gnu: icecat: Apply fixes for CVE-2015-{0817,0818} and other selected bugs.

* gnu/packages/patches/icecat-CVE-2015-0817.patch,
  gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch,
  gnu/packages/patches/icecat-bug-1127780.patch,
  gnu/packages/patches/icecat-bug-1144991.patch,
  gnu/packages/patches/icecat-bug-1145870.patch,
  gnu/packages/patches/icecat-bug-1146339.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat): Add patches.
This commit is contained in:
Mark H Weaver 2015-03-25 08:20:49 -04:00
parent 614c218842
commit 4c153a9125
9 changed files with 460 additions and 1 deletions

View File

@ -432,6 +432,13 @@ dist_patch_DATA = \
gnu/packages/patches/guix-test-networking.patch \
gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
gnu/packages/patches/hop-bigloo-4.0b.patch \
gnu/packages/patches/icecat-bug-1127780.patch \
gnu/packages/patches/icecat-bug-1144991.patch \
gnu/packages/patches/icecat-bug-1145870.patch \
gnu/packages/patches/icecat-bug-1146339.patch \
gnu/packages/patches/icecat-CVE-2015-0817.patch \
gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch \
gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch \
gnu/packages/patches/irrlicht-mesa-10.patch \
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
gnu/packages/patches/kmod-module-directory.patch \

View File

@ -224,7 +224,14 @@ standards.")
version "/" name "-" version ".tar.bz2"))
(sha256
(base32
"1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))))
"1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
(patches (map search-patch '("icecat-bug-1127780.patch"
"icecat-CVE-2015-0817.patch"
"icecat-bug-1144991.patch"
"icecat-CVE-2015-0818-pt1.patch"
"icecat-bug-1145870.patch"
"icecat-CVE-2015-0818-pt2.patch"
"icecat-bug-1146339.patch")))))
(build-system gnu-build-system)
(inputs
`(("alsa-lib" ,alsa-lib)

View File

@ -0,0 +1,44 @@
From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001
From: Steve Fink <sfink@mozilla.com>
Date: Thu, 19 Mar 2015 15:46:24 -0700
Subject: [PATCH] Bug 1145255. r=luke, a=lmandel
---
js/src/jit/AsmJS.cpp | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp
index 302b5ab..1b8eed6 100644
--- a/js/src/jit/AsmJS.cpp
+++ b/js/src/jit/AsmJS.cpp
@@ -14,6 +14,7 @@
#include "jsmath.h"
#include "jsprf.h"
+#include "jsutil.h"
#include "jsworkers.h"
#include "prmjtime.h"
@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask,
if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
// Flag the access to skip the bounds check if the mask ensures that an 'out of
// bounds' access can not occur based on the current heap length constraint.
- if (mask2 == 0 ||
- CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) {
+ if (mask2 == 0) {
*needsBoundsCheck = NO_BOUNDS_CHECK;
+ } else {
+ uint32_t minHeap = f.m().minHeapLength();
+ uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1);
+ uint32_t maskZeroes = CountLeadingZeroes32(mask2);
+ if ((minHeapZeroes < maskZeroes) ||
+ (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes))
+ {
+ *needsBoundsCheck = NO_BOUNDS_CHECK;
+ }
}
*mask &= mask2;
*indexExpr = indexNode;
--
2.2.1

View File

@ -0,0 +1,67 @@
From 79dddb16aaa58f5b5cef49dac6d234f500af3baf Mon Sep 17 00:00:00 2001
From: Olli Pettay <Olli.Pettay@helsinki.fi>
Date: Thu, 19 Mar 2015 21:53:32 -0400
Subject: [PATCH] Bug 1144988 - Don't let other pages to load while doing
scroll-to-anchor. r=bz, a=lmandel
---
docshell/base/nsDocShell.cpp | 23 ++++++++++++++---------
docshell/base/nsDocShell.h | 1 +
2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 887c910..14ff3f2 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -4204,8 +4204,8 @@ nsDocShell::IsPrintingOrPP(bool aDisplayErrorDialog)
bool
nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
{
- bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && !mFiredUnloadEvent;
- if (!isAllowed) {
+ bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
+ !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) {
return false;
}
if (!mContentViewer) {
@@ -9321,13 +9321,18 @@ nsDocShell::InternalLoad(nsIURI * aURI,
GetCurScrollPos(ScrollOrientation_X, &cx);
GetCurScrollPos(ScrollOrientation_Y, &cy);
- // ScrollToAnchor doesn't necessarily cause us to scroll the window;
- // the function decides whether a scroll is appropriate based on the
- // arguments it receives. But even if we don't end up scrolling,
- // ScrollToAnchor performs other important tasks, such as informing
- // the presShell that we have a new hash. See bug 680257.
- rv = ScrollToAnchor(curHash, newHash, aLoadType);
- NS_ENSURE_SUCCESS(rv, rv);
+ {
+ AutoRestore<bool> scrollingToAnchor(mBlockNavigation);
+ mBlockNavigation = true;
+
+ // ScrollToAnchor doesn't necessarily cause us to scroll the window;
+ // the function decides whether a scroll is appropriate based on the
+ // arguments it receives. But even if we don't end up scrolling,
+ // ScrollToAnchor performs other important tasks, such as informing
+ // the presShell that we have a new hash. See bug 680257.
+ rv = ScrollToAnchor(curHash, newHash, aLoadType);
+ NS_ENSURE_SUCCESS(rv, rv);
+ }
// Reset mLoadType to its original value once we exit this block,
// because this short-circuited load might have started after a
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index c191777..be353ee 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -835,6 +835,7 @@ protected:
bool mInPrivateBrowsing;
bool mUseRemoteTabs;
bool mDeviceSizeIsPageSize;
+ bool mBlockNavigation;
// Because scriptability depends on the mAllowJavascript values of our
// ancestors, we cache the effective scriptability and recompute it when
--
2.2.1

View File

@ -0,0 +1,28 @@
From 83364c747c421b191f9d4012896a9e5a1d5223ad Mon Sep 17 00:00:00 2001
From: Kyle Huey <khuey@kylehuey.com>
Date: Fri, 20 Mar 2015 19:15:13 -0700
Subject: [PATCH] Bug 1144988. r=bz a=lmandel
---
docshell/base/nsDocShell.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 4cddcef..bdf88a5cf 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1322,9 +1322,10 @@ nsDocShell::LoadURI(nsIURI * aURI,
// Note: we allow loads to get through here even if mFiredUnloadEvent is
// true; that case will get handled in LoadInternal or LoadHistoryEntry.
- if (IsPrintingOrPP()) {
+ if (IsPrintingOrPP() || mBlockNavigation) {
return NS_OK; // JS may not handle returning of an error code
}
+
nsCOMPtr<nsIURI> referrer;
nsCOMPtr<nsIInputStream> postStream;
nsCOMPtr<nsIInputStream> headersStream;
--
2.2.1

View File

@ -0,0 +1,25 @@
From cf1de3d04302841aaa05aed8364da3399cbca9b4 Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Tue, 17 Feb 2015 17:47:12 -0500
Subject: [PATCH] Bug 1127780 - Add null check. r=bz, a=bkerensa
---
js/xpconnect/wrappers/XrayWrapper.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h
index ead095f1..cc8c580 100644
--- a/js/xpconnect/wrappers/XrayWrapper.h
+++ b/js/xpconnect/wrappers/XrayWrapper.h
@@ -131,7 +131,7 @@ class XrayWrapper : public Base {
{
if (!Base::getPrototypeOf(cx, wrapper, protop))
return false;
- if (WrapperFactory::IsXrayWrapper(protop))
+ if (!protop || WrapperFactory::IsXrayWrapper(protop))
return true;
protop.set(JS_GetObjectPrototype(cx, wrapper));
--
2.2.1

View File

@ -0,0 +1,76 @@
From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Thu, 19 Mar 2015 18:58:44 -0400
Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a
URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that
doesn't have the same scheme. r=bholley, a=abillings
---
caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp
index 3587358..6577b95 100644
--- a/caps/src/nsScriptSecurityManager.cpp
+++ b/caps/src/nsScriptSecurityManager.cpp
@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
NS_ENSURE_SUCCESS(rv, rv);
if (hasFlags) {
if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) {
+
+ // For now, don't change behavior for resource:// or moz-icon:// and
+ // just allow them.
if (!targetScheme.EqualsLiteral("chrome")) {
- // for now don't change behavior for resource: or moz-icon:
return NS_OK;
}
- // allow load only if chrome package is whitelisted
+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE
+ // target if ALLOW_CHROME is set.
+ //
+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell
+ // loads (since docshell loads run the loaded content with its origin
+ // principal). So we're effectively allowing resource://, chrome://,
+ // and moz-icon:// source URIs to load resource://, chrome://, and
+ // moz-icon:// files, so long as they're not loading it as a document.
+ bool sourceIsUIResource;
+ rv = NS_URIChainHasFlags(sourceBaseURI,
+ nsIProtocolHandler::URI_IS_UI_RESOURCE,
+ &sourceIsUIResource);
+ NS_ENSURE_SUCCESS(rv, rv);
+ if (sourceIsUIResource) {
+ return NS_OK;
+ }
+
+ // Allow the load only if the chrome package is whitelisted.
nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService(
NS_CHROMEREGISTRY_CONTRACTID));
if (reg) {
@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
}
}
- // resource: and chrome: are equivalent, securitywise
- // That's bogus!! Fix this. But watch out for
- // the view-source stylesheet?
- bool sourceIsChrome;
- rv = NS_URIChainHasFlags(sourceBaseURI,
- nsIProtocolHandler::URI_IS_UI_RESOURCE,
- &sourceIsChrome);
- NS_ENSURE_SUCCESS(rv, rv);
- if (sourceIsChrome) {
+ // Special-case the hidden window: it's allowed to load
+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this.
+ nsAutoCString sourceSpec;
+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) &&
+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) {
return NS_OK;
}
+
if (reportErrors) {
ReportError(nullptr, errorTag, sourceURI, aTargetURI);
}
--
2.2.1

View File

@ -0,0 +1,43 @@
From a40e2ebc2ab57dacb539d4e49ed4193764ff7112 Mon Sep 17 00:00:00 2001
From: Kyle Huey <khuey@kylehuey.com>
Date: Fri, 20 Mar 2015 19:05:56 -0700
Subject: [PATCH] Bug 1145870. r=bz a=lmandel
---
docshell/base/nsDocShell.cpp | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 14ff3f2..4cddcef 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -8900,6 +8900,8 @@ nsDocShell::InternalLoad(nsIURI * aURI,
NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
+ NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
+
// wyciwyg urls can only be loaded through history. Any normal load of
// wyciwyg through docshell is illegal. Disallow such loads.
if (aLoadType & LOAD_CMD_NORMAL) {
@@ -12570,7 +12572,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
{
NS_ASSERTION(NS_IsMainThread(), "wrong thread");
- if (!IsOKToLoadURI(aURI)) {
+ if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
return NS_OK;
}
@@ -12626,7 +12628,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
*aRequest = nullptr;
}
- if (!IsOKToLoadURI(aURI)) {
+ if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
return NS_OK;
}
--
2.2.1

View File

@ -0,0 +1,162 @@
From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001
From: Olli Pettay <Olli.Pettay@helsinki.fi>
Date: Mon, 23 Mar 2015 22:23:53 -0400
Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching
popstate/hashchange. r=bz, a=lmandel
---
docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++-----------------------
docshell/base/nsDocShell.h | 1 -
2 files changed, 30 insertions(+), 35 deletions(-)
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index bdf88a5cf..efb6a6e 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI,
// Note: we allow loads to get through here even if mFiredUnloadEvent is
// true; that case will get handled in LoadInternal or LoadHistoryEntry.
- if (IsPrintingOrPP() || mBlockNavigation) {
+ if (IsPrintingOrPP()) {
return NS_OK; // JS may not handle returning of an error code
}
@@ -4206,7 +4206,8 @@ bool
nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog)
{
bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) &&
- !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) {
+ !mFiredUnloadEvent;
+ if (!isAllowed) {
return false;
}
if (!mContentViewer) {
@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE);
- NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED);
-
// wyciwyg urls can only be loaded through history. Any normal load of
// wyciwyg through docshell is illegal. Disallow such loads.
if (aLoadType & LOAD_CMD_NORMAL) {
@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
GetCurScrollPos(ScrollOrientation_X, &cx);
GetCurScrollPos(ScrollOrientation_Y, &cy);
- {
- AutoRestore<bool> scrollingToAnchor(mBlockNavigation);
- mBlockNavigation = true;
-
- // ScrollToAnchor doesn't necessarily cause us to scroll the window;
- // the function decides whether a scroll is appropriate based on the
- // arguments it receives. But even if we don't end up scrolling,
- // ScrollToAnchor performs other important tasks, such as informing
- // the presShell that we have a new hash. See bug 680257.
- rv = ScrollToAnchor(curHash, newHash, aLoadType);
- NS_ENSURE_SUCCESS(rv, rv);
- }
-
// Reset mLoadType to its original value once we exit this block,
// because this short-circuited load might have started after a
// normal, network load, and we don't want to clobber its load type.
@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
mOSHE->SetCacheKey(cacheKey);
}
- /* restore previous position of scroller(s), if we're moving
- * back in history (bug 59774)
- */
- if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL))
- {
- nscoord bx, by;
- mOSHE->GetScrollPosition(&bx, &by);
- SetCurScrollPosEx(bx, by);
- }
-
/* Restore the original LSHE if we were loading something
* while short-circuited load was initiated.
*/
@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI,
SetDocCurrentStateObj(mOSHE);
+ // Inform the favicon service that the favicon for oldURI also
+ // applies to aURI.
+ CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
+
+ nsRefPtr<nsGlobalWindow> win = mScriptGlobal ?
+ mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr;
+
+ // ScrollToAnchor doesn't necessarily cause us to scroll the window;
+ // the function decides whether a scroll is appropriate based on the
+ // arguments it receives. But even if we don't end up scrolling,
+ // ScrollToAnchor performs other important tasks, such as informing
+ // the presShell that we have a new hash. See bug 680257.
+ rv = ScrollToAnchor(curHash, newHash, aLoadType);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+ /* restore previous position of scroller(s), if we're moving
+ * back in history (bug 59774)
+ */
+ if (mOSHE && (aLoadType == LOAD_HISTORY ||
+ aLoadType == LOAD_RELOAD_NORMAL)) {
+ nscoord bx, by;
+ mOSHE->GetScrollPosition(&bx, &by);
+ SetCurScrollPosEx(bx, by);
+ }
+
// Dispatch the popstate and hashchange events, as appropriate.
//
// The event dispatch below can cause us to re-enter script and
// destroy the docshell, nulling out mScriptGlobal. Hold a stack
// reference to avoid null derefs. See bug 914521.
- nsRefPtr<nsGlobalWindow> win = mScriptGlobal;
if (win) {
// Fire a hashchange event URIs differ, and only in their hashes.
bool doHashchange = sameExceptHashes && !curHash.Equals(newHash);
@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI,
}
}
- // Inform the favicon service that the favicon for oldURI also
- // applies to aURI.
- CopyFavicon(currentURI, aURI, mInPrivateBrowsing);
-
return NS_OK;
}
}
@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent,
{
NS_ASSERTION(NS_IsMainThread(), "wrong thread");
- if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
+ if (!IsOKToLoadURI(aURI)) {
return NS_OK;
}
@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent,
*aRequest = nullptr;
}
- if (!IsOKToLoadURI(aURI) || mBlockNavigation) {
+ if (!IsOKToLoadURI(aURI)) {
return NS_OK;
}
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index be353ee..c191777 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -835,7 +835,6 @@ protected:
bool mInPrivateBrowsing;
bool mUseRemoteTabs;
bool mDeviceSizeIsPageSize;
- bool mBlockNavigation;
// Because scriptability depends on the mAllowJavascript values of our
// ancestors, we cache the effective scriptability and recompute it when
--
2.2.1