CVS commit: pkgsrc/www/firefox128

["David H. Gutteridge" <gutteridge%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   gutteridge
Date:           Wed May 28 00:20:37 UTC 2025

Modified Files:
        pkgsrc/www/firefox128: Makefile distinfo

Log Message:
firefox128: update to 128.11.0

Mozilla Foundation Security Advisory 2025-44
Security Vulnerabilities fixed in Firefox ESR 128.11

Announced
    May 27, 2025
Impact
    critical
Products
    Firefox ESR
Fixed in

        Firefox ESR 128.11

#MFSA-TMP-2025-0001: Double-free in libvpx encoder

Reporter
    Randell Jesup
Impact
    critical

Description

A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially 
exploitable crash.
References

    Bug 1962421

#CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content

Reporter
    terjanq
Impact
    moderate

Description

Error handling for script execution was incorrectly isolated from web content, which could have allowed cross-origin leak attacks.
References

    Bug 1960745

#CVE-2025-5264: Potential local code execution in “Copy as cURL” command

Reporter
    Ameen Basha M K
Impact
    moderate

Description

Due to insufficient escaping of the newline character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the user's 
system.
References

    Bug 1950001

#CVE-2025-5265: Potential local code execution in “Copy as cURL” command

Reporter
    Ameen Basha M K
Impact
    moderate

Description

Due to insufficient escaping of the ampersand character in the “Copy as cURL” feature, an attacker could trick a user into using this command, potentially leading to local code execution on the 
user's system.
This bug only affects Firefox for Windows. Other versions of Firefox are unaffected.
References

    Bug 1962301

#CVE-2025-5266: Script element events leaked cross-origin resource status

Reporter
    Jakub Szymsza
Impact
    moderate

Description

Script elements loading cross-origin resources generated load and error events which leaked information enabling XS-Leaks attacks.
References

    Bug 1965628

#CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details

Reporter
    Ameen Basha M K
Impact
    low

Description

A clickjacking vulnerability could have been used to trick a user into leaking saved payment card details to a malicious page.
References

    Bug 1954137

#CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11

Reporter
    the Mozilla Fuzzing Team, Masayuki Nakano
Impact
    moderate

Description

Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort 
some of these could have been exploited to run arbitrary code.
References

    Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11

#CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11

Reporter
    Randell Jesup
Impact
    moderate

Description

Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run 
arbitrary code.
References

    Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/www/firefox128/Makefile
cvs rdiff -u -r1.15 -r1.16 pkgsrc/www/firefox128/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/firefox128/Makefile
diff -u pkgsrc/www/firefox128/Makefile:1.25 pkgsrc/www/firefox128/Makefile:1.26
--- pkgsrc/www/firefox128/Makefile:1.25 Wed May 21 21:10:16 2025
+++ pkgsrc/www/firefox128/Makefile      Wed May 28 00:20:37 2025
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.25 2025/05/21 21:10:16 gutteridge Exp $
+# $NetBSD: Makefile,v 1.26 2025/05/28 00:20:37 gutteridge Exp $
 
 FIREFOX_VER=           ${MOZ_BRANCH}${MOZ_BRANCH_MINOR}
-MOZ_BRANCH=            128.10
-MOZ_BRANCH_MINOR=      .1esr
+MOZ_BRANCH=            128.11
+MOZ_BRANCH_MINOR=      .0esr
 
 DISTNAME=      firefox-${FIREFOX_VER}.source
 PKGNAME=       ${DISTNAME:S/.source//:S/b/beta/:S/esr//:S/firefox-/firefox128-/}

Index: pkgsrc/www/firefox128/distinfo
diff -u pkgsrc/www/firefox128/distinfo:1.15 pkgsrc/www/firefox128/distinfo:1.16
--- pkgsrc/www/firefox128/distinfo:1.15 Wed May 21 21:10:16 2025
+++ pkgsrc/www/firefox128/distinfo      Wed May 28 00:20:37 2025
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.15 2025/05/21 21:10:16 gutteridge Exp $
+$NetBSD: distinfo,v 1.16 2025/05/28 00:20:37 gutteridge Exp $
 
-BLAKE2s (firefox-128.10.1esr.source.tar.xz) = 4b2841f1f58fa688d6ed441e69e10e629464bdc23726fc9265a730d4768c613d
-SHA512 (firefox-128.10.1esr.source.tar.xz) = 6e7363d8cbecda1cedaf534ac10dc046b5f515399ec754492357e8a558c61ee3389f7bb90aa929dbcb4d6eba041ae1e778a0a8f90aa1e1f939eea517333b6c45
-Size (firefox-128.10.1esr.source.tar.xz) = 568752664 bytes
+BLAKE2s (firefox-128.11.0esr.source.tar.xz) = 5f504cf8d9f9ac882b1a5cb86073177dcf62803c62de59da9f053b3bf3ff5746
+SHA512 (firefox-128.11.0esr.source.tar.xz) = 80af64c1dce6d7a25111480567a3251cc2d1edce00acc4d85bbaa44590f5bbf4c0716f9490c3ab8ef1e6fc2bbabb2379029c2dee51ce477933c7a5935092d279
+Size (firefox-128.11.0esr.source.tar.xz) = 558920388 bytes
 BLAKE2s (nodejs-output-128.0.tgz) = a55b907ebe308948b99b9150d2530204c8fe2a5fda5ac371dd1163a6db43bcbc
 SHA512 (nodejs-output-128.0.tgz) = fba59ec14c43556749cac7a9233278e8dcd7779d5ba530ede67009bf1887c5d72dd31e3f440164b646738b465d852b882522caf7ed9aa4f81f53e588bdd3adec
 Size (nodejs-output-128.0.tgz) = 227482 bytes