From 5b06ba2de64a2d74d320e9a0b401777fa0c893875a30e52c971120332878ddd3 Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Tue, 21 May 2024 08:22:00 +0000 Subject: [PATCH] - Mozilla Firefox 126.0 https://www.mozilla.org/en-US/firefox/126.0/releasenotes MFSA 2024-21 (bsc#1224056) * CVE-2024-4764 (bmo#1879093) Use-after-free when audio input connected with multiple consumers * CVE-2024-4367 (bmo#1893645) Arbitrary JavaScript execution in PDF.js * CVE-2024-4765 (bmo#1871109) Web application manifests could have been overwritten via hash collision * CVE-2024-4766 (bmo#1871214, bmo#1871217) Fullscreen notification could have been obscured on Firefox for Android * CVE-2024-4767 (bmo#1878577) IndexedDB files retained in private browsing mode * CVE-2024-4768 (bmo#1886082) Potential permissions request bypass via clickjacking * CVE-2024-4769 (bmo#1886108) Cross-origin responses could be distinguished between script and non-script content-types * CVE-2024-4770 (bmo#1893270) Use-after-free could occur when printing to PDF * CVE-2024-4771 (bmo#1893891) Failed allocation could lead to use-after-free * CVE-2024-4772 (bmo#1870579) Use of insecure rand() function to generate nonce * CVE-2024-4773 (bmo#1875248) URL bar could be cleared after network error * CVE-2024-4774 (bmo#1886598) Undefined behavior in ShmemCharMapHashEntry() OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1150 --- MozillaFirefox.changes | 47 ++++++++++++++++++++++ MozillaFirefox.spec | 15 ++++--- firefox-125.0.3.source.tar.xz | 3 -- firefox-125.0.3.source.tar.xz.asc | 16 -------- firefox-126.0.source.tar.xz | 3 ++ firefox-126.0.source.tar.xz.asc | 16 ++++++++ l10n-125.0.3.tar.xz | 3 -- l10n-126.0.tar.xz | 3 ++ mozilla-kde.patch | 23 ++++++----- mozilla-libproxy-fix.patch | 25 ------------ mozilla-rust-disable-future-incompat.patch | 15 +++---- tar_stamps | 8 ++-- 12 files changed, 102 insertions(+), 75 deletions(-) delete mode 100644 firefox-125.0.3.source.tar.xz delete mode 100644 firefox-125.0.3.source.tar.xz.asc create mode 100644 
firefox-126.0.source.tar.xz create mode 100644 firefox-126.0.source.tar.xz.asc delete mode 100644 l10n-125.0.3.tar.xz create mode 100644 l10n-126.0.tar.xz delete mode 100644 mozilla-libproxy-fix.patch
diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes
index ed7dcd76..5cdfed5a 100644
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@@ -1,3 +1,50 @@
+-------------------------------------------------------------------
+Wed May 15 08:46:30 UTC 2024 - Wolfgang Rosenauer
+
+- Mozilla Firefox 126.0
+ https://www.mozilla.org/en-US/firefox/126.0/releasenotes
+ MFSA 2024-21 (bsc#1224056)
+ * CVE-2024-4764 (bmo#1879093)
+ Use-after-free when audio input connected with multiple consumers
+ * CVE-2024-4367 (bmo#1893645)
+ Arbitrary JavaScript execution in PDF.js
+ * CVE-2024-4765 (bmo#1871109)
+ Web application manifests could have been overwritten via
+ hash collision
+ * CVE-2024-4766 (bmo#1871214, bmo#1871217)
+ Fullscreen notification could have been obscured on Firefox
+ for Android
+ * CVE-2024-4767 (bmo#1878577)
+ IndexedDB files retained in private browsing mode
+ * CVE-2024-4768 (bmo#1886082)
+ Potential permissions request bypass via clickjacking
+ * CVE-2024-4769 (bmo#1886108)
+ Cross-origin responses could be distinguished between script
+ and non-script content-types
+ * CVE-2024-4770 (bmo#1893270)
+ Use-after-free could occur when printing to PDF
+ * CVE-2024-4771 (bmo#1893891)
+ Failed allocation could lead to use-after-free
+ * CVE-2024-4772 (bmo#1870579)
+ Use of insecure rand() function to generate nonce
+ * CVE-2024-4773 (bmo#1875248)
+ URL bar could be cleared after network error
+ * CVE-2024-4774 (bmo#1886598)
+ Undefined behavior in ShmemCharMapHashEntry()
+ * CVE-2024-4775 (bmo#1887332)
+ Invalid memory access in the built-in profiler
+ * CVE-2024-4776 (bmo#1887343)
+ Window may remain disabled after file dialog is shown in
+ full-screen
+ * CVE-2024-4777 (bmo#1878199, bmo#1893340)
+ Memory safety bugs fixed in Firefox 126, Firefox ESR 115.11,
+ and Thunderbird 115.11
+ * CVE-2024-4778 (bmo#1838834, bmo#1889291, bmo#1889595,
+ bmo#1890204, bmo#1891545)
+ Memory safety bugs fixed in Firefox 126
+- requires NSS 3.100
+- removed obsolete mozilla-libproxy-fix.patch
+
 -------------------------------------------------------------------
 Mon Apr 29 18:17:48 UTC 2024 - Andreas Stieger
diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec
index f2387167..a8039b5b 100644
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major 125
-%define mainver %major.0.3
-%define orig_version 125.0.3
+%define major 126
+%define mainver %major.0
+%define orig_version 126.0
 %define orig_suffix %{nil}
 %define update_channel release
 %define branding 1
@@ -114,7 +114,7 @@ BuildRequires: libiw-devel
 BuildRequires: libproxy-devel
 BuildRequires: makeinfo
 BuildRequires: mozilla-nspr-devel >= 4.35
-BuildRequires: mozilla-nss-devel >= 3.99
+BuildRequires: mozilla-nss-devel >= 3.100
 BuildRequires: nasm >= 2.14
 BuildRequires: nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -229,7 +229,6 @@ Patch21: svg-rendering.patch
 Patch22: mozilla-partial-revert-1768632.patch
 Patch23: mozilla-rust-disable-future-incompat.patch
 Patch24: mozilla-bmo1822730.patch
-Patch25: mozilla-libproxy-fix.patch
 # Firefox/browser
 Patch101: firefox-kde.patch
 Patch102: firefox-branded-icons.patch
@@ -735,10 +734,10 @@ exit 0
 %{progdir}/platform.ini
 %if %crashreporter
 %{progdir}/crashreporter
-%{progdir}/crashreporter.ini
-%{progdir}/Throbber-small.gif
+#%{progdir}/crashreporter.ini
+#%{progdir}/Throbber-small.gif
 %{progdir}/minidump-analyzer
-%{progdir}/browser/crashreporter-override.ini
+#%{progdir}/browser/crashreporter-override.ini
 %endif
 %{_datadir}/applications/%{desktop_file_name}.desktop
 %{_datadir}/mime/packages/%{progname}.xml
diff --git a/firefox-125.0.3.source.tar.xz b/firefox-125.0.3.source.tar.xz
deleted file mode 100644
index 53ebe41e..00000000
--- a/firefox-125.0.3.source.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:461c66b85e4a0345dcce422d3b66212489f3cca8f22a9a8f43a07a0c98bd5616
-size 551590872
diff --git a/firefox-125.0.3.source.tar.xz.asc b/firefox-125.0.3.source.tar.xz.asc
deleted file mode 100644
index 25f6bf20..00000000
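Review bot: In the `%files` hunk of MozillaFirefox.spec (-735,10 +734,10), the three crashreporter entries are disabled by prefixing them with `#` while the `%{progdir}` macro is left unescaped. rpm still expands macros inside comment lines and newer rpm versions warn about it, so either delete the lines or escape the macro, e.g. `#%%{progdir}/crashreporter.ini`. The new changelog entry records only the NSS requirement and the removed libproxy patch; a line such as `- crashreporter.ini, Throbber-small.gif and crashreporter-override.ini are no longer packaged` with the reason would document the change. Presumably 126.0 no longer installs these files, which is not visible in this diff.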
--- a/firefox-125.0.3.source.tar.xz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmYtMEEACgkQ4207E/PZ -MnSBeA/9E8S6inlmYrxQ2wf0LKnDKZmT06XUvlcKWy68F1RdEWNLqjMOV+o60rug -/Gjnp6DT2yTMsXnoaO1Re89HGKHkZ1KbuevzjLUyXvQzNUbkCuA+5zqZEwa+16g7 -rxFpho7iEO5LkYB7PoQxks8AY+JaXlZreXMJ8I5wQ5+KnM8tQE1ZcoAFz2J5Oc9Y -DHtVbzq09V6dh5B0oTjGxsWB65YqhxTc3zCpQ8nNB5IV6MwU99emfcI7usLWtdyP -goTDXYCYlsORn0pTGkAL5GeXWgh4yAxOW5Fr3Cfv9oADFCTVFK07A7n8Y9fbuT5b -9ZgUkBPjuwf3pFcQAXRerrPCbbo4SqMY88tcUNXhOjbwxGXplxBd+A1v/3I3wv5y -jk3FGLHrlUX4AvBhMsajvUu6cpqPfVfDaKDRLpvJkPMTFz0Gv9Log8BnhQ852hkq -/y0vvdY8znIvWM9pca97AtQVhhamKuAo7kqh996g8eT5Wa2pBbSuuKWteT1i+61Z -iLsg8mcfnEgoP7w+KOgiSKvuG738MHvxMV/aQdR2AXLOCkltr4gqXytXhYsPLvJg -qfeUdLqgYPu64vyhETzdfxqL4Ivaj25ikSXILO+iKJo5cMQP4j7g1oZAq7Qtt/Yi -wC2cgmMKhn0fNB7f9csyyJV33jI55u56A7iO6p1Z4HCFbbTtI8k= -=0RYQ ------END PGP SIGNATURE----- diff --git a/firefox-126.0.source.tar.xz b/firefox-126.0.source.tar.xz new file mode 100644 index 00000000..d6387274 --- /dev/null +++ b/firefox-126.0.source.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:910e82a1999ec229e5bc5090a39cec9c575e8bafcac2c54f9bb5c699bd868526 +size 552065476 diff --git a/firefox-126.0.source.tar.xz.asc b/firefox-126.0.source.tar.xz.asc new file mode 100644 index 00000000..f431cb67 --- /dev/null +++ b/firefox-126.0.source.tar.xz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmY9XrkACgkQ4207E/PZ +MnT6RQ//S0b1dy2LR3WqwnZvdZRjT9jbmdJw7RKopN4KAaZmeL5qo4eBOWxkECqw +TrZZiqX44Mm1DdIJG0NKP7D95WMAJuJQntV5VFJMZKtdtmD1UHMymMKOqYia21tr +5pxrwEYAPP7t3zZIoCDmcgdwArWkdt+wJSNCTrTjaJQdygP02bex2lZl7HE7wsrp +02/SAjl83iOkx2x+W9LeR889PGrrOe4c2Z0fHaqGtBJVOBR/1JJwjJT2td0CCjmD +wAsI/O2nxwL+kMTB/8sexcYFdM2QDBmMOYJb82sb7mkc3y1xsCMhpGylmhXGFS3c +en44BdNAHCTn91g/MlhIjUCPljWG+YkitE2/7GKotpOQTNH9rr2UET3aPzvwAZyf +Gl5U9VN8u++ZCvVXrtmve1P2vOkJnUcq+MBxTgiBlFyqhvhww9KP7nIQslBzUhWc +X25OKQVXHyfYLS3s+xP2ynCG7cXXbV3jSDBS7FcbiHqdaL4d1d9gnGj1/+77KOJA +3aZ8ARLc1x9V/mc9HuyLrcletcpMhhusgY2fc/ae8i6Dh5nL+GY06x1Fv5JtNDR0 +XgJR6IflalT2EDeMOvRHWuWl1wPi8KVD3DRZiOKqBOuln2nZSyV2cpXozAgA87zE +qanJq7bkFkl4YFMkBBytDUq85t4K9ztAlzTR0UeyKR4AuLRZuww= +=5nXv +-----END PGP SIGNATURE----- diff --git a/l10n-125.0.3.tar.xz b/l10n-125.0.3.tar.xz deleted file mode 100644 index aef35497..00000000 --- a/l10n-125.0.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:67744c91e271a3e28c59a5b7d4136c0f338fdee73c633ebfcb350cb9a05a4df7 -size 31332840 diff --git a/l10n-126.0.tar.xz b/l10n-126.0.tar.xz new file mode 100644 index 00000000..8de18dbb --- /dev/null +++ b/l10n-126.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7fb67354817ee6319fbe56189ef248105bc3025983dabfe654992f31a86c7f98 +size 31696716 diff --git a/mozilla-kde.patch b/mozilla-kde.patch index bf2723ea..b5b9b92c 100644 --- a/mozilla-kde.patch +++ b/mozilla-kde.patch @@ -50,7 +50,7 @@ Co-authored-by: Björn Bidar diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp --- a/modules/libpref/Preferences.cpp +++ b/modules/libpref/Preferences.cpp -@@ -90,16 +90,17 @@ +@@ -92,16 +92,17 @@ #include "PLDHashTable.h" #include "prdtoa.h" #include "prlink.h" @@ -727,7 +727,7 @@ 
diff --git a/uriloader/exthandler/HandlerServiceParent.cpp b/uriloader/exthandle using mozilla::dom::RemoteHandlerApp; namespace { -@@ -305,18 +305,18 @@ mozilla::ipc::IPCResult HandlerServicePa +@@ -309,18 +309,18 @@ mozilla::ipc::IPCResult HandlerServicePa mozilla::ipc::IPCResult HandlerServiceParent::RecvExistsForProtocolOS( const nsACString& aProtocolScheme, bool* aHandlerExists) { if (aProtocolScheme.Length() > MAX_SCHEME_LENGTH) { @@ -771,7 +771,7 @@ diff --git a/uriloader/exthandler/moz.build b/uriloader/exthandler/moz.build ] elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "windows": UNIFIED_SOURCES += [ -@@ -129,15 +131,16 @@ include("/ipc/chromium/chromium-config.m +@@ -130,15 +132,16 @@ include("/ipc/chromium/chromium-config.m FINAL_LIBRARY = "xul" LOCAL_INCLUDES += [ @@ -991,7 +991,7 @@ new file mode 100644 diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp --- a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp +++ b/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp -@@ -1,48 +1,51 @@ +@@ -1,27 +1,30 @@ /* -*- Mode: C++; tab-width: 3; indent-tabs-mode: nil; c-basic-offset: 2 -*- * * This Source Code Form is subject to the terms of the Mozilla Public @@ -1004,6 +1004,8 @@ diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler #include "nsIGIOService.h" #include "nsNetCID.h" #include "nsIIOService.h" + #include "nsLocalFile.h" + #ifdef MOZ_ENABLE_DBUS # include "nsDBusHandlerApp.h" #endif @@ -1016,10 +1018,13 @@ 
diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler + return nsCommonRegistry::LoadURL(aURI); } - NS_IMETHODIMP - nsMIMEInfoUnix::GetHasDefaultHandler(bool* _retval) { - // if a default app is set, it means the application has been set from - // either /etc/mailcap or ${HOME}/.mailcap, in which case we don't want to + NS_IMETHODIMP nsMIMEInfoUnix::GetDefaultExecutable(nsIFile** aExecutable) { + // This needs to be implemented before FirefoxBridge will work on Linux. + // To implement this and be consistent, GetHasDefaultHandler and + // LaunchDefaultWithFile should probably be made to be consistent. + // Right now, they aren't. GetHasDefaultHandler reports true in cases + // where calling LaunchDefaultWithFile will fail due to not finding the +@@ -37,25 +40,25 @@ nsMIMEInfoUnix::GetHasDefaultHandler(boo // give the GNOME answer. if (GetDefaultApplication()) { return nsMIMEInfoImpl::GetHasDefaultHandler(_retval); @@ -1048,7 +1053,7 @@ diff --git a/uriloader/exthandler/unix/nsMIMEInfoUnix.cpp b/uriloader/exthandler if (*_retval) return NS_OK; return NS_OK; -@@ -54,16 +57,31 @@ nsresult nsMIMEInfoUnix::LaunchDefaultWi +@@ -67,16 +70,31 @@ nsresult nsMIMEInfoUnix::LaunchDefaultWi // give the GNOME answer. if (GetDefaultApplication()) { return nsMIMEInfoImpl::LaunchDefaultWithFile(aFile); diff --git a/mozilla-libproxy-fix.patch b/mozilla-libproxy-fix.patch deleted file mode 100644 index 3789564a..00000000 --- a/mozilla-libproxy-fix.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -# HG changeset patch -# User Wolfgang Rosenauer -# Parent 302a32e4a14475d3bae305decad92870ec37bbe5 - -diff --git a/toolkit/system/unixproxy/nsLibProxySettings.cpp b/toolkit/system/unixproxy/nsLibProxySettings.cpp ---- a/toolkit/system/unixproxy/nsLibProxySettings.cpp -+++ b/toolkit/system/unixproxy/nsLibProxySettings.cpp -@@ -94,11 +94,17 @@ nsresult nsUnixSystemProxySettings::GetP - - c++; - } - - free(proxyArray); - return NS_OK; - } - -+NS_IMETHODIMP -+nsUnixSystemProxySettings::GetSystemWPADSetting(bool* aSystemWPADSetting) { -+ *aSystemWPADSetting = false; -+ return NS_OK; -+} -+ - NS_IMPL_COMPONENT_FACTORY(nsUnixSystemProxySettings) { - return do_AddRef(new nsUnixSystemProxySettings()).downcast(); - } diff --git a/mozilla-rust-disable-future-incompat.patch b/mozilla-rust-disable-future-incompat.patch index 522e3559..75a1200a 100644 --- a/mozilla-rust-disable-future-incompat.patch +++ b/mozilla-rust-disable-future-incompat.patch @@ -1,20 +1,21 @@ # HG changeset patch -# Parent fa3b49f090f8b4a1af0510a675d2674a420fcbc6 +# Parent 83a5e219b271976ee9dfa46b74ecc1c1c6d49f94 diff --git a/Cargo.toml b/Cargo.toml --- a/Cargo.toml +++ b/Cargo.toml -@@ -219,8 +219,13 @@ webext-storage = { git = "https://github +@@ -234,8 +234,14 @@ mio_0_8 = { package = "mio", git = "http path = "third_party/rust/mio-0.6.23" [patch."https://github.com/mozilla/uniffi-rs.git"] - uniffi = "=0.25.3" - uniffi_bindgen = "=0.25.3" - uniffi_build = "=0.25.3" - uniffi_macros = "=0.25.3" - weedle2 = "=4.0.0" + uniffi = "0.27.1" + uniffi_bindgen = "0.27.1" + uniffi_build = "0.27.1" + uniffi_macros = "0.27.1" + weedle2 = "=5.0.0" + +# Package code v0.1.4 uses code "that will be rejected by a future version of Rust" +# Shut up such messages for now to make the build succeed +[future-incompat-report] +frequency = "never" ++ diff --git a/tar_stamps b/tar_stamps index d7d6c8ae..8f08aa24 100644 --- a/tar_stamps +++ b/tar_stamps 
@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="125.0.3"
+VERSION="126.0"
 VERSION_SUFFIX=""
-PREV_VERSION="125.0.2"
+PREV_VERSION="125.0.3"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="899257fc1af08f2b141cd16d4b6151c0e0b47a9a"
-RELEASE_TIMESTAMP="20240425211020"
+RELEASE_TAG="3db775a2083d15ae699bdc129ad9c51f323ace70"
+RELEASE_TIMESTAMP="20240509170740"