diff --git a/gnu-system.am b/gnu-system.am
index b760fa0d31..c2a6e2be7d 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -438,9 +438,13 @@ dist_patch_DATA = \
 gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
 gnu/packages/patches/hop-bigloo-4.0b.patch \
 gnu/packages/patches/icecat-bug-1127780.patch \
- gnu/packages/patches/icecat-bug-1144991.patch \
 gnu/packages/patches/icecat-bug-1145870.patch \
- gnu/packages/patches/icecat-bug-1146339.patch \
+ gnu/packages/patches/icecat-CVE-2015-0801.patch \
+ gnu/packages/patches/icecat-CVE-2015-0807.patch \
+ gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch \
+ gnu/packages/patches/icecat-CVE-2015-0816.patch \
 gnu/packages/patches/icecat-CVE-2015-0817.patch \
 gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch \
 gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 1e9deb8bff..f4a68fb186 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -225,13 +225,17 @@ standards.")
 (sha256
 (base32
 "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
- (patches (map search-patch '("icecat-bug-1127780.patch"
+ (patches (map search-patch '("icecat-CVE-2015-0815-pt1.patch"
+ "icecat-CVE-2015-0815-pt2.patch"
+ "icecat-bug-1127780.patch"
+ "icecat-CVE-2015-0807.patch"
+ "icecat-CVE-2015-0815-pt3.patch"
 "icecat-CVE-2015-0817.patch"
- "icecat-bug-1144991.patch"
+ "icecat-CVE-2015-0816.patch"
 "icecat-CVE-2015-0818-pt1.patch"
 "icecat-bug-1145870.patch"
 "icecat-CVE-2015-0818-pt2.patch"
- "icecat-bug-1146339.patch")))))
+ "icecat-CVE-2015-0801.patch")))))
 (build-system gnu-build-system)
 (inputs
 `(("alsa-lib" ,alsa-lib)
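Review bot: The rewritten patch list in gnuzilla.scm is in no discernible order — `icecat-CVE-2015-0815-pt1`/`pt2` open the list, `icecat-bug-1127780` and `icecat-CVE-2015-0807` sit between them and `pt3`, and `icecat-CVE-2015-0801` closes it — which makes it hard to audit at a glance which CVEs the package carries. The gnu-system.am hunk in the same commit lists the same files in sorted order, so sorting this list the same way would keep the two in step and make future CVE additions a one-line diff. Application order only matters when patches touch the same files, and from the patch bodies added in this commit the pt1/pt2/pt3 series touch different files, so reordering looks safe, but confirm against the patches not shown here.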
diff --git a/gnu/packages/patches/icecat-bug-1146339.patch b/gnu/packages/patches/icecat-CVE-2015-0801.patch
similarity index 100%
rename from gnu/packages/patches/icecat-bug-1146339.patch
rename to gnu/packages/patches/icecat-CVE-2015-0801.patch
diff --git a/gnu/packages/patches/icecat-CVE-2015-0807.patch b/gnu/packages/patches/icecat-CVE-2015-0807.patch
new file mode 100644
index 0000000000..833bc36d6b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0807.patch
@@ -0,0 +1,30 @@
+From 1b97832a8ae9983e4f15befe142f5ea0626707f1 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer
+Date: Thu, 19 Feb 2015 13:43:40 -0800
+Subject: [PATCH] Bug 1111834 - CORS request after preflight should not follow
+ 30x redirect. r=sicking, a=lmandel
+
+---
+ dom/base/Navigator.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 020e370..727b7cb7 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1278,6 +1278,12 @@ Navigator::SendBeacon(const nsAString& aUrl,
+ !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) &&
+ !contentType.Equals(MULTIPART_FORM_DATA) &&
+ !contentType.Equals(TEXT_PLAIN)) {
++
++ // we need to set the sameOriginChecker as a notificationCallback
++ // so we can tell the channel not to follow redirects
++ nsCOMPtr soc = nsContentUtils::GetSameOriginChecker();
++ channel->SetNotificationCallbacks(soc);
++
+ nsCOMPtr preflightChannel;
+ nsTArray unsafeHeaders;
+ unsafeHeaders.AppendElement(NS_LITERAL_CSTRING("Content-Type"));
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
new file mode 100644
index 0000000000..1dd5e20c67
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
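Review bot: The added line `nsCOMPtr soc = nsContentUtils::GetSameOriginChecker();` and the context lines `nsCOMPtr preflightChannel;` / `nsTArray unsafeHeaders;` carry no template arguments, which is almost certainly a rendering artifact (angle brackets stripped) rather than the stored patch, but it is worth diffing the committed file against upstream commit 1b97832a8ae9983e4f15befe142f5ea0626707f1 before it ships, since a patch that lost its `<...>` would neither apply cleanly nor compile. The `nsresult` from `channel->SetNotificationCallbacks(soc)` is discarded; if that call can fail, the preflighted request would proceed without the redirect guard the patch exists to install, so either check it or add a comment stating why the return value can be ignored here. SetNotificationCallbacks presumably replaces whatever callbacks `channel` already carried — confirm nothing set earlier in SendBeacon is needed after this point. The enclosing `if` and the rest of SendBeacon continue outside the hunk.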
@@ -0,0 +1,63 @@
+From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
+From: Steve Fink
+Date: Mon, 12 Jan 2015 14:19:27 -0800
+Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
+ JS_iterateCompartments. r=terrence, a=abillings
+
+---
+ js/src/gc/Zone.h | 11 ++++++-----
+ js/src/jsapi.h | 5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
+index cbbde6b..612defe 100644
+--- a/js/src/gc/Zone.h
++++ b/js/src/gc/Zone.h
+@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
+ // This is for the benefit of CompartmentsIterT::comp.
+ friend class mozilla::Maybe;
+ private:
+- JSCompartment **it, **end;
++ JS::Zone *zone;
++ JSCompartment **it;
+
+ CompartmentsInZoneIter()
+- : it(nullptr), end(nullptr)
++ : zone(nullptr), it(nullptr)
+ {}
+
+ public:
+- explicit CompartmentsInZoneIter(JS::Zone *zone) {
++ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
+ it = zone->compartments.begin();
+- end = zone->compartments.end();
+ }
+
+ bool done() const {
+ JS_ASSERT(it);
+- return it == end;
++ return it < zone->compartments.begin() ||
++ it >= zone->compartments.end();
+ }
+ void next() {
+ JS_ASSERT(!done());
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+index 5ae1f86..40fdb37 100644
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
+ typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
+
+ /*
+- * This function calls |compartmentCallback| on every compartment. Beware that
++ * This function calls |compartmentCallback| on every compartment. Beware that
+ * there is no guarantee that the compartment will survive after the callback
+- * returns.
++ * returns. Also, if the callback can GC, there is no guarantee that every
++ * compartment will be visited.
+ */
+ extern JS_PUBLIC_API(void)
+ JS_IterateCompartments(JSRuntime *rt, void *data,
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
new file mode 100644
index 0000000000..0a0cbed177
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
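Review bot: `done()` now dereferences `zone` unconditionally, while the default constructor kept for `mozilla::Maybe` leaves `zone` null; a default-constructed iterator previously reported `done()` as `nullptr == nullptr`, and now reaches `zone->compartments` once `JS_ASSERT(it)` is compiled out in non-debug builds. If any caller can query a default-constructed iterator this is a null dereference; otherwise the new invariant deserves a comment on the member, e.g. `// zone is non-null whenever it is; the default ctor exists only for mozilla::Maybe.` The range test also needs a why-comment, since `it == end` is the idiom a reader expects: `// Compartments may be removed while iterating (see JS_IterateCompartments), so a saved end pointer could go stale; bounds-check against the live vector instead.` Comparing `it` with the current `begin()`/`end()` after a reallocation compares pointers into different allocations, which C++ leaves unspecified — presumably intended as a best-effort guard, and the jsapi.h comment further down already documents that compartments may be skipped. CompartmentsInZoneIter continues outside the hunk.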
@@ -0,0 +1,89 @@
+From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001
+From: Nathan Froyd
+Date: Fri, 6 Feb 2015 16:19:36 -0500
+Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in
+ nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings
+
+---
+ xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++---------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp
+index bd586c9..b95846f 100644
+--- a/xpcom/threads/TimerThread.cpp
++++ b/xpcom/threads/TimerThread.cpp
+@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run()
+ RemoveTimerInternal(timer);
+ timer = nullptr;
+
++#ifdef DEBUG_TIMERS
++ if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
++ PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
++ ("Timer thread woke up %fms from when it was supposed to\n",
++ fabs((now - timerRef->mTimeout).ToMilliseconds())));
++ }
++#endif
++
+ {
+ // We release mMonitor around the Fire call to avoid deadlock.
+ MonitorAutoUnlock unlock(mMonitor);
+
+-#ifdef DEBUG_TIMERS
+- if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
+- PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
+- ("Timer thread woke up %fms from when it was supposed to\n",
+- fabs((now - timerRef->mTimeout).ToMilliseconds())));
+- }
+-#endif
+
+ // We are going to let the call to PostTimerEvent here handle the
+ // release of the timer so that we don't end up releasing the timer
+ // on the TimerThread instead of on the thread it targets.
+ timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());
++ }
+
+- if (timerRef) {
+- // We got our reference back due to an error.
+- // Unhook the nsRefPtr, and release manually so we can get the
+- // refcount.
+- nsrefcnt rc = timerRef.forget().take()->Release();
+- (void)rc;
+-
+- // The nsITimer interface requires that its users keep a reference
+- // to the timers they use while those timers are initialized but
+- // have not yet fired. If this ever happens, it is a bug in the
+- // code that created and used the timer.
+- //
+- // Further, note that this should never happen even with a
+- // misbehaving user, because nsTimerImpl::Release checks for a
+- // refcount of 1 with an armed timer (a timer whose only reference
+- // is from the timer thread) and when it hits this will remove the
+- // timer from the timer thread and thus destroy the last reference,
+- // preventing this situation from occurring.
+- MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+- }
++ if (timerRef) {
++ // We got our reference back due to an error.
++ // Unhook the nsRefPtr, and release manually so we can get the
++ // refcount.
++ nsrefcnt rc = timerRef.forget().take()->Release();
++ (void)rc;
++
++ // The nsITimer interface requires that its users keep a reference
++ // to the timers they use while those timers are initialized but
++ // have not yet fired. If this ever happens, it is a bug in the
++ // code that created and used the timer.
++ //
++ // Further, note that this should never happen even with a
++ // misbehaving user, because nsTimerImpl::Release checks for a
++ // refcount of 1 with an armed timer (a timer whose only reference
++ // is from the timer thread) and when it hits this will remove the
++ // timer from the timer thread and thus destroy the last reference,
++ // preventing this situation from occurring.
++ MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+ }
+
+ if (mShutdown)
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
new file mode 100644
index 0000000000..5ac053df78
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
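Review bot: With the unlock scope now closed by the added `}` directly after `timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());`, the re-added `if (timerRef)` error path — including `timerRef.forget().take()->Release()` — executes with mMonitor re-acquired, whereas before it ran inside the unlocked region. The comment retained in that block says `nsTimerImpl::Release` can remove an armed timer from the timer thread; if that removal path takes mMonitor and the monitor is not reentrant, this would self-deadlock on the error path, so it is worth confirming and recording the reasoning in a comment above the `if`, along the lines of `// Release() runs with mMonitor held: <why this cannot re-enter the monitor>` (placeholder to be filled in). Moving the `DEBUG_TIMERS` log above the unlock so `timerRef->mTimeout` is read before the reference is handed off is the fix itself and needs no further change. Minor: the blank line kept after `MonitorAutoUnlock unlock(mMonitor);` plus the blank left where the `#ifdef` block was removed give two consecutive empty lines. TimerThread::Run continues outside the hunk.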
@@ -0,0 +1,37 @@
+From e7fc74f6a281c12a4a406f2dd20ff2c27a61484d Mon Sep 17 00:00:00 2001
+From: Brian Hackett
+Date: Sun, 8 Mar 2015 22:10:01 -0400
+Subject: [PATCH] Bug 1138199. r=billm, a=lmandel
+
+---
+ js/src/ds/LifoAlloc.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h
+index 7617cf5..b112353 100644
+--- a/js/src/ds/LifoAlloc.h
++++ b/js/src/ds/LifoAlloc.h
+@@ -193,14 +193,14 @@ class LifoAlloc
+
+ // Append used chunks to the end of this LifoAlloc. We act as if all the
+ // chunks in |this| are used, even if they're not, so memory may be wasted.
+- void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) {
+- JS_ASSERT(start && latest && end);
++ void appendUsed(BumpChunk *otherFirst, BumpChunk *otherLatest, BumpChunk *otherLast) {
++ JS_ASSERT(otherFirst && otherLatest && otherLast);
+ if (last)
+- last->setNext(start);
++ last->setNext(otherFirst);
+ else
+- first = latest = start;
+- last = end;
+- this->latest = latest;
++ first = otherFirst;
++ latest = otherLatest;
++ last = otherLast;
+ }
+
+ void incrementCurSize(size_t size) {
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1144991.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch
similarity index 100%
rename from gnu/packages/patches/icecat-bug-1144991.patch
rename to gnu/packages/patches/icecat-CVE-2015-0816.patch
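Review bot: The corrected body depends on the reader noticing that `latest = otherLatest;` and `last = otherLast;` sit outside the brace-less `if (last) ... else ...`; given that the defect being removed appears to be exactly a readability trap — the parameter `latest` shadowing the member, so `first = latest = start; this->latest = latest;` stored `start` into the member in the else branch — braces around both branches would make the new intent unmissable, e.g. `} else { first = otherFirst; }`. A short comment on the renamed parameters would preserve the lesson: `// Parameters are named other* so they cannot shadow the first/latest/last members.` The assertion still only checks the three pointers for non-null, not that `otherLast` is reachable from `otherFirst`; that is pre-existing and covered only by the method comment, so not a regression of this change. LifoAlloc continues outside the hunk.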