From aeb0620d417f4cfb8b2fd3e8c89ec99930ba83e83235b9c135e4f5a08459cdb5 Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Fri, 29 Sep 2023 08:31:52 +0000 Subject: [PATCH] - Mozilla Firefox 118.0.1 MFSA 2023-44 (bsc#1215814) * CVE-2023-5217 (bmo#1855550), Heap buffer overflow in libvpx - Mozilla Firefox 118.0 MFSA 2023-41 (bsc#1215575) * CVE-2023-5168 (bmo#1846683) Out-of-bounds write in FilterNodeD2D1 * CVE-2023-5169 (bmo#1846685) Out-of-bounds write in PathOps * CVE-2023-5170 (bmo#1846686) Memory leak from a privileged process * CVE-2023-5171 (bmo#1851599) Use-after-free in Ion Compiler * CVE-2023-5172 (bmo#1852218) Memory Corruption in Ion Hints * CVE-2023-5173 (bmo#1823172) Out-of-bounds write in HTTP Alternate Services * CVE-2023-5174 (bmo#1848454) Double-free in process spawning on Windows * CVE-2023-5175 (bmo#1849704) Use-after-free of ImageBitmap during process shutdown * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 - requires NSS 3.93 - deactivated KDE integration temporarily OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1108 --- MozillaFirefox.changes | 34 +++++++++++++++++++++++++++- MozillaFirefox.spec | 22 +++++++++--------- firefox-117.0.1.source.tar.xz | 3 --- firefox-117.0.1.source.tar.xz.asc | 16 ------------- firefox-118.0.1.source.tar.xz | 3 +++ firefox-118.0.1.source.tar.xz.asc | 16 +++++++++++++ l10n-117.0.1.tar.xz | 3 --- l10n-118.0.1.tar.xz | 3 +++ mozilla-silence-no-return-type.patch | 10 ++++---- tar_stamps | 8 +++---- 10 files changed, 75 insertions(+), 43 deletions(-) delete mode 100644 firefox-117.0.1.source.tar.xz delete mode 100644 firefox-117.0.1.source.tar.xz.asc create mode 100644 firefox-118.0.1.source.tar.xz create mode 100644 firefox-118.0.1.source.tar.xz.asc delete mode 100644 l10n-117.0.1.tar.xz create mode 100644 l10n-118.0.1.tar.xz 
diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index bdb79ef0..56a51076 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,7 +1,39 @@ ------------------------------------------------------------------- -Sat Sep 23 07:29:25 UTC 2023 - Wolfgang Rosenauer +Fri Sep 29 06:50:26 UTC 2023 - Wolfgang Rosenauer +- Mozilla Firefox 118.0.1 + MFSA 2023-44 (bsc#1215814) + * CVE-2023-5217 (bmo#1855550), + Heap buffer overflow in libvpx + +------------------------------------------------------------------- +Mon Sep 25 06:35:49 UTC 2023 - Wolfgang Rosenauer + +- Mozilla Firefox 118.0 + MFSA 2023-41 (bsc#1215575) + * CVE-2023-5168 (bmo#1846683) + Out-of-bounds write in FilterNodeD2D1 + * CVE-2023-5169 (bmo#1846685) + Out-of-bounds write in PathOps + * CVE-2023-5170 (bmo#1846686) + Memory leak from a privileged process + * CVE-2023-5171 (bmo#1851599) + Use-after-free in Ion Compiler + * CVE-2023-5172 (bmo#1852218) + Memory Corruption in Ion Hints + * CVE-2023-5173 (bmo#1823172) + Out-of-bounds write in HTTP Alternate Services + * CVE-2023-5174 (bmo#1848454) + Double-free in process spawning on Windows + * CVE-2023-5175 (bmo#1849704) + Use-after-free of ImageBitmap during process shutdown + * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, + bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) + Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, + and Thunderbird 115.3 +- requires NSS 3.93 - add mozilla-bmo1822730.patch +- deactivated KDE integration temporarily ------------------------------------------------------------------- Tue Sep 12 17:04:01 UTC 2023 - Andreas Stieger diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec index 7315af78..f802ab14 100644 --- a/MozillaFirefox.spec +++ b/MozillaFirefox.spec 
@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major 117
+%define major 118
 %define mainver %major.0.1
-%define orig_version 117.0.1
+%define orig_version 118.0.1
 %define orig_suffix %{nil}
 %define update_channel release
 %define branding 1
@@ -73,7 +73,7 @@ BuildArch: i686
 %define desktop_file_name %{progname}
 %define firefox_appid \{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
 %define __provides_exclude ^lib.*\\.so.*$
-%define __requires_exclude ^(libmoz.*|liblgpllibs.*|libxul.*)$
+%define __requires_exclude ^(libmoz.*|liblgpllibs.*|libxul.*|libgk.*)$
 %define localize 1
 %ifarch %ix86 x86_64
 %define crashreporter 1
@@ -114,7 +114,7 @@ BuildRequires: libiw-devel
 BuildRequires: libproxy-devel
 BuildRequires: makeinfo
 BuildRequires: mozilla-nspr-devel >= 4.35
-BuildRequires: mozilla-nss-devel >= 3.92
+BuildRequires: mozilla-nss-devel >= 3.93
 BuildRequires: nasm >= 2.14
 BuildRequires: nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -209,7 +209,7 @@ Source20: https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig
 Source21: https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/KEY#/mozilla.keyring
 # Gecko/Toolkit
 Patch1: mozilla-nongnome-proxies.patch
-Patch2: mozilla-kde.patch
+#Patch2: mozilla-kde.patch
 Patch3: mozilla-ntlm-full-path.patch
 Patch4: mozilla-aarch64-startup-crash.patch
 Patch5: mozilla-fix-aarch64-libopus.patch
@@ -230,7 +230,7 @@ Patch22: mozilla-partial-revert-1768632.patch
 Patch23: mozilla-rust-disable-future-incompat.patch
 Patch24: mozilla-bmo1822730.patch
 # Firefox/browser
-Patch101: firefox-kde.patch
+#Patch101: firefox-kde.patch
 Patch102: firefox-branded-icons.patch
 %endif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
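Review bot: The new `libgk.*` alternative in `__requires_exclude` (hunk `@@ -73,7 +73,7 @@`) suppresses every auto-generated requirement whose soname starts with `libgk`, not only the library that this release presumably started bundling. A system library matching that prefix would silently drop out of the package's dependencies, which makes a missing or outdated shared library harder to notice. Narrowing the alternative to the exact bundled soname and adding a comment above the define, for example `# libgk*: shipped inside the Firefox tree, not a system dependency` (to be confirmed against the package file list), would keep the exclusion auditable.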
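Review bot: `Patch2` and `Patch101` are switched off by commenting them out with no reason given in the spec, and the same is done to the `kdehelperversion` check in the `@@ -349,11 +349,11 @@` hunk; only the changelog records that the KDE integration is deactivated temporarily. A comment above each commented block, for example `# KDE integration temporarily disabled (see .changes, Mon Sep 25 2023); re-enable Patch2, Patch101 and the kdehelperversion check together`, would stop the three pieces from being restored separately. Whether `kde_helper_version` and any dependency on the KDE helper package are still declared elsewhere in the spec is not visible in these hunks; if they are, they should be gated the same way so the package does not require a helper it no longer uses.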
@@ -349,11 +349,11 @@ sed -i "s|potential_python_binary = f\"python3.{i}\"|potential_python_binary = f export PYTHON3=/usr/bin/python3.9 %endif -kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3) -if test "$kdehelperversion" != %{kde_helper_version}; then - echo fix kde helper version in the .spec file - exit 1 -fi +#kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3) +#if test "$kdehelperversion" != %{kde_helper_version}; then +# echo fix kde helper version in the .spec file +# exit 1 +#fi # When doing only_print_mozconfig, this file isn't necessarily available, so skip it cp %{SOURCE4} .obsenv.sh diff --git a/firefox-117.0.1.source.tar.xz b/firefox-117.0.1.source.tar.xz deleted file mode 100644 index dc38a4d0..00000000 --- a/firefox-117.0.1.source.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:7ea4203b5cf9e59f80043597e2c9020291754fcab784a337586b5f5e1370c416 -size 509601584 diff --git a/firefox-117.0.1.source.tar.xz.asc b/firefox-117.0.1.source.tar.xz.asc deleted file mode 100644 index 85fcd003..00000000 --- a/firefox-117.0.1.source.tar.xz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmT/6zUACgkQ4207E/PZ
-MnQICQ/8CJ26x43i1AZrHfUhvhF1nW+ZA75WNXK3yTn681tc6wYoznWDDMSy8JdR
-bWGzYm1NsJeQcMUkj4qjlXYwigihfh5e6DNkWzd4bLR8HTWmhyb+1EyGx/E86W1M
-n3xU0l67jQA7/ZXNdoVn6O9YVjyLiw4lLByaWe/i9+5S5TwUK9/n+7zibgflYvM3
-/A6syl9OC06MFAQ7CPnUk+OrVz6BXRQKPsInKFFsSCRuzLtUozWIzxgStRija5rG
-75oU3zDmJKyVAx5BJsM94l0e9LnUQKs0oqCuPdu2eHHN5QZzQyGurfMbP1sNMqRd
-OmGuwNI/HgRRAYVLH4b/avEVqd3jpPcK8OyOfdBz4AnorWhNllNNx55/Vmn8jVV5
-lklHoyJRYb845m9Af2iQEnPJEbeOcaO2E6w46TtiqWY+0vw499BlCjXiBEreG3oT
-r883CmqGhsQa35WrYWFGx+Gay7YyTBDu3L8cXme3PQkBWpAPd4V/ykQhzJ0yXBWg
-bKRAhRNH8lVKe3WgXp2xBdfWQefSq8kiWGS1JQV94FKcvP0XPzqEx8Lf5qPdJi+L
-yXHFGBmOAjFeAhwWgkOP+YAjHviwoB0bid7J9hlH3z2+XaXeuQrRMG37gOfz0QZJ
-ca9EXMKcqhM2Nj9HntDGSaVztwkENrx4fv6vlQiWVQPrdyDedQw=
-=nEbC
------END PGP SIGNATURE-----
diff --git a/firefox-118.0.1.source.tar.xz b/firefox-118.0.1.source.tar.xz
new file mode 100644
index 00000000..6f82a232
--- /dev/null
+++ b/firefox-118.0.1.source.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a3f4da56d13605d615a740c739e3504261649d040bc473ae2ed609336d79fd95
+size 516965884
diff --git a/firefox-118.0.1.source.tar.xz.asc b/firefox-118.0.1.source.tar.xz.asc
new file mode 100644
index 00000000..cedb4789
--- /dev/null
+++ b/firefox-118.0.1.source.tar.xz.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmUU6KkACgkQ4207E/PZ +MnSeHA//Z+OBeffry1qQzZnDDd7o6guO0G6Ka8t/jGB2wRzg0DoO2hiOVHLlDkcJ +0cuuASs2HoPcT8T0S3Km2hJgrL9oiMAOUCadCWbfbR3g9BxY8uuJwy82BT9fCMA5 +A4lK7eFN2+t0CQ9ULu9AW9+iFhbpKRPzigD2ITeySCOY1P+I+wRm1lzo0i/cKbdU +A+S01RUzWFIG6F3ZDB3imAtJ4G/0rAgfxqfI1W991rz5JQAhOVmUnCROFKqdzOm6 +7TI51Id+TgLxRSrWVff7aKGMxFTWbuiTNjwT30SwwDMrBMeuvSygE0e3tv/4nVwg +BfmxIN+ka693LBVugSH+qh+JgOYYxr7FITI81AY74U6es9rpa+Nom4uOEpqnD75B +KdIvNTllJUGInMxZ2noE9ztFkXJO/eFmuZYnMBUONo+K3pyNXhaRi/X4VPpWC+VI +etcMJ/gThDNslVndtgT206+AE7s8EWTs+Xy26wxAjCy1/O9TaDxT7WmVX7/P3df9 ++ueztR9EqWMveb23PZyl48l72MnJ/55IjsNnVjs66Hs6ZfjtokYoYTYzSTbu393s +KjkZzU/24D/DtXp9vdfryikyqZTavSdEeZJpW5rSOHxFWHSq8c1T7bRVGYpN3k/i +qwO38UKUeQwR9z6d0suIlniH2FqnzQUmKEPxOldWUsWRoktL47g= +=6aDx +-----END PGP SIGNATURE----- diff --git a/l10n-117.0.1.tar.xz b/l10n-117.0.1.tar.xz deleted file mode 100644 index 53b2b69f..00000000 --- a/l10n-117.0.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e83c4ccd6549bf0e8ba1d13cedc9fc8293423d35e970b5127526d558b7c54c34 -size 30033556 diff --git a/l10n-118.0.1.tar.xz b/l10n-118.0.1.tar.xz new file mode 100644 index 00000000..1f9e753b --- /dev/null +++ b/l10n-118.0.1.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cecf0f23bdcd4ae10575451b34e575b97d957b71f38a180342d416df204202fe +size 30167788 diff --git a/mozilla-silence-no-return-type.patch b/mozilla-silence-no-return-type.patch index 7c5e3dc4..784c166f 100644 --- a/mozilla-silence-no-return-type.patch +++ b/mozilla-silence-no-return-type.patch @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 505c5ac5cad0268fe81c67d39f70cbab3bff616a +# Parent f809af927a59e945c76f51c25b1044fb42748c24 diff --git a/gfx/skia/skia/include/codec/SkEncodedOrigin.h b/gfx/skia/skia/include/codec/SkEncodedOrigin.h --- a/gfx/skia/skia/include/codec/SkEncodedOrigin.h @@ -722,7 +722,7 @@ 
diff --git a/third_party/libwebrtc/modules/audio_processing/agc2/input_volume_st diff --git a/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc b/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc --- a/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc +++ b/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc -@@ -54,16 +54,18 @@ std::vector PreprocessWeights(rtc +@@ -55,16 +55,18 @@ std::vector PreprocessWeights(rtc rtc::FunctionView GetActivationFunction( ActivationFunction activation_function) { switch (activation_function) { @@ -948,12 +948,12 @@ diff --git a/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender_audio.cc b + return ""; } - constexpr char kIncludeCaptureClockOffset[] = - "WebRTC-IncludeCaptureClockOffset"; - } // namespace RTPSenderAudio::RTPSenderAudio(Clock* clock, RTPSender* rtp_sender) + : clock_(clock), + rtp_sender_(rtp_sender), + absolute_capture_time_sender_(clock) { diff --git a/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc b/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc --- a/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc +++ b/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc diff --git a/tar_stamps b/tar_stamps index 7e478a63..dccc9e1f 100644 --- a/tar_stamps +++ b/tar_stamps @@ -1,10 +1,10 @@ PRODUCT="firefox" CHANNEL="release" -VERSION="117.0.1" +VERSION="118.0.1" VERSION_SUFFIX="" -PREV_VERSION="117.0" +PREV_VERSION="118.0" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release" -RELEASE_TAG="e245ca2125a6eb1e2d08cc9e5824f15e1e67a566" -RELEASE_TIMESTAMP="20230912013654" +RELEASE_TAG="68e4c357d26c5a1f075a1ec0c696d4fe684ed881" +RELEASE_TIMESTAMP="20230927232528"