head 1.6; access; symbols pkgsrc-2016Q4:1.5.0.6 pkgsrc-2016Q4-base:1.5 pkgsrc-2016Q3:1.5.0.4 pkgsrc-2016Q3-base:1.5 pkgsrc-2016Q2:1.5.0.2 pkgsrc-2016Q2-base:1.5 pkgsrc-2016Q1:1.4.0.6 pkgsrc-2016Q1-base:1.4 pkgsrc-2015Q4:1.4.0.4 pkgsrc-2015Q4-base:1.4 pkgsrc-2015Q3:1.4.0.2 pkgsrc-2015Q3-base:1.4 pkgsrc-2015Q2:1.3.0.2 pkgsrc-2015Q2-base:1.3 pkgsrc-2015Q1:1.1.0.2 pkgsrc-2015Q1-base:1.1; locks; strict; comment @// @; 1.6 date 2017.03.07.20.45.43; author ryoon; state dead; branches; next 1.5; commitid cj2gfa0XmazzZEIz; 1.5 date 2016.06.16.12.08.21; author ryoon; state Exp; branches; next 1.4; commitid LAwegbTYgLLjCGaz; 1.4 date 2015.09.23.06.44.42; author ryoon; state Exp; branches; next 1.3; commitid A8JQd1PZS2cnplCy; 1.3 date 2015.05.12.22.48.54; author ryoon; state Exp; branches; next 1.2; commitid NJZg0HQjg2n73dly; 1.2 date 2015.04.05.12.54.11; author ryoon; state Exp; branches; next 1.1; commitid K8Tn7QcmAk8VWogy; 1.1 date 2015.02.16.16.16.17; author bad; state Exp; branches; next ; commitid D1C7H4hKP4KvBfay; desc @@ 1.6 log @Update to 52.0 * Switch to GTK3 build * Remove py-sqlite2 dependency, fix PR pkg/52032 Changelog: New Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins. Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab. Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS. Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain. Enhanced Sync to allow users to send and open tabs from one device to another. Fixed Various security fixes Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that * have chained dead keys * input two or more characters with a non-printable key or a dead key sequence * input a character even when a dead key sequence failed to compose a character Changed Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. Removed Battery Status API to reduce fingerprinting of users by trackers Improved experience for downloads: * Notification in the toolbar when a download fails * Quick access to five most recent downloads rather than three * Larger buttons for canceling and restarting downloads Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1 Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox. When not using Direct2D on Windows, Skia is used for content rendering Developer Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design Redesigned Responsive Design Mode to include device selection, network throttling, and more Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain unresolved Google Hangouts temporarily won't work Security fixes: #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP #CVE-2017-5401: Memory Corruption when handling ErrorResult #CVE-2017-5402: Use-after-free working with events in FontFace objects #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object #CVE-2017-5404: Use-after-free working with ranges in selections #CVE-2017-5406: Segmentation fault in Skia with canvas operations #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS #CVE-2017-5412: Buffer overflow read in SVG filters #CVE-2017-5413: Segmentation fault during bidirectional operations #CVE-2017-5414: File picker can choose incorrect default directory #CVE-2017-5415: Addressbar spoofing through blob URL #CVE-2017-5416: Null dereference crash in HttpChannel #CVE-2017-5417: Addressbar spoofing by draging and dropping URLs #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses #CVE-2017-5419: Repeated authentication prompts lead to DOS attack #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports #CVE-2017-5421: Print preview spoofing #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink #CVE-2017-5399: Memory safety bugs fixed in Firefox 52 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 @ text @$NetBSD: patch-js_src_jit_MIR.cpp,v 1.5 2016/06/16 12:08:21 ryoon Exp $ * For NetBSD --- js/src/jit/MIR.cpp.orig 2016-05-12 17:05:02.000000000 +0000 +++ js/src/jit/MIR.cpp @@@@ -76,7 +76,7 @@@@ MDefinition::PrintOpcodeName(GenericPrin const char* name = names[op]; size_t len = strlen(name); for (size_t i = 0; i < len; i++) - out.printf("%c", tolower(name[i])); + out.printf("%c", tolower((unsigned char)name[i])); } static MConstant* @ 1.5 log @Update to 47.0 * Remove macOS patches, because I cannot confirm them sadly Changelog: New Support for Google’s Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video. Enable VP9 video codec for users with fast machines Embedded YouTube videos now play with HTML5 video if Flash is not installed. View and search open tabs from your smartphone or another computer in a sidebar Allow no-cache on back/forward navigations for https resources Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers. Fixed Various security fixes Changed FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working. The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better! The Firefox click-to-activate plugin whitelist has been removed. XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance Developer Web platform changes View, start,and debug registered Service Workers in the Service Workers developer tool Simulate Push messages in the Service Workers developer tool 'Start' button for service workers in about:debugging to start registered Service Workers Changes that can affect add-on compatibility Added support for ChaCha20/Poly1305 cipher suites Custom user agents supported in Responsive Design Mode Smart multi-line input in the Web Console Developer Information HTML5 cuechange events are now available on TextTrack objects WebCrypto: PBKDF2 supports SHA-2 hash algorithms WebCrypto: RSA-PSS signature support Fixed in Firefox 47 2016-61 Network Security Services (NSS) vulnerabilities 2016-60 Java applets bypass CSP protections 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes 2016-58 Entering fullscreen and persistent pointerlock without user permission 2016-57 Incorrect icon displayed on permissions notifications 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction 2016-55 File overwrite and privilege escalation through Mozilla Windows updater 2016-54 Partial same-origin-policy through setting location.host through data URI 2016-53 Out-of-bounds write with WebGL shader 2016-52 Addressbar spoofing though the SELECT element 2016-51 Use-after-free deleting tables from a contenteditable document 2016-50 Buffer overflow parsing HTML5 fragments 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) @ text @d1 1 a1 1 $NetBSD: patch-js_src_jit_MIR.cpp,v 1.4 2015/09/23 06:44:42 ryoon Exp $ @ 1.4 log @Update to 41.0 Changelog: New Enhance IME support on Windows (Vista +) using TSF (Text Services Framework) New Ability to set a profile picture for your Firefox Account New Firefox Hello now includes instant messaging New SVG images can be used as favicons New Improved box-shadow rendering performance Changed WebRTC now requires perfect forward secrecy Changed WARP is disabled on Windows 7 Changed Updates to image decoding process Changed Support for running animations of 'transform' and 'opacity' on the compositor thread HTML5 MessageChannel and MessagePort API enabled by default HTML5 Added support for the transform-origin property on SVG elements HTML5 CSS Font Loading API enabled by default HTML5 Navigator.onLine now varies with actual internet connectivity (Windows and Mac OS X only) HTML5 Copy/Cut Web content from JavaScript to the OS clipboard with document.execCommand("cut"/"copy") HTML5 Implemented Cache API for querying named caches that are accessible Window, Worker, and ServiceWorker Developer Removed support for binary XPCOM components in extensions, use addon SDK "system/child_process" pipe mechanism for native binaries instead Developer Network requests can be exported in HAR format Developer Quickly add new CSS rule with New Rule button in the Inspector Developer Screenshot a node or element from markup view with the Screenshot Node context menu item Developer Copy element CSS rule declarations with the Copy Rule Declaration context menu item in the Inspector Developer Pseudo-Class panel in the Inspector Fixed Picture element does not react to resize/viewport changes Fixed Various security fixes Security fixes: Fixed in Firefox 41 2015-114 Information disclosure via the High Resolution Time API 2015-113 Memory safety errors in libGLES in the ANGLE graphics library 2015-112 Vulnerabilities found through code inspection 2015-111 Errors in the handling of CORS preflight request headers 2015-110 Dragging and dropping images exposes final URL after redirects 2015-109 JavaScript immutable property enforcement can be bypassed 2015-108 Scripted proxies can access inner window 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems 2015-106 Use-after-free while manipulating HTML media content 2015-105 Buffer overflow while decoding WebM video 2015-104 Use-after-free with shared workers and IndexedDB 2015-103 URL spoofing in reader mode 2015-102 Crash when using debugger with SavedStacks in JavaScript 2015-101 Buffer overflow in libvpx while parsing vp9 format video 2015-100 Arbitrary file manipulation by local user through Mozilla updater 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes 2015-97 Memory leak in mozTCPSocket to servers 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) @ text @d1 1 a1 1 $NetBSD: patch-js_src_jit_MIR.cpp,v 1.3 2015/05/12 22:48:54 ryoon Exp $ d3 3 a5 1 --- js/src/jit/MIR.cpp.orig 2015-08-24 21:53:12.000000000 +0000 d7 1 a7 1 @@@@ -72,7 +72,7 @@@@ MDefinition::PrintOpcodeName(GenericPrin d15 1 a15 1 const Value& @ 1.3 log @Update to 38.0 Changelog: New New tab-based preferences New Ruby annotation support New Base for the next ESR release. Changed autocomplete=off is no longer supported for username/password fields Changed URL parser avoids doing percent encoding when setting the Fragment part of the URL, and percent decoding when getting the Fragment in line with the URL spec Changed RegExp.prototype.source now returns "(?:)" instead of the empty string for empty regular expressions Changed Improved page load times via speculative connection warmup HTML5 WebSocket now available in Web Workers HTML5 BroadcastChannel API implemented HTML5 Implemented srcset attribute and element for responsive images HTML5 Implemented DOM3 Events KeyboardEvent.code HTML5 Mac OS X: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube HTML5 Implemented Encrypted Media Extensions (EME) API to support encrypted HTML5 video/audio playback (Windows Vista or later only) HTML5 Automatically download Adobe Primetime Content Decryption Module (CDM) for DRM playback through EME (Windows Vista or later only) Developer Optimized-out variables are now visible in Debugger UI Developer XMLHttpRequest logs in the web console are now visually labelled and can be filtered separately from regular network requests Developer WebRTC now has multistream and renegotiation support Developer copy command added to console Fixed Various security fixes Fixed in Firefox 38 2015-58 Mozilla Windows updater can be run outside of application directory 2015-57 Privilege escalation through IPC channel messages 2015-56 Untrusted site hosting trusted page can intercept webchannel responses 2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata 2015-54 Buffer overflow when parsing compressed XML 2015-53 Use-after-free due to Media Decoder Thread creation during shutdown 2015-52 Sensitive URL encoded information written to Android logcat 2015-51 Use-after-free during text processing with vertical text enabled 2015-50 Out-of-bounds read and write in asm.js validation 2015-49 Referrer policy ignored when links opened by middle-click and context menu 2015-48 Buffer overflow with SVG content and CSS 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) @ text @d1 1 a1 1 $NetBSD: patch-js_src_jit_MIR.cpp,v 1.2 2015/04/05 12:54:11 ryoon Exp $ d3 1 a3 1 --- js/src/jit/MIR.cpp.orig 2015-05-04 00:43:27.000000000 +0000 d5 1 a5 1 @@@@ -71,7 +71,7 @@@@ MDefinition::PrintOpcodeName(FILE* fp, M d9 2 a10 2 - fprintf(fp, "%c", tolower(name[i])); + fprintf(fp, "%c", tolower(((unsigned char)name[i]))); @ 1.2 log @Update to 37.0 * Bump nspr requirement. Changelog: New Heartbeat user rating system - your feedback about Firefox New Yandex set as default search provider for the Turkish locale New Bing search now uses HTTPS for secure searching New Improved protection against site impersonation via OneCRL centralized certificate revocation New Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc Changed Disabled insecure TLS version fallback for site security Changed Extended SSL error reporting for reporting non-certificate errors Changed TLS False Start optimization now requires a cipher suite using AEAD construction Changed Improved certificate and TLS communication security by removing support for DSA Changed Improved performance of WebGL rendering on Windows HTML5 Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only) HTML5 Added support for CSS display:contents HTML5 IndexedDB now accessible from worker threads HTML5 New SDP/JSEP implementation in WebRTC Developer Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS Developer New Inspector animations panel to control element animations Developer New Security Panel included in Network Panel Developer Debugger panel support for chrome:// and about:// URIs Developer Added logging of weak ciphers to the web console Fixed Various security fixes Fixed in Firefox 37 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages 2015-41 PRNG weakness allows for DNS poisoning on Android 2015-40 Same-origin bypass through anchor navigation 2015-39 Use-after-free due to type confusion flaws 2015-38 Memory corruption crashes in Off Main Thread Compositing 2015-37 CORS requests should not follow 30x redirections after preflight 2015-36 Incorrect memory management for simple-type arrays in WebRTC 2015-35 Cursor clickjacking with flash and images 2015-34 Out of bounds read in QCMS library 2015-33 resource:// documents can load privileged pages 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) @ text @d1 1 a1 1 $NetBSD: patch-js_src_jit_MIR.cpp,v 1.1 2015/02/16 16:16:17 bad Exp $ d3 1 a3 1 --- js/src/jit/MIR.cpp.orig 2015-03-27 02:20:25.000000000 +0000 d5 2 a6 2 @@@@ -71,7 +71,7 @@@@ MDefinition::PrintOpcodeName(FILE *fp, M const char *name = names[op]; d13 1 a13 1 const Value & @ 1.1 log @Re-enable -Werror=char-subscripts and fix the fallout in the code. Per discussion with ryoon@@. Bump PKGREVISION for this and the previous two commits. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 --- js/src/jit/MIR.cpp.orig 2015-01-23 06:00:01.000000000 +0000 +++ js/src/jit/MIR.cpp 2015-02-05 12:06:56.000000000 +0000 @@@@ -68,7 +68,7 @@@@ d13 1 a13 1 static MConstant * @