packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:2a2e9de9566ebb8ab3b82a660a710f8fb831fa48
Branches Tags
packages:main
...
compare: packages:a97e1bb8bafd8653840617e7b2b4d2f06992df18
Branches Tags
packages:main

10 Commits
2a2e9de956 ... a97e1bb8ba

Author SHA1 Message Date
openeuler-ci-bot
a97e1bb8ba
!236 Fix CVE-2021-43539 
From: @jackssir 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-11-18 02:39:12 +00:00
lvfei
7bdb98bf34 Fix CVE-2021-43539 2024-11-12 17:42:35 +08:00
openeuler-ci-bot
2bfdfd1c87
!231 fix CVE-2021-29970 
From: @jackssir 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-11-05 11:13:06 +00:00
lvfei
e5ea77c89a CVE-2021-29970 2024-11-01 16:42:52 +08:00
openeuler-ci-bot
d9f63c88f9
!223 修复CVE-2023-1945 
From: @happyworker 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-10-10 08:54:27 +00:00
happyworker
03d7fe9120 CVE-2023-1945 2024-10-10 14:37:31 +08:00
openeuler-ci-bot
398f070801
!206 Fix CVE-2024-0745 
From: @jackssir 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-08-29 03:12:03 +00:00
lvfei
23764a17b9 Fix CVE-2024-0745 2024-08-19 10:05:13 +08:00
openeuler-ci-bot
1c68bce452
!196 Fix CVE-2022-29912 
From: @jackssir 
Reviewed-by: @wk333 
Signed-off-by: @wk333
 2024-08-06 02:12:09 +00:00
lvfei
e38af95494 Fix CVE-2022-29912 2024-08-05 17:48:58 +08:00
6 changed files with 381 additions and 1 deletions
Show Stats Expand all files Collapse all files

41
CVE-2021-29970.patch Normal file
View File

@ -0,0 +1,41 @@
From 454d20cad04692c443e7a66dd53f0918b22a5638 Mon Sep 17 00:00:00 2001
From: Eitan Isaacson <eitan@monotonous.org>
Date: Tue, 08 Jun 2021 22:21:05 +0000 (2021-06-09)
Subject: [PATCH] CVE-2021-29970
---
accessible/base/SelectionManager.cpp | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/accessible/base/SelectionManager.cpp b/accessible/base/SelectionManager.cpp
index 5b37cf1528..c86841d20c 100644
--- a/accessible/base/SelectionManager.cpp
+++ b/accessible/base/SelectionManager.cpp
@@ -101,6 +101,24 @@ void SelectionManager::RemoveDocSelectionListener(PresShell* aPresShell) {
// selection.
Selection* spellSel = frameSel->GetSelection(SelectionType::eSpellCheck);
spellSel->RemoveSelectionListener(this);
+
+ if (mCurrCtrlNormalSel) {
+ if (mCurrCtrlNormalSel->GetPresShell() == aPresShell) {
+ // Remove 'this' registered as selection listener for the normal selection
+ // if we are removing listeners for its PresShell.
+ mCurrCtrlNormalSel->RemoveSelectionListener(this);
+ mCurrCtrlNormalSel = nullptr;
+ }
+ }
+
+ if (mCurrCtrlSpellSel) {
+ if (mCurrCtrlSpellSel->GetPresShell() == aPresShell) {
+ // Remove 'this' registered as selection listener for the spellcheck
+ // selection if we are removing listeners for its PresShell.
+ mCurrCtrlSpellSel->RemoveSelectionListener(this);
+ mCurrCtrlSpellSel = nullptr;
+ }
+ }
}
void SelectionManager::ProcessTextSelChangeEvent(AccEvent* aEvent) {
--
2.27.0

61
CVE-2021-43539.patch Normal file
View File

@ -0,0 +1,61 @@
From 1784bcb159d7dd8c65f6c016dcca6ed5b2982d2b Mon Sep 17 00:00:00 2001
From: Asumu Takikawa <asumu@igalia.com>
Date: Mon, 15 Nov 2021 16:26:57 +0000 (2021-11-16)
Subject: [PATCH] CVE-2021-43539
---
js/src/jit/CodeGenerator.cpp | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 81e723f196..a703024aa1 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -7914,35 +7914,36 @@ void CodeGenerator::visitWasmCall(LWasmCall* lir) {
const wasm::CallSiteDesc& desc = mir->desc();
const wasm::CalleeDesc& callee = mir->callee();
+ CodeOffset retOffset;
switch (callee.which()) {
case wasm::CalleeDesc::Func:
- masm.call(desc, callee.funcIndex());
+ retOffset = masm.call(desc, callee.funcIndex());
reloadRegs = false;
switchRealm = false;
break;
case wasm::CalleeDesc::Import:
- masm.wasmCallImport(desc, callee);
+ retOffset = masm.wasmCallImport(desc, callee);
break;
case wasm::CalleeDesc::AsmJSTable:
case wasm::CalleeDesc::WasmTable:
- masm.wasmCallIndirect(desc, callee, needsBoundsCheck);
+ retOffset = masm.wasmCallIndirect(desc, callee, needsBoundsCheck);
reloadRegs = switchRealm = callee.which() == wasm::CalleeDesc::WasmTable;
break;
case wasm::CalleeDesc::Builtin:
- masm.call(desc, callee.builtin());
+ retOffset = masm.call(desc, callee.builtin());
reloadRegs = false;
switchRealm = false;
break;
case wasm::CalleeDesc::BuiltinInstanceMethod:
- masm.wasmCallBuiltinInstanceMethod(desc, mir->instanceArg(),
- callee.builtin(),
- mir->builtinMethodFailureMode());
+ retOffset = masm.wasmCallBuiltinInstanceMethod(
+ desc, mir->instanceArg(), callee.builtin(),
+ mir->builtinMethodFailureMode());
switchRealm = false;
break;
}
// Note the assembler offset for the associated LSafePoint.
- markSafepointAt(masm.currentOffset(), lir);
+ markSafepointAt(retOffset.offset(), lir);
// Now that all the outbound in-memory args are on the stack, note the
// required lower boundary point of the associated StackMap.
--
2.33.0

184
CVE-2022-29912.patch Normal file
View File

@ -0,0 +1,184 @@
From caacc07b2d65aa1ba292681cc4f4f607bf9161dc Mon Sep 17 00:00:00 2001
From: Gijs Kruitbosch <gijskruitbosch@gmail.com>
Date: Thu, 24 Mar 2022 14:35:35 +0000 (2022-03-24)
Subject: [PATCH] CVE-2022-29912
---
browser/actors/AboutReaderParent.jsm | 7 ++
toolkit/components/reader/AboutReader.jsm | 7 +-
toolkit/components/reader/ReaderMode.jsm | 82 ++++++++---------------
3 files changed, 40 insertions(+), 56 deletions(-)
diff --git a/browser/actors/AboutReaderParent.jsm b/browser/actors/AboutReaderParent.jsm
index 20bb1b3be3..9c5fd812f7 100644
--- a/browser/actors/AboutReaderParent.jsm
+++ b/browser/actors/AboutReaderParent.jsm
@@ -155,6 +155,13 @@ class AboutReaderParent extends JSWindowActorParent {
this.callListeners(message);
break;
}
+
+ case "RedirectTo": {
+ gCachedArticles.set(message.data.newURL, message.data.article);
+ // This is setup as a query so we can navigate the page after we've
+ // cached the relevant info in the parent.
+ return true;
+ }
default:
this.callListeners(message);
diff --git a/toolkit/components/reader/AboutReader.jsm b/toolkit/components/reader/AboutReader.jsm
index 4904b525fb..3a1e95411c 100644
--- a/toolkit/components/reader/AboutReader.jsm
+++ b/toolkit/components/reader/AboutReader.jsm
@@ -743,7 +743,12 @@ AboutReader.prototype = {
try {
article = await ReaderMode.downloadAndParseDocument(url);
} catch (e) {
- if (e && e.newURL) {
+ if (e?.newURL && this._actor) {
+ await this._actor.sendQuery("RedirectTo", {
+ newURL: e.newURL,
+ article: e.article,
+ });
+
let readerURL = "about:reader?url=" + encodeURIComponent(e.newURL);
this._win.location.replace(readerURL);
return;
diff --git a/toolkit/components/reader/ReaderMode.jsm b/toolkit/components/reader/ReaderMode.jsm
index 57694c9467..33b80f2c67 100644
--- a/toolkit/components/reader/ReaderMode.jsm
+++ b/toolkit/components/reader/ReaderMode.jsm
@@ -80,7 +80,7 @@ var ReaderMode = {
*/
enterReaderMode(docShell, win) {
let url = win.document.location.href;
- let readerURL = "about:reader?url=" + encodeURIComponent(url);
+ let originalURL = this.getOriginalUrl(url);
let webNav = docShell.QueryInterface(Ci.nsIWebNavigation);
let sh = webNav.sessionHistory;
if (webNav.canGoForward) {
@@ -181,8 +181,8 @@ var ReaderMode = {
},
getOriginalUrlObjectForDisplay(url) {
- let originalUrl = this.getOriginalUrl(url);
- if (originalUrl) {
+ let originalUrl = this.getOriginalUrl(url);
+ if (originalUrl) {
let uriObj;
try {
uriObj = Services.uriFixup.createFixupURI(
@@ -229,10 +229,11 @@ var ReaderMode = {
* @resolves JS object representing the article, or null if no article is found.
*/
async downloadAndParseDocument(url) {
- let doc = await this._downloadDocument(url);
- if (!doc) {
+ let result = await this._downloadDocument(url, docContentType);
+ if (!result?.doc) {
return null;
}
+ let { doc, newURL } = result;
if (
!Readerable.shouldCheckUri(doc.documentURIObject) ||
!Readerable.shouldCheckUri(doc.baseURIObject, true)
@@ -241,7 +242,14 @@ var ReaderMode = {
return null;
}
- return this._readerParse(doc);
+ let article = await this._readerParse(doc);
+ // If we have to redirect, reject to the caller with the parsed article,
+ // so we can update the URL before displaying it.
+ if (newURL) {
+ return Promise.reject({ newURL, article });
+ }
+ // Otherwise, we can just continue with the article.
+ return article;
},
_downloadDocument(url) {
@@ -276,49 +284,7 @@ var ReaderMode = {
histogram.add(DOWNLOAD_ERROR_NO_DOC);
return;
}
-
- // Manually follow a meta refresh tag if one exists.
- let meta = doc.querySelector("meta[http-equiv=refresh]");
- if (meta) {
- let content = meta.getAttribute("content");
- if (content) {
- let urlIndex = content.toUpperCase().indexOf("URL=");
- if (urlIndex > -1) {
- let baseURI = Services.io.newURI(url);
- let newURI = Services.io.newURI(
- content.substring(urlIndex + 4),
- null,
- baseURI
- );
- let newURL = newURI.spec;
- let ssm = Services.scriptSecurityManager;
- let flags =
- ssm.LOAD_IS_AUTOMATIC_DOCUMENT_REPLACEMENT |
- ssm.DISALLOW_INHERIT_PRINCIPAL;
- try {
- ssm.checkLoadURIStrWithPrincipal(
- doc.nodePrincipal,
- newURL,
- flags
- );
- } catch (ex) {
- let errorMsg =
- "Reader mode disallowed meta refresh (reason: " + ex + ").";
-
- if (Services.prefs.getBoolPref("reader.errors.includeURLs")) {
- errorMsg += " Refresh target URI: '" + newURL + "'.";
- }
- reject(errorMsg);
- return;
- }
- // Otherwise, pass an object indicating our new URL:
- if (!baseURI.equalsExceptRef(newURI)) {
- reject({ newURL });
- return;
- }
- }
- }
- }
+
let responseURL = xhr.responseURL;
let givenURL = url;
// Convert these to real URIs to make sure the escaping (or lack
@@ -332,16 +298,22 @@ var ReaderMode = {
givenURL = Services.io.newURI(givenURL).specIgnoringRef;
} catch (ex) {
/* Ignore errors - we'll use what we had before */
+ }
+ if (xhr.responseType != "document") {
+ let initialText = doc;
+ let parser = new DOMParser();
+ doc = parser.parseFromString(`<pre></pre>`, "text/html");
+ doc.querySelector("pre").textContent = initialText;
}
+ // We treat redirects as download successes here:
+ histogram.add(DOWNLOAD_SUCCESS);
+ let result = { doc };
if (responseURL != givenURL) {
- // We were redirected without a meta refresh tag.
- // Force redirect to the correct place:
- reject({ newURL: xhr.responseURL });
- return;
+ result.newURL = xhr.responseURL;
}
- resolve(doc);
- histogram.add(DOWNLOAD_SUCCESS);
+
+ resolve(result);
};
xhr.send();
});
--
2.33.0

35
CVE-2023-1945.patch Normal file
View File

@ -0,0 +1,35 @@
From 7798fafb53081cb22407bc4371247413146fda7b Mon Sep 17 00:00:00 2001
From: Dimi <dlee@mozilla.com>
Date: Thu, 10 Oct 2024 14:33:37 +0800
Subject: [PATCH] Init variable length prefix set in constructor. r=timhuang, a=RyanVM
---
toolkit/components/url-classifier/LookupCache.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/toolkit/components/url-classifier/LookupCache.cpp b/toolkit/components/url-classifier/LookupCache.cpp
index d0b03054f1..0931c93048 100644
--- a/toolkit/components/url-classifier/LookupCache.cpp
+++ b/toolkit/components/url-classifier/LookupCache.cpp
@@ -171,7 +171,8 @@ LookupCache::LookupCache(const nsACString& aTableName,
: mPrimed(false),
mTableName(aTableName),
mProvider(aProvider),
- mRootStoreDirectory(aRootStoreDir) {
+ mRootStoreDirectory(aRootStoreDir),
+ mVLPrefixSet(nullptr) {
UpdateRootDirHandle(mRootStoreDirectory);
}
@@ -192,6 +193,8 @@ nsresult LookupCache::Open() {
}
nsresult LookupCache::Init() {
+ MOZ_ASSERT(!mVLPrefixSet);
+
mVLPrefixSet = new VariableLengthPrefixSet();
nsresult rv = mVLPrefixSet->Init(mTableName);
NS_ENSURE_SUCCESS(rv, rv);
--
2.27.0

34
CVE-2024-0745.patch Normal file
View File

@ -0,0 +1,34 @@
From ac6bc755e84784d3bea75eb63b9156c49e95019c Mon Sep 17 00:00:00 2001
From: Karl Tomlinson <karlt+@karlt.net>
Date: Sun, 07 Jan 2024 23:24:05 +0000 (7 months ago)
Subject: [PATCH] CVE-2024-0745
---
dom/media/webaudio/OscillatorNode.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dom/media/webaudio/OscillatorNode.cpp b/dom/media/webaudio/OscillatorNode.cpp
index 2089ce170c..1427f9ece0 100644
--- a/dom/media/webaudio/OscillatorNode.cpp
+++ b/dom/media/webaudio/OscillatorNode.cpp
@@ -293,7 +293,8 @@ class OscillatorNodeEngine final : public AudioNodeEngine {
return;
}
- if (ticks + WEBAUDIO_BLOCK_SIZE <= mStart || ticks >= mStop) {
+ if (ticks + WEBAUDIO_BLOCK_SIZE <= mStart || ticks >= mStop ||
+ mStop <= mStart) {
ComputeSilence(aOutput);
} else {
@@ -302,6 +303,7 @@ class OscillatorNodeEngine final : public AudioNodeEngine {
uint32_t start, end;
FillBounds(output, ticks, start, end);
+ MOZ_ASSERT(start < end);
// Synthesize the correct waveform.
switch (mType) {
--
2.33.0

27
firefox.spec
View File

@ -88,7 +88,7 @@
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 79.0
Release: 29
Release: 34
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -210,6 +210,11 @@ Patch666: CVE-2021-23954.patch
Patch667: CVE-2021-29984.patch
Patch668: CVE-2021-29988.patch
Patch669: CVE-2021-23998.patch
Patch670: CVE-2022-29912.patch
Patch671: CVE-2024-0745.patch
Patch672: CVE-2023-1945.patch
Patch673: CVE-2021-29970.patch
Patch674: CVE-2021-43539.patch
%if %{?system_nss}
BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@ -414,6 +419,11 @@ tar -xf %{SOURCE3}
%patch667 -p1
%patch668 -p1
%patch669 -p1
%patch670 -p1
%patch671 -p1
%patch672 -p1
%patch673 -p1
%patch674 -p1
%{__rm} -f .mozconfig
%{__cp} %{SOURCE10} .mozconfig
@ -862,6 +872,21 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%endif
%changelog
* Wed Nov 06 2024 lvfei <lvfei@kylinos.cn> - 79.0-34
- Fix CVE-2021-43539
* Fri Nov 01 2024 lvfei <lvfei@kylinos.cn> - 79.0-33
- Fix CVE-2021-29970
* Wed Aug 14 2024 happyworker <208suo@208suo.com> - 79.0-32
- Fix CVE-2023-1945
* Wed Aug 14 2024 lvfei <lvfei@kylinos.cn> - 79.0-31
- Fix CVE-2024-0745
* Sat Aug 03 2024 lvfei <lvfei@kylinos.cn> - 79.0-30
- Fix CVE-2022-29912
* Mon Jul 22 2024 technology208 <technology@208suo.com> - 79.0-29
- Fix CVE-2021-23998