From 77447d1c4b224ccdb5a4415b491e2e7784b78537 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Mon, 7 Apr 2025 09:56:46 +0800 Subject: [PATCH 1/2] [CVE]update to firefox-128.9.0-2 to #IBYW7I update to firefox-128.9.0-2 for CVE-2025-3028 CVE-2025-3029 CVE-2025-3030 Project: TC2024080204 Signed-off-by: Jacob Wang --- disable-vsync-for-kiosk.patch | 18 +++++++ download | 4 +- ...refs.js => firefox-redhat-default-prefs.js | 4 +- firefox.spec | 50 ++++++++++--------- process-official-tarball | 3 ++ rhbz-71999-fips-youtube.patch | 43 ++++++++++++++++ 6 files changed, 94 insertions(+), 28 deletions(-) create mode 100644 disable-vsync-for-kiosk.patch rename firefox-anolis-default-prefs.js => firefox-redhat-default-prefs.js (93%) create mode 100644 rhbz-71999-fips-youtube.patch diff --git a/disable-vsync-for-kiosk.patch b/disable-vsync-for-kiosk.patch new file mode 100644 index 0000000..8e6225b --- /dev/null +++ b/disable-vsync-for-kiosk.patch @@ -0,0 +1,18 @@ +diff -up firefox-128.8.0/widget/gtk/nsWindow.cpp.kiosk-vsync firefox-128.8.0/widget/gtk/nsWindow.cpp +--- firefox-128.8.0/widget/gtk/nsWindow.cpp.kiosk-vsync 2025-03-13 13:04:03.112498669 +0100 ++++ firefox-128.8.0/widget/gtk/nsWindow.cpp 2025-03-13 13:06:13.227823446 +0100 +@@ -6348,9 +6348,13 @@ nsresult nsWindow::Create(nsIWidget* aPa + // Initialize the window specific VsyncSource early in order to avoid races + // with BrowserParent::UpdateVsyncParentVsyncDispatcher(). + // Only use for toplevel windows for now, see bug 1619246. ++ // ++ // Disable vsync for the kiosk mode - it cause the black screen ++ // This will be fixed in Firefox 140 + if (GdkIsWaylandDisplay() && + StaticPrefs::widget_wayland_vsync_enabled_AtStartup() && +- IsTopLevelWindowType()) { ++ IsTopLevelWindowType() && ++ !gKioskMode ) { + mWaylandVsyncSource = new WaylandVsyncSource(this); + mWaylandVsyncDispatcher = new VsyncDispatcher(mWaylandVsyncSource); + LOG_VSYNC(" created WaylandVsyncSource"); 
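Review bot: The comment added above the `!gKioskMode` condition says the black screen "will be fixed in Firefox 140" but names no bug, so nobody can later verify when this downstream patch may be dropped; a reference belongs there, e.g. `// Disable vsync in kiosk mode, it causes a black screen (see <bug reference>); drop once fixed upstream.` With the new condition `mWaylandVsyncSource` and `mWaylandVsyncDispatcher` are not created in kiosk mode, so code that uses them elsewhere presumably has to tolerate them being unset; that code is not visible here and is worth confirming. Minor style: `!gKioskMode ) {` has a stray space before the closing parenthesis. `nsWindow::Create` starts and ends outside the hunk.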
diff --git a/download b/download index 61a9c74..4db81da 100644 --- a/download +++ b/download @@ -1,6 +1,6 @@ fc25f988b87b5187d4e2f006efa699a3 cbindgen-vendor.tar.xz -fd6b895e2b89243fcecc604b85afa5cf firefox-128.8.0esr.processed-source.tar.xz -d934a1c5398b352142689c7de8a6a927 firefox-langpacks-128.8.0esr-20250224.tar.xz +41b4ac80021f2f640d9ee7599f6dabb8 firefox-128.9.0esr.b2.processed-source.tar.xz +fcfc7957f33934068b81ef12265a3e96 firefox-langpacks-128.9.0esr-20250331.tar.xz b3c1d2ea615cb0195f4f62b005773262 mochitest-python.tar.gz 2d901c7a62fc68bbd8816e8c4c6276c1 wasi-sdk-20.tar.gz 7b35b9a003996b1f1dbc3cd936a609f2 nspr-4.35.0-1.el8_1.src.rpm diff --git a/firefox-anolis-default-prefs.js b/firefox-redhat-default-prefs.js similarity index 93% rename from firefox-anolis-default-prefs.js rename to firefox-redhat-default-prefs.js index ad8dbea..4263a3d 100644 --- a/firefox-anolis-default-prefs.js +++ b/firefox-redhat-default-prefs.js @@ -14,8 +14,8 @@ pref("browser.shell.checkDefaultBrowser", false); pref("network.manage-offline-status", true); pref("extensions.shownSelectionUI", true); pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "https://openanolis.cn/"); -pref("startup.homepage_welcome_url", "https://openanolis.cn/"); +pref("startup.homepage_override_url", "%HOMEPAGE%"); +pref("startup.homepage_welcome_url", "%HOMEPAGE%"); pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); pref("media.gmp-gmpopenh264.autoupdate",true); pref("media.gmp-gmpopenh264.enabled",false); diff --git a/firefox.spec b/firefox.spec index 7b94213..825a70e 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %define homepage %(grep '^HOME_URL\s*=' /etc/os-release | sed 's/^HOME_URL\s*=//;s/^\s*"//;s/"\s*$//') %global disable_toolsets 0 
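Review bot: The two replaced entries in `download` still pin the source and langpack tarballs with 32-hex-digit digests, which is the size of MD5; MD5 is not collision-resistant, so it is a weak integrity anchor for the sources of a security update. If the tooling that reads this file accepts a stronger digest, these entries should carry SHA-256 or SHA-512 values; if it does not, the tarballs should at least be checked against independently obtained checksums before the digests are recorded. Nothing in this diff shows how `firefox-128.9.0esr.b2.processed-source.tar.xz` was produced or verified.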
@@ -19,15 +18,15 @@ %{lua: function dist_to_rhel_minor(str, start) - match = string.match(str, ".module%+an8.%d+") + match = string.match(str, ".module%+el8.%d+") if match then return string.sub(match, 13) end - match = string.match(str, ".an8_%d+") + match = string.match(str, ".el8_%d+") if match then return string.sub(match, 6) end - match = string.match(str, ".an8") + match = string.match(str, ".el8") if match then return 10 end @@ -157,7 +156,7 @@ end} # If set to .b2 or .b3 ... the processed source file needs to be renamed before upload, e.g. # firefox-102.8.0esr.b2.processed-source.tar.xz # When unset use processed source file name as is. -##global buildnum .b2 +%global buildnum .b2 %bcond_without langpacks @@ -167,13 +166,11 @@ end} Summary: Mozilla Firefox Web browser Name: firefox -Version: 128.8.0 -Release: 1%{anolis_release}%{?dist} +Version: 128.9.0 +Release: 2%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ -ExcludeArch: loongarch64 - %if 0%{?rhel} >= 9 ExcludeArch: %{ix86} %endif @@ -200,12 +197,12 @@ ExcludeArch: aarch64 s390 ppc # Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz %if %{with langpacks} -Source1: firefox-langpacks-%{version}%{?pre_version}-20250224.tar.xz +Source1: firefox-langpacks-%{version}%{?pre_version}-20250331.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball Source10: firefox-mozconfig -Source12: firefox-anolis-default-prefs.js +Source12: firefox-redhat-default-prefs.js Source20: firefox.desktop Source21: firefox.sh.in Source23: firefox.1 
@@ -247,6 +244,10 @@ Patch09: rhbz-2131158-webrtc-nss-fix.patch Patch10: build-ffvpx.patch Patch11: build-disable-gamepad.patch Patch12: firefox-system-nss-replace-xyber-with-mlkem.patch +# Enabled vsync cause the black screen when running in Kiosk mode +# This will be fixed in Firefox 140 +Patch13: disable-vsync-for-kiosk.patch +Patch14: rhbz-71999-fips-youtube.patch # -- Upstreamed patches -- Patch51: mozilla-bmo1170092.patch @@ -424,10 +425,10 @@ BuildRequires: lld BuildRequires: clang cmake ninja-build %endif -#%if !0%{?flatpak} +%if !0%{?flatpak} #TODO -#BuildRequires: system-bookmarks -#%endif +BuildRequires: system-bookmarks +%endif %if 0%{?test_on_wayland} BuildRequires: dbus-x11 @@ -484,7 +485,6 @@ BuildRequires: gcc-toolset-%{gts_version}-gcc BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin # Do not explicitly require gcc-toolset-%{gts_version}-gcc-g++ instead fail # when clang is upgraded to depend on a later toolset and adjust version. -BuildRequires: gcc-toolset-%{gts_version}-gcc-c++ %endif Requires: mozilla-filesystem @@ -525,7 +525,6 @@ Provides: bundled(fastText) Provides: bundled(fathom) Provides: bundled(fdlibm) Provides: bundled(ffvpx) -Provides: bundled(freetype2) Provides: bundled(function2) Provides: bundled(gbm) Provides: bundled(gemmology) @@ -1227,6 +1226,8 @@ echo "--------------------------------------------" %if 0%{?rhel} == 10 %patch -P12 -p1 -b .system-nss-replace-xyber-with-mlkem %endif +%patch -P13 -p1 -b .kiosk-vsync +%patch -P14 -p1 -b .rhbz-71999-fips-youtube # We need to create the wasi.patch with the correct path to the wasm libclang_rt. %if %{with_wasi_sdk} 
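Review bot: `Patch14: rhbz-71999-fips-youtube.patch` is added without the explanatory comment that `Patch13` gets, although it is the patch with a storage and privacy effect: it adds `PK11_IsFIPS()` checks to the private-browsing branches of `dom/cache/CacheStorage.cpp` and `dom/indexedDB/ActorsParent.cpp`. A line such as `# Gate the private-browsing Cache API and IndexedDB paths on NSS not being in FIPS mode` above it would tell the next maintainer what the patch is for and when it can be dropped. The matching `%patch -P14 -p1 -b .rhbz-71999-fips-youtube` in the `@@ -1227` hunk is applied unconditionally and would benefit from the same one-line explanation.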
@@ -1689,10 +1690,10 @@ EOF %endif # set up our default bookmarks -#%if !0%{?flatpak} - #%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html - #%{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html -#%endif +%if !0%{?flatpak} + %global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html + %{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html +%endif # Make sure locale works for langpacks %{__cat} > objdir/dist/bin/browser/defaults/preferences/firefox-l10n.js << EOF @@ -1987,10 +1988,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog -* Fri Mar 07 2025 Liwei Ge - 128.8.0-1.0.1 -- Add firefox-anolis-default-prefs.js -- Remove bookmarks and loongarch64 -- Add BuildRequires gcc-toolset-13-gcc-c++ +* Mon Mar 31 2025 Eike Rathke - 128.9.0-2 +- Update to 128.9.0 build2 + +* Tue Mar 25 2025 Eike Rathke - 128.9.0-1 +- Update to 128.9.0 build1 * Mon Feb 24 2025 Eike Rathke - 128.8.0-1 - Update to 128.8.0 build1 diff --git a/process-official-tarball b/process-official-tarball index e3aabb9..a2c456b 100755 --- a/process-official-tarball +++ b/process-official-tarball @@ -18,6 +18,9 @@ rm -vf ./process-tarball-dir/*/mobile/android/android-components/components/feat rm -vf ./process-tarball-dir/*/third_party/webkit/PerformanceTests/Speedometer3/resources/editors/dist/assets/codemirror-521de7ab.js rm -vf ./process-tarball-dir/*/third_party/python/pip/pip-24.0.dist-info/AUTHORS.txt +# We uses system freetype2 +rm -vrf ./process-tarball-dir/*/modules/freetype2 + processed_tarball=${1/source/processed-source} cd ./process-tarball-dir diff --git a/rhbz-71999-fips-youtube.patch b/rhbz-71999-fips-youtube.patch new file mode 100644 index 0000000..5d53eed --- /dev/null +++ b/rhbz-71999-fips-youtube.patch 
@@ -0,0 +1,43 @@ +changeset: 781221:573380ae60a7 +tag: tip +user: stransky +date: Mon Mar 24 10:13:50 2025 +0100 +files: dom/cache/CacheStorage.cpp dom/indexedDB/ActorsParent.cpp +description: +FIPS-youtube + + +diff --git a/dom/cache/CacheStorage.cpp b/dom/cache/CacheStorage.cpp +--- a/dom/cache/CacheStorage.cpp ++++ b/dom/cache/CacheStorage.cpp +@@ -38,6 +38,7 @@ + #include "nsURLParsers.h" + #include "js/Object.h" // JS::GetClass + #include "js/PropertyAndElement.h" // JS_DefineProperty ++#include "pk11pub.h" + + namespace mozilla::dom::cache { + +@@ -581,7 +582,7 @@ bool CacheStorage::HasStorageAccess(UseC + if (!principal->IsSystemPrincipal() && + principal->GetPrivateBrowsingId() != + nsIScriptSecurityManager::DEFAULT_PRIVATE_BROWSING_ID && +- !StaticPrefs::dom_cache_privateBrowsing_enabled()) { ++ (!StaticPrefs::dom_cache_privateBrowsing_enabled() || PK11_IsFIPS())) { + return false; + } + } +diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp +--- a/dom/indexedDB/ActorsParent.cpp ++++ b/dom/indexedDB/ActorsParent.cpp +@@ -14791,7 +14791,8 @@ nsresult FactoryOp::Open() { + mEnforcingQuota = mPersistenceType != PERSISTENCE_TYPE_PERSISTENT; + + if (mOriginMetadata.mIsPrivate) { +- if (StaticPrefs::dom_indexedDB_privateBrowsing_enabled()) { ++ if (StaticPrefs::dom_indexedDB_privateBrowsing_enabled() && ++ !PK11_IsFIPS()) { + // Explicitly disallow moz-extension urls from using the encrypted + // indexedDB storage mode when the caller is an extension (see Bug + // 1841806). + -- Gitee From f644d224039349387261ea48322daa34776074d2 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 16 Dec 2021 06:12:47 +0000 Subject: [PATCH 2/2] rebrand: add firefox-anolis-default-prefs.js --- ...refs.js => firefox-anolis-default-prefs.js | 4 +-- firefox.spec | 33 ++++++++++++------- 2 files changed, 23 insertions(+), 14 deletions(-) rename firefox-redhat-default-prefs.js => firefox-anolis-default-prefs.js (93%) 
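Review bot: In `FactoryOp::Open` the new condition `StaticPrefs::dom_indexedDB_privateBrowsing_enabled() && !PK11_IsFIPS()` sends private-browsing origins to whatever follows this `if` when NSS is in FIPS mode, and that code is outside the hunk; it should be confirmed that it rejects the open rather than falling back to a storage path that leaves private-browsing data unencrypted on disk. In `CacheStorage::HasStorageAccess` the equivalent case visibly returns `false`, so the two sites should be checked to fail in the same closed way. Neither site says why FIPS mode matters and the changeset description is only "FIPS-youtube"; a comment such as `// Do not take the private-browsing storage path when NSS is in FIPS mode (rhbz-71999)` at both checks would record the intent. Both functions continue outside the hunk.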
diff --git a/firefox-redhat-default-prefs.js b/firefox-anolis-default-prefs.js similarity index 93% rename from firefox-redhat-default-prefs.js rename to firefox-anolis-default-prefs.js index 4263a3d..ad8dbea 100644 --- a/firefox-redhat-default-prefs.js +++ b/firefox-anolis-default-prefs.js @@ -14,8 +14,8 @@ pref("browser.shell.checkDefaultBrowser", false); pref("network.manage-offline-status", true); pref("extensions.shownSelectionUI", true); pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "%HOMEPAGE%"); -pref("startup.homepage_welcome_url", "%HOMEPAGE%"); +pref("startup.homepage_override_url", "https://openanolis.cn/"); +pref("startup.homepage_welcome_url", "https://openanolis.cn/"); pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); pref("media.gmp-gmpopenh264.autoupdate",true); pref("media.gmp-gmpopenh264.enabled",false); diff --git a/firefox.spec b/firefox.spec index 825a70e..b37bf0f 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %define homepage %(grep '^HOME_URL\s*=' /etc/os-release | sed 's/^HOME_URL\s*=//;s/^\s*"//;s/"\s*$//') %global disable_toolsets 0 @@ -18,15 +19,15 @@ %{lua: function dist_to_rhel_minor(str, start) - match = string.match(str, ".module%+el8.%d+") + match = string.match(str, ".module%+an8.%d+") if match then return string.sub(match, 13) end - match = string.match(str, ".el8_%d+") + match = string.match(str, ".an8_%d+") if match then return string.sub(match, 6) end - match = string.match(str, ".el8") + match = string.match(str, ".an8") if match then return 10 end @@ -167,10 +168,12 @@ end} Summary: Mozilla Firefox Web browser Name: firefox Version: 128.9.0 -Release: 2%{?dist} +Release: 2%{anolis_release}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ +ExcludeArch: loongarch64 + %if 0%{?rhel} >= 9 ExcludeArch: %{ix86} %endif 
@@ -202,7 +205,7 @@ Source1: firefox-langpacks-%{version}%{?pre_version}-20250331.tar.xz Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball Source10: firefox-mozconfig -Source12: firefox-redhat-default-prefs.js +Source12: firefox-anolis-default-prefs.js Source20: firefox.desktop Source21: firefox.sh.in Source23: firefox.1 @@ -425,10 +428,10 @@ BuildRequires: lld BuildRequires: clang cmake ninja-build %endif -%if !0%{?flatpak} +#%if !0%{?flatpak} #TODO -BuildRequires: system-bookmarks -%endif +#BuildRequires: system-bookmarks +#%endif %if 0%{?test_on_wayland} BuildRequires: dbus-x11 @@ -485,6 +488,7 @@ BuildRequires: gcc-toolset-%{gts_version}-gcc BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin # Do not explicitly require gcc-toolset-%{gts_version}-gcc-g++ instead fail # when clang is upgraded to depend on a later toolset and adjust version. +BuildRequires: gcc-toolset-%{gts_version}-gcc-c++ %endif Requires: mozilla-filesystem @@ -1690,10 +1694,10 @@ EOF %endif # set up our default bookmarks -%if !0%{?flatpak} - %global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html - %{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html -%endif +#%if !0%{?flatpak} + #%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html + #%{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html +#%endif # Make sure locale works for langpacks %{__cat} > objdir/dist/bin/browser/defaults/preferences/firefox-l10n.js << EOF 
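Review bot: Prefixing the bookmark lines with `#` does not fully disable them, because rpm still expands macros inside comment lines: `#%global default_bookmarks_file ...` in the `@@ -1690` hunk can still define the macro, and `#%if !0%{?flatpak}` in both the `@@ -425` and `@@ -1690` hunks still expands `%{?flatpak}`. Escape the percent signs instead, e.g. `#%%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html` and `#%%if !0%%{?flatpak}`, or delete the lines outright. That avoids rpm's macro-expanded-in-comment warnings and keeps a commented-out macro from having an effect on the build.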
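Review bot: The added `BuildRequires: gcc-toolset-%{gts_version}-gcc-c++` in the `@@ -485` hunk sits directly under the existing comment "Do not explicitly require gcc-toolset-%{gts_version}-gcc-g++ instead fail when clang is upgraded to depend on a later toolset", so the spec now does what its own comment advises against. The comment should be updated to say why this build needs the explicit dependency, e.g. `# Anolis: require the toolset gcc-c++ explicitly because <reason>`, or the line dropped if it is not needed. The enclosing `%if` block starts outside the hunk.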
@@ -1988,6 +1992,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Mon Apr 07 2025 Liwei Ge - 128.9.0-2.0.1 +- Add firefox-anolis-default-prefs.js +- Remove bookmarks and loongarch64 +- Add BuildRequires gcc-toolset-13-gcc-c++ + * Mon Mar 31 2025 Eike Rathke - 128.9.0-2 - Update to 128.9.0 build2 -- Gitee