Accepting request 1160726 from mozilla:Factory

- Mozilla Firefox 124.0.1
  https://www.mozilla.org/en-US/firefox/124.0.1/releasenotes/
  MFSA 2024-15 (bsc#1221850)
  * CVE-2024-29943 (bmo#1886849)
    Out-of-bounds access via Range Analysis bypass
  * CVE-2024-29944 (bmo#1886852)
    Privileged JavaScript Execution via Event Handlers
  Mozilla Firefox 124.0
  https://www.mozilla.org/en-US/firefox/124.0/releasenotes/
  MFSA 2024-12 (bsc#1221327)
  * CVE-2024-2605 (bmo#1872920)
    Windows Error Reporter could be used as a Sandbox escape vector
  * CVE-2024-2606 (bmo#1879237)
    Mishandling of WASM register values
  * CVE-2024-2607 (bmo#1879939)
    JIT code failed to save return registers on Armv7-A
  * CVE-2024-2608 (bmo#1880692)
    Integer overflow could have led to out of bounds write
  * CVE-2023-5388 (bmo#1780432)
    NSS susceptible to timing attack against RSA decryption
  * CVE-2024-2609 (bmo#1866100)
    Permission prompt input delay could expire when not in focus
  * CVE-2024-2610 (bmo#1871112)
    Improper handling of html and body tags enabled CSP nonce leakage
  * CVE-2024-2611 (bmo#1876675)
    Clickjacking vulnerability could have led to a user accidentally
    granting permissions
  * CVE-2024-2612 (bmo#1879444)
    Self referencing object could have potentially led to a use-
    after-free

OBS-URL: https://build.opensuse.org/request/show/1160726
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=423

MozillaFirefox.changes

@@ -1,3 +1,47 @@
+-------------------------------------------------------------------
+Fri Mar 22 09:53:26 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 124.0.1
+  https://www.mozilla.org/en-US/firefox/124.0.1/releasenotes/
+  MFSA 2024-15 (bsc#1221850)
+  * CVE-2024-29943 (bmo#1886849)
+    Out-of-bounds access via Range Analysis bypass
+  * CVE-2024-29944 (bmo#1886852)
+    Privileged JavaScript Execution via Event Handlers
+  Mozilla Firefox 124.0
+  https://www.mozilla.org/en-US/firefox/124.0/releasenotes/
+  MFSA 2024-12 (bsc#1221327)
+  * CVE-2024-2605 (bmo#1872920)
+    Windows Error Reporter could be used as a Sandbox escape vector
+  * CVE-2024-2606 (bmo#1879237)
+    Mishandling of WASM register values
+  * CVE-2024-2607 (bmo#1879939)
+    JIT code failed to save return registers on Armv7-A
+  * CVE-2024-2608 (bmo#1880692)
+    Integer overflow could have led to out of bounds write
+  * CVE-2023-5388 (bmo#1780432)
+    NSS susceptible to timing attack against RSA decryption
+  * CVE-2024-2609 (bmo#1866100)
+    Permission prompt input delay could expire when not in focus
+  * CVE-2024-2610 (bmo#1871112)
+    Improper handling of html and body tags enabled CSP nonce leakage
+  * CVE-2024-2611 (bmo#1876675)
+    Clickjacking vulnerability could have led to a user accidentally
+    granting permissions
+  * CVE-2024-2612 (bmo#1879444)
+    Self referencing object could have potentially led to a use-
+    after-free
+  * CVE-2024-2613 (bmo#1875701)
+    Improper handling of QUIC ACK frame data could have led to OOM
+  * CVE-2024-2614 (bmo#1685358, bmo#1861016, bmo#1880405, bmo#1881093)
+    Memory safety bugs fixed in Firefox 124, Firefox ESR 115.9,
+    and Thunderbird 115.9
+  * CVE-2024-2615 (bmo#1881074, bmo#1881650, bmo#1882438)
+    Memory safety bugs fixed in Firefox 124
+- requires
+  NSS = 3.98
+  rust-cbindgen >= 0.26
+
 -------------------------------------------------------------------
 Fri Mar  8 06:16:48 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
 

MozillaFirefox.spec

@@ -2,7 +2,7 @@
 # spec file for package MozillaFirefox
 #
 # Copyright (c) 2024 SUSE LLC
-# Copyright (c) 2006-2023 Wolfgang Rosenauer <wr@rosenauer.org>
+# Copyright (c) 2006-2024 Wolfgang Rosenauer <wr@rosenauer.org>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major          123
+%define major          124
 %define mainver        %major.0.1
-%define orig_version   123.0.1
+%define orig_version   124.0.1
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@@ -114,7 +114,7 @@ BuildRequires:  libiw-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.35
-BuildRequires:  mozilla-nss-devel >= 3.97
+BuildRequires:  mozilla-nss-devel >= 3.98
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -134,7 +134,7 @@ BuildRequires:  python3-curses
 BuildRequires:  python3-devel
 %endif
 %endif
-BuildRequires:  rust-cbindgen >= 0.24.3
+BuildRequires:  rust-cbindgen >= 0.26
 BuildRequires:  unzip
 BuildRequires:  update-desktop-files
 BuildRequires:  xorg-x11-libXt-devel

firefox-123.0.1.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d5dcb955b65e0f164a90cac0760724486e36e896221b98f244801dfd045d741c
-size 545230176

firefox-123.0.1.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmXlv0EACgkQ4207E/PZ
-MnSVrA//aY2Ggkr5OBlPBaGPGqLRdOEYG7ZGOO11yOKTa0R8iLpJLdx1Zfs7DUut
-XG63VPONcC0JH5Qlo9u/OOK40axdA4LhtxVygCDDLlT1Myw9Pjil+ALzndDmLYiJ
-YrqROMCaQ1dZUGIU2ygM59r73NZi5RL22ERxU7HRmzRpXNLz05qe13NUFbaGThEu
-jPqL2xLggifAdVAE47MzGFo4/pZWX1/0dkwXrPDymhB7CkTeGvRVlid6x/WCjGS8
-A5Tw0Ta5TWbY6s4CDdJQMgvogscc4WoruR3/flZbxth2leOowWDqcLjT2mhawkgE
-ewlrlAx64lGwqliinZiSk90DslRCFLXk3EcMHnp7+hOzp0l65HfV5dgFxbX9DesG
-b0DK3jJJegPfFpI3dLbXEcvZE87OJHSCslZuor0HS67ptImXY+ZYjz30YxtGnC45
-8hoyOLSePHkdDrFFcTJBbsMj5eIpFTGxblzA3y6CL7Go2sRnF2VylGTB0lXnDaAS
-ve97nEQIhZY2mNWFgZMINe/CouCX0/7y8rnoPr2RAPG4Zmf1mHbuMpCuUpgMF6Wa
-JxfHgPyzmdaTnhHbuj/Yf1sCZPPh5o/HIkOaNihxfe/tBgADWEiaZDjfmsp4qX8a
-NOKnqvKgxSEK+jVyrgaU9I1XrQwk/wnhfS6FMk5yo1hM6hHjYEo=
-=NmM8
------END PGP SIGNATURE-----

firefox-124.0.1.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ddac16aea855e057ff6be3c143f7155cc20f452e1f45eb6288ff27e9346ab843
+size 545772696

firefox-124.0.1.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmX9BREACgkQ4207E/PZ
+MnS6Wg//ZhAUGE9w8UO6FCksRmZjSZF6aMfmEX/8v5D3gpPXK68gQDZR4vGvGedM
+aNNmvlP6s6/xBPZfkiriRsq+c+N4Ls6MUfSvis7AjbyNAAVFp1UdlFLlCGrCrIxI
+Wt9pyD/IDPHwg6aktLRw+BcqnPLhdlOZ5xYbUp2PMbjNNHwFphOMCQWsvj7fbkfl
+OoKAQvrT/MeFVQV3lp6TX8WU0773Zlbsu355t8ZnQEZV4eiZeZh9jRU8HjaWYmU/
+yinP346y7CdVrfPt6c/ROB8Z0Noz5mrBqJ7DDzHffq1GRCeFxaM4bBy0dNAh7t87
+kErkdHFRh28WkWlfcmoe6uiW4ZLluAFxwnGftw9fSDZA1gAUwoj4qQmWB5RpI1lm
+tODN3vOqqSEGB5VQ53b6/HMZeCX7m6eKu9JsCS9PStLLdWM+JrlfVIvX3c4Hcpud
+ifHFZNufdaf5wQqzwwJnUaikyYfhk4oJOPZxKnfhdLoHzw9QcptHTtpn56r71g6l
+Hzhshl62Lpg7GU6CVxyaxYLiwtPY75LmFqK2GTolmfKGgNQzZTuq+jsmEMbxEbTW
+S5V3wRimggfVVj3MO7ybkwWVRKR5BqNzc+ArZ/b8BjMgABSfCiD/9uGwNhLgoBOZ
+35ZSTzcRIKm9uX8bRvnrFenkkMMX2BXJBlX0LLDzRs21c7FGk0U=
+=7WuV
+-----END PGP SIGNATURE-----

l10n-123.0.1.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:db489606750a6d8b1752d6f99228cb5811ca0f8bbc5a9c576f892220f4326b9d
-size 31107184

l10n-124.0.1.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b5a2654acb77950eb3b18d4418cf338194e838a0f3dbd26dff52ede3d6c7cb18
+size 32588820

mozilla-kde.patch

@@ -283,7 +283,7 @@ diff --git a/toolkit/system/unixproxy/nsUnixSystemProxySettings.cpp b/toolkit/sy
  nsUnixSystemProxySettings::GetMainThreadOnly(bool* aMainThreadOnly) {
    // dbus prevents us from being threadsafe, but this routine should not block
    // anyhow
-@@ -391,21 +395,46 @@ nsresult nsUnixSystemProxySettings::GetP
+@@ -388,21 +392,46 @@ nsresult nsUnixSystemProxySettings::GetP
    return NS_OK;
  }
  
@@ -1255,15 +1255,15 @@ diff --git a/widget/gtk/nsFilePicker.cpp b/widget/gtk/nsFilePicker.cpp
  
    mFilters.AppendElement(filter);
    mFilterNames.AppendElement(name);
-@@ -412,16 +416,39 @@ nsresult nsFilePicker::Show(nsIFilePicke
-   return NS_OK;
- }
- 
- NS_IMETHODIMP
+@@ -416,16 +420,39 @@ NS_IMETHODIMP
  nsFilePicker::Open(nsIFilePickerShownCallback* aCallback) {
    // Can't show two dialogs concurrently with the same filepicker
    if (mFileChooser) return NS_ERROR_NOT_AVAILABLE;
  
+   if (MaybeBlockFilePicker(aCallback)) {
+     return NS_OK;
+   }
+ 
 +  // KDE file picker is not handled via callback
 +  if (nsKDEUtils::kdeSupport()) {
 +    mCallback = aCallback;
@@ -1295,7 +1295,7 @@ diff --git a/widget/gtk/nsFilePicker.cpp b/widget/gtk/nsFilePicker.cpp
    GtkFileChooserAction action = GetGtkFileChooserAction(mMode);
  
    const gchar* accept_button;
-@@ -703,16 +730,215 @@ void nsFilePicker::Done(void* file_choos
+@@ -707,16 +734,215 @@ void nsFilePicker::Done(void* file_choos
      mCallback->Done(result);
      mCallback = nullptr;
    } else {
@@ -1670,13 +1670,13 @@ diff --git a/xpcom/components/ManifestParser.cpp b/xpcom/components/ManifestPars
 diff --git a/xpcom/components/moz.build b/xpcom/components/moz.build
 --- a/xpcom/components/moz.build
 +++ b/xpcom/components/moz.build
-@@ -66,16 +66,17 @@ LOCAL_INCLUDES += [
-     "!..",
+@@ -67,16 +67,17 @@ LOCAL_INCLUDES += [
      "../base",
      "../build",
      "../ds",
      "/chrome",
      "/js/xpconnect/loader",
+     "/js/xpconnect/src",
      "/layout/build",
      "/modules/libjar",
 +    "/toolkit/xre",

mozilla-silence-no-return-type.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  d1908d68e16e148fcc012caac881a03417eccc7e
+# Parent  831d03cde86aa6b8803d5ac431e2d28bf85c9289
 
 diff --git a/gfx/skia/skia/include/codec/SkEncodedOrigin.h b/gfx/skia/skia/include/codec/SkEncodedOrigin.h
 --- a/gfx/skia/skia/include/codec/SkEncodedOrigin.h
@@ -875,6 +875,28 @@ diff --git a/third_party/libwebrtc/modules/audio_processing/transient/transient_
                                                   int sample_rate_hz,
                                                   int detector_rate_hz,
                                                   int num_channels)
+diff --git a/third_party/libwebrtc/modules/congestion_controller/goog_cc/goog_cc_network_control.cc b/third_party/libwebrtc/modules/congestion_controller/goog_cc/goog_cc_network_control.cc
+--- a/third_party/libwebrtc/modules/congestion_controller/goog_cc/goog_cc_network_control.cc
++++ b/third_party/libwebrtc/modules/congestion_controller/goog_cc/goog_cc_network_control.cc
+@@ -90,16 +90,18 @@ BandwidthLimitedCause GetBandwidthLimite
+       // Probes may not be sent in this state.
+       return BandwidthLimitedCause::kLossLimitedBwe;
+     case LossBasedState::kIncreasing:
+       // Probes may be sent in this state.
+       return BandwidthLimitedCause::kLossLimitedBweIncreasing;
+     case LossBasedState::kDelayBasedEstimate:
+       return BandwidthLimitedCause::kDelayBasedLimited;
+   }
++  // just return something by default
++  return BandwidthLimitedCause::kLossLimitedBwe;
+ }
+ 
+ }  // namespace
+ 
+ GoogCcNetworkController::GoogCcNetworkController(NetworkControllerConfig config,
+                                                  GoogCcConfig goog_cc_config)
+     : key_value_config_(config.key_value_config ? config.key_value_config
+                                                 : &trial_based_config_),
 diff --git a/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc b/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc
 --- a/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc
 +++ b/third_party/libwebrtc/modules/desktop_capture/linux/wayland/screencast_portal.cc
@@ -957,7 +979,7 @@ diff --git a/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender.cc b/third
 diff --git a/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender_audio.cc b/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender_audio.cc
 --- a/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender_audio.cc
 +++ b/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender_audio.cc
-@@ -41,16 +41,17 @@ namespace {
+@@ -42,16 +42,17 @@ namespace {
      case AudioFrameType::kEmptyFrame:
        return "empty";
      case AudioFrameType::kAudioFrameSpeech:
@@ -1020,7 +1042,7 @@ diff --git a/third_party/libwebrtc/modules/video_coding/codecs/vp8/temporal_laye
 diff --git a/third_party/libwebrtc/video/adaptation/video_stream_encoder_resource_manager.cc b/third_party/libwebrtc/video/adaptation/video_stream_encoder_resource_manager.cc
 --- a/third_party/libwebrtc/video/adaptation/video_stream_encoder_resource_manager.cc
 +++ b/third_party/libwebrtc/video/adaptation/video_stream_encoder_resource_manager.cc
-@@ -58,16 +58,17 @@ bool IsFramerateScalingEnabled(Degradati
+@@ -59,16 +59,17 @@ bool IsFramerateScalingEnabled(Degradati
  std::string ToString(VideoAdaptationReason reason) {
    switch (reason) {
      case VideoAdaptationReason::kQuality:

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="123.0.1"
+VERSION="124.0.1"
 VERSION_SUFFIX=""
-PREV_VERSION="123.0"
+PREV_VERSION="123.0.1"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="652f653a58f0acdc1413e45ab35eae68a95cd1af"
-RELEASE_TIMESTAMP="20240304104836"
+RELEASE_TAG="f0a24d8f29033faf04f6fe98453cdb5c2ac4a96f"
+RELEASE_TIMESTAMP="20240321230221"