pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2019Q4]: pkgsrc/www/firefox68 Pullup ticket #6113 - requested ...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/68c97bf35278
branches:  pkgsrc-2019Q4
changeset: 347316:68c97bf35278
user:      bsiegert <bsiegert%pkgsrc.org@localhost>
date:      Fri Jan 10 13:56:19 2020 +0000

description:
Pullup ticket #6113 - requested by nia
www/firefox68: security fix (zero-day)

Revisions pulled up:
- www/firefox68/Makefile                                        1.7-1.8
- www/firefox68/distinfo                                        1.6-1.7
- www/firefox68/patches/patch-rust-1.39.0                       deleted

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Wed Jan  8 21:49:32 UTC 2020

   Modified Files:
        pkgsrc/www/firefox68: Makefile distinfo
   Removed Files:
        pkgsrc/www/firefox68/patches: patch-rust-1.39.0

   Log Message:
   firefox68: Update to 68.4.0

   Security Vulnerabilities fixed in Firefox ESR 68.4:

   # CVE-2019-17015: Memory corruption in parent process during new content process initialization on Windows
   # CVE-2019-17016: Bypass of @namespace CSS sanitization during pasting
   # CVE-2019-17017: Type Confusion in XPCVariant.cpp
   # CVE-2019-17021: Heap address disclosure in parent process during content process initialization on Windows
   # CVE-2019-17022: CSS sanitization does not escape HTML tags
   # CVE-2019-17024: Memory safety bugs fixed in Firefox 72 and Firefox ESR 68.4

---
   Module Name: pkgsrc
   Committed By:        nia
   Date:                Thu Jan  9 20:51:59 UTC 2020

   Modified Files:
        pkgsrc/www/firefox68: Makefile distinfo

   Log Message:
   firefox68: Update to 68.4.1

   This release fixes one zero-day vulnerability:

   CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement

   Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion.
   We are aware of targeted attacks in the wild abusing this flaw.

diffstat:

 www/firefox68/Makefile                  |    6 +-
 www/firefox68/distinfo                  |   11 +-
 www/firefox68/patches/patch-rust-1.39.0 |  176 --------------------------------
 3 files changed, 8 insertions(+), 185 deletions(-)

diffs (221 lines):

diff -r bebc6fe26c4c -r 68c97bf35278 www/firefox68/Makefile
--- a/www/firefox68/Makefile    Thu Jan 09 14:59:09 2020 +0000
+++ b/www/firefox68/Makefile    Fri Jan 10 13:56:19 2020 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.5 2019/12/08 20:09:41 nia Exp $
+# $NetBSD: Makefile,v 1.5.4.1 2020/01/10 13:56:19 bsiegert Exp $
 
 FIREFOX_VER=           ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH=            68.3
-MOZ_BRANCH_MINOR=      .0esr
+MOZ_BRANCH=            68.4
+MOZ_BRANCH_MINOR=      .1esr
 
 DISTNAME=      firefox-${FIREFOX_VER}.source
 PKGNAME=       ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox68-/}
diff -r bebc6fe26c4c -r 68c97bf35278 www/firefox68/distinfo
--- a/www/firefox68/distinfo    Thu Jan 09 14:59:09 2020 +0000
+++ b/www/firefox68/distinfo    Fri Jan 10 13:56:19 2020 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.5 2019/12/08 20:09:41 nia Exp $
+$NetBSD: distinfo,v 1.5.4.1 2020/01/10 13:56:19 bsiegert Exp $
 
-SHA1 (firefox-68.3.0esr.source.tar.xz) = 220c262c5cb2ee81d29c58a5afe4522c9880cf2b
-RMD160 (firefox-68.3.0esr.source.tar.xz) = 7cf26bd69a7414cdd78ab196e9add78b7235ef7c
-SHA512 (firefox-68.3.0esr.source.tar.xz) = f99a4a18aa1b4472152fc6de68ef56ee071c1adfc70a907c10943f8436758c9adc0fe05a90b894ea521cc0c30782e6e2c29f04747d7edf3e55080fa0c4ebf8c3
-Size (firefox-68.3.0esr.source.tar.xz) = 312378276 bytes
+SHA1 (firefox-68.4.1esr.source.tar.xz) = f11c0ecc0f17435149a2bce83f490bbd329e276d
+RMD160 (firefox-68.4.1esr.source.tar.xz) = 78098317b75b079a475a0bcb8a5f012178c1a643
+SHA512 (firefox-68.4.1esr.source.tar.xz) = 8dd85096f1223b2ab396cc3b89a9f1b113f01ce8919af08a278d077cc4380c108a66b6379c75d85311aa3c54a7804f4d51f718b309fe107ff7c44aca7e4386ed
+Size (firefox-68.4.1esr.source.tar.xz) = 318559576 bytes
 SHA1 (patch-aa) = 1f292aae7d37bd480ba834324b737bfebee52503
 SHA1 (patch-browser_app_profile_firefox.js) = 076cc2892547bac07fe907533f4e821f13f5738e
 SHA1 (patch-build_moz.configure_old.configure) = 05963b12fd908d90e3378b30cff7e48291b8a447
@@ -30,7 +30,6 @@
 SHA1 (patch-media_libcubeb_src_moz.build) = dcca90cb5132442877712cd7b1f4e832c93d2655
 SHA1 (patch-media_libcubeb_update.sh) = 4508319d8534a0cc983e4767c2142169af9e5033
 SHA1 (patch-media_libpng_pngpriv.h) = c8084332560017cd7c9b519b61d125fa28af0dbc
-SHA1 (patch-rust-1.39.0) = 73f41832022fb42c6d84131b6daf9396a1fea284
 SHA1 (patch-toolkit_components_terminator_nsTerminator.cpp) = e5700d95302ef9672b404ab19e13ef7ba3ede5cf
 SHA1 (patch-toolkit_library_moz.build) = 102e3713552c26f76e8b4e473846bb8fbc44b278
 SHA1 (patch-toolkit_modules_subprocess_subprocess__shared__unix.js) = 22a39e54e042ab2270a3cb54e4e307c8900cad12
diff -r bebc6fe26c4c -r 68c97bf35278 www/firefox68/patches/patch-rust-1.39.0
--- a/www/firefox68/patches/patch-rust-1.39.0   Thu Jan 09 14:59:09 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,176 +0,0 @@
-$NetBSD: patch-rust-1.39.0,v 1.1 2019/11/18 12:09:15 ryoon Exp $
-
-From 9696bc1795c75b1b527e2b70d9baf3ced9e3c154 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Emilio=20Cobos=20=C3=81lvarez?= <emilio%crisal.io@localhost>
-Date: Mon, 23 Sep 2019 17:54:37 +0200
-Subject: [PATCH] ir: Make Ord and PartialOrd implementations agree.
-
-See https://github.com/rust-lang/rust/issues/64710.
-
-Bogus implementations were introduced in 230545e7c, d3e39dc62, and 379bb1663.
-
---- third_party/rust/bindgen/src/ir/analysis/has_vtable.rs.orig        2019-10-16 19:30:29.000000000 +0000
-+++ third_party/rust/bindgen/src/ir/analysis/has_vtable.rs
-@@ -9,17 +9,17 @@ use std::ops;
- use {HashMap, Entry};
- 
- /// The result of the `HasVtableAnalysis` for an individual item.
--#[derive(Copy, Clone, Debug, PartialEq, Eq, Ord)]
-+#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
- pub enum HasVtableResult {
--    /// The item has a vtable, but the actual vtable pointer is in a base
--    /// member.
--    BaseHasVtable,
-+    /// The item does not have a vtable pointer.
-+    No,
- 
-     /// The item has a vtable and the actual vtable pointer is within this item.
-     SelfHasVtable,
- 
--    /// The item does not have a vtable pointer.
--    No
-+    /// The item has a vtable, but the actual vtable pointer is in a base
-+    /// member.
-+    BaseHasVtable,
- }
- 
- impl Default for HasVtableResult {
-@@ -28,21 +28,6 @@ impl Default for HasVtableResult {
-     }
- }
- 
--impl cmp::PartialOrd for HasVtableResult {
--    fn partial_cmp(&self, rhs: &Self) -> Option<cmp::Ordering> {
--        use self::HasVtableResult::*;
--
--        match (*self, *rhs) {
--            (x, y) if x == y => Some(cmp::Ordering::Equal),
--            (BaseHasVtable, _) => Some(cmp::Ordering::Greater),
--            (_, BaseHasVtable) => Some(cmp::Ordering::Less),
--            (SelfHasVtable, _) => Some(cmp::Ordering::Greater),
--            (_, SelfHasVtable) => Some(cmp::Ordering::Less),
--            _ => unreachable!(),
--        }
--    }
--}
--
- impl HasVtableResult {
-     /// Take the least upper bound of `self` and `rhs`.
-     pub fn join(self, rhs: Self) -> Self {
-$NetBSD: patch-rust-1.39.0,v 1.1 2019/11/18 12:09:15 ryoon Exp $
-
---- third_party/rust/bindgen/src/ir/analysis/sizedness.rs.orig 2019-10-16 19:30:29.000000000 +0000
-+++ third_party/rust/bindgen/src/ir/analysis/sizedness.rs
-@@ -22,13 +22,14 @@ use {HashMap, Entry};
- ///
- /// We initially assume that all types are `ZeroSized` and then update our
- /// understanding as we learn more about each type.
--#[derive(Copy, Clone, Debug, PartialEq, Eq, Ord)]
-+#[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
- pub enum SizednessResult {
--    /// Has some size that is known to be greater than zero. That doesn't mean
--    /// it has a static size, but it is not zero sized for sure. In other words,
--    /// it might contain an incomplete array or some other dynamically sized
--    /// type.
--    NonZeroSized,
-+    /// The type is zero-sized.
-+    ///
-+    /// This means that if it is a C++ type, and is not being used as a base
-+    /// member, then we must add an `_address` byte to enforce the
-+    /// unique-address-per-distinct-object-instance rule.
-+    ZeroSized,
- 
-     /// Whether this type is zero-sized or not depends on whether a type
-     /// parameter is zero-sized or not.
-@@ -52,12 +53,11 @@ pub enum SizednessResult {
-     /// https://github.com/rust-lang-nursery/rust-bindgen/issues/586
-     DependsOnTypeParam,
- 
--    /// The type is zero-sized.
--    ///
--    /// This means that if it is a C++ type, and is not being used as a base
--    /// member, then we must add an `_address` byte to enforce the
--    /// unique-address-per-distinct-object-instance rule.
--    ZeroSized,
-+    /// Has some size that is known to be greater than zero. That doesn't mean
-+    /// it has a static size, but it is not zero sized for sure. In other words,
-+    /// it might contain an incomplete array or some other dynamically sized
-+    /// type.
-+    NonZeroSized,
- }
- 
- impl Default for SizednessResult {
-@@ -66,21 +66,6 @@ impl Default for SizednessResult {
-     }
- }
- 
--impl cmp::PartialOrd for SizednessResult {
--    fn partial_cmp(&self, rhs: &Self) -> Option<cmp::Ordering> {
--        use self::SizednessResult::*;
--
--        match (*self, *rhs) {
--            (x, y) if x == y => Some(cmp::Ordering::Equal),
--            (NonZeroSized, _) => Some(cmp::Ordering::Greater),
--            (_, NonZeroSized) => Some(cmp::Ordering::Less),
--            (DependsOnTypeParam, _) => Some(cmp::Ordering::Greater),
--            (_, DependsOnTypeParam) => Some(cmp::Ordering::Less),
--            _ => unreachable!(),
--        }
--    }
--}
--
- impl SizednessResult {
-     /// Take the least upper bound of `self` and `rhs`.
-     pub fn join(self, rhs: Self) -> Self {
-$NetBSD: patch-rust-1.39.0,v 1.1 2019/11/18 12:09:15 ryoon Exp $
-
---- third_party/rust/bindgen/src/ir/derive.rs.orig     2019-10-16 19:30:29.000000000 +0000
-+++ third_party/rust/bindgen/src/ir/derive.rs
-@@ -92,10 +92,10 @@ pub trait CanDeriveOrd {
- ///
- /// Initially we assume that we can derive trait for all types and then
- /// update our understanding as we learn more about each type.
--#[derive(Debug, Copy, Clone, PartialEq, Eq, Ord)]
-+#[derive(Debug, Copy, Clone, PartialEq, Eq, PartialOrd, Ord)]
- pub enum CanDerive {
--    /// No, we cannot.
--    No,
-+    /// Yes, we can derive automatically.
-+    Yes,
- 
-     /// The only thing that stops us from automatically deriving is that
-     /// array with more than maximum number of elements is used.
-@@ -103,8 +103,8 @@ pub enum CanDerive {
-     /// This means we probably can "manually" implement such trait.
-     Manually,
- 
--    /// Yes, we can derive automatically.
--    Yes,
-+    /// No, we cannot.
-+    No,
- }
- 
- impl Default for CanDerive {
-@@ -113,22 +113,6 @@ impl Default for CanDerive {
-     }
- }
- 
--impl cmp::PartialOrd for CanDerive {
--    fn partial_cmp(&self, rhs: &Self) -> Option<cmp::Ordering> {
--        use self::CanDerive::*;
--
--        let ordering = match (*self, *rhs) {
--            (x, y) if x == y => cmp::Ordering::Equal,
--            (No, _) => cmp::Ordering::Greater,
--            (_, No) => cmp::Ordering::Less,
--            (Manually, _) => cmp::Ordering::Greater,
--            (_, Manually) => cmp::Ordering::Less,
--            _ => unreachable!()
--        };
--        Some(ordering)
--    }
--}
--
- impl CanDerive {
-     /// Take the least upper bound of `self` and `rhs`.
-     pub fn join(self, rhs: Self) -> Self {


