Accepting request 912837 from mozilla:Factory

superseding the 91.0 version as another security and hotfix release - Mozilla Firefox 91.0.1 * Fixed an issue causing buttons on the tab bar to be resized when loading certain websites (bmo#1704404) * Fixed an issue which caused tabs from private windows to be visible in non-private windows when viewing switch-to-tab results in the address bar panel (bmo#1720369) * Various stability fixes MFSA 2021-37 (bsc#1189547) * CVE-2021-29991 (bmo#1724896) Header Splitting possible with HTTP/3 Responses - Mozilla Firefox 91.0 MFSA 2021-33 (bsc#1188891) * CVE-2021-29986 (bmo#1696138) Race condition when resolving DNS names could have led to memory corruption * CVE-2021-29981 (bmo#1707774) Live range splitting could have led to conflicting assignments in the JIT * CVE-2021-29988 (bmo#1717922) Memory corruption as a result of incorrect style treatment * CVE-2021-29983 (bmo#1719088) Firefox for Android could get stuck in fullscreen mode * CVE-2021-29984 (bmo#1720031) Incorrect instruction reordering during JIT optimization * CVE-2021-29980 (bmo#1722204) Uninitialized memory in a canvas object could have led to memory corruption * CVE-2021-29987 (bmo#1716129) Users could have been tricked into accepting unwanted OBS-URL: https://build.opensuse.org/request/show/912837 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/MozillaFirefox?expand=0&rev=342
2021-08-19 08:00:42 +00:00 · 2021-08-19 08:00:42 +00:00 · 8987d4f394
commit 8987d4f394
parent 0de0e1650d 08f2bc94ea
10 changed files with 118 additions and 78 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,3 +1,57 @@
+-------------------------------------------------------------------
+Wed Aug 18 06:34:01 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 91.0.1
+  * Fixed an issue causing buttons on the tab bar to be resized when
+    loading certain websites (bmo#1704404)
+  * Fixed an issue which caused tabs from private windows to be
+    visible in non-private windows when viewing switch-to-tab results
+    in the address bar panel (bmo#1720369)
+  * Various stability fixes
+  MFSA 2021-37 (bsc#1189547)
+  * CVE-2021-29991 (bmo#1724896)
+    Header Splitting possible with HTTP/3 Responses
+
+-------------------------------------------------------------------
+Mon Aug  9 14:55:22 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 91.0
+  MFSA 2021-33 (bsc#1188891)
+  * CVE-2021-29986 (bmo#1696138)
+    Race condition when resolving DNS names could have led to
+    memory corruption
+  * CVE-2021-29981 (bmo#1707774)
+    Live range splitting could have led to conflicting
+    assignments in the JIT
+  * CVE-2021-29988 (bmo#1717922)
+    Memory corruption as a result of incorrect style treatment
+  * CVE-2021-29983 (bmo#1719088)
+    Firefox for Android could get stuck in fullscreen mode
+  * CVE-2021-29984 (bmo#1720031)
+    Incorrect instruction reordering during JIT optimization
+  * CVE-2021-29980 (bmo#1722204)
+    Uninitialized memory in a canvas object could have led to
+    memory corruption
+  * CVE-2021-29987 (bmo#1716129)
+    Users could have been tricked into accepting unwanted
+    permissions on Linux
+  * CVE-2021-29985 (bmo#1722083)
+    Use-after-free media channels
+  * CVE-2021-29982 (bmo#1715318)
+    Single bit data leak due to incorrect JIT optimization and
+    type confusion
+  * CVE-2021-29989 (bmo#1662676, bmo#1666184, bmo#1719178,
+    bmo#1719998, bmo#1720568)
+    Memory safety bugs fixed in Firefox 91 and Firefox ESR 78.13
+  * CVE-2021-29990 (bmo#1544190, bmo#1716481, bmo#1717778,
+    bmo#1719319, bmo#1722073)
+    Memory safety bugs fixed in Firefox 91
+- requires
+  * rustc/cargo >= 1.51
+  * NSPR >= 4.32
+  * NSS >= 3.68
+- force-disable webrender on BE platforms
+
 -------------------------------------------------------------------
 Sat Jul 24 07:15:54 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -32,9 +32,9 @@
 # orig_suffix b3
 # major 69
 # mainver %major.99
-%define major          90
-%define mainver        %major.0.2
-%define orig_version   90.0.2
+%define major          91
+%define mainver        %major.0.1
+%define orig_version   91.0.1
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@ -54,6 +54,9 @@
 # define if ccache should be used or not
 %define useccache     1

+# SLE-12 doesn't have this macro
+%{!?_rpmmacrodir: %global _rpmmacrodir %{_rpmconfigdir}/macros.d}
+
 # Firefox only supports i686
 %ifarch %ix86
 ExclusiveArch:  i586 i686
@ -100,7 +103,15 @@ BuildRequires:  gcc9-c++
 %else
 BuildRequires:  gcc-c++
 %endif
-BuildRequires:  cargo >= 1.47
+%if 0%{?suse_version} < 1550 && 0%{?sle_version} < 150300
+BuildRequires:  cargo >= 1.51
+BuildRequires:  rust >= 1.51
+%else
+# Newer sle/leap/tw use parallel versioned rust releases which have
+# a different method for provides that we can use to request a
+# specific version
+BuildRequires:  rust+cargo >= 1.51
+%endif
 %if 0%{useccache} != 0
 BuildRequires:  ccache
 %endif
@ -110,8 +121,8 @@ BuildRequires:  libidl-devel
 BuildRequires:  libiw-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
-BuildRequires:  mozilla-nspr-devel >= 4.31
-BuildRequires:  mozilla-nss-devel >= 3.66
+BuildRequires:  mozilla-nspr-devel >= 4.32
+BuildRequires:  mozilla-nss-devel >= 3.68
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 10.22.1
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@ -121,7 +132,6 @@ BuildRequires:  python36
 BuildRequires:  python3 >= 3.5
 BuildRequires:  python3-devel
 %endif
-BuildRequires:  rust >= 1.47
 BuildRequires:  rust-cbindgen >= 0.19.0
 BuildRequires:  unzip
 BuildRequires:  update-desktop-files
@ -367,6 +377,12 @@ sed -i "s/python3/python36/g" mach
 export PYTHON3=/usr/bin/python36
 %endif

+# Webrender does not support big endian yet, so we are forcing it off
+# see: https://bugzilla.mozilla.org/show_bug.cgi?id=1716707
+%ifarch s390x ppc64
+echo 'pref("gfx.webrender.force-disabled", true);' >> %{SOURCE9}
+%endif
+
 #
 kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3)
 if test "$kdehelperversion" != %{kde_helper_version}; then
@ -652,11 +668,8 @@ cp %{SOURCE17} %{buildroot}%{_datadir}/gnome-shell/search-providers
 #
 mkdir -p %{buildroot}%{_datadir}/mozilla/extensions/%{firefox_appid}
 mkdir -p %{buildroot}%{_libdir}/mozilla/extensions/%{firefox_appid}
-%if %branding
 # Install symbolic icon for GNOME
-mkdir -p %{buildroot}%{gnome_dir}/share/icons/hicolor/symbolic/apps/
-cp %{_builddir}/%{srcname}-%{orig_version}/browser/branding/official/content/identity-icons-brand.svg \
-   %{buildroot}%{gnome_dir}/share/icons/hicolor/symbolic/apps/%{progname}-symbolic.svg
+%if %branding
 for size in 16 22 24 32 48 64 128 256; do
 %else
 for size in 16 32 48; do
--- a/firefox-90.0.2.source.tar.xz
+++ b/firefox-90.0.2.source.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:35c45dbc21a7bd59e5daa6b3fef7a08c51ff0a1333f47a355bb1cbc840c3ff59
-size 380670372
--- a/firefox-90.0.2.source.tar.xz.asc
+++ b/firefox-90.0.2.source.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmD4mxoACgkQ6+QekPbx
-L20sbhAAsWHM4fg9Bg1SloKaRKFHIsrOXJv2rT/5vpdNtnwglzec4oTktsPmXBLH
-LcjUR7vYYN62XzrkyKWnmq2zq9NVUlP6gLNURx6M9WCeIDznjBpnUiqQFmUjJgBD
-vMaB/Onm6cOq4AThnCcHb25klkbhYHuHrjQur8Gr2fkfsxt3blltn/RvSbL2Z4WQ
-u4HciF5du5kx5nXxZ062lyOyDGsoN2VG/TrhB22k68KxBD3vH+eHq9QVGpH2RhM4
-8CLRuC6TcodRJ4fcIvvX84k4Va27+YL70z3Zn27vg8eK/GAuJ7GFwA+aJyClq4jt
-dKKkWFgJODySCc4iHRv6JHdkHI8UolChUQPPciQnPJ3Q6FvO8XaDpLP+l4Y90pJc
-kvaDddrHE/L2cSqyqGv5YgElNyqYZwtFtj84cQ/d6VpwUu8k8+wl0XPxmliFqz7b
-Jb1oniJ/Yq4ncZ6vj+JvC8QIcWncKI5OvKeKSBH6hSMj1EX2ckJW3BqEkmrwIpi3
-LtY2K1d6CLHrVzhBoDTcyjBbee7DY2RFbRZfbI7/QfqcEzW3TVa10b/fWjvKkWLW
-a+vvW3swN0vzlQPESTRsWaMT1jzU8UgFt7XuukXJam+QrkZ3er0GjUQEn++5HZpS
-mF/C/17CMP0vGKFXyhuNYfT+Ivq0EJ9t/4Y7mV7M8GBLGOAm6Qk=
-=89GF
-----END PGP SIGNATURE-----
--- a/firefox-91.0.1.source.tar.xz
+++ b/firefox-91.0.1.source.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b95854ec9cb3e4409e5a1cf203c2b228146c6e3f9f3240d304cecec6b256f962
+size 389052264
--- a/firefox-91.0.1.source.tar.xz.asc
+++ b/firefox-91.0.1.source.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEQ2D+IQnEl2MYb44h6+QekPbxL20FAmEarIwACgkQ6+QekPbx
+L22+/w/+OxM6mlW3I9ZHXEzVMyP+6SirZDm0AQdVj4VXsNcJfqUI1BCLhunq5J02
+T/nEeZlIQEiZd7WOc05Vv0AKRSs+AWbx66KIGM7N34c9lOJisJ74oIIGlbv7cHG1
+MqE+DS5WrzsO6QFzZMp/zpq9k4HSibOjSM4Vm50uqLiaQSmZoc4j2G1JBhKZqhdG
+/vAFFdQ87A+Sk4V0TOMgalqFP3WTdcmhCBAL/L8j8asChIsMY1WPxd9In32z4HTO
+NZ5zqWZUjSl5LqjzwT50ISLspE1PQTx+IdlTWrlMAkyvZt7waVIwv4fxSDaiwukf
+GdNgdAVseiOHbEkxfwzkPtOqRItYVqnCcgUXa17s70OmjuInRXZyd9+SdDlkxUok
+UDDxEKnyPjZnXFCEHwgKm0CDoR9hfDQfYRxqC29vd94gLU4mgoevnoeSogIeiA9W
+5LwQTO0XoAATji5Z9V2rhg1SVDHK4ZGeKo6ZRRGhGFdHrUkWZRMoxvvG74fEiUmG
+tN758R3P9of0mXFgP6j4hRnZ5gseg6uf6sZGrrk7dsY5C96whFhl29ON0bnqTnIk
+4XxaSTIVhNRRn120j3B2Fi7+hvg3Z1tnHt9R9K43ZO9kQkEUKiW6teSXi2q9ncVU
+rcN5Jjn/liAaMoHl9qLzCptYvv9B1oZIQBXzO13XpOVphxNCzjw=
+=IFs4
+-----END PGP SIGNATURE-----
--- a/l10n-90.0.2.tar.xz
+++ b/l10n-90.0.2.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f84e59fe121846f3e2d5a2249417a2619d773d3cf58f4296284c8e3ea2aeef43
-size 51649404
--- a/l10n-91.0.1.tar.xz
+++ b/l10n-91.0.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:51fc69a958d5f792b3d0ef94d4f9da9313685df94597eb21a0fb58e15eb9e64b
+size 51031676
--- a/mozilla-reduce-rust-debuginfo.patch
+++ b/mozilla-reduce-rust-debuginfo.patch
@ -1,54 +1,28 @@
-# HG changeset patch
-# User msirringhaus@suse.de
-# Date 1560754926 -7200
-#      Mon Jun 17 09:02:06 2019 +0200
-# Node ID 428161c3b9599083e1b8710eda1760f1f707ab11
-# Parent  d55730171edb1935dec80234eba336787ff0e4e8
-#Description: reduce the rust debuginfo level on selected architectures where
-# compiling with debuginfo=2 causes the OOM killer to interrupt the build on
-# launchpad builders. Initially this was only on 32 bit architectures, but with
-# firefox 63 it started happening frequently on arm64 and ppc64el too.
-
 diff --git a/build/moz.configure/rust.configure b/build/moz.configure/rust.configure
 --- a/build/moz.configure/rust.configure
 +++ b/build/moz.configure/rust.configure
-@@ -603,18 +603,19 @@ set_config("CARGO_PROFILE_DEV_OPT_LEVEL"
- 
- 
- @depends(
-     rustc_opt_level,
-     debug_rust,
-     target,
-     "--enable-debug-symbols",
+@@ -610,6 +610,7 @@ set_config("CARGO_PROFILE_DEV_OPT_LEVEL"
     "--enable-frame-pointers",
-+    host,
+     path_remapping,
+     path_remappings,
+    host
 )
-def rust_compile_flags(opt_level, debug_rust, target, debug_symbols, frame_pointers):
-+def rust_compile_flags(opt_level, debug_rust, target, debug_symbols, frame_pointers, host):
+ def rust_compile_flags(
+     opt_level,
+@@ -619,6 +620,7 @@ def rust_compile_flags(
+     frame_pointers,
+     path_remapping,
+     path_remappings,
+    host
+ ):
     # Cargo currently supports only two interesting profiles for building:
     # development and release. Those map (roughly) to --enable-debug and
-     # --disable-debug in Gecko, respectively.
-     #
-     # But we'd also like to support an additional axis of control for
-     # optimization level. Since Cargo only supports 2 profiles, we're in
-     # a bit of a bind.
-     #
-@@ -627,16 +628,18 @@ def rust_compile_flags(opt_level, debug_
- 
-     # opt-level=0 implies -C debug-assertions, which may not be desired
-     # unless Rust debugging is enabled.
-     if opt_level == "0" and not debug_rust:
-         debug_assertions = False
+@@ -642,6 +644,8 @@ def rust_compile_flags(
 
     if debug_symbols:
         debug_info = "2"
-+        if host.bitness == 32 or host.cpu == 'aarch64' or host.cpu == 'ppc64':
+        if host.bitness == 32 or host.cpu == 'aarch64' or host.cpu == 'ppc64' or host.cpu == 's390x':
 +            debug_info = '1'
 
     opts = []
 
-     if debug_assertions is not None:
-         opts.append("debug-assertions=%s" % ("yes" if debug_assertions else "no"))
-     if debug_info is not None:
-         opts.append("debuginfo=%s" % debug_info)
-     if frame_pointers:
--- a/9
+++ b/9
@ -1,11 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="90.0.2"
+VERSION="91.0.1"
 VERSION_SUFFIX=""
-PREV_VERSION="90.0.1"
+PREV_VERSION="91.0"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
-
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="cda19fb46018c9cb8dc5e6127ebb2cfd04aa9be4"
-RELEASE_TIMESTAMP="20210721174149"
+RELEASE_TAG="7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5"
+RELEASE_TIMESTAMP="20210816143654"