From 57c29eae29190ef4dca95f344b335bc2344cb973 Mon Sep 17 00:00:00 2001 From: technology208 Date: Wed, 10 Jul 2024 14:17:45 +0800 Subject: [PATCH] fix CVE-2024-5699 --- CVE-2024-5699.patch | 298 ++++++++++++++++++++++++++++++++++++++++++++ firefox.spec | 9 +- 2 files changed, 305 insertions(+), 2 deletions(-) create mode 100644 CVE-2024-5699.patch diff --git a/CVE-2024-5699.patch b/CVE-2024-5699.patch new file mode 100644 index 0000000..df0bf39 --- /dev/null +++ b/CVE-2024-5699.patch @@ -0,0 +1,298 @@ +From d18f3fba3814270b585c1afecb0ef0a80dc41677 Mon Sep 17 00:00:00 2001 +From: longsonr +Date: Wed, 10 Jul 2024 14:08:58 +0800 +Subject: [PATCH] Treat cookie name prefixes as case-insensitive r=dveditz,cookie-reviewers,valentin + +Reference:https://hg.mozilla.org/mozilla-central/rev/715ecd9aaf75 + +--- + netwerk/cookie/CookieService.cpp | 48 ++++++++----------- + netwerk/cookie/CookieService.h | 1 - + .../prefix/__host.document-cookie.html.ini | 9 ---- + .../__host.document-cookie.https.html.ini | 15 ------ + .../cookies/prefix/__host.header.html.ini | 11 ----- + .../prefix/__host.header.https.html.ini | 19 -------- + .../prefix/__secure.document-cookie.html.ini | 8 ---- + .../__secure.document-cookie.https.html.ini | 8 ---- + .../cookies/prefix/__secure.header.html.ini | 11 ----- + .../prefix/__secure.header.https.html.ini | 9 ---- + .../document-cookie.non-secure.html.ini | 17 ------- + 11 files changed, 20 insertions(+), 136 deletions(-) + delete mode 100644 testing/web-platform/meta/cookies/prefix/__host.document-cookie.html.ini + delete mode 100644 testing/web-platform/meta/cookies/prefix/__host.document-cookie.https.html.ini + +diff --git a/netwerk/cookie/CookieService.cpp b/netwerk/cookie/CookieService.cpp +index c4716a159d..3d4651424e 100644 +--- a/netwerk/cookie/CookieService.cpp ++++ b/netwerk/cookie/CookieService.cpp +@@ -1177,6 +1177,18 @@ static void RecordUnicodeTelemetry(const CookieStruct& cookieData) { + Telemetry::AccumulateCategorical(label); + } + ++bool HasSecurePrefix(const nsCString& aString) { ++ static const char kSecure[] = "__Secure-"; ++ static constexpr uint32_t kSecureLen = sizeof(kSecure) - 1; ++ return nsCRT::strncasecmp(aString.get(), kSecure, kSecureLen) == 0; ++} ++ ++bool HasHostPrefix(const nsCString& aString) { ++ static const char kHost[] = "__Host-"; ++ static constexpr uint32_t kHostLen = sizeof(kHost) - 1; ++ return nsCRT::strncasecmp(aString.get(), kHost, kHostLen) == 0; ++} ++ + // processes a single cookie, and returns true if there are more cookies + // to be processed + bool CookieService::CanSetCookie( +@@ -1281,9 +1293,13 @@ bool CookieService::CanSetCookie( + return newCookie; + } + +- if (!CheckHiddenPrefix(aCookieData)) { ++ // If a cookie is nameless, then its value must not start with ++ // `__Host-` or `__Secure-` ++ if (aCookieData.name().IsEmpty() && (HasSecurePrefix(aCookieData.value()) || ++ HasHostPrefix(aCookieData.value()))) { ++ + COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, +- "failed the CheckHiddenPrefix tests"); ++ "failed hidden prefix tests"); + CookieLogging::LogMessageToConsole( + aCRC, aHostURI, nsIScriptError::warningFlag, CONSOLE_REJECTION_CATEGORY, + "CookieRejectedInvalidPrefix"_ns, +@@ -1923,25 +1939,6 @@ bool CookieService::CheckDomain(CookieStruct& aCookieData, nsIURI* aHostURI, + return true; + } + +-// static +-bool CookieService::CheckHiddenPrefix(CookieStruct& aCookieData) { +- // If a cookie is nameless, then its value must not start with +- // `__Host-` or `__Secure-` +- if (!aCookieData.name().IsEmpty()) { +- return true; +- } +- +- if (StringBeginsWith(aCookieData.value(), "__Host-"_ns)) { +- return false; +- } +- +- if (StringBeginsWith(aCookieData.value(), "__Secure-"_ns)) { +- return false; +- } +- +- return true; +-} +- + namespace { + nsAutoCString GetPathFromURI(nsIURI* aHostURI) { + // strip down everything after the last slash to get the path, +@@ -2025,13 +2022,8 @@ bool CookieService::CheckPath(CookieStruct& aCookieData, + // regularized and validated the CookieStruct values! + bool CookieService::CheckPrefixes(CookieStruct& aCookieData, + bool aSecureRequest) { +- static const char kSecure[] = "__Secure-"; +- static const char kHost[] = "__Host-"; +- static const int kSecureLen = sizeof(kSecure) - 1; +- static const int kHostLen = sizeof(kHost) - 1; +- +- bool isSecure = strncmp(aCookieData.name().get(), kSecure, kSecureLen) == 0; +- bool isHost = strncmp(aCookieData.name().get(), kHost, kHostLen) == 0; ++ bool isSecure = HasSecurePrefix(aCookieData.name()); ++ bool isHost = HasHostPrefix(aCookieData.name()); + + if (!isSecure && !isHost) { + // not one of the magic prefixes: carry on +diff --git a/netwerk/cookie/CookieService.h b/netwerk/cookie/CookieService.h +index ab76c94ab2..fa59de7287 100644 +--- a/netwerk/cookie/CookieService.h ++++ b/netwerk/cookie/CookieService.h +@@ -123,7 +123,6 @@ class CookieService final : public nsICookieService, + static bool CheckDomain(CookieStruct& aCookieData, nsIURI* aHostURI, + const nsACString& aBaseDomain, + bool aRequireHostMatch); +- static bool CheckHiddenPrefix(CookieStruct& aCookieData); + static bool CheckPath(CookieStruct& aCookieData, + nsIConsoleReportCollector* aCRC, nsIURI* aHostURI); + static bool CheckPrefixes(CookieStruct& aCookieData, bool aSecureRequest); +diff --git a/testing/web-platform/meta/cookies/prefix/__host.document-cookie.html.ini b/testing/web-platform/meta/cookies/prefix/__host.document-cookie.html.ini +deleted file mode 100644 +index 6f8ab2d4cb..0000000000 +--- a/testing/web-platform/meta/cookies/prefix/__host.document-cookie.html.ini ++++ /dev/null +@@ -1,9 +0,0 @@ +-[__host.document-cookie.html] +- [__HoSt: Non-secure origin: 'Path=/;'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: 'Path=/;domain=web-platform.test'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: 'Path=/;MaxAge=10'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__host.document-cookie.https.html.ini b/testing/web-platform/meta/cookies/prefix/__host.document-cookie.https.html.ini +deleted file mode 100644 +index cf3ab5fa14..0000000000 +--- a/testing/web-platform/meta/cookies/prefix/__host.document-cookie.https.html.ini ++++ /dev/null +@@ -1,15 +0,0 @@ +-[__host.document-cookie.https.html] +- [__HoSt: Secure origin: Does not set 'Path=/;'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Secure; Path=/; Domain=web-platform.test; '] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Secure; Path=/; Domain=web-platform.test; MaxAge=10'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Secure; Path=/cookies/resources/list.py'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__host.header.html.ini b/testing/web-platform/meta/cookies/prefix/__host.header.html.ini +index d6dbc27575..05c87562a6 100644 +--- a/testing/web-platform/meta/cookies/prefix/__host.header.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/__host.header.html.ini +@@ -1,14 +1,3 @@ + [__host.header.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__HoSt: Non-secure origin: Does not set 'Path=/;'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: Does not set 'Path=/;domain=web-platform.test'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: Does not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: Does not set 'Path=/;HttpOnly'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__host.header.https.html.ini b/testing/web-platform/meta/cookies/prefix/__host.header.https.html.ini +index 685b226853..861699e24b 100644 +--- a/testing/web-platform/meta/cookies/prefix/__host.header.https.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/__host.header.https.html.ini +@@ -1,23 +1,4 @@ + [__host.header.https.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__HoSt: Secure origin: Does not set 'Path=/;'] +- expected: FAIL + +- [__HoSt: Secure origin: Does not set 'Secure; Path=/; Domain=web-platform.test; '] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Secure; Path=/; Domain=web-platform.test; MaxAge=10'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Path=/;HttpOnly'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Secure; Path=/; Domain=web-platform.test; HttpOnly'] +- expected: FAIL +- +- [__HoSt: Secure origin: Does not set 'Secure; Path=/cookies/resources/list.py'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.html.ini b/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.html.ini +index 45e9ad21b9..8bee7cdd73 100644 +--- a/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.html.ini +@@ -1,11 +1,3 @@ + [__secure.document-cookie.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;domain=web-platform.test'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.https.html.ini b/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.https.html.ini +index a6c32ec84c..cf0e874625 100644 +--- a/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.https.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/__secure.document-cookie.https.html.ini +@@ -1,11 +1,3 @@ + [__secure.document-cookie.https.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__SeCuRe: Secure origin: Should not set 'Path=/;'] +- expected: FAIL +- +- [__SeCuRe: Secure origin: Should not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__SeCuRe: Secure origin: Should not set 'Path=/;domain=web-platform.test'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__secure.header.html.ini b/testing/web-platform/meta/cookies/prefix/__secure.header.html.ini +index cd08b714d9..af14d52d39 100644 +--- a/testing/web-platform/meta/cookies/prefix/__secure.header.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/__secure.header.html.ini +@@ -1,14 +1,3 @@ + [__secure.header.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;domain=web-platform.test'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: Should not set 'Path=/;HttpOnly'] +- expected: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/__secure.header.https.html.ini b/testing/web-platform/meta/cookies/prefix/__secure.header.https.html.ini +index e2955b8945..d728f7aa3c 100644 +--- a/testing/web-platform/meta/cookies/prefix/__secure.header.https.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/__secure.header.https.html.ini +@@ -1,15 +1,6 @@ + [__secure.header.https.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__SeCuRe: secure origin: Should not set 'Path=/;'] +- expected: FAIL +- +- [__SeCuRe: secure origin: Should not set 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__SeCuRe: secure origin: Should not set 'Path=/;HttpOnly'] +- expected: FAIL +- + [__SeCuRe: secure origin: Should not set 'Path=/;domain=not-web-platform.test'] + expected: + if not early_beta_or_earlier: FAIL +diff --git a/testing/web-platform/meta/cookies/prefix/document-cookie.non-secure.html.ini b/testing/web-platform/meta/cookies/prefix/document-cookie.non-secure.html.ini +index e577a52b78..b5df822251 100644 +--- a/testing/web-platform/meta/cookies/prefix/document-cookie.non-secure.html.ini ++++ b/testing/web-platform/meta/cookies/prefix/document-cookie.non-secure.html.ini +@@ -1,20 +1,3 @@ + [document-cookie.non-secure.html] + expected: + if (os == "android") and fission: [OK, TIMEOUT] +- [__SeCuRe: Non-secure origin: 'Path=/;'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: 'Path=/;domain=web-platform.test'] +- expected: FAIL +- +- [__SeCuRe: Non-secure origin: 'Path=/;MaxAge=10'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: 'Path=/; '] +- expected: FAIL +- +- [__HoSt: Non-secure origin: 'Path=/; domain=web-platform.test'] +- expected: FAIL +- +- [__HoSt: Non-secure origin: 'Path=/; MaxAge=10'] +- expected: FAIL +-- +2.27.0 + diff --git a/firefox.spec b/firefox.spec index 0cf6fd7..0a390fc 100644 --- a/firefox.spec +++ b/firefox.spec @@ -45,7 +45,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 115.12.0 -Release: 1 +Release: 2 URL: https://www.mozilla.org/firefox/ License: MPL-1.1 or GPL-2.0-or-later or LGPL-2.0-or-later Source0: https://ftp.mozilla.org/pub/firefox/releases/%{version}esr/source/firefox-%{version}esr.source.tar.xz @@ -115,7 +115,7 @@ Patch201: firefox-tests-xpcshell-freeze.patch # ---- Security patches ---- Patch301: CVE-2023-44488-libvpx.patch - +Patch302: CVE-2024-5699.patch # system AV1 patches (from Gentoo) Patch800: bmo-1559213-Support-system-av1.patch Patch801: bmo-1559213-fix-system-av1-libs.patch @@ -434,6 +434,8 @@ rm -vf ./*/layout/inspector/tests/chrome/test_fontVariationsAPI.css # ---- Security patches ---- cd media/libvpx/libvpx %patch -P301 -p1 -b .CVE-2023-44488-libvpx +%patch -P302 -p1 -b .CVE-2024-5699 + cd - # system AV1 patches @@ -970,6 +972,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Wed Jul 10 2024 technology208 - 115.12.0-2 +- fix CVE-2024-5699 + * Thu Jun 13 2024 wangkai <13474090681@163.com> - 115.12.0-1 - Update to 115.12.0 - Fix CVE-2024-29944 CVE-2024-3302 CVE-2024-3852 CVE-2024-3854 -- Gitee