summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-08-12 17:41:15 -0400
committerMark H Weaver <mhw@netris.org>2015-08-12 20:37:44 -0400
commitc037a0f7ce79d8d67e08694ae20e407b1280d84e (patch)
tree60e6810db94ef46a96682ed2bd80acdec23b5fff
parentf74c577ce08399106a7ed4abe1b7d26e82fefd10 (diff)
gnu: icecat: Add fixes for CVE-2015-{4473,4482,4488,4489,4491,4492}.
WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable to backport some of the patches (for upstream bugs 1182711 and 1146213). I was also unable to backport CVE-2015-4484 (upstream bug 1171540) and CVE-2015-4487 (upstream bug 1171603). I was unable to find any commit in the upstream repository that claims to address bug 1105914 (CVE-2015-4478). * gnu/packages/patches/icecat-CVE-2015-4473-partial.patch, gnu/packages/patches/icecat-CVE-2015-4482.patch, gnu/packages/patches/icecat-CVE-2015-4488.patch, gnu/packages/patches/icecat-CVE-2015-4489.patch, gnu/packages/patches/icecat-CVE-2015-4491.patch, gnu/packages/patches/icecat-CVE-2015-4492.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
-rw-r--r--gnu-system.am6
-rw-r--r--gnu/packages/gnuzilla.scm8
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4473-partial.patch120
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4482.patch28
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4488.patch21
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4489.patch21
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4491.patch41
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4492.patch81
8 files changed, 325 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index dc945c9b96..f9db6acc51 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -483,6 +483,12 @@ dist_patch_DATA = \
gnu/packages/patches/hwloc-gather-topology-lstopo.patch \
gnu/packages/patches/hydra-automake-1.15.patch \
gnu/packages/patches/hydra-disable-darcs-test.patch \
+ gnu/packages/patches/icecat-CVE-2015-4473-partial.patch \
+ gnu/packages/patches/icecat-CVE-2015-4482.patch \
+ gnu/packages/patches/icecat-CVE-2015-4488.patch \
+ gnu/packages/patches/icecat-CVE-2015-4489.patch \
+ gnu/packages/patches/icecat-CVE-2015-4491.patch \
+ gnu/packages/patches/icecat-CVE-2015-4492.patch \
gnu/packages/patches/icecat-CVE-2015-4495.patch \
gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \
gnu/packages/patches/icecat-freetype-2.6.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 0200039f5c..bfd1f5dc7b 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -240,7 +240,13 @@ standards.")
(sha256
(base32
"11wx29mb5pcg4mgk07a6vjwh52ca90k0x4m9wv0v3y5dmp88f01p"))
- (patches (map search-patch '("icecat-CVE-2015-4495.patch"
+ (patches (map search-patch '("icecat-CVE-2015-4473-partial.patch"
+ "icecat-CVE-2015-4482.patch"
+ "icecat-CVE-2015-4488.patch"
+ "icecat-CVE-2015-4489.patch"
+ "icecat-CVE-2015-4491.patch"
+ "icecat-CVE-2015-4492.patch"
+ "icecat-CVE-2015-4495.patch"
"icecat-enable-acceleration-and-webgl.patch"
"icecat-freetype-2.6.patch"
"icecat-libvpx-1.4.patch")))
diff --git a/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch
new file mode 100644
index 0000000000..184a8c5092
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch
@@ -0,0 +1,120 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 1a7eac06fab3b8ffca09936498887f99e233bcba Mon Sep 17 00:00:00 2001
+From: Randell Jesup <rjesup@jesup.org>
+Date: Thu, 9 Jul 2015 20:18:34 -0400
+Subject: [PATCH] Bug 1178890 - Update timer arrays after sleep to account for
+ time sleeping. r=bwc, r=froydnj, a=sledru
+
+--- icecat-31.8.0/xpcom/threads/TimerThread.cpp.orig 1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/xpcom/threads/TimerThread.cpp 2015-08-12 16:38:11.789371171 -0400
+@@ -28,7 +28,8 @@
+ mShutdown(false),
+ mWaiting(false),
+ mNotified(false),
+- mSleeping(false)
++ mSleeping(false),
++ mLastTimerEventLoopRun(TimeStamp::Now())
+ {
+ }
+
+@@ -222,6 +223,7 @@
+ } else {
+ waitFor = PR_INTERVAL_NO_TIMEOUT;
+ TimeStamp now = TimeStamp::Now();
++ mLastTimerEventLoopRun = now;
+ nsTimerImpl *timer = nullptr;
+
+ if (!mTimers.IsEmpty()) {
+@@ -411,6 +413,7 @@
+ // This function must be called from within a lock
+ int32_t TimerThread::AddTimerInternal(nsTimerImpl *aTimer)
+ {
++ mMonitor.AssertCurrentThreadOwns();
+ if (mShutdown)
+ return -1;
+
+@@ -434,6 +437,7 @@
+
+ bool TimerThread::RemoveTimerInternal(nsTimerImpl *aTimer)
+ {
++ mMonitor.AssertCurrentThreadOwns();
+ if (!mTimers.RemoveElement(aTimer))
+ return false;
+
+@@ -443,6 +447,10 @@
+
+ void TimerThread::ReleaseTimerInternal(nsTimerImpl *aTimer)
+ {
++ if (!mShutdown) {
++ // copied to a local array before releasing in shutdown
++ mMonitor.AssertCurrentThreadOwns();
++ }
+ // Order is crucial here -- see nsTimerImpl::Release.
+ aTimer->mArmed = false;
+ NS_RELEASE(aTimer);
+@@ -450,21 +458,39 @@
+
+ void TimerThread::DoBeforeSleep()
+ {
++ // Mainthread
++ MonitorAutoLock lock(mMonitor);
++ mLastTimerEventLoopRun = TimeStamp::Now();
+ mSleeping = true;
+ }
+
++// Note: wake may be notified without preceding sleep notification
+ void TimerThread::DoAfterSleep()
+ {
+- mSleeping = true; // wake may be notified without preceding sleep notification
++ // Mainthread
++ TimeStamp now = TimeStamp::Now();
++
++ MonitorAutoLock lock(mMonitor);
++
++ // an over-estimate of time slept, usually small
++ TimeDuration slept = now - mLastTimerEventLoopRun;
++
++ // Adjust all old timers to expire roughly similar times in the future
++ // compared to when we went to sleep, by adding the time we slept to the
++ // target time. It's slightly possible a few will end up slightly in the
++ // past and fire immediately, but ordering should be preserved. All
++ // timers retain the exact same order (and relative times) as before
++ // going to sleep.
+ for (uint32_t i = 0; i < mTimers.Length(); i ++) {
+ nsTimerImpl *timer = mTimers[i];
+- // get and set the delay to cause its timeout to be recomputed
+- uint32_t delay;
+- timer->GetDelay(&delay);
+- timer->SetDelay(delay);
++ timer->mTimeout += slept;
+ }
+-
+ mSleeping = false;
++ mLastTimerEventLoopRun = now;
++
++ // Wake up the timer thread to process the updated array
++ mNotified = true;
++ mMonitor.Notify();
+ }
+
+
+--- icecat-31.8.0/xpcom/threads/TimerThread.h.orig 1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/xpcom/threads/TimerThread.h 2015-08-12 16:38:38.542408062 -0400
+@@ -59,7 +59,7 @@
+ mozilla::Atomic<bool> mInitInProgress;
+ bool mInitialized;
+
+- // These two internal helper methods must be called while mLock is held.
++ // These two internal helper methods must be called while mMonitor is held.
+ // AddTimerInternal returns the position where the timer was added in the
+ // list, or -1 if it failed.
+ int32_t AddTimerInternal(nsTimerImpl *aTimer);
+@@ -73,6 +73,7 @@
+ bool mWaiting;
+ bool mNotified;
+ bool mSleeping;
++ TimeStamp mLastTimerEventLoopRun;
+
+ nsTArray<nsTimerImpl*> mTimers;
+ };
diff --git a/gnu/packages/patches/icecat-CVE-2015-4482.patch b/gnu/packages/patches/icecat-CVE-2015-4482.patch
new file mode 100644
index 0000000000..41f0a3d0fc
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4482.patch
@@ -0,0 +1,28 @@
+From 932a017c745d40d661602f6145c95c9226d8450d Mon Sep 17 00:00:00 2001
+From: Stephen Pohl <spohl.mozilla.bugs@gmail.com>
+Date: Sat, 18 Jul 2015 18:42:15 -0700
+Subject: [PATCH] Bug 1184500 - Improve handling of index names in MAR files.
+ r=rstrong, a=lmandel
+
+---
+ modules/libmar/src/mar_read.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/modules/libmar/src/mar_read.c b/modules/libmar/src/mar_read.c
+index c647370..2013b0f 100644
+--- a/modules/libmar/src/mar_read.c
++++ b/modules/libmar/src/mar_read.c
+@@ -96,6 +96,10 @@ static int mar_consume_index(MarFile *mar, char **buf, const char *buf_end) {
+ ++(*buf);
+ }
+ namelen = (*buf - name);
++ /* must ensure that namelen is valid */
++ if (namelen < 0) {
++ return -1;
++ }
+ /* consume null byte */
+ if (*buf == buf_end)
+ return -1;
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4488.patch b/gnu/packages/patches/icecat-CVE-2015-4488.patch
new file mode 100644
index 0000000000..cee0905be0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4488.patch
@@ -0,0 +1,21 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 103fb14ff54753305508448ba0e374247a463552 Mon Sep 17 00:00:00 2001
+From: Daniel Holbert <dholbert@cs.stanford.edu>
+Date: Fri, 19 Jun 2015 15:56:12 -0700
+Subject: [PATCH] Bug 1176270 - Handle self-assignment in
+ StyleAnimationValue::operator=. r=dbaron, a=sledru
+
+--- icecat-31.8.0/layout/style/nsStyleAnimation.cpp.orig 1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/layout/style/nsStyleAnimation.cpp 2015-08-12 16:00:39.418122049 -0400
+@@ -3517,6 +3517,10 @@
+ nsStyleAnimation::Value&
+ nsStyleAnimation::Value::operator=(const Value& aOther)
+ {
++ if (this == &aOther) {
++ return *this;
++ }
++
+ FreeValue();
+
+ mUnit = aOther.mUnit;
diff --git a/gnu/packages/patches/icecat-CVE-2015-4489.patch b/gnu/packages/patches/icecat-CVE-2015-4489.patch
new file mode 100644
index 0000000000..4140891e3a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4489.patch
@@ -0,0 +1,21 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 95231c1bca9c9495393b795513bea71a21a6ec2f Mon Sep 17 00:00:00 2001
+From: Birunthan Mohanathas <birunthan@mohanathas.com>
+Date: Tue, 21 Jul 2015 09:42:58 -0700
+Subject: [PATCH] Bug 1182723 - Properly handle self-assignment in
+ nsTArray::operator=. r=mccr8, a=abillings
+
+--- icecat-31.8.0/xpcom/glue/nsTArray.h.orig 2015-08-12 16:03:56.353746969 -0400
++++ icecat-31.8.0/xpcom/glue/nsTArray.h 2015-08-12 16:06:52.144553848 -0400
+@@ -811,7 +811,9 @@
+ // array. It is optimized to reuse existing storage if possible.
+ // @param other The array object to copy.
+ self_type& operator=(const self_type& other) {
+- ReplaceElementsAt(0, Length(), other.Elements(), other.Length());
++ if (this != &other) {
++ ReplaceElementsAt(0, Length(), other.Elements(), other.Length());
++ }
+ return *this;
+ }
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4491.patch b/gnu/packages/patches/icecat-CVE-2015-4491.patch
new file mode 100644
index 0000000000..c16885cfc7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4491.patch
@@ -0,0 +1,41 @@
+From c154557bc0aa7e310824717f3e829dd82e6726e4 Mon Sep 17 00:00:00 2001
+From: Lee Salzman <lsalzman@mozilla.com>
+Date: Tue, 21 Jul 2015 13:16:44 -0400
+Subject: [PATCH] Bug 1184009 - Limit image preview sizes. r=acomminos,
+ a=lmandel
+
+--HG--
+extra : transplant_source : %9B%86%13%60%B2%97%F1%8Fb%CB%9C%8D%FBWo%C9%EBPs1
+---
+ widget/gtk/nsFilePicker.cpp | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/widget/gtk/nsFilePicker.cpp b/widget/gtk/nsFilePicker.cpp
+index 0b5a8dc..3c0d543 100644
+--- a/widget/gtk/nsFilePicker.cpp
++++ b/widget/gtk/nsFilePicker.cpp
+@@ -101,13 +101,16 @@ UpdateFilePreviewWidget(GtkFileChooser *file_chooser,
+ return;
+ }
+
+- GdkPixbuf *preview_pixbuf;
++ GdkPixbuf *preview_pixbuf = nullptr;
+ // Only scale down images that are too big
+ if (preview_width > MAX_PREVIEW_SIZE || preview_height > MAX_PREVIEW_SIZE) {
+- preview_pixbuf = gdk_pixbuf_new_from_file_at_size(image_filename,
+- MAX_PREVIEW_SIZE,
+- MAX_PREVIEW_SIZE,
+- nullptr);
++ if (ceil(preview_width / double(MAX_PREVIEW_SIZE) + 1.0) *
++ ceil(preview_height / double(MAX_PREVIEW_SIZE) + 1.0) < 0x7FFFFF) {
++ preview_pixbuf = gdk_pixbuf_new_from_file_at_size(image_filename,
++ MAX_PREVIEW_SIZE,
++ MAX_PREVIEW_SIZE,
++ nullptr);
++ }
+ }
+ else {
+ preview_pixbuf = gdk_pixbuf_new_from_file(image_filename, nullptr);
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4492.patch b/gnu/packages/patches/icecat-CVE-2015-4492.patch
new file mode 100644
index 0000000000..5d401f5a32
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4492.patch
@@ -0,0 +1,81 @@
+From 9d5f21ee3a754d20bca4513f55553ea6694a7b25 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Wed, 29 Jul 2015 16:10:15 -0400
+Subject: [PATCH] Bug 1185820 - XMLHttpRequest::Open() in worker should count
+ the recursion using a uint32_t and not a boolean. r=khuey, a=lmandel
+
+--HG--
+extra : transplant_source : %8F%89%24%FF%A1%F7d%5B%BE%E9%FC3%C6%E1%AC%27r%5Eq%16
+extra : histedit_source : 5857f0cedf1cfb5361e6f404a094719814a2b415
+---
+ dom/workers/XMLHttpRequest.cpp | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index aac97ab..7099279 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -100,6 +100,7 @@ public:
+ // Only touched on the worker thread.
+ uint32_t mOuterEventStreamId;
+ uint32_t mOuterChannelId;
++ uint32_t mOpenCount;
+ uint64_t mLastLoaded;
+ uint64_t mLastTotal;
+ uint64_t mLastUploadLoaded;
+@@ -109,7 +110,6 @@ public:
+ bool mLastUploadLengthComputable;
+ bool mSeenLoadStart;
+ bool mSeenUploadLoadStart;
+- bool mOpening;
+
+ // Only touched on the main thread.
+ bool mUploadEventListenersAttached;
+@@ -122,10 +122,10 @@ public:
+ : mWorkerPrivate(nullptr), mXMLHttpRequestPrivate(aXHRPrivate),
+ mMozAnon(aMozAnon), mMozSystem(aMozSystem),
+ mInnerEventStreamId(0), mInnerChannelId(0), mOutstandingSendCount(0),
+- mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
+- mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
++ mOuterEventStreamId(0), mOuterChannelId(0), mOpenCount(0), mLastLoaded(0),
++ mLastTotal(0), mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
+ mLastLengthComputable(false), mLastUploadLengthComputable(false),
+- mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
++ mSeenLoadStart(false), mSeenUploadLoadStart(false),
+ mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
+ mInOpen(false), mArrayBufferResponseWasTransferred(false)
+ { }
+@@ -1850,7 +1850,7 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
+ mWorkerPrivate->AssertIsOnWorkerThread();
+
+ // No send() calls when open is running.
+- if (mProxy->mOpening) {
++ if (mProxy->mOpenCount) {
+ aRv.Throw(NS_ERROR_FAILURE);
+ return;
+ }
+@@ -1945,15 +1945,17 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
+ mBackgroundRequest, mWithCredentials,
+ mTimeout);
+
+- mProxy->mOpening = true;
++ ++mProxy->mOpenCount;
+ if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
+- mProxy->mOpening = false;
+- ReleaseProxy();
++ if (!--mProxy->mOpenCount) {
++ ReleaseProxy();
++ }
++
+ aRv.Throw(NS_ERROR_FAILURE);
+ return;
+ }
+
+- mProxy->mOpening = false;
++ --mProxy->mOpenCount;
+ mProxy->mIsSyncXHR = !aAsync;
+ }
+
+--
+2.4.3
+