head	1.3;
access;
symbols
	pkgsrc-2018Q1:1.2.0.10
	pkgsrc-2018Q1-base:1.2
	pkgsrc-2017Q4:1.2.0.8
	pkgsrc-2017Q4-base:1.2
	pkgsrc-2017Q3:1.2.0.6
	pkgsrc-2017Q3-base:1.2
	pkgsrc-2017Q2:1.2.0.2
	pkgsrc-2017Q2-base:1.2
	pkgsrc-2017Q1:1.1.0.2
	pkgsrc-2017Q1-base:1.1;
locks; strict;
comment	@// @;


1.3
date	2018.05.10.20.01.53;	author ryoon;	state dead;
branches;
next	1.2;
commitid	xD42Z67JHKvGXMBA;

1.2
date	2017.06.14.11.28.44;	author ryoon;	state Exp;
branches;
next	1.1;
commitid	TvqH8xBKhv2gJkVz;

1.1
date	2017.03.07.20.45.43;	author ryoon;	state Exp;
branches;
next	;
commitid	cj2gfa0XmazzZEIz;


desc
@@


1.3
log
@Update to 60.0

* Remove untested patches including NetBSD/earm support

Changelog:
New
    Added a policy engine that allows customized Firefox deployments in
      enterprise environments, using Windows Group Policy or a cross-platform
      JSON file

    Enhancements to New Tab / Firefox Home
        Responsive layout that shows more content for users with wide-screen
          displays
        Highlights section includes web sites saved to Pocket
        More options to reorder sections and content on the page
        Pocket Sponsored Stories will appear for a percentage of users in
          the US. Read about our privacy-conscious approach to sponsored content

    Redesigned Cookies and Site Storage section in Preferences for greater
      clarity and control of first- and third-party cookies

    Applied Quantum CSS to render browser UI

    Added support for Web Authentication API, which allows USB tokens for
      website authentication

    Enhanced camera privacy indicators: Firefox now turns off your camera
      and the camera's light when you disable video recording, and turns
      the camera and light on when you resume recording

    Added an option for Linux users to show or hide page titles in a bar
      at the top of the browser. You'll find the Title Bar option in the
      Customize panel available from the main browser menu.

    Improved WebRTC audio performance and playback for Linux users

    Locale added: Occitan (oc)

Fixed
    Various security fixes

Changed
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
#CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5160: Uninitialized memory use by WebRTC encoder
#CVE-2018-5152: WebExtensions information leak through webRequest API
#CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
#CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
#CVE-2018-5164: CSP not applied to all multipart content sent with
                multipart/x-mixed-replace
#CVE-2018-5166: WebExtension host permission bypass through filterReponseData
#CVE-2018-5167: Improper linkification of chrome: and javascript: content
                in web console and JavaScript debugger
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5169: Dragging and dropping link text onto home button can set home
                page to include chrome pages
#CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks
                page or PDF viewer
#CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters
#CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior
                for downloaded files in Windows 10 April 2018 Update
#CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in
                their policies
#CVE-2018-5176: JSON Viewer script injection
#CVE-2018-5177: Buffer overflow in XSLT during number formatting
#CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in
                32-bit Firefox
#CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced
#CVE-2018-5181: Local file can be displayed in noopener tab through drag and
                drop of hyperlink
#CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped
                on addressbar
#CVE-2018-5151: Memory safety bugs fixed in Firefox 60
#CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8
@
text
@$NetBSD: patch-dom_media_platforms_ffmpeg_ffvpx_FFVPXRuntimeLinker.cpp,v 1.2 2017/06/14 11:28:44 ryoon Exp $

--- dom/media/platforms/ffmpeg/ffvpx/FFVPXRuntimeLinker.cpp.orig	2017-06-05 20:45:19.000000000 +0000
+++ dom/media/platforms/ffmpeg/ffvpx/FFVPXRuntimeLinker.cpp
@@@@ -11,9 +11,13 @@@@
 #include "prmem.h"
 #include "prlink.h"
 
+#ifdef MOZ_SYSTEM_SOUNDTOUCH
+#include "nsXPCOMPrivate.h" // for XUL_DLL
+#else
 // We use a known symbol located in lgpllibs to determine its location.
 // soundtouch happens to be always included in lgpllibs
 #include "soundtouch/SoundTouch.h"
+#endif
 
 namespace mozilla {
 
@@@@ -50,6 +54,12 @@@@ FFVPXRuntimeLinker::Init()
 
   sLinkStatus = LinkStatus_FAILED;
 
+#ifdef MOZ_SYSTEM_SOUNDTOUCH
+  // We retrieve the path of the XUL library as this is where mozavcodec and
+  // mozavutil libs are located.
+  char* path =
+    PR_GetLibraryFilePathname(XUL_DLL, (PRFuncPtr)&FFVPXRuntimeLinker::Init);
+#else
   // We retrieve the path of the lgpllibs library as this is where mozavcodec
   // and mozavutil libs are located.
   char* lgpllibsname = PR_GetLibraryName(nullptr, "lgpllibs");
@@@@ -60,6 +70,7 @@@@ FFVPXRuntimeLinker::Init()
     PR_GetLibraryFilePathname(lgpllibsname,
                               (PRFuncPtr)&soundtouch::SoundTouch::getVersionId);
   PR_FreeLibraryName(lgpllibsname);
+#endif
   if (!path) {
     return false;
   }
@


1.2
log
@Update to 54.0

* If your 54.0 is unstable, please disable e10s with
  browser.tabs.remote.autostart.2=false (this works at least for me)

Changelog:

New
    Simplified the download button and download status panel
    Added support for multiple content processes (e10s-multi)
    Added Burmese (my) locale

Fixed
    Various security fixes

Changed
    Moved the mobile bookmarks folder to the main bookmarks menu for easier access

Security fixes:
 #CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
 #CVE-2017-7749: Use-after-free during docshell reloading
 #CVE-2017-7750: Use-after-free with track elements
 #CVE-2017-7751: Use-after-free with content viewer listeners
 #CVE-2017-7752: Use-after-free with IME input
 #CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
 #CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
 #CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
 #CVE-2017-7757: Use-after-free in IndexedDB
 #CVE-2017-7778: Vulnerabilities in the Graphite 2 library
 #CVE-2017-7758: Out-of-bounds read in Opus encoder
 #CVE-2017-7759: Android intent URLs can cause navigation to local file system
 #CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
 #CVE-2017-7762: Addressbar spoofing in Reader mode
 #CVE-2017-7763: Mac fonts render some unicode characters as spaces
 #CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
 #CVE-2017-7765: Mark of the Web bypass when saving executable files
 #CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
 #CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
 #CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
 #CVE-2017-7770: Addressbar spoofing with JavaScript events and fullscreen mode
 #CVE-2017-5471: Memory safety bugs fixed in Firefox 54
 #CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
@
text
@d1 1
a1 1
$NetBSD: patch-dom_media_platforms_ffmpeg_ffvpx_FFVPXRuntimeLinker.cpp,v 1.1 2017/03/07 20:45:43 ryoon Exp $
@


1.1
log
@Update to 52.0

* Switch to GTK3 build
* Remove py-sqlite2 dependency, fix PR pkg/52032

Changelog:
New
    Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.

    Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.

    Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS.

    Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.

    Enhanced Sync to allow users to send and open tabs from one device to another.

Fixed
    Various security fixes

    Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
      * have chained dead keys
      * input two or more characters with a non-printable key or a dead key sequence
      * input a character even when a dead key sequence failed to compose a character

Changed
    Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.

    Removed Battery Status API to reduce fingerprinting of users by trackers

    Improved experience for downloads:
      * Notification in the toolbar when a download fails
      * Quick access to five most recent downloads rather than three
      * Larger buttons for canceling and restarting downloads

    Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1

    Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox.

    When not using Direct2D on Windows, Skia is used for content rendering

Developer
    Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design

    Redesigned Responsive Design Mode to include device selection, network throttling, and more

    Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain

unresolved
    Google Hangouts temporarily won't work

Security fixes:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5406: Segmentation fault in Skia with canvas operations
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
 #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5412: Buffer overflow read in SVG filters
 #CVE-2017-5413: Segmentation fault during bidirectional operations
 #CVE-2017-5414: File picker can choose incorrect default directory
 #CVE-2017-5415: Addressbar spoofing through blob URL
 #CVE-2017-5416: Null dereference crash in HttpChannel
 #CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
 #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
 #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
 #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
 #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
 #CVE-2017-5419: Repeated authentication prompts lead to DOS attack
 #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5421: Print preview spoofing
 #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
 #CVE-2017-5399: Memory safety bugs fixed in Firefox 52
 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
@
text
@d1 1
a1 1
$NetBSD$
d3 1
a3 1
--- dom/media/platforms/ffmpeg/ffvpx/FFVPXRuntimeLinker.cpp.orig	2016-10-14 08:14:07.000000000 +0000
d17 3
a19 3
 namespace mozilla
 {
@@@@ -51,6 +55,12 @@@@ FFVPXRuntimeLinker::Init()
d32 1
a32 1
@@@@ -61,6 +71,7 @@@@ FFVPXRuntimeLinker::Init()
@