Fri Jan 10 13:56:19 2020 UTC
Pullup ticket #6113 - requested by nia
www/firefox68: security fix (zero-day)

Revisions pulled up:
- www/firefox68/Makefile                                        1.7-1.8
- www/firefox68/distinfo                                        1.6-1.7
- www/firefox68/patches/patch-rust-1.39.0                       deleted

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Wed Jan  8 21:49:32 UTC 2020

   Modified Files:
   	pkgsrc/www/firefox68: Makefile distinfo
   Removed Files:
   	pkgsrc/www/firefox68/patches: patch-rust-1.39.0

   Log Message:
   firefox68: Update to 68.4.0

   Security Vulnerabilities fixed in Firefox ESR 68.4:

   # CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
   # CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
   # CVE-2019-17017: Type Confusion in XPCVariant.cpp
   # CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
   # CVE-2019-17022: CSS sanitization does not escape HTML tags
   # CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Thu Jan  9 20:51:59 UTC 2020

   Modified Files:
   	pkgsrc/www/firefox68: Makefile distinfo

   Log Message:
   firefox68: Update to 68.4.1

   This release fixes one zero-day vulnerability:

   CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

   Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.
   We are aware of targeted attacks in the wild abusing this flaw.


(bsiegert)
diff -r1.5 -r1.5.4.1 pkgsrc/www/firefox68/Makefile
diff -r1.5 -r1.5.4.1 pkgsrc/www/firefox68/distinfo
diff -r1.1 -r0 pkgsrc/www/firefox68/patches/patch-rust-1.39.0

cvs diff -r1.5 -r1.5.4.1 pkgsrc/www/firefox68/Attic/Makefile

--- pkgsrc/www/firefox68/Attic/Makefile 2019/12/08 20:09:41 1.5
+++ pkgsrc/www/firefox68/Attic/Makefile 2020/01/10 13:56:19 1.5.4.1
@@ -1,18 +1,18 @@ @@ -1,18 +1,18 @@
1# $NetBSD: Makefile,v 1.5 2019/12/08 20:09:41 nia Exp $ 1# $NetBSD: Makefile,v 1.5.4.1 2020/01/10 13:56:19 bsiegert Exp $
2 2
3FIREFOX_VER= ${MOZ_BRANCH}${MOZ_BRANCH_MINOR} 3FIREFOX_VER= ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
4MOZ_BRANCH= 68.3 4MOZ_BRANCH= 68.4
5MOZ_BRANCH_MINOR= .0esr 5MOZ_BRANCH_MINOR= .1esr
6 6
7DISTNAME= firefox-${FIREFOX_VER}.source 7DISTNAME= firefox-${FIREFOX_VER}.source
8PKGNAME= ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox68-/} 8PKGNAME= ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox68-/}
9CATEGORIES= www 9CATEGORIES= www
10MASTER_SITES+= ${MASTER_SITE_MOZILLA:=firefox/releases/${FIREFOX_VER}/source/} 10MASTER_SITES+= ${MASTER_SITE_MOZILLA:=firefox/releases/${FIREFOX_VER}/source/}
11EXTRACT_SUFX= .tar.xz 11EXTRACT_SUFX= .tar.xz
12 12
13MAINTAINER= ryoon@NetBSD.org 13MAINTAINER= ryoon@NetBSD.org
14HOMEPAGE= https://www.mozilla.com/en-US/firefox/ 14HOMEPAGE= https://www.mozilla.com/en-US/firefox/
15COMMENT= Web browser with support for extensions (version ${FIREFOX_VER:C/\..*//}) 15COMMENT= Web browser with support for extensions (version ${FIREFOX_VER:C/\..*//})
16LICENSE= mpl-1.1 16LICENSE= mpl-1.1
17 17
18WRKSRC= ${WRKDIR}/firefox-${FIREFOX_VER:S/esr//} 18WRKSRC= ${WRKDIR}/firefox-${FIREFOX_VER:S/esr//}
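
Review bot: Lines 4-5 move the branch from 68.3.0esr straight to 68.4.1esr, but only lines 1-18 of the Makefile are shown, so please confirm that no PKGREVISION left over from the 68.3.0 package remains further down. PKGNAME on line 8 is derived from DISTNAME, and a stale revision would be appended to the new version. WRKSRC on line 18 strips "esr" and therefore expects the tarball to unpack to firefox-68.4.1; a clean extract on the pullup branch would confirm that before the security fix ships.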

cvs diff -r1.5 -r1.5.4.1 pkgsrc/www/firefox68/Attic/distinfo

--- pkgsrc/www/firefox68/Attic/distinfo 2019/12/08 20:09:41 1.5
+++ pkgsrc/www/firefox68/Attic/distinfo 2020/01/10 13:56:19 1.5.4.1
@@ -1,42 +1,41 @@ @@ -1,42 +1,41 @@
1$NetBSD: distinfo,v 1.5 2019/12/08 20:09:41 nia Exp $ 1$NetBSD: distinfo,v 1.5.4.1 2020/01/10 13:56:19 bsiegert Exp $
2 2
3SHA1 (firefox-68.3.0esr.source.tar.xz) = 220c262c5cb2ee81d29c58a5afe4522c9880cf2b 3SHA1 (firefox-68.4.1esr.source.tar.xz) = f11c0ecc0f17435149a2bce83f490bbd329e276d
4RMD160 (firefox-68.3.0esr.source.tar.xz) = 7cf26bd69a7414cdd78ab196e9add78b7235ef7c 4RMD160 (firefox-68.4.1esr.source.tar.xz) = 78098317b75b079a475a0bcb8a5f012178c1a643
5SHA512 (firefox-68.3.0esr.source.tar.xz) = f99a4a18aa1b4472152fc6de68ef56ee071c1adfc70a907c10943f8436758c9adc0fe05a90b894ea521cc0c30782e6e2c29f04747d7edf3e55080fa0c4ebf8c3 5SHA512 (firefox-68.4.1esr.source.tar.xz) = 8dd85096f1223b2ab396cc3b89a9f1b113f01ce8919af08a278d077cc4380c108a66b6379c75d85311aa3c54a7804f4d51f718b309fe107ff7c44aca7e4386ed
6Size (firefox-68.3.0esr.source.tar.xz) = 312378276 bytes 6Size (firefox-68.4.1esr.source.tar.xz) = 318559576 bytes
7SHA1 (patch-aa) = 1f292aae7d37bd480ba834324b737bfebee52503 7SHA1 (patch-aa) = 1f292aae7d37bd480ba834324b737bfebee52503
8SHA1 (patch-browser_app_profile_firefox.js) = 076cc2892547bac07fe907533f4e821f13f5738e 8SHA1 (patch-browser_app_profile_firefox.js) = 076cc2892547bac07fe907533f4e821f13f5738e
9SHA1 (patch-build_moz.configure_old.configure) = 05963b12fd908d90e3378b30cff7e48291b8a447 9SHA1 (patch-build_moz.configure_old.configure) = 05963b12fd908d90e3378b30cff7e48291b8a447
10SHA1 (patch-dom_base_nsAttrName.h) = ac7ba441a3b27df2855cf2673eea36b1cb44ad49 10SHA1 (patch-dom_base_nsAttrName.h) = ac7ba441a3b27df2855cf2673eea36b1cb44ad49
11SHA1 (patch-dom_media_CubebUtils.cpp) = b1b4f981c4bede877e3bd092d2648d4b8cbc73a5 11SHA1 (patch-dom_media_CubebUtils.cpp) = b1b4f981c4bede877e3bd092d2648d4b8cbc73a5
12SHA1 (patch-gfx_angle_checkout_src_common_third__party_smhasher_src_PMurHash.cpp) = e458c9c8dc66edc69c1874734af28a77fc5e3993 12SHA1 (patch-gfx_angle_checkout_src_common_third__party_smhasher_src_PMurHash.cpp) = e458c9c8dc66edc69c1874734af28a77fc5e3993
13SHA1 (patch-gfx_angle_checkout_src_compiler_translator_InfoSink.h) = 2f73c76c48852613e0c55c1680fcc2a9eb3cf4ef 13SHA1 (patch-gfx_angle_checkout_src_compiler_translator_InfoSink.h) = 2f73c76c48852613e0c55c1680fcc2a9eb3cf4ef
14SHA1 (patch-gfx_gl_GLContextProviderGLX.cpp) = 2c909a10a341e600392417240ad0c556f495d6ba 14SHA1 (patch-gfx_gl_GLContextProviderGLX.cpp) = 2c909a10a341e600392417240ad0c556f495d6ba
15SHA1 (patch-gfx_skia_skia_src_core_SkCpu.cpp) = 36218819254f3681b9c717d652ea78c9f20d49ad 15SHA1 (patch-gfx_skia_skia_src_core_SkCpu.cpp) = 36218819254f3681b9c717d652ea78c9f20d49ad
16SHA1 (patch-ipc_chromium_src_base_lock__impl__posix.cc) = d84d9b4d416e049423120dcbf9199644ce1c93ab 16SHA1 (patch-ipc_chromium_src_base_lock__impl__posix.cc) = d84d9b4d416e049423120dcbf9199644ce1c93ab
17SHA1 (patch-ipc_chromium_src_base_message__pump__libevent.cc) = 4a6606da590cfb8d855bde58b9c6f90e98d0870c 17SHA1 (patch-ipc_chromium_src_base_message__pump__libevent.cc) = 4a6606da590cfb8d855bde58b9c6f90e98d0870c
18SHA1 (patch-ipc_chromium_src_base_platform__thread__posix.cc) = 35d20981d33ccdb1d8ffb8039e48798777f11658 18SHA1 (patch-ipc_chromium_src_base_platform__thread__posix.cc) = 35d20981d33ccdb1d8ffb8039e48798777f11658
19SHA1 (patch-ipc_chromium_src_chrome_common_ipc__channel__posix.cc) = d634805bf3b02475081cb2f263e91e3f4c481a29 19SHA1 (patch-ipc_chromium_src_chrome_common_ipc__channel__posix.cc) = d634805bf3b02475081cb2f263e91e3f4c481a29
20SHA1 (patch-ipc_glue_CrossProcessSemaphore.h) = 25e24743060acf10c776c6b3b3660f52a2e9fbe8 20SHA1 (patch-ipc_glue_CrossProcessSemaphore.h) = 25e24743060acf10c776c6b3b3660f52a2e9fbe8
21SHA1 (patch-ipc_glue_CrossProcessSemaphore__posix.cpp) = f8d155ee66008b7cc4052b6a889327543b89e0bb 21SHA1 (patch-ipc_glue_CrossProcessSemaphore__posix.cpp) = f8d155ee66008b7cc4052b6a889327543b89e0bb
22SHA1 (patch-ipc_glue_GeckoChildProcessHost.cpp) = 260c29bacd8bf265951b7a412f850bf2b292c836 22SHA1 (patch-ipc_glue_GeckoChildProcessHost.cpp) = 260c29bacd8bf265951b7a412f850bf2b292c836
23SHA1 (patch-js_src_threading_posix_Thread.cpp) = 47e612a676e614fd6dd43b8a3140218a3fbdc7fa 23SHA1 (patch-js_src_threading_posix_Thread.cpp) = 47e612a676e614fd6dd43b8a3140218a3fbdc7fa
24SHA1 (patch-js_src_util_NativeStack.cpp) = 2c6f844d38343f40ebbc8fd665279256e4ae6d35 24SHA1 (patch-js_src_util_NativeStack.cpp) = 2c6f844d38343f40ebbc8fd665279256e4ae6d35
25SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = de58daa0fd23d4fec50426602b65c9ea5862558a 25SHA1 (patch-media_ffvpx_libavutil_arm_bswap.h) = de58daa0fd23d4fec50426602b65c9ea5862558a
26SHA1 (patch-media_libcubeb_gtest_moz.build) = ea6dcc7ceeb76ce1fb9d508cf43080a2eef3a9e4 26SHA1 (patch-media_libcubeb_gtest_moz.build) = ea6dcc7ceeb76ce1fb9d508cf43080a2eef3a9e4
27SHA1 (patch-media_libcubeb_src_cubeb.c) = e3446562ed16ec9643df42ee0b9c46ee91f22913 27SHA1 (patch-media_libcubeb_src_cubeb.c) = e3446562ed16ec9643df42ee0b9c46ee91f22913
28SHA1 (patch-media_libcubeb_src_cubeb__alsa.c) = f359a66a22f11142d05746e15894d998d3e3bf5a 28SHA1 (patch-media_libcubeb_src_cubeb__alsa.c) = f359a66a22f11142d05746e15894d998d3e3bf5a
29SHA1 (patch-media_libcubeb_src_cubeb__oss.c) = 103f751d5a7bc14a81a6ed43e1afc722bc092f7e 29SHA1 (patch-media_libcubeb_src_cubeb__oss.c) = 103f751d5a7bc14a81a6ed43e1afc722bc092f7e
30SHA1 (patch-media_libcubeb_src_moz.build) = dcca90cb5132442877712cd7b1f4e832c93d2655 30SHA1 (patch-media_libcubeb_src_moz.build) = dcca90cb5132442877712cd7b1f4e832c93d2655
31SHA1 (patch-media_libcubeb_update.sh) = 4508319d8534a0cc983e4767c2142169af9e5033 31SHA1 (patch-media_libcubeb_update.sh) = 4508319d8534a0cc983e4767c2142169af9e5033
32SHA1 (patch-media_libpng_pngpriv.h) = c8084332560017cd7c9b519b61d125fa28af0dbc 32SHA1 (patch-media_libpng_pngpriv.h) = c8084332560017cd7c9b519b61d125fa28af0dbc
33SHA1 (patch-rust-1.39.0) = 73f41832022fb42c6d84131b6daf9396a1fea284 
34SHA1 (patch-toolkit_components_terminator_nsTerminator.cpp) = e5700d95302ef9672b404ab19e13ef7ba3ede5cf 33SHA1 (patch-toolkit_components_terminator_nsTerminator.cpp) = e5700d95302ef9672b404ab19e13ef7ba3ede5cf
35SHA1 (patch-toolkit_library_moz.build) = 102e3713552c26f76e8b4e473846bb8fbc44b278 34SHA1 (patch-toolkit_library_moz.build) = 102e3713552c26f76e8b4e473846bb8fbc44b278
36SHA1 (patch-toolkit_modules_subprocess_subprocess__shared__unix.js) = 22a39e54e042ab2270a3cb54e4e307c8900cad12 35SHA1 (patch-toolkit_modules_subprocess_subprocess__shared__unix.js) = 22a39e54e042ab2270a3cb54e4e307c8900cad12
37SHA1 (patch-toolkit_moz.configure) = 40ee147cc1d2c62dd6c83b3f67ce9e61f758ea57 36SHA1 (patch-toolkit_moz.configure) = 40ee147cc1d2c62dd6c83b3f67ce9e61f758ea57
38SHA1 (patch-toolkit_mozapps_installer_packager.mk) = b2343fbad2556504dfd13601c02e6e2357c7d2bc 37SHA1 (patch-toolkit_mozapps_installer_packager.mk) = b2343fbad2556504dfd13601c02e6e2357c7d2bc
39SHA1 (patch-toolkit_xre_glxtest.cpp) = 04942938f45f326c7d5c4da3bf8cc2d09b977c69 38SHA1 (patch-toolkit_xre_glxtest.cpp) = 04942938f45f326c7d5c4da3bf8cc2d09b977c69
40SHA1 (patch-xpcom_base_nscore.h) = 1ac4d34d3c9e80bc1ac966c6c84cb320bc0fa1ec 39SHA1 (patch-xpcom_base_nscore.h) = 1ac4d34d3c9e80bc1ac966c6c84cb320bc0fa1ec
41SHA1 (patch-xpcom_build_BinaryPath.h) = 92461769d2fee8f015b91a5326247f271afeedea 40SHA1 (patch-xpcom_build_BinaryPath.h) = 92461769d2fee8f015b91a5326247f271afeedea
42SHA1 (patch-xpcom_reflect_xptcall_md_unix_moz.build) = 6956c90d4c74c71e7e9a5882e4840ba2673160fa 41SHA1 (patch-xpcom_reflect_xptcall_md_unix_moz.build) = 6956c90d4c74c71e7e9a5882e4840ba2673160fa
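
Review bot: Old line 33 drops the patch-rust-1.39.0 entry and the patch file is deleted, yet neither log message says why. Please state in the log whether the 68.4 sources already carry that change, and confirm the package still builds with the Rust version available on the pullup branch. For the new distfile entries on lines 3-6, the SHA512 value is the one to compare against the checksum Mozilla publishes for firefox-68.4.1esr.source.tar.xz, obtained independently of the download used to generate this file, since this pullup exists to deliver a fix for a flaw under active attack.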

File Deleted: pkgsrc/www/firefox68/patches/Attic/patch-rust-1.39.0