guix-commits
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

01/01: gnu: icecat: Add fixes for CVE-2014-{8634,8638,8639,8641}.


From: Mark H. Weaver
Subject: 01/01: gnu: icecat: Add fixes for CVE-2014-{8634,8638,8639,8641}.
Date: Fri, 16 Jan 2015 14:14:50 +0000

mhw pushed a commit to branch master
in repository guix.

commit 2a666e9cfddc5ec25831618bc376ab4ca6692527
Author: Mark H Weaver <address@hidden>
Date:   Fri Jan 16 03:52:05 2015 -0500

    gnu: icecat: Add fixes for CVE-2014-{8634,8638,8639,8641}.
    
    * gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch,
      gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch,
      gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch,
      gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch,
      gnu/packages/patches/icecat-CVE-2014-8639.patch,
      gnu/packages/patches/icecat-CVE-2014-8641.patch,
      gnu/packages/patches/icecat-armhf-xpcom.patch: New files.
    * gnu-system.am (dist_patch_DATA): Add them.
    * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
---
 gnu-system.am                                      |    7 +
 gnu/packages/gnuzilla.scm                          |   11 +-
 .../patches/icecat-CVE-2014-8634-pt1.patch         |  410 ++++++++++++++++++++
 .../patches/icecat-CVE-2014-8634-pt2.patch         |   30 ++
 .../patches/icecat-CVE-2014-8638-pt1.patch         |   27 ++
 .../patches/icecat-CVE-2014-8638-pt2.patch         |  149 +++++++
 gnu/packages/patches/icecat-CVE-2014-8639.patch    |   92 +++++
 gnu/packages/patches/icecat-CVE-2014-8641.patch    |   29 ++
 gnu/packages/patches/icecat-armhf-xpcom.patch      |   25 ++
 9 files changed, 778 insertions(+), 2 deletions(-)

diff --git a/gnu-system.am b/gnu-system.am
index 58baec7..a5f6a83 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -387,6 +387,7 @@ dist_patch_DATA =                                           
\
   gnu/packages/patches/guix-test-networking.patch              \
   gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
   gnu/packages/patches/hop-bigloo-4.0b.patch                   \
+  gnu/packages/patches/icecat-armhf-xpcom.patch                        \
   gnu/packages/patches/icecat-CVE-2014-1587-bug-1042567.patch  \
   gnu/packages/patches/icecat-CVE-2014-1587-bug-1072847.patch  \
   gnu/packages/patches/icecat-CVE-2014-1587-bug-1079729.patch  \
@@ -396,6 +397,12 @@ dist_patch_DATA =                                          
\
   gnu/packages/patches/icecat-CVE-2014-1592.patch              \
   gnu/packages/patches/icecat-CVE-2014-1593.patch              \
   gnu/packages/patches/icecat-CVE-2014-1594.patch              \
+  gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch          \
+  gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch          \
+  gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch          \
+  gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch          \
+  gnu/packages/patches/icecat-CVE-2014-8639.patch              \
+  gnu/packages/patches/icecat-CVE-2014-8641.patch              \
   gnu/packages/patches/irrlicht-mesa-10.patch                  \
   gnu/packages/patches/jbig2dec-ignore-testtest.patch          \
   gnu/packages/patches/kmod-module-directory.patch             \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 8e39746..9c6b39f 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013 Andreas Enge <address@hidden>
 ;;; Copyright © 2013, 2014 Ludovic Courtès <address@hidden>
-;;; Copyright © 2014 Mark H Weaver <address@hidden>
+;;; Copyright © 2014, 2015 Mark H Weaver <address@hidden>
 ;;; Copyright © 2015 Sou Bunnbu <address@hidden>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -231,7 +231,14 @@ standards.")
                       "icecat-CVE-2014-1590.patch"
                       "icecat-CVE-2014-1592.patch"
                       "icecat-CVE-2014-1593.patch"
-                      "icecat-CVE-2014-1594.patch")))))
+                      "icecat-CVE-2014-1594.patch"
+                      "icecat-armhf-xpcom.patch"
+                      "icecat-CVE-2014-8639.patch"
+                      "icecat-CVE-2014-8634-pt1.patch"
+                      "icecat-CVE-2014-8634-pt2.patch"
+                      "icecat-CVE-2014-8641.patch"
+                      "icecat-CVE-2014-8638-pt1.patch"
+                      "icecat-CVE-2014-8638-pt2.patch")))))
     (build-system gnu-build-system)
     (inputs
      `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch 
b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
new file mode 100644
index 0000000..3d2f81e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch
@@ -0,0 +1,410 @@
+From 4f447768a2ff6bf37d462e033c11e20c733129ba Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <address@hidden>
+Date: Tue, 16 Dec 2014 22:52:51 +0100
+Subject: [PATCH] Bug 1109889 - Share more exception handling code. r=nbp,
+ a=abillings
+
+---
+ js/src/jit/Ion.cpp                            | 11 ++++++++++-
+ js/src/jit/IonMacroAssembler.cpp              |  8 ++++----
+ js/src/jit/JitCompartment.h                   |  8 ++++++--
+ js/src/jit/arm/MacroAssembler-arm.cpp         | 11 ++---------
+ js/src/jit/arm/MacroAssembler-arm.h           |  6 ++++--
+ js/src/jit/arm/Trampoline-arm.cpp             |  4 ++--
+ js/src/jit/mips/MacroAssembler-mips.cpp       | 11 ++---------
+ js/src/jit/mips/MacroAssembler-mips.h         |  7 +++++--
+ js/src/jit/mips/Trampoline-mips.cpp           |  4 ++--
+ js/src/jit/shared/MacroAssembler-x86-shared.h |  3 +++
+ js/src/jit/x64/MacroAssembler-x64.cpp         | 11 ++---------
+ js/src/jit/x64/MacroAssembler-x64.h           |  3 +--
+ js/src/jit/x64/Trampoline-x64.cpp             |  4 ++--
+ js/src/jit/x86/MacroAssembler-x86.cpp         | 11 ++---------
+ js/src/jit/x86/MacroAssembler-x86.h           |  3 +--
+ js/src/jit/x86/Trampoline-x86.cpp             |  4 ++--
+ 16 files changed, 50 insertions(+), 59 deletions(-)
+
+diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
+index 9635742..a77f9b4 100644
+--- a/js/src/jit/Ion.cpp
++++ b/js/src/jit/Ion.cpp
+@@ -150,6 +150,7 @@ JitRuntime::JitRuntime()
+   : execAlloc_(nullptr),
+     ionAlloc_(nullptr),
+     exceptionTail_(nullptr),
++    exceptionTailParallel_(nullptr),
+     bailoutTail_(nullptr),
+     enterJIT_(nullptr),
+     bailoutHandler_(nullptr),
+@@ -198,10 +199,18 @@ JitRuntime::initialize(JSContext *cx)
+         return false;
+ 
+     IonSpew(IonSpew_Codegen, "# Emitting exception tail stub");
+-    exceptionTail_ = generateExceptionTailStub(cx);
++
++    void *handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++    void *handlerParallel = JS_FUNC_TO_DATA_PTR(void *, 
jit::HandleParallelFailure);
++
++    exceptionTail_ = generateExceptionTailStub(cx, handler);
+     if (!exceptionTail_)
+         return false;
+ 
++    exceptionTailParallel_ = generateExceptionTailStub(cx, handlerParallel);
++    if (!exceptionTailParallel_)
++        return false;
++
+     IonSpew(IonSpew_Codegen, "# Emitting bailout tail stub");
+     bailoutTail_ = generateBailoutTailStub(cx);
+     if (!bailoutTail_)
+diff --git a/js/src/jit/IonMacroAssembler.cpp 
b/js/src/jit/IonMacroAssembler.cpp
+index 2326fe1..9f7cc8f 100644
+--- a/js/src/jit/IonMacroAssembler.cpp
++++ b/js/src/jit/IonMacroAssembler.cpp
+@@ -1030,18 +1030,18 @@ MacroAssembler::handleFailure(ExecutionMode 
executionMode)
+         sps_->skipNextReenter();
+     leaveSPSFrame();
+ 
+-    void *handler;
++    JitCode *excTail;
+     switch (executionMode) {
+       case SequentialExecution:
+-        handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++        excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+         break;
+       case ParallelExecution:
+-        handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++        excTail = 
GetIonContext()->runtime->jitRuntime()->getExceptionTailParallel();
+         break;
+       default:
+         MOZ_ASSUME_UNREACHABLE("No such execution mode");
+     }
+-    MacroAssemblerSpecific::handleFailureWithHandler(handler);
++    jump(excTail);
+ 
+     // Doesn't actually emit code, but balances the leave()
+     if (sps_)
+diff --git a/js/src/jit/JitCompartment.h b/js/src/jit/JitCompartment.h
+index 486a29d..475a685 100644
+--- a/js/src/jit/JitCompartment.h
++++ b/js/src/jit/JitCompartment.h
+@@ -153,8 +153,9 @@ class JitRuntime
+     // need for explicit interrupt checks.
+     JSC::ExecutableAllocator *ionAlloc_;
+ 
+-    // Shared post-exception-handler tail
++    // Shared exception-handler tail.
+     JitCode *exceptionTail_;
++    JitCode *exceptionTailParallel_;
+ 
+     // Shared post-bailout-handler tail.
+     JitCode *bailoutTail_;
+@@ -214,7 +215,7 @@ class JitRuntime
+     InlineList<PatchableBackedge> backedgeList_;
+ 
+   private:
+-    JitCode *generateExceptionTailStub(JSContext *cx);
++    JitCode *generateExceptionTailStub(JSContext *cx, void *handler);
+     JitCode *generateBailoutTailStub(JSContext *cx);
+     JitCode *generateEnterJIT(JSContext *cx, EnterJitType type);
+     JitCode *generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, 
void **returnAddrOut);
+@@ -287,6 +288,9 @@ class JitRuntime
+     JitCode *getExceptionTail() const {
+         return exceptionTail_;
+     }
++    JitCode *getExceptionTailParallel() const {
++        return exceptionTailParallel_;
++    }
+ 
+     JitCode *getBailoutTail() const {
+         return bailoutTail_;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp 
b/js/src/jit/arm/MacroAssembler-arm.cpp
+index b34483c..63b3ff2 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.cpp
++++ b/js/src/jit/arm/MacroAssembler-arm.cpp
+@@ -3984,25 +3984,18 @@ MacroAssemblerARMCompat::callWithABI(const Address 
&fun, MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerARMCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerARMCompat::handleFailureWithHandlerTail(void *handler)
+ {
+     // Reserve space for exception information.
+     int size = (sizeof(ResumeFromException) + 7) & ~7;
+     ma_sub(Imm32(size), sp);
+     ma_mov(sp, r0);
+ 
+-    // Ask for an exception handler.
++    // Call the handler.
+     setupUnalignedABICall(1, r1);
+     passABIArg(r0);
+     callWithABI(handler);
+ 
+-    JitCode *excTail = 
GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+-    branch(excTail);
+-}
+-
+-void
+-MacroAssemblerARMCompat::handleFailureWithHandlerTail()
+-{
+     Label entryFrame;
+     Label catch_;
+     Label finally;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.h 
b/js/src/jit/arm/MacroAssembler-arm.h
+index 00e8a03..6ccc0be 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.h
++++ b/js/src/jit/arm/MacroAssembler-arm.h
+@@ -711,6 +711,9 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+     void jump(Label *label) {
+         as_b(label);
+     }
++    void jump(JitCode *code) {
++        branch(code);
++    }
+     void jump(Register reg) {
+         ma_bx(reg);
+     }
+@@ -1202,8 +1205,7 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+ 
+     void linkExitFrame();
+     void linkParallelExitFrame(const Register &pt);
+-    void handleFailureWithHandler(void *handler);
+-    void handleFailureWithHandlerTail();
++    void handleFailureWithHandlerTail(void *handler);
+ 
+     /////////////////////////////////////////////////////////////////
+     // Common interface.
+diff --git a/js/src/jit/arm/Trampoline-arm.cpp 
b/js/src/jit/arm/Trampoline-arm.cpp
+index e539c00..693dad8 100644
+--- a/js/src/jit/arm/Trampoline-arm.cpp
++++ b/js/src/jit/arm/Trampoline-arm.cpp
+@@ -928,11 +928,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+     MacroAssembler masm;
+ 
+-    masm.handleFailureWithHandlerTail();
++    masm.handleFailureWithHandlerTail(handler);
+ 
+     Linker linker(masm);
+     AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/mips/MacroAssembler-mips.cpp 
b/js/src/jit/mips/MacroAssembler-mips.cpp
+index cee93a5..256434d 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.cpp
++++ b/js/src/jit/mips/MacroAssembler-mips.cpp
+@@ -3139,25 +3139,18 @@ MacroAssemblerMIPSCompat::callWithABI(const Address 
&fun, MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerMIPSCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerMIPSCompat::handleFailureWithHandlerTail(void *handler)
+ {
+     // Reserve space for exception information.
+     int size = (sizeof(ResumeFromException) + StackAlignment) & 
~(StackAlignment - 1);
+     ma_subu(StackPointer, StackPointer, Imm32(size));
+     ma_move(a0, StackPointer); // Use a0 since it is a first function argument
+ 
+-    // Ask for an exception handler.
++    // Call the handler.
+     setupUnalignedABICall(1, a1);
+     passABIArg(a0);
+     callWithABI(handler);
+ 
+-    JitCode *excTail = 
GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+-    branch(excTail);
+-}
+-
+-void
+-MacroAssemblerMIPSCompat::handleFailureWithHandlerTail()
+-{
+     Label entryFrame;
+     Label catch_;
+     Label finally;
+diff --git a/js/src/jit/mips/MacroAssembler-mips.h 
b/js/src/jit/mips/MacroAssembler-mips.h
+index ed1f566..899a50e 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.h
++++ b/js/src/jit/mips/MacroAssembler-mips.h
+@@ -481,6 +481,10 @@ class MacroAssemblerMIPSCompat : public MacroAssemblerMIPS
+         as_nop();
+     }
+ 
++    void jump(JitCode *code) {
++        branch(code);
++    }
++
+     void neg32(Register reg) {
+         ma_negu(reg, reg);
+     }
+@@ -842,8 +846,7 @@ public:
+ 
+     void linkExitFrame();
+     void linkParallelExitFrame(const Register &pt);
+-    void handleFailureWithHandler(void *handler);
+-    void handleFailureWithHandlerTail();
++    void handleFailureWithHandlerTail(void *handler);
+ 
+     /////////////////////////////////////////////////////////////////
+     // Common interface.
+diff --git a/js/src/jit/mips/Trampoline-mips.cpp 
b/js/src/jit/mips/Trampoline-mips.cpp
+index b456845..64c2385 100644
+--- a/js/src/jit/mips/Trampoline-mips.cpp
++++ b/js/src/jit/mips/Trampoline-mips.cpp
+@@ -960,11 +960,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ 
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+     MacroAssembler masm;
+ 
+-    masm.handleFailureWithHandlerTail();
++    masm.handleFailureWithHandlerTail(handler);
+ 
+     Linker linker(masm);
+     AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/shared/MacroAssembler-x86-shared.h 
b/js/src/jit/shared/MacroAssembler-x86-shared.h
+index 01d1a4b..779cf83 100644
+--- a/js/src/jit/shared/MacroAssembler-x86-shared.h
++++ b/js/src/jit/shared/MacroAssembler-x86-shared.h
+@@ -287,6 +287,9 @@ class MacroAssemblerX86Shared : public Assembler
+     void jump(Label *label) {
+         jmp(label);
+     }
++    void jump(JitCode *code) {
++        jmp(code);
++    }
+     void jump(RepatchLabel *label) {
+         jmp(label);
+     }
+diff --git a/js/src/jit/x64/MacroAssembler-x64.cpp 
b/js/src/jit/x64/MacroAssembler-x64.cpp
+index 9a9f995..0db799c 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.cpp
++++ b/js/src/jit/x64/MacroAssembler-x64.cpp
+@@ -287,24 +287,17 @@ MacroAssemblerX64::callWithABI(Address fun, MoveOp::Type 
result)
+ }
+ 
+ void
+-MacroAssemblerX64::handleFailureWithHandler(void *handler)
++MacroAssemblerX64::handleFailureWithHandlerTail(void *handler)
+ {
+     // Reserve space for exception information.
+     subq(Imm32(sizeof(ResumeFromException)), rsp);
+     movq(rsp, rax);
+ 
+-    // Ask for an exception handler.
++    // Call the handler.
+     setupUnalignedABICall(1, rcx);
+     passABIArg(rax);
+     callWithABI(handler);
+ 
+-    JitCode *excTail = 
GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+-    jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX64::handleFailureWithHandlerTail()
+-{
+     Label entryFrame;
+     Label catch_;
+     Label finally;
+diff --git a/js/src/jit/x64/MacroAssembler-x64.h 
b/js/src/jit/x64/MacroAssembler-x64.h
+index 2c11e9a..5010549 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.h
++++ b/js/src/jit/x64/MacroAssembler-x64.h
+@@ -1288,8 +1288,7 @@ class MacroAssemblerX64 : public MacroAssemblerX86Shared
+     void callWithABI(AsmJSImmPtr imm, MoveOp::Type result = MoveOp::GENERAL);
+     void callWithABI(Address fun, MoveOp::Type result = MoveOp::GENERAL);
+ 
+-    void handleFailureWithHandler(void *handler);
+-    void handleFailureWithHandlerTail();
++    void handleFailureWithHandlerTail(void *handler);
+ 
+     void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+         shlq(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x64/Trampoline-x64.cpp 
b/js/src/jit/x64/Trampoline-x64.cpp
+index 72f4592..3b83850 100644
+--- a/js/src/jit/x64/Trampoline-x64.cpp
++++ b/js/src/jit/x64/Trampoline-x64.cpp
+@@ -785,11 +785,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+     MacroAssembler masm;
+ 
+-    masm.handleFailureWithHandlerTail();
++    masm.handleFailureWithHandlerTail(handler);
+ 
+     Linker linker(masm);
+     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+diff --git a/js/src/jit/x86/MacroAssembler-x86.cpp 
b/js/src/jit/x86/MacroAssembler-x86.cpp
+index d36f4d3..57a0f85 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.cpp
++++ b/js/src/jit/x86/MacroAssembler-x86.cpp
+@@ -281,24 +281,17 @@ MacroAssemblerX86::callWithABI(const Address &fun, 
MoveOp::Type result)
+ }
+ 
+ void
+-MacroAssemblerX86::handleFailureWithHandler(void *handler)
++MacroAssemblerX86::handleFailureWithHandlerTail(void *handler)
+ {
+     // Reserve space for exception information.
+     subl(Imm32(sizeof(ResumeFromException)), esp);
+     movl(esp, eax);
+ 
+-    // Ask for an exception handler.
++    // Call the handler.
+     setupUnalignedABICall(1, ecx);
+     passABIArg(eax);
+     callWithABI(handler);
+ 
+-    JitCode *excTail = 
GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+-    jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX86::handleFailureWithHandlerTail()
+-{
+     Label entryFrame;
+     Label catch_;
+     Label finally;
+diff --git a/js/src/jit/x86/MacroAssembler-x86.h 
b/js/src/jit/x86/MacroAssembler-x86.h
+index 17de7a7..7e578c8 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.h
++++ b/js/src/jit/x86/MacroAssembler-x86.h
+@@ -1086,8 +1086,7 @@ class MacroAssemblerX86 : public MacroAssemblerX86Shared
+     void callWithABI(const Address &fun, MoveOp::Type result = 
MoveOp::GENERAL);
+ 
+     // Used from within an Exit frame to handle a pending exception.
+-    void handleFailureWithHandler(void *handler);
+-    void handleFailureWithHandlerTail();
++    void handleFailureWithHandlerTail(void *handler);
+ 
+     void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+         shll(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x86/Trampoline-x86.cpp 
b/js/src/jit/x86/Trampoline-x86.cpp
+index 0a2f0de..9fd2c00 100644
+--- a/js/src/jit/x86/Trampoline-x86.cpp
++++ b/js/src/jit/x86/Trampoline-x86.cpp
+@@ -827,11 +827,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+ 
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+     MacroAssembler masm;
+ 
+-    masm.handleFailureWithHandlerTail();
++    masm.handleFailureWithHandlerTail(handler);
+ 
+     Linker linker(masm);
+     JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+-- 
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch 
b/gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch
new file mode 100644
index 0000000..d7f68e9
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch
@@ -0,0 +1,30 @@
+From e5de31c8f927b1aa06dde02c356cda33beb463d9 Mon Sep 17 00:00:00 2001
+From: Kyle Huey <address@hidden>
+Date: Fri, 19 Dec 2014 18:16:17 -0800
+Subject: [PATCH] Bug 1111737. r=smaug, a=bkerensa
+
+---
+ content/base/src/nsScriptLoader.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/content/base/src/nsScriptLoader.cpp 
b/content/base/src/nsScriptLoader.cpp
+index a6a4c34..7f3a76e 100644
+--- a/content/base/src/nsScriptLoader.cpp
++++ b/content/base/src/nsScriptLoader.cpp
+@@ -812,7 +812,12 @@ NotifyOffThreadScriptLoadCompletedRunnable::Run()
+ {
+   MOZ_ASSERT(NS_IsMainThread());
+ 
+-  nsresult rv = mLoader->ProcessOffThreadRequest(mRequest, &mToken);
++  // We want these to be dropped on the main thread, once we return from this
++  // function.
++  nsRefPtr<nsScriptLoadRequest> request = mRequest.forget();
++  nsRefPtr<nsScriptLoader> loader = mLoader.forget();
++
++  nsresult rv = loader->ProcessOffThreadRequest(request, &mToken);
+ 
+   if (mToken) {
+     // The result of the off thread parse was not actually needed to process
+-- 
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch 
b/gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch
new file mode 100644
index 0000000..83ee5fc
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch
@@ -0,0 +1,27 @@
+From 0c4a326295bdb37742fe23f0395916d2ba8ade53 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer <address@hidden>
+Date: Wed, 19 Nov 2014 16:03:39 -0800
+Subject: [PATCH 1/2] Bug 1080987 - navigator.sendBeacon() needs to sent origin
+ header. r=sicking, a=bkerensa
+
+---
+ dom/base/Navigator.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 0f03ad3..020e370 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1265,6 +1265,9 @@ Navigator::SendBeacon(const nsAString& aUrl,
+                                                                principal,
+                                                                true);
+ 
++  rv = cors->Init(channel, true);
++  NS_ENSURE_SUCCESS(rv, false);
++
+   // Start a preflight if cross-origin and content type is not whitelisted
+   rv = secMan->CheckSameOriginURI(documentURI, uri, false);
+   bool crossOrigin = NS_FAILED(rv);
+-- 
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch 
b/gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch
new file mode 100644
index 0000000..4e439ef
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch
@@ -0,0 +1,149 @@
+From 0d47e593c685313571aaa00cb7341b458123c82f Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer <address@hidden>
+Date: Wed, 19 Nov 2014 16:03:30 -0800
+Subject: [PATCH 2/2] Bug 1080987 - navigator.sendBeacon() needs to sent origin
+ header - test. r=sicking, a=bkerensa
+
+---
+ .../beacon/beacon-originheader-handler.sjs         | 41 ++++++++++++++
+ dom/tests/mochitest/beacon/mochitest.ini           |  2 +
+ .../mochitest/beacon/test_beaconOriginHeader.html  | 64 ++++++++++++++++++++++
+ 3 files changed, 107 insertions(+)
+ create mode 100644 dom/tests/mochitest/beacon/beacon-originheader-handler.sjs
+ create mode 100644 dom/tests/mochitest/beacon/test_beaconOriginHeader.html
+
+diff --git a/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs 
b/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs
+new file mode 100644
+index 0000000..baed22c
+--- /dev/null
++++ b/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs
+@@ -0,0 +1,41 @@
++/*
++ * TestSever customized specifically for the needs of:
++ * Bug 1080987 - navigator.sendBeacon() needs to sent origin header
++ */
++
++function handleRequest(request, response)
++{
++  response.setHeader("Cache-Control", "no-cache", false);
++  response.setHeader("Content-Type", "text/plain", false);
++
++  // case XHR-REQUEST: the xhr-request tries to query the
++  // stored header from the beacon request.
++  if (request.queryString == "queryheader") {
++    var header = getState("originHeader");
++    // if the beacon already stored the header - return.
++    if (header) {
++      response.write(header);
++      setState("originHeader", "");
++      return;
++    }
++    // otherwise wait for the beacon request
++    response.processAsync();
++    setObjectState("xhr-response", response);
++    return;
++  }
++
++  // case BEACON-REQUEST: get the beacon header and
++  // store the header on the server.
++  var header = request.getHeader("origin");
++  setState("originHeader", header);
++
++  // if there is an xhr-request waiting, return the header now.
++  getObjectState("xhr-response", function(xhrResponse) {
++    if (!xhrResponse) {
++      return;
++    }
++    setState("originHeader", "");
++    xhrResponse.write(header);
++    xhrResponse.finish();
++  });
++}
+diff --git a/dom/tests/mochitest/beacon/mochitest.ini 
b/dom/tests/mochitest/beacon/mochitest.ini
+index f65276e..6681fa4 100644
+--- a/dom/tests/mochitest/beacon/mochitest.ini
++++ b/dom/tests/mochitest/beacon/mochitest.ini
+@@ -2,8 +2,10 @@
+ skip-if = buildapp == 'b2g' || e10s
+ support-files = beacon-frame.html
+                 beacon-handler.sjs
++                beacon-originheader-handler.sjs
+ 
+ [test_beacon.html]
+ [test_beaconFrame.html]
+ [test_beaconPreflight.html]
+ [test_beaconContentPolicy.html]
++[test_beaconOriginHeader.html]
+diff --git a/dom/tests/mochitest/beacon/test_beaconOriginHeader.html 
b/dom/tests/mochitest/beacon/test_beaconOriginHeader.html
+new file mode 100644
+index 0000000..b5684a9
+--- /dev/null
++++ b/dom/tests/mochitest/beacon/test_beaconOriginHeader.html
+@@ -0,0 +1,64 @@
++<!DOCTYPE HTML>
++<html>
++<head>
++  <title>Bug 1080987 - navigator.sendBeacon() needs to sent origin 
header</title>
++  <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
++  <script type="text/javascript" 
src="/tests/SimpleTest/SimpleTest.js"></script>
++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
++</head>
++<body>
++  <p id="display"></p>
++  <div id="content" style="visibility: hidden">
++    <iframe style="width:100%;" id="testframe"></iframe>
++  </div>
++
++<script class="testbody" type="text/javascript">
++
++SimpleTest.waitForExplicitFinish();
++
++const BEACON_URL = 
"http://example.com/tests/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs";;
++const ORIGIN_HEADER = "http://mochi.test:8888";;
++
++/* Description of the test:
++ *   We call sendBeacon() cross origin and make sure that the
++ *   origin header is actually set in the request.
++ *
++ * Since sendBeacon() does not expect any response, we are storing the
++ * header on the server (*.sjs) and use an XMLHttpRequest to actually
++ * retrieve the header back from the server. We assert that the header
++ * is indeed correct. Since sendBeacon() and also the XMLHttpRequest()
++ * are performed in an asynchronous fashion, there is no guarantee that
++ * the sendBeacon() is actually executed before the XMLHttpRequest().
++ * Hence the xhr-response might be processed asynchronously.
++ */
++
++SpecialPowers.pushPrefEnv({'set': [["beacon.enabled", true]]}, runTest);
++
++function queryHeaderFromServer() {
++  var xhr = new XMLHttpRequest();
++  xhr.open("GET", "beacon-originheader-handler.sjs?queryheader", true);
++  xhr.onload = function() {
++    is(xhr.responseText, ORIGIN_HEADER, "SendBeacon sends right origin 
header");
++    SimpleTest.finish();
++  };
++  xhr.onerror = function() {
++    ok(false, "xhr request returned error");
++    SimpleTest.finish();
++  };
++  xhr.send();
++}
++
++function runTest() {
++  // generate data and send beacon
++  var formData = new FormData();
++  formData.append('name', 'value');
++  navigator.sendBeacon(BEACON_URL, formData);
++
++  // start quering the result from the server
++  queryHeaderFromServer();
++}
++
++</script>
++</pre>
++</body>
++</html>
+-- 
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8639.patch 
b/gnu/packages/patches/icecat-CVE-2014-8639.patch
new file mode 100644
index 0000000..2610765
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8639.patch
@@ -0,0 +1,92 @@
+From f80b2eefd451b8ed0fd783d9b9ed0412c8d46efd Mon Sep 17 00:00:00 2001
+From: Patrick McManus <address@hidden>
+Date: Thu, 11 Dec 2014 13:55:16 -0500
+Subject: [PATCH] bug 1095859 - proxy tweak r=valentin.gosu a=bkerensa
+
+---
+ netwerk/protocol/http/nsHttpChannel.cpp |  7 ++++++-
+ netwerk/test/unit/test_auth_proxy.js    | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/netwerk/protocol/http/nsHttpChannel.cpp 
b/netwerk/protocol/http/nsHttpChannel.cpp
+index f20e033..35e71c7 100644
+--- a/netwerk/protocol/http/nsHttpChannel.cpp
++++ b/netwerk/protocol/http/nsHttpChannel.cpp
+@@ -1237,7 +1237,12 @@ nsHttpChannel::ProcessResponse()
+     // notify "http-on-examine-response" observers
+     gHttpHandler->OnExamineResponse(this);
+ 
+-    SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie));
++    // Cookies should not be handled on proxy failure either.
++    // This would be consolidated with ProcessSecurityHeaders but it should
++    // happen after OnExamineResponse.
++    if (!mTransaction->ProxyConnectFailed() && (httpStatus != 407)) {
++        SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie));
++    }
+ 
+     // handle unused username and password in url (see bug 232567)
+     if (httpStatus != 401 && httpStatus != 407) {
+diff --git a/netwerk/test/unit/test_auth_proxy.js 
b/netwerk/test/unit/test_auth_proxy.js
+index 6af4e98..9275d6d 100644
+--- a/netwerk/test/unit/test_auth_proxy.js
++++ b/netwerk/test/unit/test_auth_proxy.js
+@@ -172,6 +172,12 @@ var listener = {
+       // If we expect 200, the request should have succeeded
+       do_check_eq(this.expectedCode == 200, request.requestSucceeded);
+ 
++      var cookie = "";
++      try {
++        cookie = request.getRequestHeader("Cookie");
++      } catch (e) { }
++      do_check_eq(cookie, "");
++
+     } catch (e) {
+       do_throw("Unexpected exception: " + e);
+     }
+@@ -261,6 +267,25 @@ function test_all_ok() {
+   do_test_pending();
+ }
+ 
++function test_proxy_407_cookie() {
++  var chan = makeChan();
++  chan.notificationCallbacks = new Requestor(FLAG_RETURN_FALSE, 0);
++  chan.setRequestHeader("X-Set-407-Cookie", "1", false);
++  listener.expectedCode = 407; // Proxy Unauthorized
++  chan.asyncOpen(listener, null);
++
++  do_test_pending();
++}
++
++function test_proxy_200_cookie() {
++  var chan = makeChan();
++  chan.notificationCallbacks = new Requestor(0, 0);
++  chan.setRequestHeader("X-Set-407-Cookie", "1", false);
++  listener.expectedCode = 200; // OK
++  chan.asyncOpen(listener, null);
++  do_test_pending();
++}
++
+ function test_host_returnfalse() {
+   dump("\ntest: host returnfalse\n");
+   var chan = makeChan();
+@@ -301,6 +326,7 @@ function test_proxy_wrongpw_host_returnfalse() {
+ }
+ 
+ var tests = [test_proxy_returnfalse, test_proxy_wrongpw, test_all_ok,
++        test_proxy_407_cookie, test_proxy_200_cookie,
+         test_host_returnfalse, test_host_wrongpw,
+         test_proxy_wrongpw_host_wrongpw, test_proxy_wrongpw_host_returnfalse];
+ 
+@@ -331,6 +357,9 @@ function proxyAuthHandler(metadata, response) {
+           "Unauthorized by HTTP proxy");
+       response.setHeader("Proxy-Authenticate",
+           'Basic realm="' + realm + '"', false);
++      if (metadata.hasHeader("X-Set-407-Cookie")) {
++          response.setHeader("Set-Cookie", "chewy", false);
++      }
+       body = "failed";
+       response.bodyOutputStream.write(body, body.length);
+     }
+-- 
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-CVE-2014-8641.patch 
b/gnu/packages/patches/icecat-CVE-2014-8641.patch
new file mode 100644
index 0000000..ec42861
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-8641.patch
@@ -0,0 +1,29 @@
+From e36a3dd359ff0ac9c8796d41bedc884218d479e7 Mon Sep 17 00:00:00 2001
+From: Paul Adenot <address@hidden>
+Date: Tue, 16 Dec 2014 18:45:40 +0100
+Subject: [PATCH] Bug 1108455. r=kinetik, a=sledru
+
+---
+ media/libcubeb/src/cubeb_wasapi.cpp | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/media/libcubeb/src/cubeb_wasapi.cpp 
b/media/libcubeb/src/cubeb_wasapi.cpp
+index 135aa86..5387a4f 100644
+--- a/media/libcubeb/src/cubeb_wasapi.cpp
++++ b/media/libcubeb/src/cubeb_wasapi.cpp
+@@ -365,10 +365,8 @@ wasapi_stream_render_loop(LPVOID stream)
+       assert(padding <= stm->buffer_frame_count);
+ 
+       if (stm->draining) {
+-        if (padding == 0) {
+-          stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_DRAINED);
+-          is_playing = false;
+-        }
++        stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_DRAINED);
++        is_playing = false;
+         continue;
+       }
+ 
+-- 
+2.1.2
+
diff --git a/gnu/packages/patches/icecat-armhf-xpcom.patch 
b/gnu/packages/patches/icecat-armhf-xpcom.patch
new file mode 100644
index 0000000..e92c8bb
--- /dev/null
+++ b/gnu/packages/patches/icecat-armhf-xpcom.patch
@@ -0,0 +1,25 @@
+From 06198585dae1e4079b4b52b49827fd5b826030b7 Mon Sep 17 00:00:00 2001
+From: Douglas Crosher <address@hidden>
+Date: Sun, 16 Nov 2014 00:29:23 +1100
+Subject: [PATCH] Bug 1050258 - ARM hard-float XPCOM: correct argument passing.
+ r=mjrosenb, a=bkerensa
+
+---
+ xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp 
b/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
+index 946b7e3..c1c536b 100644
+--- a/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
++++ b/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
+@@ -224,6 +224,7 @@ static inline void copy_dword(uint32_t* &ireg_args,
+     *(uint64_t *)ireg_args = data;
+     ireg_args += 2;
+   } else {
++    ireg_args = end;
+     if ((uint32_t)stack_args & 4) {
+       stack_args++;
+     }
+-- 
+2.1.2
+



reply via email to

[Prev in Thread] Current Thread [Next in Thread]