--- a/MozillaFirefox/MozillaFirefox.changes Sun Jan 24 11:01:55 2021 +0100
+++ b/MozillaFirefox/MozillaFirefox.changes Thu Jan 28 23:39:24 2021 +0100
@@ -1,4 +1,53 @@
-------------------------------------------------------------------
+Sun Jan 24 11:53:58 UTC 2021 - Wolfgang Rosenauer <wr@rosenauer.org>
+
+- Mozilla Firefox 85.0
+ * Adobe Flash is completely history
+ * supercookie protection
+ * new bookmark handling and features
+ MFSA 2021-03 (bsc#1181414)
+ * CVE-2021-23953 (bmo#1683940)
+ Cross-origin information leakage via redirected PDF requests
+ * CVE-2021-23954 (bmo#1684020)
+ Type confusion when using logical assignment operators in
+ JavaScript switch statements
+ * CVE-2021-23955 (bmo#1684837)
+ Clickjacking across tabs through misusing requestPointerLock
+ * CVE-2021-23956 (bmo#1338637)
+ File picker dialog could have been used to disclose a
+ complete directory
+ * CVE-2021-23957 (bmo#1584582)
+ Iframe sandbox could have been bypassed on Android via the
+ intent URL scheme
+ * CVE-2021-23958 (bmo#1642747)
+ Screen sharing permission leaked across tabs
+ * CVE-2021-23959 (bmo#1659035)
+ Cross-Site Scripting in error pages on Firefox for Android
+ * CVE-2021-23960 (bmo#1675755)
+ Use-after-poison for incorrectly redeclared JavaScript
+ variables during GC
+ * CVE-2021-23961 (bmo#1677940)
+ More internal network hosts could have been probed by a
+ malicious webpage
+ * CVE-2021-23962 (bmo#1677194)
+ Use-after-poison in
+ <code>nsTreeBodyFrame::RowCountChanged</code>
+ * CVE-2021-23963 (bmo#1680793)
+ Permission prompt inaccessible after asking for additional
+ permissions
+ * CVE-2021-23964 (bmo#1662507, bmo#1666285, bmo#1673526, bmo#1674278,
+ bmo#1674835, bmo#1675097, bmo#1675844, bmo#1675868, bmo#1677590,
+ bmo#1677888, bmo#1680410, bmo#1681268, bmo#1682068, bmo#1682938,
+ bmo#1683736, bmo#1685260, bmo#1685925)
+ Memory safety bugs fixed in Firefox 85 and Firefox ESR 78.7
+ * CVE-2021-23965 (bmo#1670378, bmo#1673555, bmo#1676812, bmo#1678582,
+ bmo#1684497)
+ Memory safety bugs fixed in Firefox 85
+- requires NSS 3.60.1
+- requires rust 1.47
+- remove obsolete mozilla-pipewire-0-3.patch
+
+-------------------------------------------------------------------
Mon Jan 11 18:02:01 UTC 2021 - Matthias Mailänder <mailaender@opensuse.org>
- Fix AppStream screenshot links
--- a/MozillaFirefox/MozillaFirefox.spec Sun Jan 24 11:01:55 2021 +0100
+++ b/MozillaFirefox/MozillaFirefox.spec Thu Jan 28 23:39:24 2021 +0100
@@ -2,7 +2,7 @@
# spec file for package MozillaFirefox
#
# Copyright (c) 2021 SUSE LLC
-# 2006-2020 Wolfgang Rosenauer <wr@rosenauer.org>
+# 2006-2021 Wolfgang Rosenauer <wr@rosenauer.org>
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -29,9 +29,9 @@
# orig_suffix b3
# major 69
# mainver %major.99
-%define major 84
-%define mainver %major.0.2
-%define orig_version 84.0.2
+%define major 85
+%define mainver %major.0
+%define orig_version 85.0
%define orig_suffix %{nil}
%define update_channel release
%define branding 1
@@ -92,7 +92,7 @@
%else
BuildRequires: gcc-c++
%endif
-BuildRequires: cargo >= 1.44
+BuildRequires: cargo >= 1.47
BuildRequires: ccache
BuildRequires: libXcomposite-devel
BuildRequires: libcurl-devel
@@ -101,7 +101,7 @@
BuildRequires: libproxy-devel
BuildRequires: makeinfo
BuildRequires: mozilla-nspr-devel >= 4.29
-BuildRequires: mozilla-nss-devel >= 3.59.1
+BuildRequires: mozilla-nss-devel >= 3.60.1
BuildRequires: nasm >= 2.14
BuildRequires: nodejs10 >= 10.22.1
%if 0%{?sle_version} >= 120000 && 0%{?sle_version} < 150000
@@ -111,7 +111,7 @@
BuildRequires: python3 >= 3.5
BuildRequires: python3-devel
%endif
-BuildRequires: rust >= 1.44
+BuildRequires: rust >= 1.47
BuildRequires: rust-cbindgen >= 0.15.0
BuildRequires: unzip
BuildRequires: update-desktop-files
@@ -207,7 +207,6 @@
Patch20: mozilla-fix-top-level-asm.patch
Patch21: mozilla-bmo1504834-part4.patch
Patch22: mozilla-bmo849632.patch
-Patch23: mozilla-pipewire-0-3.patch
Patch24: mozilla-bmo1602730.patch
Patch25: mozilla-bmo998749.patch
Patch26: mozilla-bmo1626236.patch
@@ -347,9 +346,6 @@
%patch20 -p1
%patch21 -p1
%patch22 -p1
-%if %{with_pipewire0_3}
-%patch23 -p1
-%endif
%patch24 -p1
%patch25 -p1
%patch26 -p1
--- a/MozillaFirefox/mozilla-pipewire-0-3.patch Sun Jan 24 11:01:55 2021 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-../mozilla-pipewire-0-3.patch
\ No newline at end of file
--- a/MozillaFirefox/tar_stamps Sun Jan 24 11:01:55 2021 +0100
+++ b/MozillaFirefox/tar_stamps Thu Jan 28 23:39:24 2021 +0100
@@ -1,11 +1,11 @@
PRODUCT="firefox"
CHANNEL="release"
-VERSION="84.0.2"
+VERSION="85.0"
VERSION_SUFFIX=""
-PREV_VERSION="84.0.1"
+PREV_VERSION="84.0.2"
PREV_VERSION_SUFFIX=""
#SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-release"
-RELEASE_TAG="7e22d68e1ebfc0839092237feeefad46cfbd8651"
-RELEASE_TIMESTAMP="20210105180113"
+RELEASE_TAG="cd908cffd02e1563b2218d985873f958a2e2c55d"
+RELEASE_TIMESTAMP="20210118153634"
--- a/mozilla-fix-top-level-asm.patch Sun Jan 24 11:01:55 2021 +0100
+++ b/mozilla-fix-top-level-asm.patch Thu Jan 28 23:39:24 2021 +0100
@@ -49,7 +49,7 @@
]
if CONFIG["CC_TYPE"] in ("clang", "gcc"):
- CXXFLAGS += ["-Wno-shadow"]
+ CXXFLAGS += ["-Wno-shadow", "-Wno-error=stack-protector"]
SOURCES["../chromium/sandbox/linux/services/syscall_wrappers.cc"].flags += [
"-Wno-empty-body",
]
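Review bot: `-Wno-error=stack-protector` is added to the directory-wide `CXXFLAGS` with no comment saying which function trips `-Wstack-protector` or why it cannot be fixed, and this moz.build builds sandbox code (`sandbox/linux/services/syscall_wrappers.cc` is listed just below). That warning reports functions the stack protector leaves uninstrumented, so for sandbox sources it is worth keeping the relaxation narrow: consider a per-file form such as `SOURCES["<file that trips the warning>"].flags += ["-Wno-error=stack-protector"]` with a comment like `# <function>: <reason>; keep -Wstack-protector a warning here`. The change is also unrelated to the patch's name (top-level asm) and is missing from the .changes entry, so a line there would help the next refresh. The surrounding moz.build block starts and ends outside the hunk.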
--- a/mozilla-pgo.patch Sun Jan 24 11:01:55 2021 +0100
+++ b/mozilla-pgo.patch Thu Jan 28 23:39:24 2021 +0100
@@ -1,11 +1,11 @@
# HG changeset patch
# User Wolfgang Rosenauer <wr@rosenauer.org>
-# Parent 431962e810598b34327620fb99e06768e9a29c38
+# Parent 41df71ef2798d6bd6a67cfc4c4f26b8d41b8ccca
diff --git a/build/moz.configure/lto-pgo.configure b/build/moz.configure/lto-pgo.configure
--- a/build/moz.configure/lto-pgo.configure
+++ b/build/moz.configure/lto-pgo.configure
-@@ -223,23 +223,23 @@ def lto(value, c_compiler, ld64_known_go
+@@ -235,23 +235,23 @@ def lto(
"configure."
)
@@ -32,25 +32,6 @@
# choose a poor default. Rust compilation by default uses the
# pentium4 CPU on x86:
#
-@@ -263,17 +263,17 @@ def lto(value, c_compiler, ld64_known_go
- ldflags.append("-mllvm:-mcpu=x86-64")
- # We do not need special flags for arm64. Hooray for fixed-length
- # instruction sets.
- else:
- num_cores = multiprocessing.cpu_count()
- if len(value) and value[0].lower() == "full":
- cflags.append("-flto")
- else:
-- cflags.append("-flto=thin")
-+ cflags.append("-flto")
- cflags.append("-flifetime-dse=1")
-
- ldflags.append("-flto=%s" % num_cores)
- ldflags.append("-flifetime-dse=1")
-
- # Tell LTO not to inline functions above a certain size, to mitigate
- # binary size growth while still getting good performance.
- # (For hot functions, PGO will put a multiplier on this limit.)
diff --git a/build/pgo/profileserver.py b/build/pgo/profileserver.py
--- a/build/pgo/profileserver.py
+++ b/build/pgo/profileserver.py
@@ -173,35 +154,10 @@
CXXFLAGS += ["-Wno-error=shadow"]
+
+CXXFLAGS += ['-fno-devirtualize']
-diff --git a/python/mozbuild/mozbuild/build_commands.py b/python/mozbuild/mozbuild/build_commands.py
---- a/python/mozbuild/mozbuild/build_commands.py
-+++ b/python/mozbuild/mozbuild/build_commands.py
-@@ -121,19 +121,18 @@ class Build(MachCommandBase):
- silent=not verbose,
- ensure_exit_code=False,
- append_env=append_env,
- )
- if status != 0:
- return status
-
- pgo_env = os.environ.copy()
-- pgo_env["LLVM_PROFDATA"] = instr.config_environment.substs.get(
-- "LLVM_PROFDATA"
-- )
-+ if instr.config_environment.substs.get('CC_TYPE') != 'gcc':
-+ pgo_env["LLVM_PROFDATA"] = instr.config_environment.substs.get("LLVM_PROFDATA")
- pgo_env["JARLOG_FILE"] = mozpath.join(orig_topobjdir, "jarlog/en-US.log")
- pgo_cmd = [
- instr.virtualenv_manager.python_path,
- mozpath.join(self.topsrcdir, "build/pgo/profileserver.py"),
- ]
- subprocess.check_call(
- pgo_cmd, cwd=instr.topobjdir, env=ensure_subprocess_env(pgo_env)
- )
diff --git a/toolkit/components/terminator/nsTerminator.cpp b/toolkit/components/terminator/nsTerminator.cpp
--- a/toolkit/components/terminator/nsTerminator.cpp
+++ b/toolkit/components/terminator/nsTerminator.cpp
-@@ -413,16 +413,21 @@ void nsTerminator::StartWatchdog() {
+@@ -425,16 +425,21 @@ void nsTerminator::StartWatchdog() {
// Defend against overflow
crashAfterMS = INT32_MAX;
} else {
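Review bot: The refreshed mozilla-pgo.patch drops two gcc-specific pieces without explanation: the `CC_TYPE != 'gcc'` guard around `pgo_env["LLVM_PROFDATA"]` in build_commands.py (this hunk) and the `-flto=thin` to `-flto` override in lto-pgo.configure (previous hunk). Neither the patch header nor the .changes entry says why. Presumably Firefox 85 handles both upstream, but that is not visible here; if it does not, a gcc PGO build could again pass a possibly unset `LLVM_PROFDATA` into the profileserver environment. Once confirmed, a changelog line such as `- mozilla-pgo.patch: drop LLVM_PROFDATA and -flto hunks (upstream in 85)` would record it.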
--- a/mozilla-pipewire-0-3.patch Sun Jan 24 11:01:55 2021 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,163 +0,0 @@
-diff -up firefox-83.0/browser/actors/WebRTCParent.jsm.pw6 firefox-83.0/browser/actors/WebRTCParent.jsm
---- firefox-83.0/browser/actors/WebRTCParent.jsm.pw6 2020-11-12 19:04:30.000000000 +0100
-+++ firefox-83.0/browser/actors/WebRTCParent.jsm 2020-11-25 10:28:32.492865982 +0100
-@@ -45,6 +45,9 @@ XPCOMUtils.defineLazyServiceGetter(
- "nsIOSPermissionRequest"
- );
-
-+const PIPEWIRE_PORTAL_NAME = "####_PIPEWIRE_PORTAL_####";
-+const PIPEWIRE_ID = 0xaffffff;
-+
- class WebRTCParent extends JSWindowActorParent {
- didDestroy() {
- webrtcUI.forgetStreamsFromBrowserContext(this.browsingContext);
-@@ -753,6 +756,8 @@ function prompt(aActor, aBrowser, aReque
- );
- menupopup.appendChild(doc.createXULElement("menuseparator"));
-
-+ let isPipeWire = false;
-+
- // Build the list of 'devices'.
- let monitorIndex = 1;
- for (let i = 0; i < devices.length; ++i) {
-@@ -774,6 +779,29 @@ function prompt(aActor, aBrowser, aReque
- }
- } else {
- name = device.name;
-+ // When we share content by PipeWire add only one item to the device
-+ // list. When it's selected PipeWire portal dialog is opened and
-+ // user confirms actual window/screen sharing there.
-+ // Don't mark it as scary as there's an extra confirmation step by
-+ // PipeWire portal dialog.
-+ if (name == PIPEWIRE_PORTAL_NAME && device.id == PIPEWIRE_ID) {
-+ isPipeWire = true;
-+ let name;
-+ try {
-+ name = stringBundle.getString("getUserMedia.sharePipeWirePortal.label");
-+ } catch (err) {
-+ name = "Use operating system settings"
-+ }
-+ let item = addDeviceToList(
-+ menupopup,
-+ name,
-+ i,
-+ type
-+ );
-+ item.deviceId = device.id;
-+ item.mediaSource = type;
-+ break;
-+ }
- if (type == "application") {
- // The application names returned by the platform are of the form:
- // <window count>\x1e<application name>
-@@ -888,39 +916,41 @@ function prompt(aActor, aBrowser, aReque
- perms.EXPIRE_SESSION
- );
-
-- video.deviceId = deviceId;
-- let constraints = {
-- video: { mediaSource: type, deviceId: { exact: deviceId } },
-- };
-- chromeWin.navigator.mediaDevices.getUserMedia(constraints).then(
-- stream => {
-- if (video.deviceId != deviceId) {
-- // The user has selected a different device or closed the panel
-- // before getUserMedia finished.
-- stream.getTracks().forEach(t => t.stop());
-- return;
-- }
-- video.srcObject = stream;
-- video.stream = stream;
-- doc.getElementById("webRTC-preview").hidden = false;
-- video.onloadedmetadata = function(e) {
-- video.play();
-- };
-- },
-- err => {
-- if (
-- err.name == "OverconstrainedError" &&
-- err.constraint == "deviceId"
-- ) {
-- // Window has disappeared since enumeration, which can happen.
-- // No preview for you.
-- return;
-+ if (!isPipeWire) {
-+ video.deviceId = deviceId;
-+ let constraints = {
-+ video: { mediaSource: type, deviceId: { exact: deviceId } },
-+ };
-+ chromeWin.navigator.mediaDevices.getUserMedia(constraints).then(
-+ stream => {
-+ if (video.deviceId != deviceId) {
-+ // The user has selected a different device or closed the panel
-+ // before getUserMedia finished.
-+ stream.getTracks().forEach(t => t.stop());
-+ return;
-+ }
-+ video.srcObject = stream;
-+ video.stream = stream;
-+ doc.getElementById("webRTC-preview").hidden = false;
-+ video.onloadedmetadata = function(e) {
-+ video.play();
-+ };
-+ },
-+ err => {
-+ if (
-+ err.name == "OverconstrainedError" &&
-+ err.constraint == "deviceId"
-+ ) {
-+ // Window has disappeared since enumeration, which can happen.
-+ // No preview for you.
-+ return;
-+ }
-+ Cu.reportError(
-+ `error in preview: ${err.message} ${err.constraint}`
-+ );
- }
-- Cu.reportError(
-- `error in preview: ${err.message} ${err.constraint}`
-- );
-- }
-- );
-+ );
-+ }
- };
- menupopup.addEventListener("command", menupopup._commandEventListener);
- }
-diff -up firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties.pw6 firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties
---- firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties.pw6 2020-11-12 19:04:30.000000000 +0100
-+++ firefox-83.0/browser/locales/en-US/chrome/browser/browser.properties 2020-11-25 09:24:26.378857626 +0100
-@@ -764,6 +764,7 @@ getUserMedia.selectWindowOrScreen.label=
- getUserMedia.selectWindowOrScreen.accesskey=W
- getUserMedia.pickWindowOrScreen.label = Select Window or Screen
- getUserMedia.shareEntireScreen.label = Entire screen
-+getUserMedia.sharePipeWirePortal.label = Use operating system settings
- # LOCALIZATION NOTE (getUserMedia.shareMonitor.label):
- # %S is screen number (digits 1, 2, etc)
- # Example: Screen 1, Screen 2,..
-diff -up firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc.pw6 firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc
---- firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc.pw6 2020-11-25 09:24:26.358857788 +0100
-+++ firefox-83.0/third_party/libwebrtc/webrtc/modules/desktop_capture/linux/base_capturer_pipewire.cc 2020-11-25 09:24:26.378857626 +0100
-@@ -879,17 +879,17 @@ void BaseCapturerPipeWire::CaptureFrame(
- callback_->OnCaptureResult(Result::SUCCESS, std::move(result));
- }
-
-+#define PIPEWIRE_ID 0xaffffff
-+#define PIPEWIRE_NAME "####_PIPEWIRE_PORTAL_####"
-+
- bool BaseCapturerPipeWire::GetSourceList(SourceList* sources) {
-- RTC_DCHECK(sources->size() == 0);
-- // List of available screens is already presented by the xdg-desktop-portal.
-- // But we have to add an empty source as the code expects it.
-- sources->push_back({0});
-+ sources->push_back({PIPEWIRE_ID, 0, PIPEWIRE_NAME});
- return true;
- }
-
- bool BaseCapturerPipeWire::SelectSource(SourceId id) {
- // Screen selection is handled by the xdg-desktop-portal.
-- return true;
-+ return id == PIPEWIRE_ID;
- }
-
- // static
--- a/mozilla-reduce-rust-debuginfo.patch Sun Jan 24 11:01:55 2021 +0100
+++ b/mozilla-reduce-rust-debuginfo.patch Thu Jan 28 23:39:24 2021 +0100
@@ -3,7 +3,7 @@
# Date 1560754926 -7200
# Mon Jun 17 09:02:06 2019 +0200
# Node ID 428161c3b9599083e1b8710eda1760f1f707ab11
-# Parent f5e9431a99bb1d122ccd76411f08ac6f3236c19f
+# Parent 2a004fe4d56123f6e73a9436d1a290bbfc5e0b6b
#Description: reduce the rust debuginfo level on selected architectures where
# compiling with debuginfo=2 causes the OOM killer to interrupt the build on
# launchpad builders. Initially this was only on 32 bit architectures, but with
@@ -12,20 +12,19 @@
diff --git a/build/moz.configure/toolchain.configure b/build/moz.configure/toolchain.configure
--- a/build/moz.configure/toolchain.configure
+++ b/build/moz.configure/toolchain.configure
-@@ -2138,19 +2138,19 @@ imply_option("RUSTC_OPT_LEVEL", "2", whe
- def rustc_opt_level(opt_level_option, moz_optimize):
- if opt_level_option:
- return opt_level_option[0]
- else:
- return "1" if moz_optimize.optimize else "0"
+@@ -2145,18 +2145,19 @@ def rustc_opt_level(opt_level_option, mo
@depends(
-- rustc_opt_level, debug_rust, "--enable-debug-symbols", "--enable-frame-pointers"
-+ rustc_opt_level, debug_rust, "--enable-debug-symbols", "--enable-frame-pointers", host
+ rustc_opt_level,
+ debug_rust,
+ target,
+ "--enable-debug-symbols",
+ "--enable-frame-pointers",
++ host,
)
--def rust_compile_flags(opt_level, debug_rust, debug_symbols, frame_pointers):
-+def rust_compile_flags(opt_level, debug_rust, debug_symbols, frame_pointers, host):
+-def rust_compile_flags(opt_level, debug_rust, target, debug_symbols, frame_pointers):
++def rust_compile_flags(opt_level, debug_rust, target, debug_symbols, frame_pointers, host):
# Cargo currently supports only two interesting profiles for building:
# development and release. Those map (roughly) to --enable-debug and
# --disable-debug in Gecko, respectively.
@@ -34,7 +33,7 @@
# optimization level. Since Cargo only supports 2 profiles, we're in
# a bit of a bind.
#
-@@ -2163,16 +2163,18 @@ def rust_compile_flags(opt_level, debug_
+@@ -2169,16 +2170,18 @@ def rust_compile_flags(opt_level, debug_
# opt-level=0 implies -C debug-assertions, which may not be desired
# unless Rust debugging is enabled.
--- a/series Sun Jan 24 11:01:55 2021 +0100
+++ b/series Thu Jan 28 23:39:24 2021 +0100
@@ -19,7 +19,6 @@
mozilla-fix-top-level-asm.patch
mozilla-bmo1504834-part4.patch
mozilla-bmo849632.patch
-mozilla-pipewire-0-3.patch
mozilla-bmo1602730.patch
mozilla-bmo998749.patch
mozilla-bmo1626236.patch