Subject: CVS commit: [pkgsrc-2020Q3] pkgsrc/www/firefox78
From: Benny Siegert
Date: 2020-11-24 19:29:25
Message id: 20201124182925.591E5FA9D@cvs.NetBSD.org

Log Message:
Pullup ticket #6370 - requested by nia
www/firefox78: security fix

NOTE: This also includes the changes from pullup tickets #6363 and #6369.

Revisions pulled up:
- www/firefox78/Makefile                                        1.9,1.13
- www/firefox78/distinfo                                        1.5-1.6
- www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp 1.1
- www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp   1.1

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Tue Nov 10 02:59:28 UTC 2020

   Modified Files:
   	pkgsrc/www/firefox78: Makefile distinfo
   Added Files:
   	pkgsrc/www/firefox78/patches:
   	    patch-js_src_jit_ProcessExecutableMemory.cpp
   	    patch-js_src_vm_ArrayBufferObject.cpp

   Log Message:
   firefox78: Update to 78.4.1. Apply MPROTECT patches from mozjs.

   Security Vulnerabilities fixed in Firefox 82.0.3, Firefox ESR 78.4.1, and \ 
Thunderbird 78.4.2

   #CVE-2020-26950: Write side effects in MCallGetProperty opcode not accounted for

---
   Module Name:	pkgsrc
   Committed By:	nia
   Date:		Wed Nov 18 12:33:45 UTC 2020

   Modified Files:
   	pkgsrc/www/firefox78: Makefile distinfo

   Log Message:
   firefox78: Update to 78.5.0

   Security Vulnerabilities fixed in Firefox ESR 78.5

       #CVE-2020-26951: Parsing mismatches could confuse and bypass security
       sanitizer for chrome privileged code

       #CVE-2020-16012: Variable time processing of cross-origin images during
       drawImage calls

       #CVE-2020-26953: Fullscreen could be enabled without displaying the security
       UI

       #CVE-2020-26956: XSS through paste (manual and clipboard API)

       #CVE-2020-26958: Requests intercepted through ServiceWorkers lacked MIME
       type restrictions

       #CVE-2020-26959: Use-after-free in WebRequestService

       #CVE-2020-26960: Potential use-after-free in uses of nsTArray

       #CVE-2020-15999: Heap buffer overflow in freetype

       #CVE-2020-26961: DoH did not filter IPv4 mapped IP Addresses

       #CVE-2020-26965: Software keyboards may have remembered typed passwords

       #CVE-2020-26966: Single-word search queries were also broadcast to local
       network

       #CVE-2020-26968: Memory safety bugs fixed in Firefox 83 and Firefox ESR 78.5

Files:
RevisionActionfile
1.6.2.2modifypkgsrc/www/firefox78/Makefile
1.3.2.2modifypkgsrc/www/firefox78/distinfo
1.1.2.2addpkgsrc/www/firefox78/patches/patch-js_src_jit_ProcessExecutableMemory.cpp
1.1.2.2addpkgsrc/www/firefox78/patches/patch-js_src_vm_ArrayBufferObject.cpp