Firefox 101.x release firefox101 tip
author Wolfgang Rosenauer <wr@rosenauer.org>
Sun, 12 Jun 2022 16:05:04 +0200
branch firefox101
changeset 1174 90e3d0cf8567
parent 1173 56ecd2ae6e61
Firefox 101.x release
MozillaFirefox/MozillaFirefox.changes
MozillaFirefox/MozillaFirefox.spec
MozillaFirefox/create-tar.sh
MozillaFirefox/tar_stamps
mozilla-kde.patch
mozilla-silence-no-return-type.patch
--- a/MozillaFirefox/MozillaFirefox.changes	Sun May 01 18:18:56 2022 +0200
+++ b/MozillaFirefox/MozillaFirefox.changes	Sun Jun 12 16:05:04 2022 +0200
@@ -1,4 +1,114 @@
 -------------------------------------------------------------------
+Fri Jun 10 20:45:37 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 101.0.1:
+  * Fixed context menus not appearing when right-clicking
+    Picture-in-Picture windows on some Linux systems (bmo#1771914)
+  * Various stability fixes
+
+-------------------------------------------------------------------
+Sun May 29 08:02:45 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 101.0
+  * Reading is now easier with the prefers-contrast media query,
+    which allows sites to detect if the user has requested that web
+    content is presented with a higher (or lower) contrast
+  * All non-configured MIME types can now be assigned a custom
+    action upon download completion
+  * allows users to use as many microphones as you want, at the
+    same time, during video conferencing. The most exciting benefit
+    is that you can easily switch your microphones at any time
+    (if your conferencing service provider enables this flexibility)
+  MFSA 2022-20 (bsc#1200027)
+  * CVE-2022-31736 (bmo#1735923)
+    Cross-Origin resource's length leaked
+  * CVE-2022-31737 (bmo#1743767)
+    Heap buffer overflow in WebGL
+  * CVE-2022-31738 (bmo#1756388)
+    Browser window spoof using fullscreen mode
+  * CVE-2022-31739 (bmo#1765049)
+    Attacker-influenced path traversal when saving downloaded files
+  * CVE-2022-31740 (bmo#1766806)
+    Register allocation problem in WASM on arm64
+  * CVE-2022-31741 (bmo#1767590)
+    Uninitialized variable leads to invalid memory read
+  * CVE-2022-31742 (bmo#1730434)
+    Querying a WebAuthn token with a large number of allowCredential
+    entries may have leaked cross-origin information
+  * CVE-2022-31743 (bmo#1747388)
+    HTML Parsing incorrectly ended HTML comments prematurely
+  * CVE-2022-31744 (bmo#1757604)
+    CSP bypass enabling stylesheet injection
+  * CVE-2022-31745 (bmo#1760944)
+    Incorrect Assertion caused by unoptimized array shift operations
+  * CVE-2022-1919 (bmo#1761275)
+    Memory Corruption when manipulating webp images
+  * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283,
+    bmo#1767365, bmo#1768559, bmo#1768734)
+    Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10
+  * CVE-2022-31748 (bmo#1713773, bmo#1762201, bmo#1762469,
+    bmo#1762770, bmo#1764878, bmo#1765226, bmo#1765782, bmo#1765973,
+    bmo#1767177, bmo#1767181, bmo#1768232, bmo#1768251, bmo#1769869)
+    Memory safety bugs fixed in Firefox 101
+- requires
+  * NSS 3.78.1
+  * rust-cbindgen 0.23.0
+  * rust 1.59
+
+-------------------------------------------------------------------
+Fri May 20 15:03:50 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 100.0.2
+  MFSA 2022-19 (bsc#1199768)
+  * CVE-2022-1802 (bmo#1770137)
+    Prototype pollution in Top-Level Await implementation
+  * CVE-2022-1529 (bmo#1770048)
+    Untrusted input used in JavaScript object indexing, leading
+    to prototype pollution
+
+-------------------------------------------------------------------
+Wed May 18 20:27:49 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Mozilla Firefox 100.0.1:
+  * Fixed: Fixed an issue with subtitles in Picture-in-Picture
+    mode while using Netflix (bmo#1768818)
+  * Fixed: Fixed an issue where some commands were unavailable in
+    the Picture-in-Picture window (bmo#1768201)
+
+-------------------------------------------------------------------
+Sun May  1 21:31:01 UTC 2022 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 100.0
+  * subtitle support in PiP
+  * spell checking supports multiple languages in parallel
+  * more details here
+    https://www.mozilla.org/en-US/firefox/100.0/releasenotes
+  MFSA 2022-16 (boo#1198970)
+  * CVE-2022-29914 (bmo#1746448)
+    Fullscreen notification bypass using popups
+  * CVE-2022-29909 (bmo#1755081)
+    Bypassing permission prompt in nested browsing contexts
+  * CVE-2022-29916 (bmo#1760674)
+    Leaking browser history with CSS variables
+  * CVE-2022-29911 (bmo#1761981)
+    iframe Sandbox bypass
+  * CVE-2022-29912 (bmo#1692655)
+    Reader mode bypassed SameSite cookies
+  * CVE-2022-29910 (bmo#1757138)
+    Firefox for Android forgot HTTP Strict Transport Security
+    settings
+  * CVE-2022-29915 (bmo#1751678)
+    Leaking cross-origin redirect through the Performance API
+  * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298,
+    bmo#1762614, bmo#1762620, bmo#1764778)
+    Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9
+  * CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535,
+    bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477,
+    bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771)
+    Memory safety bugs fixed in Firefox 100
+- requires NSS 3.77
+
+-------------------------------------------------------------------
 Tue Apr 12 19:30:30 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
 
 - Mozilla Firefox 99.0.1
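Review bot: In the Firefox 101.0 entry, the third feature bullet ("allows users to use as many microphones as you want ...") has no subject and switches between "users" and "you", so it does not read as a standalone changelog item. Reword it along the lines of "Multiple microphones can now be used at the same time during video conferencing". The advisory references are also inconsistent: MFSA 2022-16 is tagged boo#1198970 while MFSA 2022-19 and 2022-20 use bsc#; pick one prefix so the advisory entries can be searched uniformly.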
--- a/MozillaFirefox/MozillaFirefox.spec	Sun May 01 18:18:56 2022 +0200
+++ b/MozillaFirefox/MozillaFirefox.spec	Sun Jun 12 16:05:04 2022 +0200
@@ -28,9 +28,9 @@
 # orig_suffix b3
 # major 69
 # mainver %major.99
-%define major          99
+%define major          101
 %define mainver        %major.0.1
-%define orig_version   99.0.1
+%define orig_version   101.0.1
 %define orig_suffix    %{nil}
 %define update_channel release
 %define branding       1
@@ -103,7 +103,7 @@
 # Newer sle/leap/tw use parallel versioned rust releases which have
 # a different method for provides that we can use to request a
 # specific version
-BuildRequires:  rust+cargo >= 1.57
+BuildRequires:  rust+cargo >= 1.59
 %endif
 %if 0%{useccache} != 0
 BuildRequires:  ccache
@@ -114,7 +114,7 @@
 BuildRequires:  libproxy-devel
 BuildRequires:  makeinfo
 BuildRequires:  mozilla-nspr-devel >= 4.33
-BuildRequires:  mozilla-nss-devel >= 3.76.1
+BuildRequires:  mozilla-nss-devel >= 3.78.1
 BuildRequires:  nasm >= 2.14
 BuildRequires:  nodejs >= 10.22.1
 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -124,7 +124,7 @@
 BuildRequires:  python3 >= 3.5
 BuildRequires:  python3-devel
 %endif
-BuildRequires:  rust-cbindgen >= 0.19.0
+BuildRequires:  rust-cbindgen >= 0.23.0
 BuildRequires:  unzip
 BuildRequires:  update-desktop-files
 BuildRequires:  xorg-x11-libXt-devel
--- a/MozillaFirefox/create-tar.sh	Sun May 01 18:18:56 2022 +0200
+++ b/MozillaFirefox/create-tar.sh	Sun Jun 12 16:05:04 2022 +0200
@@ -37,7 +37,6 @@
 fi
 
 SOURCE_TARBALL="$PRODUCT-$VERSION$VERSION_SUFFIX.source.tar.xz"
-PREV_SOURCE_TARBALL="$PRODUCT-$PREV_VERSION$PREV_VERSION_SUFFIX.source.tar.xz"
 FTP_URL="https://ftp.mozilla.org/pub/$PRODUCT/releases/$VERSION$VERSION_SUFFIX/source"
 FTP_CANDIDATES_BASE_URL="https://ftp.mozilla.org/pub/$PRODUCT/candidates"
 # Make first letter of PRODCUT upper case
@@ -146,48 +145,22 @@
   fi
 }
 
-function locales_parse_file() {
-  FILE="$1"
-  cat "$FILE" | python -c "import json; import sys; \
-             print('\n'.join(['{} {}'.format(key, value['revision']) \
-                for key, value in sorted(json.load(sys.stdin).items())]));"
-}
-
-function locales_parse_url() {
+function locales_parse() {
   URL="$1"
   curl -s "$URL" | python -c "import json; import sys; \
              print('\n'.join(['{} {}'.format(key, value['changeset']) \
                 for key, value in sorted(json.load(sys.stdin)['locales'].items())]));"
 }
 
-function extract_locales_file() {
-    # still need to extract the locale information from the archive
-    echo "extract locale changesets"
-    tar -xf $SOURCE_TARBALL $LOCALE_FILE
-}
-
 function locales_unchanged() {
   BUILD_ID="$1"
   PREV_BUILD_ID=$(get_build_number "$PREV_VERSION$PREV_VERSION_SUFFIX")
   # If no json-file for one of the versions can be found, we say "they changed"
   prev_url=$(locales_get "$PREV_VERSION$PREV_VERSION_SUFFIX" "$PREV_BUILD_ID") || return 1
-  prev_content=$(locales_parse_url "$prev_url") || exit 1
+  curr_url=$(locales_get "$VERSION$VERSION_SUFFIX" "$BUILD_ID")           || return 1
 
-  curr_url=$(locales_get "$VERSION$VERSION_SUFFIX" "$BUILD_ID")
-  if [ $? -ne 0 ]; then
-    # We did not find a locales file upstream on the servers
-    if [ -e $SOURCE_TARBALL ]; then
-        # We can find out what the locales are, by extracting the json-file from the tar-ball
-        # instead of getting it from the server
-        extract_locales_file || return 1
-        curr_content=$(locales_parse_file "$LOCALE_FILE") || exit 1
-      else 
-        # We can't know what the locales are in the current version
-        return 1
-      fi
-  else
-    curr_content=$(locales_parse_url "$curr_url") || exit 1
-  fi
+  prev_content=$(locales_parse "$prev_url") || exit 1
+  curr_content=$(locales_parse "$curr_url") || exit 1
 
   diff -y --suppress-common-lines -d <(echo "$prev_content") <(echo "$curr_content")
 }
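Review bot: In the new locales_parse(), `curl -s "$URL" | python -c ...` runs curl without `--fail`, so an HTTP error page is handed straight to the JSON parser, and unless pipefail is set elsewhere in the script the pipeline's status is python's, not curl's. Use `curl -sSf` and check the download status so a failed fetch is reported as such rather than as a Python traceback. With the tarball fallback removed, locales_unchanged() also treats a missing JSON URL as "changed" through `|| return 1`, while a download or parse failure still aborts the whole script through `|| exit 1`; returning 1 in both cases would match the comment above ("we say they changed").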
@@ -238,7 +211,9 @@
 # we might have an upstream archive already and can skip the checkout
 if [ -e $SOURCE_TARBALL ]; then
   if [ -z ${SKIP_LOCALES+x} ] && [ $LOCALES_CHANGED -ne 0 ]; then
-    extract_locales_file
+    # still need to extract the locale information from the archive
+    echo "extract locale changesets"
+    tar -xf $SOURCE_TARBALL $LOCALE_FILE
   fi
   get_source_stamp "$BUILD_ID"
 else
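Review bot: The inlined `tar -xf $SOURCE_TARBALL $LOCALE_FILE` leaves both expansions unquoted and its exit status unchecked, so unless the script runs under `set -e` a tarball that lacks the locale file lets execution continue to get_source_stamp without the file having been extracted. Quote the variables and stop on failure, for example `tar -xf "$SOURCE_TARBALL" "$LOCALE_FILE" || exit 1`. The same quoting applies to the `[ -e $SOURCE_TARBALL ]` test in the context line above.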
@@ -353,11 +328,3 @@
   echo "Moving l10n-$PREV_VERSION$PREV_VERSION_SUFFIX.tar.xz to l10n-$VERSION$VERSION_SUFFIX.tar.xz"
   mv "l10n-$PREV_VERSION$PREV_VERSION_SUFFIX.tar.xz" "l10n-$VERSION$VERSION_SUFFIX.tar.xz"
 fi
-
-if [ -e $PREV_SOURCE_TARBALL ]; then
-    echo ""
-    echo "Deleting old sources tarball $PREV_SOURCE_TARBALL"
-    $(ask_cont_abort_question "Is this ok?") || exit 0
-    rm "$PREV_SOURCE_TARBALL"
-    rm "$PREV_SOURCE_TARBALL.asc"
-fi
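Review bot: Dropping the interactive cleanup of $PREV_SOURCE_TARBALL and its .asc signature changes what the script leaves behind for whoever runs it, but neither the commit message nor the .changes entries mention it. Old tarballs and signatures now stay in the working directory until they are removed by hand; add a changelog line or a comment in the script stating that this is intentional.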
--- a/MozillaFirefox/tar_stamps	Sun May 01 18:18:56 2022 +0200
+++ b/MozillaFirefox/tar_stamps	Sun Jun 12 16:05:04 2022 +0200
@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="release"
-VERSION="99.0.1"
+VERSION="101.0.1"
 VERSION_SUFFIX=""
-PREV_VERSION="99.0"
+PREV_VERSION="101.0"
 PREV_VERSION_SUFFIX=""
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="0f814a8ab240bb6df6bbc5a88865f979e03f0f68"
-RELEASE_TIMESTAMP="20220411174855"
+RELEASE_TAG="c66093146ac832a0748f0f8a31139664abf73a42"
+RELEASE_TIMESTAMP="20220608170832"
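Review bot: RELEASE_TAG is a bare 40-character changeset hash, and nothing in the file records which upstream release tag it was resolved from, so the pin cannot be checked against VERSION="101.0.1" by reading the diff. If this file is written by create-tar.sh, have the script emit the tag name next to the hash; if it is edited by hand, add a trailing comment naming the tag, so that a mismatched bump is visible in review.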
--- a/mozilla-kde.patch	Sun May 01 18:18:56 2022 +0200
+++ b/mozilla-kde.patch	Sun Jun 12 16:05:04 2022 +0200
@@ -3,7 +3,7 @@
 # Date 1559294891 -7200
 #      Fri May 31 11:28:11 2019 +0200
 # Node ID c2aa7198fb925e7fde96abf65b6f68b9b755f112
-# Parent  8d1110b6918acc4e7d3f655d1e55f4b4ff630abe
+# Parent  eeedc49c16aba3b50d1547315a88091a1c765904
 Description: Add KDE integration to Firefox (toolkit parts)
 Author: Wolfgang Rosenauer <wolfgang@rosenauer.org>
 Author: Lubos Lunak <lunak@suse.com>
@@ -13,12 +13,12 @@
 diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp
 --- a/modules/libpref/Preferences.cpp
 +++ b/modules/libpref/Preferences.cpp
-@@ -84,16 +84,17 @@
- #include "plbase64.h"
+@@ -88,16 +88,17 @@
  #include "PLDHashTable.h"
  #include "plstr.h"
  #include "prlink.h"
  #include "xpcpublic.h"
+ #include "js/RootingAPI.h"
  #ifdef MOZ_BACKGROUNDTASKS
  #  include "mozilla/BackgroundTasks.h"
  #endif
@@ -31,7 +31,7 @@
  #ifdef MOZ_MEMORY
  #  include "mozmemory.h"
  #endif
-@@ -4634,16 +4635,27 @@ nsresult Preferences::InitInitialObjects
+@@ -4767,16 +4768,27 @@ nsresult Preferences::InitInitialObjects
      "unix.js"
  #  if defined(_AIX)
      ,
@@ -59,7 +59,7 @@
  
    // Load jar:$app/omni.jar!/defaults/preferences/*.js
    // or jar:$gre/omni.jar!/defaults/preferences/*.js.
-@@ -4708,17 +4720,17 @@ nsresult Preferences::InitInitialObjects
+@@ -4841,17 +4853,17 @@ nsresult Preferences::InitInitialObjects
        }
  
        nsCOMPtr<nsIFile> path = do_QueryInterface(elem);
@@ -81,7 +81,7 @@
 diff --git a/modules/libpref/moz.build b/modules/libpref/moz.build
 --- a/modules/libpref/moz.build
 +++ b/modules/libpref/moz.build
-@@ -118,16 +118,20 @@ EXPORTS.mozilla += [
+@@ -120,16 +120,20 @@ EXPORTS.mozilla += [
  ]
  EXPORTS.mozilla += sorted(["!" + g for g in gen_h])
  
@@ -828,7 +828,7 @@
      ]
  elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "windows":
      UNIFIED_SOURCES += [
-@@ -126,16 +128,17 @@ include("/ipc/chromium/chromium-config.m
+@@ -130,16 +132,17 @@ include("/ipc/chromium/chromium-config.m
  FINAL_LIBRARY = "xul"
  
  LOCAL_INCLUDES += [
@@ -1263,7 +1263,7 @@
 diff --git a/widget/gtk/moz.build b/widget/gtk/moz.build
 --- a/widget/gtk/moz.build
 +++ b/widget/gtk/moz.build
-@@ -136,16 +136,17 @@ FINAL_LIBRARY = "xul"
+@@ -154,16 +154,17 @@ FINAL_LIBRARY = "xul"
  
  LOCAL_INCLUDES += [
      "/layout/base",
@@ -1277,7 +1277,7 @@
      "/widget/headless",
  ]
  
- if CONFIG["MOZ_X11"]:
+ if CONFIG["MOZ_X11"] or CONFIG["MOZ_WAYLAND"]:
      LOCAL_INCLUDES += [
          "/widget/x11",
      ]
@@ -1825,7 +1825,7 @@
  #  include "prmem.h"
  #  include "plbase64.h"
  
-@@ -2071,62 +2072,77 @@ nsLocalFile::SetPersistentDescriptor(con
+@@ -2071,20 +2072,29 @@ nsLocalFile::SetPersistentDescriptor(con
  
  NS_IMETHODIMP
  nsLocalFile::Reveal() {
@@ -1834,47 +1834,10 @@
    }
  
  #ifdef MOZ_WIDGET_GTK
--  nsCOMPtr<nsIGIOService> giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID);
++  nsAutoCString url;
+   nsCOMPtr<nsIGIOService> giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID);
 -  if (!giovfs) {
--    return NS_ERROR_FAILURE;
--  }
-+  nsAutoCString url;
- 
-   bool isDirectory;
-   if (NS_FAILED(IsDirectory(&isDirectory))) {
-     return NS_ERROR_FAILURE;
-   }
- 
-+  nsCOMPtr<nsIGIOService> giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID);
-   if (isDirectory) {
--    return giovfs->ShowURIForInput(mPath);
-+    url = mPath;
-   }
-   if (NS_SUCCEEDED(giovfs->OrgFreedesktopFileManager1ShowItems(mPath))) {
-     return NS_OK;
-   }
-   nsCOMPtr<nsIFile> parentDir;
-   nsAutoCString dirPath;
-   if (NS_FAILED(GetParent(getter_AddRefs(parentDir)))) {
-     return NS_ERROR_FAILURE;
-   }
-   if (NS_FAILED(parentDir->GetNativePath(dirPath))) {
-     return NS_ERROR_FAILURE;
-   }
- 
--  return giovfs->ShowURIForInput(dirPath);
-+  url = dirPath;
- #elif defined(MOZ_WIDGET_COCOA)
-   CFURLRef url;
-   if (NS_SUCCEEDED(GetCFURL(&url))) {
-     nsresult rv = CocoaFileUtils::RevealFileInFinder(url);
-     ::CFRelease(url);
-     return rv;
-   }
-   return NS_ERROR_FAILURE;
- #else
-   return NS_ERROR_FAILURE;
- #endif
++  url = mPath;
 +  if(nsKDEUtils::kdeSupport()) {
 +    nsTArray<nsCString> command;
 +    command.AppendElement( "REVEAL"_ns );
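Review bot: In the refreshed nsLocalFile::Reveal() hunk, `url` is declared and then unconditionally set with `url = mPath;`, now that the directory and parent-directory branches that used to choose its value are gone from the patch. At this point it is only a copy of mPath, and the GIO path no longer uses it. Pass mPath directly, as Launch() does with `command.AppendElement( mPath )`, and drop the local.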
@@ -1883,10 +1846,18 @@
 +  }
 +
 +  if (!giovfs)
-+    return NS_ERROR_FAILURE;
+     return NS_ERROR_FAILURE;
+-  }
 +
-+  return giovfs->ShowURIForInput(url);
- }
+   return giovfs->RevealFile(this);
+ #elif defined(MOZ_WIDGET_COCOA)
+   CFURLRef url;
+   if (NS_SUCCEEDED(GetCFURL(&url))) {
+     nsresult rv = CocoaFileUtils::RevealFileInFinder(url);
+     ::CFRelease(url);
+     return rv;
+   }
+@@ -2096,16 +2106,23 @@ nsLocalFile::Reveal() {
  
  NS_IMETHODIMP
  nsLocalFile::Launch() {
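Review bot: The giovfs null check in Reveal() is rewritten from upstream's braced `if (!giovfs) {` ... `}` into an unbraced `if (!giovfs)`, which the patch then has to carry as extra -/+ lines on every refresh and which differs from the braced check kept in Launch(). Insert the KDE block ahead of the upstream check and leave the check itself untouched, so this part of the patch only adds lines.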
@@ -1901,11 +1872,12 @@
 +    command.AppendElement( mPath );
 +    return nsKDEUtils::command( command ) ? NS_OK : NS_ERROR_FAILURE;
 +  }
++
    nsCOMPtr<nsIGIOService> giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID);
    if (!giovfs) {
      return NS_ERROR_FAILURE;
    }
  
-   return giovfs->ShowURIForInput(mPath);
+   return giovfs->LaunchFile(mPath);
  #elif defined(MOZ_WIDGET_ANDROID)
    // Not supported on GeckoView
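Review bot: In Launch(), the KDE branch ends with `return nsKDEUtils::command( command ) ? NS_OK : NS_ERROR_FAILURE;`, so a failing helper ends the call instead of falling through to `giovfs->LaunchFile(mPath)`. If that is intended, say so in a comment in the patch; otherwise return early only on success and let the GIO path handle the failure case.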
--- a/mozilla-silence-no-return-type.patch	Sun May 01 18:18:56 2022 +0200
+++ b/mozilla-silence-no-return-type.patch	Sun Jun 12 16:05:04 2022 +0200
@@ -1,10 +1,10 @@
 # HG changeset patch
-# Parent  1191efd2ea64c4081a1825176a50e872a525d4da
+# Parent  6d59717f59a1c0dc50140e750d665c7e98de3e66
 
 diff --git a/Cargo.lock b/Cargo.lock
 --- a/Cargo.lock
 +++ b/Cargo.lock
-@@ -2196,18 +2196,16 @@ name = "glsl-to-cxx"
+@@ -2207,18 +2207,16 @@ name = "glsl-to-cxx"
  version = "0.1.0"
  dependencies = [
   "glsl",
@@ -26,16 +26,15 @@
 diff --git a/Cargo.toml b/Cargo.toml
 --- a/Cargo.toml
 +++ b/Cargo.toml
-@@ -106,13 +106,13 @@ moz_asserts = { path = "mozglue/static/r
- async-task = { git = "https://github.com/smol-rs/async-task", rev="f6488e35beccb26eb6e85847b02aa78a42cd3d0e" }
- chardetng = { git = "https://github.com/hsivonen/chardetng", rev="3484d3e3ebdc8931493aa5df4d7ee9360a90e76b" }
+@@ -109,12 +109,13 @@ chardetng = { git = "https://github.com/
  chardetng_c = { git = "https://github.com/hsivonen/chardetng_c", rev="ed8a4c6f900a90d4dbc1d64b856e61490a1c3570" }
  coremidi = { git = "https://github.com/chris-zen/coremidi.git", rev="fc68464b5445caf111e41f643a2e69ccce0b4f83" }
+ fog = { path = "toolkit/components/glean/api" }
  libudev-sys = { path = "dom/webauthn/libudev-sys" }
- packed_simd = { git = "https://github.com/hsivonen/packed_simd", rev="8b4bd7d8229660a749dbe419a57ea01df9de5453" }
+ packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/packed_simd", rev="c149d0a519bf878567c7630096737669ec2ff15f" }
  midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" }
  minidump_writer_linux = { git = "https://github.com/msirringhaus/minidump_writer_linux.git", rev = "029ac0d54b237f27dc7d8d4e51bc0fb076e5e852" }
--
+ 
 +glslopt = { path = "third_party/rust/glslopt/" }
  # Patch mio 0.6 to use winapi 0.3 and miow 0.3, getting rid of winapi 0.2.
  # There is not going to be new version of mio 0.6, mio now being >= 0.7.11.
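Review bot: The `glslopt = { path = "third_party/rust/glslopt/" }` override is added without any comment and is glued to the "# Patch mio 0.6 ..." comment that follows it, so a reader scanning the [patch] entries gets no hint why this crate is redirected. Add a one-line comment stating why glslopt is pointed at the in-tree copy, and separate it from the mio comment with a blank line.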