diff --git a/CVE-2020-15675.patch b/CVE-2020-15675.patch new file mode 100644 index 0000000000000000000000000000000000000000..dfdc8fc6bfa6b98f6203dc7b02c814986f266c37 --- /dev/null +++ b/CVE-2020-15675.patch @@ -0,0 +1,52 @@ +From 9a2c51887bff5742c072bf4f3c3794b349f51545 Mon Sep 17 00:00:00 2001 +From: Jeff Gilbert +Date: Fri, 12 Jul 2024 10:27:35 +0800 +Subject: [PATCH] Bug 1654211 - Hold WeakPtr to PresistentBufferProvider in BorrowedSourceSurface. r=gfx-reviewers,nical + +Reference:https://hg.mozilla.org/mozilla-central/rev/0ec8df5bd92b + +--- + gfx/layers/CanvasRenderer.h | 2 +- + gfx/layers/PersistentBufferProvider.h | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/gfx/layers/CanvasRenderer.h b/gfx/layers/CanvasRenderer.h +index 7e03e295b0..ca3ae088cc 100644 +--- a/gfx/layers/CanvasRenderer.h ++++ b/gfx/layers/CanvasRenderer.h +@@ -95,7 +95,7 @@ struct CanvasRendererData final { + + class BorrowedSourceSurface final { + public: +- PersistentBufferProvider* const mReturnTo; ++ const WeakPtr mReturnTo; + const RefPtr mSurf; /// non-null + + BorrowedSourceSurface(PersistentBufferProvider*, RefPtr); +diff --git a/gfx/layers/PersistentBufferProvider.h b/gfx/layers/PersistentBufferProvider.h +index f0d8aeccb9..85cfee8805 100644 +--- a/gfx/layers/PersistentBufferProvider.h ++++ b/gfx/layers/PersistentBufferProvider.h +@@ -14,6 +14,8 @@ + #include "mozilla/RefCounted.h" + #include "mozilla/gfx/Types.h" + #include "mozilla/Vector.h" ++#include "mozilla/WeakPtr.h" ++ + + namespace mozilla { + +@@ -34,7 +36,9 @@ class TextureClient; + * from the provider again, the provider will guarantee the contents of the + * previously returned DrawTarget is persisted into the one newly returned. + */ +-class PersistentBufferProvider : public RefCounted { ++class PersistentBufferProvider : public RefCounted, ++ public SupportsWeakPtr { ++ + public: + MOZ_DECLARE_REFCOUNTED_VIRTUAL_TYPENAME(PersistentBufferProvider) + +-- +2.27.0 + diff --git a/CVE-2021-23972.patch b/CVE-2021-23972.patch new file mode 100644 index 0000000000000000000000000000000000000000..d20312a19a6b462ddef3be5863fa85f2cdec704c --- /dev/null +++ b/CVE-2021-23972.patch @@ -0,0 +1,152 @@ +From d52e9042bcec41a40b97b309b65aa32dc27379b2 Mon Sep 17 00:00:00 2001 +From: Kershaw Chang +Date: Fri, 12 Jul 2024 16:46:48 +0800 +Subject: [PATCH] Show auth spoofing warning prompt for cached response r=necko-reviewers,dragana + +--- + netwerk/protocol/http/nsHttpChannel.cpp | 11 +++ + netwerk/test/unit/test_SuperfluousAuth.js | 100 ++++++++++++++++++++++ + netwerk/test/unit/xpcshell.ini | 1 + + 3 files changed, 112 insertions(+) + create mode 100644 netwerk/test/unit/test_SuperfluousAuth.js + +diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp +index 2cb1f8d9fd..181c3ac785 100644 +--- a/netwerk/protocol/http/nsHttpChannel.cpp ++++ b/netwerk/protocol/http/nsHttpChannel.cpp +@@ -7365,6 +7365,17 @@ nsresult nsHttpChannel::ContinueOnStartRequest4(nsresult result) { + + if (mFallingBack) return NS_OK; + ++ if (NS_SUCCEEDED(mStatus) && mResponseHead && mAuthProvider) { ++ uint32_t httpStatus = mResponseHead->Status(); ++ if (httpStatus != 401 && httpStatus != 407) { ++ nsresult rv = mAuthProvider->CheckForSuperfluousAuth(); ++ if (NS_FAILED(rv)) { ++ LOG((" CheckForSuperfluousAuth failed (%08x)", ++ static_cast(rv))); ++ } ++ } ++ } ++ + return CallOnStartRequest(); + } + +diff --git a/netwerk/test/unit/test_SuperfluousAuth.js b/netwerk/test/unit/test_SuperfluousAuth.js +new file mode 100644 +index 0000000000..24b69186c8 +--- /dev/null ++++ b/netwerk/test/unit/test_SuperfluousAuth.js +@@ -0,0 +1,100 @@ ++/* ++ ++Create two http requests with the same URL in which has a user name. We allow ++first http request to be loaded and saved in the cache, so the second request ++will be served from the cache. However, we disallow loading by returning 1 ++in the prompt service. In the end, the second request will be failed. ++ ++*/ ++ ++"use strict"; ++ ++const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js"); ++ ++const { MockRegistrar } = ChromeUtils.import( ++ "resource://testing-common/MockRegistrar.jsm" ++); ++ ++var httpProtocolHandler = Cc[ ++ "@mozilla.org/network/protocol;1?name=http" ++].getService(Ci.nsIHttpProtocolHandler); ++ ++XPCOMUtils.defineLazyGetter(this, "URL", function() { ++ return "http://foo@localhost:" + httpServer.identity.primaryPort; ++}); ++ ++var httpServer = null; ++ ++const gMockPromptService = { ++ firstTimeCalled: false, ++ confirmExBC() { ++ if (!this.firstTimeCalled) { ++ this.firstTimeCalled = true; ++ return 0; ++ } ++ ++ return 1; ++ }, ++ ++ QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]), ++}; ++ ++var gMockPromptServiceCID = MockRegistrar.register( ++ "@mozilla.org/embedcomp/prompt-service;1", ++ gMockPromptService ++); ++ ++registerCleanupFunction(() => { ++ MockRegistrar.unregister(gMockPromptServiceCID); ++}); ++ ++function makeChan(uri) { ++ let chan = NetUtil.newChannel({ ++ uri, ++ loadUsingSystemPrincipal: true, ++ }).QueryInterface(Ci.nsIHttpChannel); ++ chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI; ++ return chan; ++} ++ ++const responseBody = "body"; ++ ++function contentHandler(metadata, response) { ++ response.setHeader("Content-Type", "text/plain"); ++ response.setHeader("ETag", "Just testing"); ++ response.setHeader("Cache-Control", "max-age=99999"); ++ response.setHeader("Content-Length", "" + responseBody.length); ++ response.bodyOutputStream.write(responseBody, responseBody.length); ++} ++ ++function run_test() { ++ do_get_profile(); ++ ++ Services.prefs.setBoolPref("network.http.rcwn.enabled", false); ++ ++ httpServer = new HttpServer(); ++ httpServer.registerPathHandler("/content", contentHandler); ++ httpServer.start(-1); ++ ++ httpProtocolHandler.EnsureHSTSDataReady().then(function() { ++ var chan1 = makeChan(URL + "/content"); ++ chan1.asyncOpen(new ChannelListener(firstTimeThrough, null)); ++ var chan2 = makeChan(URL + "/content"); ++ chan2.asyncOpen( ++ new ChannelListener(secondTimeThrough, null, CL_EXPECT_FAILURE) ++ ); ++ }); ++ ++ do_test_pending(); ++} ++ ++function firstTimeThrough(request, buffer) { ++ Assert.equal(buffer, responseBody); ++ Assert.ok(gMockPromptService.firstTimeCalled, "Prompt service invoked"); ++} ++ ++function secondTimeThrough(request, buffer) { ++ Assert.equal(request.status, Cr.NS_ERROR_ABORT); ++ httpServer.stop(do_test_finished); ++} ++ +diff --git a/netwerk/test/unit/xpcshell.ini b/netwerk/test/unit/xpcshell.ini +index 1cd274b004..3e6762f0dc 100644 +--- a/netwerk/test/unit/xpcshell.ini ++++ b/netwerk/test/unit/xpcshell.ini +@@ -434,3 +434,4 @@ skip-if = true || asan || tsan || os == 'win' || os =='android' + [test_trr_case_sensitivity.js] + skip-if = os == "android" + [test_trr_proxy.js] ++[test_SuperfluousAuth.js] +-- +2.27.0 + diff --git a/firefox.spec b/firefox.spec index dc2bc70b1388656c91120495afbb04743e36d3aa..20172ff4299b54987261871403e3a9f219466f8b 100644 --- a/firefox.spec +++ b/firefox.spec @@ -88,7 +88,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 79.0 -Release: 25 +Release: 26 URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz @@ -204,7 +204,8 @@ Patch660: CVE-2022-34481.patch Patch661: CVE-2020-26979.patch Patch662: CVE-2023-6209.patch Patch663: CVE-2022-45406.patch - +Patch664: CVE-2020-15675.patch +Patch665: CVE-2021-23972.patch %if %{?system_nss} BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version} BuildRequires: nss-static >= %{nss_version} @@ -402,6 +403,8 @@ tar -xf %{SOURCE3} %patch661 -p1 %patch662 -p1 %patch663 -p1 +%patch664 -p1 +%patch665 -p1 %{__rm} -f .mozconfig %{__cp} %{SOURCE10} .mozconfig @@ -850,6 +853,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Fri Jul 12 2024 technology208 - 79.0-26 +- Fix CVE-2020-15675/CVE-2021-23972 + * Thu Jul 11 2024 technology208 - 79.0-25 - Fix CVE-2022-45406