head 1.5; access; symbols pkgsrc-2016Q4:1.4.0.6 pkgsrc-2016Q4-base:1.4 pkgsrc-2016Q3:1.4.0.4 pkgsrc-2016Q3-base:1.4 pkgsrc-2016Q2:1.4.0.2 pkgsrc-2016Q2-base:1.4 pkgsrc-2016Q1:1.3.0.2 pkgsrc-2016Q1-base:1.3 pkgsrc-2015Q4:1.2.0.8 pkgsrc-2015Q4-base:1.2 pkgsrc-2015Q3:1.2.0.6 pkgsrc-2015Q3-base:1.2 pkgsrc-2015Q2:1.2.0.4 pkgsrc-2015Q2-base:1.2 pkgsrc-2015Q1:1.2.0.2 pkgsrc-2015Q1-base:1.2; locks; strict; comment @// @; 1.5 date 2017.01.25.13.24.51; author ryoon; state dead; branches; next 1.4; commitid 3acwYN6np6o7SlDz; 1.4 date 2016.06.16.12.08.21; author ryoon; state Exp; branches; next 1.3; commitid LAwegbTYgLLjCGaz; 1.3 date 2016.03.08.21.32.52; author ryoon; state Exp; branches; next 1.2; commitid BVJhJwzz8HleXSXy; 1.2 date 2015.02.28.04.30.55; author ryoon; state Exp; branches; next 1.1; commitid Y4EEeVfm51r1kJby; 1.1 date 2015.02.16.16.16.17; author bad; state Exp; branches; next ; commitid D1C7H4hKP4KvBfay; desc @@ 1.5 log @Update to 51.0 Changelog: New Users can view passwords in the save password prompt before saving them Added a zoom button in the URL bar: Displays percent above or below 100 percent when a user has changed the page zoom setting from the default Lets users return to the default setting by clicking on the button Improved video performance for users without GPU acceleration for less CPU usage and a better full screen experience Firefox will save passwords even in forms that do not have “submit” events Added support for FLAC (Free Lossless Audio Codec) playback Added support for WebGL 2, with advanced graphics rendering features like transform feedback, improved texturing capabilities, and a new sophisticated shading language A warning is displayed when a login page does not have a secure connection Added Georgian (ka) and Kabyle (kab) locales An even faster E10s! Tab Switching is better! Improved reliability of browser data sync Remove Belarusian (be) locale Fixed Various security fixes Changed Use 2D graphics library (Skia) for content rendering on Linux Re-enabled E10s support for Russian (ru) locale Updated to NSS 3.28.1 Security fixes: #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP #CVE-2017-5376: Use-after-free in XSL #CVE-2017-5377: Memory corruption with transforms to create gradients in Skia #CVE-2017-5378: Pointer and frame data leakage of Javascript objects #CVE-2017-5379: Use-after-free in Web Animations #CVE-2017-5380: Potential use-after-free during DOM manipulations #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer #CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests #CVE-2017-5396: Use-after-free with Media Decoder #CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations #CVE-2017-5382: Feed preview can expose privileged content errors and exceptions #CVE-2017-5383: Location bar spoofing with unicode characters #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) #CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers #CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions #CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events #CVE-2017-5391: Content about: pages can load privileged about: pages #CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager #CVE-2017-5395: Android location bar spoofing during scrolling #CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks #CVE-2017-5374: Memory safety bugs fixed in Firefox 51 #CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7 @ text @$NetBSD: patch-js_src_jsdate.cpp,v 1.4 2016/06/16 12:08:21 ryoon Exp $ * For NetBSD --- js/src/jsdate.cpp.orig 2016-02-25 23:02:04.000000000 +0000 +++ js/src/jsdate.cpp @@@@ -2672,8 +2672,8 @@@@ ToLocaleFormatHelper(JSContext* cx, Hand if (strcmp(format, "%x") == 0 && result_len >= 6 && /* Format %x means use OS settings, which may have 2-digit yr, so hack end of 3/11/22 or 11.03.22 or 11Mar22 to use 4-digit yr...*/ - !isdigit(buf[result_len - 3]) && - isdigit(buf[result_len - 2]) && isdigit(buf[result_len - 1]) && + !isdigit(((unsigned char)buf[result_len - 3])) && + isdigit(((unsigned char)buf[result_len - 2])) && isdigit(((unsigned char)buf[result_len - 1])) && /* ...but not if starts with 4-digit year, like 2022/3/11. */ !(isdigit(buf[0]) && isdigit(buf[1]) && isdigit(buf[2]) && isdigit(buf[3]))) { @ 1.4 log @Update to 47.0 * Remove macOS patches, because I cannot confirm them sadly Changelog: New Support for Google’s Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video. Enable VP9 video codec for users with fast machines Embedded YouTube videos now play with HTML5 video if Flash is not installed. View and search open tabs from your smartphone or another computer in a sidebar Allow no-cache on back/forward navigations for https resources Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers. Fixed Various security fixes Changed FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working. The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better! The Firefox click-to-activate plugin whitelist has been removed. XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance Developer Web platform changes View, start,and debug registered Service Workers in the Service Workers developer tool Simulate Push messages in the Service Workers developer tool 'Start' button for service workers in about:debugging to start registered Service Workers Changes that can affect add-on compatibility Added support for ChaCha20/Poly1305 cipher suites Custom user agents supported in Responsive Design Mode Smart multi-line input in the Web Console Developer Information HTML5 cuechange events are now available on TextTrack objects WebCrypto: PBKDF2 supports SHA-2 hash algorithms WebCrypto: RSA-PSS signature support Fixed in Firefox 47 2016-61 Network Security Services (NSS) vulnerabilities 2016-60 Java applets bypass CSP protections 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes 2016-58 Entering fullscreen and persistent pointerlock without user permission 2016-57 Incorrect icon displayed on permissions notifications 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction 2016-55 File overwrite and privilege escalation through Mozilla Windows updater 2016-54 Partial same-origin-policy through setting location.host through data URI 2016-53 Out-of-bounds write with WebGL shader 2016-52 Addressbar spoofing though the SELECT element 2016-51 Use-after-free deleting tables from a contenteditable document 2016-50 Buffer overflow parsing HTML5 fragments 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2) @ text @d1 1 a1 1 $NetBSD: patch-js_src_jsdate.cpp,v 1.3 2016/03/08 21:32:52 ryoon Exp $ @ 1.3 log @Update to 45.0 Changelog: New Instant browser tab sharing through Hello Tabs synced via Firefox Accounts from other devices are now shown in dropdown area of Awesome Bar when searching Synced Tabs button in button bar Introduce a new preference (network.dns.blockDotOnion) to allow blocking .onion at the DNS level Guarani [gn] locale added Fixed URLs containing a Unicode-format Internationalized Domain Name (IDN) are now properly redirected Various security fixes Fixed in Firefox 45 2016-37 Font vulnerabilities in the Graphite 2 library 2016-36 Use-after-free during processing of DER encoded keys in NSS 2016-35 Buffer overflow during ASN.1 decoding in NSS 2016-34 Out-of-bounds read in HTML parser following a failed allocation 2016-33 Use-after-free in GetStaticInstance in WebRTC 2016-32 WebRTC and LibVPX vulnerabilities found through code inspection 2016-31 Memory corruption with malicious NPAPI plugin 2016-30 Buffer overflow in Brotli decompression 2016-29 Same-origin policy violation using perfomance.getEntries and history navigation with session restore 2016-28 Addressbar spoofing though history navigation and Location protocol property 2016-27 Use-after-free during XML transformations 2016-26 Memory corruption when modifying a file being read by FileReader 2016-25 Use-after-free when using multiple WebRTC data channels 2016-24 Use-after-free in SetBody 2016-23 Use-after-free in HTML5 string parser 2016-22 Service Worker Manager out-of-bounds read in Service Worker Manager 2016-21 Displayed page address can be overridden 2016-20 Memory leak in libstagefright when deleting an array during MP4 processing 2016-19 Linux video memory DOS with Intel drivers 2016-18 CSP reports fail to strip location information for embedded iframe pages 2016-17 Local file overwriting and potential privilege escalation through CSP reports 2016-16 Miscellaneous memory safety hazards (rv:45.0 / rv:38.7) @ text @d1 3 a3 1 $NetBSD: patch-js_src_jsdate.cpp,v 1.2 2015/02/28 04:30:55 ryoon Exp $ @ 1.2 log @Update to 36.0 Changelog: New Pinned tiles on the new tab page can be synced New Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web. New Locale added: Uzbek (uz) Changed -remote option removed Changed No longer accept insecure RC4 ciphers whenever possible Changed Phasing out Certificates with 1024-bit RSA Keys Changed Shut down hangs will now show the crash reporter before exiting the program Changed Add-on Compatibility HTML5 Support for the ECMAScript 6 Symbol data type added HTML5 unicode-range CSS descriptor implemented HTML5 CSSOM-View scroll behavior implemented allowing smooth scrolling of content without custom libraries HTML5 object-fit and object-position implemented. Defines how and where the content of a replaced element is displayed HTML5 isolation CSS property implemented. Create a new stacking context to isolate groups of boxes to control which blend together HTML5 CSS3 will-change property implemented. Hints the browser of elements that will be modified. The browser will perform some performance optimization for these HTML5 Changed JavaScript 'const' semantics to conform better to the ES6 specification. The const declaration is now block-scoped and requires an initializer. It also can not be redeclared anymore. HTML5 Improved ES6 generators for better performance Developer Eval sources now appear in the Debugger Debug JavaScript code that is evaluated dynamically, either as a string passed to eval() or as a string passed to the Function constructor Developer DOM Promises inspection Developer Inspector: More paste options in markup view Fixed CSS gradients work on premultiplied colors Fixed Fix some unexpected logout from Facebook or Google after restart Fixed Various security fixes Fixed in Firefox 36 2015-27 Caja Compiler JavaScript sandbox bypass 2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs 2015-25 Local files or privileged URLs in pages can be opened into new tabs 2015-24 Reading of local files through manipulation of form autocomplete 2015-23 Use-after-free in Developer Console date with OpenType Sanitiser 2015-22 Crash using DrawTarget in Cairo graphics library 2015-21 Buffer underflow during MP3 playback 2015-20 Buffer overflow during CSS restyling 2015-19 Out-of-bounds read and write while rendering SVG content 2015-18 Double-free when using non-default memory allocators with a zero-length XHR 2015-17 Buffer overflow in libstagefright during MP4 video playback 2015-16 Use-after-free in IndexedDB 2015-15 TLS TURN and STUN connections silently fail to simple TCP connections 2015-14 Malicious WebGL content crash when writing strings 2015-13 Appended period to hostnames can bypass HPKP and HSTS protections 2015-12 Invoking Mozilla updater will load locally stored DLL files 2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5) @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- js/src/jsdate.cpp.orig 2015-02-17 21:40:42.000000000 +0000 d5 1 a5 1 @@@@ -2651,11 +2651,11 @@@@ ToLocaleFormatHelper(JSContext *cx, Hand d14 2 a15 7 - !(isdigit(buf[0]) && isdigit(buf[1]) && - isdigit(buf[2]) && isdigit(buf[3]))) { + !(isdigit(((unsigned char)buf[0])) && isdigit(((unsigned char)buf[1])) && + isdigit(((unsigned char)buf[2])) && isdigit(((unsigned char)buf[3])))) { double localtime = obj->as().cachedLocalTime(&cx->runtime()->dateTimeInfo); int year = IsNaN(localtime) ? 0 : (int) YearFromTime(localtime); JS_snprintf(buf + (result_len - 2), (sizeof buf) - (result_len - 2), @ 1.1 log @Re-enable -Werror=char-subscripts and fix the fallout in the code. Per discussion with ryoon@@. Bump PKGREVISION for this and the previous two commits. @ text @d3 3 a5 3 --- js/src/jsdate.cpp.orig 2015-01-23 06:00:01.000000000 +0000 +++ js/src/jsdate.cpp 2015-02-05 12:54:32.000000000 +0000 @@@@ -2651,11 +2651,11 @@@@ d18 2 a20 2 "%d", js_DateGetYear(cx, obj)); } @