CVS commit: pkgsrc/www/firefox128

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/www/firefox128
From: "David H. Gutteridge" <gutteridge%netbsd.org@localhost>
Date: Wed, 30 Apr 2025 00:20:01 +0000

Module Name:    pkgsrc
Committed By:   gutteridge
Date:           Wed Apr 30 00:20:01 UTC 2025

Modified Files:
        pkgsrc/www/firefox128: Makefile distinfo

Log Message:
firefox128: update to 128.10

Mozilla Foundation Security Advisory 2025-29
Security Vulnerabilities fixed in Firefox ESR 128.10

Announced
    April 29, 2025
Impact
    high
Products
    Firefox ESR
Fixed in

        Firefox ESR 128.10

#CVE-2025-2817: Privilege escalation in Firefox Updater

Reporter
    Dong-uk Kim (@justlikebono)
Impact
    high

Description

Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the 
user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
References

    Bug 1917536

#CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS

Reporter
    un3xploitable & GF
Impact
    high

Description

Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
References

    Bug 1937097

#CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames

Reporter
    Nika Layzell
Impact
    high

Description

A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended 
frame, potentially enabling a sandbox escape.
References

    Bug 1958350

#CVE-2025-4084: Potential local code execution in "copy as cURL" command

Reporter
    Ameen Basha M K
Impact
    moderate

Description

Due to insufficient escaping of the special characters in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's 
system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.
References

    Bug 1949994, 1956698, 1960198

#CVE-2025-4087: Unsafe attribute access during XPath parsing

Reporter
    Ivan Fratric
Impact
    moderate

Description

A vulnerability was identified in Firefox where XPath parsing could trigger undefined behavior due to missing null checks during attribute access. This could lead to out-of-bounds read access and 
potentially, memory corruption.
References

    Bug 1952465

#CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

Reporter
    Maurice Dauer and the Mozilla Fuzzing Team
Impact
    moderate

Description

Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort 
some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

#CVE-2025-4093: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

Reporter
    Andrew McCreight
Impact
    high

Description

Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run 
arbitrary code.
References

    Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10


To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 pkgsrc/www/firefox128/Makefile
cvs rdiff -u -r1.13 -r1.14 pkgsrc/www/firefox128/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/firefox128/Makefile
diff -u pkgsrc/www/firefox128/Makefile:1.22 pkgsrc/www/firefox128/Makefile:1.23
--- pkgsrc/www/firefox128/Makefile:1.22 Thu Apr 24 14:16:03 2025
+++ pkgsrc/www/firefox128/Makefile      Wed Apr 30 00:20:00 2025
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.22 2025/04/24 14:16:03 wiz Exp $
+# $NetBSD: Makefile,v 1.23 2025/04/30 00:20:00 gutteridge Exp $
 
 FIREFOX_VER=           ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH=            128.9
+MOZ_BRANCH=            128.10
 MOZ_BRANCH_MINOR=      .0esr
 
 DISTNAME=      firefox-${FIREFOX_VER}.source
 PKGNAME=       ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox128-/}
-PKGREVISION=   3
 CATEGORIES=    www
 MASTER_SITES+= ${MASTER_SITE_MOZILLA:=firefox/releases/${FIREFOX_VER}/source/}
 MASTER_SITES+= ${MASTER_SITE_MOZILLA_ALL:=firefox/releases/${FIREFOX_VER}/source/}

Index: pkgsrc/www/firefox128/distinfo
diff -u pkgsrc/www/firefox128/distinfo:1.13 pkgsrc/www/firefox128/distinfo:1.14
--- pkgsrc/www/firefox128/distinfo:1.13 Wed Apr  2 18:32:39 2025
+++ pkgsrc/www/firefox128/distinfo      Wed Apr 30 00:20:00 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.13 2025/04/02 18:32:39 gutteridge Exp $
+$NetBSD: distinfo,v 1.14 2025/04/30 00:20:00 gutteridge Exp $
 
-BLAKE2s (firefox-128.9.0esr.source.tar.xz) = 658a1b8318e4a3ac9119feb3396b4a2dfbc314d2efc846db87036a1bcf873c18
-SHA512 (firefox-128.9.0esr.source.tar.xz) = c0c8ac8374291cc93279064c73c17786c6f4fba7505ebc2cbd7a4ce7c82710620abdae7be15f60c43f9d10c3614fc9fd31f094e787105d528031c6f0510f7339
-Size (firefox-128.9.0esr.source.tar.xz) = 562959584 bytes
+BLAKE2s (firefox-128.10.0esr.source.tar.xz) = e60a8ab307cee03a6fceea3a2d047a4a5aa5e7485864b2063d4f273d16bed84e
+SHA512 (firefox-128.10.0esr.source.tar.xz) = c0f349cba626e6ec16ff0b52b7d21e05681acd1377fd1111992860f8079373f631ff997d833a3596c72a6d8c6e4f1d051927fa719f1d37a72553dcbd5348659c
+Size (firefox-128.10.0esr.source.tar.xz) = 556644356 bytes
 BLAKE2s (nodejs-output-128.0.tgz) = a55b907ebe308948b99b9150d2530204c8fe2a5fda5ac371dd1163a6db43bcbc
 SHA512 (nodejs-output-128.0.tgz) = fba59ec14c43556749cac7a9233278e8dcd7779d5ba530ede67009bf1887c5d72dd31e3f440164b646738b465d852b882522caf7ed9aa4f81f53e588bdd3adec
 Size (nodejs-output-128.0.tgz) = 227482 bytes

Prev by Date: CVS commit: pkgsrc/mk/platform
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/mk/platform
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index