- update to Firefox 52.1.0esr (boo#1035082)

MFSA 2017-12
  * CVE-2017-5443 (bmo#1342661)
    Out-of-bounds write during BinHex decoding
  * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
     bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
    Firefox ESR 52.1
  * CVE-2017-5464 (bmo#1347075)
    Memory corruption with accessibility and DOM manipulation
  * CVE-2017-5465 (bmo#1347617)
    Out-of-bounds read in ConvolvePixel
  * CVE-2017-5466 (bmo#1353975)
    Origin confusion when reloading isolated data:text/html URL
  * CVE-2017-5467 (bmo#1347262)
    Memory corruption when drawing Skia content
  * CVE-2017-5460 (bmo#1343642)
    Use-after-free in frame selection
  * CVE-2017-5461 (bmo#1344380)
    Out-of-bounds write in Base64 encoding in NSS
  * CVE-2017-5448 (bmo#1346648)
    Out-of-bounds write in ClearKeyDecryptor
  * CVE-2017-5449 (bmo#1340127)
    Crash during bidirectional unicode manipulation with animation
  * CVE-2017-5446 (bmo#1343505)
    Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
  * CVE-2017-5447 (bmo#1343552)
    Out-of-bounds read during glyph processing
  * CVE-2017-5444 (bmo#1344461)
    Buffer overflow while parsing application/http-index-format content

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=583

MozillaFirefox.changes

@@ -1,4 +1,94 @@
 -------------------------------------------------------------------
+Wed Apr 12 21:43:16 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 52.1.0esr (boo#1035082)
+  MFSA 2017-12
+  * CVE-2017-5443 (bmo#1342661)
+    Out-of-bounds write during BinHex decoding
+  * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894,
+     bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088)
+    Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and
+    Firefox ESR 52.1
+  * CVE-2017-5464 (bmo#1347075)
+    Memory corruption with accessibility and DOM manipulation
+  * CVE-2017-5465 (bmo#1347617)
+    Out-of-bounds read in ConvolvePixel
+  * CVE-2017-5466 (bmo#1353975)
+    Origin confusion when reloading isolated data:text/html URL
+  * CVE-2017-5467 (bmo#1347262)
+    Memory corruption when drawing Skia content
+  * CVE-2017-5460 (bmo#1343642)
+    Use-after-free in frame selection
+  * CVE-2017-5461 (bmo#1344380)
+    Out-of-bounds write in Base64 encoding in NSS
+  * CVE-2017-5448 (bmo#1346648)
+    Out-of-bounds write in ClearKeyDecryptor
+  * CVE-2017-5449 (bmo#1340127)
+    Crash during bidirectional unicode manipulation with animation
+  * CVE-2017-5446 (bmo#1343505)
+    Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
+  * CVE-2017-5447 (bmo#1343552)
+    Out-of-bounds read during glyph processing
+  * CVE-2017-5444 (bmo#1344461)
+    Buffer overflow while parsing application/http-index-format content
+  * CVE-2017-5445 (bmo#1344467)
+    Uninitialized values used while parsing application/http-index-format
+    content
+  * CVE-2017-5442 (bmo#1347979)
+    Use-after-free during style changes
+  * CVE-2017-5469 (bmo#1292534)
+    Potential Buffer overflow in flex-generated code
+  * CVE-2017-5440 (bmo#1336832)
+    Use-after-free in txExecutionState destructor during XSLT processing
+  * CVE-2017-5441 (bmo#1343795)
+    Use-after-free with selection during scroll events
+  * CVE-2017-5439 (bmo#1336830)
+    Use-after-free in nsTArray Length() during XSLT processing
+  * CVE-2017-5438 (bmo#1336828)
+    Use-after-free in nsAutoPtr during XSLT processing
+  * CVE-2017-5437 (bmo#1343453)
+    Vulnerabilities in Libevent library
+  * CVE-2017-5436 (bmo#1345461)
+    Out-of-bounds write with malicious font in Graphite 2
+  * CVE-2017-5435 (bmo#1350683)
+    Use-after-free during transaction processing in the editor
+  * CVE-2017-5434 (bmo#1349946)
+    Use-after-free during focus handling
+  * CVE-2017-5433 (bmo#1347168)
+    Use-after-free in SMIL animation functions
+  * CVE-2017-5432 (bmo#1346654)
+    Use-after-free in text input selection
+  * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482,
+     bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, bmo#1346140,
+     bmo#1346419, bmo#1348143, bmo#1349621, bmo#1349719, bmo#1353476)
+    Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1
+  * CVE-2017-5459 (bmo#1333858)
+    Buffer overflow in WebGL
+  * CVE-2017-5462 (bmo#1345089)
+    DRBG flaw in NSS
+  * CVE-2017-5455 (bmo#1341191)
+    Sandbox escape through internal feed reader APIs
+  * CVE-2017-5454 (bmo#1349276)
+    Sandbox escape allowing file system read access through file
+    picker
+  * CVE-2017-5456 (bmo#1344415)
+    Sandbox escape allowing local file system access
+  * CVE-2017-5451 (bmo#1273537)
+    Addressbar spoofing with onblur event
+- requires NSS 3.28.4
+- rebased patches
+
+-------------------------------------------------------------------
+Mon Apr  3 06:28:34 UTC 2017 - wr@rosenauer.org
+
+- switch package to use ESR52 branch
+  * enables plugin support by default
+  * service workers are disabled by default
+  * push notifications are disabled by default
+  * WebAssembly (wasm) is disabled
+  * Less use of multiprocess architecture Electrolysis (e10s)
+
++-------------------------------------------------------------------
 Mon Apr  3 06:16:26 UTC 2017 - wr@rosenauer.org
 
 - update to Firefox 52.0.2

MozillaFirefox.spec

@@ -19,9 +19,9 @@
 
 # changed with every update
 %define major 52
-%define mainver %major.0.2
-%define update_channel release
-%define releasedate 20170324000000
+%define mainver %major.1.0
+%define update_channel esr52
+%define releasedate 20170413000000
 
 # PIE, full relro (x86_64 for now)
 %define build_hardened 1
@@ -82,7 +82,7 @@ BuildRequires:  libnotify-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.13.1
-BuildRequires:  mozilla-nss-devel >= 3.28.3
+BuildRequires:  mozilla-nss-devel >= 3.28.4
 BuildRequires:  nss-shared-helper-devel
 BuildRequires:  python-devel
 BuildRequires:  startup-notification-devel

compare-locales.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:47a67f091ed6167646536b7532002d2d2e1a0b7e9abb7403efb8e0097c6b7450
-size 28392
+oid sha256:5be68698db7c554bdfdbcd64bb49468f6a4239ac9cceddfb6e2df3047b4bad31
+size 28360

create-tar.sh

@@ -5,10 +5,10 @@
 # "moz_source_stamp": "c1de04f39fa956cfce83f6065b0e709369215ed5"
 # http://ftp.mozilla.org/pub/firefox/candidates/48.0-candidates/build2/l10n_changesets.txt
 
-CHANNEL="release"
+CHANNEL="esr52"
 BRANCH="releases/mozilla-$CHANNEL"
-RELEASE_TAG="FIREFOX_52_0_2_RELEASE"
-VERSION="52.0.2"
+RELEASE_TAG="3ea0e075203185d7f2d42f439455e97735bd1b20"
+VERSION="52.1.0"
 
 # mozilla
 if [ -d mozilla ]; then
@@ -54,7 +54,7 @@ for locale in $(awk '{ print $1; }' mozilla/browser/locales/shipped-locales); do
       echo "reading changeset information for $locale"
       _changeset=$(grep ^$locale l10n_changesets.txt | awk '{ print $2; }')
       echo "fetching $locale changeset $_changeset ..."
-      hg clone http://hg.mozilla.org/releases/l10n/mozilla-$CHANNEL/$locale l10n/$locale
+      hg clone http://hg.mozilla.org/releases/l10n/mozilla-release/$locale l10n/$locale
       [ "$RELEASE_TAG" == "default" ] || hg -R l10n/$locale up -C -r $_changeset
       ;;
   esac

firefox-52.0.2-source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:588891ce97cd4e8999c2d436247e11d854b32afb0ccc7a01bee6a45ba6abe68e
-size 222520096

firefox-52.1.0-source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:79a8b253bc37c54f0e98c384cbcbc2123e17452d987d4b9824de2ec867357b17
+size 223223316

l10n-52.0.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3bdb01f7490f3a9f7ddfcb3fd6960f1c9788e01cde4f8ac0d06181105862ca24
-size 45022808

l10n-52.1.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:44f49d7171d54d98cb65eeb21c4669cf832faa1f125ca4ada17ed8d1e799f9ad
+size 45022468

mozilla-kde.patch

@@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  5c8ae59424f5318bf7a387257771bf95d3893063
+# Parent  5f1979729aa3c6bc50f7097202991e73be677e5e
 Description: Add KDE integration to Firefox (toolkit parts)
 Author: Wolfgang Rosenauer <wolfgang@rosenauer.org>
 Author: Lubos Lunak <lunak@suse.com>
@@ -276,7 +276,7 @@ diff --git a/toolkit/components/downloads/nsDownloadManager.cpp b/toolkit/compon
 diff --git a/toolkit/content/jar.mn b/toolkit/content/jar.mn
 --- a/toolkit/content/jar.mn
 +++ b/toolkit/content/jar.mn
-@@ -71,29 +71,33 @@ toolkit.jar:
+@@ -70,29 +70,33 @@ toolkit.jar:
     content/global/bindings/button.xml          (widgets/button.xml)
     content/global/bindings/checkbox.xml        (widgets/checkbox.xml)
     content/global/bindings/colorpicker.xml     (widgets/colorpicker.xml)
@@ -310,18 +310,6 @@ diff --git a/toolkit/content/jar.mn b/toolkit/content/jar.mn
     content/global/bindings/scale.xml           (widgets/scale.xml)
     content/global/bindings/scrollbar.xml       (widgets/scrollbar.xml)
     content/global/bindings/scrollbox.xml       (widgets/scrollbox.xml)
-@@ -113,9 +117,9 @@ toolkit.jar:
-    content/global/bindings/videocontrols.css   (widgets/videocontrols.css)
- *  content/global/bindings/wizard.xml          (widgets/wizard.xml)
- #ifdef XP_MACOSX
-    content/global/macWindowMenu.js
- #endif
-    content/global/svg/svgBindings.xml          (/layout/svg/resources/content/svgBindings.xml)
-    content/global/gmp-sources/eme-adobe.json   (gmp-sources/eme-adobe.json)
-    content/global/gmp-sources/openh264.json    (gmp-sources/openh264.json)
--   content/global/gmp-sources/widevinecdm.json (gmp-sources/widevinecdm.json)
-\ No newline at end of file
-+   content/global/gmp-sources/widevinecdm.json (gmp-sources/widevinecdm.json)
 diff --git a/toolkit/content/widgets/dialog-kde.xml b/toolkit/content/widgets/dialog-kde.xml
 new file mode 100644
 --- /dev/null

source-stamp.txt

@@ -1,2 +1,2 @@
-REV=e81854d6ce91
-REPO=http://hg.mozilla.org/releases/mozilla-release
+REV=3ea0e0752031
+REPO=http://hg.mozilla.org/releases/mozilla-esr52