From b7e1035064474ce67c2068e4428de2d3b1fa341329dec679241e1800af41ba66 Mon Sep 17 00:00:00 2001 
From: Wolfgang Rosenauer Date: Tue, 8 Aug 2017 19:59:47 +0000 Subject: [PATCH 1/2] - update to Firefox 52.3esr (boo#1052829) MFSA 2017-19 * CVE-2017-7798 (bmo#1371586, bmo#1372112) XUL injection in the style editor in devtools * CVE-2017-7800 (bmo#1374047) Use-after-free in WebSockets during disconnection * CVE-2017-7801 (bmo#1371259) Use-after-free with marquee during window resizing * CVE-2017-7784 (bmo#1376087) Use-after-free with image observers * CVE-2017-7802 (bmo#1378147) Use-after-free resizing image elements * CVE-2017-7785 (bmo#1356985) Buffer overflow manipulating ARIA attributes in DOM * CVE-2017-7786 (bmo#1365189) Buffer overflow while painting non-displayable SVG * CVE-2017-7753 (bmo#1353312) Out-of-bounds read with cached style data and pseudo-elements# * CVE-2017-7787 (bmo#1322896) Same-origin policy bypass with iframes through page reloads * CVE-2017-7807 (bmo#1376459) Domain hijacking through AppCache fallback * CVE-2017-7792 (bmo#1368652) Buffer overflow viewing certificates with an extremely long OID * CVE-2017-7804 (bmo#1372849) Memory protection bypass through WindowsDllDetourPatcher * CVE-2017-7791 (bmo#1365875) Spoofing following page navigation with data: protocol and modal alerts * CVE-2017-7782 (bmo#1344034) WindowsDllDetourPatcher allocates memory without DEP protections OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=598 --- MozillaFirefox.changes | 38 ++++++++++++++++++++++++++++++++++++ MozillaFirefox.spec | 4 ++-- compare-locales.tar.xz | 4 ++-- create-tar.sh | 4 ++-- firefox-52.2.1-source.tar.xz | 3 --- firefox-52.3.0-source.tar.xz | 3 +++ l10n-52.2.1.tar.xz | 3 --- l10n-52.3.0.tar.xz | 3 +++ source-stamp.txt | 2 +- 9 files changed, 51 insertions(+), 13 deletions(-) delete mode 100644 firefox-52.2.1-source.tar.xz create mode 100644 firefox-52.3.0-source.tar.xz delete mode 100644 l10n-52.2.1.tar.xz create mode 100644 l10n-52.3.0.tar.xz 
diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes
index 4b8eb3c..78a6dcb 100644
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Tue Aug 8 18:13:34 UTC 2017 - wr@rosenauer.org
+
+- update to Firefox 52.3esr (boo#1052829)
+ MFSA 2017-19
+ * CVE-2017-7798 (bmo#1371586, bmo#1372112)
+ XUL injection in the style editor in devtools
+ * CVE-2017-7800 (bmo#1374047)
+ Use-after-free in WebSockets during disconnection
+ * CVE-2017-7801 (bmo#1371259)
+ Use-after-free with marquee during window resizing
+ * CVE-2017-7784 (bmo#1376087)
+ Use-after-free with image observers
+ * CVE-2017-7802 (bmo#1378147)
+ Use-after-free resizing image elements
+ * CVE-2017-7785 (bmo#1356985)
+ Buffer overflow manipulating ARIA attributes in DOM
+ * CVE-2017-7786 (bmo#1365189)
+ Buffer overflow while painting non-displayable SVG
+ * CVE-2017-7753 (bmo#1353312)
+ Out-of-bounds read with cached style data and pseudo-elements#
+ * CVE-2017-7787 (bmo#1322896)
+ Same-origin policy bypass with iframes through page reloads
+ * CVE-2017-7807 (bmo#1376459)
+ Domain hijacking through AppCache fallback
+ * CVE-2017-7792 (bmo#1368652)
+ Buffer overflow viewing certificates with an extremely long OID
+ * CVE-2017-7804 (bmo#1372849)
+ Memory protection bypass through WindowsDllDetourPatcher
+ * CVE-2017-7791 (bmo#1365875)
+ Spoofing following page navigation with data: protocol and modal alerts
+ * CVE-2017-7782 (bmo#1344034)
+ WindowsDllDetourPatcher allocates memory without DEP protections
+ * CVE-2017-7803 (bmo#1377426)
+ CSP containing 'sandbox' improperly applied
+ * CVE-2017-7779
+ Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
+
 -------------------------------------------------------------------
 Wed Jul 5 07:26:32 UTC 2017 - astieger@suse.com
diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec
index bec71f5..764c651 100644
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@@ -19,9 +19,9 @@
 # changed with every update
 %define major 52
-%define mainver %major.2.1
+%define mainver %major.3.0
 %define update_channel esr52
-%define releasedate 20170629000000
+%define releasedate 20170807000000
 # PIE, full relro (x86_64 for now)
 %define build_hardened 1
diff --git a/compare-locales.tar.xz b/compare-locales.tar.xz
index a36a751..eb66ea3 100644
--- a/compare-locales.tar.xz
+++ b/compare-locales.tar.xz
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b14ec1fcbda280d664f73c0cc109dfe70dfd9c82ee73e6b6effcfb91b683e974
-size 28824
+oid sha256:0c012241138a66dea1995518f245898791d94cb31d11b2472c889dbe464418bb
+size 28392
diff --git a/create-tar.sh b/create-tar.sh
index e5aae72..f24c3ea 100644
--- a/create-tar.sh
+++ b/create-tar.sh
@@ -7,8 +7,8 @@ CHANNEL="esr52"
 BRANCH="releases/mozilla-$CHANNEL"
-RELEASE_TAG="FIREFOX_52_2_1esr_RELEASE"
-VERSION="52.2.1"
+RELEASE_TAG="FIREFOX_52_3_0esr_RELEASE"
+VERSION="52.3.0"
 # mozilla
 if [ -d mozilla ]; then
diff --git a/firefox-52.2.1-source.tar.xz b/firefox-52.2.1-source.tar.xz
deleted file mode 100644
index 5dccf44..0000000
--- a/firefox-52.2.1-source.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ba0a07c30a18029a82304b99ab6d309e297fd4daf154b28dd3fd355b2da58b61
-size 228016352
diff --git a/firefox-52.3.0-source.tar.xz b/firefox-52.3.0-source.tar.xz
new file mode 100644
index 0000000..f45968b
--- /dev/null
+++ b/firefox-52.3.0-source.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:81cda681a593c1737ff6a448e73288beab6e1499f638002f5cfaa6726896420b
+size 223189032
diff --git a/l10n-52.2.1.tar.xz b/l10n-52.2.1.tar.xz
deleted file mode 100644
index 5533b14..0000000
--- a/l10n-52.2.1.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fcc7a6c7f1666fc216a43418dcb698001ca97e1ad2de1620364b50ef79d6c9a7
-size 49291392
diff --git a/l10n-52.3.0.tar.xz b/l10n-52.3.0.tar.xz
new file mode 100644
index 0000000..7b8c734
--- /dev/null
+++ b/l10n-52.3.0.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:20761eb9dd53c5880410fa1a94574f14b75e443b5bc8efe383d27c40a3e241c9
+size 45075116
diff --git a/source-stamp.txt b/source-stamp.txt
index 3fbcfd0..afd795f 100644
--- a/source-stamp.txt
+++ b/source-stamp.txt
@@ -1,2 +1,2 @@
-REV=512efd480dac
+REV=20a1a6ad46d5
 REPO=http://hg.mozilla.org/releases/mozilla-esr52
From 00cbc455c91e63c61574d136299c1e3b9da43cba7057e57ecd1c189f6f0c65df Mon Sep 17 00:00:00 2001
From: Wolfgang Rosenauer
Date: Wed, 9 Aug 2017 10:10:53 +0000
Subject: [PATCH 2/2] Accepting request 515330 from home:Andreas_Schwab:Factory
- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
OBS-URL: https://build.opensuse.org/request/show/515330
OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=599
---
MozillaFirefox.changes | 5 +
MozillaFirefox.spec | 2 +
mozilla-ucontext.patch | 203 +++++++++++++++++++++++++++++++++++++++++
3 files changed, 210 insertions(+)
create mode 100644 mozilla-ucontext.patch
diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes
index 78a6dcb..c842c97 100644
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Aug 9 09:47:39 UTC 2017 - schwab@suse.de
+
+- mozilla-ucontext.patch: use ucontext_t instead of struct ucontext
+
 -------------------------------------------------------------------
 Tue Aug 8 18:13:34 UTC 2017 - wr@rosenauer.org
diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec
index 764c651..8f6d3a4 100644
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@@ -158,6 +158,7 @@ Patch7: mozilla-openaes-decl.patch
 Patch8: mozilla-no-stdcxx-check.patch
 Patch9: mozilla-reduce-files-per-UnifiedBindings.patch
 Patch10: mozilla-aarch64-startup-crash.patch
+Patch11: mozilla-ucontext.patch
 # Firefox/browser
 Patch101: firefox-kde.patch
 Patch102: firefox-no-default-ualocale.patch
@@ -267,6 +268,7 @@ cd $RPM_BUILD_DIR/mozilla
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 # Firefox
 %patch101 -p1
 %patch102 -p1
diff --git a/mozilla-ucontext.patch b/mozilla-ucontext.patch
new file mode 100644
index 0000000..276ed89
--- /dev/null
+++ b/mozilla-ucontext.patch
@@ -0,0 +1,203 @@
+Index: mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
+===================================================================
+--- mozilla.orig/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
++++ mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.cc
+@@ -40,15 +40,15 @@ namespace google_breakpad {
+ 
+ #if defined(__i386__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.gregs[REG_ESP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.gregs[REG_EIP];
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+ const struct _libc_fpstate* fp) {
+ const greg_t* regs = uc->uc_mcontext.gregs;
+ 
+@@ -88,15 +88,15 @@ void UContextReader::FillCPUContext(RawC
+ 
+ #elif defined(__x86_64)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.gregs[REG_RSP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.gregs[REG_RIP];
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+ const struct _libc_fpstate* fpregs) {
+ const greg_t* regs = uc->uc_mcontext.gregs;
+ 
+@@ -145,15 +145,15 @@ void UContextReader::FillCPUContext(RawC
+ 
+ #elif defined(__ARM_EABI__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.arm_sp;
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.arm_pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
+ out->context_flags = MD_CONTEXT_ARM_FULL;
+ 
+ out->iregs[0] = uc->uc_mcontext.arm_r0;
+@@ -184,15 +184,15 @@ void UContextReader::FillCPUContext(RawC
+ 
+ #elif defined(__aarch64__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.sp;
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc,
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+ const struct fpsimd_context* fpregs) {
+ out->context_flags = MD_CONTEXT_ARM64_FULL;
+ 
+@@ -210,15 +210,15 @@ void UContextReader::FillCPUContext(RawC
+ 
+ #elif defined(__mips__)
+ 
+-uintptr_t UContextReader::GetStackPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetStackPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.gregs[MD_CONTEXT_MIPS_REG_SP];
+ }
+ 
+-uintptr_t UContextReader::GetInstructionPointer(const struct ucontext* uc) {
++uintptr_t UContextReader::GetInstructionPointer(const ucontext_t* uc) {
+ return uc->uc_mcontext.pc;
+ }
+ 
+-void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext *uc) {
++void UContextReader::FillCPUContext(RawContextCPU *out, const ucontext_t *uc) {
+ #if _MIPS_SIM == _ABI64
+ out->context_flags = MD_CONTEXT_MIPS64_FULL;
+ #elif _MIPS_SIM == _ABIO32
+Index: mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
+===================================================================
+--- mozilla.orig/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
++++ mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/dump_writer_common/ucontext_reader.h
+@@ -41,21 +41,21 @@ namespace google_breakpad {
+ 
+ // Wraps platform-dependent implementations of accessors to ucontext structs.
+ struct UContextReader {
+- static uintptr_t GetStackPointer(const struct ucontext* uc);
++ static uintptr_t GetStackPointer(const ucontext_t* uc);
+ 
+- static uintptr_t GetInstructionPointer(const struct ucontext* uc);
++ static uintptr_t GetInstructionPointer(const ucontext_t* uc);
+ 
+ // Juggle a arch-specific ucontext into a minidump format
+ // out: the minidump structure
+ // info: the collection of register structures.
+ #if defined(__i386__) || defined(__x86_64)
+- static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
++ static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+ const struct _libc_fpstate* fp);
+ #elif defined(__aarch64__)
+- static void FillCPUContext(RawContextCPU *out, const ucontext *uc,
++ static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc,
+ const struct fpsimd_context* fpregs);
+ #else
+- static void FillCPUContext(RawContextCPU *out, const ucontext *uc);
++ static void FillCPUContext(RawContextCPU *out, const ucontext_t *uc);
+ #endif
+ };
+ 
+Index: mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
+===================================================================
+--- mozilla.orig/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
++++ mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.cc
+@@ -439,9 +439,9 @@ bool ExceptionHandler::HandleSignal(int
+ // Fill in all the holes in the struct to make Valgrind happy.
+ memset(&g_crash_context_, 0, sizeof(g_crash_context_));
+ memcpy(&g_crash_context_.siginfo, info, sizeof(siginfo_t));
+- memcpy(&g_crash_context_.context, uc, sizeof(struct ucontext));
++ memcpy(&g_crash_context_.context, uc, sizeof(ucontext_t));
+ #if defined(__aarch64__)
+- struct ucontext* uc_ptr = (struct ucontext*)uc;
++ ucontext_t* uc_ptr = (ucontext_t*)uc;
+ struct fpsimd_context* fp_ptr =
+ (struct fpsimd_context*)&uc_ptr->uc_mcontext.__reserved;
+ if (fp_ptr->head.magic == FPSIMD_MAGIC) {
+@@ -452,7 +452,7 @@ bool ExceptionHandler::HandleSignal(int
+ // FP state is not part of user ABI on ARM Linux.
+ // In case of MIPS Linux FP state is already part of struct ucontext
+ // and 'float_state' is not a member of CrashContext.
+- struct ucontext* uc_ptr = (struct ucontext*)uc;
++ ucontext_t* uc_ptr = (ucontext_t*)uc;
+ if (uc_ptr->uc_mcontext.fpregs) {
+ memcpy(&g_crash_context_.float_state, uc_ptr->uc_mcontext.fpregs,
+ sizeof(g_crash_context_.float_state));
+@@ -476,7 +476,7 @@ bool ExceptionHandler::SimulateSignalDel
+ // ExceptionHandler::HandleSignal().
+ siginfo.si_code = SI_USER;
+ siginfo.si_pid = getpid();
+- struct ucontext context;
++ ucontext_t context;
+ getcontext(&context);
+ return HandleSignal(sig, &siginfo, &context);
+ }
+Index: mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
+===================================================================
+--- mozilla.orig/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
++++ mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/handler/exception_handler.h
+@@ -191,7 +191,7 @@ class ExceptionHandler {
+ struct CrashContext {
+ siginfo_t siginfo;
+ pid_t tid; // the crashing thread.
+- struct ucontext context;
++ ucontext_t context;
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+ // #ifdef this out because FP state is not part of user ABI for Linux ARM.
+ // In case of MIPS Linux FP state is already part of struct
+Index: mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
+===================================================================
+--- mozilla.orig/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
++++ mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/microdump_writer/microdump_writer.cc
+@@ -571,7 +571,7 @@ class MicrodumpWriter {
+ 
+ void* Alloc(unsigned bytes) { return dumper_->allocator()->Alloc(bytes); }
+ 
+- const struct ucontext* const ucontext_;
++ const ucontext_t* const ucontext_;
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+ const google_breakpad::fpstate_t* const float_state_;
+ #endif
+Index: mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
+===================================================================
+--- mozilla.orig/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
++++ mozilla/toolkit/crashreporter/google-breakpad/src/client/linux/minidump_writer/minidump_writer.cc
+@@ -1247,7 +1247,7 @@ class MinidumpWriter {
+ const int fd_; // File descriptor where the minidum should be written.
+ const char* path_; // Path to the file where the minidum should be written.
+ 
+- const struct ucontext* const ucontext_; // also from the signal handler
++ const ucontext_t* const ucontext_; // also from the signal handler
+ #if !defined(__ARM_EABI__) && !defined(__mips__)
+ const google_breakpad::fpstate_t* const float_state_; // ditto
+ #endif
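Review bot: The comments left untouched next to the renamed declarations still name the tag the patch removes: in the exception_handler.cc hunk at `@@ -452,7 +452,7 @@` the context line `// In case of MIPS Linux FP state is already part of struct ucontext`, and in the exception_handler.h hunk at `@@ -191,7 +191,7 @@` the line `// In case of MIPS Linux FP state is already part of struct` (which continues past the hunk end); both should read `ucontext_t` so the comment matches the member it annotates. The patch file also carries no preamble before the first `Index:` line stating why the rename is needed — presumably a newer glibc no longer exposing a `struct ucontext` tag — or whether it mirrors an upstream breakpad change; a two-line prose header giving the motivation and the upstream reference would save the next ESR rebase from re-deriving it. On a style point, the new lines `ucontext_t* uc_ptr = (ucontext_t*)uc;` in both HandleSignal hunks keep the original C-style cast; if `uc` is the `void*` third argument of the signal handler, `static_cast<ucontext_t*>(uc)` expresses the same conversion explicitly, though keeping a distro compatibility patch minimal is a defensible choice. HandleSignal and SimulateSignalDelivery both start outside the hunks shown.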