From 73321592e7455cf23e31284292b638ebc5c1481e Mon Sep 17 00:00:00 2001 From: Martin Stransky Date: Wed, 22 Mar 2017 10:12:21 +0100 Subject: [PATCH] Added fix for CVE-2017-5428, Added fix for mozbz#1158076 --- firefox.spec | 10 ++- mozilla-1158076.patch | 185 ++++++++++++++++++++++++++++++++++++++++++ mozilla-1348168.patch | 88 ++++++++++++++++++++ 3 files changed, 282 insertions(+), 1 deletion(-) create mode 100644 mozilla-1158076.patch create mode 100644 mozilla-1348168.patch diff --git a/firefox.spec b/firefox.spec index 71b1bb8..2ae80f6 100644 --- a/firefox.spec +++ b/firefox.spec @@ -103,7 +103,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 52.0 -Release: 5%{?pre_tag}%{?dist} +Release: 6%{?pre_tag}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Group: Applications/Internet @@ -153,6 +153,8 @@ Patch406: mozilla-256180.patch # Rebase Gtk3 widget code to latest trunk to # fix various rendering problems Patch407: widget-rebase.patch +Patch408: mozilla-1348168.patch +Patch409: mozilla-1158076.patch # Debian patches Patch500: mozilla-440908.patch @@ -317,6 +319,8 @@ cd %{tarballdir} # Rebase Gtk3 widget code to latest trunk to # fix various rendering problems %patch407 -p1 -b .widget-rebase +%patch408 -p1 -b .1348168 +%patch409 -p1 -b .1158076 # Debian extension patch %patch500 -p1 -b .440908 @@ -835,6 +839,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Wed Mar 22 2017 Martin Stransky - 52.0-6 +- Added fix for CVE-2017-5428 +- Added fix for mozbz#1158076 + * Mon Mar 13 2017 Martin Stransky - 52.0-5 - Enable ALSA backend behind pref (rhbz#1431371) diff --git a/mozilla-1158076.patch b/mozilla-1158076.patch new file mode 100644 index 0000000..8a90be5 --- /dev/null +++ b/mozilla-1158076.patch 
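Review bot: Patch408 and Patch409 are added without the explanatory comment that the neighbouring Patch407 carries (`# Rebase Gtk3 widget code to latest trunk to ...`), so the spec itself never says what they are; only by elimination against the changelog entries does mozilla-1348168.patch become the CVE-2017-5428 change and mozilla-1158076.patch the lazy-init/dark-theme change. Worth recording is also how the CVE change works: the patch makes `canvas.imagebitmap_extensions.enabled` unconditionally false (previously true outside RELEASE_OR_BETA builds) and makes both CreateImageBitmap overloads throw NS_ERROR_TYPE_ERR when ImageBitmap::ExtensionsEnabled() is false, i.e. it is a mitigation by disabling a feature behind a pref rather than a change to the affected code, and the changelog wording "Added fix for CVE-2017-5428" does not convey that to whoever later considers re-enabling the pref. I would add `# CVE-2017-5428: disable ImageBitmap extensions behind pref (mozbz#1348168)` above Patch408 and `# Lazy nsLookAndFeel init, Gtk dark-theme/content-theme prefs (mozbz#1158076)` above Patch409, and mirror them on the %patch408/%patch409 lines in the %prep hunk.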
@@ -0,0 +1,185 @@
+diff -up firefox-52.0/modules/libpref/init/all.js.1158076 firefox-52.0/modules/libpref/init/all.js
+--- firefox-52.0/modules/libpref/init/all.js.1158076 2017-03-22 10:05:22.318067553 +0100
++++ firefox-52.0/modules/libpref/init/all.js 2017-03-22 10:07:15.360555913 +0100
+@@ -4646,6 +4646,7 @@ pref("gfx.apitrace.enabled",false);
+ pref("gfx.content.use-native-pushlayer", true);
+ #ifdef MOZ_WIDGET_GTK
+ pref("gfx.xrender.enabled",false);
++pref("widget.allow-gtk-dark-theme", false);
+ #endif
+ #endif
+
+diff -up firefox-52.0/widget/gtk/mozgtk/mozgtk.c.1158076 firefox-52.0/widget/gtk/mozgtk/mozgtk.c
+--- firefox-52.0/widget/gtk/mozgtk/mozgtk.c.1158076 2017-03-22 10:05:22.313067576 +0100
++++ firefox-52.0/widget/gtk/mozgtk/mozgtk.c 2017-03-22 10:08:34.122199432 +0100
+@@ -522,6 +522,7 @@ STUB(gdk_x11_display_get_type)
+ STUB(gtk_box_new)
+ STUB(gtk_cairo_should_draw_window)
+ STUB(gtk_cairo_transform_to_window)
++STUB(gtk_css_provider_get_named)
+ STUB(gtk_combo_box_text_append)
+ STUB(gtk_drag_set_icon_surface)
+ STUB(gtk_get_major_version)
+@@ -548,6 +549,7 @@ STUB(gtk_scale_new)
+ STUB(gtk_scrollbar_new)
+ STUB(gtk_style_context_add_class)
+ STUB(gtk_style_context_add_region)
++STUB(gtk_style_context_add_provider_for_screen)
+ STUB(gtk_style_context_get)
+ STUB(gtk_style_context_get_background_color)
+ STUB(gtk_style_context_get_border)
+@@ -573,6 +575,7 @@ STUB(gtk_style_context_set_path)
+ STUB(gtk_style_context_set_parent)
+ STUB(gtk_style_context_set_state)
+ STUB(gtk_style_properties_lookup_property)
++STUB(gtk_style_provider_get_type)
+ STUB(gtk_tree_view_column_get_button)
+ STUB(gtk_widget_get_preferred_size)
+ STUB(gtk_widget_get_state_flags)
+diff -up firefox-52.0/widget/gtk/nsLookAndFeel.cpp.1158076 firefox-52.0/widget/gtk/nsLookAndFeel.cpp
+--- firefox-52.0/widget/gtk/nsLookAndFeel.cpp.1158076 2017-03-22 10:05:22.314067571 +0100
++++ firefox-52.0/widget/gtk/nsLookAndFeel.cpp 2017-03-22 10:07:56.914367838 +0100
+@@ -50,9 +50,9 @@ nsLookAndFeel::nsLookAndFeel()
+ mStyle(nullptr),
+ #endif
+ mDefaultFontCached(false), mButtonFontCached(false),
+- mFieldFontCached(false), mMenuFontCached(false)
++ mFieldFontCached(false), mMenuFontCached(false),
++ mInitialized(false)
+ {
+- Init();
+ }
+
+ nsLookAndFeel::~nsLookAndFeel()
+@@ -224,6 +224,8 @@ GetBorderColors(GtkStyleContext* aContex
+ nsresult
+ nsLookAndFeel::NativeGetColor(ColorID aID, nscolor& aColor)
+ {
++ EnsureInit();
++
+ #if (MOZ_WIDGET_GTK == 3)
+ GdkRGBA gdk_color;
+ #endif
+@@ -675,6 +677,8 @@ nsLookAndFeel::GetIntImpl(IntID aID, int
+ return res;
+ res = NS_OK;
+
++ // We use delayed initialization by EnsureInit() here
++ // to ensure mozilla::Preferences is available (see Bug 1158076).
+ switch (aID) {
+ case eIntID_CaretBlinkTime:
+ {
+@@ -837,6 +841,7 @@ nsLookAndFeel::GetIntImpl(IntID aID, int
+ aResult = NS_STYLE_TEXT_DECORATION_STYLE_WAVY;
+ break;
+ case eIntID_MenuBarDrag:
++ EnsureInit();
+ aResult = sMenuSupportsDrag;
+ break;
+ case eIntID_ScrollbarButtonAutoRepeatBehavior:
+@@ -877,6 +882,7 @@ nsLookAndFeel::GetFloatImpl(FloatID aID,
+ aResult = 1.0f;
+ break;
+ case eFloatID_CaretAspectRatio:
++ EnsureInit();
+ aResult = sCaretRatio;
+ break;
+ default:
+@@ -1057,11 +1063,15 @@ nsLookAndFeel::GetFontImpl(FontID aID, n
+ }
+
+ void
+-nsLookAndFeel::Init()
++nsLookAndFeel::EnsureInit()
+ {
+ GdkColor colorValue;
+ GdkColor *colorValuePtr;
+
++ if (mInitialized)
++ return;
++ mInitialized = true;
++
+ #if (MOZ_WIDGET_GTK == 2)
+ NS_ASSERTION(!mStyle, "already initialized");
+ // GtkInvisibles come with a refcount that is not floating
+@@ -1133,17 +1143,40 @@ nsLookAndFeel::Init()
+ // ask Gtk to create it explicitly. Otherwise we may end up
+ // with wrong color theme, see Bug 972382
+ GtkSettings *settings = gtk_settings_get_for_screen(gdk_screen_get_default());
++ bool e10sActive = mozilla::BrowserTabsRemoteAutostart();
++
++ if (!e10sActive || XRE_IsContentProcess()) {
++ // Disable dark theme in processes with web content because it
++ // interacts poorly with widget styling (see bug 1216658).
++ // To avoid triggering reload of theme settings unnecessarily, only set the
++ // setting when necessary.
++ const gchar* dark_setting = "gtk-application-prefer-dark-theme";
++ gboolean dark;
++ g_object_get(settings, dark_setting, &dark, nullptr);
++
++ bool allowDarkEnv = PR_GetEnv("MOZ_ALLOW_GTK_DARK_THEME") != nullptr;
++ bool allowDarkPref =
++ mozilla::Preferences::GetBool("widget.allow-gtk-dark-theme", false);
+
+- // Disable dark theme because it interacts poorly with widget styling in
+- // web content (see bug 1216658).
+- // To avoid triggering reload of theme settings unnecessarily, only set the
+- // setting when necessary.
+- const gchar* dark_setting = "gtk-application-prefer-dark-theme";
+- gboolean dark;
+- g_object_get(settings, dark_setting, &dark, nullptr);
++ if (dark && !allowDarkEnv && !allowDarkPref) {
++ g_object_set(settings, dark_setting, FALSE, nullptr);
++ }
+
+- if (dark && !PR_GetEnv("MOZ_ALLOW_GTK_DARK_THEME")) {
+- g_object_set(settings, dark_setting, FALSE, nullptr);
++ // Allow Gtk+ theme override for web content only.
++ if (e10sActive) {
++ auto contentThemeName =
++ mozilla::Preferences::GetCString("widget.content-gtk-theme");
++ if (!contentThemeName.IsEmpty()) {
++ // TODO: It should be enough to change theme by "gtk-theme-name"
++ // settings but that does not have any effect here. Maybe we
++ // call it too late?
++ GtkCssProvider *styleProvider =
++ gtk_css_provider_get_named(contentThemeName, NULL);
++ gtk_style_context_add_provider_for_screen(gdk_screen_get_default(),
++ GTK_STYLE_PROVIDER(styleProvider),
++ GTK_STYLE_PROVIDER_PRIORITY_APPLICATION);
++ }
++ }
+ }
+
+ // Scrollbar colors
+@@ -1439,6 +1472,7 @@ nsLookAndFeel::Init()
+ char16_t
+ nsLookAndFeel::GetPasswordCharacterImpl()
+ {
++ EnsureInit();
+ return sInvisibleCharacter;
+ }
+
+@@ -1457,7 +1491,7 @@ nsLookAndFeel::RefreshImpl()
+ mStyle = nullptr;
+ #endif
+
+- Init();
++ mInitialized = false;
+ }
+
+ bool
+diff -up firefox-52.0/widget/gtk/nsLookAndFeel.h.1158076 firefox-52.0/widget/gtk/nsLookAndFeel.h
+--- firefox-52.0/widget/gtk/nsLookAndFeel.h.1158076 2016-05-12 19:13:34.000000000 +0200
++++ firefox-52.0/widget/gtk/nsLookAndFeel.h 2017-03-22 10:06:36.461731972 +0100
+@@ -84,8 +84,9 @@ protected:
+ char16_t sInvisibleCharacter;
+ float sCaretRatio;
+ bool sMenuSupportsDrag;
++ bool mInitialized;
+
+- void Init();
++ void EnsureInit();
+ };
+
+ #endif
diff --git a/mozilla-1348168.patch b/mozilla-1348168.patch
new file mode 100644
index 0000000..e0627d2
--- /dev/null
+++ b/mozilla-1348168.patch
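Review bot: In EnsureInit() the new guard `if (mInitialized) return; mInitialized = true;` sets the flag before any of the GTK and Preferences calls that follow have run, so a re-entrant call into NativeGetColor(), GetIntImpl(), GetFloatImpl() or GetPasswordCharacterImpl() during that window — the `g_object_set` on `gtk-application-prefer-dark-theme` may emit GtkSettings notify signals synchronously, though the hunk does not show what is connected to them — would see mInitialized set and read sMenuSupportsDrag, sCaretRatio or sInvisibleCharacter before they are populated; if re-entry is possible the single flag needs a distinct "initializing" state, and if it is not, a comment on the guard saying so would spare the next reader the question. The provider from `gtk_css_provider_get_named(contentThemeName, NULL)` goes straight into `GTK_STYLE_PROVIDER(styleProvider)`; unless GTK guarantees a non-null provider for an unknown `widget.content-gtk-theme` value, an `if (styleProvider)` around the add_provider_for_screen call is cheap insurance against a misconfigured pref. The two-line comment added above `switch (aID)` in GetIntImpl() describes a call that appears only in the eIntID_MenuBarDrag case further down; it belongs on the `if (mInitialized)` guard in EnsureInit(), where the Bug 1158076 rationale applies to every caller. In mozgtk.c, `STUB(gtk_css_provider_get_named)` is inserted ahead of `gtk_combo_box_text_append`, breaking the alphabetical order the stub table otherwise keeps. NativeGetColor(), GetIntImpl(), GetFloatImpl() and EnsureInit() all start or end outside the hunk.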
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User Ehsan Akhgari
+# Date 1489719163 14400
+# Node ID 4af7cd795eeef3bce2dd40d5a6e92d21304eaea1
+# Parent dac467924a46c4bbff97c948bf4a7143dada2b19
+Bug 1348168 - Disable Mozilla custom ImageBitmap extensions that didn't go through proper API review; r=bzbarsky a=dveditz
+
+diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
+--- a/dom/base/nsGlobalWindow.cpp
++++ b/dom/base/nsGlobalWindow.cpp
+@@ -14993,16 +14993,20 @@ nsGlobalWindow::CreateImageBitmap(const
+
+ already_AddRefed
+ nsGlobalWindow::CreateImageBitmap(const ImageBitmapSource& aImage,
+ int32_t aOffset, int32_t aLength,
+ ImageBitmapFormat aFormat,
+ const Sequence& aLayout,
+ ErrorResult& aRv)
+ {
++ if (!ImageBitmap::ExtensionsEnabled(nullptr, nullptr)) {
++ aRv.Throw(NS_ERROR_TYPE_ERR);
++ return nullptr;
++ }
+ if (aImage.IsArrayBuffer() || aImage.IsArrayBufferView()) {
+ return ImageBitmap::Create(this, aImage, aOffset, aLength, aFormat, aLayout,
+ aRv);
+ } else {
+ aRv.Throw(NS_ERROR_TYPE_ERR);
+ return nullptr;
+ }
+ }
+diff --git a/dom/workers/WorkerScope.cpp b/dom/workers/WorkerScope.cpp
+--- a/dom/workers/WorkerScope.cpp
++++ b/dom/workers/WorkerScope.cpp
+@@ -471,16 +471,24 @@ WorkerGlobalScope::CreateImageBitmap(con
+
+ already_AddRefed
+ WorkerGlobalScope::CreateImageBitmap(const ImageBitmapSource& aImage,
+ int32_t aOffset, int32_t aLength,
+ ImageBitmapFormat aFormat,
+ const Sequence& aLayout,
+ ErrorResult& aRv)
+ {
++ JSContext* cx = GetCurrentThreadJSContext();
++ MOZ_ASSERT(cx);
++
++ if (!ImageBitmap::ExtensionsEnabled(cx, nullptr)) {
++ aRv.Throw(NS_ERROR_TYPE_ERR);
++ return nullptr;
++ }
++
+ if (aImage.IsArrayBuffer() || aImage.IsArrayBufferView()) {
+ return ImageBitmap::Create(this, aImage, aOffset, aLength, aFormat, aLayout,
+ aRv);
+ } else {
+ aRv.Throw(NS_ERROR_TYPE_ERR);
+ return nullptr;
+ }
+ }
+diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
+--- a/modules/libpref/init/all.js
++++ b/modules/libpref/init/all.js
+@@ -831,22 +831,18 @@ pref("ui.scrollToClick", 0);
+ pref("canvas.focusring.enabled", true);
+ pref("canvas.customfocusring.enabled", false);
+ pref("canvas.hitregions.enabled", false);
+ pref("canvas.filters.enabled", true);
+ // Add support for canvas path objects
+ pref("canvas.path.enabled", true);
+ pref("canvas.capturestream.enabled", true);
+
+-// Disable the ImageBitmap-extensions in the release build.
+-#ifdef RELEASE_OR_BETA
++// Disable the ImageBitmap-extensions for now.
+ pref("canvas.imagebitmap_extensions.enabled", false);
+-#else
+-pref("canvas.imagebitmap_extensions.enabled", true);
+-#endif
+
+ // We want the ability to forcibly disable platform a11y, because
+ // some non-a11y-related components attempt to bring it up. See bug
+ // 538530 for details about Windows; we have a pref here that allows it
+ // to be disabled for performance and testing resons.
+ // See bug 761589 for the crossplatform aspect.
+ //
+ // This pref is checked only once, and the browser needs a restart to
+