rpms/firefox
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Import from CS git

Browse Source
This commit is contained in:
eabdullin 2025-11-20 11:05:50 +00:00
parent 4c4276c4fc
commit f3b28d53cf
7 changed files with 291 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.firefox.metadata
View File

@ -1,6 +1,6 @@
bc4adac8f38f5103d8f88564a1545063dd8d6402 SOURCES/cbindgen-vendor.tar.xz
c25da23b50ddf8926a943f86f1180b6d96c0eff0 SOURCES/firefox-140.4.0esr.processed-source.tar.xz
22a42066c01a85b1264223041ed270b9e294d7e0 SOURCES/firefox-langpacks-140.4.0esr-20251010.tar.xz
7744803db3f3ac6c101e3ebc1c9fdbcf6788f11e SOURCES/firefox-140.5.0esr.processed-source.tar.xz
f96430e7442d0b125d77598bcbac586340f63a77 SOURCES/firefox-langpacks-140.5.0esr-20251107.tar.xz
2d8a6b2b30d5496735f49ffe8c8a7ede3a78a5ca SOURCES/mochitest-python.tar.gz
0d0ddbd2a73340b3cbc977997f57222946b1e775 SOURCES/nspr-4.36.0-2.el8_2.src.rpm
fd3879b176634d66f8ef64d18fdaeec98e140c23 SOURCES/nss-3.112.0-1.el9_4.src.rpm

4
.gitignore vendored
View File

@ -1,6 +1,6 @@
SOURCES/cbindgen-vendor.tar.xz
SOURCES/firefox-140.4.0esr.processed-source.tar.xz
SOURCES/firefox-langpacks-140.4.0esr-20251010.tar.xz
SOURCES/firefox-140.5.0esr.processed-source.tar.xz
SOURCES/firefox-langpacks-140.5.0esr-20251107.tar.xz
SOURCES/mochitest-python.tar.gz
SOURCES/nspr-4.36.0-2.el8_2.src.rpm
SOURCES/nss-3.112.0-1.el9_4.src.rpm

66
SOURCES/firefox-adapt-ml-dsa-support-to-rhel-nss.patch
View File

@ -1,8 +1,37 @@
diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
index 31aa1ddd67..6eb367eae4 100644
index 31aa1ddd67..93ab402bfd 100644
--- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
@@ -323,13 +323,21 @@ VerifyMLDSASignedDataNSS(Input data,
@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
return Success;
}
+static SECOidTag
+findOIDByName(const char *cipherString)
+{
+ SECOidTag tag;
+ SECOidData *oid;
+
+ for (int i = 1; ; i++) {
+ SECOidTag tag = static_cast<SECOidTag>(i);
+ oid = SECOID_FindOIDByTag(tag);
+
+ if (oid == NULL) {
+ break;
+ }
+
+ if (strcasecmp(oid->desc, cipherString) == 0) {
+ return tag;
+ }
+ }
+
+ return SEC_OID_UNKNOWN;
+}
+
Result
VerifyMLDSASignedDataNSS(Input data,
Input signature,
@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
SECItem dataItem(UnsafeMapInputToSECItem(data));
CK_MECHANISM_TYPE mechanism;
@ -10,22 +39,21 @@ index 31aa1ddd67..6eb367eae4 100644
- case SEC_OID_ML_DSA_44:
- case SEC_OID_ML_DSA_65:
- case SEC_OID_ML_DSA_87:
+ switch (SEC_GetSignatureAlgorithmOidTag(pubk->keyType, pubk->u.mldsa.params)) {
+ case CKP_ML_DSA_44:
+ hashPolicyTag = SEC_OID_UNKNOWN;
+ mechanism = CKM_ML_DSA;
+ signaturePolicyTag = SEC_OID_PRIVATE_3;
+ break;
+ case CKP_ML_DSA_65:
+ hashPolicyTag = SEC_OID_UNKNOWN;
mechanism = CKM_ML_DSA;
- mechanism = CKM_ML_DSA;
- signaturePolicyTag = pubk->u.mldsa.paramSet;
+ signaturePolicyTag = SEC_OID_PRIVATE_4;
+ break;
+ case CKP_ML_DSA_87:
hashPolicyTag = SEC_OID_UNKNOWN;
- hashPolicyTag = SEC_OID_UNKNOWN;
- break;
- default:
- return Result::ERROR_UNSUPPORTED_KEYALG;
- break;
+ if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") ||
+ pubk->u.mldsa.params == findOIDByName("ML-DSA-65") ||
+ pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) {
+ hashPolicyTag = SEC_OID_UNKNOWN;
+ mechanism = CKM_ML_DSA;
+ signaturePolicyTag = SEC_OID_PRIVATE_5;
break;
default:
return Result::ERROR_UNSUPPORTED_KEYALG;
+ signaturePolicyTag = pubk->u.mldsa.params;
+ } else {
+ return Result::ERROR_UNSUPPORTED_KEYALG;
}
SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};

139
SOURCES/firefox-add-mlkem768-secp256r1-support.patch Normal file
View File

File diff suppressed because one or more lines are too long

143
SOURCES/firefox-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch
View File

@ -1,26 +1,24 @@
diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
index cc77864..1e978ef 100644
index cc778640a1..298d6a61e8 100644
--- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
+++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
@@ -53,6 +53,11 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual mozilla::pkix::Result VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+
virtual mozilla::pkix::Result DigestBuf(
mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf, size_t digestBufLen) override;
@@ -151,6 +156,15 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
+mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) {
+ MOZ_ASSERT_UNREACHABLE("not expecting this to be called");
+
@ -31,27 +29,46 @@ index cc77864..1e978ef 100644
mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf, size_t digestBufLen) {
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index ca33077..cb96f58 100644
index ca330770fb..1e8f1d4996 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -1048,10 +1048,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
@@ -7,6 +7,7 @@
#include "CertVerifier.h"
#include <stdint.h>
+#include <optional>
#include "AppTrustDomain.h"
#include "CTKnownLogs.h"
@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert(
void HashSignatureParams(pkix::Input data, pkix::Input signature,
pkix::Input subjectPublicKeyInfo,
pkix::der::PublicKeyAlgorithm publicKeyAlgorithm,
- pkix::DigestAlgorithm digestAlgorithm,
+ std::optional<pkix::DigestAlgorithm> digestAlgorithm,
/*out*/ Maybe<nsTArray<uint8_t>>& sha512Hash) {
sha512Hash.reset();
Digest digest;
@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
sizeof(publicKeyAlgorithm)))) {
return;
}
- if (NS_FAILED(
+ // Digest algorithm is expected to be null since ML-DSA is not an hash and
+ // sign algorithm. Skip digestAlgorithm for ML-DSA.
+ if (publicKeyAlgorithm != der::PublicKeyAlgorithm::MLDSA) {
+ if (NS_FAILED(
digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
sizeof(digestAlgorithm)))) {
- digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
- sizeof(digestAlgorithm)))) {
- return;
+ // There is no fallback digest algorithm when it's empty.
+ // Check that digestAlgorithm actually contains a value.
+ if (digestAlgorithm) {
+ pkix::DigestAlgorithm value = digestAlgorithm.value();
+ if (NS_FAILED(digest.Update(reinterpret_cast<const uint8_t*>(&value),
+ sizeof(value)))) {
+ return;
+ }
}
nsTArray<uint8_t> result;
if (NS_FAILED(digest.End(result))) {
@@ -1064,12 +1068,19 @@ Result VerifySignedDataWithCache(
@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache(
der::PublicKeyAlgorithm publicKeyAlg,
mozilla::glean::impl::DenominatorMetric telemetryDenominator,
mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data,
@ -68,34 +85,31 @@ index ca33077..cb96f58 100644
+ }
+
HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg,
- digestAlgorithm, sha512Hash);
+ digestAlgorithm.value_or(pkix::DigestAlgorithm::sha512), sha512Hash);
digestAlgorithm, sha512Hash);
// If hashing the signature parameters succeeded, see if this signature is in
// the signature cache.
if (sha512Hash.isSome() &&
@@ -1080,16 +1091,23 @@ Result VerifySignedDataWithCache(
@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache(
Result result;
switch (publicKeyAlg) {
case der::PublicKeyAlgorithm::ECDSA:
- result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
- subjectPublicKeyInfo, pinArg);
+ result = VerifyECDSASignedDataNSS(data, digestAlgorithm.value(),
+ signature, subjectPublicKeyInfo,
+ pinArg);
+ result =
+ VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature,
+ subjectPublicKeyInfo, pinArg);
break;
case der::PublicKeyAlgorithm::RSA_PKCS1:
- result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
- subjectPublicKeyInfo, pinArg);
+ result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(),
+ signature, subjectPublicKeyInfo,
+ pinArg);
+ result =
+ VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature,
+ subjectPublicKeyInfo, pinArg);
break;
case der::PublicKeyAlgorithm::RSA_PSS:
- result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
- subjectPublicKeyInfo, pinArg);
+ result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(),
+ signature, subjectPublicKeyInfo,
+ pinArg);
+ result =
+ VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature,
+ subjectPublicKeyInfo, pinArg);
+ break;
+ case der::PublicKeyAlgorithm::MLDSA:
+ result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
@ -104,58 +118,56 @@ index ca33077..cb96f58 100644
default:
MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm");
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
index 6432547..f9a0365 100644
index 6432547c8a..6e09e6fcdd 100644
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -331,7 +331,7 @@ mozilla::pkix::Result VerifySignedDataWithCache(
@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache(
mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg,
mozilla::glean::impl::DenominatorMetric telemetryDenominator,
mozilla::glean::impl::NumeratorMetric telemetryNumerator,
- mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+ mozilla::pkix::Input data, std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
+ mozilla::pkix::Input data,
+ std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo,
SignatureCache* signatureCache, void* pinArg);
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 77c17c1..741892f 100644
index 70ba17d70f..a3ace3cee7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -1541,6 +1541,17 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
}
+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data,
+ Input signature,
+ Input subjectPublicKeyInfo)
+{
+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
+ Input subjectPublicKeyInfo) {
+ return VerifySignedDataWithCache(
+ der::PublicKeyAlgorithm::MLDSA,
+ mozilla::glean::cert_signature_cache::total,
+ mozilla::glean::cert_signature_cache::hits, data, std::nullopt,
+ signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
+ mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature,
+ subjectPublicKeyInfo, mSignatureCache, mPinArg);
+}
+
Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(
Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
KeyPurposeId keyPurpose) {
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index fc210f3..8d17a4f 100644
index fc210f3254..6178201758 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -197,6 +197,11 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual Result VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+
virtual Result DigestBuf(mozilla::pkix::Input item,
mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
index d5e665a..4712137 100644
index d5e665aaca..471213745d 100644
--- a/security/ct/CTLogVerifier.cpp
+++ b/security/ct/CTLogVerifier.cpp
@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
@ -170,19 +182,16 @@ index d5e665a..4712137 100644
KeyPurposeId) override {
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
index 6a25307..03d19f7 100644
index 6a25307ec3..dbec7adc91 100644
--- a/security/ct/tests/gtest/CTTestUtils.cpp
+++ b/security/ct/tests/gtest/CTTestUtils.cpp
@@ -807,6 +807,15 @@ class OCSPExtensionTrustDomain : public TrustDomain {
@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
subjectPublicKeyInfo, nullptr);
}
+ pkix::Result VerifyMLDSASignedData(Input data,
+ Input signature,
+ pkix::Result VerifyMLDSASignedData(Input data, Input signature,
+ Input subjectPublicKeyInfo) override {
+ return VerifyMLDSASignedDataNSS(data,
+ signature,
+ subjectPublicKeyInfo,
+ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
+ nullptr);
+ }
+
@ -190,20 +199,16 @@ index 6a25307..03d19f7 100644
KeyPurposeId) override {
ADD_FAILURE();
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
index ab49d7e..36e7e19 100644
index ab49d7eb1f..3963f90eb1 100644
--- a/security/manager/ssl/AppTrustDomain.cpp
+++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -322,6 +322,16 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
subjectPublicKeyInfo, nullptr);
}
+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data,
+ Input signature,
+ Input subjectPublicKeyInfo)
+{
+ return VerifyMLDSASignedDataNSS(data,
+ signature,
+ subjectPublicKeyInfo,
+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
+ Input subjectPublicKeyInfo) {
+ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
+ nullptr);
+}
+
@ -211,31 +216,29 @@ index ab49d7e..36e7e19 100644
Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
KeyPurposeId /*keyPurpose*/) {
diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
index 4b0212e..083d5fb 100644
index 4b0212ede0..85fdff5f13 100644
--- a/security/manager/ssl/AppTrustDomain.h
+++ b/security/manager/ssl/AppTrustDomain.h
@@ -80,6 +80,10 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) override;
+ virtual Result VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
private:
nsTArray<Span<const uint8_t>> mTrustedRoots;
diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
index 3a84b15..8450076 100644
index 3a84b15ee6..a3dc5a1af1 100644
--- a/security/manager/ssl/TLSClientAuthCertSelection.cpp
+++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
@@ -217,6 +217,12 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
pkix::Input subjectPublicKeyInfo) override {
return pkix::Success;
}
+ virtual mozilla::pkix::Result VerifyMLDSASignedData(
+ pkix::Input data,
+ pkix::Input signature,
+ pkix::Input data, pkix::Input signature,
+ pkix::Input subjectPublicKeyInfo) override {
+ return pkix::Success;
+ }

2
SOURCES/wasi.patch
View File

@ -6,7 +6,7 @@ diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz.
if wasi_sysroot:
log.info("Using wasi sysroot in %s", wasi_sysroot)
- return ["--sysroot=%s" % wasi_sysroot]
+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.4.0-build/firefox-140.4.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"]
+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.5.0-build/firefox-140.5.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"]
return []
set_config("WASI_SYSROOT", wasi_sysroot)

30
SPECS/firefox.spec
View File

@ -12,6 +12,22 @@
%global run_firefox_tests 0
%endif
%ifarch x86_64
%if 0%{?rhel} == 7
# Disable debuginfo package and strip all binaries to avoid 4GB cpio limit
%define _binary_payload w19T16.xzdio
%global debug_package %{nil}
%define _enable_debug_packages 0
%define __spec_install_post \
%{__arch_install_post} \
%{__os_install_post} \
find %{buildroot}%{mozappdir} -type f -name "*.so" -exec eu-strip --strip-debug {} \\; 2>/dev/null || find %{buildroot}%{mozappdir} -type f -name "*.so" -exec strip --strip-debug {} \\; \
eu-strip --strip-all %{buildroot}%{mozappdir}/firefox-bin 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/firefox-bin || : \
eu-strip --strip-all %{buildroot}%{mozappdir}/firefox 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/firefox || : \
eu-strip --strip-all %{buildroot}%{mozappdir}/plugin-container 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/plugin-container || :
%endif
%endif
# wasi_sdk is for sandboxing third party c/c++ libs by using rlbox, exclude s390x on the f39.
%global with_wasi_sdk 0
@ -175,8 +191,8 @@ end}
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 140.4.0
Release: 3%{?dist}
Version: 140.5.0
Release: 1%{?dist}
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
@ -206,7 +222,7 @@ ExcludeArch: aarch64 s390 ppc
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
%if %{with langpacks}
Source1: firefox-langpacks-%{version}%{?pre_version}-20251010.tar.xz
Source1: firefox-langpacks-%{version}%{?pre_version}-20251107.tar.xz
%endif
Source2: cbindgen-vendor.tar.xz
Source3: process-official-tarball
@ -291,6 +307,8 @@ Patch122: firefox-enable-ml-dsa-signature-verification-for-certificate-cha
Patch123: firefox-adapt-ml-dsa-support-to-rhel-nss.patch
# RHEL downstream only - enable ML-DSA in manager/ssl
Patch124: firefox-enable-ml-dsa-in-manager-ssl.patch
# RHEL downstream only - add mlkem768-secp256r1 support
Patch125: firefox-add-mlkem768-secp256r1-support.patch
# ---- Fedora specific patches ----
Patch151: firefox-enable-addons.patch
@ -1346,6 +1364,7 @@ export LIBCLANG_RT=`pwd`/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.buil
%patch -P122 -p1 -b .enable-ml-dsa-signature-verification-for-certificate-chain-validation
%patch -P123 -p1 -b .adapt-ml-dsa-support-to-rhel-nss
%patch -P124 -p1 -b .enable-ml-dsa-in-manager-ssl
%patch -P125 -p1 -b .add-mlkem768-secp256r1-support
%endif
# ---- Fedora specific patches ----
@ -1667,7 +1686,7 @@ MOZ_LINK_FLAGS="-Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
# __global_ldflags that normally sets this.
MOZ_LINK_FLAGS="$MOZ_LINK_FLAGS -L%{_libdir}"
%endif
%ifarch %{ix86} %{s390x}
%ifarch %{ix86} s390x
export RUSTFLAGS="-Cdebuginfo=0"
echo 'export RUSTFLAGS="-Cdebuginfo=0"' >> .mozconfig
%endif
@ -2109,6 +2128,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#---------------------------------------------------------------------
%changelog
* Fri Nov 7 2025 Jan Horak <jhorak@redhat.com> - 140.5.0-1
- Update to 140.5.0 ESR
* Fri Oct 10 2025 Jan Horak <jhorak@redhat.com> - 140.4.0-3
- Update to 140.4.0 ESR