pkgsrc-Changes archive
CVS commit: pkgsrc/www/firefox115
Module Name: pkgsrc
Committed By: gutteridge
Date: Wed Apr 30 02:41:35 UTC 2025
Modified Files:
pkgsrc/www/firefox115: Makefile distinfo
Log Message:
firefox115: update to 115.23
Mozilla Foundation Security Advisory 2025-30
Security Vulnerabilities fixed in Firefox ESR 115.23
Announced
April 29, 2025
Impact
high
Products
Firefox ESR
Fixed in
Firefox ESR 115.23
#CVE-2025-2817: Privilege escalation in Firefox Updater
Reporter
Dong-uk Kim (@justlikebono)
Impact
high
Description
Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the
user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.
References
Bug 1917536
#CVE-2025-4082: WebGL shader attribute memory corruption in Firefox for macOS
Reporter
un3xploitable & GF
Impact
high
Description
Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.
References
Bug 1937097
#CVE-2025-4083: Process isolation bypass using "javascript:" URI links in cross-origin frames
Reporter
Nika Layzell
Impact
high
Description
A process isolation vulnerability in Firefox stemmed from improper handling of javascript: URIs, which could allow content to execute in the top-level document's process instead of the intended
frame, potentially enabling a sandbox escape.
References
Bug 1958350
#CVE-2025-4084: Potential local code execution in "copy as cURL" command
Reporter
Ameen Basha M K
Impact
moderate
Description
Due to insufficient escaping of the ampersand character in the "copy as cURL" feature, an attacker could trick a user into using this command, potentially leading to local code execution on the
user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.
References
Bug 1949994, 1960198
To generate a diff of this commit:
cvs rdiff -u -r1.47 -r1.48 pkgsrc/www/firefox115/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/firefox115/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/www/firefox115/Makefile
diff -u pkgsrc/www/firefox115/Makefile:1.47 pkgsrc/www/firefox115/Makefile:1.48
--- pkgsrc/www/firefox115/Makefile:1.47 Thu Apr 24 14:16:03 2025
+++ pkgsrc/www/firefox115/Makefile Wed Apr 30 02:41:35 2025
@@ -1,12 +1,11 @@
-# $NetBSD: Makefile,v 1.47 2025/04/24 14:16:03 wiz Exp $
+# $NetBSD: Makefile,v 1.48 2025/04/30 02:41:35 gutteridge Exp $
FIREFOX_VER= ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH= 115.22
+MOZ_BRANCH= 115.23
MOZ_BRANCH_MINOR= .0esr
DISTNAME= firefox-${FIREFOX_VER}.source
PKGNAME= ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox115-/}
-PKGREVISION= 3
CATEGORIES= www
MASTER_SITES+= ${MASTER_SITE_MOZILLA:=firefox/releases/${FIREFOX_VER}/source/}
MASTER_SITES+= ${MASTER_SITE_MOZILLA_ALL:=firefox/releases/${FIREFOX_VER}/source/}
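Review bot: With `MOZ_BRANCH` moved to 115.23 in this hunk, the commit still modifies only Makefile and distinfo, so any local patches the package carries are applied unchanged to the new source; please confirm they still apply cleanly and that none of them is superseded by the upstream fixes listed in the log. Dropping `PKGREVISION= 3` in the same hunk is the expected reset, since PKGNAME is derived from FIREFOX_VER and changes with the version bump.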
Index: pkgsrc/www/firefox115/distinfo
diff -u pkgsrc/www/firefox115/distinfo:1.24 pkgsrc/www/firefox115/distinfo:1.25
--- pkgsrc/www/firefox115/distinfo:1.24 Fri Apr 4 00:21:26 2025
+++ pkgsrc/www/firefox115/distinfo Wed Apr 30 02:41:35 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.24 2025/04/04 00:21:26 gutteridge Exp $
+$NetBSD: distinfo,v 1.25 2025/04/30 02:41:35 gutteridge Exp $
-BLAKE2s (firefox-115.22.0esr.source.tar.xz) = 5970be8e111e1e3aa3daed9f3d6edd2c7d763ce86c4fa27bc01c79c857638acf
-SHA512 (firefox-115.22.0esr.source.tar.xz) = 339c65a062e1d7db7de12deb12c515d048443d00216bff251c08cbb47bec211d9597611c8c0213499f977a44e28b5c7cf5db9b17ac2f92865e42c4a25c32f4a8
-Size (firefox-115.22.0esr.source.tar.xz) = 506552492 bytes
+BLAKE2s (firefox-115.23.0esr.source.tar.xz) = 0303bb54fbfed23fe6ca291067c0ed61366ed6733d7b7679c763604d3b573efa
+SHA512 (firefox-115.23.0esr.source.tar.xz) = 5a169330481b795c9fc2ed7a66147d5058fe78484deb373c65c57bed994505cb2900530fc60e47cd76ace22c940e33a36f65543dee3f135b09f60b5384a29362
+Size (firefox-115.23.0esr.source.tar.xz) = 519850976 bytes
BLAKE2s (nodejs-output-115.0.tgz) = 95d25628b865aa71e85c63001f4054d03ff58b273ca05784a021fa176b2b1425
SHA512 (nodejs-output-115.0.tgz) = 345108033cfbff90e3244bb5591b307e1fcf56c7290b5112e949d400bdadf08c1e4a6d109b5f7264ac417c2cc4e76371cc14678417f6cb017649cc883bdbb4d4
Size (nodejs-output-115.0.tgz) = 221458 bytes
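Review bot: The replaced BLAKE2s, SHA512 and Size lines for firefox-115.23.0esr.source.tar.xz are the only integrity anchor for the new tarball, and the Size line grows by about 13 MB (506552492 to 519850976 bytes) for a point release. Please confirm the recorded SHA512 matches the value Mozilla publishes for the 115.23.0esr source release, rather than only reflecting whatever the first fetch returned when the checksums were regenerated.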