From 98a725069b0538ef835c6aed5895425b52db7e0e Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 2 Jun 2020 15:42:44 -0500 Subject: [CVE] user/firefox-esr: bump to 68.9.0 and fix seccomp for time64 (#284) Also "fix" statx support by pulling upstream patch to replace our membarrier patch Dropped rust-config.patch in the hopes it is no longer needed... --- user/firefox-esr/APKBUILD | 17 +++-- user/firefox-esr/rust-config.patch | 20 ------ user/firefox-esr/seccomp-membarrier.patch | 12 ---- user/firefox-esr/seccomp-musl.patch | 49 +++++++++++++ user/firefox-esr/seccomp-time64.patch | 112 ++++++++++++++++++++++++++++++ 5 files changed, 172 insertions(+), 38 deletions(-) delete mode 100644 user/firefox-esr/rust-config.patch delete mode 100644 user/firefox-esr/seccomp-membarrier.patch create mode 100644 user/firefox-esr/seccomp-musl.patch create mode 100644 user/firefox-esr/seccomp-time64.patch diff --git a/user/firefox-esr/APKBUILD b/user/firefox-esr/APKBUILD index 82a4e5276..f780d8765 100644 --- a/user/firefox-esr/APKBUILD +++ b/user/firefox-esr/APKBUILD @@ -1,7 +1,7 @@ # Contributor: Molly Miller # Maintainer: A. Wilcox pkgname=firefox-esr -pkgver=68.8.0 +pkgver=68.9.0 pkgrel=0 pkgdesc="Firefox web browser (extended support release)" url="https://www.mozilla.org/firefox/" @@ -41,8 +41,8 @@ source="https://ftp.mozilla.org/pub/firefox/releases/$_ffxver/source/firefox-$_f mozilla-build-arm.patch ppc32-fix.patch rust-32bit.patch - rust-config.patch - seccomp-membarrier.patch + seccomp-musl.patch + seccomp-time64.patch shut-up-warning.patch skia-sucks1.patch skia-sucks2.patch @@ -126,6 +126,11 @@ ldpath="$_mozappdir" # - CVE-2020-12387 # - CVE-2020-12392 # - CVE-2020-12395 +# 68.9.0-r0: +# - CVE-2020-12399 +# - CVE-2020-12405 +# - CVE-2020-12406 +# - CVE-2020-12410 unpack() { default_unpack @@ -241,7 +246,7 @@ package() { EOF } -sha512sums="139a63dc85ae76a50da6be9a31425f97144e6c7e4a65b0f3009a84eb5c8c9566f6bb331e26590f8aecd5045c4d730ab4e848cf7220f3444a31147b5533c742b3 firefox-68.8.0esr.source.tar.xz +sha512sums="98431800d80f7c680aef9eede29df8217810912a319a7f7f8c2e637c43ecd4f4e29223a417afb2a6315e825f979453ff6e6b5a575649aba5cc63ce5956375bb8 firefox-68.9.0esr.source.tar.xz 16e814e8dcffc707b595ca2919bd2fa3db0d15794c63d977364652c4a5b92e90e72b8c9e1cc83b5020398bd90a1b397dbdd7cb931c49f1aa4af6ef95414b43e0 Python-2.7.16.tar.xz f82758d279cd12a1b30a9b36ac3c265cfb137df3db7ae185f2c538504e46fa70ace1b051fce847356851062b5cc9cd741a6d33d54f8cd103aa0c8272cb19ccc4 mozconfig ace7492f4fb0523c7340fdc09c831906f74fddad93822aff367135538dacd3f56288b907f5a04f53f94c76e722ba0bab73e28d83ec12d3e672554712e6b08613 bad-google-code.patch @@ -252,8 +257,8 @@ de8e3b15cd7dffb0eca5a729434986e5916234914cdc5fdcdbbc67d8bb439a535ed932293518dd74 e61664bc93eadce5016a06a4d0684b34a05074f1815e88ef2613380d7b369c6fd305fb34f83b5eb18b9e3138273ea8ddcfdcb1084fdcaa922a1e5b30146a3b18 mozilla-build-arm.patch 06a3f4ee6d3726adf3460952fcbaaf24bb15ef8d15b3357fdd1766c7a62b00bd53a1e943b5df7f4e1a69f4fae0d44b64fae1e027d7812499c77894975969ea10 ppc32-fix.patch 7c615703dc9b8427eeadd13bc9beda02e1c3d986cac1167feaf48fdfdcc15b7456460d4d58f301054cf459242ee75bbcd76bf67e26c2a443bc5655975d24ca1b rust-32bit.patch -45613d476e85fe333ef8091acce4806803953c1a99de4f03ff577cf20c5a1a3d635d0589e1490da104ef80721f4f1b1d35045af3c6892c1a468fa84095f27ad8 rust-config.patch -36369f2e237e894b2f9e70ffa0579bb3cddf1efa638a36b3469e9f529c28d7b72611fa426c5534d93094a8deb1376f43f6661447072dc6dfc6191ca5eebd4604 seccomp-membarrier.patch +efc77a320850e10e8b99e6fb5d3dd28a3044e287fd87efbdf95807de26a6885235b2d994743cb374345d91a0353abd70a5790b829e37b717b77605e24d4f7f98 seccomp-musl.patch +4b20dfa3ef3d470af069a274c53ea35c67d2d123f1b543ee243e7038ed94f5a1a6121f1f67713a9442e246b979c042f11efc7a6c32d0b8d3fd2c448dd1258733 seccomp-time64.patch 39ddb15d1453a8412275c36fc8db3befc69dffd4a362e932d280fb7fd1190db595a2af9b468ee49e0714f5e9df6e48eb5794122a64fa9f30d689de8693acbb15 shut-up-warning.patch e751ffab263f03d4c74feebc617e3af115b1b53cf54fe16c3acc585eec67773f37aa8de4c19599fa6478179b01439025112ef2b759aa9923c9900e7081cb65a9 skia-sucks1.patch 9152bd3e6dc446337e6a2ed602279c620aedecc796ba28e777854c4f41fcf3067f9ebd086a4b63a6b76c2e69ec599ac6435b8eeda4f7488b1c45f69113facba4 skia-sucks2.patch diff --git a/user/firefox-esr/rust-config.patch b/user/firefox-esr/rust-config.patch deleted file mode 100644 index eab72a0e4..000000000 --- a/user/firefox-esr/rust-config.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -urw firefox-68.0-old/build/moz.configure/rust.configure firefox-68.0/build/moz.configure/rust.configure ---- firefox-68.0-old/build/moz.configure/rust.configure 2019-07-07 15:56:29.345963800 +0000 -+++ firefox-68.0/build/moz.configure/rust.configure 2019-07-07 16:19:25.990645334 +0000 -@@ -193,12 +193,16 @@ - ambiguous = set() - per_raw_os = {} - for t in out: -+ if 'fuchsia' in t: continue - t = split_triplet(t, allow_unknown=True) - endianness = t.endianness - if t.cpu.startswith('thumb') and endianness not in ('big', 'little'): - endianness = 'little' - key = (t.cpu, endianness, t.os) - if key in per_os: -+ # hax to allow Adélie toolchains to work -+ if 'foxkit' in per_os[key].alias: -+ continue - previous = per_os[key] - per_raw_os[(previous.cpu, previous.endianness, - previous.raw_os)] = previous diff --git a/user/firefox-esr/seccomp-membarrier.patch b/user/firefox-esr/seccomp-membarrier.patch deleted file mode 100644 index be1744113..000000000 --- a/user/firefox-esr/seccomp-membarrier.patch +++ /dev/null @@ -1,12 +0,0 @@ -musl ldso issues a membarrier when setting up TLS - ---- firefox-68.7.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-03 19:30:03.000000000 +0000 -+++ firefox-68.7.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-19 04:59:30.280000000 +0000 -@@ -529,6 +529,7 @@ class SandboxPolicyCommon : public Sandb - - // ipc::Shmem; also, glibc when creating threads: - case __NR_mprotect: -+ case __NR_membarrier: - return Allow(); - - // madvise hints used by malloc; see bug 1303813 and bug 1364533 diff --git a/user/firefox-esr/seccomp-musl.patch b/user/firefox-esr/seccomp-musl.patch new file mode 100644 index 000000000..edd4a3024 --- /dev/null +++ b/user/firefox-esr/seccomp-musl.patch @@ -0,0 +1,49 @@ +Backport of https://hg.mozilla.org/mozilla-central/rev/a0be746532f437055e4190cc8db802ad1239405e + +diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp +--- a/security/sandbox/linux/SandboxFilter.cpp ++++ b/security/sandbox/linux/SandboxFilter.cpp +@@ -419,16 +419,20 @@ class SandboxPolicyCommon : public Sandb + case __NR_faccessat: + return Trap(AccessAtTrap, mBroker); + CASES_FOR_stat: + return Trap(StatTrap, mBroker); + CASES_FOR_lstat: + return Trap(LStatTrap, mBroker); + CASES_FOR_fstatat: + return Trap(StatAtTrap, mBroker); ++ // Used by new libc and Rust's stdlib, if available. ++ // We don't have broker support yet so claim it does not exist. ++ case __NR_statx: ++ return Error(ENOSYS); + case __NR_chmod: + return Trap(ChmodTrap, mBroker); + case __NR_link: + return Trap(LinkTrap, mBroker); + case __NR_mkdir: + return Trap(MkdirTrap, mBroker); + case __NR_symlink: + return Trap(SymlinkTrap, mBroker); +@@ -538,16 +542,20 @@ class SandboxPolicyCommon : public Sandb + .ElseIf(advice == MADV_HUGEPAGE, Allow()) + .ElseIf(advice == MADV_NOHUGEPAGE, Allow()) + #ifdef MOZ_ASAN + .ElseIf(advice == MADV_DONTDUMP, Allow()) + #endif + .Else(InvalidSyscall()); + } + ++ // musl libc will set this up in pthreads support. ++ case __NR_membarrier: ++ return Allow(); ++ + // Signal handling + #if defined(ANDROID) || defined(MOZ_ASAN) + case __NR_sigaltstack: + #endif + CASES_FOR_sigreturn: + CASES_FOR_sigprocmask: + CASES_FOR_sigaction: + return Allow(); + + diff --git a/user/firefox-esr/seccomp-time64.patch b/user/firefox-esr/seccomp-time64.patch new file mode 100644 index 000000000..72cc28b5d --- /dev/null +++ b/user/firefox-esr/seccomp-time64.patch @@ -0,0 +1,112 @@ +This drops the use of the chromium sandbox syscall headers which were +defining syscall numbers if they were undefined. This masked the time64 +issue initially since while musl renamed several of the time32 syscall +numbers to catch breakage like this, these headers were silently +bringing them back. I did this by comparing the syscall numbers provided +by the chromium and musl headers and redefining the generic names to +their time64 counterparts. + +For gettimeofday and settimeofday there does not appear to be a time64 +counterpart so I have defined them as the time32 versions. For +settimeofday this should not matter (the seccomp filter will block this +by virture of not being on the whitelist - no content process needs to +set the time anyway). + +It is not possible to entirely block the usage of time32 syscalls +because musl uses them internally when it can or in fallback paths. + +I did not check the MIPS headers since we don't currently ship a MIPS +port, so in the future those includes should be examined and dropped +too... + +--- firefox-68.8.0/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h 2020-04-29 16:49:45.000000000 -0500 ++++ firefox-68.8.0/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h 2020-05-20 03:09:47.369457646 -0500 +@@ -8,18 +8,7 @@ + + #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_ + #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_ +- +-#if defined(__x86_64__) +-#include "sandbox/linux/system_headers/x86_64_linux_syscalls.h" +-#endif +- +-#if defined(__i386__) +-#include "sandbox/linux/system_headers/x86_32_linux_syscalls.h" +-#endif +- +-#if defined(__arm__) && defined(__ARM_EABI__) +-#include "sandbox/linux/system_headers/arm_linux_syscalls.h" +-#endif ++#include + + #if defined(__mips__) && (_MIPS_SIM == _ABIO32) + #include "sandbox/linux/system_headers/mips_linux_syscalls.h" +@@ -33,5 +22,36 @@ + #include "sandbox/linux/system_headers/arm64_linux_syscalls.h" + #endif + ++#if !defined(__NR_clock_getres) && defined(__NR_clock_getres_time64) ++#define __NR_clock_getres __NR_clock_getres_time64 ++#endif ++#if !defined(__NR_clock_gettime) && defined(__NR_clock_gettime64) ++#define __NR_clock_gettime __NR_clock_gettime64 ++#endif ++#if !defined(__NR_clock_nanosleep) && defined(__NR_clock_nanosleep_time64) ++#define __NR_clock_nanosleep __NR_clock_nanosleep_time64 ++#endif ++#if !defined(__NR_clock_settime) && defined(__NR_clock_settime64) ++#define __NR_clock_settime __NR_clock_settime64 ++#endif ++#if !defined(__NR_gettimeofday) && defined(__NR_gettimeofday_time32) ++#define __NR_gettimeofday __NR_gettimeofday_time32 ++#endif ++#if !defined(__NR_settimeofday) && defined(__NR_settimeofday_time32) ++#define __NR_settimeofday __NR_settimeofday_time32 ++#endif ++#if !defined(__NR_timer_gettime) && defined(__NR_timer_gettime64) ++#define __NR_timer_gettime __NR_timer_gettime64 ++#endif ++#if !defined(__NR_timer_settime) && defined(__NR_timer_settime64) ++#define __NR_timer_settime __NR_timer_settime64 ++#endif ++#if !defined(__NR_timerfd_gettime) && defined(__NR_timerfd_gettime64) ++#define __NR_timerfd_gettime __NR_timerfd_gettime64 ++#endif ++#if !defined(__NR_timerfd_settime) && defined(__NR_timerfd_settime64) ++#define __NR_timerfd_settime __NR_timerfd_settime64 ++#endif ++ + #endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_ + +--- firefox-68.8.0/security/sandbox/linux/SandboxFilter.cpp 2020-04-29 16:49:45.000000000 -0500 ++++ firefox-68.8.0/security/sandbox/linux/SandboxFilter.cpp 2020-05-19 23:33:27.829642593 -0500 +@@ -478,6 +478,9 @@ class SandboxPolicyCommon : public Sandb + + // Thread synchronization + case __NR_futex: ++#ifdef __NR_futex_time64 ++ case __NR_futex_time64: ++#endif + // FIXME: This could be more restrictive.... + return Allow(); + +@@ -488,6 +491,9 @@ class SandboxPolicyCommon : public Sandb + case __NR_epoll_pwait: + case __NR_epoll_ctl: + case __NR_ppoll: ++#ifdef __NR_ppoll_time64 ++ case __NR_ppoll_time64: ++#endif + case __NR_poll: + return Allow(); + +@@ -1017,6 +1023,9 @@ class ContentSandboxPolicy : public Sand + + CASES_FOR_select: + case __NR_pselect6: ++#ifdef __NR_pselect6_time64 ++ case __NR_pselect6_time64: ++#endif + return Allow(); + + CASES_FOR_getdents: -- cgit v1.2.3-60-g2f50