aboutsummaryrefslogtreecommitdiffstats
path: root/www/mozilla-devel
diff options
context:
space:
mode:
authormarcus <marcus@FreeBSD.org>2004-09-28 11:20:33 +0800
committermarcus <marcus@FreeBSD.org>2004-09-28 11:20:33 +0800
commit9b18abdd9decadf1fc576e32dea38aa0cd43a76c (patch)
treeda62c3cb4d4253c161e6bfeee12cdf6f86e6d1a8 /www/mozilla-devel
parenta0da913f6d069d8ecec6bdcbcbeff7d23a774d68 (diff)
downloadfreebsd-ports-gnome-9b18abdd9decadf1fc576e32dea38aa0cd43a76c.tar.gz
freebsd-ports-gnome-9b18abdd9decadf1fc576e32dea38aa0cd43a76c.tar.zst
freebsd-ports-gnome-9b18abdd9decadf1fc576e32dea38aa0cd43a76c.zip
Patch the various recently reported security vulnerabilities in Mozilla.
This update covers the following Mozilla bugs: 245066 226669 250862 255067 256316 257317 258005 Thanks to nectar for scraping all of these patches together. Obtained from: Mozilla CVS Approved by: portmgr (implicit)
Diffstat (limited to 'www/mozilla-devel')
-rw-r--r--www/mozilla-devel/Makefile2
-rw-r--r--www/mozilla-devel/files/patch-25086222
-rw-r--r--www/mozilla-devel/files/patch-25506760
-rw-r--r--www/mozilla-devel/files/patch-25631618
-rw-r--r--www/mozilla-devel/files/patch-25731431
-rw-r--r--www/mozilla-devel/files/patch-258005278
6 files changed, 410 insertions, 1 deletions
diff --git a/www/mozilla-devel/Makefile b/www/mozilla-devel/Makefile
index a2545c8e97b6..0e30cb559ebc 100644
--- a/www/mozilla-devel/Makefile
+++ b/www/mozilla-devel/Makefile
@@ -7,7 +7,7 @@
PORTNAME?= mozilla
PORTVERSION= 1.8.a3
-PORTREVISION?= 0
+PORTREVISION?= 1
PORTEPOCH?= 2
CATEGORIES?= www
MASTER_SITES= ${MASTER_SITE_MOZILLA} \
diff --git a/www/mozilla-devel/files/patch-250862 b/www/mozilla-devel/files/patch-250862
new file mode 100644
index 000000000000..05423dc84195
--- /dev/null
+++ b/www/mozilla-devel/files/patch-250862
@@ -0,0 +1,22 @@
+Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js
+===================================================================
+RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v
+retrieving revision 1.32
+retrieving revision 1.32.88.1
+diff -u -r1.32 -r1.32.88.1
+--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32
++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1
+@@ -53,8 +53,11 @@
+ {
+ var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
+
+- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
+- if (!url || !url.length || url.indexOf(" ", 0) != -1)
++ // valid urls don't contain spaces ' '; if we have a space it
++ // isn't a valid url, or if it's a javascript: or data: url,
++ // bail out
++ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
++ /^\s*(javascript|data):/.test(url))
+ return;
+
+ switch (document.firstChild.getAttribute('windowtype')) {
diff --git a/www/mozilla-devel/files/patch-255067 b/www/mozilla-devel/files/patch-255067
new file mode 100644
index 000000000000..cddf17ca8328
--- /dev/null
+++ b/www/mozilla-devel/files/patch-255067
@@ -0,0 +1,60 @@
+Index: mozilla/gfx/src/shared/gfxImageFrame.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v
+retrieving revision 1.26
+retrieving revision 1.26.12.1
+diff -u -r1.26 -r1.26.12.1
+--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26
++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1
+@@ -72,6 +72,13 @@
+ return NS_ERROR_FAILURE;
+ }
+
++ /* reject over-wide or over-tall images */
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
++ NS_ERROR("image too big");
++ return NS_ERROR_FAILURE;
++ }
++
+ nsresult rv;
+
+ mOffset.MoveTo(aX, aY);
+Index: mozilla/gfx/src/windows/nsImageWin.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v
+retrieving revision 3.130.2.1
+retrieving revision 3.130.2.1.6.1
+diff -u -r3.130.2.1 -r3.130.2.1.6.1
+--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1
++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1
+@@ -131,6 +131,10 @@
+ return NS_ERROR_UNEXPECTED;
+ }
+
++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if (aWidth > k64KLimit || aHeight > k64KLimit)
++ return NS_ERROR_FAILURE;
+
+ if (mNumPaletteColors >= 0){
+ // If we have a palette
+Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v
+retrieving revision 1.24.2.1
+retrieving revision 1.24.2.1.6.1
+diff -u -r1.24.2.1 -r1.24.2.1.6.1
+--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1
++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1
+@@ -274,7 +274,9 @@
+ CalcBitShift();
+ }
+ // BMPs with negative width are invalid
+- if (mBIH.width < 0)
++ // Reject extremely wide images to keep the math sane
++ const PRInt32 k64KWidth = 0x0000FFFF;
++ if (mBIH.width < 0 || mBIH.width > k64KWidth)
+ return NS_ERROR_FAILURE;
+
+ PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
diff --git a/www/mozilla-devel/files/patch-256316 b/www/mozilla-devel/files/patch-256316
new file mode 100644
index 000000000000..147d15e5303d
--- /dev/null
+++ b/www/mozilla-devel/files/patch-256316
@@ -0,0 +1,18 @@
+Index: mozilla/netwerk/dns/src/nsIDNService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
+retrieving revision 1.18
+retrieving revision 1.18.10.1
+diff -u -r1.18 -r1.18.10.1
+--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18
++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1
+@@ -242,6 +242,9 @@
+
+ NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output)
+ {
++ // protect against bogus input
++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
++
+ nsAutoString outUTF16;
+ nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16);
+ if (NS_SUCCEEDED(rv))
diff --git a/www/mozilla-devel/files/patch-257314 b/www/mozilla-devel/files/patch-257314
new file mode 100644
index 000000000000..8bcc707b9dd9
--- /dev/null
+++ b/www/mozilla-devel/files/patch-257314
@@ -0,0 +1,31 @@
+Index: nsVCardObj.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/addrbook/src/nsVCardObj.cpp,v
+retrieving revision 1.2
+retrieving revision 1.2.24.1
+diff -u -r1.2 -r1.2.24.1
+--- mailnews/addrbook/src/nsVCardObj.cpp 14 Sep 2003 21:45:58 -0000 1.2
++++ mailnews/addrbook/src/nsVCardObj.cpp 31 Aug 2004 07:44:25 -0000 1.2.24.1
+@@ -1344,16 +1344,13 @@
+
+ static void writeGroup(OFile *fp, VObject *o)
+ {
+- char buf1[256];
+- char buf2[256];
+- PL_strcpy(buf1,NAME_OF(o));
+- while ((o=isAPropertyOf(o,VCGroupingProp)) != 0) {
+- PL_strcpy(buf2,STRINGZ_VALUE_OF(o));
+- PL_strcat(buf2,".");
+- PL_strcat(buf2,buf1);
+- PL_strcpy(buf1,buf2);
++ nsCAutoString buf(NAME_OF(o));
++
++ while ((o=isAPropertyOf(o,VCGroupingProp)) != 0) {
++ buf.Insert(NS_LITERAL_CSTRING("."), 0);
++ buf.Insert(STRINGZ_VALUE_OF(o), 0);
+ }
+- appendsOFile(fp,buf1);
++ appendsOFile(fp, buf.get());
+ }
+
+ static int inList(const char **list, const char *s)
diff --git a/www/mozilla-devel/files/patch-258005 b/www/mozilla-devel/files/patch-258005
new file mode 100644
index 000000000000..fc20d4b596cf
--- /dev/null
+++ b/www/mozilla-devel/files/patch-258005
@@ -0,0 +1,278 @@
+Index: nsMsgCompUtils.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/compose/src/nsMsgCompUtils.cpp,v
+retrieving revision 1.161
+retrieving revision 1.161.10.1
+diff -u -r1.161 -r1.161.10.1
+--- mailnews/compose/src/nsMsgCompUtils.cpp 12 Mar 2004 07:23:38 -0000 1.161
++++ mailnews/compose/src/nsMsgCompUtils.cpp 8 Sep 2004 19:27:53 -0000 1.161.10.1
+@@ -821,16 +821,7 @@
+ nsresult rv;
+ nsCOMPtr<nsIPref> prefs(do_GetService(kPrefCID, &rv));
+
+- PRInt32 buffer_size = 2048 + (real_name ? 2*PL_strlen(real_name) : 0) + (base_url ? 2*PL_strlen(base_url) : 0) +
+- (type_param ? PL_strlen(type_param) : 0) + (encoding ? PL_strlen(encoding) : 0) +
+- (description ? PL_strlen(description) : 0) + (x_mac_type ? PL_strlen(x_mac_type) : 0) +
+- (x_mac_creator ? PL_strlen(x_mac_creator) : 0) + (attachmentCharset ? PL_strlen(attachmentCharset) : 0) +
+- (bodyCharset ? PL_strlen(bodyCharset) : 0) + (content_id ? PL_strlen(content_id) : 0);
+- char *buffer = (char *) PR_Malloc (buffer_size);
+- char *buffer_tail = buffer;
+-
+- if (! buffer)
+- return 0; /* NS_ERROR_OUT_OF_MEMORY */
++ nsCString buf("");
+
+ NS_ASSERTION (encoding, "null encoding");
+
+@@ -874,14 +865,13 @@
+ }
+ }
+
+- PUSH_STRING ("Content-Type: ");
+- PUSH_STRING (type);
+-
++ buf.Append("Content-Type: ");
++ buf.Append(type);
+ if (type_param && *type_param)
+ {
+ if (*type_param != ';')
+- PUSH_STRING("; ");
+- PUSH_STRING(type_param);
++ buf.Append("; ");
++ buf.Append(type_param);
+ }
+
+ if (mime_type_needs_charset (type))
+@@ -918,8 +908,8 @@
+ (PL_strcasecmp(encoding, ENCODING_BASE64) != 0)) &&
+ (*charset_label))
+ {
+- PUSH_STRING ("; charset=");
+- PUSH_STRING (charset_label);
++ buf.Append("; charset=");
++ buf.Append(charset_label);
+ }
+ }
+
+@@ -930,7 +920,7 @@
+ if(type && !PL_strcasecmp(type, "text/plain"))
+ {
+ if(UseFormatFlowed(bodyCharset))
+- PUSH_STRING ("; format=flowed");
++ buf.Append("; format=flowed");
+ // else
+ // {
+ // Don't add a markup. Could use
+@@ -942,59 +932,59 @@
+ }
+
+ if (x_mac_type && *x_mac_type) {
+- PUSH_STRING ("; x-mac-type=\"");
+- PUSH_STRING (x_mac_type);
+- PUSH_STRING ("\"");
++ buf.Append("; x-mac-type=\"");
++ buf.Append(x_mac_type);
++ buf.Append("\"");
+ }
+
+ if (x_mac_creator && *x_mac_creator) {
+- PUSH_STRING ("; x-mac-creator=\"");
+- PUSH_STRING (x_mac_creator);
+- PUSH_STRING ("\"");
++ buf.Append("; x-mac-creator=\"");
++ buf.Append(x_mac_creator);
++ buf.Append("\"");
+ }
+
+ #ifdef EMIT_NAME_IN_CONTENT_TYPE
+ if (encodedRealName && *encodedRealName) {
+ if (parmFolding == 0 || parmFolding == 1) {
+- PUSH_STRING (";\r\n name=\"");
+- PUSH_STRING (encodedRealName);
+- PUSH_STRING ("\"");
++ buf.Append(";\r\n name=\"");
++ buf.Append(encodedRealName);
++ buf.Append("\"");
+ }
+ else // if (parmFolding == 2)
+ {
+ char *rfc2231Parm = RFC2231ParmFolding("name", charset.get(),
+ nsMsgI18NGetAcceptLanguage(), encodedRealName);
+ if (rfc2231Parm) {
+- PUSH_STRING(";\r\n ");
+- PUSH_STRING(rfc2231Parm);
++ buf.Append(";\r\n ");
++ buf.Append(rfc2231Parm);
+ PR_Free(rfc2231Parm);
+ }
+ }
+ }
+ #endif /* EMIT_NAME_IN_CONTENT_TYPE */
++ buf.Append(CRLF);
+
+- PUSH_NEWLINE ();
++ buf.Append("Content-Transfer-Encoding: ");
++ buf.Append(encoding);
+
+- PUSH_STRING ("Content-Transfer-Encoding: ");
+- PUSH_STRING (encoding);
+- PUSH_NEWLINE ();
++ buf.Append(CRLF);
+
+ if (description && *description) {
+ char *s = mime_fix_header (description);
+ if (s) {
+- PUSH_STRING ("Content-Description: ");
+- PUSH_STRING (s);
+- PUSH_NEWLINE ();
++ buf.Append("Content-Description: ");
++ buf.Append(s);
++ buf.Append(CRLF);
+ PR_Free(s);
+ }
+ }
+
+ if ( (content_id) && (*content_id) )
+ {
+- PUSH_STRING ("Content-ID: <");
+- PUSH_STRING (content_id);
+- PUSH_STRING (">");
+- PUSH_NEWLINE ();
++ buf.Append("Content-ID: <");
++ buf.Append(content_id);
++ buf.Append(">");
++ buf.Append(CRLF);
+ }
+
+ if (encodedRealName && *encodedRealName) {
+@@ -1004,15 +994,15 @@
+ rv = prefs->GetIntPref("mail.content_disposition_type", &pref_content_disposition);
+ NS_ASSERTION(NS_SUCCEEDED(rv), "failed to get mail.content_disposition_type");
+
+- PUSH_STRING ("Content-Disposition: ");
++ buf.Append("Content-Disposition: ");
+
+ if (pref_content_disposition == 1)
+- PUSH_STRING ("attachment");
++ buf.Append("attachment");
+ else
+ if (pref_content_disposition == 2 &&
+ (!PL_strcasecmp(type, TEXT_PLAIN) ||
+ (period && !PL_strcasecmp(period, ".txt"))))
+- PUSH_STRING("attachment");
++ buf.Append("attachment");
+
+ /* If this document is an anonymous binary file or a vcard,
+ then always show it as an attachment, never inline. */
+@@ -1020,23 +1010,23 @@
+ if (!PL_strcasecmp(type, APPLICATION_OCTET_STREAM) ||
+ !PL_strcasecmp(type, TEXT_VCARD) ||
+ !PL_strcasecmp(type, APPLICATION_DIRECTORY)) /* text/x-vcard synonym */
+- PUSH_STRING ("attachment");
++ buf.Append("attachment");
+ else
+- PUSH_STRING ("inline");
++ buf.Append("inline");
+
+ if (parmFolding == 0 || parmFolding == 1) {
+- PUSH_STRING (";\r\n filename=\"");
+- PUSH_STRING (encodedRealName);
+- PUSH_STRING ("\"" CRLF);
++ buf.Append(";\r\n filename=\"");
++ buf.Append(encodedRealName);
++ buf.Append("\"" CRLF);
+ }
+ else // if (parmFolding == 2)
+ {
+ char *rfc2231Parm = RFC2231ParmFolding("filename", charset.get(),
+ nsMsgI18NGetAcceptLanguage(), encodedRealName);
+ if (rfc2231Parm) {
+- PUSH_STRING(";\r\n ");
+- PUSH_STRING(rfc2231Parm);
+- PUSH_NEWLINE ();
++ buf.Append(";\r\n ");
++ buf.Append(rfc2231Parm);
++ buf.Append(CRLF);
+ PR_Free(rfc2231Parm);
+ }
+ }
+@@ -1045,7 +1035,7 @@
+ if (type &&
+ (!PL_strcasecmp (type, MESSAGE_RFC822) ||
+ !PL_strcasecmp (type, MESSAGE_NEWS)))
+- PUSH_STRING ("Content-Disposition: inline" CRLF);
++ buf.Append("Content-Disposition: inline" CRLF);
+
+ #ifdef GENERATE_CONTENT_BASE
+ /* If this is an HTML document, and we know the URL it originally
+@@ -1079,9 +1069,9 @@
+ prefs->GetBoolPref("mail.use_content_location_on_send", &useContentLocation);
+
+ if (useContentLocation)
+- PUSH_STRING ("Content-Location: \"");
++ buf.Append("Content-Location: \"");
+ else
+- PUSH_STRING ("Content-Base: \"");
++ buf.Append("Content-Base: \"");
+ /* rhp - Pref for Content-Location usage */
+
+ /* rhp: this is to work with the Content-Location stuff */
+@@ -1089,34 +1079,34 @@
+
+ while (*s != 0 && *s != '#')
+ {
+- const char *ot = buffer_tail;
+-
++ PRUint32 ot=buf.Length();
++ char tmp[]="\x00\x00";
+ /* URLs must be wrapped at 40 characters or less. */
+ if (col >= 38) {
+- PUSH_STRING(CRLF "\t");
++ buf.Append(CRLF "\t");
+ col = 0;
+ }
+
+ if (*s == ' ')
+- PUSH_STRING("%20");
++ buf.Append("%20");
+ else if (*s == '\t')
+- PUSH_STRING("%09");
++ buf.Append("%09");
+ else if (*s == '\n')
+- PUSH_STRING("%0A");
++ buf.Append("%0A");
+ else if (*s == '\r')
+- PUSH_STRING("%0D");
++ buf.Append("%0D");
+ else {
+- *buffer_tail++ = *s;
+- *buffer_tail = '\0';
++ tmp[0]=*s;
++ buf.Append(tmp);
+ }
+ s++;
+- col += (buffer_tail - ot);
++ col += (buf.Length() - ot);
+ }
+- PUSH_STRING ("\"" CRLF);
++ buf.Append("\"" CRLF);
+
+ /* rhp: this is to try to get around this fun problem with Content-Location */
+ if (!useContentLocation) {
+- PUSH_STRING ("Content-Location: \"");
++ buf.Append("Content-Location: \"");
+ s = base_url;
+ col = 0;
+ useContentLocation = PR_TRUE;
+@@ -1130,10 +1120,9 @@
+ #endif /* GENERATE_CONTENT_BASE */
+
+ /* realloc it smaller... */
+- buffer = (char*) PR_REALLOC (buffer, buffer_tail - buffer + 1);
+
+ PR_FREEIF(encodedRealName);
+- return buffer;
++ return PL_strdup(buf.get());
+ }
+
+ static PRBool isValidHost( const char* host )