From bfa223143ebba4af04ad942120d19285c63b8384 Mon Sep 17 00:00:00 2001 From: wangxiao65 <287608437@qq.com> Date: Fri, 18 Dec 2020 11:52:37 +0800 Subject: [PATCH] fix CVE-2020-15664 CVE-2020-15665 CVE-2020-15666 CVE-2020-15667 CVE-2020-15668 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 --- CVE-2020-15664.patch | 34 +++++++++++ CVE-2020-15665.patch | 137 +++++++++++++++++++++++++++++++++++++++++++ CVE-2020-15666.patch | 113 +++++++++++++++++++++++++++++++++++ CVE-2020-15667.patch | 22 +++++++ CVE-2020-15668.patch | 38 ++++++++++++ CVE-2020-15676.patch | 23 ++++++++ CVE-2020-15677.patch | 30 ++++++++++ CVE-2020-15678.patch | 48 +++++++++++++++ firefox.spec | 21 ++++++- 9 files changed, 465 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-15664.patch create mode 100644 CVE-2020-15665.patch create mode 100644 CVE-2020-15666.patch create mode 100644 CVE-2020-15667.patch create mode 100644 CVE-2020-15668.patch create mode 100644 CVE-2020-15676.patch create mode 100644 CVE-2020-15677.patch create mode 100644 CVE-2020-15678.patch diff --git a/CVE-2020-15664.patch b/CVE-2020-15664.patch new file mode 100644 index 0000000..3c0c5f8 --- /dev/null +++ b/CVE-2020-15664.patch 
@@ -0,0 +1,34 @@ +# HG changeset patch +# User Kris Maglione +# Date 1597420945 0 +# Fri Aug 14 16:02:25 2020 +0000 +# Node ID 1edd9346c110b011ed87e50eb3d417202ea445fb +# Parent f69f80e5659f11977e7f1bd48386ea22e921dd52 +Bug 1658214: Only construct JS-implemented objects if inner window is current. r=bholley + +Differential Revision: https://phabricator.services.mozilla.com/D86614 + +diff -r f69f80e5659f -r 1edd9346c110 dom/bindings/BindingUtils.cpp +--- a/dom/bindings/BindingUtils.cpp Fri Aug 14 15:57:45 2020 +0000 ++++ b/dom/bindings/BindingUtils.cpp Fri Aug 14 16:02:25 2020 +0000 +@@ -2547,6 +2547,12 @@ + { + AutoNoJSAPI nojsapi; + ++ nsCOMPtr window = do_QueryInterface(aGlobal); ++ if (!window->IsCurrentInnerWindow()) { ++ aRv.ThrowInvalidStateError("Window no longer active"); ++ return; ++ } ++ + // Get the XPCOM component containing the JS implementation. + nsresult rv; + nsCOMPtr implISupports = do_CreateInstance(aContractId, &rv); +@@ -2561,7 +2567,6 @@ + // and our global is a window. + nsCOMPtr gpi = + do_QueryInterface(implISupports); +- nsCOMPtr window = do_QueryInterface(aGlobal); + if (gpi) { + JS::Rooted initReturn(RootingCx()); + rv = gpi->Init(window, &initReturn); diff --git a/CVE-2020-15665.patch b/CVE-2020-15665.patch new file mode 100644 index 0000000..fda950f --- /dev/null +++ b/CVE-2020-15665.patch 
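Review bot: The new `window->IsCurrentInnerWindow()` call dereferences the result of `do_QueryInterface(aGlobal)` without a null check, whereas the old placement only passed `window` through to `gpi->Init`, which tolerated a null pointer. If a non-window global can reach ConstructJSImplementation this is a null-pointer crash on exactly the error path the patch is hardening; if it cannot, that invariant deserves to be stated in code. I would write `if (!window || !window->IsCurrentInnerWindow()) {` or, if the global is guaranteed to be a window, precede the check with `MOZ_ASSERT(window, "JS-implemented WebIDL objects are only constructed on Window globals");`. The enclosing function starts and ends outside the hunk, so the caller-side guarantee is not visible here.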
@@ -0,0 +1,137 @@ +# HG changeset patch +# User Gijs Kruitbosch +# Date 1594843114 0 +# Wed Jul 15 19:58:34 2020 +0000 +# Node ID 8079eea73df334803da5b07322b19d32aa8ed9e3 +# Parent 8dee8cb525a2c7cff36a89be107eb50628619201 +Bug 1651636 - reset the address bar when beforeunload prompts close, r=mak + +Differential Revision: https://phabricator.services.mozilla.com/D83213 + +diff -r 8dee8cb525a2 -r 8079eea73df3 browser/actors/PromptParent.jsm +--- a/browser/actors/PromptParent.jsm Wed Jul 15 19:45:37 2020 +0000 ++++ b/browser/actors/PromptParent.jsm Wed Jul 15 19:58:34 2020 +0000 +@@ -169,7 +169,10 @@ + + this.unregisterPrompt(id); + +- PromptUtils.fireDialogEvent(window, "DOMModalDialogClosed", browser); ++ PromptUtils.fireDialogEvent(window, "DOMModalDialogClosed", browser, { ++ wasPermitUnload: args.inPermitUnload, ++ areLeaving: args.ok, ++ }); + resolver(args); + browser.maybeLeaveModalState(); + }; +diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/tabbrowser.js +--- a/browser/base/content/tabbrowser.js Wed Jul 15 19:45:37 2020 +0000 ++++ b/browser/base/content/tabbrowser.js Wed Jul 15 19:58:34 2020 +0000 +@@ -5418,6 +5418,26 @@ + true + ); + ++ // When cancelling beforeunload tabmodal dialogs, reset the URL bar to ++ // avoid spoofing risks. 
++ this.addEventListener( ++ "DOMModalDialogClosed", ++ event => { ++ if ( ++ !event.detail?.wasPermitUnload || ++ event.detail.areLeaving || ++ event.target.nodeName != "browser" ++ ) { ++ return; ++ } ++ event.target.userTypedValue = null; ++ if (event.target == this.selectedBrowser) { ++ gURLBar.setURI(); ++ } ++ }, ++ true ++ ); ++ + let onTabCrashed = event => { + if (!event.isTrusted || !event.isTopFrame) { + return; +diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/test/tabPrompts/browser.ini +--- a/browser/base/content/test/tabPrompts/browser.ini Wed Jul 15 19:45:37 2020 +0000 ++++ b/browser/base/content/test/tabPrompts/browser.ini Wed Jul 15 19:58:34 2020 +0000 +@@ -1,3 +1,5 @@ ++[browser_beforeunload_urlbar.js] ++support-files = file_beforeunload_stop.html + [browser_closeTabSpecificPanels.js] + skip-if = (verify && debug && (os == 'linux')) || (fission && os == 'linux' && bits == 64 && os_version == '18.04') # Bug 1548664 + [browser_multiplePrompts.js] +diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/test/tabPrompts/browser_beforeunload_urlbar.js +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/browser/base/content/test/tabPrompts/browser_beforeunload_urlbar.js Wed Jul 15 19:58:34 2020 +0000 +@@ -0,0 +1,57 @@ ++/* Any copyright is dedicated to the Public Domain. 
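Review bot: The new `DOMModalDialogClosed` listener acts on `event.detail` without checking `event.isTrusted`, while the `onTabCrashed` listener declared right after it does (`if (!event.isTrusted || ...) return;`). Since the event is fired from PromptParent in the parent process a synthetic content event should not reach this chrome listener, and a spoofed one would only reset the URL bar to the real location, so the impact is low — but matching the neighbouring handler is cheap: `if (!event.isTrusted || !event.detail?.wasPermitUnload || event.detail.areLeaving || event.target.nodeName != "browser") {`. The comment could also spell out why the `areLeaving` case is excluded — presumably because the navigation that then proceeds updates the URL bar itself — since that is the non-obvious half of the condition.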
++ http://creativecommons.org/publicdomain/zero/1.0/ */ ++ ++"use strict"; ++ ++const TEST_ROOT = getRootDirectory(gTestPath).replace( ++ "chrome://mochitests/content", ++ "http://example.com" ++); ++ ++add_task(async function test_beforeunload_stay_clears_urlbar() { ++ await SpecialPowers.pushPrefEnv({ ++ set: [["dom.require_user_interaction_for_beforeunload", false]], ++ }); ++ const TEST_URL = TEST_ROOT + "file_beforeunload_stop.html"; ++ await BrowserTestUtils.withNewTab(TEST_URL, async function(browser) { ++ gURLBar.focus(); ++ const inputValue = "http://example.org/?q=typed"; ++ gURLBar.inputField.value = inputValue.slice(0, -1); ++ EventUtils.sendString(inputValue.slice(-1)); ++ ++ let promptOpenedPromise = TestUtils.topicObserved("tabmodal-dialog-loaded"); ++ EventUtils.synthesizeKey("VK_RETURN"); ++ await promptOpenedPromise; ++ let promptElement = browser.parentNode.querySelector("tabmodalprompt"); ++ ++ // Click the cancel button ++ promptElement.querySelector(".tabmodalprompt-button1").click(); ++ ++ await TestUtils.waitForCondition( ++ () => promptElement.parentNode == null, ++ "tabprompt should be removed" ++ ); ++ // Can't just compare directly with TEST_URL because the URL may be trimmed. ++ // Just need it to not be the example.org thing we typed in. ++ ok( ++ gURLBar.value.endsWith("_stop.html"), ++ "Url bar should be reset to point to the stop html file" ++ ); ++ ok( ++ gURLBar.value.includes("example.com"), ++ "Url bar should be reset to example.com" ++ ); ++ // Check the lock/identity icons are back: ++ is( ++ gURLBar.textbox.getAttribute("pageproxystate"), ++ "valid", ++ "Should be in valid pageproxy state." ++ ); ++ ++ // Now we need to get rid of the handler to avoid the prompt coming up when trying to close the ++ // tab when we exit `withNewTab`. 
:-) ++ await SpecialPowers.spawn(browser, [], function() { ++ content.window.onbeforeunload = null; ++ }); ++ }); ++}); +diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/test/tabPrompts/file_beforeunload_stop.html +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/browser/base/content/test/tabPrompts/file_beforeunload_stop.html Wed Jul 15 19:58:34 2020 +0000 +@@ -0,0 +1,8 @@ ++ ++

I will ask not to be closed.

++ ++ diff --git a/CVE-2020-15666.patch b/CVE-2020-15666.patch new file mode 100644 index 0000000..61460f8 --- /dev/null +++ b/CVE-2020-15666.patch 
@@ -0,0 +1,113 @@ +# HG changeset patch +# User Sebastian Streich +# Date 1594901018 0 +# Thu Jul 16 12:03:38 2020 +0000 +# Node ID b8f37ab6318150a94022625b0500efce2c456947 +# Parent 7e7affa995d31d0325c26d7a9994971e7682f3a0 +Bug 1450853 - Use Generic Error for 3rdparty MediaElement r=ckerschb,smaug + +*** +Add test + +Differential Revision: https://phabricator.services.mozilla.com/D80080 + +diff -r 7e7affa995d3 -r b8f37ab63181 dom/html/HTMLMediaElement.cpp +--- a/dom/html/HTMLMediaElement.cpp Thu Jul 16 12:23:08 2020 +0000 ++++ b/dom/html/HTMLMediaElement.cpp Thu Jul 16 12:03:38 2020 +0000 +@@ -2354,7 +2354,24 @@ + if (mDecoder) { + ShutdownDecoder(); + } +- mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails); ++ ++ bool isThirdPartyLoad = false; ++ nsresult rv = NS_ERROR_NOT_AVAILABLE; ++ if (mSrcAttrTriggeringPrincipal) { ++ rv = mSrcAttrTriggeringPrincipal->IsThirdPartyURI(mLoadingSrc, ++ &isThirdPartyLoad); ++ } ++ ++ if (NS_SUCCEEDED(rv) && isThirdPartyLoad) { ++ // aErrorDetails can include sensitive details like MimeType or HTTP Status ++ // Code. 
In case we're loading a 3rd party resource we should not leak this ++ // and pass a Generic Error Message ++ mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, ++ NS_LITERAL_CSTRING("Failed to open media")); ++ } else { ++ mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails); ++ } ++ + RemoveMediaTracks(); + ChangeDelayLoadStatus(false); + UpdateAudioChannelPlayingState(); +diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/mochitest.ini +--- a/dom/security/test/general/mochitest.ini Thu Jul 16 12:23:08 2020 +0000 ++++ b/dom/security/test/general/mochitest.ini Thu Jul 16 12:03:38 2020 +0000 +@@ -63,3 +63,4 @@ + [test_sec_fetch_websocket.html] + skip-if = toolkit == 'android' # no websocket support Bug 982828 + support-files = file_sec_fetch_websocket_wsh.py ++[test_bug1450853.html] +\ No newline at end of file +diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/test_bug1450853.html +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ b/dom/security/test/general/test_bug1450853.html Thu Jul 16 12:03:38 2020 +0000 +@@ -0,0 +1,58 @@ ++ ++ ++ ++ ++ ++Test for Cross-origin resouce status leak via MediaError ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ Mozilla Bug 1450853 ++ ++ ++ diff --git a/CVE-2020-15667.patch b/CVE-2020-15667.patch new file mode 100644 index 0000000..81adc8f --- /dev/null +++ b/CVE-2020-15667.patch 
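Review bot: `mLoadingSrc` is handed to `IsThirdPartyURI` without a null check; only `mSrcAttrTriggeringPrincipal` is guarded, so if the loading source has already been cleared when this error path runs (the resets happen outside the hunk, so I cannot confirm it) this is a null dereference inside the principal code — `if (mSrcAttrTriggeringPrincipal && mLoadingSrc) {` closes that. Separately, the fallback is fail-open: a missing principal or a failed `IsThirdPartyURI` lands in the branch that forwards the detailed error, so if a load without a triggering principal can be cross-origin (a `<source>` child or srcObject path, say) the MIME-type/HTTP-status leak this patch addresses remains. Treating "unknown" as third-party, `if (NS_FAILED(rv) || isThirdPartyLoad)`, would be the conservative default unless same-origin detail is needed on that path. The enclosing function continues outside the hunk.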
@@ -0,0 +1,22 @@ +# HG changeset patch +# User Molly Howell +# Date 1595024754 0 +# Fri Jul 17 22:25:54 2020 +0000 +# Node ID b79b6cc78248eea7fda10bfb76aa273c19c9fa65 +# Parent 0c0f777161a9499dd149853ff62d356f75d16c2a +Bug 1653371 - Don't used a signed type for a length parameter. r=bytesized + +Differential Revision: https://phabricator.services.mozilla.com/D84031 + +diff -r 0c0f777161a9 -r b79b6cc78248 modules/libmar/src/mar_read.c +--- a/modules/libmar/src/mar_read.c Sat Jul 18 02:57:28 2020 +0300 ++++ b/modules/libmar/src/mar_read.c Fri Jul 17 22:25:54 2020 +0000 +@@ -26,7 +26,7 @@ + return CityHash64(name, strlen(name)) % TABLESIZE; + } + +-static int mar_insert_item(MarFile* mar, const char* name, int namelen, ++static int mar_insert_item(MarFile* mar, const char* name, uint32_t namelen, + uint32_t offset, uint32_t length, uint32_t flags) { + MarItem *item, *root; + uint32_t hash; diff --git a/CVE-2020-15668.patch b/CVE-2020-15668.patch new file mode 100644 index 0000000..7d75844 --- /dev/null +++ b/CVE-2020-15668.patch 
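Review bot: The hunk changes only the declared type of `namelen`; the body of `mar_insert_item` and its callers are outside the hunk, so whether the value is bounds-checked against the index buffer before it gets here, and how `sizeof(MarItem) + namelen` is computed, cannot be confirmed from this patch. Switching to `uint32_t` removes the negative-length case, but a near-`UINT32_MAX` value still has to be rejected before any `sizeof(MarItem) + namelen`-style size arithmetic, and the callers should now pass an unsigned, already-validated value rather than relying on implicit `int` conversion. A one-line contract comment would help the next reader: `/* namelen: byte length of name excluding NUL; caller must have validated it against the index buffer. */`.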
@@ -0,0 +1,38 @@ +# HG changeset patch +# User Kevin Jacobs +# Date 1594335948 0 +# Thu Jul 09 23:05:48 2020 +0000 +# Node ID 06be9b59deb034f3ec6ab93c55e3ba4039f690cd +# Parent 93092fe1e43c69a0b7e7b2960b4b55524ba30db0 +Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs +2020-07-09 J.C. Jones + + * lib/softoken/pkcs11.c: + Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs + + Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before + accessing slot after obtaining it, even though slotLock is defined + as its lock. [0] + + [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8 + a9fbde/lib/softoken/pkcs11i.h#320-321 + [58c2abd7404e] [tip] + +diff -r 93092fe1e43c -r 06be9b59deb0 security/nss/lib/softoken/pkcs11.c +--- a/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:16:09 2020 +0000 ++++ b/security/nss/lib/softoken/pkcs11.c Thu Jul 09 23:05:48 2020 +0000 +@@ -3661,10 +3661,12 @@ + PORT_Memcpy(pInfo->model, "NSS 3 ", 16); + PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16); + PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16); +- pInfo->ulMaxSessionCount = 0; /* arbitrarily large */ ++ pInfo->ulMaxSessionCount = 0; /* arbitrarily large */ ++ pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */ ++ PZ_Lock(slot->slotLock); /* Protect sessionCount / rwSessioncount */ + pInfo->ulSessionCount = slot->sessionCount; +- pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */ + pInfo->ulRwSessionCount = slot->rwSessionCount; ++ PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */ + pInfo->firmwareVersion.major = 0; + pInfo->firmwareVersion.minor = 0; + PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label)); diff --git a/CVE-2020-15676.patch b/CVE-2020-15676.patch new file mode 100644 index 0000000..55c8dbe --- /dev/null +++ b/CVE-2020-15676.patch 
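Review bot: The lock now covers `sessionCount` and `rwSessionCount`, but the remaining reads of `slot` in this function — `slot->tokDescription` via `PORT_Memcpy` in the visible context and whatever `sftk_getKeyDB` examines below the hunk — stay outside `slotLock`. If those fields are written only at slot initialization that is fine and worth stating; if a token reset can rewrite `tokDescription` at runtime, the race this CVE describes is only partly closed. I would either extend the locked region or add `/* tokDescription is set at init time and not modified afterwards — verify before narrowing this lock */` next to the unlock. The moved comment also keeps the typo `arbitarily`.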
@@ -0,0 +1,23 @@ +# HG changeset patch +# User Kagami Sascha Rosylight +# Date 1599489912 0 +# Mon Sep 07 14:45:12 2020 +0000 +# Node ID 67c242c00ce3e796dafb7e98bbbf025e29cc1c67 +# Parent 749fda4e5eb11918833fa57e25adc77e4ed1db95 +Bug 1646140 - Fire SVG onload only when scripting is enabled r=hsivonen + +Differential Revision: https://phabricator.services.mozilla.com/D89218 + +diff -r 749fda4e5eb1 -r 67c242c00ce3 parser/html/nsHtml5TreeBuilderCppSupplement.h +--- a/parser/html/nsHtml5TreeBuilderCppSupplement.h Mon Sep 07 13:35:31 2020 +0000 ++++ b/parser/html/nsHtml5TreeBuilderCppSupplement.h Mon Sep 07 14:45:12 2020 +0000 +@@ -1072,6 +1072,9 @@ + } + if (aNamespace == kNameSpaceID_SVG) { + if (aName == nsGkAtoms::svg) { ++ if (!scriptingEnabled || mPreventScriptExecution) { ++ return; ++ } + if (mBuilder) { + nsHtml5TreeOperation::SvgLoad(static_cast(aElement)); + return; diff --git a/CVE-2020-15677.patch b/CVE-2020-15677.patch new file mode 100644 index 0000000..2cac5a2 --- /dev/null +++ b/CVE-2020-15677.patch 
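Review bot: The new guard has no comment explaining why the SVG load event is tied to script execution, which is the non-obvious part: `<svg onload>` is an event-handler attribute, so firing the load for a fragment parsed with scripting disabled or with `mPreventScriptExecution` set runs author code the caller explicitly asked not to run. A line such as `// <svg onload> runs author script; suppress it wherever <script> would be suppressed (bug 1646140).` would make that clear. Note the early `return` also skips the remainder of the `svg` branch, whose tail is outside the hunk, so any non-script bookkeeping done there for the non-`mBuilder` path is skipped as well — worth confirming that is intended. The enclosing function starts and ends outside the hunk.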
@@ -0,0 +1,30 @@ +# HG changeset patch +# User Gijs Kruitbosch +# Date 1597251031 0 +# Wed Aug 12 16:50:31 2020 +0000 +# Node ID 082de8244278d76f9d6d216a7fd5da772b5152d3 +# Parent cc6db3162f6e3e9cdb85749054b52074b78c1643 +Bug 1641487, r=jaws + +Differential Revision: https://phabricator.services.mozilla.com/D86761 + +diff -r cc6db3162f6e -r 082de8244278 browser/components/downloads/DownloadsViewUI.jsm +--- a/browser/components/downloads/DownloadsViewUI.jsm Wed Aug 12 14:52:18 2020 +0000 ++++ b/browser/components/downloads/DownloadsViewUI.jsm Wed Aug 12 16:50:31 2020 +0000 +@@ -342,15 +342,7 @@ + * Downloads View. Type is either l10n object or string literal. + */ + showStatusWithDetails(stateLabel, hoverStatus) { +- let referrer = +- this.download.source.referrerInfo && +- this.download.source.referrerInfo.originalReferrer +- ? this.download.source.referrerInfo.originalReferrer.spec +- : null; +- +- let [displayHost] = DownloadUtils.getURIHost( +- referrer || this.download.source.url +- ); ++ let [displayHost] = DownloadUtils.getURIHost(this.download.source.url); + let [displayDate] = DownloadUtils.getReadableDates( + new Date(this.download.endTime) + ); diff --git a/CVE-2020-15678.patch b/CVE-2020-15678.patch new file mode 100644 index 0000000..185f4d9 --- /dev/null +++ b/CVE-2020-15678.patch 
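Review bot: The rewrite drops the referrer fallback silently; a future contributor restoring "show where the user came from" as a UX tweak would reintroduce the spoof, so the reason belongs next to the line: `// Always show the host the bytes came from; the referrer is attacker-controlled and could display a trusted origin for a download from elsewhere (bug 1641487).`. `getURIHost` is now fed `this.download.source.url` only; if that can be a `blob:` or `data:` URL, what it displays for those is worth a glance, since the origin shown is now the user's only hint. The enclosing `showStatusWithDetails` continues outside the hunk.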
@@ -0,0 +1,48 @@ +# HG changeset patch +# User Botond Ballo +# Date 1598039821 0 +# Fri Aug 21 19:57:01 2020 +0000 +# Node ID 5718234b1f27780b0d98ca4e6f1a22e1b012205a +# Parent b6b562c539e326715fda1dcd020c1095a9520e93 +Bug 1660211 - Respect iterator invalidation rules in ComputeClippedCompositionBounds(). r=kats + +Differential Revision: https://phabricator.services.mozilla.com/D87893 + +diff -r b6b562c539e3 -r 5718234b1f27 gfx/layers/apz/src/APZCTreeManager.cpp +--- a/gfx/layers/apz/src/APZCTreeManager.cpp Fri Aug 21 20:42:59 2020 +0000 ++++ b/gfx/layers/apz/src/APZCTreeManager.cpp Fri Aug 21 19:57:01 2020 +0000 +@@ -899,14 +899,13 @@ + ParentLayerRect APZCTreeManager::ComputeClippedCompositionBounds( + const MutexAutoLock& aProofOfMapLock, ClippedCompositionBoundsMap& aDestMap, + ScrollableLayerGuid aGuid) { +- auto insertResult = aDestMap.insert(std::make_pair(aGuid, ParentLayerRect())); +- if (!insertResult.second) { ++ if (auto iter = aDestMap.find(aGuid); iter != aDestMap.end()) { + // We already computed it for this one, early-exit. This might happen + // because on a later iteration of mApzcMap we might encounter an ancestor + // of an APZC that we processed on an earlier iteration. In this case we + // would have computed the ancestor's clipped composition bounds when + // recursing up on the earlier iteration. +- return insertResult.first->second; ++ return iter->second; + } + + ParentLayerRect bounds = mApzcMap[aGuid].apzc->GetCompositionBounds(); +@@ -916,7 +915,7 @@ + // Recursion base case, where the APZC with guid `aGuid` has no parent. + // In this case, we don't need to clip `bounds` any further and can just + // early exit. +- insertResult.first->second = bounds; ++ aDestMap.emplace(aGuid, bounds); + return bounds; + } + +@@ -950,7 +949,7 @@ + PixelCastJustification::MovingDownToChildren)); + + // Done! +- insertResult.first->second = bounds; ++ aDestMap.emplace(aGuid, bounds); + return bounds; + } + 
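Review bot: Nothing in the rewritten code says why the iterator from `find` must not be kept across the recursive call, and the original insert-then-fill form is the more natural one someone will try to restore; the reason — inferred from the bug title, since the container type of `ClippedCompositionBoundsMap` is outside the hunk — is that inserting the ancestors' entries during the recursion can rehash the map and invalidate the held iterator (a use-after-free). I would add `// Do not hold an iterator into aDestMap across the recursive call below: inserting the ancestors' entries may rehash the map and invalidate it.` above the recursion. The two `emplace` calls also discard their result, so a duplicate computation would silently keep the first value; `auto inserted = aDestMap.emplace(aGuid, bounds); MOZ_ASSERT(inserted.second, "bounds computed twice for one guid");` would surface that (note the old placeholder entry also terminated a parent-chain cycle, which the new form no longer does — only relevant if cycles are possible, which an APZC tree should rule out).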
diff --git a/firefox.spec b/firefox.spec index 09c1d4a..61fd332 100644 --- a/firefox.spec +++ b/firefox.spec @@ -88,7 +88,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 79.0 -Release: 3 +Release: 4 URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz @@ -145,6 +145,14 @@ Patch589: mozilla-1656436.patch Patch600: pgo.patch Patch601: mozilla-1516081.patch Patch602: mozilla-1516803.patch +Patch603: CVE-2020-15664.patch +Patch604: CVE-2020-15665.patch +Patch605: CVE-2020-15666.patch +Patch606: CVE-2020-15667.patch +Patch607: CVE-2020-15668.patch +Patch608: CVE-2020-15676.patch +Patch609: CVE-2020-15677.patch +Patch610: CVE-2020-15678.patch %if %{?system_nss} BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version} BuildRequires: nss-static >= %{nss_version} @@ -281,6 +289,14 @@ tar -xf %{SOURCE3} %patch589 -p1 -b .mozilla-1656436 %patch600 -p1 -b .pgo %patch602 -p1 -b .1516803 +%patch603 -p1 +%patch604 -p1 +%patch605 -p1 +%patch606 -p1 +%patch607 -p1 +%patch608 -p1 +%patch609 -p1 +%patch610 -p1 %{__rm} -f .mozconfig %{__cp} %{SOURCE10} .mozconfig echo "ac_add_options --enable-default-toolkit=cairo-gtk3-wayland" >> .mozconfig @@ -722,6 +738,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Wed Dec 16 2020 wangxiao - 79.0-4 +- Fix CVE-2020-15664 CVE-2020-15665 CVE-2020-15666 CVE-2020-15667 + CVE-2020-15668 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678 * Thu Nov 28 2020 Jeffery.Gao - 79.0-3 - Fix firefox downgrade error -- Gitee
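Review bot: The CVE-2020-15668 patch edits the bundled `security/nss/lib/softoken/pkcs11.c`, but this spec can build against the system NSS (`%if %{?system_nss}` … `pkgconfig(nss) >= %{nss_version}`); when `system_nss` is set that patched file never reaches the shipped binary and the fix has to come from the system nss package. If that is the configuration used, `nss_version` (defined outside this hunk) should be raised to a release carrying the bug 1651520 fix, or the changelog should say the NSS item is provided by the system package. The new `%patch603`–`%patch610` lines also omit the `-b .suffix` backup argument the existing patch lines use — `%patch603 -p1 -b .CVE-2020-15664` and so on would keep the prep stage uniform. The changelog date (Dec 16) predates the commit date (Dec 18), which is harmless but worth keeping aligned.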