./www/firefox, Web browser with support for extensions (version 57)

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 57.0.2, Package name: firefox-57.0.2, Maintainer: ryoon

Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.

It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.

Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.


Required to run:
[sysutils/desktop-file-utils] [sysutils/dbus-glib] [textproc/icu] [graphics/MesaLib] [graphics/cairo] [graphics/jpeg] [net/libIDL] [devel/nspr] [devel/libffi] [devel/nss] [x11/gtk2] [x11/pixman] [multimedia/libvpx] [x11/gtk3] [lang/gcc49-libs] [multimedia/ffmpeg3]

Required to build:
[pkgtools/x11-links] [devel/yasm] [x11/compositeproto] [x11/glproto] [x11/renderproto] [x11/xproto] [x11/xf86vidmodeproto] [x11/recordproto] [x11/xf86driproto] [x11/damageproto] [x11/inputproto] [x11/xextproto] [x11/randrproto] [x11/dri2proto] [x11/xcb-proto] [lang/clang] [x11/fixesproto4] [lang/gcc49] [pkgtools/cwrappers] [lang/rust]

Package options: dbus, oss

Master sites: (Expand)

SHA1: 2edcb2fade6cc4ed9339825bad1bdad381da7824
RMD160: 798fad0cecceac45db490dd79fb25b0ecb1ec83b
Filesize: 242941.875 KB

Version history: (Expand)


CVS history: (Expand)


   2017-12-10 01:45:09 by Ryo ONODERA | Files touched by this commit (7) | Package updated
Log message:
Update to 57.0.2

* Move gtk3 part to mozilla-common.mk
* Add a option for Widevine CDM support

Changelog:
For Windows only.
   2017-12-04 16:17:55 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 57.0.1

Changelog:
Fixed
    Fix a video color distortion issue on YouTube and other video sites
    with some AMD devices (bug 1417442)

    Fix an issue with prefs.js when the profile path has non-ascii
    characters (bug 1420427)

    Various security fixes

    Google map crashes on OSX with Intel HD Graphics 3000

Changed
    Block injection of a client library associated with the RealPlayer
    Free player which is known to cause performance problems in Firefox.
    (Bug 1418535)

Security fixes:
Not available
   2017-11-30 17:45:43 by Adam Ciarcinski | Files touched by this commit (654) | Package updated
Log message:
Revbump after textproc/icu update
   2017-11-23 18:20:22 by Thomas Klausner | Files touched by this commit (556)
Log message:
recursive bump for libxkbcommon removal from at-spi2-core
   2017-11-16 02:04:38 by Ryo ONODERA | Files touched by this commit (56) | Package removed
Log message:
Update to 57.0

Changelog:  New
    A completely new browsing engine, designed to take full advantage
    of the processing power in modern devices

    A redesigned interface with a clean, modern appearance, consistent
    visual elements, and optimizations for touch screens

    A unified address and search bar. New installs will see this
    unified bar. Learn how to add the stand-alone search bar to
    the toolbar

    A revamped new tab page that includes top visited sites, recently
    visited pages, and recommendations from Pocket (in the US,
    Canada, and Germany)

    An updated product tour to orient new and returning Firefox
    users

    AMD VP9 hardware video decoder support for improved video
    playback with lower power consumption

    An expanded section in preferences to manage all website
    permissions

Fixed
    Various security fixes

Changed
    Firefox now exclusively supports extensions built using the
    WebExtension API, and unsupported legacy extensions will no
    longer work. Learn more about our efforts to improve the
    performance and security of extensions

    The browser's autoscroll feature, as well as scrolling by
    keyboard input and touch-dragging of scrollbars, now use
    asynchronous scrolling. These scrolling methods are now similar
    to other input methods like mousewheel, and provide a smoother
    scrolling experience

    The content process now has a stricter security sandbox that
    blocks filesystem reading and writing on Linux, similar to the
    protections for Windows and macOS that shipped in Firefox 56

    Middle mouse paste in the content area no longer navigates to
    URLs by default on Unix systems

    Removed the toolbar Share button. If you relied on this feature,
    you can install the Share Backported extension instead.

    Some older versions of the ATOK IME, including ATOK 2006, 2008,
    2009 and 2010, can cause crashes and are therefore disabled on
    the Windows 64-bit version of Firefox Quantum. To fix those
    incompatibility issues, please use a newer version of ATOK or
    one of other IMEs.

    The default font for Japanese text is now Meiryo

Security fixes:

CVE-2017-7828: Use-after-free of PressShell while restyling layout

Reporter
    Nils
Impact
    critical

Description

A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in
use. This results in a potentially exploitable crash during these
operations.

References
    Bug 1406750 Bug 1412252

#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API

Reporter
    Jun Kokatsu
Impact
    high

Description

The Resource Timing API incorrectly revealed navigations in
cross-origin iframes. This is a same-origin policy violation and
could allow for data theft of URLs loaded by users.

References
    Bug 1408990

#CVE-2017-7831: Information disclosure of exposed properties on
JavaScript proxy objects

Reporter
    Oriol Brufau
Impact
    moderate

Description

A vulnerability where the security wrapper does not deny access to
some exposed properties using the deprecated exposedProps mechanism
on proxy objects. These properties should be explicitly unavailable
to proxy objects.

References
    Bug 1392026

#CVE-2017-7832: Domain spoofing through use of dotless 'i' character
followed by accent markers

Reporter
    Jonathan Kew
Impact
    moderate

Description

The combined, single character, version of the letter 'i' with any
of the potential accents in unicode, such as acute or grave, can
be spoofed in the addressbar by the dotless version of 'i' followed
by the same accent as a second character with most font sets. This
allows for domain spoofing attacks because these combined domain
names do not display as punycode.

References
    Bug 1408782

#CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker
characters

Reporter
    Rayyan Bijoora
Impact
    moderate

Description

Some Arabic and Indic vowel marker characters can be combined with
Latin characters in a domain name to eclipse the non-Latin character
with some font sets on the addressbar. The non-Latin character will
not be visible to most viewers. This allows for domain spoofing
attacks because these combined domain names do not display as
punycode.

References
    Bug 1370497

#CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections

Reporter
    Jordi Chancel
Impact
    moderate

Description

A data: URL loaded in a new tab did not inherit the Content Security
Policy (CSP) of the original page, allowing for bypasses of the
policy including the execution of JavaScript. In prior versions
when data: documents also inherited the context of the original
page this would allow for potential cross-site scripting (XSS)
attacks.

References
    Bug 1358009

#CVE-2017-7835: Mixed content blocking incorrectly applies with
redirects

Reporter
    Ben Kelly
Impact
    moderate

Description

Mixed content blocking of insecure (HTTP) sub-resources in a secure
(HTTPS) document was not correctly applied for resources that
redirect from HTTPS to HTTP, allowing content that should be blocked,
such as scripts, to be loaded on a page.

References
    Bug 1402363

#CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and
OS X

Reporter
    Ezra Caltum
Impact
    moderate

Description

The "pingsender" executable used by the Firefox Health Report
dynamically loads a system copy of libcurl, which an attacker could
replace. This allows for privilege escalation as the replaced
libcurl code will run with Firefox's privileges.  Note: This attack
requires an attacker have local system access and only affects OS
X and Linux. Windows systems are not affected.

References
    Bug 1401339

#CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies

Reporter
    Jun Kokatsu
Impact
    moderate

Description

SVG loaded through <img> tags can use <meta> tags within the SVG
data to set cookies for that page.

References
    Bug 1325923

#CVE-2017-7838: Failure of individual decoding of labels in
international domain names triggers punycode display of entire IDN

Reporter
    Corey Bonnell
Impact
    low

Description

Punycode format text will be displayed for entire qualified
international domain names in some instances when a sub-domain
triggers the punycode display instead of the primary domain being
displayed in native script and the sub-domain only displaying as
punycode. This could be used for limited spoofing attacks due to
user confusion.

References
    Bug 1399540

#CVE-2017-7839: Control characters before javascript: URLs defeats
self-XSS prevention mechanism

Reporter
    Eric Lawrence
Impact
    low

Description

Control characters prepended before javascript: URLs pasted in the
addressbar can cause the leading characters to be ignored and the
pasted JavaScript to be executed instead of being blocked. This
could be used in social engineering and self-cross-site-scripting
(self-XSS) attacks where users are convinced to copy and paste text
into the addressbar.

References
    Bug 1402896

#CVE-2017-7840: Exported bookmarks do not strip script elements
from user-supplied tags

Reporter
    Hanno Bock
Impact
    low

Description

JavaScript can be injected into an exported bookmarks file by
placing JavaScript code into user-supplied tags in saved bookmarks.
If the resulting exported HTML file is later opened in a browser
this JavaScript will be executed. This could be used in social
engineering and self-cross-scripting (self-XSS) attacks if users
were convinced to add malicious tags to bookmarks, export them,
and then open the resulting file.

References
    Bug 1366420

#CVE-2017-7842: Referrer Policy is not always respected for <link>
elements

Reporter
    Jun Kokatsu
Impact
    low

Description

If a document's Referrer Policy attribute is set to "no-referrer"
sometimes two network requests are made for <link> elements
instead of one. One of these requests includes the referrer instead
of respecting the set policy to not include a referrer on requests.

References
    Bug 1397064

#CVE-2017-7827: Memory safety bugs fixed in Firefox 57

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Boris Zbarsky, Carsten Book,
Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer,
Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith,
and Ting-Yu Chou reported memory safety bugs present in Firefox 56.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to run
arbitrary code.

References
    Memory safety bugs fixed in Firefox 57

#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox
ESR 52.5

Reporter
    Mozilla developers and community
Impact
    critical

Description

Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob
Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and
Ryan VanderMeulen reported memory safety bugs present in Firefox
56 and Firefox ESR 52.4. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.

References
    Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
   2017-11-03 23:07:27 by Ryo ONODERA | Files touched by this commit (51) | Package updated
Log message:
Fix build with lang-rust-1.21.0 from 57 via FreeBSD Ports. Bump PKGREVISION
   2017-10-29 10:47:58 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Make clang and rust as build dependencies. Fix PR pkg/52668
Bump PKGREVISION
   2017-10-27 15:21:28 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 56.0.2

Changelog:
56.0.2:
fixed:
    Disable Form Autofill completely on user request (Bug 1404531)

    Fix for video-related crashes on Windows 7 (Bug 1409141)

    Correct detection for 64-bit GSSAPI authentication (Bug 1409275)

    Fix for shutdown crash (Bug 1404105)

56.0.1:
fixed:
    Block D3D11 when using Intel drivers on Windows 7 systems
      with partial AVX support (bug 1403353)

changed:
    Users of 32-bit Firefox on 64-bit Windows are migrated to
      64-bit Firefox for increased stability and security.