# HG changeset patch # User Wolfgang Rosenauer # Date 1655042704 -7200 # Node ID 90e3d0cf8567f872d12b613acab6916911fbf4ca # Parent 56ecd2ae6e6130275631e2c2d4e97163b1e904c0 Firefox 101.x release diff -r 56ecd2ae6e61 -r 90e3d0cf8567 MozillaFirefox/MozillaFirefox.changes --- a/MozillaFirefox/MozillaFirefox.changes Sun May 01 18:18:56 2022 +0200 +++ b/MozillaFirefox/MozillaFirefox.changes Sun Jun 12 16:05:04 2022 +0200 
@@ -1,4 +1,114 @@ ------------------------------------------------------------------- +Fri Jun 10 20:45:37 UTC 2022 - Andreas Stieger + +- Mozilla Firefox 101.0.1: + * Fixed context menus not appearing when right-clicking + Picture-in-Picture windows on some Linux systems (bmo#1771914) + * Various stability fixes + +------------------------------------------------------------------- +Sun May 29 08:02:45 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Firefox 101.0 + * Reading is now easier with the prefers-contrast media query, + which allows sites to detect if the user has requested that web + content is presented with a higher (or lower) contrast + * All non-configured MIME types can now be assigned a custom + action upon download completion + * allows users to use as many microphones as you want, at the + same time, during video conferencing. The most exciting benefit + is that you can easily switch your microphones at any time + (if your conferencing service provider enables this flexibility) + MFSA 2022-20 (bsc#1200027) + * CVE-2022-31736 (bmo#1735923) + Cross-Origin resource's length leaked + * CVE-2022-31737 (bmo#1743767) + Heap buffer overflow in WebGL + * CVE-2022-31738 (bmo#1756388) + Browser window spoof using fullscreen mode + * CVE-2022-31739 (bmo#1765049) + Attacker-influenced path traversal when saving downloaded files + * CVE-2022-31740 (bmo#1766806) + Register allocation problem in WASM on arm64 + * CVE-2022-31741 (bmo#1767590) + Uninitialized variable leads to invalid memory read + * CVE-2022-31742 (bmo#1730434) + Querying a WebAuthn token with a large number of allowCredential + entries may have leaked cross-origin information + * CVE-2022-31743 (bmo#1747388) + HTML Parsing incorrectly ended HTML comments prematurely + * CVE-2022-31744 (bmo#1757604) + CSP bypass enabling stylesheet injection + * CVE-2022-31745 (bmo#1760944) + Incorrect Assertion caused by unoptimized array shift operations + * CVE-2022-1919 (bmo#1761275) + Memory Corruption when 
manipulating webp images + * CVE-2022-31747 (bmo#1760765, bmo#1765610, bmo#1766283, + bmo#1767365, bmo#1768559, bmo#1768734) + Memory safety bugs fixed in Firefox 101 and Firefox ESR 91.10 + * CVE-2022-31748 (bmo#1713773, bmo#1762201, bmo#1762469, + bmo#1762770, bmo#1764878, bmo#1765226, bmo#1765782, bmo#1765973, + bmo#1767177, bmo#1767181, bmo#1768232, bmo#1768251, bmo#1769869) + Memory safety bugs fixed in Firefox 101 +- requires + * NSS 3.78.1 + * rust-cbindgen 0.23.0 + * rust 1.59 + +------------------------------------------------------------------- +Fri May 20 15:03:50 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Firefox 100.0.2 + MFSA 2022-19 (bsc#1199768) + * CVE-2022-1802 (bmo#1770137) + Prototype pollution in Top-Level Await implementation + * CVE-2022-1529 (bmo#1770048) + Untrusted input used in JavaScript object indexing, leading + to prototype pollution + +------------------------------------------------------------------- +Wed May 18 20:27:49 UTC 2022 - Andreas Stieger + +- Mozilla Firefox 100.0.1: + * Fixed: Fixed an issue with subtitles in Picture-in-Picture + mode while using Netflix (bmo#1768818) + * Fixed: Fixed an issue where some commands were unavailable in + the Picture-in-Picture window (bmo#1768201) + +------------------------------------------------------------------- +Sun May 1 21:31:01 UTC 2022 - Wolfgang Rosenauer + +- Mozilla Firefox 100.0 + * subtitle support in PiP + * spell checking supports multiple languages in parallel + * more details here + https://www.mozilla.org/en-US/firefox/100.0/releasenotes + MFSA 2022-16 (boo#1198970) + * CVE-2022-29914 (bmo#1746448) + Fullscreen notification bypass using popups + * CVE-2022-29909 (bmo#1755081) + Bypassing permission prompt in nested browsing contexts + * CVE-2022-29916 (bmo#1760674) + Leaking browser history with CSS variables + * CVE-2022-29911 (bmo#1761981) + iframe Sandbox bypass + * CVE-2022-29912 (bmo#1692655) + Reader mode bypassed SameSite cookies + * CVE-2022-29910 (bmo#1757138) + 
Firefox for Android forgot HTTP Strict Transport Security + settings + * CVE-2022-29915 (bmo#1751678) + Leaking cross-origin redirect through the Performance API + * CVE-2022-29917 (bmo#1684739, bmo#1706441, bmo#1753298, + bmo#1762614, bmo#1762620, bmo#1764778) + Memory safety bugs fixed in Firefox 100 and Firefox ESR 91.9 + * CVE-2022-29918 (bmo#1744043, bmo#1747178, bmo#1753535, + bmo#1754017, bmo#1755847, bmo#1756172, bmo#1757477, + bmo#1758223, bmo#1760160, bmo#1761481, bmo#1761771) + Memory safety bugs fixed in Firefox 100 +- requires NSS 3.77 + +------------------------------------------------------------------- Tue Apr 12 19:30:30 UTC 2022 - Andreas Stieger - Mozilla Firefox 99.0.1 diff -r 56ecd2ae6e61 -r 90e3d0cf8567 MozillaFirefox/MozillaFirefox.spec --- a/MozillaFirefox/MozillaFirefox.spec Sun May 01 18:18:56 2022 +0200 +++ b/MozillaFirefox/MozillaFirefox.spec Sun Jun 12 16:05:04 2022 +0200 @@ -28,9 +28,9 @@ # orig_suffix b3 # major 69 # mainver %major.99 -%define major 99 +%define major 101 %define mainver %major.0.1 -%define orig_version 99.0.1 +%define orig_version 101.0.1 %define orig_suffix %{nil} %define update_channel release %define branding 1 @@ -103,7 +103,7 @@ # Newer sle/leap/tw use parallel versioned rust releases which have # a different method for provides that we can use to request a # specific version -BuildRequires: rust+cargo >= 1.57 +BuildRequires: rust+cargo >= 1.59 %endif %if 0%{useccache} != 0 BuildRequires: ccache @@ -114,7 +114,7 @@ BuildRequires: libproxy-devel BuildRequires: makeinfo BuildRequires: mozilla-nspr-devel >= 4.33 -BuildRequires: mozilla-nss-devel >= 3.76.1 +BuildRequires: mozilla-nss-devel >= 3.78.1 BuildRequires: nasm >= 2.14 BuildRequires: nodejs >= 10.22.1 %if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000 
@@ -124,7 +124,7 @@ BuildRequires: python3 >= 3.5 BuildRequires: python3-devel %endif -BuildRequires: rust-cbindgen >= 0.19.0 +BuildRequires: rust-cbindgen >= 0.23.0 BuildRequires: unzip BuildRequires: update-desktop-files BuildRequires: xorg-x11-libXt-devel diff -r 56ecd2ae6e61 -r 90e3d0cf8567 MozillaFirefox/create-tar.sh --- a/MozillaFirefox/create-tar.sh Sun May 01 18:18:56 2022 +0200 +++ b/MozillaFirefox/create-tar.sh Sun Jun 12 16:05:04 2022 +0200 @@ -37,7 +37,6 @@ fi SOURCE_TARBALL="$PRODUCT-$VERSION$VERSION_SUFFIX.source.tar.xz" -PREV_SOURCE_TARBALL="$PRODUCT-$PREV_VERSION$PREV_VERSION_SUFFIX.source.tar.xz" FTP_URL="https://ftp.mozilla.org/pub/$PRODUCT/releases/$VERSION$VERSION_SUFFIX/source" FTP_CANDIDATES_BASE_URL="https://ftp.mozilla.org/pub/$PRODUCT/candidates" # Make first letter of PRODCUT upper case 
@@ -146,48 +145,22 @@ fi } -function locales_parse_file() { - FILE="$1" - cat "$FILE" | python -c "import json; import sys; \ - print('\n'.join(['{} {}'.format(key, value['revision']) \ - for key, value in sorted(json.load(sys.stdin).items())]));" -} - -function locales_parse_url() { +function locales_parse() { URL="$1" curl -s "$URL" | python -c "import json; import sys; \ print('\n'.join(['{} {}'.format(key, value['changeset']) \ for key, value in sorted(json.load(sys.stdin)['locales'].items())]));" } -function extract_locales_file() { - # still need to extract the locale information from the archive - echo "extract locale changesets" - tar -xf $SOURCE_TARBALL $LOCALE_FILE -} - function locales_unchanged() { BUILD_ID="$1" PREV_BUILD_ID=$(get_build_number "$PREV_VERSION$PREV_VERSION_SUFFIX") # If no json-file for one of the versions can be found, we say "they changed" prev_url=$(locales_get "$PREV_VERSION$PREV_VERSION_SUFFIX" "$PREV_BUILD_ID") || return 1 - prev_content=$(locales_parse_url "$prev_url") || exit 1 + curr_url=$(locales_get "$VERSION$VERSION_SUFFIX" "$BUILD_ID") || return 1 - curr_url=$(locales_get "$VERSION$VERSION_SUFFIX" "$BUILD_ID") - if [ $? -ne 0 ]; then - # We did not find a locales file upstream on the servers - if [ -e $SOURCE_TARBALL ]; then - # We can find out what the locales are, by extracting the json-file from the tar-ball - # instead of getting it from the server - extract_locales_file || return 1 - curr_content=$(locales_parse_file "$LOCALE_FILE") || exit 1 - else - # We can't know what the locales are in the current version - return 1 - fi - else - curr_content=$(locales_parse_url "$curr_url") || exit 1 - fi + prev_content=$(locales_parse "$prev_url") || exit 1 + curr_content=$(locales_parse "$curr_url") || exit 1 diff -y --suppress-common-lines -d <(echo "$prev_content") <(echo "$curr_content") } 
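Review bot: In the renamed `locales_parse` (create-tar.sh, hunk `@@ -146,48 +145,22 @@`), `curl -s "$URL"` runs without `--fail`, so an HTTP error page or an empty body is piped straight into `json.load`, and because `-s` silences curl the only symptom is a Python traceback. This commit removes the tarball fallback, which leaves the downloaded JSON as the only input to the comparison in `locales_unchanged`, so the fetch should fail visibly: `curl -fsS "$URL" | python -c ...`. `locales_unchanged` also uses `|| return 1` for the two `locales_get` calls but `|| exit 1` for the two `locales_parse` calls, so a parse failure aborts the whole script. If that is deliberate, a comment above them would say so, for example `# a malformed locales JSON is fatal; a missing one only means "changed"`.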
@@ -238,7 +211,9 @@ # we might have an upstream archive already and can skip the checkout if [ -e $SOURCE_TARBALL ]; then if [ -z ${SKIP_LOCALES+x} ] && [ $LOCALES_CHANGED -ne 0 ]; then - extract_locales_file + # still need to extract the locale information from the archive + echo "extract locale changesets" + tar -xf $SOURCE_TARBALL $LOCALE_FILE fi get_source_stamp "$BUILD_ID" else @@ -353,11 +328,3 @@ echo "Moving l10n-$PREV_VERSION$PREV_VERSION_SUFFIX.tar.xz to l10n-$VERSION$VERSION_SUFFIX.tar.xz" mv "l10n-$PREV_VERSION$PREV_VERSION_SUFFIX.tar.xz" "l10n-$VERSION$VERSION_SUFFIX.tar.xz" fi - -if [ -e $PREV_SOURCE_TARBALL ]; then - echo "" - echo "Deleting old sources tarball $PREV_SOURCE_TARBALL" - $(ask_cont_abort_question "Is this ok?") || exit 0 - rm "$PREV_SOURCE_TARBALL" - rm "$PREV_SOURCE_TARBALL.asc" -fi diff -r 56ecd2ae6e61 -r 90e3d0cf8567 MozillaFirefox/tar_stamps --- a/MozillaFirefox/tar_stamps Sun May 01 18:18:56 2022 +0200 +++ b/MozillaFirefox/tar_stamps Sun Jun 12 16:05:04 2022 +0200 @@ -1,10 +1,10 @@ PRODUCT="firefox" CHANNEL="release" -VERSION="99.0.1" +VERSION="101.0.1" VERSION_SUFFIX="" -PREV_VERSION="99.0" +PREV_VERSION="101.0" PREV_VERSION_SUFFIX="" #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release" -RELEASE_TAG="0f814a8ab240bb6df6bbc5a88865f979e03f0f68" -RELEASE_TIMESTAMP="20220411174855" +RELEASE_TAG="c66093146ac832a0748f0f8a31139664abf73a42" +RELEASE_TIMESTAMP="20220608170832" diff -r 56ecd2ae6e61 -r 90e3d0cf8567 mozilla-kde.patch --- a/mozilla-kde.patch Sun May 01 18:18:56 2022 +0200 +++ b/mozilla-kde.patch Sun Jun 12 16:05:04 2022 +0200 
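Review bot: The inlined `tar -xf $SOURCE_TARBALL $LOCALE_FILE` in the `@@ -238,7 +211,9 @@` hunk of create-tar.sh expands both variables unquoted, so a value containing whitespace or glob characters would be split into several tar arguments. Quote them as `tar -xf "$SOURCE_TARBALL" "$LOCALE_FILE"`; the same applies to `[ -e $SOURCE_TARBALL ]` on the context line above it. The hunk does not show whether the tarball's signature has been checked by this point, so it is worth confirming that the extraction only runs on a verified archive. The enclosing `if` block continues past the end of the hunk.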
@@ -3,7 +3,7 @@ # Date 1559294891 -7200 # Fri May 31 11:28:11 2019 +0200 # Node ID c2aa7198fb925e7fde96abf65b6f68b9b755f112 -# Parent 8d1110b6918acc4e7d3f655d1e55f4b4ff630abe +# Parent eeedc49c16aba3b50d1547315a88091a1c765904 Description: Add KDE integration to Firefox (toolkit parts) Author: Wolfgang Rosenauer Author: Lubos Lunak @@ -13,12 +13,12 @@ diff --git a/modules/libpref/Preferences.cpp b/modules/libpref/Preferences.cpp --- a/modules/libpref/Preferences.cpp +++ b/modules/libpref/Preferences.cpp -@@ -84,16 +84,17 @@ - #include "plbase64.h" +@@ -88,16 +88,17 @@ #include "PLDHashTable.h" #include "plstr.h" #include "prlink.h" #include "xpcpublic.h" + #include "js/RootingAPI.h" #ifdef MOZ_BACKGROUNDTASKS # include "mozilla/BackgroundTasks.h" #endif @@ -31,7 +31,7 @@ #ifdef MOZ_MEMORY # include "mozmemory.h" #endif -@@ -4634,16 +4635,27 @@ nsresult Preferences::InitInitialObjects +@@ -4767,16 +4768,27 @@ nsresult Preferences::InitInitialObjects "unix.js" # if defined(_AIX) , @@ -59,7 +59,7 @@ // Load jar:$app/omni.jar!/defaults/preferences/*.js // or jar:$gre/omni.jar!/defaults/preferences/*.js. -@@ -4708,17 +4720,17 @@ nsresult Preferences::InitInitialObjects +@@ -4841,17 +4853,17 @@ nsresult Preferences::InitInitialObjects } nsCOMPtr path = do_QueryInterface(elem); @@ -81,7 +81,7 @@ diff --git a/modules/libpref/moz.build b/modules/libpref/moz.build --- a/modules/libpref/moz.build +++ b/modules/libpref/moz.build -@@ -118,16 +118,20 @@ EXPORTS.mozilla += [ +@@ -120,16 +120,20 @@ EXPORTS.mozilla += [ ] EXPORTS.mozilla += sorted(["!" + g for g in gen_h]) @@ -828,7 +828,7 @@ ] elif CONFIG["MOZ_WIDGET_TOOLKIT"] == "windows": UNIFIED_SOURCES += [ -@@ -126,16 +128,17 @@ include("/ipc/chromium/chromium-config.m +@@ -130,16 +132,17 @@ include("/ipc/chromium/chromium-config.m FINAL_LIBRARY = "xul" LOCAL_INCLUDES += [ @@ -1263,7 +1263,7 @@ diff --git a/widget/gtk/moz.build b/widget/gtk/moz.build --- a/widget/gtk/moz.build 
+++ b/widget/gtk/moz.build -@@ -136,16 +136,17 @@ FINAL_LIBRARY = "xul" +@@ -154,16 +154,17 @@ FINAL_LIBRARY = "xul" LOCAL_INCLUDES += [ "/layout/base", @@ -1277,7 +1277,7 @@ "/widget/headless", ] - if CONFIG["MOZ_X11"]: + if CONFIG["MOZ_X11"] or CONFIG["MOZ_WAYLAND"]: LOCAL_INCLUDES += [ "/widget/x11", ] @@ -1825,7 +1825,7 @@ # include "prmem.h" # include "plbase64.h" -@@ -2071,62 +2072,77 @@ nsLocalFile::SetPersistentDescriptor(con +@@ -2071,20 +2072,29 @@ nsLocalFile::SetPersistentDescriptor(con NS_IMETHODIMP nsLocalFile::Reveal() { @@ -1834,47 +1834,10 @@ } #ifdef MOZ_WIDGET_GTK -- nsCOMPtr giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID); ++ nsAutoCString url; + nsCOMPtr giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID); - if (!giovfs) { -- return NS_ERROR_FAILURE; -- } -+ nsAutoCString url; - - bool isDirectory; - if (NS_FAILED(IsDirectory(&isDirectory))) { - return NS_ERROR_FAILURE; - } - -+ nsCOMPtr giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID); - if (isDirectory) { -- return giovfs->ShowURIForInput(mPath); -+ url = mPath; - } - if (NS_SUCCEEDED(giovfs->OrgFreedesktopFileManager1ShowItems(mPath))) { - return NS_OK; - } - nsCOMPtr parentDir; - nsAutoCString dirPath; - if (NS_FAILED(GetParent(getter_AddRefs(parentDir)))) { - return NS_ERROR_FAILURE; - } - if (NS_FAILED(parentDir->GetNativePath(dirPath))) { - return NS_ERROR_FAILURE; - } - -- return giovfs->ShowURIForInput(dirPath); -+ url = dirPath; - #elif defined(MOZ_WIDGET_COCOA) - CFURLRef url; - if (NS_SUCCEEDED(GetCFURL(&url))) { - nsresult rv = CocoaFileUtils::RevealFileInFinder(url); - ::CFRelease(url); - return rv; - } - return NS_ERROR_FAILURE; - #else - return NS_ERROR_FAILURE; - #endif ++ url = mPath; + if(nsKDEUtils::kdeSupport()) { + nsTArray command; + command.AppendElement( "REVEAL"_ns ); 
@@ -1883,10 +1846,18 @@ + } + + if (!giovfs) -+ return NS_ERROR_FAILURE; + return NS_ERROR_FAILURE; +- } + -+ return giovfs->ShowURIForInput(url); - } + return giovfs->RevealFile(this); + #elif defined(MOZ_WIDGET_COCOA) + CFURLRef url; + if (NS_SUCCEEDED(GetCFURL(&url))) { + nsresult rv = CocoaFileUtils::RevealFileInFinder(url); + ::CFRelease(url); + return rv; + } +@@ -2096,16 +2106,23 @@ nsLocalFile::Reveal() { NS_IMETHODIMP nsLocalFile::Launch() { @@ -1901,11 +1872,12 @@ + command.AppendElement( mPath ); + return nsKDEUtils::command( command ) ? NS_OK : NS_ERROR_FAILURE; + } ++ nsCOMPtr giovfs = do_GetService(NS_GIOSERVICE_CONTRACTID); if (!giovfs) { return NS_ERROR_FAILURE; } - return giovfs->ShowURIForInput(mPath); + return giovfs->LaunchFile(mPath); #elif defined(MOZ_WIDGET_ANDROID) // Not supported on GeckoView diff -r 56ecd2ae6e61 -r 90e3d0cf8567 mozilla-silence-no-return-type.patch --- a/mozilla-silence-no-return-type.patch Sun May 01 18:18:56 2022 +0200 +++ b/mozilla-silence-no-return-type.patch Sun Jun 12 16:05:04 2022 +0200 @@ -1,10 +1,10 @@ # HG changeset patch -# Parent 1191efd2ea64c4081a1825176a50e872a525d4da +# Parent 6d59717f59a1c0dc50140e750d665c7e98de3e66 diff --git a/Cargo.lock b/Cargo.lock --- a/Cargo.lock +++ b/Cargo.lock -@@ -2196,18 +2196,16 @@ name = "glsl-to-cxx" +@@ -2207,18 +2207,16 @@ name = "glsl-to-cxx" version = "0.1.0" dependencies = [ "glsl", @@ -26,16 +26,15 @@ diff --git a/Cargo.toml b/Cargo.toml --- a/Cargo.toml 
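Review bot: In the refreshed `nsLocalFile::Reveal()` section of mozilla-kde.patch (hunks `@@ -1834,47 +1834,10 @@` and `@@ -1883,10 +1846,18 @@`), the added `nsAutoCString url;` and `url = mPath;` appear to be left over. Their only visible consumer, `giovfs->ShowURIForInput(url)`, is dropped by this refresh in favour of `giovfs->RevealFile(this)`. Two lines of the patch between the hunks are not shown, so this is inferred; if they do not read `url`, both lines should be removed to avoid an unused-variable warning and a needless string copy. The new `if (!giovfs)` also lost its braces while the matching check in `Launch()` below keeps them, so `if (!giovfs) {` … `}` would keep the two functions consistent.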
+++ b/Cargo.toml -@@ -106,13 +106,13 @@ moz_asserts = { path = "mozglue/static/r - async-task = { git = "https://github.com/smol-rs/async-task", rev="f6488e35beccb26eb6e85847b02aa78a42cd3d0e" } - chardetng = { git = "https://github.com/hsivonen/chardetng", rev="3484d3e3ebdc8931493aa5df4d7ee9360a90e76b" } +@@ -109,12 +109,13 @@ chardetng = { git = "https://github.com/ chardetng_c = { git = "https://github.com/hsivonen/chardetng_c", rev="ed8a4c6f900a90d4dbc1d64b856e61490a1c3570" } coremidi = { git = "https://github.com/chris-zen/coremidi.git", rev="fc68464b5445caf111e41f643a2e69ccce0b4f83" } + fog = { path = "toolkit/components/glean/api" } libudev-sys = { path = "dom/webauthn/libudev-sys" } - packed_simd = { git = "https://github.com/hsivonen/packed_simd", rev="8b4bd7d8229660a749dbe419a57ea01df9de5453" } + packed_simd = { package = "packed_simd_2", git = "https://github.com/hsivonen/packed_simd", rev="c149d0a519bf878567c7630096737669ec2ff15f" } midir = { git = "https://github.com/mozilla/midir.git", rev = "4c11f0ffb5d6a10de4aff40a7b81218b33b94e6f" } minidump_writer_linux = { git = "https://github.com/msirringhaus/minidump_writer_linux.git", rev = "029ac0d54b237f27dc7d8d4e51bc0fb076e5e852" } -- + +glslopt = { path = "third_party/rust/glslopt/" } # Patch mio 0.6 to use winapi 0.3 and miow 0.3, getting rid of winapi 0.2. # There is not going to be new version of mio 0.6, mio now being >= 0.7.11.