fix CVE-2020-15675,CVE-2021-23972,CVE-2021-23954

2024-07-12 17:55:51 +08:00 · 2024-07-12 17:55:51 +08:00 · 5b04c98ae4
commit 5b04c98ae4
parent fe6ddd35d2
4 changed files with 242 additions and 2 deletions
--- a/CVE-2020-15675.patch
+++ b/CVE-2020-15675.patch
@ -0,0 +1,52 @@
+From 9a2c51887bff5742c072bf4f3c3794b349f51545 Mon Sep 17 00:00:00 2001
+From: Jeff Gilbert <jgilbert@mozilla.com>
+Date: Fri, 12 Jul 2024 10:27:35 +0800
+Subject: [PATCH] Bug 1654211 - Hold WeakPtr to PresistentBufferProvider in BorrowedSourceSurface. r=gfx-reviewers,nical
+
+Reference:https://hg.mozilla.org/mozilla-central/rev/0ec8df5bd92b
+
+---
+ gfx/layers/CanvasRenderer.h           | 2 +-
+ gfx/layers/PersistentBufferProvider.h | 6 +++++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/gfx/layers/CanvasRenderer.h b/gfx/layers/CanvasRenderer.h
+index 7e03e295b0..ca3ae088cc 100644
+--- a/gfx/layers/CanvasRenderer.h
+++ b/gfx/layers/CanvasRenderer.h
+@@ -95,7 +95,7 @@ struct CanvasRendererData final {
+ 
+ class BorrowedSourceSurface final {
+  public:
+-  PersistentBufferProvider* const mReturnTo;
+  const WeakPtr<PersistentBufferProvider> mReturnTo;
+   const RefPtr<gfx::SourceSurface> mSurf;  /// non-null
+ 
+   BorrowedSourceSurface(PersistentBufferProvider*, RefPtr<gfx::SourceSurface>);
+diff --git a/gfx/layers/PersistentBufferProvider.h b/gfx/layers/PersistentBufferProvider.h
+index f0d8aeccb9..85cfee8805 100644
+--- a/gfx/layers/PersistentBufferProvider.h
+++ b/gfx/layers/PersistentBufferProvider.h
+@@ -14,6 +14,8 @@
+ #include "mozilla/RefCounted.h"
+ #include "mozilla/gfx/Types.h"
+ #include "mozilla/Vector.h"
+#include "mozilla/WeakPtr.h"
+
+ 
+ namespace mozilla {
+ 
+@@ -34,7 +36,9 @@ class TextureClient;
+  * from the provider again, the provider will guarantee the contents of the
+  * previously returned DrawTarget is persisted into the one newly returned.
+  */
+-class PersistentBufferProvider : public RefCounted<PersistentBufferProvider> {
+class PersistentBufferProvider : public RefCounted<PersistentBufferProvider>,
+                                 public SupportsWeakPtr<PersistentBufferProvider> {
+
+  public:
+   MOZ_DECLARE_REFCOUNTED_VIRTUAL_TYPENAME(PersistentBufferProvider)
+ 
+-- 
+2.27.0
+
--- a/CVE-2021-23954.patch
+++ b/CVE-2021-23954.patch
@ -0,0 +1,26 @@
+From e8a9a73762cb5f9cd823282ec915b437df9ae99a Mon Sep 17 00:00:00 2001
+From: André Bargull <andre.bargull@gmail.com>
+Date: Fri, 12 Jul 2024 17:47:10 +0800
+Subject: [PATCH] Add TDZCheckCache. r=yulia, a=RyanVM
+
+Reference:https://hg.mozilla.org/integration/autoland/rev/fb3c410ea9732eaa74444b7f0b13cdef31f7b582
+---
+ js/src/frontend/BytecodeEmitter.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/js/src/frontend/BytecodeEmitter.cpp b/js/src/frontend/BytecodeEmitter.cpp
+index 422977f..2573b60 100644
+--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
+@@ -4310,6 +4310,8 @@ bool BytecodeEmitter::emitAssignmentOrInit(ParseNodeKind kind, ParseNode* lhs,
+ }
+ 
+ bool BytecodeEmitter::emitShortCircuitAssignment(AssignmentNode* node) {
+  TDZCheckCache tdzCache(this);
+
+   JSOp op;
+   switch (node->getKind()) {
+     case ParseNodeKind::CoalesceAssignExpr:
+-- 
+2.27.0
+
--- a/CVE-2021-23972.patch
+++ b/CVE-2021-23972.patch
@ -0,0 +1,154 @@
+From d52e9042bcec41a40b97b309b65aa32dc27379b2 Mon Sep 17 00:00:00 2001
+From: Kershaw Chang <kershaw@mozilla.com>
+Date: Fri, 12 Jul 2024 16:46:48 +0800
+Subject: [PATCH] Show auth spoofing warning prompt for cached response r=necko-reviewers,dragana
+
+Reference:https://hg.mozilla.org/integration/autoland/rev/3d26a1f3b809522af0152918341a4b5ff924e4bb
+
+---
+ netwerk/protocol/http/nsHttpChannel.cpp   |  11 +++
+ netwerk/test/unit/test_SuperfluousAuth.js | 100 ++++++++++++++++++++++
+ netwerk/test/unit/xpcshell.ini            |   1 +
+ 3 files changed, 112 insertions(+)
+ create mode 100644 netwerk/test/unit/test_SuperfluousAuth.js
+
+diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
+index 2cb1f8d9fd..181c3ac785 100644
+--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
+@@ -7365,6 +7365,17 @@ nsresult nsHttpChannel::ContinueOnStartRequest4(nsresult result) {
+ 
+   if (mFallingBack) return NS_OK;
+ 
+  if (NS_SUCCEEDED(mStatus) && mResponseHead && mAuthProvider) {
+    uint32_t httpStatus = mResponseHead->Status();
+    if (httpStatus != 401 && httpStatus != 407) {
+      nsresult rv = mAuthProvider->CheckForSuperfluousAuth();
+      if (NS_FAILED(rv)) {
+        LOG(("  CheckForSuperfluousAuth failed (%08x)",
+             static_cast<uint32_t>(rv)));
+      }
+    }
+  }
+
+   return CallOnStartRequest();
+ }
+ 
+diff --git a/netwerk/test/unit/test_SuperfluousAuth.js b/netwerk/test/unit/test_SuperfluousAuth.js
+new file mode 100644
+index 0000000000..24b69186c8
+--- /dev/null
+++ b/netwerk/test/unit/test_SuperfluousAuth.js
+@@ -0,0 +1,100 @@
+/*
+
+Create two http requests with the same URL in which has a user name. We allow
+first http request to be loaded and saved in the cache, so the second request
+will be served from the cache. However, we disallow loading by returning 1
+in the prompt service. In the end, the second request will be failed.
+
+*/
+
+"use strict";
+
+const { HttpServer } = ChromeUtils.import("resource://testing-common/httpd.js");
+
+const { MockRegistrar } = ChromeUtils.import(
+  "resource://testing-common/MockRegistrar.jsm"
+);
+
+var httpProtocolHandler = Cc[
+  "@mozilla.org/network/protocol;1?name=http"
+].getService(Ci.nsIHttpProtocolHandler);
+
+XPCOMUtils.defineLazyGetter(this, "URL", function() {
+  return "http://foo@localhost:" + httpServer.identity.primaryPort;
+});
+
+var httpServer = null;
+
+const gMockPromptService = {
+  firstTimeCalled: false,
+  confirmExBC() {
+    if (!this.firstTimeCalled) {
+      this.firstTimeCalled = true;
+      return 0;
+    }
+
+    return 1;
+  },
+
+  QueryInterface: ChromeUtils.generateQI(["nsIPromptService"]),
+};
+
+var gMockPromptServiceCID = MockRegistrar.register(
+  "@mozilla.org/embedcomp/prompt-service;1",
+  gMockPromptService
+);
+
+registerCleanupFunction(() => {
+  MockRegistrar.unregister(gMockPromptServiceCID);
+});
+
+function makeChan(uri) {
+  let chan = NetUtil.newChannel({
+    uri,
+    loadUsingSystemPrincipal: true,
+  }).QueryInterface(Ci.nsIHttpChannel);
+  chan.loadFlags = Ci.nsIChannel.LOAD_INITIAL_DOCUMENT_URI;
+  return chan;
+}
+
+const responseBody = "body";
+
+function contentHandler(metadata, response) {
+  response.setHeader("Content-Type", "text/plain");
+  response.setHeader("ETag", "Just testing");
+  response.setHeader("Cache-Control", "max-age=99999");
+  response.setHeader("Content-Length", "" + responseBody.length);
+  response.bodyOutputStream.write(responseBody, responseBody.length);
+}
+
+function run_test() {
+  do_get_profile();
+
+  Services.prefs.setBoolPref("network.http.rcwn.enabled", false);
+
+  httpServer = new HttpServer();
+  httpServer.registerPathHandler("/content", contentHandler);
+  httpServer.start(-1);
+
+  httpProtocolHandler.EnsureHSTSDataReady().then(function() {
+    var chan1 = makeChan(URL + "/content");
+    chan1.asyncOpen(new ChannelListener(firstTimeThrough, null));
+    var chan2 = makeChan(URL + "/content");
+    chan2.asyncOpen(
+      new ChannelListener(secondTimeThrough, null, CL_EXPECT_FAILURE)
+    );
+  });
+
+  do_test_pending();
+}
+
+function firstTimeThrough(request, buffer) {
+  Assert.equal(buffer, responseBody);
+  Assert.ok(gMockPromptService.firstTimeCalled, "Prompt service invoked");
+}
+
+function secondTimeThrough(request, buffer) {
+  Assert.equal(request.status, Cr.NS_ERROR_ABORT);
+  httpServer.stop(do_test_finished);
+}
+
+diff --git a/netwerk/test/unit/xpcshell.ini b/netwerk/test/unit/xpcshell.ini
+index 1cd274b004..3e6762f0dc 100644
+--- a/netwerk/test/unit/xpcshell.ini
+++ b/netwerk/test/unit/xpcshell.ini
+@@ -434,3 +434,4 @@ skip-if = true || asan || tsan || os == 'win' || os =='android'
+ [test_trr_case_sensitivity.js]
+ skip-if = os == "android"
+ [test_trr_proxy.js]
+[test_SuperfluousAuth.js]
+-- 
+2.27.0
+
--- a/firefox.spec
+++ b/firefox.spec
@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             25
+Release:             26
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -204,7 +204,9 @@ Patch660:            CVE-2022-34481.patch
 Patch661:            CVE-2020-26979.patch
 Patch662:            CVE-2023-6209.patch
 Patch663:            CVE-2022-45406.patch
-
+Patch664:            CVE-2020-15675.patch
+Patch665:            CVE-2021-23972.patch
+Patch666:            CVE-2021-23954.patch
 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
 BuildRequires:       nss-static >= %{nss_version}
@ -402,6 +404,9 @@ tar -xf %{SOURCE3}
 %patch661 -p1
 %patch662 -p1
 %patch663 -p1
+%patch664 -p1
+%patch665 -p1
+%patch666 -p1

 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@ -850,6 +855,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif

 %changelog
+* Fri Jul 12 2024 technology208 <technology@208suo.com> - 79.0-26
+- Fix CVE-2020-15675,CVE-2021-23972,CVE-2021-23954
+
 * Thu Jul 11 2024 technology208 <technology@208suo.com> - 79.0-25
 - Fix CVE-2022-45406