From c037a0f7ce79d8d67e08694ae20e407b1280d84e Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 12 Aug 2015 17:41:15 -0400 Subject: gnu: icecat: Add fixes for CVE-2015-{4473,4482,4488,4489,4491,4492}. WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable to backport some of the patches (for upstream bugs 1182711 and 1146213). I was also unable to backport CVE-2015-4484 (upstream bug 1171540) and CVE-2015-4487 (upstream bug 1171603). I was unable to find any commit in the upstream repository that claims to address bug 1105914 (CVE-2015-4478). * gnu/packages/patches/icecat-CVE-2015-4473-partial.patch, gnu/packages/patches/icecat-CVE-2015-4482.patch, gnu/packages/patches/icecat-CVE-2015-4488.patch, gnu/packages/patches/icecat-CVE-2015-4489.patch, gnu/packages/patches/icecat-CVE-2015-4491.patch, gnu/packages/patches/icecat-CVE-2015-4492.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. --- .../patches/icecat-CVE-2015-4473-partial.patch | 120 +++++++++++++++++++++ 1 file changed, 120 insertions(+) create mode 100644 gnu/packages/patches/icecat-CVE-2015-4473-partial.patch (limited to 'gnu/packages/patches/icecat-CVE-2015-4473-partial.patch')
diff --git a/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch
new file mode 100644
index 0000000000..184a8c5092
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch
@@ -0,0 +1,120 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 1a7eac06fab3b8ffca09936498887f99e233bcba Mon Sep 17 00:00:00 2001
+From: Randell Jesup
+Date: Thu, 9 Jul 2015 20:18:34 -0400
+Subject: [PATCH] Bug 1178890 - Update timer arrays after sleep to account for
+ time sleeping. r=bwc, r=froydnj, a=sledru
+
+--- icecat-31.8.0/xpcom/threads/TimerThread.cpp.orig 1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/xpcom/threads/TimerThread.cpp 2015-08-12 16:38:11.789371171 -0400
+@@ -28,7 +28,8 @@
+ mShutdown(false),
+ mWaiting(false),
+ mNotified(false),
+- mSleeping(false)
++ mSleeping(false),
++ mLastTimerEventLoopRun(TimeStamp::Now())
+ {
+ }
+
+@@ -222,6 +223,7 @@
+ } else {
+ waitFor = PR_INTERVAL_NO_TIMEOUT;
+ TimeStamp now = TimeStamp::Now();
++ mLastTimerEventLoopRun = now;
+ nsTimerImpl *timer = nullptr;
+
+ if (!mTimers.IsEmpty()) {
+@@ -411,6 +413,7 @@
+ // This function must be called from within a lock
+ int32_t TimerThread::AddTimerInternal(nsTimerImpl *aTimer)
+ {
++ mMonitor.AssertCurrentThreadOwns();
+ if (mShutdown)
+ return -1;
+
+@@ -434,6 +437,7 @@
+
+ bool TimerThread::RemoveTimerInternal(nsTimerImpl *aTimer)
+ {
++ mMonitor.AssertCurrentThreadOwns();
+ if (!mTimers.RemoveElement(aTimer))
+ return false;
+
+@@ -443,6 +447,10 @@
+
+ void TimerThread::ReleaseTimerInternal(nsTimerImpl *aTimer)
+ {
++ if (!mShutdown) {
++ // copied to a local array before releasing in shutdown
++ mMonitor.AssertCurrentThreadOwns();
++ }
+ // Order is crucial here -- see nsTimerImpl::Release.
+ aTimer->mArmed = false;
+ NS_RELEASE(aTimer);
+@@ -450,21 +458,39 @@
+
+ void TimerThread::DoBeforeSleep()
+ {
++ // Mainthread
++ MonitorAutoLock lock(mMonitor);
++ mLastTimerEventLoopRun = TimeStamp::Now();
+ mSleeping = true;
+ }
+
++// Note: wake may be notified without preceding sleep notification
+ void TimerThread::DoAfterSleep()
+ {
+- mSleeping = true; // wake may be notified without preceding sleep notification
++ // Mainthread
++ TimeStamp now = TimeStamp::Now();
++
++ MonitorAutoLock lock(mMonitor);
++
++ // an over-estimate of time slept, usually small
++ TimeDuration slept = now - mLastTimerEventLoopRun;
++
++ // Adjust all old timers to expire roughly similar times in the future
++ // compared to when we went to sleep, by adding the time we slept to the
++ // target time. It's slightly possible a few will end up slightly in the
++ // past and fire immediately, but ordering should be preserved. All
++ // timers retain the exact same order (and relative times) as before
++ // going to sleep.
+ for (uint32_t i = 0; i < mTimers.Length(); i ++) {
+ nsTimerImpl *timer = mTimers[i];
+- // get and set the delay to cause its timeout to be recomputed
+- uint32_t delay;
+- timer->GetDelay(&delay);
+- timer->SetDelay(delay);
++ timer->mTimeout += slept;
+ }
+-
+ mSleeping = false;
++ mLastTimerEventLoopRun = now;
++
++ // Wake up the timer thread to process the updated array
++ mNotified = true;
++ mMonitor.Notify();
+ }
+
+
+--- icecat-31.8.0/xpcom/threads/TimerThread.h.orig 1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/xpcom/threads/TimerThread.h 2015-08-12 16:38:38.542408062 -0400
+@@ -59,7 +59,7 @@
+ mozilla::Atomic mInitInProgress;
+ bool mInitialized;
+
+- // These two internal helper methods must be called while mLock is held.
++ // These two internal helper methods must be called while mMonitor is held.
+ // AddTimerInternal returns the position where the timer was added in the
+ // list, or -1 if it failed.
+ int32_t AddTimerInternal(nsTimerImpl *aTimer);
+@@ -73,6 +73,7 @@
+ bool mWaiting;
+ bool mNotified;
+ bool mSleeping;
++ TimeStamp mLastTimerEventLoopRun;
+
+ nsTArray mTimers;
+ };
-- cgit 1.4.1
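Review bot: The header of the new patch file says only `Backported to icecat-31.8 from the upstream esr38 branch.`, so the fact that it carries just upstream bug 1178890 and leaves CVE-2015-4473 partly open is recorded only in the commit message and the `-partial` file name. I would add a second header line such as `Partial fix for CVE-2015-4473: covers upstream bug 1178890 only; the fixes for bugs 1182711 and 1146213 are not included.` so that anyone auditing the patch directory sees the remaining exposure without reading the commit log. Separately, in `DoAfterSleep` the value `slept` is measured from `mLastTimerEventLoopRun`, and the comment above the function says a wake can arrive without a preceding sleep notification; in that case `slept` is the time since the timer loop last ran rather than real sleep time, which the existing comment only calls an over-estimate. The rest of the timer loop is outside the hunk, so how large that can get is not visible here and is worth confirming against the full file.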