- Mozilla Firefox 118.0.1

MFSA 2023-44 (bsc#1215814) * CVE-2023-5217 (bmo#1855550), Heap buffer overflow in libvpx - Mozilla Firefox 118.0 MFSA 2023-41 (bsc#1215575) * CVE-2023-5168 (bmo#1846683) Out-of-bounds write in FilterNodeD2D1 * CVE-2023-5169 (bmo#1846685) Out-of-bounds write in PathOps * CVE-2023-5170 (bmo#1846686) Memory leak from a privileged process * CVE-2023-5171 (bmo#1851599) Use-after-free in Ion Compiler * CVE-2023-5172 (bmo#1852218) Memory Corruption in Ion Hints * CVE-2023-5173 (bmo#1823172) Out-of-bounds write in HTTP Alternate Services * CVE-2023-5174 (bmo#1848454) Double-free in process spawning on Windows * CVE-2023-5175 (bmo#1849704) Use-after-free of ImageBitmap during process shutdown * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962, bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195) Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3, and Thunderbird 115.3 - requires NSS 3.93 - deactivated KDE integration temporarily OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=1108
2023-09-29 08:31:52 +00:00 · 2023-09-29 08:31:52 +00:00 · aeb0620d41
commit aeb0620d41
parent 24d80f3612
10 changed files with 75 additions and 43 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,7 +1,39 @@
 -------------------------------------------------------------------
-Sat Sep 23 07:29:25 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+Fri Sep 29 06:50:26 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>

+- Mozilla Firefox 118.0.1
+  MFSA 2023-44 (bsc#1215814)
+  * CVE-2023-5217 (bmo#1855550),
+    Heap buffer overflow in libvpx
+
+-------------------------------------------------------------------
+Mon Sep 25 06:35:49 UTC 2023 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 118.0
+  MFSA 2023-41 (bsc#1215575)
+  * CVE-2023-5168 (bmo#1846683)
+    Out-of-bounds write in FilterNodeD2D1
+  * CVE-2023-5169 (bmo#1846685)
+    Out-of-bounds write in PathOps
+  * CVE-2023-5170 (bmo#1846686)
+    Memory leak from a privileged process
+  * CVE-2023-5171 (bmo#1851599)
+    Use-after-free in Ion Compiler
+  * CVE-2023-5172 (bmo#1852218)
+    Memory Corruption in Ion Hints
+  * CVE-2023-5173 (bmo#1823172)
+    Out-of-bounds write in HTTP Alternate Services
+  * CVE-2023-5174 (bmo#1848454)
+    Double-free in process spawning on Windows
+  * CVE-2023-5175 (bmo#1849704)
+    Use-after-free of ImageBitmap during process shutdown
+  * CVE-2023-5176 (bmo#1836353, bmo#1842674, bmo#1843824, bmo#1843962,
+    bmo#1848890, bmo#1850180, bmo#1850983, bmo#1851195)
+    Memory safety bugs fixed in Firefox 118, Firefox ESR 115.3,
+    and Thunderbird 115.3
+- requires NSS 3.93
 - add mozilla-bmo1822730.patch
+- deactivated KDE integration temporarily

 -------------------------------------------------------------------
 Tue Sep 12 17:04:01 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %%major.99
-%define major          117
+%define major          118
 %define mainver        %major.0.1
-%define orig_version   117.0.1
+%define orig_version   118.0.1
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@ -73,7 +73,7 @@ BuildArch:      i686
 %define desktop_file_name %{progname}
 %define firefox_appid \{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}
 %define __provides_exclude ^lib.*\\.so.*$
-%define __requires_exclude ^(libmoz.*|liblgpllibs.*|libxul.*)$
+%define __requires_exclude ^(libmoz.*|liblgpllibs.*|libxul.*|libgk.*)$
 %define localize 1
 %ifarch %ix86 x86_64
 %define crashreporter 1
@ -114,7 +114,7 @@ BuildRequires:  libiw-devel
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.35
-BuildRequires:  mozilla-nss-devel >= 3.92
+BuildRequires:  mozilla-nss-devel >= 3.93
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 12.22.12
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@ -209,7 +209,7 @@ Source20:       https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig
 Source21:       https://ftp.mozilla.org/pub/%{srcname}/releases/%{version}%{orig_suffix}/KEY#/mozilla.keyring
 # Gecko/Toolkit
 Patch1:         mozilla-nongnome-proxies.patch
-Patch2:         mozilla-kde.patch
+#Patch2:         mozilla-kde.patch
 Patch3:         mozilla-ntlm-full-path.patch
 Patch4:         mozilla-aarch64-startup-crash.patch
 Patch5:         mozilla-fix-aarch64-libopus.patch
@ -230,7 +230,7 @@ Patch22:        mozilla-partial-revert-1768632.patch
 Patch23:        mozilla-rust-disable-future-incompat.patch
 Patch24:        mozilla-bmo1822730.patch
 # Firefox/browser
-Patch101:       firefox-kde.patch
+#Patch101:       firefox-kde.patch
 Patch102:       firefox-branded-icons.patch
 %endif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@ -349,11 +349,11 @@ sed -i "s|potential_python_binary = f\"python3.{i}\"|potential_python_binary = f
 export PYTHON3=/usr/bin/python3.9
 %endif

-kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3)
-if test "$kdehelperversion" != %{kde_helper_version}; then
-  echo fix kde helper version in the .spec file
-  exit 1
-fi
+#kdehelperversion=$(cat toolkit/xre/nsKDEUtils.cpp | grep '#define KMOZILLAHELPER_VERSION' | cut -d ' ' -f 3)
+#if test "$kdehelperversion" != %{kde_helper_version}; then
+#  echo fix kde helper version in the .spec file
+#  exit 1
+#fi

 # When doing only_print_mozconfig, this file isn't necessarily available, so skip it
 cp %{SOURCE4} .obsenv.sh
--- a/firefox-117.0.1.source.tar.xz
+++ b/firefox-117.0.1.source.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7ea4203b5cf9e59f80043597e2c9020291754fcab784a337586b5f5e1370c416
-size 509601584
--- a/firefox-117.0.1.source.tar.xz.asc
+++ b/firefox-117.0.1.source.tar.xz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmT/6zUACgkQ4207E/PZ
-MnQICQ/8CJ26x43i1AZrHfUhvhF1nW+ZA75WNXK3yTn681tc6wYoznWDDMSy8JdR
-bWGzYm1NsJeQcMUkj4qjlXYwigihfh5e6DNkWzd4bLR8HTWmhyb+1EyGx/E86W1M
-n3xU0l67jQA7/ZXNdoVn6O9YVjyLiw4lLByaWe/i9+5S5TwUK9/n+7zibgflYvM3
-/A6syl9OC06MFAQ7CPnUk+OrVz6BXRQKPsInKFFsSCRuzLtUozWIzxgStRija5rG
-75oU3zDmJKyVAx5BJsM94l0e9LnUQKs0oqCuPdu2eHHN5QZzQyGurfMbP1sNMqRd
-OmGuwNI/HgRRAYVLH4b/avEVqd3jpPcK8OyOfdBz4AnorWhNllNNx55/Vmn8jVV5
-lklHoyJRYb845m9Af2iQEnPJEbeOcaO2E6w46TtiqWY+0vw499BlCjXiBEreG3oT
-r883CmqGhsQa35WrYWFGx+Gay7YyTBDu3L8cXme3PQkBWpAPd4V/ykQhzJ0yXBWg
-bKRAhRNH8lVKe3WgXp2xBdfWQefSq8kiWGS1JQV94FKcvP0XPzqEx8Lf5qPdJi+L
-yXHFGBmOAjFeAhwWgkOP+YAjHviwoB0bid7J9hlH3z2+XaXeuQrRMG37gOfz0QZJ
-ca9EXMKcqhM2Nj9HntDGSaVztwkENrx4fv6vlQiWVQPrdyDedQw=
-=nEbC
-----END PGP SIGNATURE-----
--- a/firefox-118.0.1.source.tar.xz
+++ b/firefox-118.0.1.source.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a3f4da56d13605d615a740c739e3504261649d040bc473ae2ed609336d79fd95
+size 516965884
--- a/firefox-118.0.1.source.tar.xz.asc
+++ b/firefox-118.0.1.source.tar.xz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEErdcHlHlwDcrf3VM34207E/PZMnQFAmUU6KkACgkQ4207E/PZ
+MnSeHA//Z+OBeffry1qQzZnDDd7o6guO0G6Ka8t/jGB2wRzg0DoO2hiOVHLlDkcJ
+0cuuASs2HoPcT8T0S3Km2hJgrL9oiMAOUCadCWbfbR3g9BxY8uuJwy82BT9fCMA5
+A4lK7eFN2+t0CQ9ULu9AW9+iFhbpKRPzigD2ITeySCOY1P+I+wRm1lzo0i/cKbdU
+A+S01RUzWFIG6F3ZDB3imAtJ4G/0rAgfxqfI1W991rz5JQAhOVmUnCROFKqdzOm6
+7TI51Id+TgLxRSrWVff7aKGMxFTWbuiTNjwT30SwwDMrBMeuvSygE0e3tv/4nVwg
+BfmxIN+ka693LBVugSH+qh+JgOYYxr7FITI81AY74U6es9rpa+Nom4uOEpqnD75B
+KdIvNTllJUGInMxZ2noE9ztFkXJO/eFmuZYnMBUONo+K3pyNXhaRi/X4VPpWC+VI
+etcMJ/gThDNslVndtgT206+AE7s8EWTs+Xy26wxAjCy1/O9TaDxT7WmVX7/P3df9
+ueztR9EqWMveb23PZyl48l72MnJ/55IjsNnVjs66Hs6ZfjtokYoYTYzSTbu393s
+KjkZzU/24D/DtXp9vdfryikyqZTavSdEeZJpW5rSOHxFWHSq8c1T7bRVGYpN3k/i
+qwO38UKUeQwR9z6d0suIlniH2FqnzQUmKEPxOldWUsWRoktL47g=
+=6aDx
+-----END PGP SIGNATURE-----
--- a/l10n-117.0.1.tar.xz
+++ b/l10n-117.0.1.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e83c4ccd6549bf0e8ba1d13cedc9fc8293423d35e970b5127526d558b7c54c34
-size 30033556
--- a/l10n-118.0.1.tar.xz
+++ b/l10n-118.0.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cecf0f23bdcd4ae10575451b34e575b97d957b71f38a180342d416df204202fe
+size 30167788
--- a/mozilla-silence-no-return-type.patch
+++ b/mozilla-silence-no-return-type.patch
@ -1,5 +1,5 @@
 # HG changeset patch
-# Parent  505c5ac5cad0268fe81c67d39f70cbab3bff616a
+# Parent  f809af927a59e945c76f51c25b1044fb42748c24

 diff --git a/gfx/skia/skia/include/codec/SkEncodedOrigin.h b/gfx/skia/skia/include/codec/SkEncodedOrigin.h
 --- a/gfx/skia/skia/include/codec/SkEncodedOrigin.h
@ -722,7 +722,7 @@ diff --git a/third_party/libwebrtc/modules/audio_processing/agc2/input_volume_st
 diff --git a/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc b/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc
 --- a/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc
 +++ b/third_party/libwebrtc/modules/audio_processing/agc2/rnn_vad/rnn_fc.cc
-@@ -54,16 +54,18 @@ std::vector<float> PreprocessWeights(rtc
+@@ -55,16 +55,18 @@ std::vector<float> PreprocessWeights(rtc
 rtc::FunctionView<float(float)> GetActivationFunction(
     ActivationFunction activation_function) {
   switch (activation_function) {
@ -948,12 +948,12 @@ diff --git a/third_party/libwebrtc/modules/rtp_rtcp/source/rtp_sender_audio.cc b
 +  return "";
 }
 
- constexpr char kIncludeCaptureClockOffset[] =
-     "WebRTC-IncludeCaptureClockOffset";
- 
 }  // namespace
 
 RTPSenderAudio::RTPSenderAudio(Clock* clock, RTPSender* rtp_sender)
+     : clock_(clock),
+       rtp_sender_(rtp_sender),
+       absolute_capture_time_sender_(clock) {
 diff --git a/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc b/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc
 --- a/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc
 +++ b/third_party/libwebrtc/modules/video_coding/codecs/vp8/default_temporal_layers.cc
--- a/8
+++ b/8
@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="117.0.1"
+VERSION="118.0.1"
 VERSION_SUFFIX=""
-PREV_VERSION="117.0"
+PREV_VERSION="118.0"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="e245ca2125a6eb1e2d08cc9e5824f15e1e67a566"
-RELEASE_TIMESTAMP="20230912013654"
+RELEASE_TAG="68e4c357d26c5a1f075a1ec0c696d4fe684ed881"
+RELEASE_TIMESTAMP="20230927232528"