head	1.2;
access;
symbols
	pkgsrc-2020Q3:1.1.0.18
	pkgsrc-2020Q3-base:1.1
	pkgsrc-2020Q2:1.1.0.16
	pkgsrc-2020Q2-base:1.1
	pkgsrc-2020Q1:1.1.0.12
	pkgsrc-2020Q1-base:1.1
	pkgsrc-2019Q4:1.1.0.14
	pkgsrc-2019Q4-base:1.1
	pkgsrc-2019Q3:1.1.0.10
	pkgsrc-2019Q3-base:1.1
	pkgsrc-2019Q2:1.1.0.8
	pkgsrc-2019Q2-base:1.1
	pkgsrc-2019Q1:1.1.0.6
	pkgsrc-2019Q1-base:1.1
	pkgsrc-2018Q4:1.1.0.4
	pkgsrc-2018Q4-base:1.1
	pkgsrc-2018Q3:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2020.11.11.09.52.00;	author nia;	state dead;
branches;
next	1.1;
commitid	CwfADKOANACW8svC;

1.1
date	2018.10.03.18.58.22;	author maya;	state Exp;
branches
	1.1.2.1;
next	;
commitid	YBHT8w5MUzMCUxUA;

1.1.2.1
date	2018.10.03.18.58.22;	author spz;	state dead;
branches;
next	1.1.2.2;
commitid	kts1c2GLh7ySj1VA;

1.1.2.2
date	2018.10.07.11.32.06;	author spz;	state Exp;
branches;
next	;
commitid	kts1c2GLh7ySj1VA;


desc
@@


1.2
log
@Remove spidermonkey52 - it's no longer used.
@
text
@$NetBSD: patch-CVE-2018-12387,v 1.1 2018/10/03 18:58:22 maya Exp $

From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
From: Jan de Mooij Date: Tue, 25 Sep 2018 12:33:42 +0200 Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell CVE-2018-12387 --- js/src/jit/MCallOptimize.cpp.orig 2018-04-28 01:04:03.000000000 +0000 +++ js/src/jit/MCallOptimize.cpp @@@@ -818,6 +818,12 @@@@ IonBuilder::inlineArraySlice(CallInfo& c return InliningStatus_NotInlined; } + // XXX bug 1493903. + if (callInfo.argc() != 1) { + trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm); + return InliningStatus_NotInlined; + } + MDefinition* obj = convertUnboxedObjects(callInfo.thisArg()); // Ensure |this| and result are objects. @ 1.1 log @spidermonkey52: backport patch for CVE-2018-12387 Don't inline push with more than 1 argument A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process. 
Bump PKGREVISION
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-CVE-2018-12387 was added on branch pkgsrc-2018Q3 on 2018-10-07 11:32:06 +0000
@
text
@d1 25
@


1.1.2.2
log
@Pullup ticket #5839 - requested by maya
lang/spidermonkey52: security update
www/firefox-l10n: security update
www/firefox: security update

Revisions pulled up:
- lang/spidermonkey52/Makefile                                  1.10
- lang/spidermonkey52/distinfo                                  1.5
- lang/spidermonkey52/patches/patch-CVE-2018-12387              1.1
- www/firefox-l10n/Makefile                                     1.133
- www/firefox-l10n/distinfo                                     1.123
- www/firefox/Makefile                                          1.344
- www/firefox/distinfo                                          1.326

-------------------------------------------------------------------
Module Name:	pkgsrc
Committed By:	maya
Date:		Wed Oct 3 17:30:30 UTC 2018

Modified Files:
	pkgsrc/www/firefox: Makefile distinfo

Log Message:
firefox: update to 62.0.3

Fixed hangs on macOS Mojave (10.14) when various dialog windows (upload, download, print, etc) are activated (bug 1489785)
Fixed playback of some encrypted video streams on macOS (bug 1491940)
Unvisited bookmarks can once again be autofilled in the address bar (bug 1488879)
WebGL rendering issues (bug 1489099)
Updates from unpacked language packs no longer break the browser (bug 1488934)
Fix fallback on startup when a language pack is missing (bug 1492459)
Profile refresh from the Windows stub installer restarts the browser (bug 1491999)
Properly restore window size and position when restarting on Windows (bugs 1489214 and 1489852)
Avoid crash when sharing a profile with newer (as yet unreleased) versions of Firefox (bug 1490585)
Do not undo removal of search engines when using a language pack (bug 1489820)
Fixed rendering of some web sites (bug 1421885)
Restored compatibility with some sites using deprecated TLS settings (bug 1487517)
Fix screen share on MacOS when using multiple monitors (bug 1487419)

CVE-2018-12386: Type confusion in JavaScript
CVE-2018-12387:
CVE-2018-12385: Crash in TransportSecurityInfo due to cached data


To generate a diff of this commit:
cvs rdiff -u -r1.343 -r1.344 pkgsrc/www/firefox/Makefile
cvs rdiff -u -r1.325 -r1.326 pkgsrc/www/firefox/distinfo

-------------------------------------------------------------------
Module Name:	pkgsrc
Committed By:	maya
Date:		Wed Oct 3 17:31:07 UTC 2018

Modified Files:
	pkgsrc/www/firefox-l10n: Makefile distinfo

Log Message:
firefox-l10n: catch up to www/firefox update.


To generate a diff of this commit:
cvs rdiff -u -r1.132 -r1.133 pkgsrc/www/firefox-l10n/Makefile
cvs rdiff -u -r1.122 -r1.123 pkgsrc/www/firefox-l10n/distinfo

-------------------------------------------------------------------
Module Name:	pkgsrc
Committed By:	maya
Date:		Wed Oct 3 18:58:23 UTC 2018

Modified Files:
	pkgsrc/lang/spidermonkey52: Makefile distinfo
Added Files:
	pkgsrc/lang/spidermonkey52/patches: patch-CVE-2018-12387

Log Message:
spidermonkey52: backport patch for CVE-2018-12387

Don't inline push with more than 1 argument

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process.

Bump PKGREVISION


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.10 pkgsrc/lang/spidermonkey52/Makefile
cvs rdiff -u -r1.4 -r1.5 pkgsrc/lang/spidermonkey52/distinfo
cvs rdiff -u -r0 -r1.1 \
    pkgsrc/lang/spidermonkey52/patches/patch-CVE-2018-12387
@
text
@a0 25
$NetBSD$

From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
From: Jan de Mooij Date: Tue, 25 Sep 2018 12:33:42 +0200 Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument. r=tcampbell CVE-2018-12387 --- js/src/jit/MCallOptimize.cpp.orig 2018-04-28 01:04:03.000000000 +0000 +++ js/src/jit/MCallOptimize.cpp @@@@ -818,6 +818,12 @@@@ IonBuilder::inlineArraySlice(CallInfo& c return InliningStatus_NotInlined; } + // XXX bug 1493903. + if (callInfo.argc() != 1) { + trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm); + return InliningStatus_NotInlined; + } + MDefinition* obj = convertUnboxedObjects(callInfo.thisArg()); // Ensure |this| and result are objects. @
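Review bot: the `// XXX bug 1493903.` comment above the added guard gives no reason why `callInfo.argc() != 1` must refuse inlining, so the check reads like a temporary workaround that a later cleanup could drop; the commit log already states the reason (inlining push with more than one argument leaves the stack pointer off by 8 bytes after a bailout), and that one sentence belongs in the comment next to the check. Also worth confirming before merge: the hunk header labels the context as `IonBuilder::inlineArraySlice(CallInfo& c`, while the subject says the change is for push; diff takes that label from the nearest preceding signature, so check that the guard lands at the top of the push inliner, before `convertUnboxedObjects(callInfo.thisArg())` does any work, and not in slice. Returning `InliningStatus_NotInlined` with `TrackedOutcome::CantInlineNativeBadForm` is consistent with the other bad-form rejections visible in the same context, so the fallback to the non-inlined native path needs no further change.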