Accepting request 1295686 from mozilla:Factory

- Mozilla Firefox 141.0 * https://www.mozilla.org/en-US/firefox/141.0/releasenotes/ MFSA 2025-56 (bsc#1246664) * CVE-2025-8027 (bmo#1968423) JavaScript engine only wrote partial return value to stack * CVE-2025-8028 (bmo#1971581) Large branch table could lead to truncated instruction * CVE-2025-8041 (bmo#1670725) Incorrect URL truncation in Firefox for Android * CVE-2025-8042 (bmo#1791322) Sandboxed iframe could start downloads * CVE-2025-8029 (bmo#1928021) javascript: URLs executed on object and embed tags * CVE-2025-8036 (bmo#1960834) DNS rebinding circumvents CORS * CVE-2025-8037 (bmo#1964767) Nameless cookies shadow secure cookies * CVE-2025-8030 (bmo#1968414) Potential user-assisted code execution in “Copy as cURL” command * CVE-2025-8043 (bmo#1970209) Incorrect URL truncation * CVE-2025-8031 (bmo#1971719) Incorrect URL stripping in CSP reports * CVE-2025-8032 (bmo#1974407) XSLT documents could bypass CSP * CVE-2025-8038 (bmo#1808979) CSP frame-src was not correctly enforced for paths * CVE-2025-8039 (bmo#1970997) Search terms persisted in URL bar * CVE-2025-8033 (bmo#1973990) OBS-URL: https://build.opensuse.org/request/show/1295686 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=461
2025-07-26 11:39:47 +00:00
parent 331649180e 907f9ebbb3
commit 493f603b75
10 changed files with 89 additions and 40 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Sun Jul 20 06:23:40 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 141.0
+  * https://www.mozilla.org/en-US/firefox/141.0/releasenotes/
+  MFSA 2025-56 (bsc#1246664)
+  * CVE-2025-8027 (bmo#1968423)
+    JavaScript engine only wrote partial return value to stack
+  * CVE-2025-8028 (bmo#1971581)
+    Large branch table could lead to truncated instruction
+  * CVE-2025-8041 (bmo#1670725)
+    Incorrect URL truncation in Firefox for Android
+  * CVE-2025-8042 (bmo#1791322)
+    Sandboxed iframe could start downloads
+  * CVE-2025-8029 (bmo#1928021)
+    javascript: URLs executed on object and embed tags
+  * CVE-2025-8036 (bmo#1960834)
+    DNS rebinding circumvents CORS
+  * CVE-2025-8037 (bmo#1964767)
+    Nameless cookies shadow secure cookies
+  * CVE-2025-8030 (bmo#1968414)
+    Potential user-assisted code execution in “Copy as cURL” command
+  * CVE-2025-8043 (bmo#1970209)
+    Incorrect URL truncation
+  * CVE-2025-8031 (bmo#1971719)
+    Incorrect URL stripping in CSP reports
+  * CVE-2025-8032 (bmo#1974407)
+    XSLT documents could bypass CSP
+  * CVE-2025-8038 (bmo#1808979)
+    CSP frame-src was not correctly enforced for paths
+  * CVE-2025-8039 (bmo#1970997)
+    Search terms persisted in URL bar
+  * CVE-2025-8033 (bmo#1973990)
+    Incorrect JavaScript state machine for generators
+  * CVE-2025-8044 (bmo#1933572, bmo#1971116)
+    Memory safety bugs fixed in Firefox 141 and Thunderbird 141
+  * CVE-2025-8034 (bmo#1970422, bmo#1970422, bmo#1970422, bmo#1970422)
+    Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR
+    128.13, Thunderbird ESR 128.13, Firefox ESR 140.1,
+    Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141
+  * CVE-2025-8040 (bmo#1975058, bmo#1975058, bmo#1975998, bmo#1975998)
+    Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird
+    ESR 140.1, Firefox 141 and Thunderbird 141
+  * CVE-2025-8035 (bmo#1975961, bmo#1975961, bmo#1975961)
+    Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird
+    ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox
+    141 and Thunderbird 141
+- requires NSS 3.113
+
 -------------------------------------------------------------------
 Sun Jun 29 07:33:44 UTC 2025 - Wolfgang Rosenauer <wr@rosenauer.org>

--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major          140
-%define mainver        %major.0.2
-%define orig_version   140.0.2
+%define major          141
+%define mainver        %major.0
+%define orig_version   141.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@@ -114,7 +114,7 @@ BuildRequires:  libiw-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.36
-BuildRequires:  mozilla-nss-devel >= 3.112
+BuildRequires:  mozilla-nss-devel >= 3.113
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
--- a/firefox-140.0.2.source.tar.xz
+++ b/firefox-140.0.2.source.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:70ae55a840f5d5656a74e224607af3748d2187f880d129e28afe64433c8a5c03
-size 639762328
--- a/firefox-140.0.2.source.tar.xz.asc
+++ b/firefox-140.0.2.source.tar.xz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEECb7tY/NGKi3/qzuHXstkl8GiAlYFAmheoCoACgkQXstkl8Gi
-AlaRUw//Qu/eGTX3Vh46+62OKlLUr9yuwbBbhiiGFsHN3OY1oZEvRqHrg4Vaqrz8
-1bCX4UU3Z2zb9hzSYJb6Yt3J6Cw3u00HPDGe0vJNxSJlGmce/V3VB649GW/+V/RK
-QxkDD0Nt583+h3frki0ssionBz5SxO4IktE6HpoVcVQ840lX7lCtr495FGoUFSqI
-muQmPsr1iLQveYYSR7P9Eoth7aqEWWTMA6ZhswKAA7Kxv/Z1Zw/cb/tJFHCdxv8u
-h3Tl+fVxntfVRZwjZ3LVpYIAL2k/u5OpGYPnupzkG1xy3WM1qbqCvVpwR13bQKi+
-UrumhU3BERtumSerTlJ/lfrroQpaWQeEvIRs7N6ye+bGVCobFwJU40b4Mvy+bi2o
-UVh26UdoXw4wDTprhYggIfBz3RJmXoS2E8rSbd1F/RfbcILoRvKON/MTRCMiVkhp
-gtWrx+T+PU196HLheJHI7JiLwcPGfGwKd1d762jjAGRZwClovkh3yaug2ck1V74U
-fBS6yeQvpQNOFQHw9fYmTK50zL0Vkv1MQR5JmL562X0mz5riJt1ggAyb1bCVk+2f
-Sh0F9LojSFMpA8HKUpPqd4muB5ZRP+n95MseietMA9HqR8IBhTKDr2qk5B4Ky3jV
-RJgjXplY4s0ibwut3k/15YyCWJO2gBPrnNxTNsaGCv1smHcUaHo=
-=cxSq
-----END PGP SIGNATURE-----
--- a/firefox-141.0.source.tar.xz
+++ b/firefox-141.0.source.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:80982a84bb7ca41a67ac073321de96f74e0c25f296d19ca432b11fc2a33535c8
+size 640751136
--- a/firefox-141.0.source.tar.xz.asc
+++ b/firefox-141.0.source.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEECb7tY/NGKi3/qzuHXstkl8GiAlYFAmh5UfEACgkQXstkl8Gi
+AlbV6A/+JPOR3wn5Qc6Y+NZJQO1R5PO/Un98yxqAuK4Gx0CGoYET1i34gPW56jVZ
+4FnuzYonhVJfotAimEz7EWwIOl5KyssWwc9skMrNjKFGPP9y0zYqbKnVo5eUsZFW
+NjyXOiUt8h61I1YiTPYghEHSda+KNZWh/vO8WdqLnQ5ViIUKAgEbCrpyfzk4j69f
+gRKLnZClbEIxgrc1DsN10jvzT517nlsGX8Kz4Pq3MgBnqjnMFeH8ShkTQMS41ifi
+OxLu2OV2MxXutGUwoQv4TomkFK8g+qzHWF0gDkdYHyYQRnq7c1BmXZQvdNi36IYb
+HA5XdW+8yei5llmf0qqRELC6sSbJMqLMX5nXjd320g/h1dv4b3Sm/WLqtbY476uF
+IB16Y1OfSVuqerJi6ZQC0SbNv+KXy7RiT0ldmYChJJ33okfGGpmbh/370B1pcKhk
+JGb003LlNaClPNwIo4gdDr682bvCOAaCb1l4VyTvFWnU5Loiljl9GMTla2JCjjzL
+I2OJJudTVF4sVVKvdOVh3o6oqfAJa6xmczL7Fs97TmQp9QVF2W42sZxbDhEdIuNa
+dGE93uZmnBuX0DWh7cJa5i+IHzvPjrMepKgRam6WEr8+MD76mDNx0IkNtmUv599m
+iBNH6p1dCOTX3PVUleqgeHUxLoBfRbUS5/J2GhVnMSrqx2c1thg=
+=xWIL
+-----END PGP SIGNATURE-----
--- a/l10n-140.0.2.tar.xz
+++ b/l10n-140.0.2.tar.xz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fabe3ab53ebd9301441cac4a9e074c342addae82d820788aa38b181d8f901987
-size 37721796
--- a/l10n-141.0.tar.xz
+++ b/l10n-141.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:368365388ffd3e0df0ba01a1ce204f352cbb56a4e84169b74c9673e6e5cc40b0
+size 38256992
--- a/mozilla-silence-no-return-type.patch
+++ b/mozilla-silence-no-return-type.patch
@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  4fbe42370941f5652d0735686debee5f4b0d6e0e
+# Parent  df83073d2834936ee6a66cdb875fca6f63767297

 diff --git a/gfx/skia/skia/include/codec/SkEncodedOrigin.h b/gfx/skia/skia/include/codec/SkEncodedOrigin.h
 --- a/gfx/skia/skia/include/codec/SkEncodedOrigin.h
@@ -406,7 +406,7 @@ diff --git a/third_party/libwebrtc/api/video/video_frame_buffer.cc b/third_party
 diff --git a/third_party/libwebrtc/api/video_codecs/video_codec.cc b/third_party/libwebrtc/api/video_codecs/video_codec.cc
 --- a/third_party/libwebrtc/api/video_codecs/video_codec.cc
 +++ b/third_party/libwebrtc/api/video_codecs/video_codec.cc
-@@ -161,16 +161,17 @@ const char* CodecTypeToPayloadString(Vid
+@@ -153,16 +153,17 @@ const char* CodecTypeToPayloadString(Vid
     case kVideoCodecH264:
       return kPayloadNameH264;
     case kVideoCodecGeneric:
@@ -466,7 +466,7 @@ diff --git a/third_party/libwebrtc/api/video_codecs/video_encoder_software_fallb
 diff --git a/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc b/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc
 --- a/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc
 +++ b/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc
-@@ -163,16 +163,17 @@ const char* Adaptation::StatusToString(A
+@@ -172,16 +172,17 @@ const char* Adaptation::StatusToString(A
     case Status::kInsufficientInput:
       return "kInsufficientInput";
     case Status::kAdaptationDisabled:
@@ -484,7 +484,7 @@ diff --git a/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc b/thi
                        VideoStreamInputState input_state)
     : validation_id_(validation_id),
       status_(Status::kValid),
-@@ -385,16 +386,17 @@ VideoStreamAdapter::RestrictionsOrState 
+@@ -394,16 +395,17 @@ VideoStreamAdapter::RestrictionsOrState 
     case DegradationPreference::MAINTAIN_RESOLUTION: {
       // Scale up framerate.
       return IncreaseFramerate(input_state, current_restrictions_);
@@ -502,7 +502,7 @@ diff --git a/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc b/thi
   ++adaptation_validation_id_;
   RestrictionsOrState restrictions_or_state =
       GetAdaptationDownStep(input_state, current_restrictions_);
-@@ -467,16 +469,17 @@ VideoStreamAdapter::GetAdaptationDownSte
+@@ -474,16 +476,17 @@ VideoStreamAdapter::GetAdaptationDownSte
     }
     case DegradationPreference::MAINTAIN_RESOLUTION: {
       return DecreaseFramerate(input_state, current_restrictions);
@@ -520,7 +520,7 @@ diff --git a/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc b/thi
   int target_pixels =
       GetLowerResolutionThan(input_state.frame_size_pixels().value());
   // Use single active stream if set, this stream could be lower than the input.
-@@ -620,16 +623,18 @@ Adaptation VideoStreamAdapter::GetAdaptD
+@@ -627,16 +630,18 @@ Adaptation VideoStreamAdapter::GetAdaptD
     case DegradationPreference::MAINTAIN_FRAMERATE:
       return GetAdaptationDown();
     case DegradationPreference::BALANCED: {
@@ -538,11 +538,11 @@ diff --git a/third_party/libwebrtc/call/adaptation/video_stream_adapter.cc b/thi
     const VideoStreamInputState& input_state) const {
   // Adapt twice if the first adaptation did not decrease resolution.
   auto first_step = GetAdaptationDownStep(input_state, current_restrictions_);
-   if (!absl::holds_alternative<RestrictionsWithCounters>(first_step)) {
+   if (!std::holds_alternative<RestrictionsWithCounters>(first_step)) {
 diff --git a/third_party/libwebrtc/call/rtp_payload_params.cc b/third_party/libwebrtc/call/rtp_payload_params.cc
 --- a/third_party/libwebrtc/call/rtp_payload_params.cc
 +++ b/third_party/libwebrtc/call/rtp_payload_params.cc
-@@ -426,17 +426,18 @@ std::optional<FrameDependencyStructure> 
+@@ -425,17 +425,18 @@ std::optional<FrameDependencyStructure> 
     case VideoCodecType::kVideoCodecH264:
       return MinimalisticStructure(
           /*num_spatial_layers=*/1,
@@ -646,7 +646,7 @@ diff --git a/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.
 --- a/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc
 +++ b/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc
@@ -55,16 +55,18 @@ std::vector<float> PreprocessWeights(rtc
- rtc::FunctionView<float(float)> GetActivationFunction(
+ FunctionView<float(float)> GetActivationFunction(
     ActivationFunction activation_function) {
   switch (activation_function) {
     case ActivationFunction::kTansigApproximated:
@@ -903,7 +903,7 @@ diff --git a/third_party/libwebrtc/modules/video_coding/h26x_packet_buffer.cc b/
 
 bool HasSps(const H26xPacketBuffer::Packet& packet) {
   auto& h264_header =
-       absl::get<RTPVideoHeaderH264>(packet.video_header.video_type_header);
+       std::get<RTPVideoHeaderH264>(packet.video_header.video_type_header);
   return absl::c_any_of(h264_header.nalus, [](const auto& nalu_info) {
     return nalu_info.type == H264::NaluType::kSps;
   });
--- a/8
+++ b/8
@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="140.0.2"
+VERSION="141.0"
 VERSION_SUFFIX=""
-PREV_VERSION="140.0"
+PREV_VERSION="140.0.4"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="b27c61d0860f58ea4ebe4ccfa187f8e0b8e6ee8c"
-RELEASE_TIMESTAMP="20250627085530"
+RELEASE_TAG="985915ed555fa507cbb70d1d1d6df88cdec1f581"
+RELEASE_TIMESTAMP="20250717180000"