head 1.5;
access;
symbols
 pkgsrc-2018Q1:1.4.0.14
 pkgsrc-2018Q1-base:1.4
 pkgsrc-2017Q4:1.4.0.12
 pkgsrc-2017Q4-base:1.4
 pkgsrc-2017Q3:1.4.0.10
 pkgsrc-2017Q3-base:1.4
 pkgsrc-2017Q2:1.4.0.6
 pkgsrc-2017Q2-base:1.4
 pkgsrc-2017Q1:1.4.0.4
 pkgsrc-2017Q1-base:1.4
 pkgsrc-2016Q4:1.4.0.2
 pkgsrc-2016Q4-base:1.4
 pkgsrc-2015Q2:1.2.0.2
 pkgsrc-2015Q2-base:1.2
 pkgsrc-2015Q1:1.1.0.2
 pkgsrc-2015Q1-base:1.1;
locks; strict;
comment @// @;


1.5
date 2018.05.10.20.01.53; author ryoon; state dead;
branches;
next 1.4;
commitid xD42Z67JHKvGXMBA;

1.4
date 2016.12.03.09.58.26; author ryoon; state Exp;
branches;
next 1.3;
commitid uIUIk0K6tuQSqwwz;

1.3
date 2015.09.23.06.44.42; author ryoon; state dead;
branches;
next 1.2;
commitid A8JQd1PZS2cnplCy;

1.2
date 2015.05.12.22.48.54; author ryoon; state Exp;
branches;
next 1.1;
commitid NJZg0HQjg2n73dly;

1.1
date 2015.01.16.22.42.09; author ryoon; state Exp;
branches;
next ;
commitid 4cICGew1Cni4Ki6y;


desc
@@


1.5
log
@Update to 60.0
* Remove untested patches including NetBSD/earm support

Changelog:
New
Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file
Enhancements to New Tab / Firefox Home
Responsive layout that shows more content for users with wide-screen displays
Highlights section includes web sites saved to Pocket
More options to reorder sections and content on the page
Pocket Sponsored Stories will appear for a percentage of users in the US.
Read about our privacy-conscious approach to sponsored content
Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies
Applied Quantum CSS to render browser UI
Added support for Web Authentication API, which allows USB tokens for website authentication
Enhanced camera privacy indicators: Firefox now turns off your camera and the camera's light when you disable video recording, and turns the camera and light on when you resume recording
Added an option for Linux users to show or hide page titles in a bar at the top of the browser. You'll find the Title Bar option in the Customize panel available from the main browser menu.
Improved WebRTC audio performance and playback for Linux users
Locale added: Occitan (oc)

Fixed
Various security fixes

Changed
#CVE-2018-5154: Use-after-free with SVG animations and clip paths
#CVE-2018-5155: Use-after-free with SVG animations and text paths
#CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files
#CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer
#CVE-2018-5159: Integer overflow and out-of-bounds write in Skia
#CVE-2018-5160: Uninitialized memory use by WebRTC encoder
#CVE-2018-5152: WebExtensions information leak through webRequest API
#CVE-2018-5153: Out-of-bounds read in mixed content websocket messages
#CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache
#CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace
#CVE-2018-5166: WebExtension host permission bypass through filterReponseData
#CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger
#CVE-2018-5168: Lightweight themes can be installed without user interaction
#CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages
#CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF
viewer #CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters #CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update #CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies #CVE-2018-5176: JSON Viewer script injection #CVE-2018-5177: Buffer overflow in XSLT during number formatting #CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox #CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced #CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink #CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar #CVE-2018-5151: Memory safety bugs fixed in Firefox 60 #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 @ text @$NetBSD: patch-xpcom_build_XPCOMInit.cpp,v 1.4 2016/12/03 09:58:26 ryoon Exp $ --- xpcom/build/XPCOMInit.cpp.orig 2016-10-31 20:15:39.000000000 +0000 +++ xpcom/build/XPCOMInit.cpp @@@@ -137,7 +137,9 @@@@ extern nsresult nsStringInputStreamConst #include "mozilla/ipc/GeckoChildProcessHost.h" +#ifndef MOZ_OGG_NO_MEM_REPORTING #include "ogg/ogg.h" +#endif #if defined(MOZ_VPX) && !defined(MOZ_VPX_NO_MEM_REPORTING) #if defined(HAVE_STDINT_H) // mozilla-config.h defines HAVE_STDINT_H, and then it's defined *again* in @@@@ -638,11 +640,13 @@@@ NS_InitXPCOM2(nsIServiceManager** aResul // this oddness. mozilla::SetICUMemoryFunctions(); +#ifndef MOZ_OGG_NO_MEM_REPORTING // Do the same for libogg. ogg_set_mem_functions(OggReporter::CountingMalloc, OggReporter::CountingCalloc, OggReporter::CountingRealloc, OggReporter::CountingFree); +#endif #if defined(MOZ_VPX) && !defined(MOZ_VPX_NO_MEM_REPORTING) // And for VPX. @ 1.4 log @Update to 50.0.2 * Change default audio support to ALSA. You can use OSS or pulseaudio via ALSA plugin package. 
Changelog:
50.0.2:
Fixed in Firefox 50.0.2
#CVE-2016-9079: Use-after-free in SVG Animation

50.0.1:
Fixed
*Firefox crashes with 3rd party Chinese IME when using IME text

Security vulnerabilities fixed in Firefox 50.0.1:
#CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect

50.0:
New
*Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
*Improved performance for SDK extensions or extensions using the SDK module loader
*Added download protection for a large number of executable file types on Windows, Mac and Linux
*Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
*Added Guarani (gn) locale
*Added option to Find in page that allows users to limit search to whole words only
*Updates to keyboard shortcuts
*Set a preference to have Ctrl+Tab cycle through tabs in recently used order
*View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)

Fixed
*Login cookies are now saved for sites with a high number of cookies (Bug 1264192)
*Various security fixes
*Fixed rendering of dashed and dotted borders with rounded corners (border-radius)

Changed
*The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates
*Blocked versions of libavcodec older than 54.35.1
*Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)

Developer
*Changes for web developers

Security vulnerabilities fixed in Firefox 50:
#CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
#CVE-2016-5292: URL parsing causes crash
#CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
#CVE-2016-5294: Arbitrary target directory for result files of update process
#CVE-2016-5297: Incorrect argument length checking in JavaScript
#CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
#CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler #CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore #CVE-2016-9068: heap-use-after-free in nsRefreshDriver #CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile #CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges #CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file #CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM #CVE-2016-5298: SSL indicator can mislead the user about the real URL visited #CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissionsPI key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions #CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file #CVE-2016-9070: Sidebar bookmark can have reference to chrome window #CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl" #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler #CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP #CVE-2016-5289: Memory safety bugs fixed in Firefox 50 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5 @ text @d1 1 a1 1 $NetBSD$ @ 1.3 log @Update to 41.0 Changelog: New Enhance IME support on Windows (Vista +) using TSF (Text Services Framework) New Ability to set 
a profile picture for your Firefox Account
New Firefox Hello now includes instant messaging
New SVG images can be used as favicons
New Improved box-shadow rendering performance
Changed WebRTC now requires perfect forward secrecy
Changed WARP is disabled on Windows 7
Changed Updates to image decoding process
Changed Support for running animations of 'transform' and 'opacity' on the compositor thread
HTML5 MessageChannel and MessagePort API enabled by default
HTML5 Added support for the transform-origin property on SVG elements
HTML5 CSS Font Loading API enabled by default
HTML5 Navigator.onLine now varies with actual internet connectivity (Windows and Mac OS X only)
HTML5 Copy/Cut Web content from JavaScript to the OS clipboard with document.execCommand("cut"/"copy")
HTML5 Implemented Cache API for querying named caches that are accessible Window, Worker, and ServiceWorker
Developer Removed support for binary XPCOM components in extensions, use addon SDK "system/child_process" pipe mechanism for native binaries instead
Developer Network requests can be exported in HAR format
Developer Quickly add new CSS rule with New Rule button in the Inspector
Developer Screenshot a node or element from markup view with the Screenshot Node context menu item
Developer Copy element CSS rule declarations with the Copy Rule Declaration context menu item in the Inspector
Developer Pseudo-Class panel in the Inspector
Fixed Picture element does not react to resize/viewport changes
Fixed Various security fixes

Security fixes:
Fixed in Firefox 41
2015-114 Information disclosure via the High Resolution Time API
2015-113 Memory safety errors in libGLES in the ANGLE graphics library
2015-112 Vulnerabilities found through code inspection
2015-111 Errors in the handling of CORS preflight request headers
2015-110 Dragging and dropping images exposes final URL after redirects
2015-109 JavaScript immutable property enforcement can be bypassed
2015-108 Scripted proxies can access inner window
2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems 2015-106 Use-after-free while manipulating HTML media content 2015-105 Buffer overflow while decoding WebM video 2015-104 Use-after-free with shared workers and IndexedDB 2015-103 URL spoofing in reader mode 2015-102 Crash when using debugger with SavedStacks in JavaScript 2015-101 Buffer overflow in libvpx while parsing vp9 format video 2015-100 Arbitrary file manipulation by local user through Mozilla updater 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes 2015-97 Memory leak in mozTCPSocket to servers 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) @ text @d1 1 a1 1 $NetBSD: patch-xpcom_build_XPCOMInit.cpp,v 1.2 2015/05/12 22:48:54 ryoon Exp $ d3 1 a3 1 --- xpcom/build/XPCOMInit.cpp.orig 2015-05-04 00:43:36.000000000 +0000 d5 3 a7 3 @@@@ -141,7 +141,9 @@@@ extern nsresult nsStringInputStreamConst #include "mozilla/VisualEventTracer.h" #endif d15 1 a15 1 @@@@ -669,11 +671,13 @@@@ NS_InitXPCOM2(nsIServiceManager** aResul @ 1.2 log @Update to 38.0 Changelog: New New tab-based preferences New Ruby annotation support New Base for the next ESR release. 
Changed autocomplete=off is no longer supported for username/password fields
Changed URL parser avoids doing percent encoding when setting the Fragment part of the URL, and percent decoding when getting the Fragment in line with the URL spec
Changed RegExp.prototype.source now returns "(?:)" instead of the empty string for empty regular expressions
Changed Improved page load times via speculative connection warmup
HTML5 WebSocket now available in Web Workers
HTML5 BroadcastChannel API implemented
HTML5 Implemented srcset attribute and element for responsive images
HTML5 Implemented DOM3 Events KeyboardEvent.code
HTML5 Mac OS X: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube
HTML5 Implemented Encrypted Media Extensions (EME) API to support encrypted HTML5 video/audio playback (Windows Vista or later only)
HTML5 Automatically download Adobe Primetime Content Decryption Module (CDM) for DRM playback through EME (Windows Vista or later only)
Developer Optimized-out variables are now visible in Debugger UI
Developer XMLHttpRequest logs in the web console are now visually labelled and can be filtered separately from regular network requests
Developer WebRTC now has multistream and renegotiation support
Developer copy command added to console
Fixed Various security fixes

Fixed in Firefox 38
2015-58 Mozilla Windows updater can be run outside of application directory
2015-57 Privilege escalation through IPC channel messages
2015-56 Untrusted site hosting trusted page can intercept webchannel responses
2015-55 Buffer overflow and out-of-bounds read while parsing MP4 video metadata
2015-54 Buffer overflow when parsing compressed XML
2015-53 Use-after-free due to Media Decoder Thread creation during shutdown
2015-52 Sensitive URL encoded information written to Android logcat
2015-51 Use-after-free during text processing with vertical text enabled
2015-50 Out-of-bounds read and write in asm.js validation
2015-49 Referrer
policy ignored when links opened by middle-click and context menu 2015-48 Buffer overflow with SVG content and CSS 2015-47 Buffer overflow parsing H.264 video with Linux Gstreamer 2015-46 Miscellaneous memory safety hazards (rv:38.0 / rv:31.7) @ text @d1 1 a1 1 $NetBSD: patch-xpcom_build_XPCOMInit.cpp,v 1.1 2015/01/16 22:42:09 ryoon Exp $ @ 1.1 log @Update to 35.0 Changelog: New Firefox Hello with new rooms-based conversations model New New search UI improved and enabled for more locales New Access the Firefox Marketplace from the Tools menu and optional toolbar button New Built-in support for H264 (MP4) on Mac OS X Snow Leopard (10.6) and newer through native APIs New Use tiled rendering on OS X New Improved high quality image resizing performance New Improved handling of dynamic styling changes to increase responsiveness HTML5 Added support for the CSS Font Loading API HTML5 Resource Timing API implemented HTML5 CSS filters enabled by default HTML5 Changed JavaScript 'let' semantics to conform better to the ES6 specification Developer Support for inspecting ::before and ::after pseudo elements Developer Computed view: Nodes matching the hovered selector are now highlighted Developer Network Monitor: New request/response headers view (more info) Developer Added support for the EXT_blend_minmax WebGL extension Fixed Show DOM Properties context menu item in inspector Fixed Reduced resource usage for scaled images Fixed PDF.js updated to version 1.0.907 Fixed Non-HTTP(S) XHR now returns correct status code Fixed Various security fixes Security fixes: 2015-09 XrayWrapper bypass through DOM objects 2015-08 Delegated OCSP responder certificates failure with id-pkix-ocsp-nocheck extension 2015-07 Gecko Media Plugin sandbox escape 2015-06 Read-after-free in WebRTC 2015-05 Read of uninitialized memory in Web Audio 2015-04 Cookie injection through Proxy Authenticate responses 2015-03 sendBeacon requests lack an Origin header 2015-02 Uninitialized memory use during bitmap 
rendering 2015-01 Miscellaneous memory safety hazards (rv:35.0 / rv:31.4) @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- xpcom/build/XPCOMInit.cpp.orig 2015-01-09 04:38:29.000000000 +0000 d5 1 a5 1 @@@@ -139,7 +139,9 @@@@ extern nsresult nsStringInputStreamConst d13 3 a15 3 #include "vpx_mem/vpx_mem.h" #endif @@@@ -652,11 +654,13 @@@@ NS_InitXPCOM2(nsIServiceManager** aResul @
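Review bot: In the first hunk of the revision 1.5 patch text (-137,7 +137,9), the new guard around #include "ogg/ogg.h" depends on MOZ_OGG_NO_MEM_REPORTING, but the patch never says where that macro is defined or why the include has to be skipped: the file goes from the $NetBSD$ line straight to the --- header. Add a short description above the --- line naming the build configuration this is for and where the define is set, so the patch can be re-evaluated at the next Firefox update. The adjacent MOZ_VPX_NO_MEM_REPORTING guard shows the pattern being copied but not the reason for it.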
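Review bot: In the second hunk of the revision 1.5 patch text (-638,11 +640,13, in NS_InitXPCOM2), guarding the ogg_set_mem_functions() call means that with MOZ_OGG_NO_MEM_REPORTING defined, libogg allocations no longer pass through OggReporter::CountingMalloc and the other counting functions. Please confirm that any OggReporter definition and registration outside this hunk is guarded by the same macro, otherwise the build keeps a reporter that never counts anything. A trailing comment on the new #endif naming the macro would also make the nesting next to the MOZ_VPX block easier to follow.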