packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!187 fix CVE-2020-15675,CVE-2021-23972,CVE-2021-23954

Browse Source 
From: @technology208 
Reviewed-by: @wk333 
Signed-off-by: @wk333
This commit is contained in:
openeuler-ci-bot 2024-07-15 08:18:59 +00:00 committed by Gitee
commit fab404007e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
4 changed files with 242 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
CVE-2020-15675.patch Normal file
View File

@ -0,0 +1,52 @@
From 9a2c51887bff5742c072bf4f3c3794b349f51545 Mon Sep 17 00:00:00 2001
From: Jeff Gilbert <jgilbert@mozilla.com>
Date: Fri, 12 Jul 2024 10:27:35 +0800
Subject: [PATCH] Bug 1654211 - Hold WeakPtr to PresistentBufferProvider in BorrowedSourceSurface. r=gfx-reviewers,nical
Reference:https://hg.mozilla.org/mozilla-central/rev/0ec8df5bd92b
---
gfx/layers/CanvasRenderer.h | 2 +-
gfx/layers/PersistentBufferProvider.h | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/gfx/layers/CanvasRenderer.h b/gfx/layers/CanvasRenderer.h
index 7e03e295b0..ca3ae088cc 100644
--- a/gfx/layers/CanvasRenderer.h
+++ b/gfx/layers/CanvasRenderer.h
@@ -95,7 +95,7 @@ struct CanvasRendererData final {
class BorrowedSourceSurface final {
public:
- PersistentBufferProvider* const mReturnTo;
+ const WeakPtr<PersistentBufferProvider> mReturnTo;
const RefPtr<gfx::SourceSurface> mSurf; /// non-null
BorrowedSourceSurface(PersistentBufferProvider*, RefPtr<gfx::SourceSurface>);
diff --git a/gfx/layers/PersistentBufferProvider.h b/gfx/layers/PersistentBufferProvider.h
index f0d8aeccb9..85cfee8805 100644
--- a/gfx/layers/PersistentBufferProvider.h
+++ b/gfx/layers/PersistentBufferProvider.h
@@ -14,6 +14,8 @@
#include "mozilla/RefCounted.h"
#include "mozilla/gfx/Types.h"
#include "mozilla/Vector.h"
+#include "mozilla/WeakPtr.h"
+
namespace mozilla {
@@ -34,7 +36,9 @@ class TextureClient;
* from the provider again, the provider will guarantee the contents of the
* previously returned DrawTarget is persisted into the one newly returned.
*/
-class PersistentBufferProvider : public RefCounted<PersistentBufferProvider> {
+class PersistentBufferProvider : public RefCounted<PersistentBufferProvider>,
+ public SupportsWeakPtr<PersistentBufferProvider> {
+
public:
MOZ_DECLARE_REFCOUNTED_VIRTUAL_TYPENAME(PersistentBufferProvider)
--
2.27.0

26
CVE-2021-23954.patch Normal file
View File

@ -0,0 +1,26 @@
From e8a9a73762cb5f9cd823282ec915b437df9ae99a Mon Sep 17 00:00:00 2001
From: André Bargull <andre.bargull@gmail.com>
Date: Fri, 12 Jul 2024 17:47:10 +0800
Subject: [PATCH] Add TDZCheckCache. r=yulia, a=RyanVM
Reference:https://hg.mozilla.org/integration/autoland/rev/fb3c410ea9732eaa74444b7f0b13cdef31f7b582
---
js/src/frontend/BytecodeEmitter.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/js/src/frontend/BytecodeEmitter.cpp b/js/src/frontend/BytecodeEmitter.cpp
index 422977f..2573b60 100644
--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
@@ -4310,6 +4310,8 @@ bool BytecodeEmitter::emitAssignmentOrInit(ParseNodeKind kind, ParseNode* lhs,
}
bool BytecodeEmitter::emitShortCircuitAssignment(AssignmentNode* node) {
+ TDZCheckCache tdzCache(this);
+
JSOp op;
switch (node->getKind()) {
case ParseNodeKind::CoalesceAssignExpr:
--
2.27.0

154
CVE-2021-23972.patch Normal file
View File

@ -0,0 +1,154 @@
From d52e9042bcec41a40b97b309b65aa32dc27379b2 Mon Sep 17 00:00:00 2001
From: Kershaw Chang <kershaw@mozilla.com>
Date: Fri, 12 Jul 2024 16:46:48 +0800
Subject: [PATCH] Show auth spoofing warning prompt for cached response r=necko-reviewers,dragana
Reference:https://hg.mozilla.org/integration/autoland/rev/3d26a1f3b809522af0152918341a4b5ff924e4bb
---
netwerk/protocol/http/nsHttpChannel.cpp | 11 +++
netwerk/test/unit/test_SuperfluousAuth.js | 100 ++++++++++++++++++++++
netwerk/test/unit/xpcshell.ini | 1 +
3 files changed, 112 insertions(+)
create mode 100644 netwerk/test/unit/test_SuperfluousAuth.js
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index 2cb1f8d9fd..181c3ac785 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -7365,6 +7365,17 @@ nsresult nsHttpChannel::ContinueOnStartRequest4(nsresult result) {
if (mFallingBack) return NS_OK;
+ if (NS_SUCCEEDED(mStatus) && mResponseHead && mAuthProvider) {
+ uint32_t httpStatus = mResponseHead->Status();
+ if (httpStatus != 401 && httpStatus != 407) {
+ nsresult rv = mAuthProvider->CheckForSuperfluousAuth();
+ if (NS_FAILED(rv)) {
+ LOG((" CheckForSuperfluousAuth failed (%08x)",
+ static_cast<uint32_t>(rv)));
+ }
+ }
+ }
+
return CallOnStartRequest();
}
diff --git a/netwerk/test/unit/test_SuperfluousAuth.js b/netwerk/test/unit/test_SuperfluousAuth.js
new file mode 100644
index 0000000000..24b69186c8
--- /dev/null
+++ b/netwerk/test/unit/test_SuperfluousAuth.js
@@ -0,0 +1,100 @@
+/*
+
+Create two http requests with the same URL in which has a user name. We allow
+first http request to be loaded and saved in the cache, so the second request
+will be served from the cache. However, we disallow loading by returning 1
+in the prompt service. In the end, the second request will be failed.
+
+*/
+
+"use strict";
+
+const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
+
+const { MockRegistrar } = ChromeUtils.import(
+ "resource://testing-common/MockRegistrar.jsm"
+);
+
+var httpProtocolHandler = Cc[
+ "@mozilla.org/network/protocol;1?name=http"
+].getService(Ci.nsIHttpProtocolHandler);
+
+XPCOMUtils.defineLazyGetter(this, "URL", function() {
+ return "http://foo@localhost:" + httpServer.identity.primaryPort;
+});
+
+var httpServer = null;
+
+const gMockPromptService = {
+ firstTimeCalled: false,
+ confirmExBC() {
+ if (!this.firstTimeCalled) {
+ this.firstTimeCalled = true;
+ return 0;
+ }
+
+ return 1;
+ },
+
+ QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]),
+};
+
+var gMockPromptServiceCID = MockRegistrar.register(
+ "@mozilla.org/embedcomp/prompt-service;1",
+ gMockPromptService
+);
+
+registerCleanupFunction(() => {
+ MockRegistrar.unregister(gMockPromptServiceCID);
+});
+
+function makeChan(uri) {
+ let chan = NetUtil.newChannel({
+ uri,
+ loadUsingSystemPrincipal: true,
+ }).QueryInterface(Ci.nsIHttpChannel);
+ chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
+ return chan;
+}
+
+const responseBody = "body";
+
+function contentHandler(metadata, response) {
+ response.setHeader("Content-Type", "text/plain");
+ response.setHeader("ETag", "Just testing");
+ response.setHeader("Cache-Control", "max-age=99999");
+ response.setHeader("Content-Length", "" + responseBody.length);
+ response.bodyOutputStream.write(responseBody, responseBody.length);
+}
+
+function run_test() {
+ do_get_profile();
+
+ Services.prefs.setBoolPref("network.http.rcwn.enabled", false);
+
+ httpServer = new HttpServer();
+ httpServer.registerPathHandler("/content", contentHandler);
+ httpServer.start(-1);
+
+ httpProtocolHandler.EnsureHSTSDataReady().then(function() {
+ var chan1 = makeChan(URL + "/content");
+ chan1.asyncOpen(new ChannelListener(firstTimeThrough, null));
+ var chan2 = makeChan(URL + "/content");
+ chan2.asyncOpen(
+ new ChannelListener(secondTimeThrough, null, CL_EXPECT_FAILURE)
+ );
+ });
+
+ do_test_pending();
+}
+
+function firstTimeThrough(request, buffer) {
+ Assert.equal(buffer, responseBody);
+ Assert.ok(gMockPromptService.firstTimeCalled, "Prompt service invoked");
+}
+
+function secondTimeThrough(request, buffer) {
+ Assert.equal(request.status, Cr.NS_ERROR_ABORT);
+ httpServer.stop(do_test_finished);
+}
+
diff --git a/netwerk/test/unit/xpcshell.ini b/netwerk/test/unit/xpcshell.ini
index 1cd274b004..3e6762f0dc 100644
--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
@@ -434,3 +434,4 @@ skip-if = true || asan || tsan || os == 'win' || os =='android'
[test_trr_case_sensitivity.js]
skip-if = os == "android"
[test_trr_proxy.js]
+[test_SuperfluousAuth.js]
--
2.27.0

12
firefox.spec
View File

@ -88,7 +88,7 @@
Summary: Mozilla Firefox Web browser Summary: Mozilla Firefox Web browser
Name: firefox Name: firefox
Version: 79.0 Version: 79.0
Release: 25 Release: 26
URL: https://www.mozilla.org/firefox/ URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+ License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -204,7 +204,9 @@ Patch660: CVE-2022-34481.patch
Patch661: CVE-2020-26979.patch Patch661: CVE-2020-26979.patch
Patch662: CVE-2023-6209.patch Patch662: CVE-2023-6209.patch
Patch663: CVE-2022-45406.patch Patch663: CVE-2022-45406.patch
Patch664: CVE-2020-15675.patch
Patch665: CVE-2021-23972.patch
Patch666: CVE-2021-23954.patch
%if %{?system_nss} %if %{?system_nss}
BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version} BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
BuildRequires: nss-static >= %{nss_version} BuildRequires: nss-static >= %{nss_version}
@ -402,6 +404,9 @@ tar -xf %{SOURCE3}
%patch661 -p1 %patch661 -p1
%patch662 -p1 %patch662 -p1
%patch663 -p1 %patch663 -p1
%patch664 -p1
%patch665 -p1
%patch666 -p1
%{__rm} -f .mozconfig %{__rm} -f .mozconfig
%{__cp} %{SOURCE10} .mozconfig %{__cp} %{SOURCE10} .mozconfig
@ -850,6 +855,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%endif %endif
%changelog %changelog
* Fri Jul 12 2024 technology208 <technology@208suo.com> - 79.0-26
- Fix CVE-2020-15675,CVE-2021-23972,CVE-2021-23954
* Thu Jul 11 2024 technology208 <technology@208suo.com> - 79.0-25 * Thu Jul 11 2024 technology208 <technology@208suo.com> - 79.0-25
- Fix CVE-2022-45406 - Fix CVE-2022-45406