From 95ee5018266d35d476f69af90eb3d538f1a0c815 Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Mon, 25 Aug 2025 17:23:29 +0800 Subject: [PATCH 1/2] [CVE]update to firefox-128.14.0-2 to #ICULBE update to firefox-128.14.0-2 for CVE-2025-9179 CVE-2025-9180 CVE-2025-9181 CVE-2025-9182 CVE-2025-9185 Project: TC2024080204 Signed-off-by: Jacob Wang --- download | 4 +- ...nHandled-for-IO-error-processhandler.patch | 29 ++++++++++++ ...refs.js => firefox-redhat-default-prefs.js | 4 +- firefox.spec | 47 +++++++++---------- 4 files changed, 56 insertions(+), 28 deletions(-) create mode 100644 exceptionHandled-for-IO-error-processhandler.patch rename firefox-anolis-default-prefs.js => firefox-redhat-default-prefs.js (93%) diff --git a/download b/download index ecaafb3..19aefd7 100644 --- a/download +++ b/download @@ -1,6 +1,6 @@ fc25f988b87b5187d4e2f006efa699a3 cbindgen-vendor.tar.xz -610910f179b89a1b8a0a29bf5bbae44f firefox-128.13.0esr.processed-source.tar.xz -8b55dd5153ae218d5ea0159099878394 firefox-langpacks-128.13.0esr-20250715.tar.xz +72d658db3d3d7f13d7e85c043e15d9d7 firefox-128.14.0esr.processed-source.tar.xz +824e766472af737ea731e12d66470c20 firefox-langpacks-128.14.0esr-20250815.tar.xz b3c1d2ea615cb0195f4f62b005773262 mochitest-python.tar.gz 2d901c7a62fc68bbd8816e8c4c6276c1 wasi-sdk-20.tar.gz 7b35b9a003996b1f1dbc3cd936a609f2 nspr-4.35.0-1.el8_1.src.rpm diff --git a/exceptionHandled-for-IO-error-processhandler.patch b/exceptionHandled-for-IO-error-processhandler.patch new file mode 100644 index 0000000..e6267a5 --- /dev/null +++ b/exceptionHandled-for-IO-error-processhandler.patch 
@@ -0,0 +1,29 @@
+diff -up firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py.exceptionHandled-for-IO-error-processhandler firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py
+--- firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py.exceptionHandled-for-IO-error-processhandler 2025-07-14 19:14:55.000000000 +0200
++++ firefox-140.1.0/testing/mozbase/mozprocess/mozprocess/processhandler.py 2025-08-05 18:05:54.329479764 +0200
+@@ -1098,11 +1098,22 @@ class ProcessReader:
+
+ def _read_stream(self, stream, queue, callback):
+ sentinel = "" if isinstance(stream, io.TextIOBase) else b""
+- for line in iter(stream.readline, sentinel):
+- queue.put((line, callback))
++ try:
++ for line in iter(stream.readline, sentinel):
++ queue.put((line, callback))
++ except ValueError as e:
++ if "I/O operation on closed file" in str(e):
++ # Stream was closed by the process, this is normal
++ pass
++ else:
++ raise
+ # Give a chance to the reading loop to exit without a timeout.
+ queue.put((b"", None))
+- stream.close()
++ try:
++ stream.close()
++ except ValueError:
++ # Stream might already be closed
++ pass
+
+ def start(self, proc):
+ queue = Queue()
diff --git a/firefox-anolis-default-prefs.js b/firefox-redhat-default-prefs.js
similarity index 93%
rename from firefox-anolis-default-prefs.js
rename to firefox-redhat-default-prefs.js
index ad8dbea..4263a3d 100644
--- a/firefox-anolis-default-prefs.js
+++ b/firefox-redhat-default-prefs.js
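Review bot: The new `except ValueError as e` branch in `_read_stream` decides whether to swallow the error by matching the message text `"I/O operation on closed file"`, which ties the test harness to the wording of an interpreter message rather than to the state of the stream. Checking the stream itself expresses the same intent without the string compare: `except ValueError:` followed by `if not stream.closed: raise`. Both handlers also pass silently, so a reader that stopped early because the pipe was closed underneath it looks the same as a clean end of output; a log line in those branches would keep truncated test output diagnosable. The embedded patch headers name firefox-140.1.0 while this package builds 128.14.0, so it is worth confirming the hunk applies at `@@ -1098` without fuzz.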
@@ -14,8 +14,8 @@ pref("browser.shell.checkDefaultBrowser", false); pref("network.manage-offline-status", true); pref("extensions.shownSelectionUI", true); pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "https://openanolis.cn/"); -pref("startup.homepage_welcome_url", "https://openanolis.cn/"); +pref("startup.homepage_override_url", "%HOMEPAGE%"); +pref("startup.homepage_welcome_url", "%HOMEPAGE%"); pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); pref("media.gmp-gmpopenh264.autoupdate",true); pref("media.gmp-gmpopenh264.enabled",false); diff --git a/firefox.spec b/firefox.spec index 40e1e58..1f7fcc5 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %define homepage %(grep '^HOME_URL\s*=' /etc/os-release | sed 's/^HOME_URL\s*=//;s/^\s*"//;s/"\s*$//') %global disable_toolsets 0 @@ -19,17 +18,17 @@ %{lua: function dist_to_rhel_minor(str, start) - match = string.match(str, ".module%+an8.%d+") + match = string.match(str, ".module%+el8.%d+") if match then return string.sub(match, 13) end - match = string.match(str, ".an8_%d+") + match = string.match(str, ".el8_%d+") if match then return string.sub(match, 6) end - match = string.match(str, ".an8") + match = string.match(str, ".el8") if match then - return 8 + return 10 end match = string.match(str, ".module%+el9.%d+") if match then @@ -167,13 +166,11 @@ end} Summary: Mozilla Firefox Web browser Name: firefox -Version: 128.13.0 -Release: 1%{anolis_release}%{?dist} +Version: 128.14.0 +Release: 2%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ -ExcludeArch: loongarch64 - %if 0%{?rhel} >= 9 ExcludeArch: %{ix86} %endif 
@@ -200,12 +197,12 @@ ExcludeArch: aarch64 s390 ppc # Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz %if %{with langpacks} -Source1: firefox-langpacks-%{version}%{?pre_version}-20250715.tar.xz +Source1: firefox-langpacks-%{version}%{?pre_version}-20250815.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball Source10: firefox-mozconfig -Source12: firefox-anolis-default-prefs.js +Source12: firefox-redhat-default-prefs.js Source20: firefox.desktop Source21: firefox.sh.in Source23: firefox.1 @@ -253,7 +250,8 @@ Patch13: disable-vsync-for-kiosk.patch Patch14: rhbz-71999-fips-youtube.patch # -- Upstreamed patches -- -Patch51: mozilla-bmo1170092.patch +Patch51: mozilla-bmo1170092.patch +Patch52: exceptionHandled-for-IO-error-processhandler.patch # -- Submitted upstream, not merged -- Patch101: mozilla-bmo1636168-fscreen.patch @@ -428,10 +426,10 @@ BuildRequires: lld BuildRequires: clang cmake ninja-build %endif -#%if !0%{?flatpak} +%if !0%{?flatpak} #TODO -#BuildRequires: system-bookmarks -#%endif +BuildRequires: system-bookmarks +%endif %if 0%{?test_on_wayland} BuildRequires: dbus-x11 @@ -489,7 +487,6 @@ BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin # Do not explicitly require gcc-toolset-%%{gts_version}-gcc-c++ instead fail # when clang is upgraded to depend on a later toolset and adjust version. # ERROR: The target C compiler is version 13.3.1, while the target C++ compiler is version 8.5.0. Need to use the same compiler version. -BuildRequires: gcc-toolset-%{gts_version}-gcc-c++ %endif Requires: mozilla-filesystem 
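Review bot: `Patch52: exceptionHandled-for-IO-error-processhandler.patch` in the `@@ -253,7 +250,8 @@` hunk is listed under `# -- Upstreamed patches --`, but neither this hunk nor the patch file names an upstream bug or changeset, unlike `mozilla-bmo1170092.patch`, whose file name carries its bug number. In a package update shipped as a CVE fix, every carried patch should be traceable to its origin; a one-line comment above the entry, for example `# Upstream: <bug or changeset URL>`, would cover it. The patch's own header was generated against firefox-140.1.0, so it appears to come from a different branch than the 128 ESR tree built here. The `%changelog` entries added by this commit do not mention the patch either.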
@@ -1241,6 +1238,7 @@ export LIBCLANG_RT=`pwd`/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.buil # -- Upstreamed patches -- %patch -P51 -p1 -b .mozilla-bmo1170092 +%patch -P52 -p1 -b .exceptionHandled-for-IO-error-processhandler # -- Submitted upstream, not merged -- %patch -P101 -p1 -b .mozilla-bmo1636168-fscreen @@ -1701,10 +1699,10 @@ EOF %endif # set up our default bookmarks -#%if !0%{?flatpak} - #%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html - #%{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html -#%endif +%if !0%{?flatpak} + %global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html + %{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html +%endif # Make sure locale works for langpacks %{__cat} > objdir/dist/bin/browser/defaults/preferences/firefox-l10n.js << EOF @@ -1999,10 +1997,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog -* Fri Jul 25 2025 Liwei Ge - 128.13.0-1.0.1 -- Add firefox-anolis-default-prefs.js -- Remove bookmarks and loongarch64 -- Add BuildRequires gcc-toolset-13-gcc-c++ +* Fri Aug 15 2025 Jan Grulich - 128.14.0-2 +- Add missing translations + +* Tue Aug 12 2025 Jan Grulich - 128.14.0-1 +- Update to 128.14.0 build1 * Tue Jul 15 2025 Eike Rathke - 128.13.0-1 - Update to 128.13.0 build1 -- Gitee From c2209aef6627ed8c3d3adfe3192bd7780a966135 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 16 Dec 2021 06:12:47 +0000 Subject: [PATCH 2/2] rebrand: add firefox-anolis-default-prefs.js --- ...refs.js => firefox-anolis-default-prefs.js | 4 +-- firefox.spec | 35 ++++++++++++------- 2 files changed, 24 insertions(+), 15 deletions(-) rename firefox-redhat-default-prefs.js => firefox-anolis-default-prefs.js (93%) 
diff --git a/firefox-redhat-default-prefs.js b/firefox-anolis-default-prefs.js similarity index 93% rename from firefox-redhat-default-prefs.js rename to firefox-anolis-default-prefs.js index 4263a3d..ad8dbea 100644 --- a/firefox-redhat-default-prefs.js +++ b/firefox-anolis-default-prefs.js @@ -14,8 +14,8 @@ pref("browser.shell.checkDefaultBrowser", false); pref("network.manage-offline-status", true); pref("extensions.shownSelectionUI", true); pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "%HOMEPAGE%"); -pref("startup.homepage_welcome_url", "%HOMEPAGE%"); +pref("startup.homepage_override_url", "https://openanolis.cn/"); +pref("startup.homepage_welcome_url", "https://openanolis.cn/"); pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); pref("media.gmp-gmpopenh264.autoupdate",true); pref("media.gmp-gmpopenh264.enabled",false); diff --git a/firefox.spec b/firefox.spec index 1f7fcc5..affff49 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %define homepage %(grep '^HOME_URL\s*=' /etc/os-release | sed 's/^HOME_URL\s*=//;s/^\s*"//;s/"\s*$//') %global disable_toolsets 0 @@ -18,17 +19,17 @@ %{lua: function dist_to_rhel_minor(str, start) - match = string.match(str, ".module%+el8.%d+") + match = string.match(str, ".module%+an8.%d+") if match then return string.sub(match, 13) end - match = string.match(str, ".el8_%d+") + match = string.match(str, ".an8_%d+") if match then return string.sub(match, 6) end - match = string.match(str, ".el8") + match = string.match(str, ".an8") if match then - return 10 + return 8 end match = string.match(str, ".module%+el9.%d+") if match then 
@@ -167,10 +168,12 @@ end} Summary: Mozilla Firefox Web browser Name: firefox Version: 128.14.0 -Release: 2%{?dist} +Release: 2%{anolis_release}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ +ExcludeArch: loongarch64 + %if 0%{?rhel} >= 9 ExcludeArch: %{ix86} %endif @@ -202,7 +205,7 @@ Source1: firefox-langpacks-%{version}%{?pre_version}-20250815.tar.xz Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball Source10: firefox-mozconfig -Source12: firefox-redhat-default-prefs.js +Source12: firefox-anolis-default-prefs.js Source20: firefox.desktop Source21: firefox.sh.in Source23: firefox.1 @@ -426,10 +429,10 @@ BuildRequires: lld BuildRequires: clang cmake ninja-build %endif -%if !0%{?flatpak} +#%if !0%{?flatpak} #TODO -BuildRequires: system-bookmarks -%endif +#BuildRequires: system-bookmarks +#%endif %if 0%{?test_on_wayland} BuildRequires: dbus-x11 @@ -487,6 +490,7 @@ BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin # Do not explicitly require gcc-toolset-%%{gts_version}-gcc-c++ instead fail # when clang is upgraded to depend on a later toolset and adjust version. # ERROR: The target C compiler is version 13.3.1, while the target C++ compiler is version 8.5.0. Need to use the same compiler version. +BuildRequires: gcc-toolset-%{gts_version}-gcc-c++ %endif Requires: mozilla-filesystem @@ -1699,10 +1703,10 @@ EOF %endif # set up our default bookmarks -%if !0%{?flatpak} - %global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html - %{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html -%endif +#%if !0%{?flatpak} + #%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html + #%{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html +#%endif # Make sure locale works for langpacks %{__cat} > objdir/dist/bin/browser/defaults/preferences/firefox-l10n.js << EOF 
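Review bot: The `system-bookmarks` block in the `@@ -426,10 +429,10 @@` hunk is disabled by putting `#` in front of lines that still contain live macros (`#%if !0%{?flatpak}`, `#%endif`), and rpm expands macros inside comment lines. The same pattern appears in the `@@ -1699,10 +1703,10 @@` hunk, where `#%global default_bookmarks_file ...` still defines the macro although it reads as commented out, and `#%{__cp} -p ...` is inert only because its expansion stays on one shell comment line. Either delete the lines or escape the percent signs, as this spec already does in its `%%{gts_version}` comment, for example `#%%if !0%%{?flatpak}` and `#%%global default_bookmarks_file ...`.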
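Review bot: The added `BuildRequires: gcc-toolset-%{gts_version}-gcc-c++` in the `@@ -487,6 +490,7 @@` hunk sits directly under the existing comment that says not to require that package explicitly and to let the build fail when clang moves to a later toolset, so the spec now contradicts its own comment. If the explicit requirement is needed on this distribution, state the reason next to it, for example `# Anolis: <reason the explicit gcc-c++ requirement is needed>`, so the next rebase does not keep or drop it by guesswork. The enclosing `%if` block starts outside the hunk.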
@@ -1997,6 +2001,11 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Mon Aug 25 2025 Liwei Ge - 128.14.0-2.0.1 +- Add firefox-anolis-default-prefs.js +- Remove bookmarks and loongarch64 +- Add BuildRequires gcc-toolset-13-gcc-c++ + * Fri Aug 15 2025 Jan Grulich - 128.14.0-2 - Add missing translations -- Gitee