pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2020Q3]: pkgsrc/www/firefox78 Pullup ticket #6370 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/8a66189627a6
branches:  pkgsrc-2020Q3
changeset: 442480:8a66189627a6
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Tue Nov 24 18:29:25 2020 +0000

description:
Pullup ticket #6370 - requested by nia
www/firefox78: security fix

NOTE: This also includes the changes from pullup tickets #6363 and #6369.

Revisions pulled up:
- www/firefox78/Makefile                                        1.9,1.13
- www/firefox78/distinfo                                        1.5-1.6
- www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp 1.1
- www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp   1.1

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Tue Nov 10 02:59:28 UTC 2020

   Modified Files:
        pkgsrc/www/firefox78: Makefile distinfo
   Added Files:
        pkgsrc/www/firefox78/patches:
            patch-js_src_jit_ProcessExecutableMemory.cpp
            patch-js_src_vm_ArrayBufferObject.cpp

   Log Message:
   firefox78: Update to 78.4.1. Apply MPROTECT patches from mozjs.

   Security Vulnerabilities fixed in Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2

   #CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Wed Nov 18 12:33:45 UTC 2020

   Modified Files:
        pkgsrc/www/firefox78: Makefile distinfo

   Log Message:
   firefox78: Update to 78.5.0

   Security Vulnerabilities fixed in Firefox ESR 78.5

       #CVE-2020-26951: Parsing mismatches could confuse and bypass security
       sanitizer for chrome privileged code

       #CVE-2020-16012: Variable time processing of cross-origin images during
       drawImage calls

       #CVE-2020-26953: Fullscreen could be enabled without displaying the security
       UI

       #CVE-2020-26956: XSS through paste (manual and clipboard API)

       #CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME
       type restrictions

       #CVE-2020-26959: Use-after-free in WebRequestService

       #CVE-2020-26960: Potential use-after-free in uses of nsTArray

       #CVE-2020-15999: Heap buffer overflow in freetype

       #CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses

       #CVE-2020-26965: Software keyboards may have remembered typed passwords

       #CVE-2020-26966: Single-word search queries were also broadcast to local
       network

       #CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

diffstat:

 www/firefox78/Makefile                                             |   8 +-
 www/firefox78/distinfo                                             |  12 +-
 www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp |  38 ++++++++++
 www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp        |  24 ++++++
 4 files changed, 71 insertions(+), 11 deletions(-)

diffs (123 lines):

diff -r 50bcf783b8d1 -r 8a66189627a6 www/firefox78/Makefile
--- a/www/firefox78/Makefile    Tue Nov 24 18:28:37 2020 +0000
+++ b/www/firefox78/Makefile    Tue Nov 24 18:29:25 2020 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6.2.1 2020/10/23 15:36:35 bsiegert Exp $
+# $NetBSD: Makefile,v 1.6.2.2 2020/11/24 18:29:25 bsiegert Exp $
 
 FIREFOX_VER=           ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH=            78.4
+MOZ_BRANCH=            78.5
 MOZ_BRANCH_MINOR=      .0esr
 
 DISTNAME=      firefox-${FIREFOX_VER}.source
@@ -36,10 +36,6 @@
 LDFLAGS.Linux+=                -lnspr4
 LDFLAGS.SunOS+=                -lm
 
-NOT_PAX_MPROTECT_SAFE+=        lib/${PKGBASE}/${MOZILLA}
-NOT_PAX_MPROTECT_SAFE+=        lib/${PKGBASE}/${MOZILLA}-bin
-NOT_PAX_MPROTECT_SAFE+=        lib/${PKGBASE}/plugin-container
-
 ALL_ENV+=              MOZ_APP_NAME=${MOZILLA}
 
 # Avoid ld "invalid section index" errors.
diff -r 50bcf783b8d1 -r 8a66189627a6 www/firefox78/distinfo
--- a/www/firefox78/distinfo    Tue Nov 24 18:28:37 2020 +0000
+++ b/www/firefox78/distinfo    Tue Nov 24 18:29:25 2020 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.3.2.1 2020/10/23 15:36:35 bsiegert Exp $
+$NetBSD: distinfo,v 1.3.2.2 2020/11/24 18:29:25 bsiegert Exp $
 
-SHA1 (firefox-78.4.0esr.source.tar.xz) = 4cf96aeedca03d6f84ade360aeb43cae4819342a
-RMD160 (firefox-78.4.0esr.source.tar.xz) = 376ae67b15060906557bb19cd5be385dcf5e6138
-SHA512 (firefox-78.4.0esr.source.tar.xz) = d9de975e9acf7dab6186db877fe2df87a0e9e3c016e884473ecb188025a31032b1fe7f202598285970ed7a48268c7f3e265657708725da4eb7846db85a036246
-Size (firefox-78.4.0esr.source.tar.xz) = 335094656 bytes
+SHA1 (firefox-78.5.0esr.source.tar.xz) = ae46913563ffe92efa7cdaacb818435a4c3d4492
+RMD160 (firefox-78.5.0esr.source.tar.xz) = 53bf565b08f8c743f22e5f61fca8fd98da062a6c
+SHA512 (firefox-78.5.0esr.source.tar.xz) = 0d16013342b6e8d67adb5c111177ea4796db4fb593da8aa254d0d95bdf33fad798c2dbb235d44db4177c32dd2d7b3ac26b938b476342753ee8d6c83d968d0281
+Size (firefox-78.5.0esr.source.tar.xz) = 333995288 bytes
 SHA1 (patch-aa) = 11060461fdaca5661e89651b8ded4a59d2abc4d7
 SHA1 (patch-browser_app_profile_firefox.js) = 89cea0a66457c96ad0b94aaa524aa5942ad781d0
 SHA1 (patch-build_moz.configure_rust.configure) = ee9e207e67709f3c9455b4d22f5f254890e99ca8
@@ -20,8 +20,10 @@
 SHA1 (patch-ipc_chromium_src_base_message__pump__libevent.cc) = 4a6606da590cfb8d855bde58b9c6f90e98d0870c
 SHA1 (patch-ipc_chromium_src_base_platform__thread__posix.cc) = 35d20981d33ccdb1d8ffb8039e48798777f11658
 SHA1 (patch-ipc_glue_GeckoChildProcessHost.cpp) = 260c29bacd8bf265951b7a412f850bf2b292c836
+SHA1 (patch-js_src_jit_ProcessExecutableMemory.cpp) = c75e9ea7124c18be1a051106fcc407ddd1e82e46
 SHA1 (patch-js_src_jsfriendapi.h) = 6bbb895b882ee24929f011751c42732215e153a2
 SHA1 (patch-js_src_util_NativeStack.cpp) = a0a16d8d8d78d3cc3f4d2a508586f1a7821f7dba
+SHA1 (patch-js_src_vm_ArrayBufferObject.cpp) = ca117633d2aae52d82ec349a0bfb0c03b87898b4
 SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = de58daa0fd23d4fec50426602b65c9ea5862558a
 SHA1 (patch-media_libcubeb_src_cubeb__alsa.c) = 31536f36cb33f16da309527b50eda9b721608115
 SHA1 (patch-media_libcubeb_src_moz.build) = e4e64a1135cf4157ae5b6f7c1710ebd076953479
diff -r 50bcf783b8d1 -r 8a66189627a6 www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp        Tue Nov 24 18:29:25 2020 +0000
@@ -0,0 +1,38 @@
+$NetBSD: patch-js_src_jit_ProcessExecutableMemory.cpp,v 1.1.2.2 2020/11/24 18:29:25 bsiegert Exp $
+
+PaX MPROTECT safety for NetBSD.
+
+--- js/src/jit/ProcessExecutableMemory.cpp.orig        2020-10-27 23:47:06.000000000 +0000
++++ js/src/jit/ProcessExecutableMemory.cpp
+@@ -362,9 +362,16 @@ static void* ReserveProcessExecutableMem
+   // Note that randomAddr is just a hint: if the address is not available
+   // mmap will pick a different address.
+   void* randomAddr = ComputeRandomAllocationAddress();
++#ifdef PROT_MPROTECT
++  void* p = MozTaggedAnonymousMmap(randomAddr, bytes,
++                                   PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ),
++                                   MAP_PRIVATE | MAP_ANON, -1, 0,
++                                   "js-executable-memory");
++#else
+   void* p = MozTaggedAnonymousMmap(randomAddr, bytes, PROT_NONE,
+                                    MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1,
+                                    0, "js-executable-memory");
++#endif
+   if (p == MAP_FAILED) {
+     return nullptr;
+   }
+@@ -409,8 +416,12 @@ static unsigned ProtectionSettingToFlags
+ 
+ static MOZ_MUST_USE bool CommitPages(void* addr, size_t bytes,
+                                      ProtectionSetting protection) {
+-  void* p = MozTaggedAnonymousMmap(
+-      addr, bytes, ProtectionSettingToFlags(protection),
++  void* p = MozTaggedAnonymousMmap(addr, bytes,
++#ifdef PROT_MPROTECT
++      ProtectionSettingToFlags(protection) | PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ),
++#else
++      ProtectionSettingToFlags(protection),
++#endif
+       MAP_FIXED | MAP_PRIVATE | MAP_ANON, -1, 0, "js-executable-memory");
+   if (p == MAP_FAILED) {
+     return false;
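Review bot: In the `#ifdef PROT_MPROTECT` branch of ReserveProcessExecutableMemory the reservation drops the `MAP_NORESERVE` flag that the `#else` branch keeps, and neither the patch header ("PaX MPROTECT safety for NetBSD.") nor the code says why. If the flag is unwanted on this path, a short comment should say so; otherwise keep it, as in `MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1, 0,`. The reservation site would also benefit from a comment such as `// PROT_MPROTECT() only declares the protections a later mprotect()/mmap() may request; the mapping itself starts as PROT_NONE.` This matters because the same commit removes the NOT_PAX_MPROTECT_SAFE entries from the Makefile, so these call sites presumably become the only place where JIT memory is allowed to change between writable and executable. Both functions start and end outside the nested hunks, so other mapping sites in the file cannot be checked from here.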
diff -r 50bcf783b8d1 -r 8a66189627a6 www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp       Tue Nov 24 18:29:25 2020 +0000
@@ -0,0 +1,24 @@
+$NetBSD: patch-js_src_vm_ArrayBufferObject.cpp,v 1.1.2.2 2020/11/24 18:29:25 bsiegert Exp $
+
+PaX MPROTECT safety for NetBSD.
+
+--- js/src/vm/ArrayBufferObject.cpp.orig       2020-10-27 23:48:08.000000000 +0000
++++ js/src/vm/ArrayBufferObject.cpp
+@@ -165,9 +165,17 @@ void* js::MapBufferMemory(size_t mappedS
+     return nullptr;
+   }
+ #else   // XP_WIN
++
++#ifdef PROT_MPROTECT
++  void* data =
++      MozTaggedAnonymousMmap(nullptr, mappedSize,
++                             PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ),
++                             MAP_PRIVATE | MAP_ANON, -1, 0, "wasm-reserved");
++#else
+   void* data =
+       MozTaggedAnonymousMmap(nullptr, mappedSize, PROT_NONE,
+                              MAP_PRIVATE | MAP_ANON, -1, 0, "wasm-reserved");
++#endif
+   if (data == MAP_FAILED) {
+     return nullptr;
+   }
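Review bot: The `PROT_MPROTECT(...)` argument for the "wasm-reserved" mapping includes `PROT_EXEC`, although MapBufferMemory reserves this range for buffer data and the `#else` branch never requests execute permission. Unless a later call on this range (outside the hunk) has to make it executable, the declared maximum should be limited to read/write so that PaX MPROTECT still refuses an executable remap of buffer memory: `PROT_MPROTECT(PROT_WRITE | PROT_READ),`. A one-line comment above the `#ifdef` stating that the reservation starts inaccessible and is opened up later would make the intent clear. MapBufferMemory begins and ends outside the hunk.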


