Commit graph

28 commits

Author SHA1 Message Date
ryoon
72c3cb198b Recursive revbump from fonts/harfbuzz 2017-02-12 06:24:36 +00:00
maya
c808c59f3d firefox45: make oss audio not overflow (sound like crap) when playing
bass-heavy sounds, similar to the change made to www/firefox.

put this patch in files/ because it's the right thing and also because
I'm struggling to make changes to the patch, possibly my moving the
location of EOF so the patch doesn't apply fully (guessing)

PKGREVISION->2
2017-02-08 07:32:01 +00:00
wiz
7ac05101c6 Recursive bump for harfbuzz's new graphite2 dependency. 2017-02-06 13:54:36 +00:00
ryoon
e2b8856b4a Update 45.7.0
Security fixes:
#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
#CVE-2017-5376: Use-after-free in XSL
#CVE-2017-5378: Pointer and frame data leakage of Javascript objects
#CVE-2017-5380: Potential use-after-free during DOM manipulations
#CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
#CVE-2017-5396: Use-after-free with Media Decoder
#CVE-2017-5383: Location bar spoofing with unicode characters
#CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
#CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
2017-01-27 13:43:41 +00:00
ryoon
f62b809c5a Recursive revbump from audio/pulseaudio-10.0 2017-01-21 20:06:44 +00:00
ryoon
a5df064835 Fix an insecure connection error in HTTP2 case with devel/nss-3.28 or later
Bump PKGREVISION
2017-01-20 15:03:36 +00:00
wiz
c761d409e7 Recursive bump for libvpx shlib major change. 2017-01-16 23:45:10 +00:00
ryoon
2a0773c14c Update to 45.6.0
Chagnelog:
Security vulnerabilities fixed in Firefox ESR 45.6
 #CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
 #CVE-2016-9895: CSP bypass using marquee tag
 #CVE-2016-9897: Memory corruption in libGLES
 #CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
 #CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
 #CVE-2016-9904: Cross-origin information leak in shared atoms
 #CVE-2016-9905: Crash in EnumerateSubDocuments
 #CVE-2016-9901: Data from Pocket server improperly sanitized before execution
 #CVE-2016-9902: Pocket extension does not validate the origin of events
 #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
2017-01-02 17:45:12 +00:00
wiz
7f84153239 Add python-3.6 to incompatible versions. 2017-01-01 14:43:22 +00:00
ryoon
36ed025474 Recursive revbump from textproc/icu 58.1 2016-12-04 05:17:03 +00:00
ryoon
d212624b60 Update to 45.5.1
Changelog:
45.5.1:
 #CVE-2016-9079: Use-after-free in SVG Animation

45.5.0:
 #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
 #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
 #CVE-2016-5294: Arbitrary target directory for result files of update process
 #CVE-2016-5297: Incorrect argument length checking in JavaScript
 #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
 #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
 #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
 #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
2016-12-03 10:19:29 +00:00
riastradh
98f240983a Add a debug-only file to PLIST. 2016-11-07 03:52:24 +00:00
ryoon
34d503aa8e Update to 45.4.0
Changelog:
Security vulnerabilities fixed in Firefox ESR 45.4

Announced
    September 13, 2016
Impact
    Critical
Products
    Firefox ESR
Fixed in

        Firefox ESR 45.4

Description

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting a aria-owns attribute [1287721]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A user-after-free vulnerability with web animations when destroying a timeline [1291665]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]

CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Multiple people
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]

CVE-2016-5250 - Resource Timing API is storing resources sent by the previous page [moderate]
Reporter: Catalin Dumitru
Description: URLs of resources loaded after a navigation started can leak to the following page through the Resource Timing API, leading to potential information disclosure. [1254688]

CVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel [high]
Reporter: Samuel Groß
Description: An integer overflow error in WebSockets during data buffering on incoming packets resulting in attacker controlled data being written at a known offset in the allocated buffer. [1287266]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
2016-09-21 11:51:14 +00:00
maya
0b95a993ed Another paxctl +m needed, lib/firefox45/firefox 2016-08-20 23:17:00 +00:00
ryoon
82f67120a8 Recursive revbump from multimedia/libvpx uppdate 2016-08-17 00:06:39 +00:00
ryoon
2fdb6b5840 Update to 45.3.0
Changelog:

Fixed Various stability fixes

Fixed in Firefox ESR 45.3
    2016-80 Same-origin policy violation using local HTML file and saved shortcut file
    2016-79 Use-after-free when applying SVG effects
    2016-78 Type confusion in display transformation
    2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
    2016-76 Scripts on marquee tag can execute in sandboxed iframes
    2016-73 Use-after-free in service workers with nested sync events
    2016-72 Use-after-free in DTLS during WebRTC session shutdown
    2016-70 Use-after-free when using alt key and toplevel menus
    2016-67 Stack underflow during 2D graphics rendering
    2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    2016-64 Buffer overflow rendering SVG with bidirectional content
    2016-63 Favicon network connection can persist when page is closed
    2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
2016-08-11 04:24:03 +00:00
ryoon
e37b97fe3c Recursive revbump from audio/pulseaudio 2016-08-04 17:03:30 +00:00
adam
77b8ed74db Revbump after graphics/gd update 2016-08-03 10:22:08 +00:00
wiz
ad0031c15e Remove python33: adapt all packages that refer to it. 2016-07-09 13:03:30 +00:00
wiz
73716d23de Bump PKGREVISION for perl-5.24.0 for everything mentioning perl. 2016-07-09 06:38:30 +00:00
ryoon
663b500e29 Update to 45.2.0
Changelog:
Fixed
    Graphics-related crashes (Bugs 1261320, 1224199)
    Various security fixes
    Unicode support for AutoConfig API (Bug 1271032)
    Web compatibility fix for addEventListener API (Bug 1266194)

Fixed in Firefox ESR 45.2
    2016-58 Entering fullscreen and persistent pointerlock without user permission
    2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
    2016-55 File overwrite and privilege escalation through Mozilla Windows updater
    2016-53 Out-of-bounds write with WebGL shader
    2016-52 Addressbar spoofing though the SELECT element
    2016-51 Use-after-free deleting tables from a contenteditable document
    2016-50 Buffer overflow parsing HTML5 fragments
    2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
2016-06-19 06:24:09 +00:00
wiz
64215c3066 Allow gmake 4.2 again (now that the problem is fixed in 4.2nb1) 2016-05-31 11:45:10 +00:00
tnn
c1e84cc1f8 add tool dependency pattern of gmake less than 4.2 due to mozilla bug 1275547 2016-05-31 06:30:30 +00:00
snj
e07e82e0ec fix PLIST when the official-mozilla-branding option is enabled 2016-05-19 20:15:56 +00:00
ryoon
2bebf440a5 Update to 45.1.1
Changelog:
Fixed
    Build issue when jit is disabled (Bug 1266366)

    Add-on signing certificate expiration (Bug 1267318)

    Graphics-related shutdown crash (Bug 1261321)
2016-05-05 11:51:24 +00:00
ryoon
3ecf036ad3 Regen a patch for renamed file 2016-05-04 09:50:55 +00:00
ryoon
8778a94953 Remove unused patch. 2016-05-04 09:41:55 +00:00
ryoon
9afab81d6a Import firefox45-45.1.0 as www/firefox45.
Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.

It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.

Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.

This package tracks Firefox 45 ESR branch.

Changelog from www/firefox 45.0.2:
Fixed in Firefox ESR 45.1
    2016-47 Write to invalid HashMap entry through JavaScript.watch()
    2016-44 Buffer overflow in libstagefright with CENC offsets
    2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
2016-04-27 16:36:50 +00:00