gnu: icecat: Add fixes for CVE-2015-{4473,4482,4488,4489,4491,4492}.

WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable to backport some of the patches (for upstream bugs 1182711 and 1146213). I was also unable to backport CVE-2015-4484 (upstream bug 1171540) and CVE-2015-4487 (upstream bug 1171603). I was unable to find any commit in the upstream repository that claims to address bug 1105914 (CVE-2015-4478). * gnu/packages/patches/icecat-CVE-2015-4473-partial.patch, gnu/packages/patches/icecat-CVE-2015-4482.patch, gnu/packages/patches/icecat-CVE-2015-4488.patch, gnu/packages/patches/icecat-CVE-2015-4489.patch, gnu/packages/patches/icecat-CVE-2015-4491.patch, gnu/packages/patches/icecat-CVE-2015-4492.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
author: Mark H Weaver <mhw@netris.org> 2015-08-12 17:41:15 -0400
committer: Mark H Weaver <mhw@netris.org> 2015-08-12 20:37:44 -0400
commit: c037a0f7ce79d8d67e08694ae20e407b1280d84e (patch)
tree: 60e6810db94ef46a96682ed2bd80acdec23b5fff /gnu/packages/patches/icecat-CVE-2015-4492.patch
parent: f74c577ce08399106a7ed4abe1b7d26e82fefd10 (diff)
download: guix-c037a0f7ce79d8d67e08694ae20e407b1280d84e.tar.gz
1 files changed, 81 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4492.patch b/gnu/packages/patches/icecat-CVE-2015-4492.patch
new file mode 100644
index 0000000000..5d401f5a32
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4492.patch
@@ -0,0 +1,81 @@
+From 9d5f21ee3a754d20bca4513f55553ea6694a7b25 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Wed, 29 Jul 2015 16:10:15 -0400
+Subject: [PATCH] Bug 1185820 - XMLHttpRequest::Open() in worker should count
+ the recursion using a uint32_t and not a boolean. r=khuey, a=lmandel
+
+--HG--
+extra : transplant_source : %8F%89%24%FF%A1%F7d%5B%BE%E9%FC3%C6%E1%AC%27r%5Eq%16
+extra : histedit_source : 5857f0cedf1cfb5361e6f404a094719814a2b415
+---
+ dom/workers/XMLHttpRequest.cpp | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index aac97ab..7099279 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -100,6 +100,7 @@ public:
+   // Only touched on the worker thread.
+   uint32_t mOuterEventStreamId;
+   uint32_t mOuterChannelId;
++  uint32_t mOpenCount;
+   uint64_t mLastLoaded;
+   uint64_t mLastTotal;
+   uint64_t mLastUploadLoaded;
+@@ -109,7 +110,6 @@ public:
+   bool mLastUploadLengthComputable;
+   bool mSeenLoadStart;
+   bool mSeenUploadLoadStart;
+-  bool mOpening;
+ 
+   // Only touched on the main thread.
+   bool mUploadEventListenersAttached;
+@@ -122,10 +122,10 @@ public:
+   : mWorkerPrivate(nullptr), mXMLHttpRequestPrivate(aXHRPrivate),
+     mMozAnon(aMozAnon), mMozSystem(aMozSystem),
+     mInnerEventStreamId(0), mInnerChannelId(0), mOutstandingSendCount(0),
+-    mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
+-    mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
++    mOuterEventStreamId(0), mOuterChannelId(0), mOpenCount(0), mLastLoaded(0),
++    mLastTotal(0), mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
+     mLastLengthComputable(false), mLastUploadLengthComputable(false),
+-    mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
++    mSeenLoadStart(false), mSeenUploadLoadStart(false),
+     mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
+     mInOpen(false), mArrayBufferResponseWasTransferred(false)
+   { }
+@@ -1850,7 +1850,7 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
+   mWorkerPrivate->AssertIsOnWorkerThread();
+ 
+   // No send() calls when open is running.
+-  if (mProxy->mOpening) {
++  if (mProxy->mOpenCount) {
+     aRv.Throw(NS_ERROR_FAILURE);
+     return;
+   }
+@@ -1945,15 +1945,17 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
+                      mBackgroundRequest, mWithCredentials,
+                      mTimeout);
+ 
+-  mProxy->mOpening = true;
++  ++mProxy->mOpenCount;
+   if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
+-    mProxy->mOpening = false;
+-    ReleaseProxy();
++    if (!--mProxy->mOpenCount) {
++      ReleaseProxy();
++    }
++
+     aRv.Throw(NS_ERROR_FAILURE);
+     return;
+   }
+ 
+-  mProxy->mOpening = false;
++  --mProxy->mOpenCount;
+   mProxy->mIsSyncXHR = !aAsync;
+ }
+ 
+-- 
+2.4.3
+
author	Mark H Weaver <mhw@netris.org>	2015-08-12 17:41:15 -0400
committer	Mark H Weaver <mhw@netris.org>	2015-08-12 20:37:44 -0400
commit	c037a0f7ce79d8d67e08694ae20e407b1280d84e (patch)
tree	60e6810db94ef46a96682ed2bd80acdec23b5fff /gnu/packages/patches/icecat-CVE-2015-4492.patch
parent	f74c577ce08399106a7ed4abe1b7d26e82fefd10 (diff)
download	guix-c037a0f7ce79d8d67e08694ae20e407b1280d84e.tar.gz