diff --git a/.firefox.metadata b/.firefox.metadata index 19f80b6..f33c77b 100644 --- a/.firefox.metadata +++ b/.firefox.metadata @@ -1,5 +1,5 @@ c822547dbc12e2baebdfdfb38b665e23f0c2513a SOURCES/cbindgen-vendor.tar.xz -322e0ffb8b442f599b0f5dd695e6f83050b3dc82 SOURCES/firefox-91.4.0esr.processed-source.tar.xz -74a1b8c9a5f4a96f80af2d3fe542495e3af2423a SOURCES/firefox-langpacks-91.4.0esr-20211201.tar.xz +0693b8482089631c9c1c2b3c521aa701013e8a06 SOURCES/firefox-91.13.0esr.processed-source.tar.xz +3ad70d1bac601289f0355fed936bfd61e2fbbfd5 SOURCES/firefox-langpacks-91.13.0esr-20220817.tar.xz b5fd1332d8e0d37339ae170c7bebcb63a40b22e0 SOURCES/nspr-4.32.0-1.el8_1.src.rpm 8fff814901e03c2518ede2f8992d898f5ba61ed9 SOURCES/nss-3.67.0-7.el8_1.src.rpm diff --git a/.gitignore b/.gitignore index e79811e..aa16c51 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ SOURCES/cbindgen-vendor.tar.xz -SOURCES/firefox-91.4.0esr.processed-source.tar.xz -SOURCES/firefox-langpacks-91.4.0esr-20211201.tar.xz +SOURCES/firefox-91.13.0esr.processed-source.tar.xz +SOURCES/firefox-langpacks-91.13.0esr-20220817.tar.xz SOURCES/nspr-4.32.0-1.el8_1.src.rpm SOURCES/nss-3.67.0-7.el8_1.src.rpm diff --git a/SOURCES/D110204-fscreen.diff b/SOURCES/D110204-fscreen.diff index 99eeb3b..ce4c908 100644 --- a/SOURCES/D110204-fscreen.diff +++ b/SOURCES/D110204-fscreen.diff @@ -1,6 +1,5 @@ -diff -up firefox-91.0/widget/gtk/nsWindow.cpp.D110204-fscreen.diff firefox-91.0/widget/gtk/nsWindow.cpp ---- firefox-91.0/widget/gtk/nsWindow.cpp.D110204-fscreen.diff 2021-07-27 23:31:38.000000000 +0200 -+++ firefox-91.0/widget/gtk/nsWindow.cpp 2021-07-30 15:47:22.031795569 +0200 +--- firefox-91.11.0/widget/gtk/nsWindow.cpp.D110204-fscreen.diff 2022-06-20 21:18:51.000000000 +0200 ++++ firefox-91.11.0/widget/gtk/nsWindow.cpp 2022-06-21 12:21:44.892706641 +0200 @@ -91,6 +91,7 @@ #include "SystemTimeConverter.h" #include "WidgetUtilsGtk.h" @@ -17,7 +16,7 @@ diff -up firefox-91.0/widget/gtk/nsWindow.cpp.D110204-fscreen.diff firefox-91.0/ mAspectRatio(0.0f), mAspectRatioSaved(0.0f), mLastScrollEventTime(GDK_CURRENT_TIME), -@@ -4626,6 +4628,19 @@ void nsWindow::OnWindowStateEvent(GtkWid +@@ -4618,6 +4620,19 @@ void nsWindow::OnWindowStateEvent(GtkWid ClearTransparencyBitmap(); } } @@ -37,7 +36,7 @@ diff -up firefox-91.0/widget/gtk/nsWindow.cpp.D110204-fscreen.diff firefox-91.0/ } void nsWindow::OnDPIChanged() { -@@ -6880,6 +6895,19 @@ nsresult nsWindow::MakeFullScreen(bool a +@@ -6860,6 +6875,19 @@ nsresult nsWindow::MakeFullScreen(bool a } } @@ -57,14 +56,13 @@ diff -up firefox-91.0/widget/gtk/nsWindow.cpp.D110204-fscreen.diff firefox-91.0/ gtk_window_fullscreen(GTK_WINDOW(mShell)); } else { mSizeMode = mLastSizeMode; -diff -up firefox-91.0/widget/gtk/nsWindow.h.D110204-fscreen.diff firefox-91.0/widget/gtk/nsWindow.h ---- firefox-91.0/widget/gtk/nsWindow.h.D110204-fscreen.diff 2021-07-27 23:31:38.000000000 +0200 -+++ firefox-91.0/widget/gtk/nsWindow.h 2021-07-29 18:35:41.000639386 +0200 -@@ -763,6 +763,7 @@ class nsWindow final : public nsBaseWidg - * move-to-rect callback we store it to mNewSizeAfterMoveToRect. +--- firefox-91.11.0/widget/gtk/nsWindow.h.D110204-fscreen.diff 2022-06-21 12:21:44.894706636 +0200 ++++ firefox-91.11.0/widget/gtk/nsWindow.h 2022-06-21 12:25:20.985209461 +0200 +@@ -767,6 +767,7 @@ class nsWindow final : public nsBaseWidg + * move-to-rect callback we set mResizedAfterMoveToRect. */ bool mWaitingForMoveToRectCallback; + bool mPendingFullscreen; - LayoutDeviceIntRect mNewSizeAfterMoveToRect; + bool mResizedAfterMoveToRect; /** diff --git a/SOURCES/expat-CVE-2022-25235.patch b/SOURCES/expat-CVE-2022-25235.patch new file mode 100644 index 0000000..1e5c664 --- /dev/null +++ b/SOURCES/expat-CVE-2022-25235.patch @@ -0,0 +1,49 @@ +diff -up firefox-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 firefox-91.7.0/parser/expat/lib/xmltok.c +--- firefox-91.7.0/parser/expat/lib/xmltok.c.expat-CVE-2022-25235 2022-03-02 17:57:38.364361168 +0100 ++++ firefox-91.7.0/parser/expat/lib/xmltok.c 2022-03-02 17:58:22.235512399 +0100 +@@ -65,13 +65,6 @@ + + ((((byte)[2]) >> 5) & 1)] \ + & (1u << (((byte)[2]) & 0x1F))) + +-#define UTF8_GET_NAMING(pages, p, n) \ +- ((n) == 2 \ +- ? UTF8_GET_NAMING2(pages, (const unsigned char *)(p)) \ +- : ((n) == 3 \ +- ? UTF8_GET_NAMING3(pages, (const unsigned char *)(p)) \ +- : 0)) +- + /* Detection of invalid UTF-8 sequences is based on Table 3.1B + of Unicode 3.2: http://www.unicode.org/unicode/reports/tr28/ + with the additional restriction of not allowing the Unicode +diff -up firefox-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 firefox-91.7.0/parser/expat/lib/xmltok_impl.c +--- firefox-91.7.0/parser/expat/lib/xmltok_impl.c.expat-CVE-2022-25235 2022-03-02 17:57:38.365361172 +0100 ++++ firefox-91.7.0/parser/expat/lib/xmltok_impl.c 2022-03-02 18:04:51.240853247 +0100 +@@ -34,7 +34,7 @@ + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NAME_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NAME_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -62,7 +62,7 @@ + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ +- if (!IS_NMSTRT_CHAR(enc, ptr, n)) { \ ++ if (IS_INVALID_CHAR(enc, ptr, n) || ! IS_NMSTRT_CHAR(enc, ptr, n)) { \ + *nextTokPtr = ptr; \ + return XML_TOK_INVALID; \ + } \ +@@ -1090,6 +1090,10 @@ PREFIX(prologTok)(const ENCODING *enc, c + case BT_LEAD ## n: \ + if (end - ptr < n) \ + return XML_TOK_PARTIAL_CHAR; \ ++ if (IS_INVALID_CHAR(enc, ptr, n)) { \ ++ *nextTokPtr = ptr; \ ++ return XML_TOK_INVALID; \ ++ } \ + if (IS_NMSTRT_CHAR(enc, ptr, n)) { \ + ptr += n; \ + tok = XML_TOK_NAME; \ diff --git a/SOURCES/expat-CVE-2022-25236.patch b/SOURCES/expat-CVE-2022-25236.patch new file mode 100644 index 0000000..2065dc9 --- /dev/null +++ b/SOURCES/expat-CVE-2022-25236.patch @@ -0,0 +1,40 @@ +diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 firefox-91.7.0/parser/expat/lib/xmlparse.c +--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25236 2022-03-02 18:08:40.085642028 +0100 ++++ firefox-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:13:31.838667958 +0100 +@@ -700,8 +700,7 @@ XML_ParserCreate(const XML_Char *encodin + XML_Parser XMLCALL + XML_ParserCreateNS(const XML_Char *encodingName, XML_Char nsSep) + { +- XML_Char tmp[2]; +- *tmp = nsSep; ++ XML_Char tmp[2] = {nsSep, 0}; + return XML_ParserCreate_MM(encodingName, NULL, tmp); + } + #endif +@@ -1276,8 +1275,7 @@ XML_ExternalEntityParserCreate(XML_Parse + would be otherwise. + */ + if (ns) { +- XML_Char tmp[2]; +- *tmp = namespaceSeparator; ++ XML_Char tmp[2] = {parser->m_namespaceSeparator, 0}; + parser = parserCreate(encodingName, &parser->m_mem, tmp, newDtd); + } + else { +@@ -3667,6 +3665,16 @@ addBinding(XML_Parser parser, PREFIX *pr + if (!mustBeXML && isXMLNS + && (len > xmlnsLen || uri[len] != xmlnsNamespace[len])) + isXMLNS = XML_FALSE; ++ // NOTE: While Expat does not validate namespace URIs against RFC 3986, ++ // we have to at least make sure that the XML processor on top of ++ // Expat (that is splitting tag names by namespace separator into ++ // 2- or 3-tuples (uri-local or uri-local-prefix)) cannot be confused ++ // by an attacker putting additional namespace separator characters ++ // into namespace declarations. That would be ambiguous and not to ++ // be expected. ++ if (parser->m_ns && (uri[len] == parser->m_namespaceSeparator)) { ++ return XML_ERROR_SYNTAX; ++ } + } + isXML = isXML && len == xmlLen; + isXMLNS = isXMLNS && len == xmlnsLen; diff --git a/SOURCES/expat-CVE-2022-25315.patch b/SOURCES/expat-CVE-2022-25315.patch new file mode 100644 index 0000000..171980f --- /dev/null +++ b/SOURCES/expat-CVE-2022-25315.patch @@ -0,0 +1,24 @@ +diff -up firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 firefox-91.7.0/parser/expat/lib/xmlparse.c +--- firefox-91.7.0/parser/expat/lib/xmlparse.c.expat-CVE-2022-25315 2022-03-02 18:17:50.966583254 +0100 ++++ firefox-91.7.0/parser/expat/lib/xmlparse.c 2022-03-02 18:19:27.636924735 +0100 +@@ -2479,6 +2479,7 @@ storeRawNames(XML_Parser parser) + while (tag) { + int bufSize; + int nameLen = sizeof(XML_Char) * (tag->name.strLen + 1); ++ size_t rawNameLen; + char *rawNameBuf = tag->buf + nameLen; + /* Stop if already stored. Since tagStack is a stack, we can stop + at the first entry that has already been copied; everything +@@ -2490,7 +2491,11 @@ storeRawNames(XML_Parser parser) + /* For re-use purposes we need to ensure that the + size of tag->buf is a multiple of sizeof(XML_Char). + */ +- bufSize = nameLen + ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ rawNameLen = ROUND_UP(tag->rawNameLength, sizeof(XML_Char)); ++ /* Detect and prevent integer overflow. */ ++ if (rawNameLen > (size_t)INT_MAX - nameLen) ++ return XML_FALSE; ++ bufSize = nameLen + (int)rawNameLen; + if (bufSize > tag->bufEnd - tag->buf) { + char *temp = (char *)REALLOC(tag->buf, bufSize); + if (temp == NULL) diff --git a/SOURCES/firefox-mozconfig b/SOURCES/firefox-mozconfig index 9e8a32f..6c7afd7 100644 --- a/SOURCES/firefox-mozconfig +++ b/SOURCES/firefox-mozconfig @@ -12,7 +12,6 @@ ac_add_options --enable-chrome-format=omni ac_add_options --enable-pulseaudio ac_add_options --without-system-icu ac_add_options --enable-release -ac_add_options --update-channel=release ac_add_options --allow-addon-sideload ac_add_options --with-system-jpeg ac_add_options --enable-js-shell diff --git a/SOURCES/firefox-nss-addon-hack.patch b/SOURCES/firefox-nss-addon-hack.patch new file mode 100644 index 0000000..0322707 --- /dev/null +++ b/SOURCES/firefox-nss-addon-hack.patch @@ -0,0 +1,19 @@ +diff -up firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp +--- firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack 2021-01-11 12:12:02.585514543 +0100 ++++ firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp 2021-01-11 12:47:50.345984582 +0100 +@@ -1619,6 +1619,15 @@ SECStatus InitializeNSS(const nsACString + return srv; + } + ++ /* Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit. ++ * does not change NSS_USE_ALG_IN_CERT_SIGNATURE, ++ * so policy will still disable use of sha1 in ++ * certificate related signature processing. */ ++ srv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); ++ if (srv != SECSuccess) { ++ NS_WARNING("Unable to use SHA1 for Add-ons, expect broken/disabled Add-ons. See https://bugzilla.redhat.com/show_bug.cgi?id=1908018 for details."); ++ } ++ + if (nssDbConfig == NSSDBConfig::ReadWrite) { + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { diff --git a/SOURCES/firefox.sh.in b/SOURCES/firefox.sh.in index ecff558..06c10ed 100644 --- a/SOURCES/firefox.sh.in +++ b/SOURCES/firefox.sh.in @@ -61,8 +61,6 @@ if [ ! -r $MOZ_LIB_DIR/firefox/$MOZ_FIREFOX_FILE ]; then MOZ_LIB_DIR="$SECONDARY_LIB_DIR" fi MOZ_DIST_BIN="$MOZ_LIB_DIR/firefox" -MOZ_LANGPACKS_DIR="$MOZ_DIST_BIN/langpacks" -MOZ_EXTENSIONS_PROFILE_DIR="$HOME/.mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}" MOZ_PROGRAM="$MOZ_DIST_BIN/$MOZ_FIREFOX_FILE" MOZ_LAUNCHER="$MOZ_DIST_BIN/run-mozilla.sh" @@ -100,12 +98,6 @@ export MOZ_PLUGIN_PATH ## export MOZ_APP_LAUNCHER="%PREFIX%/bin/firefox" -## -## Set FONTCONFIG_PATH for Xft/fontconfig -## -FONTCONFIG_PATH="/etc/fonts:${MOZILLA_FIVE_HOME}/res/Xft" -export FONTCONFIG_PATH - ## ## In order to better support certain scripts (such as Indic and some CJK ## scripts), Fedora builds its Firefox, with permission from the Mozilla @@ -135,76 +127,6 @@ export G_SLICE=always-malloc ## export MOZ_USE_XINPUT2=1 -# OK, here's where all the real work gets done - - -## -## To disable the use of Firefox localization, set MOZ_DISABLE_LANGPACKS=1 -## in your environment before launching Firefox. -## -# -# MOZ_DISABLE_LANGPACKS=1 -# export MOZ_DISABLE_LANGPACKS -# - -## -## Automatically installed langpacks are tracked by .fedora-langpack-install -## config file. -## -FEDORA_LANGPACK_CONFIG="$MOZ_EXTENSIONS_PROFILE_DIR/.fedora-langpack-install" - -MOZILLA_DOWN=0 -if ! [ $MOZ_DISABLE_LANGPACKS ] || [ $MOZ_DISABLE_LANGPACKS -eq 0 ]; then - if [ -x $MOZ_DIST_BIN/$MOZ_FIREFOX_FILE ]; then - # Is firefox running? - pidof firefox > /dev/null 2>&1 - MOZILLA_DOWN=$? - fi -fi - -# Modify language pack configuration only when firefox is not running -# and language packs are not disabled -if [ $MOZILLA_DOWN -ne 0 ]; then - - # Clear already installed langpacks - mkdir -p $MOZ_EXTENSIONS_PROFILE_DIR - if [ -f $FEDORA_LANGPACK_CONFIG ]; then - rm `cat $FEDORA_LANGPACK_CONFIG` > /dev/null 2>&1 - rm $FEDORA_LANGPACK_CONFIG > /dev/null 2>&1 - # remove all empty langpacks dirs while they block installation of langpacks - rmdir $MOZ_EXTENSIONS_PROFILE_DIR/langpack* > /dev/null 2>&1 - fi - - # Get locale from system - CURRENT_LOCALE=$LC_ALL - CURRENT_LOCALE=${CURRENT_LOCALE:-$LC_MESSAGES} - CURRENT_LOCALE=${CURRENT_LOCALE:-$LANG} - - # Try with a local variant first, then without a local variant - SHORTMOZLOCALE=`echo $CURRENT_LOCALE | sed "s|_\([^.]*\).*||g"` - MOZLOCALE=`echo $CURRENT_LOCALE | sed "s|_\([^.]*\).*|-\1|g"` - - function create_langpack_link() { - local language=$* - local langpack=langpack-${language}@firefox.mozilla.org.xpi - if [ -f $MOZ_LANGPACKS_DIR/$langpack ]; then - rm -rf $MOZ_EXTENSIONS_PROFILE_DIR/$langpack - # If the target file is a symlink (the fallback langpack), - # install the original file instead of the fallback one - if [ -h $MOZ_LANGPACKS_DIR/$langpack ]; then - langpack=`readlink $MOZ_LANGPACKS_DIR/$langpack` - fi - ln -s $MOZ_LANGPACKS_DIR/$langpack \ - $MOZ_EXTENSIONS_PROFILE_DIR/$langpack - echo $MOZ_EXTENSIONS_PROFILE_DIR/$langpack > $FEDORA_LANGPACK_CONFIG - return 0 - fi - return 1 - } - - create_langpack_link $MOZLOCALE || create_langpack_link $SHORTMOZLOCALE || true -fi - # BEAST fix (rhbz#1005611) NSS_SSL_CBC_RANDOM_IV=${NSS_SSL_CBC_RANDOM_IV-1} export NSS_SSL_CBC_RANDOM_IV @@ -244,28 +166,5 @@ done # Don't throw "old profile" dialog box. export MOZ_ALLOW_DOWNGRADE=1 -# Make sure at-spi-bus is running -if ! dbus-send --session \ - --dest=org.freedesktop.DBus \ - --type=method_call \ - --print-reply \ - /org/freedesktop/DBus \ - org.freedesktop.DBus.ListNames \ - | grep org.a11y.Bus > /dev/null; then - if [ -f "$MOZ_LIB_DIR/firefox/bundled/libexec/at-spi-bus-launcher" ]; then - echo "Starting a11y dbus service..." - $MOZ_LIB_DIR/firefox/bundled/libexec/at-spi-bus-launcher & - else - echo "Running without a11y support!" - fi -fi - # Run the browser -debugging=0 -if [ $debugging = 1 ] -then - echo $MOZ_LAUNCHER $script_args $MOZ_PROGRAM "$@" -fi - - exec $MOZ_LAUNCHER $script_args $MOZ_PROGRAM "$@" diff --git a/SOURCES/mozilla-s390x-skia-gradient.patch b/SOURCES/mozilla-s390x-skia-gradient.patch deleted file mode 100644 index 8c0e3bd..0000000 --- a/SOURCES/mozilla-s390x-skia-gradient.patch +++ /dev/null @@ -1,52 +0,0 @@ -# HG changeset patch -# Parent acf59ea86dd1d878b43920832093f082dcfc61c0 - -diff -r acf59ea86dd1 gfx/skia/skia/src/shaders/gradients/Sk4fLinearGradient.cpp ---- a/gfx/skia/skia/src/shaders/gradients/Sk4fLinearGradient.cpp Mon Mar 09 08:26:10 2020 +0100 -+++ b/gfx/skia/skia/src/shaders/gradients/Sk4fLinearGradient.cpp Fri Mar 27 13:30:28 2020 +0100 -@@ -7,7 +7,7 @@ - - #include "include/core/SkPaint.h" - #include "src/shaders/gradients/Sk4fLinearGradient.h" -- -+#include "src/core/SkEndian.h" - #include - #include - -@@ -28,6 +28,9 @@ - - while (n >= 4) { - DstTraits::store4x(c0, c1, c2, c3, dst, bias0, bias1); -+#ifdef SK_CPU_BENDIAN -+ SkEndianSwap32s(dst, 4); -+#endif - dst += 4; - - c0 = c0 + dc4; -@@ -37,12 +40,23 @@ - n -= 4; - } - if (n & 2) { -- DstTraits::store(c0, dst++, bias0); -- DstTraits::store(c1, dst++, bias1); -+ DstTraits::store(c0, dst, bias0); -+#ifdef SK_CPU_BENDIAN -+ *dst = SkEndianSwap32(*dst); -+#endif -+ ++dst; -+ DstTraits::store(c1, dst, bias1); -+#ifdef SK_CPU_BENDIAN -+ *dst = SkEndianSwap32(*dst); -+#endif -+ ++dst; - c0 = c0 + dc2; - } - if (n & 1) { - DstTraits::store(c0, dst, bias0); -+#ifdef SK_CPU_BENDIAN -+ *dst = SkEndianSwap32(*dst); -+#endif - } - } - - diff --git a/SPECS/firefox.spec b/SPECS/firefox.spec index 1087840..9db388f 100644 --- a/SPECS/firefox.spec +++ b/SPECS/firefox.spec @@ -18,7 +18,7 @@ function dist_to_rhel_minor(str, start) end match = string.match(str, ".el8") if match then - return 6 + return 7 end return -1 end} @@ -119,16 +119,23 @@ end} %global mozappdir %{_libdir}/%{name} %global mozappdirdev %{_libdir}/%{name}-devel-%{version} -%global langpackdir %{mozappdir}/langpacks +%global langpackdir %{mozappdir}/browser/extensions %global tarballdir %{name}-%{version} %global pre_version esr %global official_branding 1 %global build_langpacks 1 +# Workaround the dreaded "upstream source file changed content" rpmdiff failure that only secalert can waive. +# If set to .b2 or .b3 ... the processed source file needs to be renamed before upload, e.g. +# firefox-91.9.0esr.b2.processed-source.tar.xz +# With does_not_exist it's empty and source file name as is. +#global buildnum %{?does_not_exist} +%global buildnum %{?does_not_exist} + Summary: Mozilla Firefox Web browser Name: firefox -Version: 91.4.0 +Version: 91.13.0 Release: 1%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ @@ -136,10 +143,14 @@ License: MPLv1.1 or GPLv2+ or LGPLv2+ ExcludeArch: %{ix86} %endif %if 0%{?rhel} == 8 + %if %{rhel_minor_version} == 1 +ExcludeArch: %{ix86} aarch64 s390x + %else ExcludeArch: %{ix86} + %endif %endif %if 0%{?rhel} == 7 -ExcludeArch: s390 ppc +ExcludeArch: aarch64 s390 ppc %endif # We can't use the official tarball as it contains some test files that use @@ -147,9 +158,10 @@ ExcludeArch: s390 ppc # The official tarball has to be always processed by the process-official-tarball # script. # Link to official tarball: https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%%{version}%%{?pre_version}.source.tar.xz -Source0: firefox-%{version}%{?pre_version}.processed-source.tar.xz +Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz %if %{build_langpacks} -Source1: firefox-langpacks-%{version}%{?pre_version}-20211201.tar.xz +Source1: firefox-langpacks-%{version}%{?pre_version}-20220817.tar.xz + %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball @@ -184,6 +196,7 @@ Patch6: build-nss-version.patch Patch215: firefox-enable-addons.patch Patch219: rhbz-1173156.patch Patch224: mozilla-1170092.patch +Patch225: firefox-nss-addon-hack.patch # Upstream patches @@ -197,9 +210,12 @@ Patch510: mozilla-bmo1554971.patch Patch511: mozilla-bmo1602730.patch Patch512: mozilla-bmo849632.patch Patch513: mozilla-bmo998749.patch -Patch514: mozilla-s390x-skia-gradient.patch +#Patch514: mozilla-s390x-skia-gradient.patch Patch515: mozilla-bmo1626236.patch Patch518: D110204-fscreen.diff +Patch519: expat-CVE-2022-25235.patch +Patch520: expat-CVE-2022-25236.patch +Patch521: expat-CVE-2022-25315.patch # Flatpak patches @@ -425,6 +441,11 @@ echo "use_rustts %{?use_rustts}" %patch219 -p1 -b .rhbz-1173156 %patch224 -p1 -b .1170092 +# Enable workaround for RHEL >= 8: rhbz#2043303 +%if 0%{?rhel} == 8 || 0%{?rhel} >= 9 +%patch225 -p1 -b .firefox-nss-addon-hack +%endif + # Patch for big endian platforms only %if 0%{?big_endian} %endif @@ -442,6 +463,9 @@ echo "use_rustts %{?use_rustts}" #%patch514 -p1 -b .mozilla-s390x-skia-gradient %patch515 -p1 -b .mozilla-bmo1626236 %patch518 -p1 -b .D110204-fscreen.diff +%patch519 -p1 -b .expat-CVE-2022-25235 +%patch520 -p1 -b .expat-CVE-2022-25236 +%patch521 -p1 -b .expat-CVE-2022-25315 %patch1001 -p1 -b .ppc64le-inline @@ -643,7 +667,7 @@ function build_bundled_package() { echo $PKG_CONFIG_PATH rpm -ivh %{SOURCE403} - rpmbuild --nodeps --define '_prefix %{bundled_install_path}' -ba %{_specdir}/nss.spec + rpmbuild --nodeps --define '_prefix %{bundled_install_path}' --without=tests -ba %{_specdir}/nss.spec pushd %{_buildrootdir} #cleanup #rm -rf {_buildrootdir}/usr/lib/debug/* @@ -877,9 +901,9 @@ ls %{_buildrootdir} export MACH_USE_SYSTEM_PYTHON=1 %if 0%{?use_llvmts} #scl enable llvm-toolset-%{llvm_version} './mach build -v' - ./mach build -v + ./mach build -v || exit 1 %else - ./mach build -v + ./mach build -v || exit 1 %endif # Look for the reason we get: /usr/lib/rpm/debugedit: canonicalization unexpectedly shrank by one character readelf -wl objdir/dist/bin/libxul.so | grep "/" @@ -1247,6 +1271,56 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Wed Aug 17 2022 Eike Rathke - 91.13.0-1 +- Update to 91.13.0 build1 + +* Thu Jul 21 2022 Eike Rathke - 91.12.0-1 +- Update to 91.12.0 build1 + +* Thu Jun 23 2022 Eike Rathke - 91.11.0-2 +- Update to 91.11.0 build2 + +* Tue Jun 21 2022 Eike Rathke - 91.11.0-1 +- Update to 91.11.0 build1 + +* Tue May 24 2022 Eike Rathke - 91.10.0-1 +- Update to 91.10.0 build1 + +* Fri May 20 2022 Jan Horak - 91.9.1-1 +- Update to 91.9.1 build1 + +* Tue Apr 26 2022 Eike Rathke - 91.9.0-1 +- Update to 91.9.0 + +* Tue Apr 05 2022 Eike Rathke - 91.8.0-1 +- Update to 91.8.0 + +* Mon Mar 07 2022 Eike Rathke - 91.7.0-3 +- Update to 91.7.0 build3 + +* Wed Mar 02 2022 Jan Horak - 91.7.0-2 +- Added expat backports of CVE-2022-25235, CVE-2022-25236 and CVE-2022-25315 + +* Tue Mar 01 2022 Eike Rathke - 91.7.0-1 +- Update to 91.7.0 build2 + +* Fri Feb 25 2022 Jan Horak - 91.6.0-2 +- Install langpacks to the browser/extensions to make them available in UI: + rhbz#2030190 + +* Wed Feb 02 2022 Eike Rathke - 91.6.0-1 +- Update to 91.6.0 build1 + +* Wed Feb 02 2022 Jan Horak - 91.5.0-2 +- Use default update channel to fix non working enterprise policies: + rhbz#2044667 + +* Thu Jan 06 2022 Eike Rathke - 91.5.0-1 +- Update to 91.5.0 build1 + +* Mon Dec 13 2021 Jan Horak - 91.4.0-2 +- Added fix for failing addons signatures. + * Wed Dec 01 2021 Eike Rathke - 91.4.0-1 - Update to 91.4.0 build1