From 059635d256f0b280e03e0ff2784064686269f737 Mon Sep 17 00:00:00 2001 From: bsiegert Date: Fri, 10 Jan 2020 13:56:19 +0000 Subject: Pullup ticket #6113 - requested by nia www/firefox68: security fix (zero-day) Revisions pulled up: - www/firefox68/Makefile 1.7-1.8 - www/firefox68/distinfo 1.6-1.7 - www/firefox68/patches/patch-rust-1.39.0 deleted --- Module Name: pkgsrc Committed By: nia Date: Wed Jan 8 21:49:32 UTC 2020 Modified Files: pkgsrc/www/firefox68: Makefile distinfo Removed Files: pkgsrc/www/firefox68/patches: patch-rust-1.39.0 Log Message: firefox68: Update to 68.4.0 Security Vulnerabilities fixed in Firefox ESR 68.4: # CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows # CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting # CVE-2019-17017: Type Confusion in XPCVariant.cpp # CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows # CVE-2019-17022: CSS sanitization does not escape HTML tags # CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4 --- Module Name: pkgsrc Committed By: nia Date: Thu Jan 9 20:51:59 UTC 2020 Modified Files: pkgsrc/www/firefox68: Makefile distinfo Log Message: firefox68: Update to 68.4.1 This release fixes one zero-day vulnerability: CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw --- www/firefox68/Makefile | 6 +- www/firefox68/distinfo | 11 +- www/firefox68/patches/patch-rust-1.39.0 | 176 -------------------------------- 3 files changed, 8 insertions(+), 185 deletions(-) delete mode 100644 www/firefox68/patches/patch-rust-1.39.0 diff --git a/www/firefox68/Makefile b/www/firefox68/Makefile index baa6f3157d9..aadfee8fb79 100644 --- a/www/firefox68/Makefile 
+++ b/www/firefox68/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.5 2019/12/08 20:09:41 nia Exp $ +# $NetBSD: Makefile,v 1.5.4.1 2020/01/10 13:56:19 bsiegert Exp $ FIREFOX_VER= ${MOZ_BRANCH}${MOZ_BRANCH_MINOR} -MOZ_BRANCH= 68.3 -MOZ_BRANCH_MINOR= .0esr +MOZ_BRANCH= 68.4 +MOZ_BRANCH_MINOR= .1esr DISTNAME= firefox-${FIREFOX_VER}.source PKGNAME= ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox68-/} diff --git a/www/firefox68/distinfo b/www/firefox68/distinfo index f2ba79ecea0..481b690c1f1 100644 --- a/www/firefox68/distinfo +++ b/www/firefox68/distinfo @@ -1,9 +1,9 @@ -$NetBSD: distinfo,v 1.5 2019/12/08 20:09:41 nia Exp $ +$NetBSD: distinfo,v 1.5.4.1 2020/01/10 13:56:19 bsiegert Exp $ -SHA1 (firefox-68.3.0esr.source.tar.xz) = 220c262c5cb2ee81d29c58a5afe4522c9880cf2b -RMD160 (firefox-68.3.0esr.source.tar.xz) = 7cf26bd69a7414cdd78ab196e9add78b7235ef7c -SHA512 (firefox-68.3.0esr.source.tar.xz) = f99a4a18aa1b4472152fc6de68ef56ee071c1adfc70a907c10943f8436758c9adc0fe05a90b894ea521cc0c30782e6e2c29f04747d7edf3e55080fa0c4ebf8c3 -Size (firefox-68.3.0esr.source.tar.xz) = 312378276 bytes +SHA1 (firefox-68.4.1esr.source.tar.xz) = f11c0ecc0f17435149a2bce83f490bbd329e276d +RMD160 (firefox-68.4.1esr.source.tar.xz) = 78098317b75b079a475a0bcb8a5f012178c1a643 +SHA512 (firefox-68.4.1esr.source.tar.xz) = 8dd85096f1223b2ab396cc3b89a9f1b113f01ce8919af08a278d077cc4380c108a66b6379c75d85311aa3c54a7804f4d51f718b309fe107ff7c44aca7e4386ed +Size (firefox-68.4.1esr.source.tar.xz) = 318559576 bytes SHA1 (patch-aa) = 1f292aae7d37bd480ba834324b737bfebee52503 SHA1 (patch-browser_app_profile_firefox.js) = 076cc2892547bac07fe907533f4e821f13f5738e SHA1 (patch-build_moz.configure_old.configure) = 05963b12fd908d90e3378b30cff7e48291b8a447 
@@ -30,7 +30,6 @@ SHA1 (patch-media_libcubeb_src_cubeb__oss.c) = 103f751d5a7bc14a81a6ed43e1afc722b
 SHA1 (patch-media_libcubeb_src_moz.build) = dcca90cb5132442877712cd7b1f4e832c93d2655
 SHA1 (patch-media_libcubeb_update.sh) = 4508319d8534a0cc983e4767c2142169af9e5033
 SHA1 (patch-media_libpng_pngpriv.h) = c8084332560017cd7c9b519b61d125fa28af0dbc
-SHA1 (patch-rust-1.39.0) = 73f41832022fb42c6d84131b6daf9396a1fea284
 SHA1 (patch-toolkit_components_terminator_nsTerminator.cpp) = e5700d95302ef9672b404ab19e13ef7ba3ede5cf
 SHA1 (patch-toolkit_library_moz.build) = 102e3713552c26f76e8b4e473846bb8fbc44b278
 SHA1 (patch-toolkit_modules_subprocess_subprocess__shared__unix.js) = 22a39e54e042ab2270a3cb54e4e307c8900cad12
diff --git a/www/firefox68/patches/patch-rust-1.39.0 b/www/firefox68/patches/patch-rust-1.39.0
deleted file mode 100644
index 7beea32e644..00000000000
--- a/www/firefox68/patches/patch-rust-1.39.0
+++ /dev/null
@@ -1,176 +0,0 @@ -$NetBSD: patch-rust-1.39.0,v 1.1 2019/11/18 12:09:15 ryoon Exp $ - -From 9696bc1795c75b1b527e2b70d9baf3ced9e3c154 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= -Date: Mon, 23 Sep 2019 17:54:37 +0200 -Subject: [PATCH] ir: Make Ord and PartialOrd implementations agree. - -See https://github.com/rust-lang/rust/issues/64710. - -Bogus implementations were introduced in 230545e7c, d3e39dc62, and 379bb1663. - ---- third_party/rust/bindgen/src/ir/analysis/has_vtable.rs.orig 2019-10-16 19:30:29.000000000 +0000 -+++ third_party/rust/bindgen/src/ir/analysis/has_vtable.rs -@@ -9,17 +9,17 @@ use std::ops; - use {HashMap, Entry}; - - /// The result of the `HasVtableAnalysis` for an individual item. --#[derive(Copy, Clone, Debug, PartialEq, Eq, Ord)] -+#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord)] - pub enum HasVtableResult { -- /// The item has a vtable, but the actual vtable pointer is in a base -- /// member. -- BaseHasVtable, -+ /// The item does not have a vtable pointer. -+ No, - - /// The item has a vtable and the actual vtable pointer is within this item. - SelfHasVtable, - -- /// The item does not have a vtable pointer. -- No -+ /// The item has a vtable, but the actual vtable pointer is in a base -+ /// member. -+ BaseHasVtable, - } - - impl Default for HasVtableResult { -@@ -28,21 +28,6 @@ impl Default for HasVtableResult { - } - } - --impl cmp::PartialOrd for HasVtableResult { -- fn partial_cmp(&self, rhs: &Self) -> Option { -- use self::HasVtableResult::*; -- -- match (*self, *rhs) { -- (x, y) if x == y => Some(cmp::Ordering::Equal), -- (BaseHasVtable, _) => Some(cmp::Ordering::Greater), -- (_, BaseHasVtable) => Some(cmp::Ordering::Less), -- (SelfHasVtable, _) => Some(cmp::Ordering::Greater), -- (_, SelfHasVtable) => Some(cmp::Ordering::Less), -- _ => unreachable!(), -- } -- } --} -- - impl HasVtableResult { - /// Take the least upper bound of `self` and `rhs`. 
- pub fn join(self, rhs: Self) -> Self { -$NetBSD: patch-rust-1.39.0,v 1.1 2019/11/18 12:09:15 ryoon Exp $ - ---- third_party/rust/bindgen/src/ir/analysis/sizedness.rs.orig 2019-10-16 19:30:29.000000000 +0000 -+++ third_party/rust/bindgen/src/ir/analysis/sizedness.rs -@@ -22,13 +22,14 @@ use {HashMap, Entry}; - /// - /// We initially assume that all types are `ZeroSized` and then update our - /// understanding as we learn more about each type. --#[derive(Copy, Clone, Debug, PartialEq, Eq, Ord)] -+#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord)] - pub enum SizednessResult { -- /// Has some size that is known to be greater than zero. That doesn't mean -- /// it has a static size, but it is not zero sized for sure. In other words, -- /// it might contain an incomplete array or some other dynamically sized -- /// type. -- NonZeroSized, -+ /// The type is zero-sized. -+ /// -+ /// This means that if it is a C++ type, and is not being used as a base -+ /// member, then we must add an `_address` byte to enforce the -+ /// unique-address-per-distinct-object-instance rule. -+ ZeroSized, - - /// Whether this type is zero-sized or not depends on whether a type - /// parameter is zero-sized or not. -@@ -52,12 +53,11 @@ pub enum SizednessResult { - /// https://github.com/rust-lang-nursery/rust-bindgen/issues/586 - DependsOnTypeParam, - -- /// The type is zero-sized. -- /// -- /// This means that if it is a C++ type, and is not being used as a base -- /// member, then we must add an `_address` byte to enforce the -- /// unique-address-per-distinct-object-instance rule. -- ZeroSized, -+ /// Has some size that is known to be greater than zero. That doesn't mean -+ /// it has a static size, but it is not zero sized for sure. In other words, -+ /// it might contain an incomplete array or some other dynamically sized -+ /// type. 
-+ NonZeroSized, - } - - impl Default for SizednessResult { -@@ -66,21 +66,6 @@ impl Default for SizednessResult { - } - } - --impl cmp::PartialOrd for SizednessResult { -- fn partial_cmp(&self, rhs: &Self) -> Option { -- use self::SizednessResult::*; -- -- match (*self, *rhs) { -- (x, y) if x == y => Some(cmp::Ordering::Equal), -- (NonZeroSized, _) => Some(cmp::Ordering::Greater), -- (_, NonZeroSized) => Some(cmp::Ordering::Less), -- (DependsOnTypeParam, _) => Some(cmp::Ordering::Greater), -- (_, DependsOnTypeParam) => Some(cmp::Ordering::Less), -- _ => unreachable!(), -- } -- } --} -- - impl SizednessResult { - /// Take the least upper bound of `self` and `rhs`. - pub fn join(self, rhs: Self) -> Self { -$NetBSD: patch-rust-1.39.0,v 1.1 2019/11/18 12:09:15 ryoon Exp $ - ---- third_party/rust/bindgen/src/ir/derive.rs.orig 2019-10-16 19:30:29.000000000 +0000 -+++ third_party/rust/bindgen/src/ir/derive.rs -@@ -92,10 +92,10 @@ pub trait CanDeriveOrd { - /// - /// Initially we assume that we can derive trait for all types and then - /// update our understanding as we learn more about each type. --#[derive(Debug, Copy, Clone, PartialEq, Eq, Ord)] -+#[derive(Debug, Copy, Clone, PartialEq, Eq, PartialOrd, Ord)] - pub enum CanDerive { -- /// No, we cannot. -- No, -+ /// Yes, we can derive automatically. -+ Yes, - - /// The only thing that stops us from automatically deriving is that - /// array with more than maximum number of elements is used. -@@ -103,8 +103,8 @@ pub enum CanDerive { - /// This means we probably can "manually" implement such trait. - Manually, - -- /// Yes, we can derive automatically. -- Yes, -+ /// No, we cannot. 
-+ No, - } - - impl Default for CanDerive { -@@ -113,22 +113,6 @@ impl Default for CanDerive { - } - } - --impl cmp::PartialOrd for CanDerive { -- fn partial_cmp(&self, rhs: &Self) -> Option { -- use self::CanDerive::*; -- -- let ordering = match (*self, *rhs) { -- (x, y) if x == y => cmp::Ordering::Equal, -- (No, _) => cmp::Ordering::Greater, -- (_, No) => cmp::Ordering::Less, -- (Manually, _) => cmp::Ordering::Greater, -- (_, Manually) => cmp::Ordering::Less, -- _ => unreachable!() -- }; -- Some(ordering) -- } --} -- - impl CanDerive { - /// Take the least upper bound of `self` and `rhs`. - pub fn join(self, rhs: Self) -> Self { -- cgit v1.2.3