1
0
MozillaFirefox/mozilla-sandbox-fips.patch
Wolfgang Rosenauer 5afd51282e - Mozilla Firefox 81.0
* https://www.mozilla.org/en-US/firefox/81.0/releasenotes
  MFSA 2020-42 (bsc#1176756)
  * CVE-2020-15675 (bmo#1654211)
    Use-After-Free in WebGL
  * CVE-2020-15677 (bmo#1641487)
    Download origin spoofing via redirect
  * CVE-2020-15676 (bmo#1646140)
    XSS when pasting attacker-controlled data into a
    contenteditable element
  * CVE-2020-15678 (bmo#1660211)
    When recursing through layers while scrolling, an iterator
    may have become invalid, resulting in a potential use-after-
    free scenario
  * CVE-2020-15673 (bmo#1648493, bmo#1660800)
    Memory safety bugs fixed in Firefox 81 and Firefox ESR 78.3
  * CVE-2020-15674 (bmo#1656063, bmo#1656064, bmo#1656067, bmo#1660293)
    Memory safety bugs fixed in Firefox 81
- requires
  NSPR 4.28
  NSS 3.56
- removed obsolete patches
  * mozilla-system-nspr.patch
  * mozilla-bmo1661715.patch
  * mozilla-silence-no-return-type.patch
- skip post-build-checks for 15.0 and 15.1
- add revert-795c8762b16b.patch to fix LTO builds with gcc
  (related to bmo#1644409)
- Use %limit_build macro again for aarch64 and armv7, instead of

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=858
2020-09-22 14:04:54 +00:00

50 lines
2.2 KiB
Diff

From: meissner@suse.com, cgrobertson@suse.com
Subject: allow Firefox to access addtional process information
References:
http://bugzilla.suse.com/show_bug.cgi?id=1167132
bsc#1174284 - Firefox tab just crashed in FIPS mode
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
--- a/security/sandbox/linux/Sandbox.cpp
+++ b/security/sandbox/linux/Sandbox.cpp
@@ -647,16 +647,17 @@ void SetMediaPluginSandbox(const char* a
SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
strerror(errno));
MOZ_CRASH("failed while trying to open the plugin file ");
}
auto files = new SandboxOpenedFiles();
files->Add(std::move(plugin));
files->Add("/dev/urandom", true);
+ files->Add("/dev/random", true);
files->Add("/etc/ld.so.cache"); // Needed for NSS in clearkey.
files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
files->Add("/proc/cpuinfo"); // Info also available via CPUID instruction.
files->Add("/proc/sys/crypto/fips_enabled"); // Needed for NSS in clearkey.
#ifdef __i386__
files->Add("/proc/self/auxv"); // Info also in process's address space.
#endif
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
@@ -308,16 +308,18 @@ void SandboxBrokerPolicyFactory::InitCon
policy->AddDir(rdwr, "/dev/dri");
}
// Bug 1575985: WASM library sandbox needs RW access to /dev/null
policy->AddPath(rdwr, "/dev/null");
// Read permissions
policy->AddPath(rdonly, "/dev/urandom");
+ policy->AddPath(rdonly, "/dev/random");
+ policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
policy->AddPath(rdonly, "/proc/cpuinfo");
policy->AddPath(rdonly, "/proc/meminfo");
policy->AddDir(rdonly, "/sys/devices/cpu");
policy->AddDir(rdonly, "/sys/devices/system/cpu");
policy->AddDir(rdonly, "/lib");
policy->AddDir(rdonly, "/lib64");
policy->AddDir(rdonly, "/usr/lib");
policy->AddDir(rdonly, "/usr/lib32");