From 2a666e9cfddc5ec25831618bc376ab4ca6692527 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 16 Jan 2015 03:52:05 -0500 Subject: gnu: icecat: Add fixes for CVE-2014-{8634,8638,8639,8641}. * gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch, gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch, gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch, gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch, gnu/packages/patches/icecat-CVE-2014-8639.patch, gnu/packages/patches/icecat-CVE-2014-8641.patch, gnu/packages/patches/icecat-armhf-xpcom.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. --- gnu-system.am | 7 + gnu/packages/gnuzilla.scm | 11 +- .../patches/icecat-CVE-2014-8634-pt1.patch | 410 +++++++++++++++++++++ .../patches/icecat-CVE-2014-8634-pt2.patch | 30 ++ .../patches/icecat-CVE-2014-8638-pt1.patch | 27 ++ .../patches/icecat-CVE-2014-8638-pt2.patch | 149 ++++++++ gnu/packages/patches/icecat-CVE-2014-8639.patch | 92 +++++ gnu/packages/patches/icecat-CVE-2014-8641.patch | 29 ++ gnu/packages/patches/icecat-armhf-xpcom.patch | 25 ++ 9 files changed, 778 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch create mode 100644 gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch create mode 100644 gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch create mode 100644 gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch create mode 100644 gnu/packages/patches/icecat-CVE-2014-8639.patch create mode 100644 gnu/packages/patches/icecat-CVE-2014-8641.patch create mode 100644 gnu/packages/patches/icecat-armhf-xpcom.patch
diff --git a/gnu-system.am b/gnu-system.am
index 58baec7313..a5f6a8369d 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -387,6 +387,7 @@ dist_patch_DATA = \
 gnu/packages/patches/guix-test-networking.patch \
 gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
 gnu/packages/patches/hop-bigloo-4.0b.patch \
+ gnu/packages/patches/icecat-armhf-xpcom.patch \
 gnu/packages/patches/icecat-CVE-2014-1587-bug-1042567.patch \
 gnu/packages/patches/icecat-CVE-2014-1587-bug-1072847.patch \
 gnu/packages/patches/icecat-CVE-2014-1587-bug-1079729.patch \
@@ -396,6 +397,12 @@ dist_patch_DATA = \
 gnu/packages/patches/icecat-CVE-2014-1592.patch \
 gnu/packages/patches/icecat-CVE-2014-1593.patch \
 gnu/packages/patches/icecat-CVE-2014-1594.patch \
+ gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2014-8639.patch \
+ gnu/packages/patches/icecat-CVE-2014-8641.patch \
 gnu/packages/patches/irrlicht-mesa-10.patch \
 gnu/packages/patches/jbig2dec-ignore-testtest.patch \
 gnu/packages/patches/kmod-module-directory.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 8e397464ac..9c6b39f3d2 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge
 ;;; Copyright © 2013, 2014 Ludovic Courtès
-;;; Copyright © 2014 Mark H Weaver
+;;; Copyright © 2014, 2015 Mark H Weaver
 ;;; Copyright © 2015 Sou Bunnbu
 ;;;
 ;;; This file is part of GNU Guix.
@@ -231,7 +231,14 @@ standards.")
 "icecat-CVE-2014-1590.patch"
 "icecat-CVE-2014-1592.patch"
 "icecat-CVE-2014-1593.patch"
- "icecat-CVE-2014-1594.patch")))))
+ "icecat-CVE-2014-1594.patch"
+ "icecat-armhf-xpcom.patch"
+ "icecat-CVE-2014-8639.patch"
+ "icecat-CVE-2014-8634-pt1.patch"
+ "icecat-CVE-2014-8634-pt2.patch"
+ "icecat-CVE-2014-8641.patch"
+ "icecat-CVE-2014-8638-pt1.patch"
+ "icecat-CVE-2014-8638-pt2.patch")))))
 (build-system gnu-build-system)
 (inputs
 `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
new file mode 100644
index 0000000000..3d2f81e24a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
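Review bot: The seven entries added to the `patches` list in gnuzilla.scm follow neither the sorted order used in gnu-system.am nor CVE-number order (8639 comes before 8634, 8641 before 8638), and nothing says whether that order is significant. If it is the order in which the fixes are meant to be applied, a comment above the new entries such as `;; Applied in list order; keep pt1 before pt2 when editing.` would stop a later tidy-up from reordering them; if it is not, sorting them would match the makefile list. From what is visible on this page the patches touch disjoint files, so this is a readability point rather than a build problem.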
@@ -0,0 +1,410 @@ +From 4f447768a2ff6bf37d462e033c11e20c733129ba Mon Sep 17 00:00:00 2001 +From: Jan de Mooij +Date: Tue, 16 Dec 2014 22:52:51 +0100 +Subject: [PATCH] Bug 1109889 - Share more exception handling code. r=nbp, + a=abillings + +--- + js/src/jit/Ion.cpp | 11 ++++++++++- + js/src/jit/IonMacroAssembler.cpp | 8 ++++---- + js/src/jit/JitCompartment.h | 8 ++++++-- + js/src/jit/arm/MacroAssembler-arm.cpp | 11 ++--------- + js/src/jit/arm/MacroAssembler-arm.h | 6 ++++-- + js/src/jit/arm/Trampoline-arm.cpp | 4 ++-- + js/src/jit/mips/MacroAssembler-mips.cpp | 11 ++--------- + js/src/jit/mips/MacroAssembler-mips.h | 7 +++++-- + js/src/jit/mips/Trampoline-mips.cpp | 4 ++-- + js/src/jit/shared/MacroAssembler-x86-shared.h | 3 +++ + js/src/jit/x64/MacroAssembler-x64.cpp | 11 ++--------- + js/src/jit/x64/MacroAssembler-x64.h | 3 +-- + js/src/jit/x64/Trampoline-x64.cpp | 4 ++-- + js/src/jit/x86/MacroAssembler-x86.cpp | 11 ++--------- + js/src/jit/x86/MacroAssembler-x86.h | 3 +-- + js/src/jit/x86/Trampoline-x86.cpp | 4 ++-- + 16 files changed, 50 insertions(+), 59 deletions(-) + +diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp +index 9635742..a77f9b4 100644 +--- a/js/src/jit/Ion.cpp ++++ b/js/src/jit/Ion.cpp +@@ -150,6 +150,7 @@ JitRuntime::JitRuntime() + : execAlloc_(nullptr), + ionAlloc_(nullptr), + exceptionTail_(nullptr), ++ exceptionTailParallel_(nullptr), + bailoutTail_(nullptr), + enterJIT_(nullptr), + bailoutHandler_(nullptr), +@@ -198,10 +199,18 @@ JitRuntime::initialize(JSContext *cx) + return false; + + IonSpew(IonSpew_Codegen, "# Emitting exception tail stub"); +- exceptionTail_ = generateExceptionTailStub(cx); ++ ++ void *handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException); ++ void *handlerParallel = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure); ++ ++ exceptionTail_ = generateExceptionTailStub(cx, handler); + if (!exceptionTail_) + return false; + ++ exceptionTailParallel_ = generateExceptionTailStub(cx, handlerParallel); ++ if 
(!exceptionTailParallel_) ++ return false; ++ + IonSpew(IonSpew_Codegen, "# Emitting bailout tail stub"); + bailoutTail_ = generateBailoutTailStub(cx); + if (!bailoutTail_) +diff --git a/js/src/jit/IonMacroAssembler.cpp b/js/src/jit/IonMacroAssembler.cpp +index 2326fe1..9f7cc8f 100644 +--- a/js/src/jit/IonMacroAssembler.cpp ++++ b/js/src/jit/IonMacroAssembler.cpp +@@ -1030,18 +1030,18 @@ MacroAssembler::handleFailure(ExecutionMode executionMode) + sps_->skipNextReenter(); + leaveSPSFrame(); + +- void *handler; ++ JitCode *excTail; + switch (executionMode) { + case SequentialExecution: +- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException); ++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail(); + break; + case ParallelExecution: +- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure); ++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTailParallel(); + break; + default: + MOZ_ASSUME_UNREACHABLE("No such execution mode"); + } +- MacroAssemblerSpecific::handleFailureWithHandler(handler); ++ jump(excTail); + + // Doesn't actually emit code, but balances the leave() + if (sps_) +diff --git a/js/src/jit/JitCompartment.h b/js/src/jit/JitCompartment.h +index 486a29d..475a685 100644 +--- a/js/src/jit/JitCompartment.h ++++ b/js/src/jit/JitCompartment.h +@@ -153,8 +153,9 @@ class JitRuntime + // need for explicit interrupt checks. + JSC::ExecutableAllocator *ionAlloc_; + +- // Shared post-exception-handler tail ++ // Shared exception-handler tail. + JitCode *exceptionTail_; ++ JitCode *exceptionTailParallel_; + + // Shared post-bailout-handler tail. 
+ JitCode *bailoutTail_; +@@ -214,7 +215,7 @@ class JitRuntime + InlineList backedgeList_; + + private: +- JitCode *generateExceptionTailStub(JSContext *cx); ++ JitCode *generateExceptionTailStub(JSContext *cx, void *handler); + JitCode *generateBailoutTailStub(JSContext *cx); + JitCode *generateEnterJIT(JSContext *cx, EnterJitType type); + JitCode *generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut); +@@ -287,6 +288,9 @@ class JitRuntime + JitCode *getExceptionTail() const { + return exceptionTail_; + } ++ JitCode *getExceptionTailParallel() const { ++ return exceptionTailParallel_; ++ } + + JitCode *getBailoutTail() const { + return bailoutTail_; +diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp +index b34483c..63b3ff2 100644 +--- a/js/src/jit/arm/MacroAssembler-arm.cpp ++++ b/js/src/jit/arm/MacroAssembler-arm.cpp +@@ -3984,25 +3984,18 @@ MacroAssemblerARMCompat::callWithABI(const Address &fun, MoveOp::Type result) + } + + void +-MacroAssemblerARMCompat::handleFailureWithHandler(void *handler) ++MacroAssemblerARMCompat::handleFailureWithHandlerTail(void *handler) + { + // Reserve space for exception information. + int size = (sizeof(ResumeFromException) + 7) & ~7; + ma_sub(Imm32(size), sp); + ma_mov(sp, r0); + +- // Ask for an exception handler. ++ // Call the handler. 
+ setupUnalignedABICall(1, r1); + passABIArg(r0); + callWithABI(handler); + +- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail(); +- branch(excTail); +-} +- +-void +-MacroAssemblerARMCompat::handleFailureWithHandlerTail() +-{ + Label entryFrame; + Label catch_; + Label finally; +diff --git a/js/src/jit/arm/MacroAssembler-arm.h b/js/src/jit/arm/MacroAssembler-arm.h +index 00e8a03..6ccc0be 100644 +--- a/js/src/jit/arm/MacroAssembler-arm.h ++++ b/js/src/jit/arm/MacroAssembler-arm.h +@@ -711,6 +711,9 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM + void jump(Label *label) { + as_b(label); + } ++ void jump(JitCode *code) { ++ branch(code); ++ } + void jump(Register reg) { + ma_bx(reg); + } +@@ -1202,8 +1205,7 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM + + void linkExitFrame(); + void linkParallelExitFrame(const Register &pt); +- void handleFailureWithHandler(void *handler); +- void handleFailureWithHandlerTail(); ++ void handleFailureWithHandlerTail(void *handler); + + ///////////////////////////////////////////////////////////////// + // Common interface. 
+diff --git a/js/src/jit/arm/Trampoline-arm.cpp b/js/src/jit/arm/Trampoline-arm.cpp +index e539c00..693dad8 100644 +--- a/js/src/jit/arm/Trampoline-arm.cpp ++++ b/js/src/jit/arm/Trampoline-arm.cpp +@@ -928,11 +928,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx) + } + + JitCode * +-JitRuntime::generateExceptionTailStub(JSContext *cx) ++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler) + { + MacroAssembler masm; + +- masm.handleFailureWithHandlerTail(); ++ masm.handleFailureWithHandlerTail(handler); + + Linker linker(masm); + AutoFlushICache afc("ExceptionTailStub"); +diff --git a/js/src/jit/mips/MacroAssembler-mips.cpp b/js/src/jit/mips/MacroAssembler-mips.cpp +index cee93a5..256434d 100644 +--- a/js/src/jit/mips/MacroAssembler-mips.cpp ++++ b/js/src/jit/mips/MacroAssembler-mips.cpp +@@ -3139,25 +3139,18 @@ MacroAssemblerMIPSCompat::callWithABI(const Address &fun, MoveOp::Type result) + } + + void +-MacroAssemblerMIPSCompat::handleFailureWithHandler(void *handler) ++MacroAssemblerMIPSCompat::handleFailureWithHandlerTail(void *handler) + { + // Reserve space for exception information. + int size = (sizeof(ResumeFromException) + StackAlignment) & ~(StackAlignment - 1); + ma_subu(StackPointer, StackPointer, Imm32(size)); + ma_move(a0, StackPointer); // Use a0 since it is a first function argument + +- // Ask for an exception handler. ++ // Call the handler. 
+ setupUnalignedABICall(1, a1); + passABIArg(a0); + callWithABI(handler); + +- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail(); +- branch(excTail); +-} +- +-void +-MacroAssemblerMIPSCompat::handleFailureWithHandlerTail() +-{ + Label entryFrame; + Label catch_; + Label finally; +diff --git a/js/src/jit/mips/MacroAssembler-mips.h b/js/src/jit/mips/MacroAssembler-mips.h +index ed1f566..899a50e 100644 +--- a/js/src/jit/mips/MacroAssembler-mips.h ++++ b/js/src/jit/mips/MacroAssembler-mips.h +@@ -481,6 +481,10 @@ class MacroAssemblerMIPSCompat : public MacroAssemblerMIPS + as_nop(); + } + ++ void jump(JitCode *code) { ++ branch(code); ++ } ++ + void neg32(Register reg) { + ma_negu(reg, reg); + } +@@ -842,8 +846,7 @@ public: + + void linkExitFrame(); + void linkParallelExitFrame(const Register &pt); +- void handleFailureWithHandler(void *handler); +- void handleFailureWithHandlerTail(); ++ void handleFailureWithHandlerTail(void *handler); + + ///////////////////////////////////////////////////////////////// + // Common interface. 
+diff --git a/js/src/jit/mips/Trampoline-mips.cpp b/js/src/jit/mips/Trampoline-mips.cpp +index b456845..64c2385 100644 +--- a/js/src/jit/mips/Trampoline-mips.cpp ++++ b/js/src/jit/mips/Trampoline-mips.cpp +@@ -960,11 +960,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx) + + + JitCode * +-JitRuntime::generateExceptionTailStub(JSContext *cx) ++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler) + { + MacroAssembler masm; + +- masm.handleFailureWithHandlerTail(); ++ masm.handleFailureWithHandlerTail(handler); + + Linker linker(masm); + AutoFlushICache afc("ExceptionTailStub"); +diff --git a/js/src/jit/shared/MacroAssembler-x86-shared.h b/js/src/jit/shared/MacroAssembler-x86-shared.h +index 01d1a4b..779cf83 100644 +--- a/js/src/jit/shared/MacroAssembler-x86-shared.h ++++ b/js/src/jit/shared/MacroAssembler-x86-shared.h +@@ -287,6 +287,9 @@ class MacroAssemblerX86Shared : public Assembler + void jump(Label *label) { + jmp(label); + } ++ void jump(JitCode *code) { ++ jmp(code); ++ } + void jump(RepatchLabel *label) { + jmp(label); + } +diff --git a/js/src/jit/x64/MacroAssembler-x64.cpp b/js/src/jit/x64/MacroAssembler-x64.cpp +index 9a9f995..0db799c 100644 +--- a/js/src/jit/x64/MacroAssembler-x64.cpp ++++ b/js/src/jit/x64/MacroAssembler-x64.cpp +@@ -287,24 +287,17 @@ MacroAssemblerX64::callWithABI(Address fun, MoveOp::Type result) + } + + void +-MacroAssemblerX64::handleFailureWithHandler(void *handler) ++MacroAssemblerX64::handleFailureWithHandlerTail(void *handler) + { + // Reserve space for exception information. + subq(Imm32(sizeof(ResumeFromException)), rsp); + movq(rsp, rax); + +- // Ask for an exception handler. ++ // Call the handler. 
+ setupUnalignedABICall(1, rcx); + passABIArg(rax); + callWithABI(handler); + +- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail(); +- jmp(excTail); +-} +- +-void +-MacroAssemblerX64::handleFailureWithHandlerTail() +-{ + Label entryFrame; + Label catch_; + Label finally; +diff --git a/js/src/jit/x64/MacroAssembler-x64.h b/js/src/jit/x64/MacroAssembler-x64.h +index 2c11e9a..5010549 100644 +--- a/js/src/jit/x64/MacroAssembler-x64.h ++++ b/js/src/jit/x64/MacroAssembler-x64.h +@@ -1288,8 +1288,7 @@ class MacroAssemblerX64 : public MacroAssemblerX86Shared + void callWithABI(AsmJSImmPtr imm, MoveOp::Type result = MoveOp::GENERAL); + void callWithABI(Address fun, MoveOp::Type result = MoveOp::GENERAL); + +- void handleFailureWithHandler(void *handler); +- void handleFailureWithHandlerTail(); ++ void handleFailureWithHandlerTail(void *handler); + + void makeFrameDescriptor(Register frameSizeReg, FrameType type) { + shlq(Imm32(FRAMESIZE_SHIFT), frameSizeReg); +diff --git a/js/src/jit/x64/Trampoline-x64.cpp b/js/src/jit/x64/Trampoline-x64.cpp +index 72f4592..3b83850 100644 +--- a/js/src/jit/x64/Trampoline-x64.cpp ++++ b/js/src/jit/x64/Trampoline-x64.cpp +@@ -785,11 +785,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx) + } + + JitCode * +-JitRuntime::generateExceptionTailStub(JSContext *cx) ++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler) + { + MacroAssembler masm; + +- masm.handleFailureWithHandlerTail(); ++ masm.handleFailureWithHandlerTail(handler); + + Linker linker(masm); + JitCode *code = linker.newCode(cx, JSC::OTHER_CODE); +diff --git a/js/src/jit/x86/MacroAssembler-x86.cpp b/js/src/jit/x86/MacroAssembler-x86.cpp +index d36f4d3..57a0f85 100644 +--- a/js/src/jit/x86/MacroAssembler-x86.cpp ++++ b/js/src/jit/x86/MacroAssembler-x86.cpp +@@ -281,24 +281,17 @@ MacroAssemblerX86::callWithABI(const Address &fun, MoveOp::Type result) + } + + void +-MacroAssemblerX86::handleFailureWithHandler(void *handler) 
++MacroAssemblerX86::handleFailureWithHandlerTail(void *handler) + { + // Reserve space for exception information. + subl(Imm32(sizeof(ResumeFromException)), esp); + movl(esp, eax); + +- // Ask for an exception handler. ++ // Call the handler. + setupUnalignedABICall(1, ecx); + passABIArg(eax); + callWithABI(handler); + +- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail(); +- jmp(excTail); +-} +- +-void +-MacroAssemblerX86::handleFailureWithHandlerTail() +-{ + Label entryFrame; + Label catch_; + Label finally; +diff --git a/js/src/jit/x86/MacroAssembler-x86.h b/js/src/jit/x86/MacroAssembler-x86.h +index 17de7a7..7e578c8 100644 +--- a/js/src/jit/x86/MacroAssembler-x86.h ++++ b/js/src/jit/x86/MacroAssembler-x86.h +@@ -1086,8 +1086,7 @@ class MacroAssemblerX86 : public MacroAssemblerX86Shared + void callWithABI(const Address &fun, MoveOp::Type result = MoveOp::GENERAL); + + // Used from within an Exit frame to handle a pending exception. +- void handleFailureWithHandler(void *handler); +- void handleFailureWithHandlerTail(); ++ void handleFailureWithHandlerTail(void *handler); + + void makeFrameDescriptor(Register frameSizeReg, FrameType type) { + shll(Imm32(FRAMESIZE_SHIFT), frameSizeReg); +diff --git a/js/src/jit/x86/Trampoline-x86.cpp b/js/src/jit/x86/Trampoline-x86.cpp +index 0a2f0de..9fd2c00 100644 +--- a/js/src/jit/x86/Trampoline-x86.cpp ++++ b/js/src/jit/x86/Trampoline-x86.cpp +@@ -827,11 +827,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx) + } + + JitCode * +-JitRuntime::generateExceptionTailStub(JSContext *cx) ++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler) + { + MacroAssembler masm; + +- masm.handleFailureWithHandlerTail(); ++ masm.handleFailureWithHandlerTail(handler); + + Linker linker(masm); + JitCode *code = linker.newCode(cx, JSC::OTHER_CODE); +-- +2.1.2 + 
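Review bot: In the nested IonMacroAssembler.cpp hunk, `JitCode *excTail;` in MacroAssembler::handleFailure is declared without an initialiser and assigned only in the two named `case` arms, so `jump(excTail)` relies entirely on MOZ_ASSUME_UNREACHABLE in `default:` to rule out an indeterminate jump target. Declaring it as `JitCode *excTail = nullptr;` costs nothing and makes an unexpected ExecutionMode fail on a known value rather than an arbitrary one; how the macro behaves in release builds is not visible here. In JitCompartment.h the new member `exceptionTailParallel_` shares the one-line comment 'Shared exception-handler tail.', and a second comment line saying that it is the stub built around HandleParallelFailure (per the Ion.cpp hunk) would make the pairing explicit. handleFailure's body starts and ends outside the hunk.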
diff --git a/gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch b/gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch
new file mode 100644
index 0000000000..d7f68e9df3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch
@@ -0,0 +1,30 @@
+From e5de31c8f927b1aa06dde02c356cda33beb463d9 Mon Sep 17 00:00:00 2001
+From: Kyle Huey
+Date: Fri, 19 Dec 2014 18:16:17 -0800
+Subject: [PATCH] Bug 1111737. r=smaug, a=bkerensa
+
+---
+ content/base/src/nsScriptLoader.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/content/base/src/nsScriptLoader.cpp b/content/base/src/nsScriptLoader.cpp
+index a6a4c34..7f3a76e 100644
+--- a/content/base/src/nsScriptLoader.cpp
++++ b/content/base/src/nsScriptLoader.cpp
+@@ -812,7 +812,12 @@ NotifyOffThreadScriptLoadCompletedRunnable::Run()
+ {
+ MOZ_ASSERT(NS_IsMainThread());
+
+- nsresult rv = mLoader->ProcessOffThreadRequest(mRequest, &mToken);
++ // We want these to be dropped on the main thread, once we return from this
++ // function.
++ nsRefPtr request = mRequest.forget();
++ nsRefPtr loader = mLoader.forget();
++
++ nsresult rv = loader->ProcessOffThreadRequest(request, &mToken);
+
+ if (mToken) {
+ // The result of the off thread parse was not actually needed to process
+--
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch b/gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch
new file mode 100644
index 0000000000..83ee5fc79e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch
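Review bot: After `mRequest.forget()` and `mLoader.forget()` both members are null for the remainder of Run(), and the rest of the function lies outside this hunk, so it should be confirmed that nothing further down (the `if (mToken)` path, for instance) still dereferences `mRequest` or `mLoader`. The added comment says where the references are released but not why that matters; if the reason is that the runnable itself can be destroyed on another thread (the patch header gives only the bug number), saying so would make the fix reviewable without the bug report. The two `nsRefPtr` locals appear here without template arguments, which looks like an artefact of how this page was rendered and is worth checking against the committed file.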
@@ -0,0 +1,27 @@
+From 0c4a326295bdb37742fe23f0395916d2ba8ade53 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer
+Date: Wed, 19 Nov 2014 16:03:39 -0800
+Subject: [PATCH 1/2] Bug 1080987 - navigator.sendBeacon() needs to sent origin
+ header. r=sicking, a=bkerensa
+
+---
+ dom/base/Navigator.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 0f03ad3..020e370 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1265,6 +1265,9 @@ Navigator::SendBeacon(const nsAString& aUrl,
+ principal,
+ true);
+
++ rv = cors->Init(channel, true);
++ NS_ENSURE_SUCCESS(rv, false);
++
+ // Start a preflight if cross-origin and content type is not whitelisted
+ rv = secMan->CheckSameOriginURI(documentURI, uri, false);
+ bool crossOrigin = NS_FAILED(rv);
+--
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch b/gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch
new file mode 100644
index 0000000000..4e439efb89
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch
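Review bot: The second argument in `rv = cors->Init(channel, true);` is a bare boolean whose meaning cannot be read from the call site, and on a path that exists to get the Origin header right it deserves a name. An inline argument comment naming the parameter, in the form `cors->Init(channel, /* parameter name */ true);`, would be enough. Init now runs ahead of the `CheckSameOriginURI` test, so it applies to same-origin beacons as well; if that is intended, the 'Start a preflight if cross-origin' comment below it could say that initialisation is unconditional. SendBeacon starts and ends outside the hunk.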
@@ -0,0 +1,149 @@ +From 0d47e593c685313571aaa00cb7341b458123c82f Mon Sep 17 00:00:00 2001 +From: Christoph Kerschbaumer +Date: Wed, 19 Nov 2014 16:03:30 -0800 +Subject: [PATCH 2/2] Bug 1080987 - navigator.sendBeacon() needs to sent origin + header - test. r=sicking, a=bkerensa + +--- + .../beacon/beacon-originheader-handler.sjs | 41 ++++++++++++++ + dom/tests/mochitest/beacon/mochitest.ini | 2 + + .../mochitest/beacon/test_beaconOriginHeader.html | 64 ++++++++++++++++++++++ + 3 files changed, 107 insertions(+) + create mode 100644 dom/tests/mochitest/beacon/beacon-originheader-handler.sjs + create mode 100644 dom/tests/mochitest/beacon/test_beaconOriginHeader.html + +diff --git a/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs b/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs +new file mode 100644 +index 0000000..baed22c +--- /dev/null ++++ b/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs +@@ -0,0 +1,41 @@ ++/* ++ * TestSever customized specifically for the needs of: ++ * Bug 1080987 - navigator.sendBeacon() needs to sent origin header ++ */ ++ ++function handleRequest(request, response) ++{ ++ response.setHeader("Cache-Control", "no-cache", false); ++ response.setHeader("Content-Type", "text/plain", false); ++ ++ // case XHR-REQUEST: the xhr-request tries to query the ++ // stored header from the beacon request. ++ if (request.queryString == "queryheader") { ++ var header = getState("originHeader"); ++ // if the beacon already stored the header - return. ++ if (header) { ++ response.write(header); ++ setState("originHeader", ""); ++ return; ++ } ++ // otherwise wait for the beacon request ++ response.processAsync(); ++ setObjectState("xhr-response", response); ++ return; ++ } ++ ++ // case BEACON-REQUEST: get the beacon header and ++ // store the header on the server. ++ var header = request.getHeader("origin"); ++ setState("originHeader", header); ++ ++ // if there is an xhr-request waiting, return the header now. 
++ getObjectState("xhr-response", function(xhrResponse) { ++ if (!xhrResponse) { ++ return; ++ } ++ setState("originHeader", ""); ++ xhrResponse.write(header); ++ xhrResponse.finish(); ++ }); ++} +diff --git a/dom/tests/mochitest/beacon/mochitest.ini b/dom/tests/mochitest/beacon/mochitest.ini +index f65276e..6681fa4 100644 +--- a/dom/tests/mochitest/beacon/mochitest.ini ++++ b/dom/tests/mochitest/beacon/mochitest.ini +@@ -2,8 +2,10 @@ + skip-if = buildapp == 'b2g' || e10s + support-files = beacon-frame.html + beacon-handler.sjs ++ beacon-originheader-handler.sjs + + [test_beacon.html] + [test_beaconFrame.html] + [test_beaconPreflight.html] + [test_beaconContentPolicy.html] ++[test_beaconOriginHeader.html] +diff --git a/dom/tests/mochitest/beacon/test_beaconOriginHeader.html b/dom/tests/mochitest/beacon/test_beaconOriginHeader.html +new file mode 100644 +index 0000000..b5684a9 +--- /dev/null ++++ b/dom/tests/mochitest/beacon/test_beaconOriginHeader.html +@@ -0,0 +1,64 @@ ++ ++ ++ ++ Bug 1080987 - navigator.sendBeacon() needs to sent origin header ++ ++ ++ ++ ++ ++

++ ++ ++ ++ ++ ++ +-- +2.1.2 + diff --git a/gnu/packages/patches/icecat-CVE-2014-8639.patch b/gnu/packages/patches/icecat-CVE-2014-8639.patch new file mode 100644 index 0000000000..2610765f43 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2014-8639.patch 
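Review bot: In beacon-originheader-handler.sjs the response parked under "xhr-response" is never cleared once the beacon branch has called `xhrResponse.finish()`, so a second beacon request to the same handler would call `write()` on an already finished response. Adding `setObjectState("xhr-response", null);` right after `xhrResponse.finish();` keeps the handler safe to reuse; the test as written appears to send only one beacon, so this is hardening rather than a failure seen here. The header comment also carries two typos worth fixing while the file is new, 'TestSever' and 'needs to sent'. The markup of test_beaconOriginHeader.html did not survive on this page, so that file could not be reviewed.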
@@ -0,0 +1,92 @@ +From f80b2eefd451b8ed0fd783d9b9ed0412c8d46efd Mon Sep 17 00:00:00 2001 +From: Patrick McManus +Date: Thu, 11 Dec 2014 13:55:16 -0500 +Subject: [PATCH] bug 1095859 - proxy tweak r=valentin.gosu a=bkerensa + +--- + netwerk/protocol/http/nsHttpChannel.cpp | 7 ++++++- + netwerk/test/unit/test_auth_proxy.js | 29 +++++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 1 deletion(-) + +diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp +index f20e033..35e71c7 100644 +--- a/netwerk/protocol/http/nsHttpChannel.cpp ++++ b/netwerk/protocol/http/nsHttpChannel.cpp +@@ -1237,7 +1237,12 @@ nsHttpChannel::ProcessResponse() + // notify "http-on-examine-response" observers + gHttpHandler->OnExamineResponse(this); + +- SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie)); ++ // Cookies should not be handled on proxy failure either. ++ // This would be consolidated with ProcessSecurityHeaders but it should ++ // happen after OnExamineResponse. 
++ if (!mTransaction->ProxyConnectFailed() && (httpStatus != 407)) { ++ SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie)); ++ } + + // handle unused username and password in url (see bug 232567) + if (httpStatus != 401 && httpStatus != 407) { +diff --git a/netwerk/test/unit/test_auth_proxy.js b/netwerk/test/unit/test_auth_proxy.js +index 6af4e98..9275d6d 100644 +--- a/netwerk/test/unit/test_auth_proxy.js ++++ b/netwerk/test/unit/test_auth_proxy.js +@@ -172,6 +172,12 @@ var listener = { + // If we expect 200, the request should have succeeded + do_check_eq(this.expectedCode == 200, request.requestSucceeded); + ++ var cookie = ""; ++ try { ++ cookie = request.getRequestHeader("Cookie"); ++ } catch (e) { } ++ do_check_eq(cookie, ""); ++ + } catch (e) { + do_throw("Unexpected exception: " + e); + } +@@ -261,6 +267,25 @@ function test_all_ok() { + do_test_pending(); + } + ++function test_proxy_407_cookie() { ++ var chan = makeChan(); ++ chan.notificationCallbacks = new Requestor(FLAG_RETURN_FALSE, 0); ++ chan.setRequestHeader("X-Set-407-Cookie", "1", false); ++ listener.expectedCode = 407; // Proxy Unauthorized ++ chan.asyncOpen(listener, null); ++ ++ do_test_pending(); ++} ++ ++function test_proxy_200_cookie() { ++ var chan = makeChan(); ++ chan.notificationCallbacks = new Requestor(0, 0); ++ chan.setRequestHeader("X-Set-407-Cookie", "1", false); ++ listener.expectedCode = 200; // OK ++ chan.asyncOpen(listener, null); ++ do_test_pending(); ++} ++ + function test_host_returnfalse() { + dump("\ntest: host returnfalse\n"); + var chan = makeChan(); +@@ -301,6 +326,7 @@ function test_proxy_wrongpw_host_returnfalse() { + } + + var tests = [test_proxy_returnfalse, test_proxy_wrongpw, test_all_ok, ++ test_proxy_407_cookie, test_proxy_200_cookie, + test_host_returnfalse, test_host_wrongpw, + test_proxy_wrongpw_host_wrongpw, test_proxy_wrongpw_host_returnfalse]; + +@@ -331,6 +357,9 @@ function proxyAuthHandler(metadata, response) { + "Unauthorized by HTTP proxy"); + 
response.setHeader("Proxy-Authenticate", + 'Basic realm="' + realm + '"', false); ++ if (metadata.hasHeader("X-Set-407-Cookie")) { ++ response.setHeader("Set-Cookie", "chewy", false); ++ } + body = "failed"; + response.bodyOutputStream.write(body, body.length); + } +-- +2.1.2 + diff --git a/gnu/packages/patches/icecat-CVE-2014-8641.patch b/gnu/packages/patches/icecat-CVE-2014-8641.patch new file mode 100644 index 0000000000..ec42861945 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2014-8641.patch @@ -0,0 +1,29 @@ +From e36a3dd359ff0ac9c8796d41bedc884218d479e7 Mon Sep 17 00:00:00 2001 +From: Paul Adenot +Date: Tue, 16 Dec 2014 18:45:40 +0100 +Subject: [PATCH] Bug 1108455. r=kinetik, a=sledru + +--- + media/libcubeb/src/cubeb_wasapi.cpp | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/media/libcubeb/src/cubeb_wasapi.cpp b/media/libcubeb/src/cubeb_wasapi.cpp +index 135aa86..5387a4f 100644 +--- a/media/libcubeb/src/cubeb_wasapi.cpp ++++ b/media/libcubeb/src/cubeb_wasapi.cpp +@@ -365,10 +365,8 @@ wasapi_stream_render_loop(LPVOID stream) + assert(padding <= stm->buffer_frame_count); + + if (stm->draining) { +- if (padding == 0) { +- stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_DRAINED); +- is_playing = false; +- } ++ stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_DRAINED); ++ is_playing = false; + continue; + } + +-- +2.1.2 + diff --git a/gnu/packages/patches/icecat-armhf-xpcom.patch b/gnu/packages/patches/icecat-armhf-xpcom.patch new file mode 100644 index 0000000000..e92c8bbf1e --- /dev/null +++ b/gnu/packages/patches/icecat-armhf-xpcom.patch 
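Review bot: The regression check added to test_auth_proxy.js is indirect: the listener only asserts that the request carries no `Cookie` header, and `test_proxy_407_cookie` on its own cannot observe a stored cookie because its single request is sent before any Set-Cookie arrives. Detection therefore appears to rest on a later request, which makes the position of `test_proxy_407_cookie, test_proxy_200_cookie` in the `tests` array significant; a comment there such as `// keep in this order: the 200 test would send a cookie stored by the 407 response` would protect it. In nsHttpChannel.cpp the new guard `!mTransaction->ProxyConnectFailed() && (httpStatus != 407)` is, by its own comment, a candidate for consolidation with ProcessSecurityHeaders, and a cross-reference at that function would keep the two conditions from drifting apart. ProcessResponse continues outside the hunk.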
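Review bot: The drain branch of wasapi_stream_render_loop now reports CUBEB_STATE_DRAINED and clears `is_playing` on the first pass regardless of `padding`, but neither the code nor the patch header (bug number only) records why waiting for `padding == 0` had to go. A comment on the branch, for example `/* Signal DRAINED without waiting for padding to reach 0 (Bug 1108455). */`, would keep the check from being reintroduced later as an apparent fix for clipped audio. The bound `padding <= stm->buffer_frame_count` just above is only an `assert`, so it is not enforced in builds that compile assertions out. The loop body continues outside the hunk.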
@@ -0,0 +1,25 @@
+From 06198585dae1e4079b4b52b49827fd5b826030b7 Mon Sep 17 00:00:00 2001
+From: Douglas Crosher
+Date: Sun, 16 Nov 2014 00:29:23 +1100
+Subject: [PATCH] Bug 1050258 - ARM hard-float XPCOM: correct argument passing.
+ r=mjrosenb, a=bkerensa
+
+---
+ xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp b/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
+index 946b7e3..c1c536b 100644
+--- a/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
++++ b/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
+@@ -224,6 +224,7 @@ static inline void copy_dword(uint32_t* &ireg_args,
+ *(uint64_t *)ireg_args = data;
+ ireg_args += 2;
+ } else {
++ ireg_args = end;
+ if ((uint32_t)stack_args & 4) {
+ stack_args++;
+ }
+--
+2.1.2
+
-- cgit v1.2.3
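Review bot: `ireg_args = end;` is the entire fix in copy_dword and carries no comment, so the reason the register cursor jumps to `end` when a 64-bit value goes to the stack is left for the reader to reconstruct. A line above it such as `// Once a dword spills to the stack, later arguments must not back-fill the remaining core registers.` would document the intent; that matches the ARM procedure-call rule as I understand it, but confirm the wording against the bug. This patch is not one of the CVE fixes named in the commit subject, which is easy to miss when auditing which entries in the list are security-relevant. copy_dword starts and ends outside the hunk.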