Commit graph

36 commits

Author SHA1 Message Date
ryoon
b9c1e1d533 Recursive revbump from textproc/icu-62.1 2018-07-20 03:33:47 +00:00
ryoon
4fea36abc2 Recursive revbump from audio/pulseaudio 2018-07-06 15:06:40 +00:00
wiz
8ee21bdcf0 Recursive bump for new fribidi dependency in pango. 2018-04-16 14:33:44 +00:00
adam
299d329d51 revbump after icu update 2018-04-14 07:33:52 +00:00
wiz
c57215a7b2 Recursive bumps for fontconfig and libzip dependency changes. 2018-03-12 11:15:24 +00:00
wiz
bff4597ffc Bump PKGREVISION for gdbm shlib major bump 2018-01-28 20:10:34 +00:00
wiz
20f7c989fe recursive bump for libxkbcommon removal from at-spi2-core 2017-11-23 17:19:40 +00:00
ryoon
5bd9ca4ef6 Recursive revbump from audio/pulseaudio-11.0 2017-09-08 02:38:35 +00:00
maya
1a4faeeb94 firefox{,45,52}: bump pkgrevision with no change.
these packages pull in GCC_REQD+=4.9 via mozilla-common.mk, and
are very widely used (I suspect only www/firefox actually needs it)

this will take care of most of the fallout from major bumping
pkgsrc-gcc-libstdc++ to 7 on netbsd. these are the most widely
used packages setting GCC_REQD>4.8.
2017-07-09 09:04:00 +00:00
khorben
707879c0ec Add dependency to multimedia/ffmpeg3
This fixes audio and H.264 support. From ryoon@ originally, on 46.0nb1 at
the time.

"commit" maya@
2017-05-13 02:34:30 +00:00
khorben
515f006dc5 Register more binaries as not safe for PaX mprotect
This also reflects the current situation in www/firefox.

Bumps PKGREVISION.
2017-05-12 20:21:27 +00:00
ryoon
26c992fb62 Update to 45.9.0
Changelog:
Security fixes:
 #CVE-2017-5433: Use-after-free in SMIL animation functions
 #CVE-2017-5435: Use-after-free during transaction processing in the editor
 #CVE-2017-5436: Out-of-bounds write with malicious font in Graphite 2
 #CVE-2017-5461: Out-of-bounds write in Base64 encoding in NSS
 #CVE-2017-5459: Buffer overflow in WebGL
 #CVE-2017-5434: Use-after-free during focus handling
 #CVE-2017-5432: Use-after-free in text input selection
 #CVE-2017-5460: Use-after-free in frame selection
 #CVE-2017-5438: Use-after-free in nsAutoPtr during XSLT processing
 #CVE-2017-5439: Use-after-free in nsTArray Length() during XSLT processing
 #CVE-2017-5440: Use-after-free in txExecutionState destructor during XSLT processing
 #CVE-2017-5441: Use-after-free with selection during scroll events
 #CVE-2017-5442: Use-after-free during style changes
 #CVE-2017-5464: Memory corruption with accessibility and DOM manipulation
 #CVE-2017-5443: Out-of-bounds write during BinHex decoding
 #CVE-2017-5444: Buffer overflow while parsing application/http-index-format content
 #CVE-2017-5446: Out-of-bounds read when HTTP/2 DATA frames are sent with incorrect data
 #CVE-2017-5447: Out-of-bounds read during glyph processing
 #CVE-2017-5465: Out-of-bounds read in ConvolvePixel
 #CVE-2017-5448: Out-of-bounds write in ClearKeyDecryptor
 #CVE-2016-10196: Vulnerabilities in Libevent library
 #CVE-2017-5469: Potential Buffer overflow in flex-generated code
 #CVE-2017-5445: Uninitialized values used while parsing application/http-index-format content
 #CVE-2017-5462: DRBG flaw in NSS
 #CVE-2017-5429: Memory safety bugs fixed in Firefox 53, Firefox ESR 45.9, and Firefox ESR 52.1
2017-05-10 14:13:26 +00:00
adam
75a9285105 Revbump after icu update 2017-04-22 21:03:07 +00:00
ryoon
1eb2510f29 Remove PKGREVISION 2017-03-26 03:54:37 +00:00
ryoon
46e631bcd8 Update to 45.8.0
Changelog:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
2017-03-26 03:53:34 +00:00
ryoon
72c3cb198b Recursive revbump from fonts/harfbuzz 2017-02-12 06:24:36 +00:00
maya
c808c59f3d firefox45: make oss audio not overflow (sound like crap) when playing
bass-heavy sounds, similar to the change made to www/firefox.

put this patch in files/ because it's the right thing and also because
I'm struggling to make changes to the patch, possibly my moving the
location of EOF so the patch doesn't apply fully (guessing)

PKGREVISION->2
2017-02-08 07:32:01 +00:00
wiz
7ac05101c6 Recursive bump for harfbuzz's new graphite2 dependency. 2017-02-06 13:54:36 +00:00
ryoon
e2b8856b4a Update 45.7.0
Security fixes:
#CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
#CVE-2017-5376: Use-after-free in XSL
#CVE-2017-5378: Pointer and frame data leakage of Javascript objects
#CVE-2017-5380: Potential use-after-free during DOM manipulations
#CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
#CVE-2017-5396: Use-after-free with Media Decoder
#CVE-2017-5383: Location bar spoofing with unicode characters
#CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
#CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
2017-01-27 13:43:41 +00:00
ryoon
f62b809c5a Recursive revbump from audio/pulseaudio-10.0 2017-01-21 20:06:44 +00:00
ryoon
a5df064835 Fix an insecure connection error in HTTP2 case with devel/nss-3.28 or later
Bump PKGREVISION
2017-01-20 15:03:36 +00:00
wiz
c761d409e7 Recursive bump for libvpx shlib major change. 2017-01-16 23:45:10 +00:00
ryoon
2a0773c14c Update to 45.6.0
Chagnelog:
Security vulnerabilities fixed in Firefox ESR 45.6
 #CVE-2016-9899: Use-after-free while manipulating DOM events and audio elements
 #CVE-2016-9895: CSP bypass using marquee tag
 #CVE-2016-9897: Memory corruption in libGLES
 #CVE-2016-9898: Use-after-free in Editor while manipulating DOM subtrees
 #CVE-2016-9900: Restricted external resources can be loaded by SVG images through data URLs
 #CVE-2016-9904: Cross-origin information leak in shared atoms
 #CVE-2016-9905: Crash in EnumerateSubDocuments
 #CVE-2016-9901: Data from Pocket server improperly sanitized before execution
 #CVE-2016-9902: Pocket extension does not validate the origin of events
 #CVE-2016-9893: Memory safety bugs fixed in Firefox 50.1 and Firefox ESR 45.6
2017-01-02 17:45:12 +00:00
ryoon
36ed025474 Recursive revbump from textproc/icu 58.1 2016-12-04 05:17:03 +00:00
ryoon
d212624b60 Update to 45.5.1
Changelog:
45.5.1:
 #CVE-2016-9079: Use-after-free in SVG Animation

45.5.0:
 #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
 #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
 #CVE-2016-5294: Arbitrary target directory for result files of update process
 #CVE-2016-5297: Incorrect argument length checking in JavaScript
 #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
 #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
 #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
 #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
2016-12-03 10:19:29 +00:00
ryoon
34d503aa8e Update to 45.4.0
Changelog:
Security vulnerabilities fixed in Firefox ESR 45.4

Announced
    September 13, 2016
Impact
    Critical
Products
    Firefox ESR
Fixed in

        Firefox ESR 45.4

Description

CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString [high]
Reporter: Atte Kettunen
Description: An out-of-bounds write of a boolean value during text conversion with some unicode characters. [1291016]

CVE-2016-5272 - Bad cast in nsImageGeometryMixin [high]
Reporter: Abhishek Arya
Description: A bad cast when processing layout with input elements can result in a potentially exploitable crash. [1297934]

CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList [high]
Reporter: Nils
Description: A use-after-free vulnerability triggered by setting a aria-owns attribute [1287721]

CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState [high]
Reporter: Nils
Description: A use-after-free issue in web animations during restyling. [1282076]

CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick [high]
Reporter: Nils
Description: A user-after-free vulnerability with web animations when destroying a timeline [1291665]

CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame [critical]
Reporter: Nils
Description: A potentially exploitable crash caused by a buffer overflow while encoding image frames to images [1294677]

CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap [high]
Reporter: Mei Wang
Description: Use-after-free vulnerability when changing text direction [1289970]

CVE-2016-5281 - use-after-free in DOMSVGLength [high]
Reporter: Brian Carpenter
Description: Use-after-free vulnerability when manipulating SVG format content through script [1284690]

CVE-2016-5284 - Add-on update site certificate pin expiration [high]
Reporter: Multiple people
Description: Due to flaws in the process we used to update "Preloaded Public Key Pinning" in our releases, the pinning for add-on updates became ineffective in early September. An attacker who was able to get a mis-issued certificate for a Mozilla web site could send malicious add-on updates to users on networks controlled by the attacker. Users who have not installed any add-ons are not affected. [1303127]

CVE-2016-5250 - Resource Timing API is storing resources sent by the previous page [moderate]
Reporter: Catalin Dumitru
Description: URLs of resources loaded after a navigation started can leak to the following page through the Resource Timing API, leading to potential information disclosure. [1254688]

CVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel [high]
Reporter: Samuel Groß
Description: An integer overflow error in WebSockets during data buffering on incoming packets resulting in attacker controlled data being written at a known offset in the allocated buffer. [1287266]

CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4 [critical]
Reporter: Mozilla developers
Description: Mozilla developers and community members Christoph Diehl, Andrew McCreight, Dan Minor, Byron Campen, Jon Coppeard, Steve Fink, Tyson Smith, Philipp, and Carsten Book reported memory safety bugs present in Firefox 48 and Firefox ESR 45.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort at least some of these could be exploited to run arbitrary code. [Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4]
2016-09-21 11:51:14 +00:00
maya
0b95a993ed Another paxctl +m needed, lib/firefox45/firefox 2016-08-20 23:17:00 +00:00
ryoon
82f67120a8 Recursive revbump from multimedia/libvpx uppdate 2016-08-17 00:06:39 +00:00
ryoon
2fdb6b5840 Update to 45.3.0
Changelog:

Fixed Various stability fixes

Fixed in Firefox ESR 45.3
    2016-80 Same-origin policy violation using local HTML file and saved shortcut file
    2016-79 Use-after-free when applying SVG effects
    2016-78 Type confusion in display transformation
    2016-77 Buffer overflow in ClearKey Content Decryption Module (CDM) during video playback
    2016-76 Scripts on marquee tag can execute in sandboxed iframes
    2016-73 Use-after-free in service workers with nested sync events
    2016-72 Use-after-free in DTLS during WebRTC session shutdown
    2016-70 Use-after-free when using alt key and toplevel menus
    2016-67 Stack underflow during 2D graphics rendering
    2016-65 Cairo rendering crash due to memory allocation issue with FFmpeg 0.10
    2016-64 Buffer overflow rendering SVG with bidirectional content
    2016-63 Favicon network connection can persist when page is closed
    2016-62 Miscellaneous memory safety hazards (rv:48.0 / rv:45.3)
2016-08-11 04:24:03 +00:00
ryoon
e37b97fe3c Recursive revbump from audio/pulseaudio 2016-08-04 17:03:30 +00:00
adam
77b8ed74db Revbump after graphics/gd update 2016-08-03 10:22:08 +00:00
wiz
73716d23de Bump PKGREVISION for perl-5.24.0 for everything mentioning perl. 2016-07-09 06:38:30 +00:00
ryoon
663b500e29 Update to 45.2.0
Changelog:
Fixed
    Graphics-related crashes (Bugs 1261320, 1224199)
    Various security fixes
    Unicode support for AutoConfig API (Bug 1271032)
    Web compatibility fix for addEventListener API (Bug 1266194)

Fixed in Firefox ESR 45.2
    2016-58 Entering fullscreen and persistent pointerlock without user permission
    2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
    2016-55 File overwrite and privilege escalation through Mozilla Windows updater
    2016-53 Out-of-bounds write with WebGL shader
    2016-52 Addressbar spoofing though the SELECT element
    2016-51 Use-after-free deleting tables from a contenteditable document
    2016-50 Buffer overflow parsing HTML5 fragments
    2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
2016-06-19 06:24:09 +00:00
ryoon
2bebf440a5 Update to 45.1.1
Changelog:
Fixed
    Build issue when jit is disabled (Bug 1266366)

    Add-on signing certificate expiration (Bug 1267318)

    Graphics-related shutdown crash (Bug 1261321)
2016-05-05 11:51:24 +00:00
ryoon
8778a94953 Remove unused patch. 2016-05-04 09:41:55 +00:00
ryoon
9afab81d6a Import firefox45-45.1.0 as www/firefox45.
Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.

It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.

Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.

This package tracks Firefox 45 ESR branch.

Changelog from www/firefox 45.0.2:
Fixed in Firefox ESR 45.1
    2016-47 Write to invalid HashMap entry through JavaScript.watch()
    2016-44 Buffer overflow in libstagefright with CENC offsets
    2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
2016-04-27 16:36:50 +00:00