gnu: icecat: Apply fixes for CVE-2015-{0801,0807,0815,0816}.

Actually, CVE-2015-0801 and CVE-2015-0816 were already patched in
4c153a9125, but the corresponding CVEs
were not yet announced.

* gnu/packages/patches/icecat-bug-1146339.patch: Rename to ...
* gnu/packages/patches/icecat-CVE-2015-0801.patch: ... this.
* gnu/packages/patches/icecat-bug-1144991.patch: Rename to ...
* gnu/packages/patches/icecat-CVE-2015-0816.patch: ... this.
* gnu/packages/patches/icecat-CVE-2015-0807.patch,
  gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them, and adapt to renamed files.
* gnu/packages/gnuzilla.scm (icecat): Add patches, and adapt to renamed files.

gnu-system.am

@@ -438,9 +438,13 @@ dist_patch_DATA =						\
   gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
   gnu/packages/patches/hop-bigloo-4.0b.patch			\
   gnu/packages/patches/icecat-bug-1127780.patch			\
-  gnu/packages/patches/icecat-bug-1144991.patch			\
   gnu/packages/patches/icecat-bug-1145870.patch			\
-  gnu/packages/patches/icecat-bug-1146339.patch			\
+  gnu/packages/patches/icecat-CVE-2015-0801.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0807.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch		\
+  gnu/packages/patches/icecat-CVE-2015-0816.patch		\
   gnu/packages/patches/icecat-CVE-2015-0817.patch		\
   gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch		\
   gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch		\

gnu/packages/gnuzilla.scm

@@ -225,13 +225,17 @@ standards.")
       (sha256
        (base32
         "1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
-      (patches (map search-patch '("icecat-bug-1127780.patch"
+      (patches (map search-patch '("icecat-CVE-2015-0815-pt1.patch"
+                                   "icecat-CVE-2015-0815-pt2.patch"
+                                   "icecat-bug-1127780.patch"
+                                   "icecat-CVE-2015-0807.patch"
+                                   "icecat-CVE-2015-0815-pt3.patch"
                                    "icecat-CVE-2015-0817.patch"
-                                   "icecat-bug-1144991.patch"
+                                   "icecat-CVE-2015-0816.patch"
                                    "icecat-CVE-2015-0818-pt1.patch"
                                    "icecat-bug-1145870.patch"
                                    "icecat-CVE-2015-0818-pt2.patch"
-                                   "icecat-bug-1146339.patch")))))
+                                   "icecat-CVE-2015-0801.patch")))))
     (build-system gnu-build-system)
     (inputs
      `(("alsa-lib" ,alsa-lib)

gnu/packages/patches/icecat-CVE-2015-0807.patch

@@ -0,0 +1,30 @@
+From 1b97832a8ae9983e4f15befe142f5ea0626707f1 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
+Date: Thu, 19 Feb 2015 13:43:40 -0800
+Subject: [PATCH] Bug 1111834 - CORS request after preflight should not follow
+ 30x redirect. r=sicking, a=lmandel
+
+---
+ dom/base/Navigator.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 020e370..727b7cb7 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1278,6 +1278,12 @@ Navigator::SendBeacon(const nsAString& aUrl,
+       !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) &&
+       !contentType.Equals(MULTIPART_FORM_DATA) &&
+       !contentType.Equals(TEXT_PLAIN)) {
++
++    // we need to set the sameOriginChecker as a notificationCallback
++    // so we can tell the channel not to follow redirects
++    nsCOMPtr<nsIInterfaceRequestor> soc = nsContentUtils::GetSameOriginChecker();
++    channel->SetNotificationCallbacks(soc);
++
+     nsCOMPtr<nsIChannel> preflightChannel;
+     nsTArray<nsCString> unsafeHeaders;
+     unsafeHeaders.AppendElement(NS_LITERAL_CSTRING("Content-Type"));
+-- 
+2.2.1
+

gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch

@@ -0,0 +1,63 @@
+From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
+From: Steve Fink <sfink@mozilla.com>
+Date: Mon, 12 Jan 2015 14:19:27 -0800
+Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
+ JS_iterateCompartments. r=terrence, a=abillings
+
+---
+ js/src/gc/Zone.h | 11 ++++++-----
+ js/src/jsapi.h   |  5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
+index cbbde6b..612defe 100644
+--- a/js/src/gc/Zone.h
++++ b/js/src/gc/Zone.h
+@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
+     // This is for the benefit of CompartmentsIterT::comp.
+     friend class mozilla::Maybe<CompartmentsInZoneIter>;
+   private:
+-    JSCompartment **it, **end;
++    JS::Zone *zone;
++    JSCompartment **it;
+ 
+     CompartmentsInZoneIter()
+-      : it(nullptr), end(nullptr)
++      : zone(nullptr), it(nullptr)
+     {}
+ 
+   public:
+-    explicit CompartmentsInZoneIter(JS::Zone *zone) {
++    explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
+         it = zone->compartments.begin();
+-        end = zone->compartments.end();
+     }
+ 
+     bool done() const {
+         JS_ASSERT(it);
+-        return it == end;
++        return it < zone->compartments.begin() ||
++               it >= zone->compartments.end();
+     }
+     void next() {
+         JS_ASSERT(!done());
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+index 5ae1f86..40fdb37 100644
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
+ typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
+ 
+ /*
+- * This function calls |compartmentCallback| on every compartment.  Beware that
++ * This function calls |compartmentCallback| on every compartment. Beware that
+  * there is no guarantee that the compartment will survive after the callback
+- * returns.
++ * returns. Also, if the callback can GC, there is no guarantee that every
++ * compartment will be visited.
+  */
+ extern JS_PUBLIC_API(void)
+ JS_IterateCompartments(JSRuntime *rt, void *data,
+-- 
+2.2.1
+

gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch

@@ -0,0 +1,89 @@
+From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001
+From: Nathan Froyd <froydnj@mozilla.com>
+Date: Fri, 6 Feb 2015 16:19:36 -0500
+Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in
+ nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings
+
+---
+ xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++---------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp
+index bd586c9..b95846f 100644
+--- a/xpcom/threads/TimerThread.cpp
++++ b/xpcom/threads/TimerThread.cpp
+@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run()
+           RemoveTimerInternal(timer);
+           timer = nullptr;
+ 
++#ifdef DEBUG_TIMERS
++          if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
++            PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
++                   ("Timer thread woke up %fms from when it was supposed to\n",
++                    fabs((now - timerRef->mTimeout).ToMilliseconds())));
++          }
++#endif
++
+           {
+             // We release mMonitor around the Fire call to avoid deadlock.
+             MonitorAutoUnlock unlock(mMonitor);
+ 
+-#ifdef DEBUG_TIMERS
+-            if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
+-              PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
+-                     ("Timer thread woke up %fms from when it was supposed to\n",
+-                      fabs((now - timerRef->mTimeout).ToMilliseconds())));
+-            }
+-#endif
+ 
+             // We are going to let the call to PostTimerEvent here handle the
+             // release of the timer so that we don't end up releasing the timer
+             // on the TimerThread instead of on the thread it targets.
+             timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());
++          }
+ 
+-            if (timerRef) {
+-              // We got our reference back due to an error.
+-              // Unhook the nsRefPtr, and release manually so we can get the
+-              // refcount.
+-              nsrefcnt rc = timerRef.forget().take()->Release();
+-              (void)rc;
+-
+-              // The nsITimer interface requires that its users keep a reference
+-              // to the timers they use while those timers are initialized but
+-              // have not yet fired.  If this ever happens, it is a bug in the
+-              // code that created and used the timer.
+-              //
+-              // Further, note that this should never happen even with a
+-              // misbehaving user, because nsTimerImpl::Release checks for a
+-              // refcount of 1 with an armed timer (a timer whose only reference
+-              // is from the timer thread) and when it hits this will remove the
+-              // timer from the timer thread and thus destroy the last reference,
+-              // preventing this situation from occurring.
+-              MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+-            }
++          if (timerRef) {
++            // We got our reference back due to an error.
++            // Unhook the nsRefPtr, and release manually so we can get the
++            // refcount.
++            nsrefcnt rc = timerRef.forget().take()->Release();
++            (void)rc;
++
++            // The nsITimer interface requires that its users keep a reference
++            // to the timers they use while those timers are initialized but
++            // have not yet fired.  If this ever happens, it is a bug in the
++            // code that created and used the timer.
++            //
++            // Further, note that this should never happen even with a
++            // misbehaving user, because nsTimerImpl::Release checks for a
++            // refcount of 1 with an armed timer (a timer whose only reference
++            // is from the timer thread) and when it hits this will remove the
++            // timer from the timer thread and thus destroy the last reference,
++            // preventing this situation from occurring.
++            MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+           }
+ 
+           if (mShutdown)
+-- 
+2.2.1
+

gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch

@@ -0,0 +1,37 @@
+From e7fc74f6a281c12a4a406f2dd20ff2c27a61484d Mon Sep 17 00:00:00 2001
+From: Brian Hackett <bhackett1024@gmail.com>
+Date: Sun, 8 Mar 2015 22:10:01 -0400
+Subject: [PATCH] Bug 1138199. r=billm, a=lmandel
+
+---
+ js/src/ds/LifoAlloc.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h
+index 7617cf5..b112353 100644
+--- a/js/src/ds/LifoAlloc.h
++++ b/js/src/ds/LifoAlloc.h
+@@ -193,14 +193,14 @@ class LifoAlloc
+ 
+     // Append used chunks to the end of this LifoAlloc. We act as if all the
+     // chunks in |this| are used, even if they're not, so memory may be wasted.
+-    void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) {
+-        JS_ASSERT(start && latest &&  end);
++    void appendUsed(BumpChunk *otherFirst, BumpChunk *otherLatest, BumpChunk *otherLast) {
++        JS_ASSERT(otherFirst && otherLatest && otherLast);
+         if (last)
+-            last->setNext(start);
++            last->setNext(otherFirst);
+         else
+-            first = latest = start;
+-        last = end;
+-        this->latest = latest;
++            first = otherFirst;
++        latest = otherLatest;
++        last = otherLast;
+     }
+ 
+     void incrementCurSize(size_t size) {
+-- 
+2.2.1
+