rpms/firefox/FC-4 firefox-1.0.7-CVE-2005-4134-long-history-dos.patch, NONE, 1.1 firefox-1.0.7-CVE-2006-0292-javascript-unrooted.patch, NONE, 1.1 firefox-1.0.7-CVE-2006-0296-XULDocument.persist.patch, NONE, 1.1 firefox.spec, 1.77, 1.78

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Thu Feb 2 18:53:15 UTC 2006


Author: caillon

Update of /cvs/dist/rpms/firefox/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv31953

Modified Files:
	firefox.spec 
Added Files:
	firefox-1.0.7-CVE-2005-4134-long-history-dos.patch 
	firefox-1.0.7-CVE-2006-0292-javascript-unrooted.patch 
	firefox-1.0.7-CVE-2006-0296-XULDocument.persist.patch 
Log Message:
* Sun Jan 29 2006 Christopher Aillon <caillon at redhat.com> 0:1.0.7-1.2.fc4
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296


firefox-1.0.7-CVE-2005-4134-long-history-dos.patch:
 toolkit/components/history/src/nsGlobalHistory.cpp |   16 +++++++++++++++-
 xpfe/components/history/src/nsGlobalHistory.cpp    |   16 +++++++++++++++-
 2 files changed, 30 insertions(+), 2 deletions(-)

--- NEW FILE firefox-1.0.7-CVE-2005-4134-long-history-dos.patch ---
Index: xpfe/components/history/src/nsGlobalHistory.cpp
===================================================================
RCS file: /cvsroot/mozilla/xpfe/components/history/src/nsGlobalHistory.cpp,v
retrieving revision 1.195.6.3
diff -u -d -p -r1.195.6.3 nsGlobalHistory.cpp
--- xpfe/components/history/src/nsGlobalHistory.cpp	26 Aug 2004 02:03:23 -0000	1.195.6.3
+++ xpfe/components/history/src/nsGlobalHistory.cpp	29 Jan 2006 23:12:59 -0000
@@ -111,6 +111,11 @@ nsIPrefBranch* nsGlobalHistory::gPrefBra
 
 #define FIND_BY_AGEINDAYS_PREFIX "find:datasource=history&match=AgeInDays&method="
 
+// see bug #319004 -- clamp title and URL to generously-large but not too large
+// length
+#define HISTORY_URI_LENGTH_MAX 65536
+#define HISTORY_TITLE_LENGTH_MAX 4096
+
 // sync history every 10 seconds
 #define HISTORY_SYNC_TIMEOUT (10 * PR_MSEC_PER_SEC)
 //#define HISTORY_SYNC_TIMEOUT 3000 // every 3 seconds - testing only!
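Review bot: The two new limits do not say what unit they count, and the call sites in this file apply them to different string types: HISTORY_URI_LENGTH_MAX is compared with the Length() of the narrow spec filled by GetSpec (a byte count, presumably UTF-8), while HISTORY_TITLE_LENGTH_MAX is handed to StringHead on the wide aTitle (UTF-16 code units). A one-line comment on the defines would keep a later reader from "aligning" them, e.g. `// URI limit counts bytes of the narrow spec; title limit counts UTF-16 code units.` It would also help to state that exceeding the URI limit makes the history entry points succeed silently without recording anything, since that is the behaviour the rest of the patch adds.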
@@ -635,6 +640,9 @@ nsGlobalHistory::AddURI(nsIURI *aURI, PR
   rv = aURI->GetSpec(URISpec);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
   PRInt64 now = GetNow();
 
   // For notifying observers, later...
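Review bot: The added early `return NS_OK;` makes AddURI report success while recording nothing, and nothing at the site explains that this is intentional rather than a forgotten error code. A short comment would stop a later "fix" to an error return, e.g. `// Oversized URI (bug 319004): deliberately not recorded; report success so callers carry on as usual.` AddURI begins before this hunk, so I cannot see whether an earlier path already rejects such URIs.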
@@ -1049,7 +1057,7 @@ nsGlobalHistory::SetPageTitle(nsIURI *aU
   nsresult rv;
   NS_ENSURE_ARG_POINTER(aURI);
 
-  const nsAFlatString& titleString = PromiseFlatString(aTitle);
+  nsAutoString titleString(StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX));
 
   // skip about: URIs to avoid reading in the db (about:blank, especially)
   PRBool isAbout;
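Review bot: `StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX)` cuts at a fixed UTF-16 code-unit count, so a title whose units 4095 and 4096 form a surrogate pair is stored ending in a lone high surrogate, which is ill-formed for whatever later reads the title back out of the db. It is cheap to avoid once titleString is built: `if (titleString.Length() == HISTORY_TITLE_LENGTH_MAX && titleString.Last() >= 0xD800 && titleString.Last() <= 0xDBFF) titleString.Truncate(titleString.Length() - 1);`. Note also that replacing the flat-string reference with an nsAutoString now copies up to 4096 units per call, which is presumably acceptable here but worth a word in a comment. SetPageTitle continues past this hunk.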
@@ -1341,6 +1349,9 @@ nsGlobalHistory::HidePage(nsIURI *aURI)
   rv = aURI->GetSpec(URISpec);
   NS_ENSURE_SUCCESS(rv, rv);
   
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
   nsCOMPtr<nsIMdbRow> row;
 
   rv = FindRow(kToken_URLColumn, URISpec.get(), getter_AddRefs(row));
@@ -1374,6 +1385,9 @@ nsGlobalHistory::MarkPageAsTyped(nsIURI 
   nsresult rv = aURI->GetSpec(spec);
   if (NS_FAILED(rv)) return rv;
 
+  if (spec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
   nsCOMPtr<nsIMdbRow> row;
   rv = FindRow(kToken_URLColumn, spec.get(), getter_AddRefs(row));
   if (NS_FAILED(rv)) {
Index: toolkit/components/history/src/nsGlobalHistory.cpp
===================================================================
RCS file: /cvsroot/mozilla/toolkit/components/history/src/nsGlobalHistory.cpp,v
retrieving revision 1.33.2.1.2.10
diff -u -d -p -r1.33.2.1.2.10 nsGlobalHistory.cpp
--- toolkit/components/history/src/nsGlobalHistory.cpp	25 Oct 2004 08:34:37 -0000	1.33.2.1.2.10
+++ toolkit/components/history/src/nsGlobalHistory.cpp	29 Jan 2006 23:12:59 -0000
@@ -113,6 +113,11 @@ nsIPrefBranch* nsGlobalHistory::gPrefBra
 
 #define FIND_BY_AGEINDAYS_PREFIX "find:datasource=history&match=AgeInDays&method="
 
+// see bug #319004 -- clamp title and URL to generously-large but not too large
+// length
+#define HISTORY_URI_LENGTH_MAX 65536
+#define HISTORY_TITLE_LENGTH_MAX 4096
+
 // sync history every 10 seconds
 #define HISTORY_SYNC_TIMEOUT (10 * PR_MSEC_PER_SEC)
 //#define HISTORY_SYNC_TIMEOUT 3000 // every 3 seconds - testing only!
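Review bot: These two limits are now duplicated verbatim between the toolkit and xpfe history implementations with nothing tying the copies together. If the values are meant to stay identical, a shared definition would be better; failing that, a comment in each copy pointing at the other, e.g. `// Keep in sync with xpfe/components/history/src/nsGlobalHistory.cpp`, makes the coupling visible. As in the xpfe copy, the defines also leave their units unstated (bytes of the narrow spec for the URI, UTF-16 code units for the title), which is worth one clause in the comment.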
@@ -663,6 +668,9 @@ nsGlobalHistory::AddPageToDatabase(nsIUR
   rv = aURI->GetSpec(URISpec);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
 #ifdef DEBUG_bsmedberg
   printf("AddURI: %s%s%s",
          URISpec.get(),
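Review bot: The new length check sits above the DEBUG_bsmedberg trace, so an oversized URI that is thrown away leaves no trace even in a debug build, which makes the new rejection path hard to confirm when testing the fix. Either move the check below the printf or add a line under the same #ifdef before the return, e.g. `printf("AddURI: dropping %u-byte URI (limit %d)\n", URISpec.Length(), HISTORY_URI_LENGTH_MAX);`. The bare `return NS_OK;` also deserves a comment saying that success-without-recording is deliberate (bug 319004). AddPageToDatabase starts before this hunk.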
@@ -1083,7 +1091,7 @@ nsGlobalHistory::SetPageTitle(nsIURI *aU
   nsresult rv;
   NS_ENSURE_ARG_POINTER(aURI);
 
-  const nsAFlatString& titleString = PromiseFlatString(aTitle);
+  nsAutoString titleString(StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX));
 
   // skip about: URIs to avoid reading in the db (about:blank, especially)
   PRBool isAbout;
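Review bot: SetPageTitle is the one entry point in this patch that clamps the title but not the URI: AddPageToDatabase, HidePage and MarkPageAsTyped all bail out on a spec longer than HISTORY_URI_LENGTH_MAX, while this function proceeds with the full URI. Whether that matters depends on the part of the function after this hunk: if a lookup miss leads to a row being created, an oversized URI can still enter the db through the title path; if it only fails the lookup, the asymmetry should at least be stated in a comment. The cheap option is the same guard the other entry points use, placed once the spec has been obtained (outside this hunk): `if (URISpec.Length() > HISTORY_URI_LENGTH_MAX) return NS_OK;`.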
@@ -1335,6 +1343,9 @@ nsGlobalHistory::HidePage(nsIURI *aURI)
   rv = aURI->GetSpec(URISpec);
   NS_ENSURE_SUCCESS(rv, rv);
 
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
 #ifdef DEBUG_bsmedberg
   printf("nsGlobalHistory::HidePage: %s\n", URISpec.get());
 #endif
@@ -1372,6 +1383,9 @@ nsGlobalHistory::MarkPageAsTyped(nsIURI 
   nsresult rv = aURI->GetSpec(spec);
   if (NS_FAILED(rv)) return rv;
   
+  if (spec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
   nsCOMPtr<nsIMdbRow> row;
   rv = FindRow(kToken_URLColumn, spec.get(), getter_AddRefs(row));
   if (NS_FAILED(rv)) {

firefox-1.0.7-CVE-2006-0292-javascript-unrooted.patch:
 jsemit.c   |   13 +++++++++++++
 jsinterp.c |   42 ++++++++++++++++++++++++++++++++----------
 2 files changed, 45 insertions(+), 10 deletions(-)

--- NEW FILE firefox-1.0.7-CVE-2006-0292-javascript-unrooted.patch ---
Index: js/src/jsinterp.c
===================================================================
RCS file: /cvsroot/mozilla/js/src/jsinterp.c,v
retrieving revision 3.136.2.1.2.5.2.7
diff -u -d -p -U8 -r3.136.2.1.2.5.2.7 jsinterp.c
--- js/src/jsinterp.c	22 Apr 2005 00:25:15 -0000	3.136.2.1.2.5.2.7
+++ js/src/jsinterp.c	29 Jan 2006 22:31:53 -0000
@@ -2237,16 +2237,17 @@ js_Interpret(JSContext *cx, jsval *resul
                 cond = JSVAL_TO_INT(lval) OP JSVAL_TO_INT(rval);              \
             } else {                                                          \
                 d  = ltmp ? JSVAL_TO_INT(lval) : *rt->jsNaN;                  \
                 d2 = rtmp ? JSVAL_TO_INT(rval) : *rt->jsNaN;                  \
                 cond = COMPARE_DOUBLES(d, OP, d2, JS_FALSE);                  \
             }                                                                 \
         } else {                                                              \
             VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_NUMBER, &lval);               \
+            sp[-2] = lval;                                                    \
             VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_NUMBER, &rval);               \
             if (JSVAL_IS_STRING(lval) && JSVAL_IS_STRING(rval)) {             \
                 str  = JSVAL_TO_STRING(lval);                                 \
                 str2 = JSVAL_TO_STRING(rval);                                 \
                 cond = js_CompareStrings(str, str2) OP 0;                     \
             } else {                                                          \
                 VALUE_TO_NUMBER(cx, lval, d);                                 \
                 VALUE_TO_NUMBER(cx, rval, d2);                                \
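Review bot: In the relational-operator macro only the converted lval is homed (`sp[-2] = lval;`); the converted rval stays in a local after its own VALUE_TO_PRIMITIVE, so a reader has to work out for themselves that nothing between that conversion and the comparison can trigger a GC. If that is the reasoning (js_CompareStrings and VALUE_TO_NUMBER on an already-primitive value presumably do not allocate), it should be written down, e.g. `/* rval need not be homed: no GC point between its conversion and its use */`; if it is not, `sp[-1] = rval;` after the second conversion costs nothing and matches the equality macro below. The macro begins before and ends after this hunk.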
@@ -2278,20 +2279,22 @@ js_Interpret(JSContext *cx, jsval *resul
             }                                                                 \
         } else {                                                              \
             if (JSVAL_IS_NULL(lval) || JSVAL_IS_VOID(lval)) {                 \
                 cond = (JSVAL_IS_NULL(rval) || JSVAL_IS_VOID(rval)) OP 1;     \
             } else if (JSVAL_IS_NULL(rval) || JSVAL_IS_VOID(rval)) {          \
                 cond = 1 OP 0;                                                \
             } else {                                                          \
                 if (ltmp == JSVAL_OBJECT) {                                   \
-                    VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &lval);         \
+                    VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &sp[-2]);       \
+                    lval = sp[-2];                                            \
                     ltmp = JSVAL_TAG(lval);                                   \
                 } else if (rtmp == JSVAL_OBJECT) {                            \
-                    VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &rval);         \
+                    VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &sp[-1]);       \
+                    rval = sp[-1];                                            \
                     rtmp = JSVAL_TAG(rval);                                   \
                 }                                                             \
                 if (ltmp == JSVAL_STRING && rtmp == JSVAL_STRING) {           \
                     str  = JSVAL_TO_STRING(lval);                             \
                     str2 = JSVAL_TO_STRING(rval);                             \
                     cond = js_CompareStrings(str, str2) OP 0;                 \
                 } else {                                                      \
                     VALUE_TO_NUMBER(cx, lval, d);                             \
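Review bot: The "convert into the stack slot, then reload the local" pair now appears at several sites in this file (twice here, twice in JSOP_ADD), and each site must remember both halves for the rooting to work. A small macro would make a missed reload impossible and give the technique a name, e.g. `#define VALUE_TO_PRIMITIVE_HOMED(cx, v, hint, slot) \` / `    JS_BEGIN_MACRO VALUE_TO_PRIMITIVE(cx, v, hint, &(slot)); v = (slot); JS_END_MACRO`. It is also the natural place for the comment this hunk lacks: the operand is converted straight into its own stack slot so the result stays GC-rooted while the other operand is converted. The surrounding macro starts before and ends after this hunk.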
@@ -2424,26 +2427,28 @@ js_Interpret(JSContext *cx, jsval *resul
 
 #undef INTEGER_OP
 #undef BITWISE_OP
 #undef SIGNED_SHIFT_OP
 
           case JSOP_ADD:
             rval = FETCH_OPND(-1);
             lval = FETCH_OPND(-2);
-            VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &ltmp);
-            VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &rtmp);
-            if ((cond = JSVAL_IS_STRING(ltmp)) || JSVAL_IS_STRING(rtmp)) {
+            VALUE_TO_PRIMITIVE(cx, lval, JSTYPE_VOID, &sp[-2]);
+            lval = sp[-2];
+            VALUE_TO_PRIMITIVE(cx, rval, JSTYPE_VOID, &sp[-1]);
+            rval = sp[-1];
+            if ((cond = JSVAL_IS_STRING(lval)) || JSVAL_IS_STRING(rval)) {
                 SAVE_SP(fp);
                 if (cond) {
-                    str = JSVAL_TO_STRING(ltmp);
-                    ok = (str2 = js_ValueToString(cx, rtmp)) != NULL;
+                    str = JSVAL_TO_STRING(lval);
+                    ok = (str2 = js_ValueToString(cx, rval)) != NULL;
                 } else {
-                    str2 = JSVAL_TO_STRING(rtmp);
-                    ok = (str = js_ValueToString(cx, ltmp)) != NULL;
+                    str2 = JSVAL_TO_STRING(rval);
+                    ok = (str = js_ValueToString(cx, lval)) != NULL;
                 }
                 if (!ok)
                     goto out;
                 str = js_ConcatStrings(cx, str, str2);
                 if (!str) {
                     ok = JS_FALSE;
                     goto out;
                 }
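Review bot: The homing added for the primitives does not extend to the strings made from them: in the `cond` branch `str2 = js_ValueToString(cx, rval)` is a fresh JSString held only in a local when `js_ConcatStrings(cx, str, str2)` allocates the result, and in the other branch the same holds for `str`. If js_ConcatStrings can trigger a GC (it allocates a new string, so a last-ditch collection seems possible), that is the same class of hazard this patch is fixing. Storing the converted string back into its operand slot before concatenating closes it: move `if (!ok) goto out;` into each branch and follow it with `sp[-1] = STRING_TO_JSVAL(str2);` in the `cond` branch and `sp[-2] = STRING_TO_JSVAL(str);` in the other. JSOP_ADD continues past this hunk.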
@@ -2736,39 +2741,56 @@ js_Interpret(JSContext *cx, jsval *resul
                     (cs->format & JOF_INC) ? (rval += 2) : (rval -= 2);
                     rtmp = rval;
                 }
             } else {
 
 /*
  * Initially, rval contains the value to increment or decrement, which is not
  * yet converted.  As above, the expression result goes in rtmp, the updated
- * value goes in rval.
+ * value goes in rval.  Our caller must set vp to point at a GC-rooted jsval
+ * in which we home rtmp, to protect it from GC in case the unconverted rval
+ * is not a number.
  */
 #define NONINT_INCREMENT_OP()                                                 \
     JS_BEGIN_MACRO                                                            \
         VALUE_TO_NUMBER(cx, rval, d);                                         \
         if (cs->format & JOF_POST) {                                          \
             rtmp = rval;                                                      \
             if (!JSVAL_IS_NUMBER(rtmp)) {                                     \
                 ok = js_NewNumberValue(cx, d, &rtmp);                         \
                 if (!ok)                                                      \
                     goto out;                                                 \
+                *vp = rtmp;                                                   \
             }                                                                 \
             (cs->format & JOF_INC) ? d++ : d--;                               \
             ok = js_NewNumberValue(cx, d, &rval);                             \
         } else {                                                              \
             (cs->format & JOF_INC) ? ++d : --d;                               \
             ok = js_NewNumberValue(cx, d, &rval);                             \
             rtmp = rval;                                                      \
         }                                                                     \
         if (!ok)                                                              \
             goto out;                                                         \
     JS_END_MACRO
 
+                if (cs->format & JOF_POST) {
+                    /*
+                     * We must push early to protect the postfix increment
+                     * or decrement result, if converted to a jsdouble from
+                     * a non-number value, from GC nesting in the setter.
+                     */
+                    vp = sp++;
+                    SAVE_SP(fp);
+                    --i;
+                }
+#ifdef __GNUC__
+                else vp = NULL; /* suppress bogus gcc warnings */
+#endif
+
                 NONINT_INCREMENT_OP();
             }
 
             fp->flags |= JSFRAME_ASSIGNING;
             CACHED_SET(OBJ_SET_PROPERTY(cx, obj, id, &rval));
             fp->flags &= ~JSFRAME_ASSIGNING;
             if (!ok)
                 goto out;
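Review bot: `vp = sp++;` reserves the extra slot without writing it, so between that push and the `*vp = rtmp` inside NONINT_INCREMENT_OP the slot holds whatever was last there, and after the following SAVE_SP it lies below the sp that a GC nested in VALUE_TO_NUMBER's conversion (presumably a valueOf call) will scan. A stale jsval there is at best a leaked reference and at worst a pointer into already-collected storage, so the slot should be initialised as it is reserved: `*vp = JSVAL_VOID;` immediately after `vp = sp++;`. The `--i` also deserves one word on what it corrects (presumably the operand count popped at the end of the case, which is outside this hunk), and the `#ifdef __GNUC__` dance goes away if vp is simply assigned NULL at its declaration. The enclosing increment/decrement case begins before and ends after this hunk.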
Index: js/src/jsemit.c
===================================================================
RCS file: /cvsroot/mozilla/js/src/jsemit.c,v
retrieving revision 3.96.6.4.2.1
diff -u -d -p -U8 -r3.96.6.4.2.1 jsemit.c
--- js/src/jsemit.c	9 Jul 2005 01:48:08 -0000	3.96.6.4.2.1
+++ js/src/jsemit.c	29 Jan 2006 22:31:53 -0000
@@ -3935,16 +3935,29 @@ js_EmitTree(JSContext *cx, JSCodeGenerat
             }
             if (js_Emit1(cx, cg, op) < 0)
                 return JS_FALSE;
             break;
 #endif
           default:
             JS_ASSERT(0);
         }
+
+        /*
+         * Allocate another stack slot for GC protection in case the initial
+         * value being post-incremented or -decremented is not a number, but
+         * converts to a jsdouble.  In the TOK_NAME cases, op has 0 operand
+         * uses and 1 definition, so we don't need an extra stack slot -- we
+         * can use the one allocated for the def.
+         */
+        if (pn2->pn_type != TOK_NAME &&
+            (js_CodeSpec[op].format & JOF_POST) &&
+            (uintN)cg->stackDepth == cg->maxStackDepth) {
+            ++cg->maxStackDepth;
+        }
         break;
 
       case TOK_DELETE:
         /*
          * Under ECMA 3, deleting a non-reference returns true -- but alas we
          * must evaluate the operand if it appears it might have side effects.
          */
         pn2 = pn->pn_kid;
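Review bot: The maxStackDepth bump here must agree exactly with the early `vp = sp++` push on the interpreter side, and neither site names the other, so a later change to one will silently desynchronise them. I would extend the comment with a pointer, e.g. `* Keep in sync with the JOF_POST early push before NONINT_INCREMENT_OP in jsinterp.c.`, and reference this spot from the interpreter comment in turn. The `(uintN)` cast on cg->stackDepth suggests the two fields differ in signedness; if stackDepth can be negative at this point the comparison misbehaves, which a `JS_ASSERT(cg->stackDepth >= 0)` would document unless one is already implied above this hunk. The enclosing case starts before this hunk.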

firefox-1.0.7-CVE-2006-0296-XULDocument.persist.patch:
 nsXULDocument.cpp |   17 +++++++++++++++++
 1 files changed, 17 insertions(+)

--- NEW FILE firefox-1.0.7-CVE-2006-0296-XULDocument.persist.patch ---
Index: content/xul/document/src/nsXULDocument.cpp
===================================================================
RCS file: /cvsroot/mozilla/content/xul/document/src/nsXULDocument.cpp,v
retrieving revision 1.611.2.1.14.2
diff -u -d -p -U8 -r1.611.2.1.14.2 nsXULDocument.cpp
--- content/xul/document/src/nsXULDocument.cpp	22 Jun 2005 01:52:31 -0000	1.611.2.1.14.2
+++ content/xul/document/src/nsXULDocument.cpp	29 Jan 2006 20:52:50 -0000
@@ -112,16 +112,17 @@
 #include "nsIObjectOutputStream.h"
 #include "nsIFocusController.h"
 #include "nsContentList.h"
 #include "nsIScriptGlobalObject.h"
 #include "nsIScriptGlobalObjectOwner.h"
 #include "nsIScriptSecurityManager.h"
 #include "nsContentUtils.h"
 #include "nsIParser.h"
+#include "nsIParserService.h"
 #include "nsICSSStyleSheet.h"
 
 //----------------------------------------------------------------------
 //
 // CIDs
 //
 
 static NS_DEFINE_CID(kHTMLElementFactoryCID,     NS_HTML_ELEMENT_FACTORY_CID);
@@ -1485,16 +1486,32 @@ nsXULDocument::Persist(const nsAString& 
     PRInt32 nameSpaceID;
 
     nsCOMPtr<nsINodeInfo> ni = element->GetExistingAttrNameFromQName(aAttr);
     if (ni) {
         tag = ni->NameAtom();
         nameSpaceID = ni->NamespaceID();
     }
     else {
+        // Make sure that this QName is going to be valid.
+        nsIParserService *parserService = nsContentUtils::GetParserServiceWeakRef();
+        NS_ASSERTION(parserService, "Running scripts during shutdown?");
+
+        const PRUnichar *colon;
+        rv = parserService->CheckQName(PromiseFlatString(aAttr), PR_TRUE, &colon);
+        if (NS_FAILED(rv)) {
+            // There was an invalid character or it was malformed.
+            return NS_ERROR_INVALID_ARG;
+        }
+
+        if (colon) {
+            // We don't really handle namespace qualifiers in attribute names.
+            return NS_ERROR_NOT_IMPLEMENTED;
+        }
+
         tag = do_GetAtom(aAttr);
         NS_ENSURE_TRUE(tag, NS_ERROR_OUT_OF_MEMORY);
 
         nameSpaceID = kNameSpaceID_None;
     }
 
     rv = Persist(element, nameSpaceID, tag);
     if (NS_FAILED(rv)) return rv;
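Review bot: `parserService` is checked only with NS_ASSERTION, which is compiled out of release builds, so the very next line `parserService->CheckQName(...)` dereferences a null pointer if the service is unavailable, a case the assertion text itself anticipates. Since this is a script-reachable path that now exists to reject malformed input, it should fail closed: `if (!parserService) return NS_ERROR_UNEXPECTED;` after the assertion. The bare `PR_TRUE` argument is also opaque at the call site and would read better with its meaning named in a comment (`/* namespace-aware */`, if that is what the parameter controls), and a one-liner on why an existing attribute name skips the check (it was validated when it was set) completes the picture. Persist begins before and ends after this hunk.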


Index: firefox.spec
===================================================================
RCS file: /cvs/dist/rpms/firefox/FC-4/firefox.spec,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -r1.77 -r1.78
--- firefox.spec	22 Sep 2005 19:20:49 -0000	1.77
+++ firefox.spec	2 Feb 2006 18:53:12 -0000	1.78
@@ -6,11 +6,12 @@
 %define indexhtml file:///usr/share/doc/HTML/index.html
 
 ExclusiveArch: i386 x86_64 ia64 ppc s390 s390x
+#ExclusiveArch: i386
 
 Summary:        Mozilla Firefox Web browser.
 Name:           firefox
 Version:        1.0.7
-Release:        1.1.fc4
+Release:        1.2.fc4
 Epoch:          0
 URL:            http://www.mozilla.org/projects/firefox/
 License:        MPL/LGPL
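Review bot: The added `#ExclusiveArch: i386` directly under the real ExclusiveArch looks like a local test-build leftover rather than part of the CVE fix; a commented-out directive in a spec is easy to uncomment by accident and says nothing about why it is there. Drop it, or if it is meant as a reminder make it say so, e.g. `# For quick local test builds, temporarily restrict to: ExclusiveArch: i386`. The release bump itself is fine.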
@@ -74,6 +75,10 @@
 Patch106:       firefox-1.0-candidate-window.patch
 Patch107:       firefox-1.0-imgloader-comarray.patch
 
+Patch110:       firefox-1.0.7-CVE-2006-0296-XULDocument.persist.patch
+Patch111:       firefox-1.0.7-CVE-2006-0292-javascript-unrooted.patch
+Patch112:       firefox-1.0.7-CVE-2005-4134-long-history-dos.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  libpng-devel, libjpeg-devel
 BuildRequires:  zlib-devel, zip
@@ -148,6 +153,9 @@
 %patch106 -p1
 %patch107 -p0
 
+%patch110 -p0
+%patch111 -p0
+%patch112 -p0
 
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@@ -326,6 +334,9 @@
 #---------------------------------------------------------------------
 
 %changelog
+* Sun Jan 29 2006 Christopher Aillon <caillon at redhat.com> 0:1.0.7-1.2.fc4
+- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296
+
 * Thu Sep 22 2005 Christopher Aillon <caillon at redhat.com> 0:1.0.7-1.1.fc4
 - Update to 1.0.7, containing fixes for:
   CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704



