
Update firefox to 59.0
ClosedPublic

Authored by kyrios123 on Mar 14 2018, 9:59 PM.

Details

Summary

Release notes available here

Security

  • CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
  • CVE-2018-5128: Use-after-free manipulating editor selection ranges
  • CVE-2018-5129: Out-of-bounds write with malformed IPC messages
  • CVE-2018-5130: Mismatched RTP payload type can trigger memory corruption
  • CVE-2018-5131: Fetch API improperly returns cached copies of no-store/no-cache resources
  • CVE-2018-5132: WebExtension Find API can search privileged pages
  • CVE-2018-5133: Value of the app.support.baseURL preference is not properly sanitized
  • CVE-2018-5134: WebExtensions may use view-source: URLs to bypass content restrictions
  • CVE-2018-5135: WebExtension browserAction can inject scripts into unintended contexts
  • CVE-2018-5136: Same-origin policy violation with data: URL shared workers
  • CVE-2018-5137: Script content can access legacy extension non-contentaccessible resources
  • CVE-2018-5138: Android Custom Tab address spoofing through long domain names
  • CVE-2018-5140: Moz-icon images accessible to web content through moz-icon: protocol
  • CVE-2018-5141: DOS attack through notifications Push API
  • CVE-2018-5142: Media Capture and Streams API permissions display incorrect origin with data: and blob: URLs
  • CVE-2018-5143: Self-XSS pasting javascript: URL with embedded tab into addressbar
  • CVE-2018-5126: Memory safety bugs fixed in Firefox 59
  • CVE-2018-5125: Memory safety bugs fixed in Firefox 59 and Firefox ESR 52.7

Fixes T6018

Signed-off-by: Pierre-Yves <pyu@riseup.net>

Test Plan
  • Executed a few online benchmarks

Diff Detail

Repository
R755 firefox
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

kyrios123 created this revision. Mar 14 2018, 9:59 PM
kyrios123 requested review of this revision. Mar 14 2018, 9:59 PM
kyrios123 edited the summary of this revision. Mar 14 2018, 10:00 PM
kyrios123 added a project: Restricted Project.
kyrios123 edited the summary of this revision.
kyrios123 updated this revision to Diff 6156. Mar 14 2018, 10:07 PM

I haven't decided yet if stylo should be enabled or not since I don't get any significant difference in my VM (see T4966).
I will probably run some more benchmarks and try to make some tests on a physical machine.

PS: I also made some tests without the CFLAGS & CXXFLAGS for GCC6 and I haven't noticed any issue, so they are most likely not needed anymore.

@kyrios123 I did a local build with system libnspr and libnss enabled, no problems, if you want to update the diff. Considering if you fix D2496 first.

joebonrichie added inline comments. Mar 15 2018, 5:25 PM
package.yml
23–24

Part of system.devel not necessary.

36–37

cargo depends on rust, thus this builddep is not necessary.

kyrios123 updated this revision to Diff 6176. Mar 15 2018, 9:29 PM

clean-up package

JoshStrobl requested changes to this revision. Mar 15 2018, 9:35 PM
JoshStrobl added a subscriber: JoshStrobl.
JoshStrobl added inline comments.
files/prefs.js
2

Would appreciate an explanation / links for these changes.

package.yml
73

Any reason this was removed?

This revision now requires changes to proceed. Mar 15 2018, 9:35 PM
kyrios123 requested review of this revision. Mar 15 2018, 9:51 PM
kyrios123 added inline comments.
files/prefs.js
2

This is to match the locale of the OS.
User can replace it by a custom locale.

package.yml
73

Because it tries to make a symlink to something that doesn't exist.

JoshStrobl added inline comments. Mar 15 2018, 9:58 PM
package.yml
73

Used for Flash, Google Talk Plugin, and Rhythmbox plugin.

kyrios123 updated this revision to Diff 6178. Mar 15 2018, 10:03 PM

set back ln -sv %libdir%/mozilla/plugins $installdir/%libdir%/firefox/plugins

kyrios123 updated this revision to Diff 6179. Mar 15 2018, 10:08 PM

also fix pspec_x86_64.xml

This revision was not accepted when it landed; it landed in state Needs Review. Mar 15 2018, 10:10 PM
This revision was automatically updated to reflect the committed changes.