsMIMEInfoUnix::LaunchDefaultWi
   // give the GNOME answer.
   if (GetDefaultApplication()) {
     return nsMIMEInfoImpl::LaunchDefaultWithFile(aFile);
--- a/mozilla-libproxy-fix.patch
+++ b/mozilla-libproxy-fix.patch
@ -1,25 +0,0 @@
-# HG changeset patch
-# User Wolfgang Rosenauer <wr@rosenauer.org>
-# Parent  302a32e4a14475d3bae305decad92870ec37bbe5
-
-diff --git a/toolkit/system/unixproxy/nsLibProxySettings.cpp b/toolkit/system/unixproxy/nsLibProxySettings.cpp
--- a/toolkit/system/unixproxy/nsLibProxySettings.cpp
-+++ b/toolkit/system/unixproxy/nsLibProxySettings.cpp
-@@ -94,11 +94,17 @@ nsresult nsUnixSystemProxySettings::GetP
- 
-     c++;
-   }
- 
-   free(proxyArray);
-   return NS_OK;
- }
- 
-+NS_IMETHODIMP
-+nsUnixSystemProxySettings::GetSystemWPADSetting(bool* aSystemWPADSetting) {
-+  *aSystemWPADSetting = false;
-+  return NS_OK;
-+}
-+
- NS_IMPL_COMPONENT_FACTORY(nsUnixSystemProxySettings) {
-   return do_AddRef(new nsUnixSystemProxySettings()).downcast<nsISupports>();
- }
--- a/mozilla-rust-disable-future-incompat.patch
+++ b/mozilla-rust-disable-future-incompat.patch
@ -1,20 +1,21 @@
 # HG changeset patch
-# Parent  fa3b49f090f8b4a1af0510a675d2674a420fcbc6
+# Parent  83a5e219b271976ee9dfa46b74ecc1c1c6d49f94

 diff --git a/Cargo.toml b/Cargo.toml
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -219,8 +219,13 @@ webext-storage = { git = "https://github
+@@ -234,8 +234,14 @@ mio_0_8 = { package = "mio", git = "http
 path = "third_party/rust/mio-0.6.23"
 
 [patch."https://github.com/mozilla/uniffi-rs.git"]
- uniffi = "=0.25.3"
- uniffi_bindgen = "=0.25.3"
- uniffi_build = "=0.25.3"
- uniffi_macros = "=0.25.3"
- weedle2 = "=4.0.0"
+ uniffi = "0.27.1"
+ uniffi_bindgen = "0.27.1"
+ uniffi_build = "0.27.1"
+ uniffi_macros = "0.27.1"
+ weedle2 = "=5.0.0"
 +
 +# Package code v0.1.4 uses code "that will be rejected by a future version of Rust"
 +# Shut up such messages for now to make the build succeed
 +[future-incompat-report]
 +frequency = "never"
+
--- a/8
+++ b/8
@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="125.0.3"
+VERSION="126.0"
 VERSION_SUFFIX=""
-PREV_VERSION="125.0.2"
+PREV_VERSION="125.0.3"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="899257fc1af08f2b141cd16d4b6151c0e0b47a9a"
-RELEASE_TIMESTAMP="20240425211020"
+RELEASE_TAG="3db775a2083d15ae699bdc129ad9c51f323ace70"
+RELEASE_TIMESTAMP="20240509170740"