From 5657fe7eaccf28457971c4092930c13ccb91812c Mon Sep 17 00:00:00 2001 From: Martin Wilke Date: Wed, 22 Apr 2009 08:49:19 +0000 Subject: Backport patches to fix the following security vulnerabilities: CVE-2009-1312 CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 Obtained from: Mozilla Bugzilla Security: http://www.vuxml.org/freebsd/3b18e237-2f15-11de-9672-0030843d3802.html --- www/firefox/Makefile | 2 +- www/firefox/files/patch-ff-453736 | 46 +++++++++++++++++++++++++++++++++++++++ www/firefox/files/patch-ff-474536 | 28 ++++++++++++++++++++++++ www/firefox/files/patch-ff-479336 | 13 +++++++++++ 4 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 www/firefox/files/patch-ff-453736 create mode 100644 www/firefox/files/patch-ff-474536 create mode 100644 www/firefox/files/patch-ff-479336 (limited to 'www/firefox') diff --git a/www/firefox/Makefile b/www/firefox/Makefile index e303783015cb..7cf5d41efbd4 100644 --- a/www/firefox/Makefile +++ b/www/firefox/Makefile @@ -8,7 +8,7 @@ PORTNAME= firefox DISTVERSION= 2.0.0.20 -PORTREVISION= 6 +PORTREVISION= 7 PORTEPOCH= 1 CATEGORIES= www ipv6 MASTER_SITES= ${MASTER_SITE_MOZILLA_EXTENDED} diff --git a/www/firefox/files/patch-ff-453736 b/www/firefox/files/patch-ff-453736 new file mode 100644 index 000000000000..ba4f89f92981 --- /dev/null +++ b/www/firefox/files/patch-ff-453736 @@ -0,0 +1,46 @@ +diff -p -U 8 -r1.15 nsSVGScriptElement.cpp +--- content/svg/content/src/nsSVGScriptElement.cpp 28 Apr 2005 23:47:55 -0000 1.15 ++++ content/svg/content/src/nsSVGScriptElement.cpp 26 Feb 2009 21:03:08 -0000 +@@ -177,17 +177,40 @@ nsSVGScriptElement::Init() + } + + return NS_OK; + } + + //---------------------------------------------------------------------- + // nsIDOMNode methods + +-NS_IMPL_DOM_CLONENODE_WITH_INIT(nsSVGScriptElement) ++nsresult ++nsSVGScriptElement::CloneNode(PRBool aDeep, nsIDOMNode** aReturn) ++{ ++ *aReturn = nsnull; ++ ++ nsSVGScriptElement* it = new nsSVGScriptElement(mNodeInfo); ++ if (!it) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } ++ ++ nsCOMPtr kungFuDeathGrip(it); ++ ++ CopyInnerTo(it, aDeep); ++ ++ // The clone should be marked evaluated if we are. It should also be marked ++ // evaluated if we're evaluating, to handle the case when this script node's ++ // script clones the node. ++ it->mIsEvaluated = mIsEvaluated || mEvaluating; ++ it->mLineNumber = mLineNumber; ++ ++ kungFuDeathGrip.swap(*aReturn); ++ ++ return NS_OK; ++} + + //---------------------------------------------------------------------- + // nsIDOMSVGScriptElement methods + + /* attribute DOMString type; */ + NS_IMETHODIMP + nsSVGScriptElement::GetType(nsAString & aType) + { + diff --git a/www/firefox/files/patch-ff-474536 b/www/firefox/files/patch-ff-474536 new file mode 100644 index 000000000000..7c9bb70ee2d6 --- /dev/null +++ b/www/firefox/files/patch-ff-474536 @@ -0,0 +1,28 @@ +diff -U 8 -p -r3.181.2.104 jsinterp.c +--- js/src/jsinterp.c 20 Oct 2008 15:43:57 -0000 3.181.2.104 ++++ js/src/jsinterp.c 2 Apr 2009 14:44:48 -0000 +@@ -4722,21 +4722,21 @@ interrupt: + + /* + * Try to optimize a property we either just created, or found + * directly in the global object, that is permanent, has a slot, + * and has stub getter and setter, into a "fast global" accessed + * by the JSOP_*GVAR opcodes. + */ + if (atomIndex < script->numGlobalVars && +- (attrs & JSPROP_PERMANENT) && + obj2 == obj && + OBJ_IS_NATIVE(obj)) { + sprop = (JSScopeProperty *) prop; +- if (SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) && ++ if ((sprop->attrs & JSPROP_PERMANENT) && ++ SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) && + SPROP_HAS_STUB_GETTER(sprop) && + SPROP_HAS_STUB_SETTER(sprop)) { + /* + * Fast globals use fp->vars to map the global name's + * atomIndex to the permanent fp->varobj slot number, + * tagged as a jsval. The atomIndex for the global's + * name literal is identical to its fp->vars index. + */ + diff --git a/www/firefox/files/patch-ff-479336 b/www/firefox/files/patch-ff-479336 new file mode 100644 index 000000000000..1b279a8655ce --- /dev/null +++ b/www/firefox/files/patch-ff-479336 @@ -0,0 +1,13 @@ +diff -up mozilla/modules/libpref/src/init/all.js.479336 mozilla/modules/libpref/src/init/all.js +--- modules/libpref/src/init/all.js.479336 2009-04-09 15:57:27.000000000 +0200 ++++ modules/libpref/src/init/all.js 2009-04-09 15:59:56.000000000 +0200 +@@ -631,7 +631,7 @@ pref("network.IDN.whitelist.org", true); + // attempt and so we always display the domain name as punycode. This would + // override the settings "network.IDN_show_punycode" and + // "network.IDN.whitelist.*". +-pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u01C3\u0337\u0338\u05C3\u05F4\u06D4\u0702\u115F\u1160\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2044\u205F\u2154\u2155\u2156\u2159\u215A\u215B\u215F\u2215\u23AE\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD"); ++pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u00BE\u01C3\u02D0\u0337\u0338\u0589\u05C3\u05F4\u0609\u060A\u066A\u06D4\u0701\u0702\u0703\u0704\u115F\u1160\u1735\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2041\u2044\u2052\u205F\u2153\u2154\u2155\u2156\u2157\u2158\u2159\u215A\u215B\u215C\u215D\u215E\u215F\u2215\u2236\u23AE\u2571\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uA789\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD"); + + // This preference specifies a list of domains for which DNS lookups will be + // IPv4 only. Works around broken DNS servers which can't handle IPv6 lookups + -- cgit v1.2.3