From c037a0f7ce79d8d67e08694ae20e407b1280d84e Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 12 Aug 2015 17:41:15 -0400 Subject: gnu: icecat: Add fixes for CVE-2015-{4473,4482,4488,4489,4491,4492}. WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable to backport some of the patches (for upstream bugs 1182711 and 1146213). I was also unable to backport CVE-2015-4484 (upstream bug 1171540) and CVE-2015-4487 (upstream bug 1171603). I was unable to find any commit in the upstream repository that claims to address bug 1105914 (CVE-2015-4478). * gnu/packages/patches/icecat-CVE-2015-4473-partial.patch, gnu/packages/patches/icecat-CVE-2015-4482.patch, gnu/packages/patches/icecat-CVE-2015-4488.patch, gnu/packages/patches/icecat-CVE-2015-4489.patch, gnu/packages/patches/icecat-CVE-2015-4491.patch, gnu/packages/patches/icecat-CVE-2015-4492.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. --- gnu-system.am | 6 ++ gnu/packages/gnuzilla.scm | 8 +- .../patches/icecat-CVE-2015-4473-partial.patch | 120 +++++++++++++++++++++ gnu/packages/patches/icecat-CVE-2015-4482.patch | 28 +++++ gnu/packages/patches/icecat-CVE-2015-4488.patch | 21 ++++ gnu/packages/patches/icecat-CVE-2015-4489.patch | 21 ++++ gnu/packages/patches/icecat-CVE-2015-4491.patch | 41 +++++++ gnu/packages/patches/icecat-CVE-2015-4492.patch | 81 ++++++++++++++ 8 files changed, 325 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/icecat-CVE-2015-4473-partial.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4482.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4488.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4489.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4491.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-4492.patch diff --git a/gnu-system.am b/gnu-system.am index dc945c9b96..f9db6acc51 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -483,6 +483,12 @@ dist_patch_DATA = \ gnu/packages/patches/hwloc-gather-topology-lstopo.patch \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ + gnu/packages/patches/icecat-CVE-2015-4473-partial.patch \ + gnu/packages/patches/icecat-CVE-2015-4482.patch \ + gnu/packages/patches/icecat-CVE-2015-4488.patch \ + gnu/packages/patches/icecat-CVE-2015-4489.patch \ + gnu/packages/patches/icecat-CVE-2015-4491.patch \ + gnu/packages/patches/icecat-CVE-2015-4492.patch \ gnu/packages/patches/icecat-CVE-2015-4495.patch \ gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \ gnu/packages/patches/icecat-freetype-2.6.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 0200039f5c..bfd1f5dc7b 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -240,7 +240,13 @@ standards.") (sha256 (base32 "11wx29mb5pcg4mgk07a6vjwh52ca90k0x4m9wv0v3y5dmp88f01p")) - (patches (map search-patch '("icecat-CVE-2015-4495.patch" + (patches (map search-patch '("icecat-CVE-2015-4473-partial.patch" + "icecat-CVE-2015-4482.patch" + "icecat-CVE-2015-4488.patch" + "icecat-CVE-2015-4489.patch" + "icecat-CVE-2015-4491.patch" + "icecat-CVE-2015-4492.patch" + "icecat-CVE-2015-4495.patch" "icecat-enable-acceleration-and-webgl.patch" "icecat-freetype-2.6.patch" "icecat-libvpx-1.4.patch"))) diff --git a/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch new file mode 100644 index 0000000000..184a8c5092 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch @@ -0,0 +1,120 @@ +Backported to icecat-31.8 from the upstream esr38 branch. + +From 1a7eac06fab3b8ffca09936498887f99e233bcba Mon Sep 17 00:00:00 2001 +From: Randell Jesup +Date: Thu, 9 Jul 2015 20:18:34 -0400 +Subject: [PATCH] Bug 1178890 - Update timer arrays after sleep to account for + time sleeping. r=bwc, r=froydnj, a=sledru + +--- icecat-31.8.0/xpcom/threads/TimerThread.cpp.orig 1969-12-31 19:00:00.000000000 -0500 ++++ icecat-31.8.0/xpcom/threads/TimerThread.cpp 2015-08-12 16:38:11.789371171 -0400 +@@ -28,7 +28,8 @@ + mShutdown(false), + mWaiting(false), + mNotified(false), +- mSleeping(false) ++ mSleeping(false), ++ mLastTimerEventLoopRun(TimeStamp::Now()) + { + } + +@@ -222,6 +223,7 @@ + } else { + waitFor = PR_INTERVAL_NO_TIMEOUT; + TimeStamp now = TimeStamp::Now(); ++ mLastTimerEventLoopRun = now; + nsTimerImpl *timer = nullptr; + + if (!mTimers.IsEmpty()) { +@@ -411,6 +413,7 @@ + // This function must be called from within a lock + int32_t TimerThread::AddTimerInternal(nsTimerImpl *aTimer) + { ++ mMonitor.AssertCurrentThreadOwns(); + if (mShutdown) + return -1; + +@@ -434,6 +437,7 @@ + + bool TimerThread::RemoveTimerInternal(nsTimerImpl *aTimer) + { ++ mMonitor.AssertCurrentThreadOwns(); + if (!mTimers.RemoveElement(aTimer)) + return false; + +@@ -443,6 +447,10 @@ + + void TimerThread::ReleaseTimerInternal(nsTimerImpl *aTimer) + { ++ if (!mShutdown) { ++ // copied to a local array before releasing in shutdown ++ mMonitor.AssertCurrentThreadOwns(); ++ } + // Order is crucial here -- see nsTimerImpl::Release. + aTimer->mArmed = false; + NS_RELEASE(aTimer); +@@ -450,21 +458,39 @@ + + void TimerThread::DoBeforeSleep() + { ++ // Mainthread ++ MonitorAutoLock lock(mMonitor); ++ mLastTimerEventLoopRun = TimeStamp::Now(); + mSleeping = true; + } + ++// Note: wake may be notified without preceding sleep notification + void TimerThread::DoAfterSleep() + { +- mSleeping = true; // wake may be notified without preceding sleep notification ++ // Mainthread ++ TimeStamp now = TimeStamp::Now(); ++ ++ MonitorAutoLock lock(mMonitor); ++ ++ // an over-estimate of time slept, usually small ++ TimeDuration slept = now - mLastTimerEventLoopRun; ++ ++ // Adjust all old timers to expire roughly similar times in the future ++ // compared to when we went to sleep, by adding the time we slept to the ++ // target time. It's slightly possible a few will end up slightly in the ++ // past and fire immediately, but ordering should be preserved. All ++ // timers retain the exact same order (and relative times) as before ++ // going to sleep. + for (uint32_t i = 0; i < mTimers.Length(); i ++) { + nsTimerImpl *timer = mTimers[i]; +- // get and set the delay to cause its timeout to be recomputed +- uint32_t delay; +- timer->GetDelay(&delay); +- timer->SetDelay(delay); ++ timer->mTimeout += slept; + } +- + mSleeping = false; ++ mLastTimerEventLoopRun = now; ++ ++ // Wake up the timer thread to process the updated array ++ mNotified = true; ++ mMonitor.Notify(); + } + + +--- icecat-31.8.0/xpcom/threads/TimerThread.h.orig 1969-12-31 19:00:00.000000000 -0500 ++++ icecat-31.8.0/xpcom/threads/TimerThread.h 2015-08-12 16:38:38.542408062 -0400 +@@ -59,7 +59,7 @@ + mozilla::Atomic mInitInProgress; + bool mInitialized; + +- // These two internal helper methods must be called while mLock is held. ++ // These two internal helper methods must be called while mMonitor is held. + // AddTimerInternal returns the position where the timer was added in the + // list, or -1 if it failed. + int32_t AddTimerInternal(nsTimerImpl *aTimer); +@@ -73,6 +73,7 @@ + bool mWaiting; + bool mNotified; + bool mSleeping; ++ TimeStamp mLastTimerEventLoopRun; + + nsTArray mTimers; + }; diff --git a/gnu/packages/patches/icecat-CVE-2015-4482.patch b/gnu/packages/patches/icecat-CVE-2015-4482.patch new file mode 100644 index 0000000000..41f0a3d0fc --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4482.patch @@ -0,0 +1,28 @@ +From 932a017c745d40d661602f6145c95c9226d8450d Mon Sep 17 00:00:00 2001 +From: Stephen Pohl +Date: Sat, 18 Jul 2015 18:42:15 -0700 +Subject: [PATCH] Bug 1184500 - Improve handling of index names in MAR files. + r=rstrong, a=lmandel + +--- + modules/libmar/src/mar_read.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/modules/libmar/src/mar_read.c b/modules/libmar/src/mar_read.c +index c647370..2013b0f 100644 +--- a/modules/libmar/src/mar_read.c ++++ b/modules/libmar/src/mar_read.c +@@ -96,6 +96,10 @@ static int mar_consume_index(MarFile *mar, char **buf, const char *buf_end) { + ++(*buf); + } + namelen = (*buf - name); ++ /* must ensure that namelen is valid */ ++ if (namelen < 0) { ++ return -1; ++ } + /* consume null byte */ + if (*buf == buf_end) + return -1; +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4488.patch b/gnu/packages/patches/icecat-CVE-2015-4488.patch new file mode 100644 index 0000000000..cee0905be0 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4488.patch @@ -0,0 +1,21 @@ +Backported to icecat-31.8 from the upstream esr38 branch. + +From 103fb14ff54753305508448ba0e374247a463552 Mon Sep 17 00:00:00 2001 +From: Daniel Holbert +Date: Fri, 19 Jun 2015 15:56:12 -0700 +Subject: [PATCH] Bug 1176270 - Handle self-assignment in + StyleAnimationValue::operator=. r=dbaron, a=sledru + +--- icecat-31.8.0/layout/style/nsStyleAnimation.cpp.orig 1969-12-31 19:00:00.000000000 -0500 ++++ icecat-31.8.0/layout/style/nsStyleAnimation.cpp 2015-08-12 16:00:39.418122049 -0400 +@@ -3517,6 +3517,10 @@ + nsStyleAnimation::Value& + nsStyleAnimation::Value::operator=(const Value& aOther) + { ++ if (this == &aOther) { ++ return *this; ++ } ++ + FreeValue(); + + mUnit = aOther.mUnit; diff --git a/gnu/packages/patches/icecat-CVE-2015-4489.patch b/gnu/packages/patches/icecat-CVE-2015-4489.patch new file mode 100644 index 0000000000..4140891e3a --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4489.patch @@ -0,0 +1,21 @@ +Backported to icecat-31.8 from the upstream esr38 branch. + +From 95231c1bca9c9495393b795513bea71a21a6ec2f Mon Sep 17 00:00:00 2001 +From: Birunthan Mohanathas +Date: Tue, 21 Jul 2015 09:42:58 -0700 +Subject: [PATCH] Bug 1182723 - Properly handle self-assignment in + nsTArray::operator=. r=mccr8, a=abillings + +--- icecat-31.8.0/xpcom/glue/nsTArray.h.orig 2015-08-12 16:03:56.353746969 -0400 ++++ icecat-31.8.0/xpcom/glue/nsTArray.h 2015-08-12 16:06:52.144553848 -0400 +@@ -811,7 +811,9 @@ + // array. It is optimized to reuse existing storage if possible. + // @param other The array object to copy. + self_type& operator=(const self_type& other) { +- ReplaceElementsAt(0, Length(), other.Elements(), other.Length()); ++ if (this != &other) { ++ ReplaceElementsAt(0, Length(), other.Elements(), other.Length()); ++ } + return *this; + } + diff --git a/gnu/packages/patches/icecat-CVE-2015-4491.patch b/gnu/packages/patches/icecat-CVE-2015-4491.patch new file mode 100644 index 0000000000..c16885cfc7 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4491.patch @@ -0,0 +1,41 @@ +From c154557bc0aa7e310824717f3e829dd82e6726e4 Mon Sep 17 00:00:00 2001 +From: Lee Salzman +Date: Tue, 21 Jul 2015 13:16:44 -0400 +Subject: [PATCH] Bug 1184009 - Limit image preview sizes. r=acomminos, + a=lmandel + +--HG-- +extra : transplant_source : %9B%86%13%60%B2%97%F1%8Fb%CB%9C%8D%FBWo%C9%EBPs1 +--- + widget/gtk/nsFilePicker.cpp | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/widget/gtk/nsFilePicker.cpp b/widget/gtk/nsFilePicker.cpp +index 0b5a8dc..3c0d543 100644 +--- a/widget/gtk/nsFilePicker.cpp ++++ b/widget/gtk/nsFilePicker.cpp +@@ -101,13 +101,16 @@ UpdateFilePreviewWidget(GtkFileChooser *file_chooser, + return; + } + +- GdkPixbuf *preview_pixbuf; ++ GdkPixbuf *preview_pixbuf = nullptr; + // Only scale down images that are too big + if (preview_width > MAX_PREVIEW_SIZE || preview_height > MAX_PREVIEW_SIZE) { +- preview_pixbuf = gdk_pixbuf_new_from_file_at_size(image_filename, +- MAX_PREVIEW_SIZE, +- MAX_PREVIEW_SIZE, +- nullptr); ++ if (ceil(preview_width / double(MAX_PREVIEW_SIZE) + 1.0) * ++ ceil(preview_height / double(MAX_PREVIEW_SIZE) + 1.0) < 0x7FFFFF) { ++ preview_pixbuf = gdk_pixbuf_new_from_file_at_size(image_filename, ++ MAX_PREVIEW_SIZE, ++ MAX_PREVIEW_SIZE, ++ nullptr); ++ } + } + else { + preview_pixbuf = gdk_pixbuf_new_from_file(image_filename, nullptr); +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-4492.patch b/gnu/packages/patches/icecat-CVE-2015-4492.patch new file mode 100644 index 0000000000..5d401f5a32 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-4492.patch @@ -0,0 +1,81 @@ +From 9d5f21ee3a754d20bca4513f55553ea6694a7b25 Mon Sep 17 00:00:00 2001 +From: Andrea Marchesini +Date: Wed, 29 Jul 2015 16:10:15 -0400 +Subject: [PATCH] Bug 1185820 - XMLHttpRequest::Open() in worker should count + the recursion using a uint32_t and not a boolean. r=khuey, a=lmandel + +--HG-- +extra : transplant_source : %8F%89%24%FF%A1%F7d%5B%BE%E9%FC3%C6%E1%AC%27r%5Eq%16 +extra : histedit_source : 5857f0cedf1cfb5361e6f404a094719814a2b415 +--- + dom/workers/XMLHttpRequest.cpp | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp +index aac97ab..7099279 100644 +--- a/dom/workers/XMLHttpRequest.cpp ++++ b/dom/workers/XMLHttpRequest.cpp +@@ -100,6 +100,7 @@ public: + // Only touched on the worker thread. + uint32_t mOuterEventStreamId; + uint32_t mOuterChannelId; ++ uint32_t mOpenCount; + uint64_t mLastLoaded; + uint64_t mLastTotal; + uint64_t mLastUploadLoaded; +@@ -109,7 +110,6 @@ public: + bool mLastUploadLengthComputable; + bool mSeenLoadStart; + bool mSeenUploadLoadStart; +- bool mOpening; + + // Only touched on the main thread. + bool mUploadEventListenersAttached; +@@ -122,10 +122,10 @@ public: + : mWorkerPrivate(nullptr), mXMLHttpRequestPrivate(aXHRPrivate), + mMozAnon(aMozAnon), mMozSystem(aMozSystem), + mInnerEventStreamId(0), mInnerChannelId(0), mOutstandingSendCount(0), +- mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0), +- mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false), ++ mOuterEventStreamId(0), mOuterChannelId(0), mOpenCount(0), mLastLoaded(0), ++ mLastTotal(0), mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false), + mLastLengthComputable(false), mLastUploadLengthComputable(false), +- mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false), ++ mSeenLoadStart(false), mSeenUploadLoadStart(false), + mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false), + mInOpen(false), mArrayBufferResponseWasTransferred(false) + { } +@@ -1850,7 +1850,7 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody, + mWorkerPrivate->AssertIsOnWorkerThread(); + + // No send() calls when open is running. +- if (mProxy->mOpening) { ++ if (mProxy->mOpenCount) { + aRv.Throw(NS_ERROR_FAILURE); + return; + } +@@ -1945,15 +1945,17 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl, + mBackgroundRequest, mWithCredentials, + mTimeout); + +- mProxy->mOpening = true; ++ ++mProxy->mOpenCount; + if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) { +- mProxy->mOpening = false; +- ReleaseProxy(); ++ if (!--mProxy->mOpenCount) { ++ ReleaseProxy(); ++ } ++ + aRv.Throw(NS_ERROR_FAILURE); + return; + } + +- mProxy->mOpening = false; ++ --mProxy->mOpenCount; + mProxy->mIsSyncXHR = !aAsync; + } + +-- +2.4.3 + -- cgit 1.4.1