head 1.15; access; symbols pkgsrc-2026Q1:1.15.0.18 pkgsrc-2026Q1-base:1.15 pkgsrc-2025Q4:1.15.0.16 pkgsrc-2025Q4-base:1.15 pkgsrc-2025Q3:1.15.0.14 pkgsrc-2025Q3-base:1.15 pkgsrc-2025Q2:1.15.0.12 pkgsrc-2025Q2-base:1.15 pkgsrc-2025Q1:1.15.0.10 pkgsrc-2025Q1-base:1.15 pkgsrc-2024Q4:1.15.0.8 pkgsrc-2024Q4-base:1.15 pkgsrc-2024Q3:1.15.0.6 pkgsrc-2024Q3-base:1.15 pkgsrc-2024Q2:1.15.0.4 pkgsrc-2024Q2-base:1.15 pkgsrc-2024Q1:1.15.0.2 pkgsrc-2024Q1-base:1.15 pkgsrc-2023Q4:1.14.0.8 pkgsrc-2023Q4-base:1.14 pkgsrc-2023Q3:1.14.0.6 pkgsrc-2023Q3-base:1.14 pkgsrc-2023Q2:1.14.0.4 pkgsrc-2023Q2-base:1.14 pkgsrc-2023Q1:1.14.0.2 pkgsrc-2023Q1-base:1.14 pkgsrc-2022Q4:1.13.0.18 pkgsrc-2022Q4-base:1.13 pkgsrc-2022Q3:1.13.0.16 pkgsrc-2022Q3-base:1.13 pkgsrc-2022Q2:1.13.0.14 pkgsrc-2022Q2-base:1.13 pkgsrc-2022Q1:1.13.0.12 pkgsrc-2022Q1-base:1.13 pkgsrc-2021Q4:1.13.0.10 pkgsrc-2021Q4-base:1.13 pkgsrc-2021Q3:1.13.0.8 pkgsrc-2021Q3-base:1.13 pkgsrc-2021Q2:1.13.0.6 pkgsrc-2021Q2-base:1.13 pkgsrc-2021Q1:1.13.0.4 pkgsrc-2021Q1-base:1.13 pkgsrc-2020Q4:1.13.0.2 pkgsrc-2020Q4-base:1.13 pkgsrc-2020Q3:1.12.0.10 pkgsrc-2020Q3-base:1.12 pkgsrc-2020Q2:1.12.0.8 pkgsrc-2020Q2-base:1.12 pkgsrc-2020Q1:1.12.0.4 pkgsrc-2020Q1-base:1.12 pkgsrc-2019Q4:1.12.0.6 pkgsrc-2019Q4-base:1.12 pkgsrc-2019Q3:1.12.0.2 pkgsrc-2019Q3-base:1.12 pkgsrc-2019Q2:1.11.0.6 pkgsrc-2019Q2-base:1.11 pkgsrc-2019Q1:1.11.0.4 pkgsrc-2019Q1-base:1.11 pkgsrc-2018Q4:1.11.0.2 pkgsrc-2018Q4-base:1.11 pkgsrc-2018Q1:1.9.0.8 pkgsrc-2018Q1-base:1.9 pkgsrc-2017Q4:1.9.0.6 pkgsrc-2017Q4-base:1.9 pkgsrc-2017Q3:1.9.0.4 pkgsrc-2017Q3-base:1.9 pkgsrc-2016Q4:1.5.0.6 pkgsrc-2016Q4-base:1.5 pkgsrc-2016Q3:1.5.0.4 pkgsrc-2016Q3-base:1.5 pkgsrc-2016Q2:1.5.0.2 pkgsrc-2016Q2-base:1.5 pkgsrc-2016Q1:1.4.0.6 pkgsrc-2016Q1-base:1.4 pkgsrc-2015Q4:1.4.0.4 pkgsrc-2015Q4-base:1.4 pkgsrc-2015Q3:1.4.0.2 pkgsrc-2015Q3-base:1.4 pkgsrc-2015Q2:1.3.0.2 pkgsrc-2015Q2-base:1.3 pkgsrc-2015Q1:1.2.0.2 pkgsrc-2015Q1-base:1.2 pkgsrc-2014Q4:1.1.0.2 pkgsrc-2014Q4-base:1.1; locks; 
strict; comment @# @; 1.15 date 2024.01.31.15.54.52; author ryoon; state Exp; branches; next 1.14; commitid Xm1ju1GZSWmNlCWE; 1.14 date 2023.01.24.17.57.09; author nia; state Exp; branches; next 1.13; commitid 9Me0jLePQPV5ZOaE; 1.13 date 2020.12.17.09.53.15; author ryoon; state Exp; branches; next 1.12; commitid zhXrb1Fwr8fEZ4AC; 1.12 date 2019.07.11.11.32.40; author ryoon; state Exp; branches; next 1.11; commitid 78kKTlsMNaN1qCuB; 1.11 date 2018.11.07.12.55.11; author martin; state Exp; branches; next 1.10; commitid LzUVVXSU6l8wM0ZA; 1.10 date 2018.05.10.20.01.53; author ryoon; state dead; branches; next 1.9; commitid xD42Z67JHKvGXMBA; 1.9 date 2017.08.26.21.18.08; author he; state Exp; branches; next 1.8; commitid kkJFRDjJpzGXDL4A; 1.8 date 2017.08.26.10.36.01; author he; state Exp; branches; next 1.7; commitid MpgfyXeFrsus4I4A; 1.7 date 2017.03.07.20.45.43; author ryoon; state dead; branches; next 1.6; commitid cj2gfa0XmazzZEIz; 1.6 date 2017.01.25.13.24.51; author ryoon; state Exp; branches; next 1.5; commitid 3acwYN6np6o7SlDz; 1.5 date 2016.04.27.16.22.40; author ryoon; state Exp; branches; next 1.4; commitid u2rwBznaaKPcDh4z; 1.4 date 2015.09.23.06.44.42; author ryoon; state Exp; branches 1.4.6.1; next 1.3; commitid A8JQd1PZS2cnplCy; 1.3 date 2015.04.05.12.54.12; author ryoon; state Exp; branches; next 1.2; commitid K8Tn7QcmAk8VWogy; 1.2 date 2015.02.28.04.30.55; author ryoon; state Exp; branches; next 1.1; commitid Y4EEeVfm51r1kJby; 1.1 date 2014.10.15.13.43.32; author ryoon; state Exp; branches; next ; commitid xThioCjhcLRxKiUx; 1.4.6.1 date 2016.05.19.12.56.31; author bsiegert; state Exp; branches; next ; commitid 53h9eCcjRRHEM57z; desc @@ 1.15 log @firefox: Update to 122.0 Changelog: 122.0: New * Firefox now displays images and descriptions for search suggestions when provided by the search engine. * The translations feature received an improvement in the quality of translated webpages. The results should be much more stable. 
This fixes issues where the content of a page could disappear when translated, or interactive widgets could break. * Firefox now supports creating and using passkeys stored in the iCloud Keychain on macOS. * MDN Web Docs article suggestions from Firefox Suggest will be available in the address bar for users searching for web development-related information. * The line breaking rules of Web content now match the Unicode Standard. This improves Web Browser compatibility for line breaking. An additional improvement for East Asian and South East Asian end users, Firefox now supports proper language-aware word selection when double-clicking on text for languages including Chinese, Japanese, Burmese, Lao, Khmer, and Thai. * Firefox now ships with a new .deb package for Linux users on Ubuntu, Debian, and Linux Mint. Fixed * Various security fixes. Security fixes: Mozilla Foundation Security Advisory 2024-01 #CVE-2024-0741: Out of bounds write in ANGLE #CVE-2024-0742: Failure to update user input timestamp #CVE-2024-0743: Crash in NSS TLS method #CVE-2024-0744: Wild pointer dereference in JavaScript #CVE-2024-0745: Stack buffer overflow in WebAudio #CVE-2024-0746: Crash when listing printers on Linux #CVE-2024-0747: Bypass of Content Security Policy when directive unsafe-inline was set #CVE-2024-0748: Compromised content process could modify document URI #CVE-2024-0749: Phishing site popup could show local origin in address bar #CVE-2024-0750: Potential permissions request bypass via clickjacking #CVE-2024-0751: Privilege escalation through devtools #CVE-2024-0752: Use-after-free could occur when applying update on macOS #CVE-2024-0753: HSTS policy on subdomain could bypass policy of upper domain #CVE-2024-0754: Crash when using some WASM files in devtools #CVE-2024-0755: Memory safety bugs fixed in Firefox 122, Firefox ESR 115.7, and Thunderbird 115.7 @ text @$NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.14 2023/01/24 17:57:09 nia Exp $ Make NetBSD/sparc64 
use the same xptcall bindings as all other sparc64 ports https://bugzilla.mozilla.org/show_bug.cgi?id=1505360 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2024-01-12 13:20:20.000000000 +0000 +++ xpcom/reflect/xptcall/md/unix/moz.build @@@@ -221,7 +221,7 @@@@ if CONFIG["OS_ARCH"] == "OpenBSD" and CO ] if ( - CONFIG["OS_ARCH"] in ("OpenBSD", "FreeBSD", "Linux", "SunOS") + CONFIG["OS_ARCH"] in ("OpenBSD", "FreeBSD", "Linux", "SunOS", "NetBSD") and CONFIG["TARGET_CPU"] == "sparc64" ): SOURCES += [ @ 1.14 log @firefox: Update patch comments. @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.13 2020/12/17 09:53:15 ryoon Exp $ d7 1 a7 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2020-12-03 23:14:25.000000000 +0000 d9 1 a9 1 @@@@ -225,7 +225,7 @@@@ if CONFIG["OS_ARCH"] == "OpenBSD" and CO d14 2 a15 2 + CONFIG["OS_ARCH"] in ("OpenBSD", "FreeBSD", "NetBSD", "Linux", "SunOS") and CONFIG["CPU_ARCH"] == "sparc64" @ 1.13 log @firefox: Update to 84.0 Changelog: New * Native support for macOS devices built with Apple Silicon CPUs brings dramatic performance improvements over the non-native build that was shipped in Firefox 83: Firefox launches over 2.5 times faster and web apps are now twice as responsive (per the SpeedoMeter 2.0 test). If you are on a new Apple device, follow these steps to upgrade to the latest Firefox. * WebRender rolls out to MacOS Big Sur, Windows devices with Intel Gen 6 GPUs, and Intel laptops running Windows 7 and 8. Additionally we'll ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time, ever! * Firefox now uses more modern techniques for allocating shared memory on Linux, improving performance and increasing compatibility with Docker. * Firefox 84 is the final release to support Adobe Flash. 
Fixed * Various security fixes #CVE-2020-16042: Operations on a BigInt could have caused uninitialized memory to be exposed #CVE-2020-26971: Heap buffer overflow in WebGL #CVE-2020-26972: Use-After-Free in WebGL #CVE-2020-26973: CSS Sanitizer performed incorrect sanitization #CVE-2020-26974: Incorrect cast of StyleGenericFlexBasis resulted in a heap use-after-free #CVE-2020-26975: Malicious applications on Android could have induced Firefox for Android into sending arbitrary attacker-specified headers #CVE-2020-26976: HTTPS pages could have been intercepted by a registered service worker when they should not have been #CVE-2020-26977: URL spoofing via unresponsive port in Firefox for Android #CVE-2020-26978: Internal network hosts could have been probed by a malicious webpage #CVE-2020-26979: When entering an address in the address or search bars, a website could have redirected the user before they were navigated to the intended url #CVE-2020-35111: The proxy.onRequest API did not catch view-source URLs #CVE-2020-35112: Opening an extension-less download may have inadvertently launched an executable instead #CVE-2020-35113: Memory safety bugs fixed in Firefox 84 and Firefox ESR 78.6 @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.12 2019/07/11 11:32:40 ryoon Exp $ d5 2 @ 1.12 log @Update to 68.0 Changelog: New Dark mode in reader view expands so that windows are also dark on the controls, sidebars and toolbars. Improved extension security and discovery: New reporting feature in about:addons allows you to report security and performance issues with extensions and themes. Redesigned extensions dashboard in about:addons provides easy access to information about your extensions, including data and settings access required by each extension. Find high quality, secure extensions via the Recommended Extensions program in about:addons, which now displays user count and ratings for each extension. 
"Recommended” badges for these extensions also appear on AMO. More extensions will be added over time. Cryptomining and fingerprinting protections are added to strict content blocking settings in Privacy & Security preferences. WebRender will roll out to Windows 10 users with AMD graphics cards. Windows Background Intelligent Transfer Service (BITS) update download support, which allows Firefox update downloads to continue when Firefox is closed. Fixed Various security fixes Local files can no longer access other files in the same directory. Security fixes: #CVE-2019-9811: Sandbox escape via installation of malicious language pack #CVE-2019-11711: Script injection within domain through inner window reuse #CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects #CVE-2019-11713: Use-after-free with HTTP/2 cached stream #CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread #CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault #CVE-2019-11715: HTML parsing error can contribute to content XSS #CVE-2019-11716: globalThis not enumerable until accessed #CVE-2019-11717: Caret character improperly escaped in origins #CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML #CVE-2019-11719: Out-of-bounds read when importing curve25519 private key #CVE-2019-11720: Character encoding XSS vulnerability #CVE-2019-11721: Domain spoofing through unicode latin 'kra' character #CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin #CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries #CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions #CVE-2019-11725: Websocket resources bypass safebrowsing protections #CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3 #CVE-2019-11728: Port scanning through Alt-Svc header #CVE-2019-11710: Memory safety bugs 
fixed in Firefox 68 #CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8 @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.11 2018/11/07 12:55:11 martin Exp $ d5 1 a5 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2019-07-06 01:49:01.000000000 +0000 d7 1 a7 2 @@@@ -217,7 +217,7 @@@@ if CONFIG['OS_ARCH'] == 'OpenBSD' and CO 'xptcstubs_sparc_openbsd.cpp', d10 5 a14 2 -if CONFIG['OS_ARCH'] in ('OpenBSD', 'FreeBSD', 'Linux', 'SunOS') and CONFIG['CPU_ARCH'] == 'sparc64': +if CONFIG['OS_ARCH'] in ('OpenBSD', 'FreeBSD', 'NetBSD', 'Linux', 'SunOS') and CONFIG['CPU_ARCH'] == 'sparc64': a15 2 'xptcinvoke_asm_sparc64_openbsd.s', 'xptcinvoke_sparc64_openbsd.cpp', @ 1.11 log @Make the pkg at least build on sparc64 (nowhere near working yet) @ text @d1 1 a1 1 $NetBSD$ d5 3 a7 3 --- ./xpcom/reflect/xptcall/md/unix/moz.build.orig 2018-10-31 01:08:15.000000000 +0100 +++ ./xpcom/reflect/xptcall/md/unix/moz.build 2018-11-07 10:29:36.234212381 +0100 @@@@ -240,7 +240,7 @@@@ d11 2 a12 2 -if CONFIG['OS_ARCH'] in ('OpenBSD', 'FreeBSD', 'Linux') and CONFIG['CPU_ARCH'] == 'sparc64': +if CONFIG['OS_ARCH'] in ('OpenBSD', 'FreeBSD', 'NetBSD', 'Linux') and CONFIG['CPU_ARCH'] == 'sparc64': @ 1.10 log @Update to 60.0 * Remove untested patches including NetBSD/earm support Changelog: New Added a policy engine that allows customized Firefox deployments in enterprise environments, using Windows Group Policy or a cross-platform JSON file Enhancements to New Tab / Firefox Home Responsive layout that shows more content for users with wide-screen displays Highlights section includes web sites saved to Pocket More options to reorder sections and content on the page Pocket Sponsored Stories will appear for a percentage of users in the US. 
Read about our privacy-conscious approach to sponsored content Redesigned Cookies and Site Storage section in Preferences for greater clarity and control of first- and third-party cookies Applied Quantum CSS to render browser UI Added support for Web Authentication API, which allows USB tokens for website authentication Enhanced camera privacy indicators: Firefox now turns off your camera and the camera's light when you disable video recording, and turns the camera and light on when you resume recording Added an option for Linux users to show or hide page titles in a bar at the top of the browser. You'll find the Title Bar option in the Customize panel available from the main browser menu. Improved WebRTC audio performance and playback for Linux users Locale added: Occitan (oc) Fixed Various security fixes Changed #CVE-2018-5154: Use-after-free with SVG animations and clip paths #CVE-2018-5155: Use-after-free with SVG animations and text paths #CVE-2018-5157: Same-origin bypass of PDF Viewer to view protected PDF files #CVE-2018-5158: Malicious PDF can inject JavaScript into PDF Viewer #CVE-2018-5159: Integer overflow and out-of-bounds write in Skia #CVE-2018-5160: Uninitialized memory use by WebRTC encoder #CVE-2018-5152: WebExtensions information leak through webRequest API #CVE-2018-5153: Out-of-bounds read in mixed content websocket messages #CVE-2018-5163: Replacing cached data in JavaScript Start-up Bytecode Cache #CVE-2018-5164: CSP not applied to all multipart content sent with multipart/x-mixed-replace #CVE-2018-5166: WebExtension host permission bypass through filterReponseData #CVE-2018-5167: Improper linkification of chrome: and javascript: content in web console and JavaScript debugger #CVE-2018-5168: Lightweight themes can be installed without user interaction #CVE-2018-5169: Dragging and dropping link text onto home button can set home page to include chrome pages #CVE-2018-5172: Pasted script from clipboard can run in the Live Bookmarks page or PDF 
viewer #CVE-2018-5173: File name spoofing of Downloads panel with Unicode characters #CVE-2018-5174: Windows Defender SmartScreen UI runs with less secure behavior for downloaded files in Windows 10 April 2018 Update #CVE-2018-5175: Universal CSP bypass on sites using strict-dynamic in their policies #CVE-2018-5176: JSON Viewer script injection #CVE-2018-5177: Buffer overflow in XSLT during number formatting #CVE-2018-5165: Checkbox for enabling Flash protected mode is inverted in 32-bit Firefox #CVE-2018-5180: heap-use-after-free in mozilla::WebGLContext::DrawElementsInstanced #CVE-2018-5181: Local file can be displayed in noopener tab through drag and drop of hyperlink #CVE-2018-5182: Local file can be displayed from hyperlink dragged and dropped on addressbar #CVE-2018-5151: Memory safety bugs fixed in Firefox 60 #CVE-2018-5150: Memory safety bugs fixed in Firefox 60 and Firefox ESR 52.8 @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.9 2017/08/26 21:18:08 he Exp $ d3 1 a3 2 CONFIG['OS_TEST'] is apparently CPU, not MACHINE, so use 'powerpc' instead of the longish list of powerpc ports. d5 5 a9 5 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2017-06-15 20:52:36.000000000 +0000 +++ xpcom/reflect/xptcall/md/unix/moz.build @@@@ -221,7 +221,7 @@@@ if CONFIG['OS_TEST'] in ('powerpc64', 'p 'xptcstubs_ppc64_linux.cpp', ] d11 5 a15 5 -if CONFIG['OS_TEST'] in ('macppc', 'bebox', 'ofppc', 'prep', 'amigappc'): +if CONFIG['OS_TEST'] in ('powerpc'): if CONFIG['OS_ARCH'] == 'NetBSD': SOURCES += [ 'xptcinvoke_asm_ppc_netbsd.s', @ 1.9 log @My mistake: left work/firefox* in patch file. @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.8 2017/08/26 10:36:01 he Exp $ @ 1.8 log @Add some patches to get us closer to building on NetBSD/powerpc: * moz.build: CONFIG['OS_TEST'] is apparently CPU, not MACHINE, so use 'powerpc' instead of the longish list of powerpc ports. 
* xptcinvoke_asm_ppc_netbsd.s: adapt to use of NS_InvokeByIndex() * xptcinvoke_ppc_netbsd.cpp: adapt to use of NS_InvokeByIndex() * xptcstubs_ppc_netbsd.cpp: adapt in the direction of xptcstubs_ppc_linux.cpp; this has apparently not been build-tested in a while. The current stumbling block is the lack of 64-bit atomic operations. No PKGREVISION bump as this is a partial build fix only for NetBSD/powerpc. @ text @d1 1 a1 1 $NetBSD$ d6 2 a7 2 --- work/firefox-55.0.2/xpcom/reflect/xptcall/md/unix/moz.build.orig 2017-06-15 20:52:36.000000000 +0000 +++ work/firefox-55.0.2/xpcom/reflect/xptcall/md/unix/moz.build @ 1.7 log @Update to 52.0 * Switch to GTK3 build * Remove py-sqlite2 dependency, fix PR pkg/52032 Changelog: New Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins. Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab. Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS. Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain. Enhanced Sync to allow users to send and open tabs from one device to another. Fixed Various security fixes Improved text input for third-party keyboard layouts on Windows. 
This will address some keyboard layouts that * have chained dead keys * input two or more characters with a non-printable key or a dead key sequence * input a character even when a dead key sequence failed to compose a character Changed Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported. Removed Battery Status API to reduce fingerprinting of users by trackers Improved experience for downloads: * Notification in the toolbar when a download fails * Quick access to five most recent downloads rather than three * Larger buttons for canceling and restarting downloads Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1 Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox. 
When not using Direct2D on Windows, Skia is used for content rendering Developer Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design Redesigned Responsive Design Mode to include device selection, network throttling, and more Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain unresolved Google Hangouts temporarily won't work Security fixes: #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP #CVE-2017-5401: Memory Corruption when handling ErrorResult #CVE-2017-5402: Use-after-free working with events in FontFace objects #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object #CVE-2017-5404: Use-after-free working with ranges in selections #CVE-2017-5406: Segmentation fault in Skia with canvas operations #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS #CVE-2017-5412: Buffer overflow read in SVG filters #CVE-2017-5413: Segmentation fault during bidirectional operations #CVE-2017-5414: File picker can choose incorrect default directory #CVE-2017-5415: Addressbar spoofing through blob URL #CVE-2017-5416: Null dereference crash in HttpChannel #CVE-2017-5417: Addressbar spoofing by draging and dropping URLs #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses #CVE-2017-5419: Repeated authentication 
prompts lead to DOS attack #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports #CVE-2017-5421: Print preview spoofing #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink #CVE-2017-5399: Memory safety bugs fixed in Firefox 52 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8 @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.6 2017/01/25 13:24:51 ryoon Exp $ d3 8 a10 5 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2017-01-16 16:16:53.000000000 +0000 +++ xpcom/reflect/xptcall/md/unix/moz.build @@@@ -145,7 +145,7 @@@@ if CONFIG['OS_ARCH'] == 'NetBSD': 'xptcstubs_netbsd_m68k.cpp' ] d12 3 a14 3 -if CONFIG['OS_ARCH'] == 'Linux': +if CONFIG['OS_ARCH'] in ('Linux', 'FreeBSD', 'NetBSD', 'OpenBSD'): if CONFIG['OS_TEST'] == 'aarch64': d16 1 a16 1 'xptcinvoke_aarch64.cpp', @ 1.6 log @Update to 51.0 Changelog: New Users can view passwords in the save password prompt before saving them Added a zoom button in the URL bar: Displays percent above or below 100 percent when a user has changed the page zoom setting from the default Lets users return to the default setting by clicking on the button Improved video performance for users without GPU acceleration for less CPU usage and a better full screen experience Firefox will save passwords even in forms that do not have “submit” events Added support for FLAC (Free Lossless Audio Codec) playback Added support for WebGL 2, with advanced graphics rendering features like transform feedback, improved texturing capabilities, and a new sophisticated shading language A warning is displayed when a login page does not have a secure connection Added Georgian (ka) and Kabyle (kab) locales An even faster E10s! Tab Switching is better! 
Improved reliability of browser data sync Remove Belarusian (be) locale Fixed Various security fixes Changed Use 2D graphics library (Skia) for content rendering on Linux Re-enabled E10s support for Russian (ru) locale Updated to NSS 3.28.1 Security fixes: #CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP #CVE-2017-5376: Use-after-free in XSL #CVE-2017-5377: Memory corruption with transforms to create gradients in Skia #CVE-2017-5378: Pointer and frame data leakage of Javascript objects #CVE-2017-5379: Use-after-free in Web Animations #CVE-2017-5380: Potential use-after-free during DOM manipulations #CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer #CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests #CVE-2017-5396: Use-after-free with Media Decoder #CVE-2017-5381: Certificate Viewer exporting can be used to navigate and save to arbitrary filesystem locations #CVE-2017-5382: Feed preview can expose privileged content errors and exceptions #CVE-2017-5383: Location bar spoofing with unicode characters #CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC) #CVE-2017-5385: Data sent in multipart channels ignores referrer-policy response headers #CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions #CVE-2017-5394: Android location bar spoofing using fullscreen and JavaScript events #CVE-2017-5391: Content about: pages can load privileged about: pages #CVE-2017-5392: Weak references using multiple threads on weak proxy objects lead to unsafe memory usage #CVE-2017-5393: Remove addons.mozilla.org CDN from whitelist for mozAddonManager #CVE-2017-5395: Android location bar spoofing during scrolling #CVE-2017-5387: Disclosure of local file existence through TRACK tag error messages #CVE-2017-5388: WebRTC can be used to generate a large amount of UDP traffic for DDOS attacks #CVE-2017-5374: Memory safety bugs fixed in Firefox 51 #CVE-2017-5373: Memory 
safety bugs fixed in Firefox 51 and Firefox ESR 45.7 @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.5 2016/04/27 16:22:40 ryoon Exp $ @ 1.5 log @Update to 46.0 * Drop buildlink to gstreamer1 Changelog: New Improved security of the JavaScript Just In Time (JIT) Compiler GTK3 integration (GNU/Linux only) Fixed Correct rendering for scaled SVGs that use a clip and a mask Various security fixes Screen reader behavior with blank spaces in Google Docs corrected Changed WebRTC fixes to improve performance and stability Developer Display dominator trees in Memory tool Allocation and garbage collection pause profiling in the performance panel Launch responsive mode from the Style Editor @@media sidebar HTML5 Added support for document.elementsFromPoint Added HKDF support for Web Crypto API Fixed in Firefox 46 2016-48 Firefox Health Reports could accept events from untrusted domains 2016-47 Write to invalid HashMap entry through JavaScript.watch() 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace 2016-44 Buffer overflow in libstagefright with CENC offsets 2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors 2016-42 Use-after-free and buffer overflow in Service Workers 2016-41 Content provider permission bypass allows malicious application to access data 2016-40 Privilege escalation through file deletion by Maintenance Service updater 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.4 2015/09/23 06:44:42 ryoon Exp $ d3 1 a3 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2016-04-15 16:57:50.000000000 +0000 d5 7 a11 6 @@@@ -9,7 +9,7 @@@@ if CONFIG['OS_ARCH'] == 'Darwin': 'xptcinvoke_darwin.cpp', 'xptcstubs_darwin.cpp', ] - if CONFIG['OS_TEST'] == 'powerpc': + if CONFIG['OS_TEST'] == 'ppc': d13 1 a13 2 
'!xptcstubs_asm_ppc_darwin.s', 'xptcinvoke_asm_ppc_rhapsody.s', @ 1.4 log @Update to 41.0 Changelog: New Enhance IME support on Windows (Vista +) using TSF (Text Services Framework) New Ability to set a profile picture for your Firefox Account New Firefox Hello now includes instant messaging New SVG images can be used as favicons New Improved box-shadow rendering performance Changed WebRTC now requires perfect forward secrecy Changed WARP is disabled on Windows 7 Changed Updates to image decoding process Changed Support for running animations of 'transform' and 'opacity' on the compositor thread HTML5 MessageChannel and MessagePort API enabled by default HTML5 Added support for the transform-origin property on SVG elements HTML5 CSS Font Loading API enabled by default HTML5 Navigator.onLine now varies with actual internet connectivity (Windows and Mac OS X only) HTML5 Copy/Cut Web content from JavaScript to the OS clipboard with document.execCommand("cut"/"copy") HTML5 Implemented Cache API for querying named caches that are accessible Window, Worker, and ServiceWorker Developer Removed support for binary XPCOM components in extensions, use addon SDK "system/child_process" pipe mechanism for native binaries instead Developer Network requests can be exported in HAR format Developer Quickly add new CSS rule with New Rule button in the Inspector Developer Screenshot a node or element from markup view with the Screenshot Node context menu item Developer Copy element CSS rule declarations with the Copy Rule Declaration context menu item in the Inspector Developer Pseudo-Class panel in the Inspector Fixed Picture element does not react to resize/viewport changes Fixed Various security fixes Security fixes: Fixed in Firefox 41 2015-114 Information disclosure via the High Resolution Time API 2015-113 Memory safety errors in libGLES in the ANGLE graphics library 2015-112 Vulnerabilities found through code inspection 2015-111 Errors in the handling of CORS preflight request 
headers 2015-110 Dragging and dropping images exposes final URL after redirects 2015-109 JavaScript immutable property enforcement can be bypassed 2015-108 Scripted proxies can access inner window 2015-107 Out-of-bounds read during 2D canvas display on Linux 16-bit color depth systems 2015-106 Use-after-free while manipulating HTML media content 2015-105 Buffer overflow while decoding WebM video 2015-104 Use-after-free with shared workers and IndexedDB 2015-103 URL spoofing in reader mode 2015-102 Crash when using debugger with SavedStacks in JavaScript 2015-101 Buffer overflow in libvpx while parsing vp9 format video 2015-100 Arbitrary file manipulation by local user through Mozilla updater 2015-99 Site attribute spoofing on Android by pasting URL with unknown scheme 2015-98 Out of bounds read in QCMS library with ICC V4 profile attributes 2015-97 Memory leak in mozTCPSocket to servers 2015-96 Miscellaneous memory safety hazards (rv:41.0 / rv:38.3) @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.3 2015/04/05 12:54:12 ryoon Exp $ d3 1 a3 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2015-08-24 21:53:22.000000000 +0000 a13 9 @@@@ -24,7 +24,7 @@@@ if CONFIG['OS_ARCH'] == 'GNU': 'xptcstubs_gcc_x86_unix.cpp' ] -if CONFIG['OS_ARCH'] in ('Linux', 'FreeBSD', 'NetBSD', 'OpenBSD') or \ +if CONFIG['OS_ARCH'] in ('Linux', 'FreeBSD', 'NetBSD', 'OpenBSD', 'DragonFly') or \ CONFIG['OS_ARCH'].startswith('GNU_'): if CONFIG['OS_TEST'] == 'x86_64': SOURCES += [ @ 1.4.6.1 log @Pullup ticket #5015 - requested by sevan www/firefox: security fix Revisions pulled up: - www/firefox/Makefile 1.249-1.250 - www/firefox/PLIST 1.105-1.106 - www/firefox/distinfo 1.242-1.243 - www/firefox/mozilla-common.mk 1.73 - www/firefox/patches/patch-aa 1.45 - www/firefox/patches/patch-config_external_moz.build 1.11 - www/firefox/patches/patch-config_system-headers 1.18 - www/firefox/patches/patch-dom_media_gstreamer_GStreamerAllocator.cpp deleted - 
www/firefox/patches/patch-dom_media_moz.build 1.3 - www/firefox/patches/patch-gfx_skia_generate__mozbuild.py 1.4 - www/firefox/patches/patch-gfx_skia_moz.build 1.11 - www/firefox/patches/patch-gfx_skia_skia_src_core_SkUtilsArm.cpp 1.2 - www/firefox/patches/patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp deleted - www/firefox/patches/patch-gfx_skia_skia_src_opts_memset.arm.S deleted - www/firefox/patches/patch-gfx_thebes_moz.build 1.3 - www/firefox/patches/patch-media_libcubeb_src_cubeb.c 1.3 - www/firefox/patches/patch-media_libcubeb_src_cubeb__alsa.c 1.14 - www/firefox/patches/patch-media_libcubeb_src_moz.build 1.7 - www/firefox/patches/patch-media_libtheora_moz.build 1.5 - www/firefox/patches/patch-pb deleted - www/firefox/patches/patch-pc deleted - www/firefox/patches/patch-toolkit_library_moz.build 1.5 - www/firefox/patches/patch-xpcom_reflect_xptcall_md_unix_moz.build 1.5 --- Module Name: pkgsrc Committed By: ryoon Date: Wed Apr 13 20:37:33 UTC 2016 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo Log Message: Update to 45.0.2 Changelog: Fixed: Fix an issue impacting the cookie header when third-party cookies are blocked (1257861) Fix a web compatibility regression impacting the srcset attribute of the image tag (1259482) Fix a regression with the copy and paste with some old versions of some Gecko applications like Thunderbird (1254980) Fix a crash impacting the video playback with Media Source Extension (1258562) Fix a regression impacting some specific uploads (1255735) --- Module Name: pkgsrc Committed By: ryoon Date: Wed Apr 27 16:22:40 UTC 2016 Modified Files: pkgsrc/www/firefox: Makefile PLIST distinfo mozilla-common.mk pkgsrc/www/firefox/patches: patch-aa patch-config_external_moz.build patch-config_system-headers patch-dom_media_moz.build patch-gfx_skia_generate__mozbuild.py patch-gfx_skia_moz.build patch-gfx_skia_skia_src_core_SkUtilsArm.cpp patch-gfx_thebes_moz.build patch-media_libcubeb_src_cubeb.c 
patch-media_libcubeb_src_cubeb__alsa.c patch-media_libcubeb_src_moz.build patch-media_libtheora_moz.build patch-toolkit_library_moz.build patch-xpcom_reflect_xptcall_md_unix_moz.build Removed Files: pkgsrc/www/firefox/patches: patch-dom_media_gstreamer_GStreamerAllocator.cpp patch-gfx_skia_skia_src_opts_SkBitmapProcState__opts__arm.cpp patch-gfx_skia_skia_src_opts_memset.arm.S patch-pb patch-pc Log Message: Update to 46.0 * Drop buildlink to gstreamer1 Changelog: New Improved security of the JavaScript Just In Time (JIT) Compiler GTK3 integration (GNU/Linux only) Fixed Correct rendering for scaled SVGs that use a clip and a mask Various security fixes Screen reader behavior with blank spaces in Google Docs corrected Changed WebRTC fixes to improve performance and stability Developer Display dominator trees in Memory tool Allocation and garbage collection pause profiling in the performance panel Launch responsive mode from the Style Editor @@media sidebar HTML5 Added support for document.elementsFromPoint Added HKDF support for Web Crypto API Fixed in Firefox 46 2016-48 Firefox Health Reports could accept events from untrusted domains 2016-47 Write to invalid HashMap entry through JavaScript.watch() 2016-46 Elevation of privilege with chrome.tabs.update API in web extensions 2016-45 CSP not applied to pages sent with multipart/x-mixed-replace 2016-44 Buffer overflow in libstagefright with CENC offsets 2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors 2016-42 Use-after-free and buffer overflow in Service Workers 2016-41 Content provider permission bypass allows malicious application to access data 2016-40 Privilege escalation through file deletion by Maintenance Service updater 2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8) @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2016-04-15 16:57:50.000000000 +0000 d14 9 @ 1.3 log @Update to 37.0 * Bump nspr requirement. 
Changelog: New Heartbeat user rating system - your feedback about Firefox New Yandex set as default search provider for the Turkish locale New Bing search now uses HTTPS for secure searching New Improved protection against site impersonation via OneCRL centralized certificate revocation New Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc Changed Disabled insecure TLS version fallback for site security Changed Extended SSL error reporting for reporting non-certificate errors Changed TLS False Start optimization now requires a cipher suite using AEAD construction Changed Improved certificate and TLS communication security by removing support for DSA Changed Improved performance of WebGL rendering on Windows HTML5 Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only) HTML5 Added support for CSS display:contents HTML5 IndexedDB now accessible from worker threads HTML5 New SDP/JSEP implementation in WebRTC Developer Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS Developer New Inspector animations panel to control element animations Developer New Security Panel included in Network Panel Developer Debugger panel support for chrome:// and about:// URIs Developer Added logging of weak ciphers to the web console Fixed Various security fixes Fixed in Firefox 37 2015-42 Windows can retain access to privileged content on navigation to unprivileged pages 2015-41 PRNG weakness allows for DNS poisoning on Android 2015-40 Same-origin bypass through anchor navigation 2015-39 Use-after-free due to type confusion flaws 2015-38 Memory corruption crashes in Off Main Thread Compositing 2015-37 CORS requests should not follow 30x redirections after preflight 2015-36 Incorrect memory management for simple-type arrays in WebRTC 2015-35 Cursor clickjacking with flash and images 2015-34 Out of bounds read in QCMS library 2015-33 resource:// documents can load privileged 
pages 2015-32 Add-on lightweight theme installation approval bypassed through MITM attack 2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin 2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6) @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.2 2015/02/28 04:30:55 ryoon Exp $ d3 1 a3 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2015-03-27 02:20:33.000000000 +0000 d12 1 d14 1 a14 2 ] @@@@ -26,7 +26,7 @@@@ if CONFIG['OS_ARCH'] == 'GNU': @ 1.2 log @Update to 36.0 Changelog: New Pinned tiles on the new tab page can be synced New Support for the full HTTP/2 protocol. HTTP/2 enables a faster, more scalable, and more responsive web. New Locale added: Uzbek (uz) Changed -remote option removed Changed No longer accept insecure RC4 ciphers whenever possible Changed Phasing out Certificates with 1024-bit RSA Keys Changed Shut down hangs will now show the crash reporter before exiting the program Changed Add-on Compatibility HTML5 Support for the ECMAScript 6 Symbol data type added HTML5 unicode-range CSS descriptor implemented HTML5 CSSOM-View scroll behavior implemented allowing smooth scrolling of content without custom libraries HTML5 object-fit and object-position implemented. Defines how and where the content of a replaced element is displayed HTML5 isolation CSS property implemented. Create a new stacking context to isolate groups of boxes to control which blend together HTML5 CSS3 will-change property implemented. Hints the browser of elements that will be modified. The browser will perform some performance optimization for these HTML5 Changed JavaScript 'const' semantics to conform better to the ES6 specification. The const declaration is now block-scoped and requires an initializer. It also can not be redeclared anymore. 
HTML5 Improved ES6 generators for better performance Developer Eval sources now appear in the Debugger Debug JavaScript code that is evaluated dynamically, either as a string passed to eval() or as a string passed to the Function constructor Developer DOM Promises inspection Developer Inspector: More paste options in markup view Fixed CSS gradients work on premultiplied colors Fixed Fix some unexpected logout from Facebook or Google after restart Fixed Various security fixes Fixed in Firefox 36 2015-27 Caja Compiler JavaScript sandbox bypass 2015-26 UI Tour whitelisted sites in background tab can spoof foreground tabs 2015-25 Local files or privileged URLs in pages can be opened into new tabs 2015-24 Reading of local files through manipulation of form autocomplete 2015-23 Use-after-free in Developer Console date with OpenType Sanitiser 2015-22 Crash using DrawTarget in Cairo graphics library 2015-21 Buffer underflow during MP3 playback 2015-20 Buffer overflow during CSS restyling 2015-19 Out-of-bounds read and write while rendering SVG content 2015-18 Double-free when using non-default memory allocators with a zero-length XHR 2015-17 Buffer overflow in libstagefright during MP4 video playback 2015-16 Use-after-free in IndexedDB 2015-15 TLS TURN and STUN connections silently fail to simple TCP connections 2015-14 Malicious WebGL content crash when writing strings 2015-13 Appended period to hostnames can bypass HPKP and HSTS protections 2015-12 Invoking Mozilla updater will load locally stored DLL files 2015-11 Miscellaneous memory safety hazards (rv:36.0 / rv:31.5) @ text @d1 1 a1 1 $NetBSD: patch-xpcom_reflect_xptcall_md_unix_moz.build,v 1.1 2014/10/15 13:43:32 ryoon Exp $ d3 1 a3 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2015-02-17 21:40:51.000000000 +0000 d14 1 a14 9 @@@@ -19,14 +19,14 @@@@ if CONFIG['OS_ARCH'] == 'Darwin': if '86' in CONFIG['OS_TEST'] and CONFIG['OS_TEST'] != 'x86_64': DEFINES['MOZ_NEED_LEADING_UNDERSCORE'] = True -if CONFIG['OS_ARCH'] 
in ('NetBSD', 'GNU'): +if CONFIG['OS_ARCH'] in ('OpenBSD', 'GNU'): if CONFIG['CPU_ARCH'] == 'x86': SOURCES += [ 'xptcinvoke_gcc_x86_unix.cpp', d18 2 a19 2 -if CONFIG['OS_ARCH'] in ('Linux', 'FreeBSD', 'OpenBSD') or \ +if CONFIG['OS_ARCH'] in ('Linux', 'FreeBSD', 'NetBSD', 'DragonFly') or \ @ 1.1 log @Add missing patches. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- xpcom/reflect/xptcall/md/unix/moz.build.orig 2014-10-11 09:06:50.000000000 +0000 d18 1 a18 1 -if CONFIG['OS_ARCH'] in ('NetBSD', 'OpenBSD', 'GNU'): d26 1 a26 1 -if CONFIG['OS_ARCH'] in ('Linux', 'FreeBSD') or \ @
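Review bot: No rationale is recorded for the platform swap in the revision 1.2 hunk at `-19,14 +19,14`, where the test guarding `xptcinvoke_gcc_x86_unix.cpp` changes from `('NetBSD', 'GNU')` to `('OpenBSD', 'GNU')` and the later test changes from `('Linux', 'FreeBSD', 'OpenBSD')` to `('Linux', 'FreeBSD', 'NetBSD', 'DragonFly')`. This moves NetBSD onto the code path shared with Linux and FreeBSD and moves OpenBSD off it, while the accompanying log only says "Update to 36.0" plus the upstream changelog. A one-line comment in the patch file stating why each OS belongs in each tuple, and whether the change was sent upstream, would let the next update tell whether the hunk is still needed. The same applies to the revision 1.4 hunk at `-24,7 +24,7`, which only appends `'DragonFly'` to the tuple and is likewise not mentioned in its log.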