Firefox 85.0 firefox85 tip
authorWolfgang Rosenauer <wr@rosenauer.org>
Thu, 28 Jan 2021 23:39:24 +0100
branchfirefox85
changeset 1154 71a92b4d0527
parent 1153 fdd746757dda
Firefox 85.0
MozillaFirefox/MozillaFirefox.changes
MozillaFirefox/MozillaFirefox.spec
MozillaFirefox/mozilla-pipewire-0-3.patch
MozillaFirefox/tar_stamps
mozilla-fix-top-level-asm.patch
mozilla-pgo.patch
mozilla-pipewire-0-3.patch
mozilla-reduce-rust-debuginfo.patch
series
--- a/MozillaFirefox/MozillaFirefox.changes	Sun Jan 24 11:01:55 2021 +0100
+++ b/MozillaFirefox/MozillaFirefox.changes	Thu Jan 28 23:39:24 2021 +0100
@@ -1,4 +1,53 @@
 -------------------------------------------------------------------
+Sun Jan 24 11:53:58 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 85.0
+  * Adobe Flash is completely history
+  * supercookie protection
+  * new bookmark handling and features
+  MFSA 2021-03 (bsc#1181414)
+  * CVE-2021-23953 (bmo#1683940)
+    Cross-origin information leakage via redirected PDF requests
+  * CVE-2021-23954 (bmo#1684020)
+    Type confusion when using logical assignment operators in
+    JavaScript switch statements
+  * CVE-2021-23955 (bmo#1684837)
+    Clickjacking across tabs through misusing requestPointerLock
+  * CVE-2021-23956 (bmo#1338637)
+    File picker dialog could have been used to disclose a
+    complete directory
+  * CVE-2021-23957 (bmo#1584582)
+    Iframe sandbox could have been bypassed on Android via the
+    intent URL scheme
+  * CVE-2021-23958 (bmo#1642747)
+    Screen sharing permission leaked across tabs
+  * CVE-2021-23959 (bmo#1659035)
+    Cross-Site Scripting in error pages on Firefox for Android
+  * CVE-2021-23960 (bmo#1675755)
+    Use-after-poison for incorrectly redeclared JavaScript
+    variables during GC
+  * CVE-2021-23961 (bmo#1677940)
+    More internal network hosts could have been probed by a
+    malicious webpage
+  * CVE-2021-23962 (bmo#1677194)
+    Use-after-poison in
+    <code>nsTreeBodyFrame::RowCountChanged</code>
+  * CVE-2021-23963 (bmo#1680793)
+    Permission prompt inaccessible after asking for additional
+    permissions
+  * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278,
+    bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590,
+    bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938,
+    bmo#1683736, bmo#1685260, bmo#1685925)
+    Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
+  * CVE-2021-23965 (bmo#1670378, bmo#1673555, bmo#1676812, bmo#1678582,
+    bmo#1684497)
+    Memory safety bugs fixed in Firefox 85
+- requires NSS 3.60.1
+- requires rust 1.47
+- remove obsolete mozilla-pipewire-0-3.patch
+
+-------------------------------------------------------------------
 Mon Jan 11 18:02:01 UTC 2021 - Matthias Mailänder <mailaender@opensuse.org>
 
 - Fix AppStream screenshot links
--- a/MozillaFirefox/MozillaFirefox.spec	Sun Jan 24 11:01:55 2021 +0100
+++ b/MozillaFirefox/MozillaFirefox.spec	Thu Jan 28 23:39:24 2021 +0100
@@ -2,7 +2,7 @@
 # spec file for package MozillaFirefox
 #
 # Copyright (c) 2021 SUSE LLC
-#               2006-2020 Wolfgang Rosenauer <wr@rosenauer.org>
+#               2006-2021 Wolfgang Rosenauer <wr@rosenauer.org>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,9 +29,9 @@
 # orig_suffix b3
 # major 69
 # mainver %major.99
-%define major          84
-%define mainver        %major.0.2
-%define orig_version   84.0.2
+%define major          85
+%define mainver        %major.0
+%define orig_version   85.0
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@@ -92,7 +92,7 @@
 %else
 BuildRequires:  gcc-c++
 %endif
-BuildRequires:  cargo >= 1.44
+BuildRequires:  cargo >= 1.47
 BuildRequires:  ccache
 BuildRequires:  libXcomposite-devel
 BuildRequires:  libcurl-devel
@@ -101,7 +101,7 @@
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.29
-BuildRequires:  mozilla-nss-devel >= 3.59.1
+BuildRequires:  mozilla-nss-devel >= 3.60.1
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs10 >= 10.22.1
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -111,7 +111,7 @@
 BuildRequires:  python3 >= 3.5
 BuildRequires:  python3-devel
 %endif
-BuildRequires:  rust >= 1.44
+BuildRequires:  rust >= 1.47
 BuildRequires:  rust-cbindgen >= 0.15.0
 BuildRequires:  unzip
 BuildRequires:  update-desktop-files
@@ -207,7 +207,6 @@
 Patch20:        mozilla-fix-top-level-asm.patch
 Patch21:        mozilla-bmo1504834-part4.patch
 Patch22:        mozilla-bmo849632.patch
-Patch23:        mozilla-pipewire-0-3.patch
 Patch24:        mozilla-bmo1602730.patch
 Patch25:        mozilla-bmo998749.patch
 Patch26:        mozilla-bmo1626236.patch
@@ -347,9 +346,6 @@
 %patch20 -p1
 %patch21 -p1
 %patch22 -p1
-%if %{with_pipewire0_3}
-%patch23 -p1
-%endif
 %patch24 -p1
 %patch25 -p1
 %patch26 -p1
--- a/MozillaFirefox/mozilla-pipewire-0-3.patch	Sun Jan 24 11:01:55 2021 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-../mozilla-pipewire-0-3.patch
\ No newline at end of file
--- a/MozillaFirefox/tar_stamps	Sun Jan 24 11:01:55 2021 +0100
+++ b/MozillaFirefox/tar_stamps	Thu Jan 28 23:39:24 2021 +0100
@@ -1,11 +1,11 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="84.0.2"
+VERSION="85.0"
 VERSION_SUFFIX=""
-PREV_VERSION="84.0.1"
+PREV_VERSION="84.0.2"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="7e22d68e1ebfc0839092237feeefad46cfbd8651"
-RELEASE_TIMESTAMP="20210105180113"
+RELEASE_TAG="cd908cffd02e1563b2218d985873f958a2e2c55d"
+RELEASE_TIMESTAMP="20210118153634"
--- a/mozilla-fix-top-level-asm.patch	Sun Jan 24 11:01:55 2021 +0100
+++ b/mozilla-fix-top-level-asm.patch	Thu Jan 28 23:39:24 2021 +0100
@@ -49,7 +49,7 @@
      ]
  
  if CONFIG["CC_TYPE"] in ("clang", "gcc"):
-     CXXFLAGS += ["-Wno-shadow"]
+     CXXFLAGS += ["-Wno-shadow", "-Wno-error=stack-protector"]
      SOURCES["../chromium/sandbox/linux/services/syscall_wrappers.cc"].flags += [
          "-Wno-empty-body",
      ]
--- a/mozilla-pgo.patch	Sun Jan 24 11:01:55 2021 +0100
+++ b/mozilla-pgo.patch	Thu Jan 28 23:39:24 2021 +0100
@@ -1,11 +1,11 @@
 # HG changeset patch
 # User Wolfgang Rosenauer <wr@rosenauer.org>
-# Parent  431962e810598b34327620fb99e06768e9a29c38
+# Parent  41df71ef2798d6bd6a67cfc4c4f26b8d41b8ccca
 
 diff --git a/build/moz.configure/lto-pgo.configure b/build/moz.configure/lto-pgo.configure
 --- a/build/moz.configure/lto-pgo.configure
 +++ b/build/moz.configure/lto-pgo.configure
-@@ -223,23 +223,23 @@ def lto(value, c_compiler, ld64_known_go
+@@ -235,23 +235,23 @@ def lto(
                  "configure."
              )
  
@@ -32,25 +32,6 @@
              # choose a poor default.  Rust compilation by default uses the
              # pentium4 CPU on x86:
              #
-@@ -263,17 +263,17 @@ def lto(value, c_compiler, ld64_known_go
-                 ldflags.append("-mllvm:-mcpu=x86-64")
-             # We do not need special flags for arm64.  Hooray for fixed-length
-             # instruction sets.
-         else:
-             num_cores = multiprocessing.cpu_count()
-             if len(value) and value[0].lower() == "full":
-                 cflags.append("-flto")
-             else:
--                cflags.append("-flto=thin")
-+                cflags.append("-flto")
-             cflags.append("-flifetime-dse=1")
- 
-             ldflags.append("-flto=%s" % num_cores)
-             ldflags.append("-flifetime-dse=1")
- 
-         # Tell LTO not to inline functions above a certain size, to mitigate
-         # binary size growth while still getting good performance.
-         # (For hot functions, PGO will put a multiplier on this limit.)
 diff --git a/build/pgo/profileserver.py b/build/pgo/profileserver.py
 --- a/build/pgo/profileserver.py
 +++ b/build/pgo/profileserver.py
@@ -173,35 +154,10 @@
      CXXFLAGS += ["-Wno-error=shadow"]
 +
 +CXXFLAGS += ['-fno-devirtualize']
-diff --git a/python/mozbuild/mozbuild/build_commands.py b/python/mozbuild/mozbuild/build_commands.py
---- a/python/mozbuild/mozbuild/build_commands.py
-+++ b/python/mozbuild/mozbuild/build_commands.py
-@@ -121,19 +121,18 @@ class Build(MachCommandBase):
-                 silent=not verbose,
-                 ensure_exit_code=False,
-                 append_env=append_env,
-             )
-             if status != 0:
-                 return status
- 
-             pgo_env = os.environ.copy()
--            pgo_env["LLVM_PROFDATA"] = instr.config_environment.substs.get(
--                "LLVM_PROFDATA"
--            )
-+            if instr.config_environment.substs.get('CC_TYPE') != 'gcc':
-+                pgo_env["LLVM_PROFDATA"] = instr.config_environment.substs.get("LLVM_PROFDATA")
-             pgo_env["JARLOG_FILE"] = mozpath.join(orig_topobjdir, "jarlog/en-US.log")
-             pgo_cmd = [
-                 instr.virtualenv_manager.python_path,
-                 mozpath.join(self.topsrcdir, "build/pgo/profileserver.py"),
-             ]
-             subprocess.check_call(
-                 pgo_cmd, cwd=instr.topobjdir, env=ensure_subprocess_env(pgo_env)
-             )
 diff --git a/toolkit/components/terminator/nsTerminator.cpp b/toolkit/components/terminator/nsTerminator.cpp
 --- a/toolkit/components/terminator/nsTerminator.cpp
 +++ b/toolkit/components/terminator/nsTerminator.cpp
-@@ -413,16 +413,21 @@ void nsTerminator::StartWatchdog() {
+@@ -425,16 +425,21 @@ void nsTerminator::StartWatchdog() {
        // Defend against overflow
        crashAfterMS = INT32_MAX;
      } else {
--- a/mozilla-pipewire-0-3.patch	Sun Jan 24 11:01:55 2021 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,163 +0,0 @@
-diff -up firefox-83.0/browser/actors/WebRTCParent.jsm.pw6 firefox-83.0/browser/actors/WebRTCParent.jsm
---- firefox-83.0/browser/actors/WebRTCParent.jsm.pw6	2020-11-12 19:04:30.000000000 +0100
-+++ firefox-83.0/browser/actors/WebRTCParent.jsm	2020-11-25 10:28:32.492865982 +0100
-@@ -45,6 +45,9 @@ XPCOMUtils.defineLazyServiceGetter(
-   "nsIOSPermissionRequest"
- );
- 
-+const PIPEWIRE_PORTAL_NAME = "####_PIPEWIRE_PORTAL_####";
-+const PIPEWIRE_ID = 0xaffffff;
-+
- class WebRTCParent extends JSWindowActorParent {
-   didDestroy() {
-     webrtcUI.forgetStreamsFromBrowserContext(this.browsingContext);
-@@ -753,6 +756,8 @@ function prompt(aActor, aBrowser, aReque
-         );
-         menupopup.appendChild(doc.createXULElement("menuseparator"));
- 
-+        let isPipeWire = false;
-+
-         // Build the list of 'devices'.
-         let monitorIndex = 1;
-         for (let i = 0; i < devices.length; ++i) {
-@@ -774,6 +779,29 @@ function prompt(aActor, aBrowser, aReque
-             }
-           } else {
-             name = device.name;
-+            // When we share content by PipeWire add only one item to the device
-+            // list. When it's selected PipeWire portal dialog is opened and
-+            // user confirms actual window/screen sharing there.
-+            // Don't mark it as scary as there's an extra confirmation step by
-+            // PipeWire portal dialog.
-+            if (name == PIPEWIRE_PORTAL_NAME && device.id == PIPEWIRE_ID) {
-+              isPipeWire = true;
-+              let name;
-+              try {
-+                name = stringBundle.getString("getUserMedia.sharePipeWirePortal.label");
-+              } catch (err) {
-+                name = "Use operating system settings"
-+              }
-+              let item = addDeviceToList(
-+                menupopup,
-+                name,
-+                i,
-+                type
-+              );
-+              item.deviceId = device.id;
-+              item.mediaSource = type;
-+              break;
-+            }
-             if (type == "application") {
-               // The application names returned by the platform are of the form:
-               // <window count>\x1e<application name>
-@@ -888,39 +916,41 @@ function prompt(aActor, aBrowser, aReque
-             perms.EXPIRE_SESSION
-           );
- 
--          video.deviceId = deviceId;
--          let constraints = {
--            video: { mediaSource: type, deviceId: { exact: deviceId } },
--          };
--          chromeWin.navigator.mediaDevices.getUserMedia(constraints).then(
--            stream => {
--              if (video.deviceId != deviceId) {
--                // The user has selected a different device or closed the panel
--                // before getUserMedia finished.
--                stream.getTracks().forEach(t => t.stop());
--                return;
--              }
--              video.srcObject = stream;
--              video.stream = stream;
--              doc.getElementById("webRTC-preview").hidden = false;
--              video.onloadedmetadata = function(e) {
--                video.play();
--              };
--            },
--            err => {
--              if (
--                err.name == "OverconstrainedError" &&
--                err.constraint == "deviceId"
--              ) {
--                // Window has disappeared since enumeration, which can happen.
--                // No preview for you.
--                return;
-+          if (!isPipeWire) {
-+            video.deviceId = deviceId;
-+            let constraints = {
-+              video: { mediaSource: type, deviceId: { exact: deviceId } },
-+            };
-+            chromeWin.navigator.mediaDevices.getUserMedia(constraints).then(
-+              stream => {
-+                if (video.deviceId != deviceId) {
-+                  // The user has selected a different device or closed the panel
-+                  // before getUserMedia finished.
-+                  stream.getTracks().forEach(t => t.stop());
-+                  return;
-+                }
-+                video.srcObject = stream;
-+                video.stream = stream;
-+                doc.getElementById("webRTC-preview").hidden = false;
-+                video.onloadedmetadata = function(e) {
-+                  video.play();
-+                };
-+              },
-+              err => {
-+                if (
-+                  err.name == "OverconstrainedError" &&
-+                  err.constraint == "deviceId"
-+                ) {
-+                  // Window has disappeared since enumeration, which can happen.
-+                  // No preview for you.
-+                  return;
-+                }
-+                Cu.reportError(
-+                  `error in preview: ${err.message} ${err.constraint}`
-+                );
-               }
--              Cu.reportError(
--                `error in preview: ${err.message} ${err.constraint}`
--              );
--            }
--          );
-+            );
-+          }
-         };
-         menupopup.addEventListener("command", menupopup._commandEventListener);
-       }
-diff -up firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties.pw6 firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties
---- firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties.pw6	2020-11-12 19:04:30.000000000 +0100
-+++ firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties	2020-11-25 09:24:26.378857626 +0100
-@@ -764,6 +764,7 @@ getUserMedia.selectWindowOrScreen.label=
- getUserMedia.selectWindowOrScreen.accesskey=W
- getUserMedia.pickWindowOrScreen.label = Select Window or Screen
- getUserMedia.shareEntireScreen.label = Entire screen
-+getUserMedia.sharePipeWirePortal.label = Use operating system settings
- # LOCALIZATION NOTE (getUserMedia.shareMonitor.label):
- # %S is screen number (digits 1, 2, etc)
- # Example: Screen 1, Screen 2,..
-diff -up firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc.pw6 firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc
---- firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc.pw6	2020-11-25 09:24:26.358857788 +0100
-+++ firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc	2020-11-25 09:24:26.378857626 +0100
-@@ -879,17 +879,17 @@ void BaseCapturerPipeWire::CaptureFrame(
-   callback_->OnCaptureResult(Result::SUCCESS, std::move(result));
- }
- 
-+#define PIPEWIRE_ID   0xaffffff
-+#define PIPEWIRE_NAME "####_PIPEWIRE_PORTAL_####"
-+
- bool BaseCapturerPipeWire::GetSourceList(SourceList* sources) {
--  RTC_DCHECK(sources->size() == 0);
--  // List of available screens is already presented by the xdg-desktop-portal.
--  // But we have to add an empty source as the code expects it.
--  sources->push_back({0});
-+  sources->push_back({PIPEWIRE_ID, 0, PIPEWIRE_NAME});
-   return true;
- }
- 
- bool BaseCapturerPipeWire::SelectSource(SourceId id) {
-   // Screen selection is handled by the xdg-desktop-portal.
--  return true;
-+  return id == PIPEWIRE_ID;
- }
- 
- // static
--- a/mozilla-reduce-rust-debuginfo.patch	Sun Jan 24 11:01:55 2021 +0100
+++ b/mozilla-reduce-rust-debuginfo.patch	Thu Jan 28 23:39:24 2021 +0100
@@ -3,7 +3,7 @@
 # Date 1560754926 -7200
 #      Mon Jun 17 09:02:06 2019 +0200
 # Node ID 428161c3b9599083e1b8710eda1760f1f707ab11
-# Parent  f5e9431a99bb1d122ccd76411f08ac6f3236c19f
+# Parent  2a004fe4d56123f6e73a9436d1a290bbfc5e0b6b
 #Description: reduce the rust debuginfo level on selected architectures where
 # compiling with debuginfo=2 causes the OOM killer to interrupt the build on
 # launchpad builders. Initially this was only on 32 bit architectures, but with
@@ -12,20 +12,19 @@
 diff --git a/build/moz.configure/toolchain.configure b/build/moz.configure/toolchain.configure
 --- a/build/moz.configure/toolchain.configure
 +++ b/build/moz.configure/toolchain.configure
-@@ -2138,19 +2138,19 @@ imply_option("RUSTC_OPT_LEVEL", "2", whe
- def rustc_opt_level(opt_level_option, moz_optimize):
-     if opt_level_option:
-         return opt_level_option[0]
-     else:
-         return "1" if moz_optimize.optimize else "0"
+@@ -2145,18 +2145,19 @@ def rustc_opt_level(opt_level_option, mo
  
  
  @depends(
--    rustc_opt_level, debug_rust, "--enable-debug-symbols", "--enable-frame-pointers"
-+    rustc_opt_level, debug_rust, "--enable-debug-symbols", "--enable-frame-pointers", host
+     rustc_opt_level,
+     debug_rust,
+     target,
+     "--enable-debug-symbols",
+     "--enable-frame-pointers",
++    host,
  )
--def rust_compile_flags(opt_level, debug_rust, debug_symbols, frame_pointers):
-+def rust_compile_flags(opt_level, debug_rust, debug_symbols, frame_pointers, host):
+-def rust_compile_flags(opt_level, debug_rust, target, debug_symbols, frame_pointers):
++def rust_compile_flags(opt_level, debug_rust, target, debug_symbols, frame_pointers, host):
      # Cargo currently supports only two interesting profiles for building:
      # development and release. Those map (roughly) to --enable-debug and
      # --disable-debug in Gecko, respectively.
@@ -34,7 +33,7 @@
      # optimization level. Since Cargo only supports 2 profiles, we're in
      # a bit of a bind.
      #
-@@ -2163,16 +2163,18 @@ def rust_compile_flags(opt_level, debug_
+@@ -2169,16 +2170,18 @@ def rust_compile_flags(opt_level, debug_
  
      # opt-level=0 implies -C debug-assertions, which may not be desired
      # unless Rust debugging is enabled.
--- a/series	Sun Jan 24 11:01:55 2021 +0100
+++ b/series	Thu Jan 28 23:39:24 2021 +0100
@@ -19,7 +19,6 @@
 mozilla-fix-top-level-asm.patch
 mozilla-bmo1504834-part4.patch
 mozilla-bmo849632.patch
-mozilla-pipewire-0-3.patch
 mozilla-bmo1602730.patch
 mozilla-bmo998749.patch
 mozilla-bmo1626236.patch