Security Vulnerabilities fixed in Firefox ESR 68.12
#CVE-2020-15663: Downgrade attack on the Mozilla Maintenance Service could
have resulted in escalation of privilege
#CVE-2020-15664: Attacker-induced prompt for extension installation
#CVE-2020-15669: Use-After-Free when aborting an operation
Security Vulnerabilities fixed in Firefox ESR 68.11
#CVE-2020-15652: Potential leak of redirect targets when loading scripts in
a worker
#CVE-2020-6514: WebRTC data channel leaks internal address to peer
#CVE-2020-6463: Use-after-free in ANGLE
gl::Texture::onUnbindAsSamplerTexture
#CVE-2020-15650: Overwriting local files through malicious file picker
application
#CVE-2020-15649: Exfiltrating local files through malicious file picker
application
#CVE-2020-15659: Memory safety bugs fixed in Firefox 79 and Firefox ESR
68.11
For anyone curious about the delay: apparently, my ccache cache
was corrupted so the build was failing. *sigh* that won't be a problem
soon...
Security Vulnerabilities fixed in Firefox ESR 68.10
#CVE-2020-12417: Memory corruption due to missing sign-extension for
ValueTags on ARM64
#CVE-2020-12418: Information disclosure due to manipulated URL object
#CVE-2020-12419: Use-after-free in nsGlobalWindowInner
#CVE-2020-12420: Use-After-Free when trying to connect to a STUN server
#CVE-2020-12421: Add-On updates did not respect the same certificate trust
rules as software updates
This was working around the lack of pshared semaphores on older NetBSD
releases, and restrictions on which process can destroy semaphores
on newer NetBSD releases.
However, we've switched to a new NetBSD-exclusive hack in www/firefox
where we force the use of the tiled rendering mode. This copies what
Firefox does on macOS, which has similar limitations on cross-process
semaphores. The discovery of this was a joint effort between maya
and me.
This avoids several bugs:
1) Multiprocess mode being outright broken on older NetBSD releases
2) Multiprocess mode leaking semaphores and eventually hitting open
file limits on newer NetBSD releases
Bump PKGREVISION
This allows rust-bin and rust to coexist in bulk builds (for testing, etc),
but the packages still may not be installed at the same time.
rust.mk as a solution for picking the correct rust variant was suggested
by gdt@. It is intended to be included directly by packages that do not
use cargo.mk, and indirectly by packages that do use cargo.mk.
rust.mk provides one user-settable variable:
RUST_TYPE
    as before, whether to bootstrap rust from source or use
    official binaries. may be "src" or "bin"
And two package-settable variables:
RUST_REQ
    the minimum version of Rust required by the package.
    defaults to "1.20.0"
RUST_RUNTIME
    whether Rust is a runtime dependency, may be "yes" or "no"
Security Vulnerabilities fixed in Firefox ESR 68.9
#CVE-2020-12399: Timing attack on DSA signatures in NSS library
#CVE-2020-12405: Use-after-free in SharedWorkerService
#CVE-2020-12406: JavaScript Type confusion with NativeTypes
#CVE-2020-12410: Memory safety bugs fixed in Firefox 77 and Firefox ESR 68.9
Security Vulnerabilities fixed in Firefox ESR 68.8
#CVE-2020-12387: Use-after-free during worker shutdown
#CVE-2020-12388: Sandbox escape with improperly guarded Access Tokens
#CVE-2020-12389: Sandbox escape with improperly separated process types
#CVE-2020-6831: Buffer overflow in SCTP chunk input validation
#CVE-2020-12392: Arbitrary local file access with 'Copy as cURL'
#CVE-2020-12393: Devtools' 'Copy as cURL' feature did not fully escape
website-controlled data, potentially leading to command injection
#CVE-2020-12395: Memory safety bugs fixed in Firefox 76 and Firefox ESR 68.8
Otherwise configure gets confused if SHELL happens to be unset in
the environment, e.g. if you always do builds with `env -i
PATH=/bin:/usr/bin:$PREFIX/bin bmake ...'.
Security Vulnerabilities fixed in Firefox ESR 68.7
#CVE-2020-6828: Preference overwrite via crafted Intent from malicious
Android application
#CVE-2020-6827: Custom Tabs in Firefox for Android could have the URI
spoofed
#CVE-2020-6821: Uninitialized memory could be read when using the WebGL
copyTexSubImage method
#CVE-2020-6822: Out of bounds write in GMPDecodeData when processing large
images
#CVE-2020-6825: Memory safety bugs fixed in Firefox 75 and Firefox ESR 68.7
Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1
#CVE-2020-6819: Use-after-free while running the nsDocShell destructor
#CVE-2020-6820: Use-after-free when handling a ReadableStream
While here,
- Remove OSS support now that cubeb_sun has been stable for a long while
- Appease pkglint
Security fixes in this release:
#CVE-2020-6805: Use-after-free when removing data about origins
#CVE-2020-6806: BodyStream::OnInputStreamReady was missing protections
#CVE-2020-6807: Use-after-free in cubeb during stream destruction
#CVE-2020-6811: Devtools' 'Copy as cURL' feature did not fully escape
#CVE-2019-20503: Out of bounds reads in sctp_load_addresses_from_init
#CVE-2020-6812: The names of AirPods with personally identifiable
#CVE-2020-6814: Memory safety bugs fixed in Firefox 74 and Firefox ESR 68.6
Security Vulnerabilities fixed in Firefox ESR 68.5
# CVE-2020-6796: Missing bounds check on shared memory read in the parent process
# CVE-2020-6797: Extensions granted downloads.open permission could open arbitrary applications on Mac OSX
# CVE-2020-6798: Incorrect parsing of template tag could result in JavaScript injection
# CVE-2020-6799: Arbitrary code execution when opening pdf links from other applications, when Firefox is configured as default pdf reader
Note: This issue only affects Windows operating systems and when Firefox is configured as the default handler for non-default filetypes. Other operating systems are unaffected.
# CVE-2020-6800: Memory safety bugs fixed in Firefox 73 and Firefox ESR 68.5
This release fixes one zero-day vulnerability:
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.
We are aware of targeted attacks in the wild abusing this flaw.
Security Vulnerabilities fixed in Firefox ESR 68.4:
# CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
# CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
# CVE-2019-17017: Type Confusion in XPCVariant.cpp
# CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
# CVE-2019-17022: CSS sanitization does not escape HTML tags
# CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4
firefox68 tries to use pkg-build-options to find out if gtk3 was (or
will be) built with wayland, as that affects the PLIST. The current
code works for some and causes failures for others, including failures
of thunderbird. pkg-build-options insists on only being called from
bl3, but the use in Makefile (to manage PLIST changes) seems sensible.
This commit removes the use of pkg-build-options, resolving the build
issues on netbsd-8, and adds a default-off wayland option to firefox68
that merely adjusts the PLIST, so that people building firefox68 with
a wayland-enabled gtk3 have an easier time.
I don't believe that any default-option binary packages will change,
so no PKGREVISION++.
A proper fix is deferred until after the branch. This could involve
allowing pkg-build-options to be used in Makefile* instead of only
bl3, or adding wayland detection and setting some variable to gtk3's
bl3.
As discussed on pkgsrc-users and offlist with nia@.