From 1e12924ae5e54eea544eed7b1f632a483e425e46 Mon Sep 17 00:00:00 2001
From: Ben Woodcroft
Date: Fri, 3 Jun 2016 15:49:23 +1000
Subject: gnu: Add ruby-tzinfo-data.

* gnu/packages/ruby.scm (ruby-tzinfo-data): New variable.
* gnu/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk | 1 +
 1 file changed, 1 insertion(+)
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index d3e72629bc..1a61782439 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -733,6 +733,7 @@ dist_patch_DATA = \
 %D%/packages/patches/rpm-CVE-2014-8118.patch \
 %D%/packages/patches/rsem-makefile.patch \
 %D%/packages/patches/ruby-symlinkfix.patch \
+ %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
 %D%/packages/patches/rush-CVE-2013-6889.patch \
 %D%/packages/patches/sed-hurd-path-max.patch \
 %D%/packages/patches/scheme48-tests.patch \
-- 
cgit v1.2.3

From dae620b8fe83bada3e83579c1a02e2bac45adfef Mon Sep 17 00:00:00 2001
From: Ben Woodcroft
Date: Fri, 3 Jun 2016 15:55:36 +1000
Subject: gnu: Add ruby-concurrent.

* gnu/packages/ruby.scm (ruby-concurrent): New variable.
* gnu/packages/patches/ruby-concurrent-ignore-broken-test.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk | 1 +
 .../ruby-concurrent-ignore-broken-test.patch | 16 ++++++
 gnu/packages/ruby.scm | 57 ++++++++++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 gnu/packages/patches/ruby-concurrent-ignore-broken-test.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 1a61782439..ff476be448 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
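Review bot: The entry added to `dist_patch_DATA` drops the space before its line-continuation backslash (`…ruby-tzinfo-data-ignore-broken-test.patch\`) while every neighbouring entry is written `… \`; GNU make joins the lines either way, but the list is easier to scan and to diff if the new line reads `%D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch \`. The patch file itself and the ruby.scm recipe are outside this local.mk-limited view, so which test is skipped and why cannot be checked here.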
@@ -732,6 +732,7 @@ dist_patch_DATA = \
 %D%/packages/patches/ripperx-missing-file.patch \
 %D%/packages/patches/rpm-CVE-2014-8118.patch \
 %D%/packages/patches/rsem-makefile.patch \
+ %D%/packages/patches/ruby-concurrent-ignore-broken-test.patch \
 %D%/packages/patches/ruby-symlinkfix.patch \
 %D%/packages/patches/ruby-tzinfo-data-ignore-broken-test.patch\
 %D%/packages/patches/rush-CVE-2013-6889.patch \
diff --git a/gnu/packages/patches/ruby-concurrent-ignore-broken-test.patch b/gnu/packages/patches/ruby-concurrent-ignore-broken-test.patch
new file mode 100644
index 0000000000..4e801c3225
--- /dev/null
+++ b/gnu/packages/patches/ruby-concurrent-ignore-broken-test.patch
@@ -0,0 +1,16 @@
+This test appears to fail in GNU Guix and elsewhere. It has been reported
+upstream at https://github.com/puma/puma/issues/995
+
+diff --git a/spec/concurrent/channel_spec.rb b/spec/concurrent/channel_spec.rb
+index d70fba8..4f29a8b 100644
+--- a/spec/concurrent/channel_spec.rb
++++ b/spec/concurrent/channel_spec.rb
+@@ -598,7 +598,7 @@ module Concurrent
+ }.to raise_error(ArgumentError)
+ end
+
+- it 'loops until the block returns false' do
++ xit 'loops until the block returns false' do
+ actual = 0
+ expected = 3
+ latch = Concurrent::CountDownLatch.new(expected)
diff --git a/gnu/packages/ruby.scm b/gnu/packages/ruby.scm
index 10c1230bda..527f76b404 100644
--- a/gnu/packages/ruby.scm
+++ b/gnu/packages/ruby.scm
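Review bot: The patch header cites `https://github.com/puma/puma/issues/995` as the upstream report for an example in concurrent-ruby's `spec/concurrent/channel_spec.rb`, while the recipe that applies this patch cites `https://github.com/ruby-concurrency/concurrent-ruby/issues/534` for the same exclusion; one of the two references appears to have been copied from another package, and the header should point at the concurrent-ruby tracker so a future updater can tell when the `xit` can be reverted. The header also only says the example "appears to fail"; recording what it exercises (it waits on a `CountDownLatch`, so presumably something timing-sensitive) and the condition for re-enabling it, e.g. `Disabled because it fails in the Guix build container; re-enable once concurrent-ruby issue 534 is resolved.`, would make the skip auditable.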
@@ -3995,4 +3995,61 @@ call.")
 (home-page "https://github.com/travisjeffery/timecop")
 (license license:expat)))
 
+(define-public ruby-concurrent
+ (package
+ (name "ruby-concurrent")
+ (version "1.0.2")
+ (source
+ (origin
+ (method url-fetch)
+ ;; Download from GitHub because the rubygems version does not contain
+ ;; Rakefile.
+ (uri (string-append
+ "https://github.com/ruby-concurrency/concurrent-ruby/archive/v"
+ version
+ ".tar.gz"))
+ (file-name (string-append name "-" version ".tar.gz"))
+ (sha256
+ (base32
+ "1x3g2admp14ykwfxidsicqbhlfsnxh9wyc806np4i15hws4if1d8"))
+ ;; Exclude failing test reported at
+ ;; https://github.com/ruby-concurrency/concurrent-ruby/issues/534
+ (patches (search-patches "ruby-concurrent-ignore-broken-test.patch"))))
+ (build-system ruby-build-system)
+ (arguments
+ `(#:test-target "spec"
+ #:phases
+ (modify-phases %standard-phases
+ (add-before 'build 'remove-git-lsfiles-and-extra-gemspecs
+ (lambda _
+ (for-each (lambda (file)
+ (substitute* file
+ (("git ls-files") "find * |sort")))
+ (list "concurrent-ruby.gemspec"
+ "support/file_map.rb"))
+ #t))
+ (add-before 'build 'remove-extra-gemspecs
+ (lambda _
+ ;; Delete extra gemspec files so 'first-gemspec' chooses the
+ ;; correct one.
+ (delete-file "concurrent-ruby-edge.gemspec")
+ (delete-file "concurrent-ruby-ext.gemspec")
+ #t))
+ (add-before 'check 'rake-compile
+ ;; Fix the test error described at
+ ;; https://github.com/ruby-concurrency/concurrent-ruby/pull/408
+ (lambda _ (zero? (system* "rake" "compile")))))))
+ (native-inputs
+ `(("ruby-rake-compiler" ,ruby-rake-compiler)
+ ("ruby-yard" ,ruby-yard)
+ ("ruby-rspec" ,ruby-rspec)
+ ("ruby-timecop" ,ruby-timecop)))
+ (synopsis "Concurrency tools for Ruby")
+ (description
+ "This library provides modern concurrency tools including agents,
+futures, promises, thread pools, actors, supervisors, and more. It is
+inspired by Erlang, Clojure, Go, JavaScript, actors and classic concurrency
+patterns.")
+ (home-page "http://www.concurrent-ruby.com")
+ (license license:expat)))
-- 
cgit v1.2.3

From c7c49446ebcc48c2b2136f4475ab66aecb63d18e Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Wed, 8 Jun 2016 09:53:56 -0400
Subject: gnu: libvpx: Add fix for CVE-2016-2818.

* gnu/packages/patches/libvpx-CVE-2016-2818.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/video.scm (libvpx)[source]: Add patch.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/libvpx-CVE-2016-2818.patch | 36 +++++++++++++++++++++++++
 gnu/packages/video.scm | 3 ++-
 3 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libvpx-CVE-2016-2818.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index ff476be448..cc236a7d16 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -606,6 +606,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libtiff-oob-write-in-nextdecode.patch \
 %D%/packages/patches/libtool-skip-tests2.patch \
 %D%/packages/patches/libunwind-CVE-2015-3239.patch \
+ %D%/packages/patches/libvpx-CVE-2016-2818.patch \
 %D%/packages/patches/libwmf-CAN-2004-0941.patch \
 %D%/packages/patches/libwmf-CVE-2006-3376.patch \
 %D%/packages/patches/libwmf-CVE-2007-0455.patch \
diff --git a/gnu/packages/patches/libvpx-CVE-2016-2818.patch b/gnu/packages/patches/libvpx-CVE-2016-2818.patch
new file mode 100644
index 0000000000..1fdf01cbca
--- /dev/null
+++ b/gnu/packages/patches/libvpx-CVE-2016-2818.patch
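Review bot: The phase named `'remove-git-lsfiles-and-extra-gemspecs` only rewrites `git ls-files` in `concurrent-ruby.gemspec` and `support/file_map.rb`; the gemspec deletion happens in the following `'remove-extra-gemspecs` phase, so the first name misdescribes what runs and should be `'replace-git-ls-files`. The replacement `find * |sort` also never matches dot-files, so any tracked dot-file the gemspec's file list relied on silently drops out of the built gem; that is probably harmless here, but it deserves a one-line comment next to the `substitute*` so the next updater knows the file list is no longer identical to upstream's. On the supply-chain side the source is GitHub's auto-generated `archive/v1.0.2.tar.gz` rather than an artefact upstream publishes; the sha256 pin is the only integrity check, and such archives can be regenerated with a different hash, so a tagged release tarball or the gem plus a vendored Rakefile would be the more stable choice if one exists.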
@@ -0,0 +1,36 @@
+Patch contents copied from Mozilla esr45 changeset 312077:7ebfe49f001c
+
+ changeset: 312077:7ebfe49f001c
+ user: Randell Jesup
+ Date: Fri Apr 15 23:11:01 2016 -0400
+ summary: Bug 1263384: validate input frames against configured resolution in vp8 r=rillian, a=ritu,lizzard
+
+ MozReview-Commit-ID: BxDCnJe0mzs
+
+--- libvpx-1.5.0/vp8/vp8_cx_iface.c.orig 2015-11-09 17:12:38.000000000 -0500
++++ libvpx-1.5.0/vp8/vp8_cx_iface.c 2016-06-08 08:48:46.037213092 -0400
+@@ -925,11 +925,19 @@
+ {
+ res = image2yuvconfig(img, &sd);
+
+- if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags,
+- &sd, dst_time_stamp, dst_end_time_stamp))
+- {
+- VP8_COMP *cpi = (VP8_COMP *)ctx->cpi;
+- res = update_error_state(ctx, &cpi->common.error);
++ if (sd.y_width != ctx->cfg.g_w || sd.y_height != ctx->cfg.g_h) {
++ /* from vp8_encoder.h for g_w/g_h:
++ "Note that the frames passed as input to the encoder must have this resolution"
++ */
++ ctx->base.err_detail = "Invalid input frame resolution";
++ res = VPX_CODEC_INVALID_PARAM;
++ } else {
++ if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags,
++ &sd, dst_time_stamp, dst_end_time_stamp))
++ {
++ VP8_COMP *cpi = (VP8_COMP *)ctx->cpi;
++ res = update_error_state(ctx, &cpi->common.error);
++ }
+ }
+
+ /* reset for next frame */
diff --git a/gnu/packages/video.scm b/gnu/packages/video.scm
index 692f3645e6..eee04faec0 100644
--- a/gnu/packages/video.scm
+++ b/gnu/packages/video.scm
@@ -839,7 +839,8 @@ projects while introducing many more.")
 name "-" version ".tar.bz2"))
 (sha256
 (base32
- "15v7qw0ydyxn08ksb6lxn1l51pxgpwgshdwd3275yrr5hs86fv9h"))))
+ "15v7qw0ydyxn08ksb6lxn1l51pxgpwgshdwd3275yrr5hs86fv9h"))
+ (patches (search-patches "libvpx-CVE-2016-2818.patch"))))
 (build-system gnu-build-system)
 (arguments
 `(#:phases
-- 
cgit v1.2.3

From 98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa Mon Sep 17 00:00:00 2001
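Review bot: The patch header records where the lines were copied from but not what they prevent, and the Guix file name is the only place the CVE id appears; a line such as `Reject input frames whose luma dimensions differ from the configured g_w/g_h (CVE-2016-2818, Mozilla bug 1263384) before they reach vp8_receive_raw_frame.` above the hunk would let a later updater decide when an upstream libvpx release makes this patch redundant. As a point of style, the new `} else { if (vp8_receive_raw_frame(...)) { ... } }` nests the original call one level deeper; `} else if (vp8_receive_raw_frame(ctx->cpi, ctx->next_frame_flag | lib_flags,` with the original body left untouched would keep the diff to the guard itself. The guard compares only `sd.y_width`/`sd.y_height`, which is presumably enough because `image2yuvconfig` derives the chroma plane sizes from the luma size, but the enclosing encode function starts and ends outside the hunk, so whether `img` is already known non-null at this point cannot be confirmed from this view.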
From: Mark H Weaver
Date: Wed, 8 Jun 2016 09:54:54 -0400
Subject: gnu: icecat: Add fixes for CVE-2016-{2818,2819,2821,2824,2828,2831}.

* gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch,
gnu/packages/patches/icecat-CVE-2016-2819.patch,
gnu/packages/patches/icecat-CVE-2016-2821.patch,
gnu/packages/patches/icecat-CVE-2016-2824.patch,
gnu/packages/patches/icecat-CVE-2016-2828.patch,
gnu/packages/patches/icecat-CVE-2016-2831.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
---
 gnu/local.mk | 14 ++
 gnu/packages/gnuzilla.scm | 16 +-
 .../patches/icecat-CVE-2016-2818-pt1.patch | 62 +++++
 .../patches/icecat-CVE-2016-2818-pt2.patch | 29 +++
 .../patches/icecat-CVE-2016-2818-pt3.patch | 18 ++
 .../patches/icecat-CVE-2016-2818-pt4.patch | 61 +++++
 .../patches/icecat-CVE-2016-2818-pt5.patch | 266 ++++++++++++++++++++
 .../patches/icecat-CVE-2016-2818-pt6.patch | 17 ++
 .../patches/icecat-CVE-2016-2818-pt7.patch | 33 +++
 .../patches/icecat-CVE-2016-2818-pt8.patch | 267 +++++++++++++++++++++
 .../patches/icecat-CVE-2016-2818-pt9.patch | 188 +++++++++++++++
 gnu/packages/patches/icecat-CVE-2016-2819.patch | 102 ++++++++
 gnu/packages/patches/icecat-CVE-2016-2821.patch | 16 ++
 gnu/packages/patches/icecat-CVE-2016-2824.patch | 85 +++++++
 gnu/packages/patches/icecat-CVE-2016-2828.patch | 185 ++++++++++++++
 gnu/packages/patches/icecat-CVE-2016-2831.patch | 120 +++++++++
 16 files changed, 1478 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2819.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2821.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2824.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2828.patch
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-2831.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index cc236a7d16..8915c46cdd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -549,6 +549,20 @@ dist_patch_DATA = \
 %D%/packages/patches/hypre-doc-tables.patch \
 %D%/packages/patches/hypre-ldflags.patch \
 %D%/packages/patches/icecat-avoid-bundled-includes.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt1.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt2.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt3.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt4.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt5.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt6.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt7.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt8.patch \
+ %D%/packages/patches/icecat-CVE-2016-2818-pt9.patch \
+ %D%/packages/patches/icecat-CVE-2016-2819.patch \
+ %D%/packages/patches/icecat-CVE-2016-2821.patch \
+ %D%/packages/patches/icecat-CVE-2016-2824.patch \
+ %D%/packages/patches/icecat-CVE-2016-2828.patch \
+ %D%/packages/patches/icecat-CVE-2016-2831.patch \
 %D%/packages/patches/icedtea-remove-overrides.patch \
 %D%/packages/patches/icu4c-CVE-2014-6585.patch \
 %D%/packages/patches/icu4c-CVE-2015-1270.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 4ffa3ac165..46342ee247 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -298,7 +298,21 @@ standards.")
 (base32
 "0v4k47ziqsyfksv9sn4v1xvk4q414rc883hb1qzld63grj2nxxwp"))
 (patches (search-patches
- "icecat-avoid-bundled-includes.patch"))
+ "icecat-avoid-bundled-includes.patch"
+ "icecat-CVE-2016-2818-pt1.patch"
+ "icecat-CVE-2016-2818-pt2.patch"
+ "icecat-CVE-2016-2818-pt3.patch"
+ "icecat-CVE-2016-2818-pt4.patch"
+ "icecat-CVE-2016-2818-pt5.patch"
+ "icecat-CVE-2016-2818-pt6.patch"
+ "icecat-CVE-2016-2818-pt7.patch"
+ "icecat-CVE-2016-2818-pt8.patch"
+ "icecat-CVE-2016-2818-pt9.patch"
+ "icecat-CVE-2016-2819.patch"
+ "icecat-CVE-2016-2821.patch"
+ "icecat-CVE-2016-2824.patch"
+ "icecat-CVE-2016-2828.patch"
+ "icecat-CVE-2016-2831.patch"))
 (modules '((guix build utils)))
 (snippet
 '(begin
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
new file mode 100644
index 0000000000..57bc45f3c2
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
@@ -0,0 +1,62 @@
+ changeset: 312039:4290826b078c
+ user: Timothy Nikkel
+ Date: Fri May 13 06:09:38 2016 +0200
+ summary: Bug 1261230. r=mats, a=ritu
+
+diff -r 45a59425b498 -r 4290826b078c layout/generic/nsSubDocumentFrame.cpp
+--- a/layout/generic/nsSubDocumentFrame.cpp Tue May 10 14:12:20 2016 +0200
++++ b/layout/generic/nsSubDocumentFrame.cpp Fri May 13 06:09:38 2016 +0200
+@@ -132,6 +132,7 @@
+ nsCOMPtr oldContainerDoc;
+ nsView* detachedViews =
+ frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
++ frameloader->SetDetachedSubdocView(nullptr, nullptr);
+ if (detachedViews) {
+ if (oldContainerDoc == aContent->OwnerDoc()) {
+ // Restore stashed presentation.
+@@ -142,7 +143,6 @@
+ frameloader->Hide();
+ }
+ }
+- frameloader->SetDetachedSubdocView(nullptr, nullptr);
+ }
+
+ nsContentUtils::AddScriptRunner(new AsyncFrameInit(this));
+@@ -936,13 +936,16 @@
+ if (!mPresShell->IsDestroying()) {
+ mPresShell->FlushPendingNotifications(Flush_Frames);
+ }
++
++ // Either the frame has been constructed by now, or it never will be,
++ // either way we want to clear the stashed views.
++ mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++
+ nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
+ if ((!frame && mHideViewerIfFrameless) ||
+ mPresShell->IsDestroying()) {
+ // Either the frame element has no nsIFrame or the presshell is being
+- // destroyed. Hide the nsFrameLoader, which destroys the presentation,
+- // and clear our references to the stashed presentation.
+- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++ // destroyed. Hide the nsFrameLoader, which destroys the presentation.
+ mFrameLoader->Hide();
+ }
+ return NS_OK;
+@@ -968,7 +971,7 @@
+ // Detach the subdocument's views and stash them in the frame loader.
+ // We can then reattach them if we're being reframed (for example if
+ // the frame has been made position:fixed).
+- nsFrameLoader* frameloader = FrameLoader();
++ RefPtr frameloader = FrameLoader();
+ if (frameloader) {
+ nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
+ frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
+@@ -977,7 +980,7 @@
+ // safely determine whether the frame is being reframed or destroyed.
+ nsContentUtils::AddScriptRunner(
+ new nsHideViewer(mContent,
+- mFrameLoader,
++ frameloader,
+ PresContext()->PresShell(),
+ (mDidCreateDoc || mCallingShow)));
+ }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch
new file mode 100644
index 0000000000..843e2eb244
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch
@@ -0,0 +1,29 @@
+ changeset: 312044:09418166fd77
+ user: Jon Coppeard
+ Date: Wed May 11 10:14:45 2016 +0100
+ summary: Bug 1264575 - Add missing pre-barrier in Ion r=jandem a=ritu
+
+diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit-test/tests/self-hosting/bug1264575.js
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ b/js/src/jit-test/tests/self-hosting/bug1264575.js Wed May 11 10:14:45 2016 +0100
+@@ -0,0 +1,7 @@
++function f(x, [y]) {}
++f(0, []);
++// jsfunfuzz-generated
++let i = 0;
++for (var z of [0, 0, 0]) {
++ verifyprebarriers();
++}
+diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit/MCallOptimize.cpp
+--- a/js/src/jit/MCallOptimize.cpp Mon May 16 15:11:24 2016 -0400
++++ b/js/src/jit/MCallOptimize.cpp Wed May 11 10:14:45 2016 +0100
+@@ -2263,7 +2263,8 @@
+
+ callInfo.setImplicitlyUsedUnchecked();
+
+- MStoreFixedSlot* store = MStoreFixedSlot::New(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
++ MStoreFixedSlot* store =
++ MStoreFixedSlot::NewBarriered(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2));
+ current->add(store);
+ current->push(store);
+
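Review bot: As rendered, the new line `RefPtr frameloader = FrameLoader();` and the context line `nsCOMPtr oldContainerDoc;` carry no template argument, which would not compile; the `<nsFrameLoader>`/`<nsIDocument>` arguments were most likely eaten by the HTML rendering of this page rather than dropped by the patch, but the checked-in file should be verified, since the same artefact recurs in pt5, pt6, pt7 and pt8. The Guix file carries only the Mozilla changeset header; a first line such as `Part 1 of the CVE-2016-2818 fixes, copied from Mozilla esr45 (bug 1261230).` would tie the file to the CVE it is listed under, as the libvpx patch in the previous commit does. Each of the five inner hunks cuts through a function that starts and ends outside the patch, so the lifetime the new `RefPtr` is meant to cover (apparently the `nsHideViewer` runnable posted a few lines below, which now receives `frameloader` instead of `mFrameLoader`) can only be inferred here.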
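Review bot: `MStoreFixedSlot::NewBarriered` replaces `New` without a comment at the call site, so the only explanation is the changeset summary; since the value being stored is `callInfo.getArg(2)` and may presumably hold a GC thing, a one-line `// Pre-barrier: the slot's old value may be a GC thing the incremental marker has not yet seen.` would stop the next refactor from quietly reverting it. The added jit-test reaches `verifyprebarriers()` only through a fuzzer-derived shape (`// jsfunfuzz-generated`); naming the self-hosted intrinsic it exercises in that comment would make the test's intent clear. The enclosing inlining function starts and ends outside the hunk.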
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch
new file mode 100644
index 0000000000..fab003158c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch
@@ -0,0 +1,18 @@
+ changeset: 312051:9ec3d076fbee
+ parents: 312049:e0a272d5e162
+ user: Eric Faust
+ Date: Wed May 04 15:54:43 2016 -0700
+ summary: Bug 1269729 - Handle another OOM case on ARM. (r=jolesen) a=ritu
+
+diff -r e0a272d5e162 -r 9ec3d076fbee js/src/jit/arm/CodeGenerator-arm.cpp
+--- a/js/src/jit/arm/CodeGenerator-arm.cpp Tue May 17 08:26:37 2016 -0400
++++ b/js/src/jit/arm/CodeGenerator-arm.cpp Wed May 04 15:54:43 2016 -0700
+@@ -1116,7 +1116,7 @@
+ for (int32_t i = 0; i < cases; i++) {
+ CodeLabel cl;
+ masm.writeCodePointer(cl.dest());
+- ool->addCodeLabel(cl);
++ masm.propagateOOM(ool->addCodeLabel(cl));
+ }
+ addOutOfLineCode(ool, mir);
+ }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch
new file mode 100644
index 0000000000..0973203e0f
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch
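Review bot: `masm.propagateOOM(ool->addCodeLabel(cl));` records the allocation failure but the loop keeps writing code pointers and `addOutOfLineCode(ool, mir)` is still reached; that is presumably fine because `propagateOOM` latches a failure the caller checks later, but a short comment on the loop saying so, e.g. `// Keep going on OOM; propagateOOM marks the compilation failed.`, would save the next reader from re-deriving it. The hunk fixes this one loop only; if the file has other `addCodeLabel` call sites whose result is ignored they would need the same treatment, but they are outside this view, as is the enclosing function.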
@@ -0,0 +1,61 @@
+ changeset: 312055:b74f1ab939d2
+ user: Olli Pettay
+ Date: Mon May 16 21:42:24 2016 +0300
+ summary: Bug 1273202, make sure to not keep objects alive too long because of some useless event dispatching, r=jwatt a=ritu
+
+diff -r 072992bf176d -r b74f1ab939d2 dom/html/HTMLInputElement.cpp
+--- a/dom/html/HTMLInputElement.cpp Sun May 15 17:03:06 2016 +0300
++++ b/dom/html/HTMLInputElement.cpp Mon May 16 21:42:24 2016 +0300
+@@ -1168,7 +1168,7 @@
+ mFileList->Disconnect();
+ }
+ if (mNumberControlSpinnerIsSpinning) {
+- StopNumberControlSpinnerSpin();
++ StopNumberControlSpinnerSpin(eDisallowDispatchingEvents);
+ }
+ DestroyImageLoadingContent();
+ FreeData();
+@@ -3721,7 +3721,7 @@
+ }
+
+ void
+-HTMLInputElement::StopNumberControlSpinnerSpin()
++HTMLInputElement::StopNumberControlSpinnerSpin(SpinnerStopState aState)
+ {
+ if (mNumberControlSpinnerIsSpinning) {
+ if (nsIPresShell::GetCapturingContent() == this) {
+@@ -3732,11 +3732,16 @@
+
+ mNumberControlSpinnerIsSpinning = false;
+
+- FireChangeEventIfNeeded();
++ if (aState == eAllowDispatchingEvents) {
++ FireChangeEventIfNeeded();
++ }
+
+ nsNumberControlFrame* numberControlFrame =
+ do_QueryFrame(GetPrimaryFrame());
+ if (numberControlFrame) {
++ MOZ_ASSERT(aState == eAllowDispatchingEvents,
++ "Shouldn't have primary frame for the element when we're not "
++ "allowed to dispatch events to it anymore.");
+ numberControlFrame->SpinnerStateChanged();
+ }
+ }
+diff -r 072992bf176d -r b74f1ab939d2 dom/html/HTMLInputElement.h
+--- a/dom/html/HTMLInputElement.h Sun May 15 17:03:06 2016 +0300
++++ b/dom/html/HTMLInputElement.h Mon May 16 21:42:24 2016 +0300
+@@ -721,7 +721,12 @@
+ HTMLInputElement* GetOwnerNumberControl();
+
+ void StartNumberControlSpinnerSpin();
+- void StopNumberControlSpinnerSpin();
++ enum SpinnerStopState {
++ eAllowDispatchingEvents,
++ eDisallowDispatchingEvents
++ };
++ void StopNumberControlSpinnerSpin(SpinnerStopState aState =
++ eAllowDispatchingEvents);
+ void StepNumberControlForUserEvent(int32_t aDirection);
+
+ /**
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch
new file mode 100644
index 0000000000..cd98d0b28b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch
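Review bot: `MOZ_ASSERT` is compiled out of release builds, so when `StopNumberControlSpinnerSpin(eDisallowDispatchingEvents)` is called from the line-1168 teardown path and a primary frame does still exist, release builds skip `FireChangeEventIfNeeded()` but still call `numberControlFrame->SpinnerStateChanged()`; if the intent is to never touch the frame once events are disallowed, guard that call too: `if (numberControlFrame && aState == eAllowDispatchingEvents) {`. Whether a frame can exist at that point is not visible here — the caller around line 1168 starts outside the hunk, and its `DestroyImageLoadingContent(); FreeData();` tail suggests the destructor or an unbind path — so the assert's message may well hold in practice and this is a belt-and-braces note. The default argument on the new `SpinnerStopState aState = eAllowDispatchingEvents` keeps every existing caller unchanged, which is the right compatibility choice for a backport.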
@@ -0,0 +1,266 @@
+ changeset: 312063:88bea96c802a
+ user: Andrea Marchesini
+ Date: Tue May 10 10:52:19 2016 +0200
+ summary: Bug 1267130 - Improve the URL segment calculation, r=valentin a=ritu
+
+diff -r 28dcecced055 -r 88bea96c802a netwerk/base/nsStandardURL.cpp
+--- a/netwerk/base/nsStandardURL.cpp Wed May 18 11:55:29 2016 +1200
++++ b/netwerk/base/nsStandardURL.cpp Tue May 10 10:52:19 2016 +0200
+@@ -475,19 +475,28 @@
+ }
+
+ uint32_t
+-nsStandardURL::AppendSegmentToBuf(char *buf, uint32_t i, const char *str, URLSegment &seg, const nsCString *escapedStr, bool useEscaped)
++nsStandardURL::AppendSegmentToBuf(char *buf, uint32_t i, const char *str,
++ const URLSegment &segInput, URLSegment &segOutput,
++ const nsCString *escapedStr,
++ bool useEscaped, int32_t *diff)
+ {
+- if (seg.mLen > 0) {
++ MOZ_ASSERT(segInput.mLen == segOutput.mLen);
++
++ if (diff) *diff = 0;
++
++ if (segInput.mLen > 0) {
+ if (useEscaped) {
+- seg.mLen = escapedStr->Length();
+- memcpy(buf + i, escapedStr->get(), seg.mLen);
++ MOZ_ASSERT(diff);
++ segOutput.mLen = escapedStr->Length();
++ *diff = segOutput.mLen - segInput.mLen;
++ memcpy(buf + i, escapedStr->get(), segOutput.mLen);
++ } else {
++ memcpy(buf + i, str + segInput.mPos, segInput.mLen);
+ }
+- else
+- memcpy(buf + i, str + seg.mPos, seg.mLen);
+- seg.mPos = i;
+- i += seg.mLen;
++ segOutput.mPos = i;
++ i += segOutput.mLen;
+ } else {
+- seg.mPos = i;
++ segOutput.mPos = i;
+ }
+ return i;
+ }
+@@ -598,6 +607,20 @@
+ }
+ }
+
++ // We must take a copy of every single segment because they are pointing to
++ // the |spec| while we are changing their value, in case we must use
++ // encoded strings.
++ URLSegment username(mUsername);
++ URLSegment password(mPassword);
++ URLSegment host(mHost);
++ URLSegment path(mPath);
++ URLSegment filepath(mFilepath);
++ URLSegment directory(mDirectory);
++ URLSegment basename(mBasename);
++ URLSegment extension(mExtension);
++ URLSegment query(mQuery);
++ URLSegment ref(mRef);
++
+ //
+ // generate the normalized URL string
+ //
+@@ -607,9 +630,10 @@
+ char *buf;
+ mSpec.BeginWriting(buf);
+ uint32_t i = 0;
++ int32_t diff = 0;
+
+ if (mScheme.mLen > 0) {
+- i = AppendSegmentToBuf(buf, i, spec, mScheme);
++ i = AppendSegmentToBuf(buf, i, spec, mScheme, mScheme);
+ net_ToLowerCase(buf + mScheme.mPos, mScheme.mLen);
+ i = AppendToBuf(buf, i, "://", 3);
+ }
+@@ -619,15 +643,22 @@
+
+ // append authority
+ if (mUsername.mLen > 0) {
+- i = AppendSegmentToBuf(buf, i, spec, mUsername, &encUsername, useEncUsername);
+- if (mPassword.mLen >= 0) {
++ i = AppendSegmentToBuf(buf, i, spec, username, mUsername,
++ &encUsername, useEncUsername, &diff);
++ ShiftFromPassword(diff);
++ if (password.mLen >= 0) {
+ buf[i++] = ':';
+- i = AppendSegmentToBuf(buf, i, spec, mPassword, &encPassword, useEncPassword);
++ i = AppendSegmentToBuf(buf, i, spec, password, mPassword,
++ &encPassword, useEncPassword, &diff);
++ ShiftFromHost(diff);
+ }
+ buf[i++] = '@';
+ }
+- if (mHost.mLen > 0) {
+- i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost, useEncHost);
++ if (host.mLen > 0) {
++ i = AppendSegmentToBuf(buf, i, spec, host, mHost, &encHost, useEncHost,
++ &diff);
++ ShiftFromPath(diff);
++
+ net_ToLowerCase(buf + mHost.mPos, mHost.mLen);
+ MOZ_ASSERT(mPort >= -1, "Invalid negative mPort");
+ if (mPort != -1 && mPort != mDefaultPort) {
+@@ -652,21 +683,23 @@
+ }
+ else {
+ uint32_t leadingSlash = 0;
+- if (spec[mPath.mPos] != '/') {
++ if (spec[path.mPos] != '/') {
+ LOG(("adding leading slash to path\n"));
+ leadingSlash = 1;
+ buf[i++] = '/';
+ // basename must exist, even if empty (bugs 113508, 429347)
+ if (mBasename.mLen == -1) {
+- mBasename.mPos = i;
+- mBasename.mLen = 0;
++ mBasename.mPos = basename.mPos = i;
++ mBasename.mLen = basename.mLen = 0;
+ }
+ }
+
+ // record corrected (file)path starting position
+ mPath.mPos = mFilepath.mPos = i - leadingSlash;
+
+- i = AppendSegmentToBuf(buf, i, spec, mDirectory, &encDirectory, useEncDirectory);
++ i = AppendSegmentToBuf(buf, i, spec, directory, mDirectory,
++ &encDirectory, useEncDirectory, &diff);
++ ShiftFromBasename(diff);
+
+ // the directory must end with a '/'
+ if (buf[i-1] != '/') {
+@@ -674,7 +707,9 @@
+ mDirectory.mLen++;
+ }
+
+- i = AppendSegmentToBuf(buf, i, spec, mBasename, &encBasename, useEncBasename);
++ i = AppendSegmentToBuf(buf, i, spec, basename, mBasename,
++ &encBasename, useEncBasename, &diff);
++ ShiftFromExtension(diff);
+
+ // make corrections to directory segment if leadingSlash
+ if (leadingSlash) {
+@@ -687,18 +722,24 @@
+
+ if (mExtension.mLen >= 0) {
+ buf[i++] = '.';
+- i = AppendSegmentToBuf(buf, i, spec, mExtension, &encExtension, useEncExtension);
++ i = AppendSegmentToBuf(buf, i, spec, extension, mExtension,
++ &encExtension, useEncExtension, &diff);
++ ShiftFromQuery(diff);
+ }
+ // calculate corrected filepath length
+ mFilepath.mLen = i - mFilepath.mPos;
+
+ if (mQuery.mLen >= 0) {
+ buf[i++] = '?';
+- i = AppendSegmentToBuf(buf, i, spec, mQuery, &encQuery, useEncQuery);
++ i = AppendSegmentToBuf(buf, i, spec, query, mQuery,
++ &encQuery, useEncQuery,
++ &diff);
++ ShiftFromRef(diff);
+ }
+ if (mRef.mLen >= 0) {
+ buf[i++] = '#';
+- i = AppendSegmentToBuf(buf, i, spec, mRef, &encRef, useEncRef);
++ i = AppendSegmentToBuf(buf, i, spec, ref, mRef, &encRef, useEncRef,
++ &diff);
+ }
+ // calculate corrected path length
+ mPath.mLen = i - mPath.mPos;
+@@ -953,6 +994,39 @@
+ #undef GOT_PREF
+ }
+
++#define SHIFT_FROM(name, what) \
++void \
++nsStandardURL::name(int32_t diff) \
++{ \
++ if (!diff) return; \
++ if (what.mLen >= 0) { \
++ CheckedInt pos = what.mPos; \
++ pos += diff; \
++ MOZ_ASSERT(pos.isValid()); \
++ what.mPos = pos.value(); \
++ }
++
++#define SHIFT_FROM_NEXT(name, what, next) \
++ SHIFT_FROM(name, what) \
++ next(diff); \
++}
++
++#define SHIFT_FROM_LAST(name, what) \
++ SHIFT_FROM(name, what) \
++}
++
++SHIFT_FROM_NEXT(ShiftFromAuthority, mAuthority, ShiftFromUsername)
++SHIFT_FROM_NEXT(ShiftFromUsername, mUsername, ShiftFromPassword)
++SHIFT_FROM_NEXT(ShiftFromPassword, mPassword, ShiftFromHost)
++SHIFT_FROM_NEXT(ShiftFromHost, mHost, ShiftFromPath)
++SHIFT_FROM_NEXT(ShiftFromPath, mPath, ShiftFromFilepath)
++SHIFT_FROM_NEXT(ShiftFromFilepath, mFilepath, ShiftFromDirectory)
++SHIFT_FROM_NEXT(ShiftFromDirectory, mDirectory, ShiftFromBasename)
++SHIFT_FROM_NEXT(ShiftFromBasename, mBasename, ShiftFromExtension)
++SHIFT_FROM_NEXT(ShiftFromExtension, mExtension, ShiftFromQuery)
++SHIFT_FROM_NEXT(ShiftFromQuery, mQuery, ShiftFromRef)
++SHIFT_FROM_LAST(ShiftFromRef, mRef)
++
+ //----------------------------------------------------------------------------
+ // nsStandardURL::nsISupports
+ //----------------------------------------------------------------------------
+diff -r 28dcecced055 -r 88bea96c802a netwerk/base/nsStandardURL.h
+--- a/netwerk/base/nsStandardURL.h Wed May 18 11:55:29 2016 +1200
++++ b/netwerk/base/nsStandardURL.h Tue May 10 10:52:19 2016 +0200
+@@ -77,6 +77,7 @@
+
+ URLSegment() : mPos(0), mLen(-1) {}
+ URLSegment(uint32_t pos, int32_t len) : mPos(pos), mLen(len) {}
++ URLSegment(const URLSegment& aCopy) : mPos(aCopy.mPos), mLen(aCopy.mLen) {}
+ void Reset() { mPos = 0; mLen = -1; }
+ // Merge another segment following this one to it if they're contiguous
+ // Assumes we have something like "foo;bar" where this object is 'foo' and right
+@@ -177,7 +178,10 @@
+ bool NormalizeIDN(const nsCSubstring &host, nsCString &result);
+ void CoalescePath(netCoalesceFlags coalesceFlag, char *path);
+
+- uint32_t AppendSegmentToBuf(char *, uint32_t, const char *, URLSegment &, const nsCString *esc=nullptr, bool useEsc = false);
++ uint32_t AppendSegmentToBuf(char *, uint32_t, const char *,
++ const URLSegment &input, URLSegment &output,
++ const nsCString *esc=nullptr,
++ bool useEsc = false, int32_t* diff = nullptr);
+ uint32_t AppendToBuf(char *, uint32_t, const char *, uint32_t);
+
+ nsresult BuildNormalizedSpec(const char *spec);
+@@ -216,17 +220,17 @@
+ const nsDependentCSubstring Ref() { return Segment(mRef); }
+
+ // shift the URLSegments to the right by diff
+- void ShiftFromAuthority(int32_t diff) { mAuthority.mPos += diff; ShiftFromUsername(diff); }
+- void ShiftFromUsername(int32_t diff) { mUsername.mPos += diff; ShiftFromPassword(diff); }
+- void ShiftFromPassword(int32_t diff) { mPassword.mPos += diff; ShiftFromHost(diff); }
+- void ShiftFromHost(int32_t diff) { mHost.mPos += diff; ShiftFromPath(diff); }
+- void ShiftFromPath(int32_t diff) { mPath.mPos += diff; ShiftFromFilepath(diff); }
+- void ShiftFromFilepath(int32_t diff) { mFilepath.mPos += diff; ShiftFromDirectory(diff); }
+- void ShiftFromDirectory(int32_t diff) { mDirectory.mPos += diff; ShiftFromBasename(diff); }
+- void ShiftFromBasename(int32_t diff) { mBasename.mPos += diff; ShiftFromExtension(diff); }
+- void ShiftFromExtension(int32_t diff) { mExtension.mPos += diff; ShiftFromQuery(diff); }
+- void ShiftFromQuery(int32_t diff) { mQuery.mPos += diff; ShiftFromRef(diff); }
+- void ShiftFromRef(int32_t diff) { mRef.mPos += diff; }
++ void ShiftFromAuthority(int32_t diff);
++ void ShiftFromUsername(int32_t diff);
++ void ShiftFromPassword(int32_t diff);
++ void ShiftFromHost(int32_t diff);
++ void ShiftFromPath(int32_t diff);
++ void ShiftFromFilepath(int32_t diff);
++ void ShiftFromDirectory(int32_t diff);
++ void ShiftFromBasename(int32_t diff);
++ void ShiftFromExtension(int32_t diff);
++ void ShiftFromQuery(int32_t diff);
++ void ShiftFromRef(int32_t diff);
+
+ // fastload helper functions
+ nsresult ReadSegment(nsIBinaryInputStream *, URLSegment &);
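Review bot: The new `SHIFT_FROM` macro checks the `CheckedInt` addition only with `MOZ_ASSERT(pos.isValid())`, which is compiled out of release builds, so an overflowing position is still written back through `pos.value()` in production; if the point of switching to `CheckedInt` is to refuse to build a spec with a bogus offset, `MOZ_RELEASE_ASSERT(pos.isValid());` or an error path is needed, and a comment should say which one was intended. `URLSegment filepath(mFilepath);` is declared in the first hunk of `BuildNormalizedSpec` but none of the visible hunks use it (`mFilepath.mPos` is assigned directly at `mPath.mPos = mFilepath.mPos = i - leadingSlash;`); unless it is used between hunks it is an unused-variable warning and should be dropped. In `AppendSegmentToBuf` the `MOZ_ASSERT(diff)` before `*diff = ...` is likewise debug-only, so a caller passing `useEscaped == true` with `diff == nullptr` would dereference null in release; every visible caller passes `&diff` when escaping, so this is a maintainability note rather than a present bug, but a `// diff is mandatory when useEscaped` on the declaration would make the contract explicit. `BuildNormalizedSpec` starts and ends outside the patch, and the `CheckedInt pos` line appears with its template argument stripped, most likely an artefact of this page's rendering rather than of the patch.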
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch
new file mode 100644
index 0000000000..143b02fa58
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch
@@ -0,0 +1,17 @@
+ changeset: 312067:380ddd689680
+ user: Timothy Nikkel
+ Date: Tue May 10 22:58:26 2016 -0500
+ summary: Bug 1261752. Part 1. r=mats a=ritu
+
+diff -r 02df988a56ae -r 380ddd689680 view/nsViewManager.cpp
+--- a/view/nsViewManager.cpp Thu May 26 10:06:15 2016 -0700
++++ b/view/nsViewManager.cpp Tue May 10 22:58:26 2016 -0500
+@@ -416,7 +416,7 @@
+ if (aWidget->NeedsPaint()) {
+ // If an ancestor widget was hidden and then shown, we could
+ // have a delayed resize to handle.
+- for (nsViewManager *vm = this; vm;
++ for (RefPtr vm = this; vm;
+ vm = vm->mRootView->GetParent()
+ ? vm->mRootView->GetParent()->GetViewManager()
+ : nullptr) {
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch
new file mode 100644
index 0000000000..23c509d6c1
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch
@@ -0,0 +1,33 @@
+ changeset: 312068:73cc9a2d8fc1
+ user: Timothy Nikkel
+ Date: Tue May 10 22:58:47 2016 -0500
+ summary: Bug 1261752. Part 2. r=mats a=ritu
+
+diff -r 380ddd689680 -r 73cc9a2d8fc1 view/nsViewManager.cpp
+--- a/view/nsViewManager.cpp Tue May 10 22:58:26 2016 -0500
++++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500
+@@ -372,7 +372,7 @@
+ }
+ }
+ if (rootShell->GetViewManager() != this) {
+- return; // 'this' might have been destroyed
++ return; // presentation might have been torn down
+ }
+ if (aFlushDirtyRegion) {
+ nsAutoScriptBlocker scriptBlocker;
+@@ -1069,6 +1069,7 @@
+ if (mPresShell) {
+ mPresShell->GetPresContext()->RefreshDriver()->RevokeViewManagerFlush();
+
++ RefPtr strongThis(this);
+ CallWillPaintOnObservers();
+
+ ProcessPendingUpdatesForView(mRootView, true);
+@@ -1085,6 +1086,7 @@
+
+ if (mHasPendingWidgetGeometryChanges) {
+ mHasPendingWidgetGeometryChanges = false;
++ RefPtr strongThis(this);
+ ProcessPendingUpdatesForView(mRootView, false);
+ }
+ }
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch
new file mode 100644
index 0000000000..ee5e54e805
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch
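Review bot: The two new `RefPtr strongThis(this);` lines carry no comment, and the only hint at why they exist is the reworded early return at line 372 (`'this' might have been destroyed` becoming `presentation might have been torn down`), which implies that `CallWillPaintOnObservers()` and `ProcessPendingUpdatesForView()` can run code that drops the last reference to the view manager. A one-line `// Observers may run script that releases us; keep |this| alive across these calls.` above the first `strongThis` would record that for the next reader. The second `strongThis` is scoped to the `mHasPendingWidgetGeometryChanges` block, so it only covers the `ProcessPendingUpdatesForView(mRootView, false)` call inside it; if anything after that block touches `this` it is outside this hunk and unprotected. As rendered the `RefPtr` template argument is missing, most likely an artefact of this page rather than of the patch; both enclosing functions start and end outside the hunk.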
@@ -0,0 +1,267 @@ + changeset: 312069:3c2bd9158ad3 + user: Timothy Nikkel + Date: Tue May 10 22:58:47 2016 -0500 + summary: Bug 1261752. Part 3. r=mats a=ritu + +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 layout/forms/nsComboboxControlFrame.cpp +--- a/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500 +@@ -1417,7 +1417,11 @@ + // The popup's visibility doesn't update until the minimize animation has + // finished, so call UpdateWidgetGeometry to update it right away. + nsViewManager* viewManager = mDropdownFrame->GetView()->GetViewManager(); +- viewManager->UpdateWidgetGeometry(); ++ viewManager->UpdateWidgetGeometry(); // might destroy us ++ } ++ ++ if (!weakFrame.IsAlive()) { ++ return consume; + } + + return consume; +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 view/nsViewManager.cpp +--- a/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500 +@@ -670,15 +670,16 @@ + + void nsViewManager::WillPaintWindow(nsIWidget* aWidget) + { +- if (aWidget) { +- nsView* view = nsView::GetViewFor(aWidget); +- LayerManager *manager = aWidget->GetLayerManager(); ++ RefPtr widget(aWidget); ++ if (widget) { ++ nsView* view = nsView::GetViewFor(widget); ++ LayerManager* manager = widget->GetLayerManager(); + if (view && + (view->ForcedRepaint() || !manager->NeedsWidgetInvalidation())) { + ProcessPendingUpdates(); + // Re-get the view pointer here since the ProcessPendingUpdates might have + // destroyed it during CallWillPaintOnObservers. 
+- view = nsView::GetViewFor(aWidget); ++ view = nsView::GetViewFor(widget); + if (view) { + view->SetForcedRepaint(false); + } +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/PuppetWidget.cpp +--- a/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500 +@@ -823,6 +823,8 @@ + mDirtyRegion.SetEmpty(); + mPaintTask.Revoke(); + ++ RefPtr strongThis(this); ++ + mAttachedWidgetListener->WillPaintWindow(this); + + if (mAttachedWidgetListener) { +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/cocoa/nsChildView.mm +--- a/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500 ++++ b/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500 +@@ -3716,6 +3716,8 @@ + + - (void)viewWillDraw + { ++ nsAutoRetainCocoaObject kungFuDeathGrip(self); ++ + if (mGeckoChild) { + // The OS normally *will* draw our NSWindow, no matter what we do here. + // But Gecko can delete our parent widget(s) (along with mGeckoChild) +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gonk/nsWindow.cpp +--- a/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 +@@ -196,7 +196,7 @@ + return; + } + +- nsWindow *targetWindow = (nsWindow *)sTopWindows[0]; ++ RefPtr targetWindow = (nsWindow *)sTopWindows[0]; + while (targetWindow->GetLastChild()) + targetWindow = (nsWindow *)targetWindow->GetLastChild(); + +@@ -205,15 +205,15 @@ + listener->WillPaintWindow(targetWindow); + } + +- LayerManager* lm = targetWindow->GetLayerManager(); +- if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) { +- // No need to do anything, the compositor will handle drawing +- } else { +- NS_RUNTIMEABORT("Unexpected layer manager type"); +- } +- + listener = targetWindow->GetWidgetListener(); + if (listener) { ++ LayerManager* lm = targetWindow->GetLayerManager(); ++ if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) { ++ // No need to do anything, the compositor 
will handle drawing ++ } else { ++ NS_RUNTIMEABORT("Unexpected layer manager type"); ++ } ++ + listener->DidPaintWindow(); + } + } +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.cpp +--- a/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 +@@ -469,6 +469,12 @@ + } + } + ++nsIWidgetListener* ++nsWindow::GetListener() ++{ ++ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; ++} ++ + nsresult + nsWindow::DispatchEvent(WidgetGUIEvent* aEvent, nsEventStatus& aStatus) + { +@@ -481,8 +487,7 @@ + aEvent->refPoint.y = GdkCoordToDevicePixels(aEvent->refPoint.y); + + aStatus = nsEventStatus_eIgnore; +- nsIWidgetListener* listener = +- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; ++ nsIWidgetListener* listener = GetListener(); + if (listener) { + aStatus = listener->HandleEvent(aEvent, mUseAttachedEvents); + } +@@ -2119,8 +2124,7 @@ + if (!mGdkWindow || mIsFullyObscured || !mHasMappedToplevel) + return FALSE; + +- nsIWidgetListener *listener = +- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; ++ nsIWidgetListener *listener = GetListener(); + if (!listener) + return FALSE; + +@@ -2149,6 +2153,8 @@ + clientLayers->SendInvalidRegion(region); + } + ++ RefPtr strongThis(this); ++ + // Dispatch WillPaintWindow notification to allow scripts etc. to run + // before we paint + { +@@ -2161,8 +2167,7 @@ + + // Re-get the listener since the will paint notification might have + // killed it. +- listener = +- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; ++ listener = GetListener(); + if (!listener) + return FALSE; + } +@@ -2223,6 +2228,13 @@ + // If this widget uses OMTC... + if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_CLIENT) { + listener->PaintWindow(this, region); ++ ++ // Re-get the listener since the will paint notification might have ++ // killed it. 
++ listener = GetListener(); ++ if (!listener) ++ return TRUE; ++ + listener->DidPaintWindow(); + return TRUE; + } +@@ -2307,6 +2319,13 @@ + if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_BASIC) { + AutoLayerManagerSetup setupLayerManager(this, ctx, layerBuffering); + painted = listener->PaintWindow(this, region); ++ ++ // Re-get the listener since the will paint notification might have ++ // killed it. ++ listener = GetListener(); ++ if (!listener) ++ return TRUE; ++ + } + } + +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.h +--- a/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500 ++++ b/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500 +@@ -359,6 +359,7 @@ + GdkWindow** aWindow, gint* aButton, + gint* aRootX, gint* aRootY); + void ClearCachedResources(); ++ nsIWidgetListener* GetListener(); + + GtkWidget *mShell; + MozContainer *mContainer; +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.cpp +--- a/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 +@@ -857,18 +857,28 @@ + + // EVENTS + ++nsIWidgetListener* ++nsWindow::GetPaintListener() ++{ ++ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; ++} ++ + void + nsWindow::OnPaint() + { + LOGDRAW(("nsWindow::%s [%p]\n", __FUNCTION__, (void *)this)); +- nsIWidgetListener* listener = +- mAttachedWidgetListener ? 
mAttachedWidgetListener : mWidgetListener; ++ nsIWidgetListener* listener = GetPaintListener(); + if (!listener) { + return; + } + + listener->WillPaintWindow(this); + ++ nsIWidgetListener* listener = GetPaintListener(); ++ if (!listener) { ++ return; ++ } ++ + switch (GetLayerManager()->GetBackendType()) { + case mozilla::layers::LayersBackend::LAYERS_CLIENT: { + nsIntRegion region(nsIntRect(0, 0, mWidget->width(), mWidget->height())); +@@ -879,6 +889,11 @@ + NS_ERROR("Invalid layer manager"); + } + ++ nsIWidgetListener* listener = GetPaintListener(); ++ if (!listener) { ++ return; ++ } ++ + listener->DidPaintWindow(); + } + +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.h +--- a/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500 ++++ b/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500 +@@ -254,6 +254,7 @@ + bool needDispatch; + } MozCachedMoveEvent; + ++ nsIWidgetListener* GetPaintListener(); + bool CheckForRollup(double aMouseX, double aMouseY, bool aIsWheel); + void* SetupPluginPort(void); + nsresult SetWindowIconList(const nsTArray &aIconList); +diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/windows/nsWindowGfx.cpp +--- a/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500 +@@ -298,6 +298,8 @@ + clientLayerManager->SendInvalidRegion(region); + } + ++ RefPtr strongThis(this); ++ + nsIWidgetListener* listener = GetPaintListener(); + if (listener) { + listener->WillPaintWindow(this); diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch new file mode 100644 index 0000000000..a72698cc0b --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch 
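Review bot: The `widget/qt/nsWindow.cpp` part of this patch declares `nsIWidgetListener* listener = GetPaintListener();` three times in what appears to be the same block scope of `nsWindow::OnPaint` (the replacement of the old initializer, the re-get after `listener->WillPaintWindow(this);`, and the re-get after the `switch` in the second Qt hunk), which is a redefinition error in C++; the two later re-gets should be plain assignments, `listener = GetPaintListener();`. This only matters if the Qt widget backend is actually compiled, which the GTK-based build presumably does not do, so the patch applies but carries code that cannot build. In the `widget/gtk/nsWindow.cpp` part the comment `// Re-get the listener since the will paint notification might have killed it.` is copied above the re-gets that follow `listener->PaintWindow(...)`, where it is the paint call rather than the will-paint notification that may have torn the listener down; `// Re-get the listener since PaintWindow might have killed it.` would match the code. The enclosing `OnPaint` and `OnExposeEvent` bodies start and end outside these inner hunks.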
@@ -0,0 +1,188 @@ + changeset: 312075:ee870911fabb + user: Timothy Nikkel + Date: Wed May 04 16:12:48 2016 -0500 + summary: Bug 1265577. r=mats, a=lizzard + +diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.cpp +--- a/dom/base/nsFrameLoader.cpp Thu May 26 17:07:49 2016 -0400 ++++ b/dom/base/nsFrameLoader.cpp Wed May 04 16:12:48 2016 -0500 +@@ -155,7 +155,7 @@ + nsFrameLoader::nsFrameLoader(Element* aOwner, bool aNetworkCreated) + : mOwnerContent(aOwner) + , mAppIdSentToPermissionManager(nsIScriptSecurityManager::NO_APP_ID) +- , mDetachedSubdocViews(nullptr) ++ , mDetachedSubdocFrame(nullptr) + , mIsPrerendered(false) + , mDepthTooGreat(false) + , mIsTopLevelContent(false) +@@ -2507,18 +2507,18 @@ + } + + void +-nsFrameLoader::SetDetachedSubdocView(nsView* aDetachedViews, +- nsIDocument* aContainerDoc) ++nsFrameLoader::SetDetachedSubdocFrame(nsIFrame* aDetachedFrame, ++ nsIDocument* aContainerDoc) + { +- mDetachedSubdocViews = aDetachedViews; ++ mDetachedSubdocFrame = aDetachedFrame; + mContainerDocWhileDetached = aContainerDoc; + } + +-nsView* +-nsFrameLoader::GetDetachedSubdocView(nsIDocument** aContainerDoc) const ++nsIFrame* ++nsFrameLoader::GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const + { + NS_IF_ADDREF(*aContainerDoc = mContainerDocWhileDetached); +- return mDetachedSubdocViews; ++ return mDetachedSubdocFrame.GetFrame(); + } + + void +diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.h +--- a/dom/base/nsFrameLoader.h Thu May 26 17:07:49 2016 -0400 ++++ b/dom/base/nsFrameLoader.h Wed May 04 16:12:48 2016 -0500 +@@ -23,6 +23,7 @@ + #include "mozilla/Attributes.h" + #include "FrameMetrics.h" + #include "nsStubMutationObserver.h" ++#include "nsIFrame.h" + + class nsIURI; + class nsSubDocumentFrame; +@@ -197,23 +198,23 @@ + void SetRemoteBrowser(nsITabParent* aTabParent); + + /** +- * Stashes a detached view on the frame loader. We do this when we're ++ * Stashes a detached nsIFrame on the frame loader. 
We do this when we're + * destroying the nsSubDocumentFrame. If the nsSubdocumentFrame is +- * being reframed we'll restore the detached view when it's recreated, ++ * being reframed we'll restore the detached nsIFrame when it's recreated, + * otherwise we'll discard the old presentation and set the detached +- * subdoc view to null. aContainerDoc is the document containing the ++ * subdoc nsIFrame to null. aContainerDoc is the document containing the + * the subdoc frame. This enables us to detect when the containing + * document has changed during reframe, so we can discard the presentation + * in that case. + */ +- void SetDetachedSubdocView(nsView* aDetachedView, +- nsIDocument* aContainerDoc); ++ void SetDetachedSubdocFrame(nsIFrame* aDetachedFrame, ++ nsIDocument* aContainerDoc); + + /** +- * Retrieves the detached view and the document containing the view, +- * as set by SetDetachedSubdocView(). ++ * Retrieves the detached nsIFrame and the document containing the nsIFrame, ++ * as set by SetDetachedSubdocFrame(). + */ +- nsView* GetDetachedSubdocView(nsIDocument** aContainerDoc) const; ++ nsIFrame* GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const; + + /** + * Applies a new set of sandbox flags. These are merged with the sandbox +@@ -326,12 +327,12 @@ + nsRefPtr mMessageManager; + nsCOMPtr mChildMessageManager; + private: +- // Stores the root view of the subdocument while the subdocument is being ++ // Stores the root frame of the subdocument while the subdocument is being + // reframed. Used to restore the presentation after reframing. +- nsView* mDetachedSubdocViews; ++ nsWeakFrame mDetachedSubdocFrame; + // Stores the containing document of the frame corresponding to this + // frame loader. This is reference is kept valid while the subframe's +- // presentation is detached and stored in mDetachedSubdocViews. This ++ // presentation is detached and stored in mDetachedSubdocFrame. 
This + // enables us to detect whether the frame has moved documents during + // a reframe, so that we know not to restore the presentation. + nsCOMPtr mContainerDocWhileDetached; +diff -r 751208d22b91 -r ee870911fabb layout/generic/nsSubDocumentFrame.cpp +--- a/layout/generic/nsSubDocumentFrame.cpp Thu May 26 17:07:49 2016 -0400 ++++ b/layout/generic/nsSubDocumentFrame.cpp Wed May 04 16:12:48 2016 -0500 +@@ -130,13 +130,16 @@ + nsRefPtr frameloader = FrameLoader(); + if (frameloader) { + nsCOMPtr oldContainerDoc; +- nsView* detachedViews = +- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); +- frameloader->SetDetachedSubdocView(nullptr, nullptr); +- if (detachedViews) { +- if (oldContainerDoc == aContent->OwnerDoc()) { ++ nsIFrame* detachedFrame = ++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc)); ++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr); ++ MOZ_ASSERT(oldContainerDoc || !detachedFrame); ++ if (oldContainerDoc) { ++ nsView* detachedView = ++ detachedFrame ? detachedFrame->GetView() : nullptr; ++ if (detachedView && oldContainerDoc == aContent->OwnerDoc()) { + // Restore stashed presentation. +- ::InsertViewsInReverseOrder(detachedViews, mInnerView); ++ ::InsertViewsInReverseOrder(detachedView, mInnerView); + ::EndSwapDocShellsForViews(mInnerView->GetFirstChild()); + } else { + // Presentation is for a different document, don't restore it. +@@ -252,11 +255,12 @@ + nsRefPtr frameloader = FrameLoader(); + if (frameloader) { + nsCOMPtr oldContainerDoc; +- nsView* detachedViews = +- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); +- if (detachedViews) { +- nsSize size = detachedViews->GetBounds().Size(); +- nsPresContext* presContext = detachedViews->GetFrame()->PresContext(); ++ nsIFrame* detachedFrame = ++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc)); ++ nsView* view = detachedFrame ? 
detachedFrame->GetView() : nullptr; ++ if (view) { ++ nsSize size = view->GetBounds().Size(); ++ nsPresContext* presContext = detachedFrame->PresContext(); + return nsIntSize(presContext->AppUnitsToDevPixels(size.width), + presContext->AppUnitsToDevPixels(size.height)); + } +@@ -939,7 +943,7 @@ + + // Either the frame has been constructed by now, or it never will be, + // either way we want to clear the stashed views. +- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr); ++ mFrameLoader->SetDetachedSubdocFrame(nullptr, nullptr); + + nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame()); + if ((!frame && mHideViewerIfFrameless) || +@@ -974,15 +978,25 @@ + RefPtr frameloader = FrameLoader(); + if (frameloader) { + nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild()); +- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc()); + +- // We call nsFrameLoader::HideViewer() in a script runner so that we can +- // safely determine whether the frame is being reframed or destroyed. +- nsContentUtils::AddScriptRunner( +- new nsHideViewer(mContent, +- frameloader, +- PresContext()->PresShell(), +- (mDidCreateDoc || mCallingShow))); ++ if (detachedViews && detachedViews->GetFrame()) { ++ MOZ_ASSERT(mContent->OwnerDoc()); ++ frameloader->SetDetachedSubdocFrame( ++ detachedViews->GetFrame(), mContent->OwnerDoc()); ++ ++ // We call nsFrameLoader::HideViewer() in a script runner so that we can ++ // safely determine whether the frame is being reframed or destroyed. ++ nsContentUtils::AddScriptRunner( ++ new nsHideViewer(mContent, ++ frameloader, ++ PresContext()->PresShell(), ++ (mDidCreateDoc || mCallingShow))); ++ } else { ++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr); ++ if (mDidCreateDoc || mCallingShow) { ++ frameloader->Hide(); ++ } ++ } + } + + nsLeafFrame::DestroyFrom(aDestructRoot); 
diff --git a/gnu/packages/patches/icecat-CVE-2016-2819.patch b/gnu/packages/patches/icecat-CVE-2016-2819.patch new file mode 100644 index 0000000000..cbb833d43d --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2819.patch 
@@ -0,0 +1,102 @@ + changeset: 312054:072992bf176d + user: Henri Sivonen + Date: Sun May 15 17:03:06 2016 +0300 + summary: Bug 1270381. r=wchen. a=ritu + +diff -r d30748143c21 -r 072992bf176d parser/html/javasrc/TreeBuilder.java +--- a/parser/html/javasrc/TreeBuilder.java Mon May 09 18:05:32 2016 -0700 ++++ b/parser/html/javasrc/TreeBuilder.java Sun May 15 17:03:06 2016 +0300 +@@ -39,6 +39,11 @@ + import java.util.HashMap; + import java.util.Map; + ++import org.xml.sax.ErrorHandler; ++import org.xml.sax.Locator; ++import org.xml.sax.SAXException; ++import org.xml.sax.SAXParseException; ++ + import nu.validator.htmlparser.annotation.Auto; + import nu.validator.htmlparser.annotation.Const; + import nu.validator.htmlparser.annotation.IdType; +@@ -54,11 +59,6 @@ + import nu.validator.htmlparser.common.TokenHandler; + import nu.validator.htmlparser.common.XmlViolationPolicy; + +-import org.xml.sax.ErrorHandler; +-import org.xml.sax.Locator; +-import org.xml.sax.SAXException; +-import org.xml.sax.SAXParseException; +- + public abstract class TreeBuilder implements TokenHandler, + TreeBuilderState { + +@@ -1924,7 +1924,6 @@ + break starttagloop; + } + generateImpliedEndTags(); +- // XXX is the next if dead code? 
+ if (errorHandler != null && !isCurrent("table")) { + errNoCheckUnclosedElementsOnStack(); + } +@@ -2183,11 +2182,11 @@ + pop(); + } + break; +- } else if (node.isSpecial() ++ } else if (eltPos == 0 || (node.isSpecial() + && (node.ns != "http://www.w3.org/1999/xhtml" +- || (node.name != "p" +- && node.name != "address" +- && node.name != "div"))) { ++ || (node.name != "p" ++ && node.name != "address" ++ && node.name != "div")))) { + break; + } + eltPos--; +@@ -3878,7 +3877,7 @@ + pop(); + } + break endtagloop; +- } else if (node.isSpecial()) { ++ } else if (eltPos == 0 || node.isSpecial()) { + errStrayEndTag(name); + break endtagloop; + } +@@ -4745,6 +4744,7 @@ + int furthestBlockPos = formattingEltStackPos + 1; + while (furthestBlockPos <= currentPtr) { + StackNode node = stack[furthestBlockPos]; // weak ref ++ assert furthestBlockPos > 0: "How is formattingEltStackPos + 1 not > 0?"; + if (node.isSpecial()) { + break; + } +diff -r d30748143c21 -r 072992bf176d parser/html/nsHtml5TreeBuilder.cpp +--- a/parser/html/nsHtml5TreeBuilder.cpp Mon May 09 18:05:32 2016 -0700 ++++ b/parser/html/nsHtml5TreeBuilder.cpp Sun May 15 17:03:06 2016 +0300 +@@ -1102,7 +1102,7 @@ + pop(); + } + break; +- } else if (node->isSpecial() && (node->ns != kNameSpaceID_XHTML || (node->name != nsHtml5Atoms::p && node->name != nsHtml5Atoms::address && node->name != nsHtml5Atoms::div))) { ++ } else if (!eltPos || (node->isSpecial() && (node->ns != kNameSpaceID_XHTML || (node->name != nsHtml5Atoms::p && node->name != nsHtml5Atoms::address && node->name != nsHtml5Atoms::div)))) { + break; + } + eltPos--; +@@ -2749,7 +2749,7 @@ + pop(); + } + NS_HTML5_BREAK(endtagloop); +- } else if (node->isSpecial()) { ++ } else if (!eltPos || node->isSpecial()) { + errStrayEndTag(name); + NS_HTML5_BREAK(endtagloop); + } +@@ -3593,6 +3593,7 @@ + int32_t furthestBlockPos = formattingEltStackPos + 1; + while (furthestBlockPos <= currentPtr) { + nsHtml5StackNode* node = stack[furthestBlockPos]; ++ 
MOZ_ASSERT(furthestBlockPos > 0, "How is formattingEltStackPos + 1 not > 0?"); + if (node->isSpecial()) { + break; + } diff --git a/gnu/packages/patches/icecat-CVE-2016-2821.patch b/gnu/packages/patches/icecat-CVE-2016-2821.patch new file mode 100644 index 0000000000..8255d60009 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2821.patch @@ -0,0 +1,16 @@ + changeset: 312045:7aea44059251 + user: Olli Pettay + Date: Fri May 13 20:10:22 2016 +0300 + summary: Bug 1271460, don't leak editor created element objects, r=ehsan a=ritu + +diff -r 09418166fd77 -r 7aea44059251 editor/libeditor/nsHTMLInlineTableEditor.cpp +--- a/editor/libeditor/nsHTMLInlineTableEditor.cpp Wed May 11 10:14:45 2016 +0100 ++++ b/editor/libeditor/nsHTMLInlineTableEditor.cpp Fri May 13 20:10:22 2016 +0300 +@@ -109,7 +109,6 @@ + + // get the root content node. + nsCOMPtr bodyContent = GetRoot(); +- NS_ENSURE_TRUE(bodyContent, NS_ERROR_FAILURE); + + DeleteRefToAnonymousNode(mAddColumnBeforeButton, bodyContent, ps); + mAddColumnBeforeButton = nullptr; diff --git a/gnu/packages/patches/icecat-CVE-2016-2824.patch b/gnu/packages/patches/icecat-CVE-2016-2824.patch new file mode 100644 index 0000000000..72772ed15f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2824.patch 
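Review bot: Removing `NS_ENSURE_TRUE(bodyContent, NS_ERROR_FAILURE);` means `DeleteRefToAnonymousNode(mAddColumnBeforeButton, bodyContent, ps)` and the calls after it now run with a possibly null `bodyContent`, so the leak fix relies on that callee accepting a null parent; the callee is outside the hunk, so this cannot be confirmed here. A one-line comment at the call site would make the intent explicit for the next reader: `// bodyContent may be null here; still drop the anonymous-node refs so they are not leaked`. The enclosing function starts and ends outside the hunk.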
@@ -0,0 +1,85 @@ + changeset: 312070:4b54feddf36c + user: JerryShih + Date: Wed May 25 16:27:41 2016 +0200 + summary: Bug 1248580 - strip the uploading element num according to the uniform array size. r=jgilbert a=ritu + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLContextValidate.cpp +--- a/dom/canvas/WebGLContextValidate.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLContextValidate.cpp Wed May 25 16:27:41 2016 +0200 +@@ -1531,9 +1531,10 @@ + if (!loc->ValidateArrayLength(setterElemSize, setterArraySize, this, funcName)) + return false; + ++ MOZ_ASSERT((size_t)loc->mActiveInfo->mElemCount > loc->mArrayIndex); ++ size_t uniformElemCount = loc->mActiveInfo->mElemCount - loc->mArrayIndex; + *out_rawLoc = loc->mLoc; +- *out_numElementsToUpload = std::min((size_t)loc->mActiveInfo->mElemCount, +- setterArraySize / setterElemSize); ++ *out_numElementsToUpload = std::min(uniformElemCount, setterArraySize / setterElemSize); + return true; + } + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLProgram.cpp +--- a/dom/canvas/WebGLProgram.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLProgram.cpp Wed May 25 16:27:41 2016 +0200 +@@ -510,8 +510,14 @@ + const NS_LossyConvertUTF16toASCII userName(userName_wide); + + nsDependentCString baseUserName; +- bool isArray; +- size_t arrayIndex; ++ bool isArray = false; ++ // GLES 2.0.25, Section 2.10, p35 ++ // If the the uniform location is an array, then the location of the first ++ // element of that array can be retrieved by either using the name of the ++ // uniform array, or the name of the uniform array appended with "[0]". ++ // The ParseName() can't recognize this rule. So always initialize ++ // arrayIndex with 0. 
++ size_t arrayIndex = 0; + if (!ParseName(userName, &baseUserName, &isArray, &arrayIndex)) + return nullptr; + +@@ -536,7 +542,8 @@ + return nullptr; + + nsRefPtr locObj = new WebGLUniformLocation(mContext, LinkInfo(), +- loc, activeInfo); ++ loc, arrayIndex, ++ activeInfo); + return locObj.forget(); + } + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.cpp +--- a/dom/canvas/WebGLUniformLocation.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLUniformLocation.cpp Wed May 25 16:27:41 2016 +0200 +@@ -16,10 +16,13 @@ + + WebGLUniformLocation::WebGLUniformLocation(WebGLContext* webgl, + const webgl::LinkedProgramInfo* linkInfo, +- GLuint loc, const WebGLActiveInfo* activeInfo) ++ GLuint loc, ++ size_t arrayIndex, ++ const WebGLActiveInfo* activeInfo) + : WebGLContextBoundObject(webgl) + , mLinkInfo(linkInfo) + , mLoc(loc) ++ , mArrayIndex(arrayIndex) + , mActiveInfo(activeInfo) + { } + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.h +--- a/dom/canvas/WebGLUniformLocation.h Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLUniformLocation.h Wed May 25 16:27:41 2016 +0200 +@@ -41,10 +41,11 @@ + + const WeakPtr mLinkInfo; + const GLuint mLoc; ++ const size_t mArrayIndex; + const WebGLActiveInfo* const mActiveInfo; + + WebGLUniformLocation(WebGLContext* webgl, const webgl::LinkedProgramInfo* linkInfo, +- GLuint loc, const WebGLActiveInfo* activeInfo); ++ GLuint loc, size_t arrayIndex, const WebGLActiveInfo* activeInfo); + + bool ValidateForProgram(WebGLProgram* prog, WebGLContext* webgl, + const char* funcName) const; diff --git a/gnu/packages/patches/icecat-CVE-2016-2828.patch b/gnu/packages/patches/icecat-CVE-2016-2828.patch new file mode 100644 index 0000000000..951eb4fc46 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2828.patch 
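Review bot: `MOZ_ASSERT((size_t)loc->mActiveInfo->mElemCount > loc->mArrayIndex)` compiles out of release builds, and the subtraction on the next line, `loc->mActiveInfo->mElemCount - loc->mArrayIndex`, is done in `size_t`, so if the invariant is ever violated `uniformElemCount` wraps to a very large value and `std::min` silently falls back to the setter-derived bound, which is the pre-patch behaviour this change is meant to tighten. Whether `mArrayIndex` is checked against `mElemCount` when the `WebGLUniformLocation` is created is not visible in the `WebGLProgram.cpp` hunk. A guard that fails closed in release builds as well, `if (loc->mArrayIndex >= (size_t)loc->mActiveInfo->mElemCount) return false;` placed before the subtraction, would be safer while keeping the assertion for debug diagnostics. The enclosing validation function starts outside the hunk.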
@@ -0,0 +1,185 @@ + changeset: 312096:dc190bd03d24 + tag: FIREFOX_45_2_0esr_BUILD2 + tag: FIREFOX_45_2_0esr_RELEASE + user: Jeff Gilbert + Date: Thu Apr 14 13:50:04 2016 -0700 + summary: Bug 1224199 - Destroy SharedSurfaces before ~GLContext(). - r=jrmuizel a=lizzard + +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLBlitHelper.cpp +--- a/gfx/gl/GLBlitHelper.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/GLBlitHelper.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -172,6 +172,9 @@ + + GLBlitHelper::~GLBlitHelper() + { ++ if (!mGL->MakeCurrent()) ++ return; ++ + DeleteTexBlitProgram(); + + GLuint tex[] = { +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.cpp +--- a/gfx/gl/GLContext.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/GLContext.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -2079,12 +2079,13 @@ + if (IsDestroyed()) + return; + ++ // Null these before they're naturally nulled after dtor, as we want GLContext to ++ // still be alive in *their* dtors. ++ mScreen = nullptr; ++ mBlitHelper = nullptr; ++ mReadTexImageHelper = nullptr; ++ + if (MakeCurrent()) { +- DestroyScreenBuffer(); +- +- mBlitHelper = nullptr; +- mReadTexImageHelper = nullptr; +- + mTexGarbageBin->GLContextTeardown(); + } else { + NS_WARNING("MakeCurrent() failed during MarkDestroyed! Skipping GL object teardown."); +@@ -2328,8 +2329,6 @@ + return false; + } + +- DestroyScreenBuffer(); +- + // This will rebind to 0 (Screen) if needed when + // it falls out of scope. 
+ ScopedBindFramebuffer autoFB(this); +@@ -2349,12 +2348,6 @@ + } + + void +-GLContext::DestroyScreenBuffer() +-{ +- mScreen = nullptr; +-} +- +-void + GLContext::ForceDirtyScreen() + { + ScopedBindFramebuffer autoFB(0); +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.h +--- a/gfx/gl/GLContext.h Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/GLContext.h Thu Apr 14 13:50:04 2016 -0700 +@@ -3492,8 +3492,6 @@ + friend class GLScreenBuffer; + UniquePtr mScreen; + +- void DestroyScreenBuffer(); +- + SharedSurface* mLockedSurface; + + public: +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLReadTexImageHelper.cpp +--- a/gfx/gl/GLReadTexImageHelper.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/GLReadTexImageHelper.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -31,6 +31,9 @@ + + GLReadTexImageHelper::~GLReadTexImageHelper() + { ++ if (!mGL->MakeCurrent()) ++ return; ++ + mGL->fDeleteProgram(mPrograms[0]); + mGL->fDeleteProgram(mPrograms[1]); + mGL->fDeleteProgram(mPrograms[2]); +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceANGLE.cpp +--- a/gfx/gl/SharedSurfaceANGLE.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/SharedSurfaceANGLE.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -120,8 +120,10 @@ + { + mEGL->fDestroySurface(Display(), mPBuffer); + ++ if (!mGL->MakeCurrent()) ++ return; ++ + if (mFence) { +- mGL->MakeCurrent(); + mGL->fDeleteFences(1, &mFence); + } + } +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceEGL.cpp +--- a/gfx/gl/SharedSurfaceEGL.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/SharedSurfaceEGL.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -87,9 +87,12 @@ + { + mEGL->fDestroyImage(Display(), mImage); + +- mGL->MakeCurrent(); +- mGL->fDeleteTextures(1, &mProdTex); +- mProdTex = 0; ++ if (mSync) { ++ // We can't call this unless we have the ext, but we will always have ++ // the ext if we have something to destroy. 
++ mEGL->fDestroySync(Display(), mSync); ++ mSync = 0; ++ } + + if (mConsTex) { + MOZ_ASSERT(mGarbageBin); +@@ -97,12 +100,11 @@ + mConsTex = 0; + } + +- if (mSync) { +- // We can't call this unless we have the ext, but we will always have +- // the ext if we have something to destroy. +- mEGL->fDestroySync(Display(), mSync); +- mSync = 0; +- } ++ if (!mGL->MakeCurrent()) ++ return; ++ ++ mGL->fDeleteTextures(1, &mProdTex); ++ mProdTex = 0; + } + + void +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceGralloc.cpp +--- a/gfx/gl/SharedSurfaceGralloc.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/SharedSurfaceGralloc.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -154,7 +154,9 @@ + + DEBUG_PRINT("[SharedSurface_Gralloc %p] destroyed\n", this); + +- mGL->MakeCurrent(); ++ if (!mGL->MakeCurrent()) ++ return; ++ + mGL->fDeleteTextures(1, &mProdTex); + + if (mSync) { +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceIO.cpp +--- a/gfx/gl/SharedSurfaceIO.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/SharedSurfaceIO.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -111,11 +111,10 @@ + + SharedSurface_IOSurface::~SharedSurface_IOSurface() + { +- if (mProdTex) { +- DebugOnly success = mGL->MakeCurrent(); +- MOZ_ASSERT(success); +- mGL->fDeleteTextures(1, &mProdTex); +- } ++ if (!mGL->MakeCurrent()) ++ return; ++ ++ mGL->fDeleteTextures(1, &mProdTex); + } + + //////////////////////////////////////////////////////////////////////// +diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/TextureGarbageBin.cpp +--- a/gfx/gl/TextureGarbageBin.cpp Mon Mar 07 11:51:12 2016 +0000 ++++ b/gfx/gl/TextureGarbageBin.cpp Thu Apr 14 13:50:04 2016 -0700 +@@ -36,6 +36,7 @@ + if (!mGL) + return; + ++ MOZ_RELEASE_ASSERT(mGL->IsCurrent()); + while (!mGarbageTextures.empty()) { + GLuint tex = mGarbageTextures.top(); + mGarbageTextures.pop(); diff --git a/gnu/packages/patches/icecat-CVE-2016-2831.patch b/gnu/packages/patches/icecat-CVE-2016-2831.patch new file mode 100644 index 0000000000..b99ecb6458 
--- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2831.patch 
@@ -0,0 +1,120 @@ + changeset: 312091:a3fff31b8b70 + user: Xidorn Quan + Date: Thu Apr 14 17:38:13 2016 +1000 + summary: Bug 1261933 - Continue unlocking pointer even if the widget has gone. r=smaug a=lizzard + + MozReview-Commit-ID: 1siQhemFf9O + +diff -r f5e862ea4a72 -r a3fff31b8b70 dom/base/nsDocument.cpp +--- a/dom/base/nsDocument.cpp Tue May 31 18:35:26 2016 -0700 ++++ b/dom/base/nsDocument.cpp Thu Apr 14 17:38:13 2016 +1000 +@@ -12315,49 +12315,37 @@ + bool + nsDocument::SetPointerLock(Element* aElement, int aCursorStyle) + { +- // NOTE: aElement will be nullptr when unlocking. +- nsCOMPtr window = GetWindow(); +- if (!window) { +- NS_WARNING("SetPointerLock(): No Window"); +- return false; +- } +- +- nsIDocShell *docShell = window->GetDocShell(); +- if (!docShell) { +- NS_WARNING("SetPointerLock(): No DocShell (window already closed?)"); +- return false; +- } +- +- nsRefPtr presContext; +- docShell->GetPresContext(getter_AddRefs(presContext)); +- if (!presContext) { +- NS_WARNING("SetPointerLock(): Unable to get presContext in \ +- domWindow->GetDocShell()->GetPresContext()"); ++ MOZ_ASSERT(!aElement || aElement->OwnerDoc() == this, ++ "We should be either unlocking pointer (aElement is nullptr), " ++ "or locking pointer to an element in this document"); ++#ifdef DEBUG ++ if (!aElement) { ++ nsCOMPtr pointerLockedDoc = ++ do_QueryReferent(EventStateManager::sPointerLockedDoc); ++ MOZ_ASSERT(pointerLockedDoc == this); ++ } ++#endif ++ ++ nsIPresShell* shell = GetShell(); ++ if (!shell) { ++ NS_WARNING("SetPointerLock(): No PresShell"); + return false; + } +- +- nsCOMPtr shell = presContext->PresShell(); +- if (!shell) { +- NS_WARNING("SetPointerLock(): Unable to find presContext->PresShell()"); +- return false; +- } +- +- nsIFrame* rootFrame = shell->GetRootFrame(); +- if (!rootFrame) { +- NS_WARNING("SetPointerLock(): Unable to get root frame"); ++ nsPresContext* presContext = shell->GetPresContext(); ++ if (!presContext) { ++ NS_WARNING("SetPointerLock(): 
Unable to get PresContext"); + return false; + } + +- nsCOMPtr widget = rootFrame->GetNearestWidget(); +- if (!widget) { +- NS_WARNING("SetPointerLock(): Unable to find widget in \ +- shell->GetRootFrame()->GetNearestWidget();"); +- return false; +- } +- +- if (aElement && (aElement->OwnerDoc() != this)) { +- NS_WARNING("SetPointerLock(): Element not in this document."); +- return false; ++ nsCOMPtr widget; ++ nsIFrame* rootFrame = shell->GetRootFrame(); ++ if (!NS_WARN_IF(!rootFrame)) { ++ widget = rootFrame->GetNearestWidget(); ++ NS_WARN_IF_FALSE(widget, "SetPointerLock(): Unable to find widget " ++ "in shell->GetRootFrame()->GetNearestWidget();"); ++ if (aElement && !widget) { ++ return false; ++ } + } + + // Hide the cursor and set pointer lock for future mouse events +diff -r f5e862ea4a72 -r a3fff31b8b70 dom/events/EventStateManager.cpp +--- a/dom/events/EventStateManager.cpp Tue May 31 18:35:26 2016 -0700 ++++ b/dom/events/EventStateManager.cpp Thu Apr 14 17:38:13 2016 +1000 +@@ -4128,10 +4128,6 @@ + // NOTE: aElement will be nullptr when unlocking. + sIsPointerLocked = !!aElement; + +- if (!aWidget) { +- return; +- } +- + // Reset mouse wheel transaction + WheelTransaction::EndTransaction(); + +@@ -4140,6 +4136,8 @@ + do_GetService("@mozilla.org/widget/dragservice;1"); + + if (sIsPointerLocked) { ++ MOZ_ASSERT(aWidget, "Locking pointer requires a widget"); ++ + // Store the last known ref point so we can reposition the pointer after unlock. + mPreLockPoint = sLastRefPoint; + +@@ -4164,7 +4162,9 @@ + // pre-pointerlock position, so that the synthetic mouse event reports + // no movement. + sLastRefPoint = mPreLockPoint; +- aWidget->SynthesizeNativeMouseMove(mPreLockPoint + aWidget->WidgetToScreenOffset()); ++ if (aWidget) { ++ aWidget->SynthesizeNativeMouseMove(mPreLockPoint + aWidget->WidgetToScreenOffset()); ++ } + + // Don't retarget events to this element any more. + nsIPresShell::SetCapturingContent(nullptr, CAPTURE_POINTERLOCK); -- cgit v1.2.3 
From 6e4f18cfdd1bf747e77f81b64497f1c05f57a057 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Wed, 8 Jun 2016 13:29:32 -0400
Subject: gnu: libxml2: Add fix for CVE-2016-1762.
* gnu/packages/patches/libxml2-CVE-2016-1762.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (libxml2/fixed)[source]: Add patch.
---
 gnu/local.mk | 1 +
 gnu/packages/patches/libxml2-CVE-2016-1762.patch | 31 ++++++++++++++++++++++++
 gnu/packages/xml.scm | 3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libxml2-CVE-2016-1762.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 8915c46cdd..b07aa42f7d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -633,6 +633,7 @@ dist_patch_DATA = \
 %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
 %D%/packages/patches/libwmf-CVE-2015-4695.patch \
 %D%/packages/patches/libwmf-CVE-2015-4696.patch \
+ %D%/packages/patches/libxml2-CVE-2016-1762.patch \
 %D%/packages/patches/libxslt-CVE-2015-7995.patch \
 %D%/packages/patches/lirc-localstatedir.patch \
 %D%/packages/patches/libpthread-glibc-preparation.patch \
diff --git a/gnu/packages/patches/libxml2-CVE-2016-1762.patch b/gnu/packages/patches/libxml2-CVE-2016-1762.patch
new file mode 100644
index 0000000000..15ec6a0aee
--- /dev/null
+++ b/gnu/packages/patches/libxml2-CVE-2016-1762.patch
@@ -0,0 +1,31 @@
+Copied from Debian.
+
+From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001
+From: Daniel Veillard
+Date: Tue, 9 Feb 2016 12:55:29 +0100
+Subject: [PATCH] Heap-based buffer overread in xmlNextChar
+
+For https://bugzilla.gnome.org/show_bug.cgi?id=759671
+
+when the end of the internal subset isn't properly detected
+xmlParseInternalSubset should just return instead of trying
+to process input further.
+
+[carnil: drop patches to testsuite files]
+---
+
+diff --git a/parser.c b/parser.c
+index c5741e3..0677030 100644
+--- a/parser.c
++++ b/parser.c
+@@ -8468,6 +8468,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
+ */
+ if (RAW != '>') {
+ xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
++ return;
+ }
+ NEXT;
+ }
+--
+2.8.1
+
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index dc5c60dca8..40ff3e6b4b 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -116,7 +116,8 @@ project (but it is usable outside of the Gnome platform).")
 version ".tar.gz"))
 (sha256
 (base32
- "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
+ "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))
+ (patches (search-patches "libxml2-CVE-2016-1762.patch")))))))
 (define-public python-libxml2
 (package
 (inherit libxml2)
-- cgit v1.2.3
From 993b400acb24344d399857010177e7ecaab847b7 Mon Sep 17 00:00:00 2001
From: Mark H Weaver
Date: Wed, 8 Jun 2016 18:17:13 -0400
Subject: Revert "gnu: libxml2: Add fix for CVE-2016-1762."
This reverts commit 6e4f18cfdd1bf747e77f81b64497f1c05f57a057.
---
 gnu/local.mk | 1 -
 gnu/packages/patches/libxml2-CVE-2016-1762.patch | 31 ------------------------
 gnu/packages/xml.scm | 3 +--
 3 files changed, 1 insertion(+), 34 deletions(-)
 delete mode 100644 gnu/packages/patches/libxml2-CVE-2016-1762.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index b07aa42f7d..8915c46cdd 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
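Review bot: The header of the new patch file says only `Copied from Debian.` and names neither the Debian package version nor the path of the patch it was taken from, so the provenance of this security fix, and of the Debian-specific edit noted as `[carnil: drop patches to testsuite files]`, cannot be verified later; only the upstream commit id `a7a94612aa3b16779e2c74e1fa353b5d9786c602` is traceable. A first line such as `Copied from Debian's libxml2 package (<DEBIAN-VERSION>, debian/patches/<PATCH-NAME>).` with the real values filled in would fix that; the expat patch further down this log shows the preferred form with a full sources.debian.net URL. It is also worth recording in the header that the testsuite files were dropped, so the fix lands without its regression test.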
@@ -633,7 +633,6 @@ dist_patch_DATA = \
 %D%/packages/patches/libwmf-CVE-2015-0848+CVE-2015-4588.patch \
 %D%/packages/patches/libwmf-CVE-2015-4695.patch \
 %D%/packages/patches/libwmf-CVE-2015-4696.patch \
- %D%/packages/patches/libxml2-CVE-2016-1762.patch \
 %D%/packages/patches/libxslt-CVE-2015-7995.patch \
 %D%/packages/patches/lirc-localstatedir.patch \
 %D%/packages/patches/libpthread-glibc-preparation.patch \
diff --git a/gnu/packages/patches/libxml2-CVE-2016-1762.patch b/gnu/packages/patches/libxml2-CVE-2016-1762.patch
deleted file mode 100644
index 15ec6a0aee..0000000000
--- a/gnu/packages/patches/libxml2-CVE-2016-1762.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-Copied from Debian.
-
-From a7a94612aa3b16779e2c74e1fa353b5d9786c602 Mon Sep 17 00:00:00 2001
-From: Daniel Veillard
-Date: Tue, 9 Feb 2016 12:55:29 +0100
-Subject: [PATCH] Heap-based buffer overread in xmlNextChar
-
-For https://bugzilla.gnome.org/show_bug.cgi?id=759671
-
-when the end of the internal subset isn't properly detected
-xmlParseInternalSubset should just return instead of trying
-to process input further.
-
-[carnil: drop patches to testsuite files]
----
-
-diff --git a/parser.c b/parser.c
-index c5741e3..0677030 100644
---- a/parser.c
-+++ b/parser.c
-@@ -8468,6 +8468,7 @@ xmlParseInternalSubset(xmlParserCtxtPtr ctxt) {
- */
- if (RAW != '>') {
- xmlFatalErr(ctxt, XML_ERR_DOCTYPE_NOT_FINISHED, NULL);
-+ return;
- }
- NEXT;
- }
---
-2.8.1
-
diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm
index 40ff3e6b4b..dc5c60dca8 100644
--- a/gnu/packages/xml.scm
+++ b/gnu/packages/xml.scm
@@ -116,8 +116,7 @@ project (but it is usable outside of the Gnome platform).")
 version ".tar.gz"))
 (sha256
 (base32
- "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz"))
- (patches (search-patches "libxml2-CVE-2016-1762.patch")))))))
+ "0g336cr0bw6dax1q48bblphmchgihx9p1pjmxdnrd6sh3qci3fgz")))))))
 (define-public python-libxml2
 (package
 (inherit libxml2)
-- cgit v1.2.3
From 7c6058c08266f663973d1b7eb729e36e24728d17 Mon Sep 17 00:00:00 2001
From: Taylan Ulrich Bayırlı/Kammer
Date: Thu, 9 Jun 2016 21:53:02 +0300
Subject: gnu: higan: Various improvements.
* gnu/packages/games.scm (higan): Use semi-official repository at GitLab (using hotfix tag 098b which is equivalent to official release 098). Add a patch to remove the build flag -march=native. Set profile to balanced.
* gnu/packages/patches/higan-remove-march-native-flag.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk | 1 +
 gnu/packages/games.scm | 9 ++++++---
 gnu/packages/patches/higan-remove-march-native-flag.patch | 13 +++++++++++++
 3 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100644 gnu/packages/patches/higan-remove-march-native-flag.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index 8915c46cdd..f31e5776d9 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -542,6 +542,7 @@ dist_patch_DATA = \
 %D%/packages/patches/gtk3-respect-GUIX_GTK3_PATH.patch \
 %D%/packages/patches/gtkglext-disable-disable-deprecated.patch \
 %D%/packages/patches/hdf5-config-date.patch \
+ %D%/packages/patches/higan-remove-march-native-flag.patch \
 %D%/packages/patches/hop-bigloo-4.0b.patch \
 %D%/packages/patches/hop-linker-flags.patch \
 %D%/packages/patches/hydra-automake-1.15.patch \
diff --git a/gnu/packages/games.scm b/gnu/packages/games.scm
index 0d095ac368..1d0a945347 100644
--- a/gnu/packages/games.scm
+++ b/gnu/packages/games.scm
@@ -2247,15 +2247,17 @@ Red Eclipse provides fast paced and accessible gameplay.") (define-public higan (package (name "higan") - (version "098") + (version "098b") (source (origin (method url-fetch) (uri (string-append - "https://github.com/TaylanUB/higan/archive/v" version ".tar.gz")) + "https://gitlab.com/higan/higan/repository/archive.tar.gz?ref=v" + version)) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "12snxrk8wa94x3l69qcimgm0xc22zjgf7vzhckp2lzyfbf27950v")))) + (base32 "05j0xzr01gsyia4gj6jmdzklll4iky1kwxgxw0mmfcgm10m0h3bf")) + (patches (search-patches "higan-remove-march-native-flag.patch")))) (build-system gnu-build-system) (native-inputs `(("pkg-config" ,pkg-config))) @@ -2321,6 +2323,7 @@ Red Eclipse provides fast paced and accessible gameplay.") `("PATH" ":" prefix (,bin)))))))) #:make-flags (list "compiler=g++" + "profile=balanced" ;default is accuracy; which is quite slow (string-append "prefix=" (assoc-ref %outputs "out"))) ;; There is no test suite. #:tests? #f)) diff --git a/gnu/packages/patches/higan-remove-march-native-flag.patch b/gnu/packages/patches/higan-remove-march-native-flag.patch new file mode 100644 index 0000000000..8f4a36dc35 --- /dev/null +++ b/gnu/packages/patches/higan-remove-march-native-flag.patch @@ -0,0 +1,13 @@ +Remove -march=native from build flags. + +--- a/higan/GNUmakefile ++++ b/higan/GNUmakefile +@@ -32,7 +32,7 @@ ifeq ($(platform),windows) + else ifeq ($(platform),macosx) + flags += -march=native + else ifneq ($(filter $(platform),linux bsd),) +- flags += -march=native -fopenmp ++ flags += -fopenmp + link += -fopenmp + link += -Wl,-export-dynamic + link += -lX11 -lXext -- cgit v1.2.3 From 436dd0463668361476a448d88f6e8653981a7346 Mon Sep 17 00:00:00 2001 
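Review bot: The new `uri` in the first games.scm hunk fetches a GitLab-generated archive (`"https://gitlab.com/higan/higan/repository/archive.tar.gz?ref=v" version`), and such on-the-fly tarballs are, to my knowledge, not guaranteed to stay byte-identical over time, so the pinned sha256 can stop verifying even though the tag has not changed. Using `git-fetch` with a `git-reference` pinned to the tag, or preferably to the commit the `v098b` tag points at, would keep the source reproducible and independent of how the forge packs archives; a moved tag would then also be caught by the hash. The `-march=native` removal and the `profile=balanced` flag in the second hunk look fine for reproducible builds.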
From: Leo Famulari
Date: Thu, 9 Jun 2016 13:02:11 -0400
Subject: gnu: expat: Fix CVE-2012-6702 and CVE-2016-5300.
* gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/xml.scm (expat/fixed): Use it.
---
 gnu/local.mk | 1 +
 .../expat-CVE-2012-6702-and-CVE-2016-5300.patch | 142 +++++++++++++++++++++
 gnu/packages/xml.scm | 3 +-
 3 files changed, 145 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
(limited to 'gnu/local.mk')
diff --git a/gnu/local.mk b/gnu/local.mk
index f31e5776d9..73aef0aa8e 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -480,6 +480,7 @@ dist_patch_DATA = \
 %D%/packages/patches/emacs-source-date-epoch.patch \
 %D%/packages/patches/eudev-rules-directory.patch \
 %D%/packages/patches/evilwm-lost-focus-bug.patch \
+ %D%/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch \
 %D%/packages/patches/expat-CVE-2015-1283.patch \
 %D%/packages/patches/expat-CVE-2015-1283-refix.patch \
 %D%/packages/patches/expat-CVE-2016-0718.patch \
diff --git a/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
new file mode 100644
index 0000000000..edc43f84f1
--- /dev/null
+++ b/gnu/packages/patches/expat-CVE-2012-6702-and-CVE-2016-5300.patch
@@ -0,0 +1,142 @@ +Fix CVE-2012-6702 and CVE-2016-5300. + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6702 +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5300 + +Patch copied from: +https://sources.debian.net/src/expat/2.1.0-6%2Bdeb8u3/debian/patches/cve-2012-6702-plus-cve-2016-5300-v1.patch/ + +From cb31522769d11a375078a073cba94e7176cb48a4 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping +Date: Wed, 16 Mar 2016 15:30:12 +0100 +Subject: [PATCH] Resolve call to srand, use more entropy (patch version 1.0) + +Squashed backport against vanilla Expat 2.1.1, addressing: +* CVE-2012-6702 -- unanticipated internal calls to srand +* CVE-2016-5300 -- use of too little entropy + +Since commit e3e81a6d9f0885ea02d3979151c358f314bf3d6d +(released with Expat 2.1.0) Expat called srand by itself +from inside generate_hash_secret_salt for an instance +of XML_Parser if XML_SetHashSalt was either (a) not called +for that instance or if (b) salt 0 was passed to XML_SetHashSalt +prior to parsing. That call to srand passed (rather litle) +entropy extracted from the current time as a seed for srand. + +That call to srand (1) broke repeatability for code calling +srand with a non-random seed prior to parsing with Expat, +and (2) resulted in a rather small set of hashing salts in +Expat in total. + +For a short- to mid-term fix, the new approach avoids calling +srand altogether, extracts more entropy out of the clock and +other sources, too. + +For a long term fix, we may want to read sizeof(long) bytes +from a source like getrandom(..) on Linux, and from similar +sources on other supported architectures. 
+ +https://bugzilla.redhat.com/show_bug.cgi?id=1197087 +--- + CMakeLists.txt | 3 +++ + lib/xmlparse.c | 48 +++++++++++++++++++++++++++++++++++++++++------- + 2 files changed, 44 insertions(+), 7 deletions(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 353627e..524d514 100755 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -41,6 +41,9 @@ include_directories(${CMAKE_BINARY_DIR} ${CMAKE_SOURCE_DIR}/lib) + if(MSVC) + add_definitions(-D_CRT_SECURE_NO_WARNINGS -wd4996) + endif(MSVC) ++if(WIN32) ++ add_definitions(-DCOMPILED_FROM_DSP) ++endif(WIN32) + + set(expat_SRCS + lib/xmlparse.c +diff --git a/lib/xmlparse.c b/lib/xmlparse.c +index e308c79..c5f942f 100644 +--- a/lib/xmlparse.c ++++ b/lib/xmlparse.c +@@ -6,7 +6,14 @@ + #include /* memset(), memcpy() */ + #include + #include /* UINT_MAX */ +-#include /* time() */ ++ ++#ifdef COMPILED_FROM_DSP ++#define getpid GetCurrentProcessId ++#else ++#include /* gettimeofday() */ ++#include /* getpid() */ ++#include /* getpid() */ ++#endif + + #define XML_BUILDING_EXPAT 1 + +@@ -432,7 +439,7 @@ static ELEMENT_TYPE * + getElementType(XML_Parser parser, const ENCODING *enc, + const char *ptr, const char *end); + +-static unsigned long generate_hash_secret_salt(void); ++static unsigned long generate_hash_secret_salt(XML_Parser parser); + static XML_Bool startParsing(XML_Parser parser); + + static XML_Parser +@@ -691,11 +698,38 @@ static const XML_Char implicitContext[] = { + }; + + static unsigned long +-generate_hash_secret_salt(void) ++gather_time_entropy(void) + { +- unsigned int seed = time(NULL) % UINT_MAX; +- srand(seed); +- return rand(); ++#ifdef COMPILED_FROM_DSP ++ FILETIME ft; ++ GetSystemTimeAsFileTime(&ft); /* never fails */ ++ return ft.dwHighDateTime ^ ft.dwLowDateTime; ++#else ++ struct timeval tv; ++ int gettimeofday_res; ++ ++ gettimeofday_res = gettimeofday(&tv, NULL); ++ assert (gettimeofday_res == 0); ++ ++ /* Microseconds time is <20 bits entropy */ ++ return tv.tv_usec; ++#endif ++} ++ ++static 
unsigned long ++generate_hash_secret_salt(XML_Parser parser) ++{ ++ /* Process ID is 0 bits entropy if attacker has local access ++ * XML_Parser address is few bits of entropy if attacker has local access */ ++ const unsigned long entropy = ++ gather_time_entropy() ^ getpid() ^ (unsigned long)parser; ++ ++ /* Factors are 2^31-1 and 2^61-1 (Mersenne primes M31 and M61) */ ++ if (sizeof(unsigned long) == 4) { ++ return entropy * 2147483647; ++ } else { ++ return entropy * 2305843009213693951; ++ } + } + + static XML_Bool /* only valid for root parser */ +@@ -703,7 +737,7 @@ startParsing(XML_Parser parser) + { + /* hash functions must be initialized before setContext() is called */ + if (hash_secret_salt == 0) +- hash_secret_salt = generate_hash_secret_salt(); ++ hash_secret_salt = generate_hash_secret_salt(parser); + if (ns) { + /* implicit context only set for root parser, since child + parsers (i.e. external entity parsers) will inherit it +-- +2.8.2 + diff --git a/gnu/packages/xml.scm b/gnu/packages/xml.scm index dc5c60dca8..d5967f7966 100644 --- a/gnu/packages/xml.scm +++ b/gnu/packages/xml.scm @@ -69,7 +69,8 @@ things the parser might find in the XML document (like start tags).") (inherit expat) (source (origin (inherit (package-source expat)) - (patches (search-patches "expat-CVE-2015-1283.patch" + (patches (search-patches "expat-CVE-2012-6702-and-CVE-2016-5300.patch" + "expat-CVE-2015-1283.patch" "expat-CVE-2015-1283-refix.patch" "expat-CVE-2016-0718.patch")))))) -- cgit v1.2.3
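Review bot: The salt computed by the new `generate_hash_secret_salt` in lib/xmlparse.c stays guessable by a local attacker: by the patch's own comments `tv_usec` contributes under 20 bits, `getpid()` is 0 bits locally and the parser address only a few, and multiplying by the odd constants `2147483647` / `2305843009213693951` is a bijection on `unsigned long`, so it spreads those bits but adds none. The patch header itself calls this a short- to mid-term fix and names `getrandom()` as the long-term one, so the Guix patch header should state that it removes the `srand` side effect (CVE-2012-6702) but leaves hash-collision resistance resting on callers seeding via `XML_SetHashSalt` with OS randomness before parsing. In `gather_time_entropy`, `assert (gettimeofday_res == 0)` is compiled out under `NDEBUG`, leaving `gettimeofday_res` unused and a failing call unnoticed; checking the return value directly, e.g. `if (gettimeofday(&tv, NULL) != 0) tv.tv_usec = 0;` with a comment that the other entropy sources still apply, would be more robust for a value used as a security salt.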