author | bsiegert <bsiegert@pkgsrc.org> | 2020-11-24 18:29:25 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2020-11-24 18:29:25 +0000 |
commit | 907743da3eba302e2b0afae6a748b667d8882cc6 (patch) | |
tree | 715e5c1fa36b614f7402f2cb97ba965fbe957b78 | |
parent | ca3b38ca15c1c03a4ac79ae5f619bd683d9f1a5c (diff) | |
download | pkgsrc-907743da3eba302e2b0afae6a748b667d8882cc6.tar.gz |
Pullup ticket #6370 - requested by nia
www/firefox78: security fix
NOTE: This also includes the changes from pullup tickets #6363 and #6369.
Revisions pulled up:
- www/firefox78/Makefile 1.9,1.13
- www/firefox78/distinfo 1.5-1.6
- www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp 1.1
- www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp 1.1
---
Module Name: pkgsrc
Committed By: nia
Date: Tue Nov 10 02:59:28 UTC 2020
Modified Files:
pkgsrc/www/firefox78: Makefile distinfo
Added Files:
pkgsrc/www/firefox78/patches:
patch-js_src_jit_ProcessExecutableMemory.cpp
patch-js_src_vm_ArrayBufferObject.cpp
Log Message:
firefox78: Update to 78.4.1. Apply MPROTECT patches from mozjs.
Security Vulnerabilities fixed in Firefox 82.0.3, Firefox ESR 78.4.1, and Thunderbird 78.4.2
#CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for
---
Module Name: pkgsrc
Committed By: nia
Date: Wed Nov 18 12:33:45 UTC 2020
Modified Files:
pkgsrc/www/firefox78: Makefile distinfo
Log Message:
firefox78: Update to 78.5.0
Security Vulnerabilities fixed in Firefox ESR 78.5
#CVE-2020-26951: Parsing mismatches could confuse and bypass security
sanitizer for chrome privileged code
#CVE-2020-16012: Variable time processing of cross-origin images during
drawImage calls
#CVE-2020-26953: Fullscreen could be enabled without displaying the security
UI
#CVE-2020-26956: XSS through paste (manual and clipboard API)
#CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME
type restrictions
#CVE-2020-26959: Use-after-free in WebRequestService
#CVE-2020-26960: Potential use-after-free in uses of nsTArray
#CVE-2020-15999: Heap buffer overflow in freetype
#CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses
#CVE-2020-26965: Software keyboards may have remembered typed passwords
#CVE-2020-26966: Single-word search queries were also broadcast to local
network
#CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5
-rw-r--r-- | www/firefox78/Makefile | 8 | ||||
-rw-r--r-- | www/firefox78/distinfo | 12 | ||||
-rw-r--r-- | www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp | 38 | ||||
-rw-r--r-- | www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp | 24 |
4 files changed, 71 insertions, 11 deletions
diff --git a/www/firefox78/Makefile b/www/firefox78/Makefile
index 15a084eafe0..5a91c91c1c7 100644
--- a/www/firefox78/Makefile
+++ b/www/firefox78/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.6.2.1 2020/10/23 15:36:35 bsiegert Exp $
+# $NetBSD: Makefile,v 1.6.2.2 2020/11/24 18:29:25 bsiegert Exp $
 FIREFOX_VER= ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH= 78.4
+MOZ_BRANCH= 78.5
 MOZ_BRANCH_MINOR= .0esr
 DISTNAME= firefox-${FIREFOX_VER}.source
@@ -36,10 +36,6 @@ LDFLAGS.FreeBSD+= -lplc4 -lnspr4
 LDFLAGS.Linux+= -lnspr4
 LDFLAGS.SunOS+= -lm
-NOT_PAX_MPROTECT_SAFE+= lib/${PKGBASE}/${MOZILLA}
-NOT_PAX_MPROTECT_SAFE+= lib/${PKGBASE}/${MOZILLA}-bin
-NOT_PAX_MPROTECT_SAFE+= lib/${PKGBASE}/plugin-container
-
 ALL_ENV+= MOZ_APP_NAME=${MOZILLA}
 # Avoid ld "invalid section index" errors.
diff --git a/www/firefox78/distinfo b/www/firefox78/distinfo
index ba67cc66f3b..77df01e9b41 100644
--- a/www/firefox78/distinfo
+++ b/www/firefox78/distinfo
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.3.2.1 2020/10/23 15:36:35 bsiegert Exp $
+$NetBSD: distinfo,v 1.3.2.2 2020/11/24 18:29:25 bsiegert Exp $
-SHA1 (firefox-78.4.0esr.source.tar.xz) = 4cf96aeedca03d6f84ade360aeb43cae4819342a
-RMD160 (firefox-78.4.0esr.source.tar.xz) = 376ae67b15060906557bb19cd5be385dcf5e6138
-SHA512 (firefox-78.4.0esr.source.tar.xz) = d9de975e9acf7dab6186db877fe2df87a0e9e3c016e884473ecb188025a31032b1fe7f202598285970ed7a48268c7f3e265657708725da4eb7846db85a036246
-Size (firefox-78.4.0esr.source.tar.xz) = 335094656 bytes
+SHA1 (firefox-78.5.0esr.source.tar.xz) = ae46913563ffe92efa7cdaacb818435a4c3d4492
+RMD160 (firefox-78.5.0esr.source.tar.xz) = 53bf565b08f8c743f22e5f61fca8fd98da062a6c
+SHA512 (firefox-78.5.0esr.source.tar.xz) = 0d16013342b6e8d67adb5c111177ea4796db4fb593da8aa254d0d95bdf33fad798c2dbb235d44db4177c32dd2d7b3ac26b938b476342753ee8d6c83d968d0281
+Size (firefox-78.5.0esr.source.tar.xz) = 333995288 bytes
 SHA1 (patch-aa) = 11060461fdaca5661e89651b8ded4a59d2abc4d7
 SHA1 (patch-browser_app_profile_firefox.js) = 89cea0a66457c96ad0b94aaa524aa5942ad781d0
 SHA1 (patch-build_moz.configure_rust.configure) = ee9e207e67709f3c9455b4d22f5f254890e99ca8
@@ -20,8 +20,10 @@ SHA1 (patch-gfx_thebes_gfxPlatform.cpp) = f6f8996f0818a1b890698c7cc5054d49cb1e89
 SHA1 (patch-ipc_chromium_src_base_message__pump__libevent.cc) = 4a6606da590cfb8d855bde58b9c6f90e98d0870c
 SHA1 (patch-ipc_chromium_src_base_platform__thread__posix.cc) = 35d20981d33ccdb1d8ffb8039e48798777f11658
 SHA1 (patch-ipc_glue_GeckoChildProcessHost.cpp) = 260c29bacd8bf265951b7a412f850bf2b292c836
+SHA1 (patch-js_src_jit_ProcessExecutableMemory.cpp) = c75e9ea7124c18be1a051106fcc407ddd1e82e46
 SHA1 (patch-js_src_jsfriendapi.h) = 6bbb895b882ee24929f011751c42732215e153a2
 SHA1 (patch-js_src_util_NativeStack.cpp) = a0a16d8d8d78d3cc3f4d2a508586f1a7821f7dba
+SHA1 (patch-js_src_vm_ArrayBufferObject.cpp) = ca117633d2aae52d82ec349a0bfb0c03b87898b4
 SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = de58daa0fd23d4fec50426602b65c9ea5862558a
 SHA1 (patch-media_libcubeb_src_cubeb__alsa.c) = 31536f36cb33f16da309527b50eda9b721608115
 SHA1 (patch-media_libcubeb_src_moz.build) = e4e64a1135cf4157ae5b6f7c1710ebd076953479
diff --git a/www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp b/www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp
new file mode 100644
index 00000000000..54635786aed
--- /dev/null
+++ b/www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp
@@ -0,0 +1,38 @@
+$NetBSD: patch-js_src_jit_ProcessExecutableMemory.cpp,v 1.1.2.2 2020/11/24 18:29:25 bsiegert Exp $
+
+PaX MPROTECT safety for NetBSD.
+
+--- js/src/jit/ProcessExecutableMemory.cpp.orig 2020-10-27 23:47:06.000000000 +0000
++++ js/src/jit/ProcessExecutableMemory.cpp
+@@ -362,9 +362,16 @@ static void* ReserveProcessExecutableMem
+ // Note that randomAddr is just a hint: if the address is not available
+ // mmap will pick a different address.
+ void* randomAddr = ComputeRandomAllocationAddress();
++#ifdef PROT_MPROTECT
++ void* p = MozTaggedAnonymousMmap(randomAddr, bytes,
++ PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ),
++ MAP_PRIVATE | MAP_ANON, -1, 0,
++ "js-executable-memory");
++#else
+ void* p = MozTaggedAnonymousMmap(randomAddr, bytes, PROT_NONE,
+ MAP_NORESERVE | MAP_PRIVATE | MAP_ANON, -1,
+ 0, "js-executable-memory");
++#endif
+ if (p == MAP_FAILED) {
+ return nullptr;
+ }
+@@ -409,8 +416,12 @@ static unsigned ProtectionSettingToFlags
+
+ static MOZ_MUST_USE bool CommitPages(void* addr, size_t bytes,
+ ProtectionSetting protection) {
+- void* p = MozTaggedAnonymousMmap(
+- addr, bytes, ProtectionSettingToFlags(protection),
++ void* p = MozTaggedAnonymousMmap(addr, bytes,
++#ifdef PROT_MPROTECT
++ ProtectionSettingToFlags(protection) | PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ),
++#else
++ ProtectionSettingToFlags(protection),
++#endif
+ MAP_FIXED | MAP_PRIVATE | MAP_ANON, -1, 0, "js-executable-memory");
+ if (p == MAP_FAILED) {
+ return false;
diff --git a/www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp b/www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp
new file mode 100644
index 00000000000..b8822c10c75
--- /dev/null
+++ b/www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp
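Review bot: In the `#ifdef PROT_MPROTECT` branch of the reservation in the first inner hunk, the call passes only `PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ)` and drops `MAP_NORESERVE`, and neither choice is explained. Writing the protection as `PROT_NONE | PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ)` would make it explicit that the region is still reserved inaccessible and only its permitted maximum is raised. A one-line comment should say why `MAP_NORESERVE` is omitted on this path, or the flag should be kept. In the `CommitPages` hunk the directives sit inside the argument list of `MozTaggedAnonymousMmap`, which is only well-defined while that name is a real function, so computing the flags into a local before the call would be sturdier. Both inner hunks begin and end inside functions whose bodies continue outside the patch.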
@@ -0,0 +1,24 @@
+$NetBSD: patch-js_src_vm_ArrayBufferObject.cpp,v 1.1.2.2 2020/11/24 18:29:25 bsiegert Exp $
+
+PaX MPROTECT safety for NetBSD.
+
+--- js/src/vm/ArrayBufferObject.cpp.orig 2020-10-27 23:48:08.000000000 +0000
++++ js/src/vm/ArrayBufferObject.cpp
+@@ -165,9 +165,17 @@ void* js::MapBufferMemory(size_t mappedS
+ return nullptr;
+ }
+ #else // XP_WIN
++
++#ifdef PROT_MPROTECT
++ void* data =
++ MozTaggedAnonymousMmap(nullptr, mappedSize,
++ PROT_MPROTECT(PROT_EXEC | PROT_WRITE | PROT_READ),
++ MAP_PRIVATE | MAP_ANON, -1, 0, "wasm-reserved");
++#else
+ void* data =
+ MozTaggedAnonymousMmap(nullptr, mappedSize, PROT_NONE,
+ MAP_PRIVATE | MAP_ANON, -1, 0, "wasm-reserved");
++#endif
+ if (data == MAP_FAILED) {
+ return nullptr;
+ }
|
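Review bot: The `PROT_MPROTECT` branch lets the "wasm-reserved" mapping be raised to `PROT_EXEC` later, although the unchanged `#else` path reserves it as `PROT_NONE` buffer memory and nothing visible in the hunk needs it executable. If the code that commits this buffer (outside the hunk) only ever asks for read/write, the maximum should be limited to `PROT_MPROTECT(PROT_WRITE | PROT_READ)` so that PaX MPROTECT keeps refusing an executable mapping of buffer contents. If execute permission really is required, a comment naming the caller that needs it belongs above the `#ifdef`. The hunk starts inside `js::MapBufferMemory`, whose body continues outside it.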