# HG changeset patch # User Wolfgang Rosenauer # Date 1496563013 -7200 # Node ID 214d22b0c31c98ecf53b1218e66016e18d8447ff # Parent 453d34bf1834c05b2f2f3375e2688a328dd60b20# Parent 224d8137f02ca1a9875eef87208d71dd951204ca merge from firefox53 diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Mon Apr 17 09:40:14 2017 +0200 +++ b/MozillaFirefox/MozillaFirefox.changes Sun Jun 04 09:56:53 2017 +0200 @@ -1,7 +1,22 @@ ------------------------------------------------------------------- -Mon Apr 17 07:39:42 UTC 2017 - wr@rosenauer.org - -- update to Firefox 53.0b10 +Thu Jun 1 04:25:05 UTC 2017 - kah0922@gmail.com + +- remove -fno-inline-small-functions and explicitely optimize with + -O2 for openSUSE > 13.2/Leap 42 to work with gcc7 (boo#1040105) + +------------------------------------------------------------------- +Wed Apr 26 12:37:38 UTC 2017 - wr@rosenauer.org + +- switch to Mozilla's geolocation service (boo#1026989) +- removed mozilla-preferences.patch obsoleted by overriding via + firefox.js +- fixed KDE integration to avoid crash caused by filepicker + (boo#1015998) + +------------------------------------------------------------------- +Mon Apr 17 12:52:10 UTC 2017 - wr@rosenauer.org + +- update to Firefox 53.0 * requires NSS 3.29.5 * Lightweight themes are now applied in private browsing windows * Reader Mode now displays estimated reading time for the page 
@@ -15,6 +30,86 @@ * Media playback on new tabs is blocked until the tab is visible * Permission notifications have a cleaner design and cannot be easily missed + MFSA 2017-10 + * CVE-2017-5456 (bmo#1344415) + Sandbox escape allowing local file system access + * CVE-2017-5442 (bmo#1347979) + Use-after-free during style changes + * CVE-2017-5443 (bmo#1342661) + Out-of-bounds write during BinHex decoding + * CVE-2017-5429 (bmo#1341096, bmo#1342823, bmo#1343261, bmo#1348894, + bmo#1348941, bmo#1349340, bmo#1350844, bmo#1352926, bmo#1353088) + Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and + Firefox ESR 52.1 + * CVE-2017-5464 (bmo#1347075) + Memory corruption with accessibility and DOM manipulation + * CVE-2017-5465 (bmo#1347617) + Out-of-bounds read in ConvolvePixel + * CVE-2017-5466 (bmo#1353975) + Origin confusion when reloading isolated data:text/html URL + * CVE-2017-5467 (bmo#1347262) + Memory corruption when drawing Skia content + * CVE-2017-5460 (bmo#1343642) + Use-after-free in frame selection + * CVE-2017-5461 (bmo#1344380) + Out-of-bounds write in Base64 encoding in NSS + * CVE-2017-5448 (bmo#1346648) + Out-of-bounds write in ClearKeyDecryptor + * CVE-2017-5449 (bmo#1340127) + Crash during bidirectional unicode manipulation with animation + * CVE-2017-5446 (bmo#1343505) + Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data + * CVE-2017-5447 (bmo#1343552) + Out-of-bounds read during glyph processing + * CVE-2017-5444 (bmo#1344461) + Buffer overflow while parsing application/http-index-format content + * CVE-2017-5445 (bmo#1344467) + Uninitialized values used while parsing application/http-index-format + content + * CVE-2017-5468 (bmo#1329521) + Incorrect ownership model for Private Browsing information + * CVE-2017-5469 (bmo#1292534) + Potential Buffer overflow in flex-generated code + * CVE-2017-5440 (bmo#1336832) + Use-after-free in txExecutionState destructor during XSLT processing + * CVE-2017-5441 (bmo#1343795) + 
Use-after-free with selection during scroll events + * CVE-2017-5439 (bmo#1336830) + Use-after-free in nsTArray Length() during XSLT processing + * CVE-2017-5438 (bmo#1336828) + Use-after-free in nsAutoPtr during XSLT processing + * CVE-2017-5437 (bmo#1343453) + Vulnerabilities in Libevent library + * CVE-2017-5436 (bmo#1345461) + Out-of-bounds write with malicious font in Graphite 2 + * CVE-2017-5435 (bmo#1350683) + Use-after-free during transaction processing in the editor + * CVE-2017-5434 (bmo#1349946) + Use-after-free during focus handling + * CVE-2017-5433 (bmo#1347168) + Use-after-free in SMIL animation functions + * CVE-2017-5432 (bmo#1346654) + Use-after-free in text input selection + * CVE-2017-5430 (bmo#1329796, bmo#1337418, bmo#1339722, bmo#1340482, + bmo#1342101, bmo#1344081, bmo#1344305, bmo#1344686, + bmo#1346140, bmo#1346419, bmo#1348143, bmo#1349621, + bmo#1349719, bmo#1353476) + Memory safety bugs fixed in Firefox 53 and Firefox ESR 52.1 + * CVE-2017-5459 (bmo#1333858) + Buffer overflow in WebGL + * CVE-2017-5458 (bmo#1229426) + Drag and drop of javascript: URLs can allow for self-XSS + * CVE-2017-5455 (bmo#1341191) + Sandbox escape through internal feed reader APIs + * CVE-2017-5454 (bmo#1349276) + Sandbox escape allowing file system read access through file picker + * CVE-2017-5451 (bmo#1273537) + Addressbar spoofing with onblur event + * CVE-2017-5453 (bmo#1321247) + HTML injection into RSS Reader feed preview page through + TITLE element + * CVE-2017-5462 (bmo#1345089) + DRBG flaw in NSS - removed browser(npapi) provides as these plugins are deprecated - switch used compiler to gcc5 (FF requires gcc >= 4.9 now) for Leap 42 diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/MozillaFirefox.spec --- a/MozillaFirefox/MozillaFirefox.spec Mon Apr 17 09:40:14 2017 +0200 +++ b/MozillaFirefox/MozillaFirefox.spec Sun Jun 04 09:56:53 2017 +0200 
@@ -18,10 +18,11 @@ # changed with every update -%define major 52 +%define major 53 %define mainver %major.99 %define update_channel beta -%define releasedate 20170404000000 +%define branding 1 +%define releasedate 20170602000000 # PIE, full relro (x86_64 for now) %define build_hardened 1 @@ -33,15 +34,9 @@ %endif # general build definitions -%if "%{update_channel}" != "aurora" %define progname firefox %define pkgname MozillaFirefox %define appname Firefox -%else -%define progname firefox-dev -%define pkgname firefox-dev-edition -%define appname Firefox Developer Edition -%endif %define progdir %{_prefix}/%_lib/%{progname} %define gnome_dir %{_prefix} %define desktop_file_name %{progname} @@ -54,11 +49,6 @@ # Note: these are for the openSUSE Firefox builds ONLY. For your own distribution, # please get your own set of keys. %define _google_api_key AIzaSyD1hTe85_a14kr1Ks8T3Ce75rvbR1_Dx7Q -%if %update_channel == "aurora" -%define branding 0 -%else -%define branding 1 -%endif %define localize 1 %ifarch %ix86 x86_64 %define crashreporter 1 @@ -117,10 +107,8 @@ Provides: firefox = %{version}-%{release} %endif Provides: web_browser -%if "%{update_channel}" != "aurora" Provides: appdata() Provides: appdata(firefox.appdata.xml) -%endif # this is needed to match this package with the kde4 helper package without the main package # having a hard requirement on the kde4 package %define kde_helper_version 6 @@ -147,11 +135,11 @@ Source15: firefox-appdata.xml Source16: MozillaFirefox.changes Source17: l10n_changesets.txt +Source18: mozilla-api-key # Gecko/Toolkit Patch1: mozilla-nongnome-proxies.patch Patch2: mozilla-shared-nss-db.patch Patch3: mozilla-kde.patch -Patch4: mozilla-preferences.patch Patch5: mozilla-language.patch Patch6: mozilla-ntlm-full-path.patch Patch7: mozilla-openaes-decl.patch 
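Review bot: The `Source18: mozilla-api-key` line adds a second service credential to the package without the caveat that sits above `_google_api_key` ("these are for the openSUSE Firefox builds ONLY"). The key value itself is committed as a one-line file later in this changeset. That file is handed as-is to `--with-mozilla-api-keyfile=%{SOURCE18}` and presumably cannot carry a comment, so the ownership note belongs here, e.g. `# Source18: openSUSE's key for Mozilla's location service; other distributions must request their own`. Since the key is public in the repository and is referenced from the `geo.wifi.uri` pref in firefox.js, it should be treated as a rotatable, quota-limited identifier rather than a secret.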
@@ -179,6 +167,7 @@ %if 0%{?suse_version} < 1220 Obsoletes: libproxy1-pacrunner-mozjs <= 0.4.7 %endif +##BuildArch: i686 x86_64 aarch64 ppc64le %description Mozilla Firefox is a standalone web browser, designed for standards @@ -261,12 +250,13 @@ %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 %patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 -#%patch9 -p1 +%ifarch %ix86 +%patch9 -p1 +%endif %patch10 -p1 # Firefox %patch101 -p1 @@ -299,9 +289,9 @@ export CC=gcc-5 %endif export CFLAGS="%{optflags} -fno-strict-aliasing" -# boo#986541: add -fno-delete-null-pointer-checks and -fno-inline-small-functions for gcc6 +# boo#986541: add -fno-delete-null-pointer-checks for gcc6 %if 0%{?suse_version} > 1320 -export CFLAGS="$CFLAGS -fno-delete-null-pointer-checks -fno-inline-small-functions" +export CFLAGS="$CFLAGS -fno-delete-null-pointer-checks" %endif %ifarch %arm export CFLAGS="${CFLAGS/-g / }" @@ -338,6 +328,10 @@ %if 0%{?build_hardened} ac_add_options --enable-pie %endif +# gcc7 (boo#104105) +%if 0%{?suse_version} > 1320 +ac_add_options --enable-optimize="-g -O2" +%endif %ifarch %ix86 %arm %if 0%{?suse_version} > 1230 ac_add_options --disable-optimize @@ -361,6 +355,7 @@ ac_add_options --enable-startup-notification #ac_add_options --enable-chrome-format=jar ac_add_options --enable-update-channel=%{update_channel} +ac_add_options --with-mozilla-api-keyfile=%{SOURCE18} %if %branding ac_add_options --enable-official-branding %endif @@ -465,10 +460,8 @@ mkdir -p %{buildroot}%{_datadir}/mime/packages cp %{SOURCE8} %{buildroot}%{_datadir}/mime/packages/%{progname}.xml # appdata -%if "%{update_channel}" != "aurora" mkdir -p %{buildroot}%{_datadir}/appdata cp %{SOURCE15} %{buildroot}%{_datadir}/appdata/%{desktop_file_name}.appdata.xml -%endif # install man-page mkdir -p %{buildroot}%{_mandir}/man1/ cp %{SOURCE11} %{buildroot}%{_mandir}/man1/%{progname}.1 
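Review bot: The added `##BuildArch: i686 x86_64 aarch64 ppc64le` line before `%description` is double-commented dead text with no explanation. `BuildArch` is also not the tag that restricts which architectures a package is built for; that is `ExclusiveArch`. If the intent is only to record the supported targets, say so, e.g. `# supported targets (not enforced): i686 x86_64 aarch64 ppc64le`, or drop the line.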
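Review bot: `%patch9` changes from commented out to applied on `%ix86` only, and neither the spec nor the changelog entry in this changeset says why it is needed again or why only on 32-bit x86. A one-line comment above the `%ifarch %ix86` would record that, e.g. `# Patch9 is only required on 32-bit x86 (reason / bug reference)`. The patch itself is not part of this diff, so its content could not be checked.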
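Review bot: The comment `# gcc7 (boo#104105)` cites a different bug number than the changelog entry for the same change, which gives boo#1040105; the spec comment looks like the one missing a digit. On `%ix86` and `%arm` with `suse_version > 1320`, the new block emits `--enable-optimize="-g -O2"` while the `%ifarch %ix86 %arm` block directly below still emits `--disable-optimize`. The generated mozconfig then carries two contradictory options, and the outcome depends on which one configure honours last. Wrapping the new block in `%ifnarch %ix86 %arm` would make the intent explicit; the existing conditional continues outside this hunk, so its full shape is not visible here.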
@@ -613,9 +606,7 @@ %{gnome_dir}/share/icons/hicolor/ %{_bindir}/%{progname} %doc %{_mandir}/man1/%{progname}.1.gz -%if "%{update_channel}" != "aurora" %{_datadir}/appdata/ -%endif %files devel %defattr(-,root,root) diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/create-tar.sh --- a/MozillaFirefox/create-tar.sh Mon Apr 17 09:40:14 2017 +0200 +++ b/MozillaFirefox/create-tar.sh Sun Jun 04 09:56:53 2017 +0200 @@ -7,8 +7,8 @@ CHANNEL="beta" BRANCH="releases/mozilla-$CHANNEL" -RELEASE_TAG="FIREFOX_53_0b10_RELEASE" -VERSION="52.99" +RELEASE_TAG="FIREFOX_54_0b13_RELEASE" +VERSION="53.99" # mozilla if [ -d mozilla ]; then diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/firefox.js --- a/MozillaFirefox/firefox.js Mon Apr 17 09:40:14 2017 +0200 +++ b/MozillaFirefox/firefox.js Sun Jun 04 09:56:53 2017 +0200 @@ -1,1 +1,3 @@ +pref("intl.locale.matchOS", true); pref("browser.preferences.instantApply", true); +pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/l10n_changesets.txt --- a/MozillaFirefox/l10n_changesets.txt Mon Apr 17 09:40:14 2017 +0200 +++ b/MozillaFirefox/l10n_changesets.txt Sun Jun 04 09:56:53 2017 +0200 @@ -31,7 +31,7 @@ ff fd37d118280c fi db0a67c30074 fr 54307652740e -fy-NL c4757daf69d7 +fy-NL 085a47bc877c ga-IE 8d20d03ac938 gd fc9ab54d84a9 gl 849e4e3a3fc9 @@ -46,8 +46,8 @@ id f390b2688780 is 9ee7f7c99512 it ed1aa37dd8c7 -ja 3ef479bfde1a -ja-JP-mac 80958cf82100 +ja ed7c7ca5cbd2 +ja-JP-mac c95055d36190 ka 3b036c9e61a6 kab 364adce77c72 kk 08696f7c8a1a diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/mozilla-api-key --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/MozillaFirefox/mozilla-api-key Sun Jun 04 09:56:53 2017 +0200 @@ -0,0 +1,1 @@ +4605624048be48fda932495844d16fbb diff -r 453d34bf1834 -r 214d22b0c31c MozillaFirefox/mozilla-preferences.patch 
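Review bot: The new `geo.wifi.uri` pref only works when the build is configured with `--with-mozilla-api-keyfile`, which the spec adds in this changeset, and nothing in firefox.js records that dependency. A build without the key file would, as far as I can tell, still ship this URL with a placeholder key. A comment above the pref would capture both the reason and the dependency, e.g. `// boo#1026989: use Mozilla's location service; %MOZILLA_API_KEY% comes from the key file named in the spec`. The added `intl.locale.matchOS` line replaces the deleted mozilla-preferences.patch and deserves the same treatment: `// use the system locale when available (formerly mozilla-preferences.patch)`.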
--- a/MozillaFirefox/mozilla-preferences.patch Mon Apr 17 09:40:14 2017 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1 +0,0 @@ -../mozilla-preferences.patch \ No newline at end of file diff -r 453d34bf1834 -r 214d22b0c31c firefox-branded-icons.patch diff -r 453d34bf1834 -r 214d22b0c31c firefox-kde.patch diff -r 453d34bf1834 -r 214d22b0c31c firefox-no-default-ualocale.patch diff -r 453d34bf1834 -r 214d22b0c31c mozilla-kde.patch --- a/mozilla-kde.patch Mon Apr 17 09:40:14 2017 +0200 +++ b/mozilla-kde.patch Sun Jun 04 09:56:53 2017 +0200 @@ -1,5 +1,5 @@ # HG changeset patch -# Parent 2b1505c8ca6fc80da9cf517b029a93c452cb9876 +# Parent 564e9441f71b5bc368c33697428f756f5914eb04 Description: Add KDE integration to Firefox (toolkit parts) Author: Wolfgang Rosenauer Author: Lubos Lunak @@ -3325,7 +3325,7 @@ mFilters.AppendElement(filter); mFilterNames.AppendElement(name); -@@ -371,16 +375,32 @@ nsFilePicker::Show(int16_t *aReturn) +@@ -371,16 +375,34 @@ nsFilePicker::Show(int16_t *aReturn) NS_IMETHODIMP nsFilePicker::Open(nsIFilePickerShownCallback *aCallback) @@ -3339,6 +3339,7 @@ + int16_t result; + mCallback = aCallback; + mRunning = true; ++ NS_ADDREF_THIS(); + kdeFileDialog(&result); + if (mCallback) { + mCallback->Done(result); @@ -3347,6 +3348,7 @@ + mResult = result; + } + mRunning = false; ++ NS_RELEASE_THIS(); + return NS_OK; + } + @@ -3358,7 +3360,7 @@ GtkFileChooserAction action = GetGtkFileChooserAction(mMode); -@@ -603,8 +623,235 @@ nsFilePicker::Done(GtkWidget* file_choos +@@ -603,8 +625,235 @@ nsFilePicker::Done(GtkWidget* file_choos if (mCallback) { mCallback->Done(result); mCallback = nullptr; diff -r 453d34bf1834 -r 214d22b0c31c mozilla-preferences.patch --- a/mozilla-preferences.patch Mon Apr 17 09:40:14 2017 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
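Review bot: The `NS_ADDREF_THIS()` / `NS_RELEASE_THIS()` pair added around `kdeFileDialog(&result)` in `nsFilePicker::Open` is a manual pairing that is easy to unbalance: any `return` later added between the two calls leaks the picker. Nothing states why the extra reference is taken. Presumably `mCallback->Done(result)` can drop the last outside reference, so that the following `mRunning = false` would otherwise write to a freed object. A scoped strong reference gives the same lifetime guarantee without the pairing: `RefPtr<nsFilePicker> kungFuDeathGrip(this);` placed before `mCallback = aCallback;`, with a comment such as `// Done() may release the last external reference to this picker`. The condition guarding this KDE branch and the rest of the function are outside the hunk, so this is based on the visible lines only.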
@@ -1,32 +0,0 @@
-From: Wolfgang Rosenauer
-Subject: use system locale if available
-This setting used to live in the branding-openSUSE package but this is causing too much
-confusion and therefore is currently the only setting we switch in the unbranded
-package unconditionally.
-
-# HG changeset patch
-# Parent 8c1bfc96b05ef1836aad6e9f2af323f63ed1b69c
-# Parent 35b625807600ea4a5a3c49bd1cab22fac5188406
-
-diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
---- a/modules/libpref/init/all.js
-+++ b/modules/libpref/init/all.js
-@@ -1790,17 +1790,17 @@ pref("converter.html2txt.always_include_
-
- pref("intl.accept_languages", "chrome://global/locale/intl.properties");
- pref("intl.menuitems.alwaysappendaccesskeys","chrome://global/locale/intl.properties");
- pref("intl.menuitems.insertseparatorbeforeaccesskeys","chrome://global/locale/intl.properties");
- pref("intl.charset.detector", "chrome://global/locale/intl.properties");
- pref("intl.charset.fallback.override", "");
- pref("intl.charset.fallback.tld", true);
- pref("intl.ellipsis", "chrome://global-platform/locale/intl.properties");
--pref("intl.locale.matchOS", false);
-+pref("intl.locale.matchOS", true);
- // fallback charset list for Unicode conversion (converting from Unicode)
- // currently used for mail send only to handle symbol characters (e.g Euro, trademark, smartquotes)
- // for ISO-8859-1
- pref("intl.fallbackCharsetList.ISO-8859-1", "windows-1252");
- pref("font.language.group", "chrome://global/locale/intl.properties");
-
- // Android-specific pref to use key-events-only mode for IME-unaware webapps.
- #ifdef MOZ_WIDGET_ANDROID
diff -r 453d34bf1834 -r 214d22b0c31c series
--- a/series Mon Apr 17 09:40:14 2017 +0200
+++ b/series Sun Jun 04 09:56:53 2017 +0200
@@ -2,7 +2,6 @@
 mozilla-nongnome-proxies.patch
 mozilla-shared-nss-db.patch
 mozilla-kde.patch
-mozilla-preferences.patch
 mozilla-language.patch
 mozilla-ntlm-full-path.patch
 mozilla-idldir.patch