- Mozilla Firefox 133.0

https://www.mozilla.org/en-US/firefox/133.0/releasenotes
  MFSA 2024-63 (bsc#1233695)
  * CVE-2024-11691 (bmo#1914707, bmo#1924184)
    Memory corruption in Apple GPU drivers
  * CVE-2024-11700 (bmo#1836921)
    Potential Tapjacking Exploit for Intent Confirmation on Android
  * CVE-2024-11692 (bmo#1909535)
    Select list elements could be shown over another site
  * CVE-2024-11701 (bmo#1914797)
    Misleading Address Bar State During Navigation Interruption
  * CVE-2024-11702 (bmo#1918884)
    Inadequate Clipboard Protection in Private Browsing Mode on
    Android
  * CVE-2024-11693 (bmo#1921458)
    Download Protections were bypassed by .library-ms files on
    Windows
  * CVE-2024-11694 (bmo#1924167)
    CSP Bypass and XSS Exposure via Web Compatibility Shims
  * CVE-2024-11695 (bmo#1925496)
    URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
  * CVE-2024-11703 (bmo#1928779)
    Password access without authentication via PIN bypass on Android
  * CVE-2024-11696 (bmo#1929600)
    Unhandled Exception in Add-on Signature Verification
  * CVE-2024-11697 (bmo#1842187)
    Improper Keypress Handling in Executable File Confirmation Dialog
  * CVE-2024-11704 (bmo#1899402)
    Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
  * CVE-2024-11698 (bmo#1916152)

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1191

MozillaFirefox.changes

@@ -1,3 +1,49 @@
+-------------------------------------------------------------------
+Mon Nov 25 11:00:38 UTC 2024 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 133.0
+  https://www.mozilla.org/en-US/firefox/133.0/releasenotes
+  MFSA 2024-63 (bsc#1233695)
+  * CVE-2024-11691 (bmo#1914707, bmo#1924184)
+    Memory corruption in Apple GPU drivers
+  * CVE-2024-11700 (bmo#1836921)
+    Potential Tapjacking Exploit for Intent Confirmation on Android
+  * CVE-2024-11692 (bmo#1909535)
+    Select list elements could be shown over another site
+  * CVE-2024-11701 (bmo#1914797)
+    Misleading Address Bar State During Navigation Interruption
+  * CVE-2024-11702 (bmo#1918884)
+    Inadequate Clipboard Protection in Private Browsing Mode on
+    Android
+  * CVE-2024-11693 (bmo#1921458)
+    Download Protections were bypassed by .library-ms files on
+    Windows
+  * CVE-2024-11694 (bmo#1924167)
+    CSP Bypass and XSS Exposure via Web Compatibility Shims
+  * CVE-2024-11695 (bmo#1925496)
+    URL Bar Spoofing via Manipulated Punycode and Whitespace Characters
+  * CVE-2024-11703 (bmo#1928779)
+    Password access without authentication via PIN bypass on Android
+  * CVE-2024-11696 (bmo#1929600)
+    Unhandled Exception in Add-on Signature Verification
+  * CVE-2024-11697 (bmo#1842187)
+    Improper Keypress Handling in Executable File Confirmation Dialog
+  * CVE-2024-11704 (bmo#1899402)
+    Potential Double-Free Vulnerability in PKCS#7 Decryption Handling
+  * CVE-2024-11698 (bmo#1916152)
+    Fullscreen Lock-Up When Modal Dialog Interrupts Transition on macOS
+  * CVE-2024-11705 (bmo#1921768)
+    Null Pointer Dereference in NSC_DeriveKey
+  * CVE-2024-11706 (bmo#1923767)
+    Null Pointer Dereference in PKCS#12 Utility
+  * CVE-2024-11708 (bmo#1922912)
+    Data race with PlaybackParams
+  * CVE-2024-11699 (bmo#1880582, bmo#1929911)
+    Memory safety bugs fixed in Firefox 133, Firefox ESR 128.5,
+    and Thunderbird 128.5
+- requires NSS 3.106
+- remove obsolete mozilla-python313.patch
+
 -------------------------------------------------------------------
 Sat Nov 23 17:52:32 UTC 2024 - Dirk Müller <dmueller@suse.com>
 

MozillaFirefox.spec

@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major          132
+%define major          133
-%define mainver        %major.0.2
+%define mainver        %major.0
-%define orig_version   132.0.2
+%define orig_version   133.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@@ -114,7 +114,7 @@ BuildRequires:  libiw-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.35
-BuildRequires:  mozilla-nss-devel >= 3.105
+BuildRequires:  mozilla-nss-devel >= 3.106
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -222,7 +222,6 @@ Patch19:        mozilla-bmo531915.patch
 Patch20:        one_swizzle_to_rule_them_all.patch
 Patch21:        svg-rendering.patch
 Patch24:        mozilla-bmo1746799.patch
-Patch25:        mozilla-python313.patch
 # Firefox/browser
 Patch102:       firefox-branded-icons.patch
 %endif
@@ -725,7 +724,7 @@ exit 0
 %{progdir}/crashreporter
 #%{progdir}/crashreporter.ini
 #%{progdir}/Throbber-small.gif
-%{progdir}/minidump-analyzer
+#%{progdir}/minidump-analyzer
 #%{progdir}/browser/crashreporter-override.ini
 %endif
 %{_datadir}/applications/%{desktop_file_name}.desktop

firefox-132.0.2.source.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:329e1764f4b4e13f11dcf1fd7b3c6d8f80e512e8b7ed5bf65fbe44749c2610e9
-size 570535648

firefox-132.0.2.source.tar.xz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmcxUm8ACgkQ4207E/PZ
-MnT0wRAArmyYe/mq41VRqfNWiImndL87tEhJcdi+6GWvnP0Rj7IYi2Wl5ACxuHbk
-dDNP0J8af/ICqpuKmSLfGHfsA8ANBSXncQ1LR3YByutiDHjQ+iRwwwn9wIGrA7PA
-56QKa7WoexeKQiegkL02f4C8f9RNbfI64CNyUknEpj8VQRcbttpx1NSCcCQBc1OZ
-SqBtXJyvdkZVVXi5VeWID+0jpduKcdMMH/n6mAqre8LQlIvISasPfBYkXa+zNHwd
-WtBVgRelbvoqPJWXLBbiiH0y5Tr5MeJZn+JzW7wszc2XosqG5skf8cUkXBWdx8Gd
-2X0TCd8xxMN5YuAVyOVRT8qn+/6sZebM/6Wwovf8D4hKgf91yxR4aqLpLApuLWc6
-54EJkXGYyZsQyXCi5SmzMAvwuCKiIYVgPFYctMsrw7GXajkznIXqOg/VRDB0YpQg
-ius2QTt44NF6Vp7u+NHyI87QYX4HjmMkziqgdqP72K+Qgx+mta93ebleoIMiHykC
-+IP14/OMjZXbSD6N+fGX64Jog5LnAyV+ld4bk2SzsKJkfXWojhIYe0qdZRFL3fDd
-7ERd/LIWeYOPdRHpKfMqh9b7jqp2I9ssC+JmhECXKNc2tFKKWtbJ5EpbGcgnfaqH
-kcqZNfyeGl228SfHolCzssA5JudW2LsyKOHpRwJ0y6ZHChfSrjQ=
-=POwe
------END PGP SIGNATURE-----

firefox-133.0.source.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:492b2c9a3b6d215e38ce490624e8b2b9473419accdeaddb24ba00bc6adc3cc60
+size 582165112

firefox-133.0.source.tar.xz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmc/e7sACgkQ4207E/PZ
+MnRqQw//TaAudMwOpvyStSBd1C+W0fOFV+aFNMLGdjflWwyPKt3qR59NcChlFivv
+dRx7ag9KKOFeECF661WXodC3l67f/DqxFsvJz6HM2WIE9XWUG3TxDLoSJyRtoiLQ
+MYZY3KrbiwFn+ZgCCp37UbJYlFZ1O7vWyoGaAOUA0sr7Mfizs2DWEzh4+u70RAgM
+EhpSCi2Vm3dPDVGDaLvT62JyS2F100bcdU6Wbae8UP3VarZCAl3J0JH8R9rEaj3R
+qjgCFUHe8i+U/GtTzgsbW7d3/hENj9HX+b9sLEImSqqX9Lo6YRlO09IrWwoHrijr
+MFUI/JgH52YTofB9ucvZfQkvyNEug0oFGhfTcYnyvOtDzE2oIjPVSSCgnkyXWxTm
+r/EKxN0zWTGRGaGBCtkcrsbMXaAxjfd71CkjsmoUdge5/nERBfUN1TGgZQrq/6Dh
+f/edsUiQxSIjTkI40Xt3NhXPQozWm8WSD87pVm2FSQH9k3rEGnUssLCIO4SRgrDL
+Evs5KBtJmasn8o/G4KQK08CzraPuDXEWqd7o8Tjz2fXnEDi6ChkJZyPMjnEFbwOy
+PvaN5YauaqgOKO3Uo408YE+zcTcSEEqiG+sBYOseMo/K1fmIBRhQxpYMU6r8FWiE
+XjfE63U5tk+LJl2RKNqdg4Dw6SBC5T7qfwpQXJfs/rdrImZ+fhE=
+=g/x2
+-----END PGP SIGNATURE-----

l10n-132.0.2.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:101ebdc00d8f913a6cfeabf2dfeb4262307e096f4afde07c942853065729a813
-size 34999896

l10n-133.0.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:767905b231198d4b0cdbc00970cd4de63315bf63fb1d88bf53c844d4e694f8fe
+size 35102084

mozilla-python313.patch

@@ -1,45 +0,0 @@
-Taken from https://hg.mozilla.org/mozilla-central/rev/7a8dbd4de3c70d6a6ac98469a9b92e4877019e0c
-
---- a/python/mozbuild/mozbuild/action/node.py
-+++ b/python/mozbuild/mozbuild/action/node.py
-@@ -1,19 +1,20 @@
- # This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
- 
--import pipes
- import subprocess
- import sys
- 
- import buildconfig
- import six
- 
-+from mozbuild.shellutil import quote as shell_quote
-+
- SCRIPT_ALLOWLIST = [buildconfig.topsrcdir + "/devtools/client/shared/build/build.js"]
- 
- ALLOWLIST_ERROR = """
- %s is not
- in SCRIPT_ALLOWLIST in python/mozbuild/mozbuild/action/node.py.
- Using NodeJS from moz.build is currently in beta, and node
- scripts to be executed need to be added to the allowlist and
- reviewed by a build peer so that we can get a better sense of
-@@ -42,18 +43,17 @@ def execute_node_cmd(node_cmd_list):
- 
-     The node script is expected to output lines for all of the dependencies
-     to stdout, each prefixed by the string "dep:".  These lines will make up
-     the returned set of dependencies.  Any line not so-prefixed will simply be
-     printed to stderr instead.
-     """
- 
-     try:
--        printable_cmd = " ".join(pipes.quote(arg) for arg in node_cmd_list)
--        print('Executing "{}"'.format(printable_cmd), file=sys.stderr)
-+        print('Executing "{}"'.format(shell_quote(*node_cmd_list)), file=sys.stderr)
-         sys.stderr.flush()
- 
-         # We need to redirect stderr to a pipe because
-         # https://github.com/nodejs/node/issues/14752 causes issues with make.
-         proc = subprocess.Popen(
-             node_cmd_list, stdout=subprocess.PIPE, stderr=subprocess.PIPE
-         )

tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="132.0.2"
+VERSION="133.0"
 VERSION_SUFFIX=""
-PREV_VERSION="132.0.1"
+PREV_VERSION="132.0.2"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="60f8744af5044d16783c2c71ca09d27f3932afce"
+RELEASE_TAG="8141aab3ba856d7cbae6c851dd71f2e0cb69649c"
-RELEASE_TIMESTAMP="20241110231641"
+RELEASE_TIMESTAMP="20241121140525"