summaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-04-02 01:02:12 -0400
committerMark H Weaver <mhw@netris.org>2015-04-02 01:42:46 -0400
commitb7178dc45d21081ef38795ee2179404a02ac0b2e (patch)
tree1cac5ef096b76f1837d27ee24f57785d8b768a6d /gnu
parent5fd5e83da60626650c2c3136a4913b0401a446e9 (diff)
gnu: icecat: Apply fixes for CVE-2015-{0801,0807,0815,0816}.
Actually, CVE-2015-0801 and CVE-2015-0816 were already patched in 4c153a9125fa0913077b06b5ed537958ae4ca163, but the corresponding CVEs were not yet announced. * gnu/packages/patches/icecat-bug-1146339.patch: Rename to ... * gnu/packages/patches/icecat-CVE-2015-0801.patch: ... this. * gnu/packages/patches/icecat-bug-1144991.patch: Rename to ... * gnu/packages/patches/icecat-CVE-2015-0816.patch: ... this. * gnu/packages/patches/icecat-CVE-2015-0807.patch, gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch, gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch, gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch: New files. * gnu-system.am (dist_patch_DATA): Add them, and adapt to renamed files. * gnu/packages/gnuzilla.scm (icecat): Add patches, and adapt to renamed files.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/gnuzilla.scm10
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0801.patch (renamed from gnu/packages/patches/icecat-bug-1146339.patch)0
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0807.patch30
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch63
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch89
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch37
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0816.patch (renamed from gnu/packages/patches/icecat-bug-1144991.patch)0
7 files changed, 226 insertions, 3 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 1e9deb8bff..f4a68fb186 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -225,13 +225,17 @@ standards.")
(sha256
(base32
"1rr4axghaypdkrf60i1qp6dz4cd29ya02fs3vyffvp4x9kgcq2dd"))
- (patches (map search-patch '("icecat-bug-1127780.patch"
+ (patches (map search-patch '("icecat-CVE-2015-0815-pt1.patch"
+ "icecat-CVE-2015-0815-pt2.patch"
+ "icecat-bug-1127780.patch"
+ "icecat-CVE-2015-0807.patch"
+ "icecat-CVE-2015-0815-pt3.patch"
"icecat-CVE-2015-0817.patch"
- "icecat-bug-1144991.patch"
+ "icecat-CVE-2015-0816.patch"
"icecat-CVE-2015-0818-pt1.patch"
"icecat-bug-1145870.patch"
"icecat-CVE-2015-0818-pt2.patch"
- "icecat-bug-1146339.patch")))))
+ "icecat-CVE-2015-0801.patch")))))
(build-system gnu-build-system)
(inputs
`(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-bug-1146339.patch b/gnu/packages/patches/icecat-CVE-2015-0801.patch
index 9d858523b9..9d858523b9 100644
--- a/gnu/packages/patches/icecat-bug-1146339.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-0801.patch
diff --git a/gnu/packages/patches/icecat-CVE-2015-0807.patch b/gnu/packages/patches/icecat-CVE-2015-0807.patch
new file mode 100644
index 0000000000..833bc36d6b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0807.patch
@@ -0,0 +1,30 @@
+From 1b97832a8ae9983e4f15befe142f5ea0626707f1 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
+Date: Thu, 19 Feb 2015 13:43:40 -0800
+Subject: [PATCH] Bug 1111834 - CORS request after preflight should not follow
+ 30x redirect. r=sicking, a=lmandel
+
+---
+ dom/base/Navigator.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 020e370..727b7cb7 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1278,6 +1278,12 @@ Navigator::SendBeacon(const nsAString& aUrl,
+ !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) &&
+ !contentType.Equals(MULTIPART_FORM_DATA) &&
+ !contentType.Equals(TEXT_PLAIN)) {
++
++ // we need to set the sameOriginChecker as a notificationCallback
++ // so we can tell the channel not to follow redirects
++ nsCOMPtr<nsIInterfaceRequestor> soc = nsContentUtils::GetSameOriginChecker();
++ channel->SetNotificationCallbacks(soc);
++
+ nsCOMPtr<nsIChannel> preflightChannel;
+ nsTArray<nsCString> unsafeHeaders;
+ unsafeHeaders.AppendElement(NS_LITERAL_CSTRING("Content-Type"));
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
new file mode 100644
index 0000000000..1dd5e20c67
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
@@ -0,0 +1,63 @@
+From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
+From: Steve Fink <sfink@mozilla.com>
+Date: Mon, 12 Jan 2015 14:19:27 -0800
+Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
+ JS_iterateCompartments. r=terrence, a=abillings
+
+---
+ js/src/gc/Zone.h | 11 ++++++-----
+ js/src/jsapi.h | 5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
+index cbbde6b..612defe 100644
+--- a/js/src/gc/Zone.h
++++ b/js/src/gc/Zone.h
+@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
+ // This is for the benefit of CompartmentsIterT::comp.
+ friend class mozilla::Maybe<CompartmentsInZoneIter>;
+ private:
+- JSCompartment **it, **end;
++ JS::Zone *zone;
++ JSCompartment **it;
+
+ CompartmentsInZoneIter()
+- : it(nullptr), end(nullptr)
++ : zone(nullptr), it(nullptr)
+ {}
+
+ public:
+- explicit CompartmentsInZoneIter(JS::Zone *zone) {
++ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
+ it = zone->compartments.begin();
+- end = zone->compartments.end();
+ }
+
+ bool done() const {
+ JS_ASSERT(it);
+- return it == end;
++ return it < zone->compartments.begin() ||
++ it >= zone->compartments.end();
+ }
+ void next() {
+ JS_ASSERT(!done());
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+index 5ae1f86..40fdb37 100644
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
+ typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
+
+ /*
+- * This function calls |compartmentCallback| on every compartment. Beware that
++ * This function calls |compartmentCallback| on every compartment. Beware that
+ * there is no guarantee that the compartment will survive after the callback
+- * returns.
++ * returns. Also, if the callback can GC, there is no guarantee that every
++ * compartment will be visited.
+ */
+ extern JS_PUBLIC_API(void)
+ JS_IterateCompartments(JSRuntime *rt, void *data,
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
new file mode 100644
index 0000000000..0a0cbed177
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch
@@ -0,0 +1,89 @@
+From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001
+From: Nathan Froyd <froydnj@mozilla.com>
+Date: Fri, 6 Feb 2015 16:19:36 -0500
+Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in
+ nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings
+
+---
+ xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++---------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp
+index bd586c9..b95846f 100644
+--- a/xpcom/threads/TimerThread.cpp
++++ b/xpcom/threads/TimerThread.cpp
+@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run()
+ RemoveTimerInternal(timer);
+ timer = nullptr;
+
++#ifdef DEBUG_TIMERS
++ if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
++ PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
++ ("Timer thread woke up %fms from when it was supposed to\n",
++ fabs((now - timerRef->mTimeout).ToMilliseconds())));
++ }
++#endif
++
+ {
+ // We release mMonitor around the Fire call to avoid deadlock.
+ MonitorAutoUnlock unlock(mMonitor);
+
+-#ifdef DEBUG_TIMERS
+- if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
+- PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
+- ("Timer thread woke up %fms from when it was supposed to\n",
+- fabs((now - timerRef->mTimeout).ToMilliseconds())));
+- }
+-#endif
+
+ // We are going to let the call to PostTimerEvent here handle the
+ // release of the timer so that we don't end up releasing the timer
+ // on the TimerThread instead of on the thread it targets.
+ timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());
++ }
+
+- if (timerRef) {
+- // We got our reference back due to an error.
+- // Unhook the nsRefPtr, and release manually so we can get the
+- // refcount.
+- nsrefcnt rc = timerRef.forget().take()->Release();
+- (void)rc;
+-
+- // The nsITimer interface requires that its users keep a reference
+- // to the timers they use while those timers are initialized but
+- // have not yet fired. If this ever happens, it is a bug in the
+- // code that created and used the timer.
+- //
+- // Further, note that this should never happen even with a
+- // misbehaving user, because nsTimerImpl::Release checks for a
+- // refcount of 1 with an armed timer (a timer whose only reference
+- // is from the timer thread) and when it hits this will remove the
+- // timer from the timer thread and thus destroy the last reference,
+- // preventing this situation from occurring.
+- MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+- }
++ if (timerRef) {
++ // We got our reference back due to an error.
++ // Unhook the nsRefPtr, and release manually so we can get the
++ // refcount.
++ nsrefcnt rc = timerRef.forget().take()->Release();
++ (void)rc;
++
++ // The nsITimer interface requires that its users keep a reference
++ // to the timers they use while those timers are initialized but
++ // have not yet fired. If this ever happens, it is a bug in the
++ // code that created and used the timer.
++ //
++ // Further, note that this should never happen even with a
++ // misbehaving user, because nsTimerImpl::Release checks for a
++ // refcount of 1 with an armed timer (a timer whose only reference
++ // is from the timer thread) and when it hits this will remove the
++ // timer from the timer thread and thus destroy the last reference,
++ // preventing this situation from occurring.
++ MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
+ }
+
+ if (mShutdown)
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
new file mode 100644
index 0000000000..5ac053df78
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch
@@ -0,0 +1,37 @@
+From e7fc74f6a281c12a4a406f2dd20ff2c27a61484d Mon Sep 17 00:00:00 2001
+From: Brian Hackett <bhackett1024@gmail.com>
+Date: Sun, 8 Mar 2015 22:10:01 -0400
+Subject: [PATCH] Bug 1138199. r=billm, a=lmandel
+
+---
+ js/src/ds/LifoAlloc.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h
+index 7617cf5..b112353 100644
+--- a/js/src/ds/LifoAlloc.h
++++ b/js/src/ds/LifoAlloc.h
+@@ -193,14 +193,14 @@ class LifoAlloc
+
+ // Append used chunks to the end of this LifoAlloc. We act as if all the
+ // chunks in |this| are used, even if they're not, so memory may be wasted.
+- void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) {
+- JS_ASSERT(start && latest && end);
++ void appendUsed(BumpChunk *otherFirst, BumpChunk *otherLatest, BumpChunk *otherLast) {
++ JS_ASSERT(otherFirst && otherLatest && otherLast);
+ if (last)
+- last->setNext(start);
++ last->setNext(otherFirst);
+ else
+- first = latest = start;
+- last = end;
+- this->latest = latest;
++ first = otherFirst;
++ latest = otherLatest;
++ last = otherLast;
+ }
+
+ void incrementCurSize(size_t size) {
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-bug-1144991.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch
index 5632e37eb3..5632e37eb3 100644
--- a/gnu/packages/patches/icecat-bug-1144991.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-0816.patch