From 6e60904ab4918dd91e245d760696a32a1735e3c0 Mon Sep 17 00:00:00 2001 From: cuibb1 <95227821@qq.com> Date: Mon, 25 May 2020 16:41:12 +0800 Subject: [PATCH] fix CVE-2020-6811 CVE-2020-6814 --- CVE-2020-6811.patch | 102 ++++++ CVE-2020-6814-1.patch | 415 ++++++++++++++++++++++ CVE-2020-6814-2.patch | 133 +++++++ CVE-2020-6814-Add-FlippedOnce-class.patch | 74 ++++ firefox.spec | 13 +- 5 files changed, 736 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-6811.patch create mode 100644 CVE-2020-6814-1.patch create mode 100644 CVE-2020-6814-2.patch create mode 100644 CVE-2020-6814-Add-FlippedOnce-class.patch diff --git a/CVE-2020-6811.patch b/CVE-2020-6811.patch new file mode 100644 index 0000000..c93f204 --- /dev/null +++ b/CVE-2020-6811.patch @@ -0,0 +1,102 @@ +From c73d875661b96789047dd5cdccff82f1f639924d Mon Sep 17 00:00:00 2001 +From: Jan Odvarko +Date: Wed, 12 Feb 2020 11:52:30 +0000 +Subject: [PATCH] Bug 1607742 - Escape method argument r=Gijs + +Differential Revision: https://phabricator.services.mozilla.com/D60413 + +--HG-- +extra : moz-landing-system : lando +--- +devtools/client/shared/curl.js | 33 ++++++++++++++++++++++----------- + 1 file changed, 22 insertions(+), 11 deletions(-) + +diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js +index 30d8382..6d862be 100644 +--- a/devtools/client/shared/curl.js ++++ b/devtools/client/shared/curl.js +@@ -59,6 +59,17 @@ const Curl = { + const utils = CurlUtils; + + let command = ["curl"]; ++ // Make sure to use the following helpers to sanitize arguments before execution. ++ const addParam = value => { ++ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value); ++ command.push(safe); ++ }; ++ ++ const addPostData = value => { ++ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value); ++ postData.push(safe); ++ }; ++ + const ignoredHeaders = new Set(); + + // The cURL command is expected to run on the same platform that Firefox runs +@@ -67,7 +78,7 @@ const Curl = { + utils.escapeStringWin : utils.escapeStringPosix; + + // Add URL. +- command.push(escapeString(data.url)); ++ addParam(data.url); + + let postDataText = null; + const multipartRequest = utils.isMultipartRequest(data); +@@ -77,15 +88,15 @@ const Curl = { + if (utils.isUrlEncodedRequest(data) || + ["PUT", "POST", "PATCH"].includes(data.method)) { + postDataText = data.postDataText; +- postData.push("--data"); +- postData.push(escapeString(utils.writePostDataTextParams(postDataText))); ++ addPostData("--data"); ++ addPostData(utils.writePostDataTextParams(postDataText)); + ignoredHeaders.add("content-length"); + } else if (multipartRequest) { + postDataText = data.postDataText; +- postData.push("--data-binary"); ++ addPostData("--data-binary"); + const boundary = utils.getMultipartBoundary(data); + const text = utils.removeBinaryDataFromMultipartText(postDataText, boundary); +- postData.push(escapeString(text)); ++ addPostData(text); + ignoredHeaders.add("content-length"); + } + // curl generates the host header itself based on the given URL +@@ -95,13 +106,13 @@ const Curl = { + // For servers that supports HEAD. + // This will fetch the header of a document only. + if (data.method == "HEAD") { +- command.push("-I"); ++ addParam("-I"); + } else if (!(data.method == "GET" || data.method == "POST")) { + // Add method. + // For HEAD, GET and POST requests this is not necessary. GET is the + // default, if --data or --binary is added POST is used, -I implies HEAD. +- command.push("-X"); +- command.push(data.method); ++ addParam("-X"); ++ addParam(data.method); + } + + // Add request headers. +@@ -113,14 +124,14 @@ const Curl = { + for (let i = 0; i < headers.length; i++) { + const header = headers[i]; + if (header.name.toLowerCase() === "accept-encoding") { +- command.push("--compressed"); ++ addParam("--compressed"); + continue; + } + if (ignoredHeaders.has(header.name.toLowerCase())) { + continue; + } +- command.push("-H"); +- command.push(escapeString(header.name + ": " + header.value)); ++ addParam("-H"); ++ addParam(header.name + ": " + header.value); + } + + // Add post data. +-- +2.23.0 + diff --git a/CVE-2020-6814-1.patch b/CVE-2020-6814-1.patch new file mode 100644 index 0000000..3c34c04 --- /dev/null +++ b/CVE-2020-6814-1.patch @@ -0,0 +1,415 @@ +From 187b93c6acb2340749b1586bd12afac1d619b136 Mon Sep 17 00:00:00 2001 +From: Jan de Mooij +Date: Tue, 4 Feb 2020 14:18:11 +0000 +Subject: [PATCH] Bug 1608256 - Remove MakeMRegExpHoistable optimization +. + r=tcampbell + +It's a lot of code and doesn't seem to affect Octane-regexp. + +Differential Revision: https://phabricator.services.mozilla.com/D61427 + +--HG-- +extra : moz-landing-system : lando +--- + js/src/jit/Ion.cpp | 8 - + js/src/jit/IonAnalysis.cpp | 267 -------------------------------- + js/src/jit/IonAnalysis.h | 3 - + js/src/jit/Lowering.cpp | 11 +- + js/src/jit/MIR.h | 8 - + js/src/vm/CommonPropertyNames.h | 6 - + 6 files changed, 3 insertions(+), 300 deletions(-) + +diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp +index fd31413..08d49bd 100644 +--- a/js/src/jit/Ion.cpp ++++ b/js/src/jit/Ion.cpp +@@ -1361,14 +1361,6 @@ OptimizeMIR(MIRGenerator* mir) + if (mir->shouldCancel("Start")) + return false; + +- if (!mir->compilingWasm()) { +- if (!MakeMRegExpHoistable(mir, graph)) +- return false; +- +- if (mir->shouldCancel("Make MRegExp Hoistable")) +- return false; +- } +- + gs.spewPass("BuildSSA"); + AssertBasicGraphCoherency(graph); + +diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp +index fd89546..217a4c5 100644 +--- a/js/src/jit/IonAnalysis.cpp ++++ b/js/src/jit/IonAnalysis.cpp +@@ -2033,273 +2033,6 @@ jit::ApplyTypeInformation(MIRGenerator* mir, MIRGraph& graph) + return true; + } + +-// Check if `def` is only the N-th operand of `useDef`. +-static inline size_t +-IsExclusiveNthOperand(MDefinition* useDef, size_t n, MDefinition* def) +-{ +- uint32_t num = useDef->numOperands(); +- if (n >= num || useDef->getOperand(n) != def) +- return false; +- +- for (uint32_t i = 0; i < num; i++) { +- if (i == n) +- continue; +- if (useDef->getOperand(i) == def) +- return false; +- } +- +- return true; +-} +- +-static size_t +-IsExclusiveThisArg(MCall* call, MDefinition* def) +-{ +- return IsExclusiveNthOperand(call, MCall::IndexOfThis(), def); +-} +- +-static size_t +-IsExclusiveFirstArg(MCall* call, MDefinition* def) +-{ +- return IsExclusiveNthOperand(call, MCall::IndexOfArgument(0), def); +-} +- +-static bool +-IsRegExpHoistableCall(CompileRuntime* runtime, MCall* call, MDefinition* def) +-{ +- if (call->isConstructing()) +- return false; +- +- JSAtom* name; +- if (WrappedFunction* fun = call->getSingleTarget()) { +- if (!fun->isSelfHostedBuiltin()) +- return false; +- name = GetSelfHostedFunctionName(fun->rawJSFunction()); +- } else { +- MDefinition* funDef = call->getFunction(); +- if (funDef->isDebugCheckSelfHosted()) +- funDef = funDef->toDebugCheckSelfHosted()->input(); +- if (funDef->isTypeBarrier()) +- funDef = funDef->toTypeBarrier()->input(); +- +- if (!funDef->isCallGetIntrinsicValue()) +- return false; +- name = funDef->toCallGetIntrinsicValue()->name(); +- } +- +- // Hoistable only if the RegExp is the first argument of RegExpBuiltinExec. +- if (name == runtime->names().RegExpBuiltinExec || +- name == runtime->names().UnwrapAndCallRegExpBuiltinExec || +- name == runtime->names().RegExpMatcher || +- name == runtime->names().RegExpTester || +- name == runtime->names().RegExpSearcher) +- { +- return IsExclusiveFirstArg(call, def); +- } +- +- if (name == runtime->names().RegExp_prototype_Exec) +- return IsExclusiveThisArg(call, def); +- +- return false; +-} +- +-static bool +-CanCompareRegExp(MCompare* compare, MDefinition* def) +-{ +- MDefinition* value; +- if (compare->lhs() == def) { +- value = compare->rhs(); +- } else { +- MOZ_ASSERT(compare->rhs() == def); +- value = compare->lhs(); +- } +- +- // Comparing two regexp that weren't cloned will give different result +- // than if they were cloned. +- if (value->mightBeType(MIRType::Object)) +- return false; +- +- // Make sure @@toPrimitive is not called which could notice +- // the difference between a not cloned/cloned regexp. +- +- JSOp op = compare->jsop(); +- // Strict equality comparison won't invoke @@toPrimitive. +- if (op == JSOP_STRICTEQ || op == JSOP_STRICTNE) +- return true; +- +- if (op != JSOP_EQ && op != JSOP_NE) { +- // Relational comparison always invoke @@toPrimitive. +- MOZ_ASSERT(op == JSOP_GT || op == JSOP_GE || op == JSOP_LT || op == JSOP_LE); +- return false; +- } +- +- // Loose equality comparison can invoke @@toPrimitive. +- if (value->mightBeType(MIRType::Boolean) || value->mightBeType(MIRType::String) || +- value->mightBeType(MIRType::Int32) || +- value->mightBeType(MIRType::Double) || value->mightBeType(MIRType::Float32) || +- value->mightBeType(MIRType::Symbol)) +- { +- return false; +- } +- +- return true; +-} +- +-static inline void +-SetNotInWorklist(MDefinitionVector& worklist) +-{ +- for (size_t i = 0; i < worklist.length(); i++) +- worklist[i]->setNotInWorklist(); +-} +- +-static bool +-IsRegExpHoistable(MIRGenerator* mir, MDefinition* regexp, MDefinitionVector& worklist, +- bool* hoistable) +-{ +- MOZ_ASSERT(worklist.length() == 0); +- +- if (!worklist.append(regexp)) +- return false; +- regexp->setInWorklist(); +- +- for (size_t i = 0; i < worklist.length(); i++) { +- MDefinition* def = worklist[i]; +- if (mir->shouldCancel("IsRegExpHoistable outer loop")) +- return false; +- +- for (MUseIterator use = def->usesBegin(); use != def->usesEnd(); use++) { +- if (mir->shouldCancel("IsRegExpHoistable inner loop")) +- return false; +- +- // Ignore resume points. At this point all uses are listed. +- // No DCE or GVN or something has happened. +- if (use->consumer()->isResumePoint()) +- continue; +- +- MDefinition* useDef = use->consumer()->toDefinition(); +- +- // Step through a few white-listed ops. +- if (useDef->isPhi() || useDef->isFilterTypeSet() || useDef->isGuardShape()) { +- if (useDef->isInWorklist()) +- continue; +- +- if (!worklist.append(useDef)) +- return false; +- useDef->setInWorklist(); +- continue; +- } +- +- // Instructions that doesn't invoke unknown code that may modify +- // RegExp instance or pass it to elsewhere. +- if (useDef->isRegExpMatcher() || useDef->isRegExpTester() || +- useDef->isRegExpSearcher()) +- { +- if (IsExclusiveNthOperand(useDef, 0, def)) +- continue; +- } else if (useDef->isLoadFixedSlot() || useDef->isTypeOf()) { +- continue; +- } else if (useDef->isCompare()) { +- if (CanCompareRegExp(useDef->toCompare(), def)) +- continue; +- } +- // Instructions that modifies `lastIndex` property. +- else if (useDef->isStoreFixedSlot()) { +- if (IsExclusiveNthOperand(useDef, 0, def)) { +- MStoreFixedSlot* store = useDef->toStoreFixedSlot(); +- if (store->slot() == RegExpObject::lastIndexSlot()) +- continue; +- } +- } else if (useDef->isSetPropertyCache()) { +- if (IsExclusiveNthOperand(useDef, 0, def)) { +- MSetPropertyCache* setProp = useDef->toSetPropertyCache(); +- if (setProp->idval()->isConstant()) { +- Value propIdVal = setProp->idval()->toConstant()->toJSValue(); +- if (propIdVal.isString()) { +- CompileRuntime* runtime = mir->runtime; +- if (propIdVal.toString() == runtime->names().lastIndex) +- continue; +- } +- } +- } +- } +- // MCall is safe only for some known safe functions. +- else if (useDef->isCall()) { +- if (IsRegExpHoistableCall(mir->runtime, useDef->toCall(), def)) +- continue; +- } +- +- // Everything else is unsafe. +- SetNotInWorklist(worklist); +- worklist.clear(); +- *hoistable = false; +- +- return true; +- } +- } +- +- SetNotInWorklist(worklist); +- worklist.clear(); +- *hoistable = true; +- return true; +-} +- +-bool +-jit::MakeMRegExpHoistable(MIRGenerator* mir, MIRGraph& graph) +-{ +- // If we are compiling try blocks, regular expressions may be observable +- // from catch blocks (which Ion does not compile). For now just disable the +- // pass in this case. +- if (graph.hasTryBlock()) +- return true; +- +- MDefinitionVector worklist(graph.alloc()); +- +- for (ReversePostorderIterator block(graph.rpoBegin()); block != graph.rpoEnd(); block++) { +- if (mir->shouldCancel("MakeMRegExpHoistable outer loop")) +- return false; +- +- for (MDefinitionIterator iter(*block); iter; iter++) { +- if (!*iter) +- MOZ_CRASH("confirm bug 1263794."); +- +- if (mir->shouldCancel("MakeMRegExpHoistable inner loop")) +- return false; +- +- if (!iter->isRegExp()) +- continue; +- +- MRegExp* regexp = iter->toRegExp(); +- +- bool hoistable = false; +- if (!IsRegExpHoistable(mir, regexp, worklist, &hoistable)) +- return false; +- +- if (!hoistable) +- continue; +- +- // Make MRegExp hoistable +- regexp->setMovable(); +- regexp->setDoNotClone(); +- +- // That would be incorrect for global/sticky, because lastIndex +- // could be wrong. Therefore setting the lastIndex to 0. That is +- // faster than a not movable regexp. +- RegExpObject* source = regexp->source(); +- if (source->sticky() || source->global()) { +- if (!graph.alloc().ensureBallast()) +- return false; +- MConstant* zero = MConstant::New(graph.alloc(), Int32Value(0)); +- regexp->block()->insertAfter(regexp, zero); +- +- MStoreFixedSlot* lastIndex = +- MStoreFixedSlot::New(graph.alloc(), regexp, RegExpObject::lastIndexSlot(), zero); +- regexp->block()->insertAfter(zero, lastIndex); +- } +- } +- } +- +- return true; +-} +- + void + jit::RenumberBlocks(MIRGraph& graph) + { +diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h +index 512c6bd..d49783c 100644 +--- a/js/src/jit/IonAnalysis.h ++++ b/js/src/jit/IonAnalysis.h +@@ -59,9 +59,6 @@ EliminateDeadCode(MIRGenerator* mir, MIRGraph& graph); + MOZ_MUST_USE bool + ApplyTypeInformation(MIRGenerator* mir, MIRGraph& graph); + +-MOZ_MUST_USE bool +-MakeMRegExpHoistable(MIRGenerator* mir, MIRGraph& graph); +- + void + RenumberBlocks(MIRGraph& graph); + +diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp +index 3b52ec5..2ba15a6 100644 +--- a/js/src/jit/Lowering.cpp ++++ b/js/src/jit/Lowering.cpp +@@ -2413,14 +2413,9 @@ LIRGenerator::visitToObjectOrNull(MToObjectOrNull* ins) + void + LIRGenerator::visitRegExp(MRegExp* ins) + { +- if (ins->mustClone()) { +- LRegExp* lir = new(alloc()) LRegExp(temp()); +- define(lir, ins); +- assignSafepoint(lir, ins); +- } else { +- RegExpObject* source = ins->source(); +- define(new(alloc()) LPointer(source), ins); +- } ++ LRegExp* lir = new(alloc()) LRegExp(temp()); ++ define(lir, ins); ++ assignSafepoint(lir, ins); + } + + void +diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h +index e90b500..4a97c41 100644 +--- a/js/src/jit/MIR.h ++++ b/js/src/jit/MIR.h +@@ -8605,14 +8605,12 @@ class MDefFun + class MRegExp : public MNullaryInstruction + { + CompilerGCPointer source_; +- bool mustClone_; + bool hasShared_; + + MRegExp(TempAllocator& alloc, CompilerConstraintList* constraints, RegExpObject* source, + bool hasShared) + : MNullaryInstruction(classOpcode), + source_(source), +- mustClone_(true), + hasShared_(hasShared) + { + setResultType(MIRType::Object); +@@ -8623,12 +8621,6 @@ class MRegExp : public MNullaryInstruction + INSTRUCTION_HEADER(RegExp) + TRIVIAL_NEW_WRAPPERS_WITH_ALLOC + +- void setDoNotClone() { +- mustClone_ = false; +- } +- bool mustClone() const { +- return mustClone_; +- } + bool hasShared() const { + return hasShared_; + } +diff --git a/js/src/vm/CommonPropertyNames.h b/js/src/vm/CommonPropertyNames.h +index 0d537fb..3d2eeb5 100644 +--- a/js/src/vm/CommonPropertyNames.h ++++ b/js/src/vm/CommonPropertyNames.h +@@ -346,12 +346,7 @@ + "ReadableStreamDefaultReader_releaseLock") \ + macro(ReadableStreamTee, ReadableStreamTee, "ReadableStreamTee") \ + macro(reason, reason, "reason") \ +- macro(RegExpBuiltinExec, RegExpBuiltinExec, "RegExpBuiltinExec") \ + macro(RegExpFlagsGetter, RegExpFlagsGetter, "RegExpFlagsGetter") \ +- macro(RegExpMatcher, RegExpMatcher, "RegExpMatcher") \ +- macro(RegExpSearcher, RegExpSearcher, "RegExpSearcher") \ +- macro(RegExpTester, RegExpTester, "RegExpTester") \ +- macro(RegExp_prototype_Exec, RegExp_prototype_Exec, "RegExp_prototype_Exec") \ + macro(Reify, Reify, "Reify") \ + macro(reject, reject, "reject") \ + macro(rejected, rejected, "rejected") \ +@@ -429,7 +424,6 @@ + macro(uninitialized, uninitialized, "uninitialized") \ + macro(unsized, unsized, "unsized") \ + macro(unwatch, unwatch, "unwatch") \ +- macro(UnwrapAndCallRegExpBuiltinExec, UnwrapAndCallRegExpBuiltinExec, "UnwrapAndCallRegExpBuiltinExec") \ + macro(url, url, "url") \ + macro(usage, usage, "usage") \ + macro(useAsm, useAsm, "use asm") \ +-- +2.23.0 + diff --git a/CVE-2020-6814-2.patch b/CVE-2020-6814-2.patch new file mode 100644 index 0000000..0a8213c --- /dev/null +++ b/CVE-2020-6814-2.patch @@ -0,0 +1,133 @@ +From 235ee6bbd95335ede2a095e3e2ed67022afe7800 Mon Sep 17 00:00:00 2001 +From: Perry Jiang +Date: Wed, 19 Feb 2020 17:56:08 +0000 +Subject: [PATCH] Bug 1604847 - let ClientSourceOpChild finish +initialization + r=dom-workers-and-storage-reviewers,asuth + +Differential Revision: https://phabricator.services.mozilla.com/D63239 + +--HG-- +extra : moz-landing-system : lando +--- + dom/clients/manager/ClientSourceChild.cpp | 2 +- + dom/clients/manager/ClientSourceOpChild.cpp | 28 ++++++++++++++++++++- + dom/clients/manager/ClientSourceOpChild.h | 22 ++++++++++------ + 3 files changed, 43 insertions(+), 9 deletions(-) + +diff --git a/dom/clients/manager/ClientSourceChild.cpp b/dom/clients/manager/ClientSourceChild.cpp +index 0f13a63..e4a8330 100644 +--- a/dom/clients/manager/ClientSourceChild.cpp ++++ b/dom/clients/manager/ClientSourceChild.cpp +@@ -37,7 +37,7 @@ ClientSourceChild::AllocPClientSourceOpChild(const ClientOpConstructorArgs& aArg + bool + ClientSourceChild::DeallocPClientSourceOpChild(PClientSourceOpChild* aActor) + { +- delete aActor; ++ static_cast(aActor)->ScheduleDeletion(); + return true; + } + +diff --git a/dom/clients/manager/ClientSourceOpChild.cpp b/dom/clients/manager/ClientSourceOpChild.cpp +index dff99d2..b19787f 100644 +--- a/dom/clients/manager/ClientSourceOpChild.cpp ++++ b/dom/clients/manager/ClientSourceOpChild.cpp +@@ -8,6 +8,7 @@ + + #include "ClientSource.h" + #include "ClientSourceChild.h" ++#include "mozilla/Assertions.h" + #include "mozilla/Unused.h" + + namespace mozilla { +@@ -72,7 +73,7 @@ ClientSourceOpChild::DoSourceOp(Method aMethod, const Args& aArgs) + void + ClientSourceOpChild::ActorDestroy(ActorDestroyReason aReason) + { +- mPromiseRequestHolder.DisconnectIfExists(); ++ Cleanup(); + } + + void +@@ -111,6 +112,31 @@ ClientSourceOpChild::Init(const ClientOpConstructorArgs& aArgs) + break; + } + } ++ ++ mInitialized.Flip(); ++ ++ if (mDeletionRequested) { ++ Cleanup(); ++ delete this; ++ } ++} ++ ++void ClientSourceOpChild::ScheduleDeletion() { ++ if (mInitialized) { ++ Cleanup(); ++ delete this; ++ return; ++ } ++ ++ mDeletionRequested.Flip(); ++} ++ ++ClientSourceOpChild::~ClientSourceOpChild() { ++ MOZ_DIAGNOSTIC_ASSERT(mInitialized); ++} ++ ++void ClientSourceOpChild::Cleanup() { ++ mPromiseRequestHolder.DisconnectIfExists(); + } + + } // namespace dom +diff --git a/dom/clients/manager/ClientSourceOpChild.h b/dom/clients/manager/ClientSourceOpChild.h +index 1132353..7f30eb0 100644 +--- a/dom/clients/manager/ClientSourceOpChild.h ++++ b/dom/clients/manager/ClientSourceOpChild.h +@@ -6,6 +6,7 @@ + #ifndef _mozilla_dom_ClientSourceOpChild_h + #define _mozilla_dom_ClientSourceOpChild_h + ++#include "mozilla/dom/FlippedOnce.h" + #include "mozilla/dom/PClientSourceOpChild.h" + #include "ClientOpPromise.h" + +@@ -16,7 +17,17 @@ class ClientSource; + + class ClientSourceOpChild final : public PClientSourceOpChild + { +- MozPromiseRequestHolder mPromiseRequestHolder; ++ public: ++ void Init(const ClientOpConstructorArgs& aArgs); ++ ++ // Deletes "this" after initialization (or immediately if already ++ // initialized.) It's UB to use "this" after calling ScheduleDeletion. ++ void ScheduleDeletion(); ++ ++ private: ++ ~ClientSourceOpChild(); ++ ++ void Cleanup(); + + ClientSource* + GetSource() const; +@@ -29,12 +40,9 @@ class ClientSourceOpChild final : public PClientSourceOpChild + void + ActorDestroy(ActorDestroyReason aReason) override; + +-public: +- ClientSourceOpChild() = default; +- ~ClientSourceOpChild() = default; +- +- void +- Init(const ClientOpConstructorArgs& aArgs); ++ MozPromiseRequestHolder mPromiseRequestHolder; ++ FlippedOnce mDeletionRequested; ++ FlippedOnce mInitialized; + }; + + } // namespace dom +-- +2.23.0 + diff --git a/CVE-2020-6814-Add-FlippedOnce-class.patch b/CVE-2020-6814-Add-FlippedOnce-class.patch new file mode 100644 index 0000000..865caaf --- /dev/null +++ b/CVE-2020-6814-Add-FlippedOnce-class.patch @@ -0,0 +1,74 @@ +From 311de0b6358ba2b8eae20dcc5baf29472a273fc6 Mon Sep 17 00:00:00 2001 +From: Simon Giesecke +Date: Tue, 3 Dec 2019 15:25:49 +0000 +Subject: [PATCH] Bug 1598164 - Added FlippedOnce class template to help + reducing statefulness of boolean flags. + r=dom-workers-and-storage-reviewers,ytausky + +Differential Revision: https://phabricator.services.mozilla.com/D55080 + +--HG-- +extra : moz-landing-system : lando +--- + dom/indexedDB/FlippedOnce.h | 39 +++++++++++++++++++++++++++++++++++++ + dom/indexedDB/moz.build | 1 + + 2 files changed, 40 insertions(+) + create mode 100644 dom/indexedDB/FlippedOnce.h + +diff --git a/dom/indexedDB/FlippedOnce.h b/dom/indexedDB/FlippedOnce.h +new file mode 100644 +index 0000000000000..94cd8570a4b6e +--- /dev/null ++++ b/dom/indexedDB/FlippedOnce.h +@@ -0,0 +1,39 @@ ++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ ++/* vim: set ts=8 sts=2 et sw=2 tw=80: */ ++/* This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this file, ++ * You can obtain one at http://mozilla.org/MPL/2.0/. */ ++ ++#ifndef mozilla_dom_indexeddb_flippedonce_h__ ++#define mozilla_dom_indexeddb_flippedonce_h__ ++ ++#include "mozilla/Assertions.h" ++#include "mozilla/Attributes.h" ++ ++namespace mozilla { ++ ++// A state-restricted bool, which can only be flipped once. It isn't required to ++// be flipped during its lifetime. ++template ++class FlippedOnce { ++ public: ++ FlippedOnce(const FlippedOnce&) = delete; ++ FlippedOnce& operator=(const FlippedOnce&) = delete; ++ ++ FlippedOnce() = default; ++ ++ MOZ_IMPLICIT operator bool() const { return mValue; }; ++ ++ void Flip() { ++ MOZ_ASSERT(mValue == Initial); ++ EnsureFlipped(); ++ } ++ ++ void EnsureFlipped() { mValue = !Initial; } ++ ++ private: ++ bool mValue = Initial; ++}; ++} // namespace mozilla ++ ++#endif +diff --git a/dom/indexedDB/moz.build b/dom/indexedDB/moz.build +index 4302528e6847b..5237528963127 100644 +--- a/dom/indexedDB/moz.build ++++ b/dom/indexedDB/moz.build +@@ -24,6 +24,7 @@ XPCSHELL_TESTS_MANIFESTS += [ + ] + + EXPORTS.mozilla.dom += [ ++ 'FlippedOnce.h', + 'IDBCursor.h', + 'IDBDatabase.h', + 'IDBEvents.h', diff --git a/firefox.spec b/firefox.spec index 913eb85..5ab16bd 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,7 +1,7 @@ Name: firefox Summary: Mozilla Firefox Web browser Version: 62.0.3 -Release: 5 +Release: 6 URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: http://download-origin.cdn.mozilla.net/pub/firefox/releases/62.0.3/source/firefox-62.0.3.source.tar.xz @@ -30,6 +30,11 @@ Patch0017: mozilla-1467128.patch Patch0018: mozilla-1415078.patch Patch0019: openeuler-20200525.patch +Patch6000: CVE-2020-6811.patch +Patch6001: CVE-2020-6814-Add-FlippedOnce-class.patch +Patch6002: CVE-2020-6814-1.patch +Patch6003: CVE-2020-6814-2.patch + BuildRequires: pkgconfig(nspr) >= 4.19 pkgconfig(nss) >= 3.37.3 pkgconfig(libpng) pkgconfig(libffi) BuildRequires: pkgconfig(zlib) pkgconfig(libIDL-2.0) pkgconfig(gtk+-3.0) pkgconfig(gtk+-2.0) pkgconfig(krb5) BuildRequires: pkgconfig(pango) pkgconfig(freetype2) >= 2.1.9 pkgconfig(xt) pkgconfig(xrender) pkgconfig(dri) @@ -316,6 +321,12 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %{_datadir}/applications/firefox-wayland.desktop %changelog +* Mon May 25 2020 huanghaitao - 62.0.3-6 +- Type:cves +- ID: CVE-2020-6811 CVE-2020-6814 +- SUG:restart +- DESC: fix CVE-2020-6811 CVE-2020-6814 + * Mon May 25 2020 Captain Wei - 62.0.3-5 - fix unstable_name_collisions problem when compile -- Gitee