diff --git a/gnu-system.am b/gnu-system.am index 153d395b57..1f2ebdf29e 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -432,6 +432,13 @@ dist_patch_DATA = \ gnu/packages/patches/guix-test-networking.patch \ gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \ gnu/packages/patches/hop-bigloo-4.0b.patch \ + gnu/packages/patches/icecat-bug-1127780.patch \ + gnu/packages/patches/icecat-bug-1144991.patch \ + gnu/packages/patches/icecat-bug-1145870.patch \ + gnu/packages/patches/icecat-bug-1146339.patch \ + gnu/packages/patches/icecat-CVE-2015-0817.patch \ + gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch \ + gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch \ gnu/packages/patches/irrlicht-mesa-10.patch \ gnu/packages/patches/jbig2dec-ignore-testtest.patch \ gnu/packages/patches/kmod-module-directory.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 1d450cda64..1e9deb8bff 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -224,7 +224,14 @@ standards.") version "/" name "-" version ".tar.bz2")) (sha256 (base32 - "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd")))) + "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd")) + (patches (map search-patch '("icecat-bug-1127780.patch" + "icecat-CVE-2015-0817.patch" + "icecat-bug-1144991.patch" + "icecat-CVE-2015-0818-pt1.patch" + "icecat-bug-1145870.patch" + "icecat-CVE-2015-0818-pt2.patch" + "icecat-bug-1146339.patch"))))) (build-system gnu-build-system) (inputs `(("alsa-lib" ,alsa-lib) diff --git a/gnu/packages/patches/icecat-CVE-2015-0817.patch b/gnu/packages/patches/icecat-CVE-2015-0817.patch new file mode 100644 index 0000000000..bb530a535d --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0817.patch @@ -0,0 +1,44 @@ +From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001 +From: Steve Fink +Date: Thu, 19 Mar 2015 15:46:24 -0700 +Subject: [PATCH] Bug 1145255. r=luke, a=lmandel + +--- + js/src/jit/AsmJS.cpp | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp +index 302b5ab..1b8eed6 100644 +--- a/js/src/jit/AsmJS.cpp ++++ b/js/src/jit/AsmJS.cpp +@@ -14,6 +14,7 @@ + + #include "jsmath.h" + #include "jsprf.h" ++#include "jsutil.h" + #include "jsworkers.h" + #include "prmjtime.h" + +@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask, + if (IsLiteralOrConstInt(f, maskNode, &mask2)) { + // Flag the access to skip the bounds check if the mask ensures that an 'out of + // bounds' access can not occur based on the current heap length constraint. +- if (mask2 == 0 || +- CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) { ++ if (mask2 == 0) { + *needsBoundsCheck = NO_BOUNDS_CHECK; ++ } else { ++ uint32_t minHeap = f.m().minHeapLength(); ++ uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1); ++ uint32_t maskZeroes = CountLeadingZeroes32(mask2); ++ if ((minHeapZeroes < maskZeroes) || ++ (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes)) ++ { ++ *needsBoundsCheck = NO_BOUNDS_CHECK; ++ } + } + *mask &= mask2; + *indexExpr = indexNode; +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch new file mode 100644 index 0000000000..5d396eed6b --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch @@ -0,0 +1,67 @@ +From 79dddb16aaa58f5b5cef49dac6d234f500af3baf Mon Sep 17 00:00:00 2001 +From: Olli Pettay +Date: Thu, 19 Mar 2015 21:53:32 -0400 +Subject: [PATCH] Bug 1144988 - Don't let other pages to load while doing + scroll-to-anchor. r=bz, a=lmandel + +--- + docshell/base/nsDocShell.cpp | 23 ++++++++++++++--------- + docshell/base/nsDocShell.h | 1 + + 2 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp +index 887c910..14ff3f2 100644 +--- a/docshell/base/nsDocShell.cpp ++++ b/docshell/base/nsDocShell.cpp +@@ -4204,8 +4204,8 @@ nsDocShell::IsPrintingOrPP(bool aDisplayErrorDialog) + bool + nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog) + { +- bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && !mFiredUnloadEvent; +- if (!isAllowed) { ++ bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && ++ !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) { + return false; + } + if (!mContentViewer) { +@@ -9321,13 +9321,18 @@ nsDocShell::InternalLoad(nsIURI * aURI, + GetCurScrollPos(ScrollOrientation_X, &cx); + GetCurScrollPos(ScrollOrientation_Y, &cy); + +- // ScrollToAnchor doesn't necessarily cause us to scroll the window; +- // the function decides whether a scroll is appropriate based on the +- // arguments it receives. But even if we don't end up scrolling, +- // ScrollToAnchor performs other important tasks, such as informing +- // the presShell that we have a new hash. See bug 680257. +- rv = ScrollToAnchor(curHash, newHash, aLoadType); +- NS_ENSURE_SUCCESS(rv, rv); ++ { ++ AutoRestore scrollingToAnchor(mBlockNavigation); ++ mBlockNavigation = true; ++ ++ // ScrollToAnchor doesn't necessarily cause us to scroll the window; ++ // the function decides whether a scroll is appropriate based on the ++ // arguments it receives. But even if we don't end up scrolling, ++ // ScrollToAnchor performs other important tasks, such as informing ++ // the presShell that we have a new hash. See bug 680257. ++ rv = ScrollToAnchor(curHash, newHash, aLoadType); ++ NS_ENSURE_SUCCESS(rv, rv); ++ } + + // Reset mLoadType to its original value once we exit this block, + // because this short-circuited load might have started after a +diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h +index c191777..be353ee 100644 +--- a/docshell/base/nsDocShell.h ++++ b/docshell/base/nsDocShell.h +@@ -835,6 +835,7 @@ protected: + bool mInPrivateBrowsing; + bool mUseRemoteTabs; + bool mDeviceSizeIsPageSize; ++ bool mBlockNavigation; + + // Because scriptability depends on the mAllowJavascript values of our + // ancestors, we cache the effective scriptability and recompute it when +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch new file mode 100644 index 0000000000..4eac5df4db --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch @@ -0,0 +1,28 @@ +From 83364c747c421b191f9d4012896a9e5a1d5223ad Mon Sep 17 00:00:00 2001 +From: Kyle Huey +Date: Fri, 20 Mar 2015 19:15:13 -0700 +Subject: [PATCH] Bug 1144988. r=bz a=lmandel + +--- + docshell/base/nsDocShell.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp +index 4cddcef..bdf88a5cf 100644 +--- a/docshell/base/nsDocShell.cpp ++++ b/docshell/base/nsDocShell.cpp +@@ -1322,9 +1322,10 @@ nsDocShell::LoadURI(nsIURI * aURI, + + // Note: we allow loads to get through here even if mFiredUnloadEvent is + // true; that case will get handled in LoadInternal or LoadHistoryEntry. +- if (IsPrintingOrPP()) { ++ if (IsPrintingOrPP() || mBlockNavigation) { + return NS_OK; // JS may not handle returning of an error code + } ++ + nsCOMPtr referrer; + nsCOMPtr postStream; + nsCOMPtr headersStream; +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-bug-1127780.patch b/gnu/packages/patches/icecat-bug-1127780.patch new file mode 100644 index 0000000000..c433616087 --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1127780.patch @@ -0,0 +1,25 @@ +From cf1de3d04302841aaa05aed8364da3399cbca9b4 Mon Sep 17 00:00:00 2001 +From: Bobby Holley +Date: Tue, 17 Feb 2015 17:47:12 -0500 +Subject: [PATCH] Bug 1127780 - Add null check. r=bz, a=bkerensa + +--- + js/xpconnect/wrappers/XrayWrapper.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h +index ead095f1..cc8c580 100644 +--- a/js/xpconnect/wrappers/XrayWrapper.h ++++ b/js/xpconnect/wrappers/XrayWrapper.h +@@ -131,7 +131,7 @@ class XrayWrapper : public Base { + { + if (!Base::getPrototypeOf(cx, wrapper, protop)) + return false; +- if (WrapperFactory::IsXrayWrapper(protop)) ++ if (!protop || WrapperFactory::IsXrayWrapper(protop)) + return true; + + protop.set(JS_GetObjectPrototype(cx, wrapper)); +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-bug-1144991.patch b/gnu/packages/patches/icecat-bug-1144991.patch new file mode 100644 index 0000000000..5632e37eb3 --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1144991.patch @@ -0,0 +1,76 @@ +From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001 +From: Boris Zbarsky +Date: Thu, 19 Mar 2015 18:58:44 -0400 +Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a + URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that + doesn't have the same scheme. r=bholley, a=abillings + +--- + caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp +index 3587358..6577b95 100644 +--- a/caps/src/nsScriptSecurityManager.cpp ++++ b/caps/src/nsScriptSecurityManager.cpp +@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, + NS_ENSURE_SUCCESS(rv, rv); + if (hasFlags) { + if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) { ++ ++ // For now, don't change behavior for resource:// or moz-icon:// and ++ // just allow them. + if (!targetScheme.EqualsLiteral("chrome")) { +- // for now don't change behavior for resource: or moz-icon: + return NS_OK; + } + +- // allow load only if chrome package is whitelisted ++ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE ++ // target if ALLOW_CHROME is set. ++ // ++ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell ++ // loads (since docshell loads run the loaded content with its origin ++ // principal). So we're effectively allowing resource://, chrome://, ++ // and moz-icon:// source URIs to load resource://, chrome://, and ++ // moz-icon:// files, so long as they're not loading it as a document. ++ bool sourceIsUIResource; ++ rv = NS_URIChainHasFlags(sourceBaseURI, ++ nsIProtocolHandler::URI_IS_UI_RESOURCE, ++ &sourceIsUIResource); ++ NS_ENSURE_SUCCESS(rv, rv); ++ if (sourceIsUIResource) { ++ return NS_OK; ++ } ++ ++ // Allow the load only if the chrome package is whitelisted. + nsCOMPtr reg(do_GetService( + NS_CHROMEREGISTRY_CONTRACTID)); + if (reg) { +@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, + } + } + +- // resource: and chrome: are equivalent, securitywise +- // That's bogus!! Fix this. But watch out for +- // the view-source stylesheet? +- bool sourceIsChrome; +- rv = NS_URIChainHasFlags(sourceBaseURI, +- nsIProtocolHandler::URI_IS_UI_RESOURCE, +- &sourceIsChrome); +- NS_ENSURE_SUCCESS(rv, rv); +- if (sourceIsChrome) { ++ // Special-case the hidden window: it's allowed to load ++ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this. ++ nsAutoCString sourceSpec; ++ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) && ++ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) { + return NS_OK; + } ++ + if (reportErrors) { + ReportError(nullptr, errorTag, sourceURI, aTargetURI); + } +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-bug-1145870.patch b/gnu/packages/patches/icecat-bug-1145870.patch new file mode 100644 index 0000000000..34a018c697 --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1145870.patch @@ -0,0 +1,43 @@ +From a40e2ebc2ab57dacb539d4e49ed4193764ff7112 Mon Sep 17 00:00:00 2001 +From: Kyle Huey +Date: Fri, 20 Mar 2015 19:05:56 -0700 +Subject: [PATCH] Bug 1145870. r=bz a=lmandel + +--- + docshell/base/nsDocShell.cpp | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp +index 14ff3f2..4cddcef 100644 +--- a/docshell/base/nsDocShell.cpp ++++ b/docshell/base/nsDocShell.cpp +@@ -8900,6 +8900,8 @@ nsDocShell::InternalLoad(nsIURI * aURI, + + NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE); + ++ NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED); ++ + // wyciwyg urls can only be loaded through history. Any normal load of + // wyciwyg through docshell is illegal. Disallow such loads. + if (aLoadType & LOAD_CMD_NORMAL) { +@@ -12570,7 +12572,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent, + { + NS_ASSERTION(NS_IsMainThread(), "wrong thread"); + +- if (!IsOKToLoadURI(aURI)) { ++ if (!IsOKToLoadURI(aURI) || mBlockNavigation) { + return NS_OK; + } + +@@ -12626,7 +12628,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent, + *aRequest = nullptr; + } + +- if (!IsOKToLoadURI(aURI)) { ++ if (!IsOKToLoadURI(aURI) || mBlockNavigation) { + return NS_OK; + } + +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-bug-1146339.patch b/gnu/packages/patches/icecat-bug-1146339.patch new file mode 100644 index 0000000000..9d858523b9 --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1146339.patch @@ -0,0 +1,162 @@ +From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001 +From: Olli Pettay +Date: Mon, 23 Mar 2015 22:23:53 -0400 +Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching + popstate/hashchange. r=bz, a=lmandel + +--- + docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++----------------------- + docshell/base/nsDocShell.h | 1 - + 2 files changed, 30 insertions(+), 35 deletions(-) + +diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp +index bdf88a5cf..efb6a6e 100644 +--- a/docshell/base/nsDocShell.cpp ++++ b/docshell/base/nsDocShell.cpp +@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI, + + // Note: we allow loads to get through here even if mFiredUnloadEvent is + // true; that case will get handled in LoadInternal or LoadHistoryEntry. +- if (IsPrintingOrPP() || mBlockNavigation) { ++ if (IsPrintingOrPP()) { + return NS_OK; // JS may not handle returning of an error code + } + +@@ -4206,7 +4206,8 @@ bool + nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog) + { + bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && +- !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) { ++ !mFiredUnloadEvent; ++ if (!isAllowed) { + return false; + } + if (!mContentViewer) { +@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, + + NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE); + +- NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED); +- + // wyciwyg urls can only be loaded through history. Any normal load of + // wyciwyg through docshell is illegal. Disallow such loads. + if (aLoadType & LOAD_CMD_NORMAL) { +@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, + GetCurScrollPos(ScrollOrientation_X, &cx); + GetCurScrollPos(ScrollOrientation_Y, &cy); + +- { +- AutoRestore scrollingToAnchor(mBlockNavigation); +- mBlockNavigation = true; +- +- // ScrollToAnchor doesn't necessarily cause us to scroll the window; +- // the function decides whether a scroll is appropriate based on the +- // arguments it receives. But even if we don't end up scrolling, +- // ScrollToAnchor performs other important tasks, such as informing +- // the presShell that we have a new hash. See bug 680257. +- rv = ScrollToAnchor(curHash, newHash, aLoadType); +- NS_ENSURE_SUCCESS(rv, rv); +- } +- + // Reset mLoadType to its original value once we exit this block, + // because this short-circuited load might have started after a + // normal, network load, and we don't want to clobber its load type. +@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, + mOSHE->SetCacheKey(cacheKey); + } + +- /* restore previous position of scroller(s), if we're moving +- * back in history (bug 59774) +- */ +- if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL)) +- { +- nscoord bx, by; +- mOSHE->GetScrollPosition(&bx, &by); +- SetCurScrollPosEx(bx, by); +- } +- + /* Restore the original LSHE if we were loading something + * while short-circuited load was initiated. + */ +@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI, + + SetDocCurrentStateObj(mOSHE); + ++ // Inform the favicon service that the favicon for oldURI also ++ // applies to aURI. ++ CopyFavicon(currentURI, aURI, mInPrivateBrowsing); ++ ++ nsRefPtr win = mScriptGlobal ? ++ mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr; ++ ++ // ScrollToAnchor doesn't necessarily cause us to scroll the window; ++ // the function decides whether a scroll is appropriate based on the ++ // arguments it receives. But even if we don't end up scrolling, ++ // ScrollToAnchor performs other important tasks, such as informing ++ // the presShell that we have a new hash. See bug 680257. ++ rv = ScrollToAnchor(curHash, newHash, aLoadType); ++ NS_ENSURE_SUCCESS(rv, rv); ++ ++ /* restore previous position of scroller(s), if we're moving ++ * back in history (bug 59774) ++ */ ++ if (mOSHE && (aLoadType == LOAD_HISTORY || ++ aLoadType == LOAD_RELOAD_NORMAL)) { ++ nscoord bx, by; ++ mOSHE->GetScrollPosition(&bx, &by); ++ SetCurScrollPosEx(bx, by); ++ } ++ + // Dispatch the popstate and hashchange events, as appropriate. + // + // The event dispatch below can cause us to re-enter script and + // destroy the docshell, nulling out mScriptGlobal. Hold a stack + // reference to avoid null derefs. See bug 914521. +- nsRefPtr win = mScriptGlobal; + if (win) { + // Fire a hashchange event URIs differ, and only in their hashes. + bool doHashchange = sameExceptHashes && !curHash.Equals(newHash); +@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, + } + } + +- // Inform the favicon service that the favicon for oldURI also +- // applies to aURI. +- CopyFavicon(currentURI, aURI, mInPrivateBrowsing); +- + return NS_OK; + } + } +@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent, + { + NS_ASSERTION(NS_IsMainThread(), "wrong thread"); + +- if (!IsOKToLoadURI(aURI) || mBlockNavigation) { ++ if (!IsOKToLoadURI(aURI)) { + return NS_OK; + } + +@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent, + *aRequest = nullptr; + } + +- if (!IsOKToLoadURI(aURI) || mBlockNavigation) { ++ if (!IsOKToLoadURI(aURI)) { + return NS_OK; + } + +diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h +index be353ee..c191777 100644 +--- a/docshell/base/nsDocShell.h ++++ b/docshell/base/nsDocShell.h +@@ -835,7 +835,6 @@ protected: + bool mInPrivateBrowsing; + bool mUseRemoteTabs; + bool mDeviceSizeIsPageSize; +- bool mBlockNavigation; + + // Because scriptability depends on the mAllowJavascript values of our + // ancestors, we cache the effective scriptability and recompute it when +-- +2.2.1 +