Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/x64/MacroAssembler-x64.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/x64/MacroAssembler-x64.h@@ -72,6 +72,12 @@ JmpSrc (X86Encoding::BaseAssemblerX64::*op)( X86Encoding::XMMRegisterID id));+ void vpRiprOpSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest,+ JmpSrc (X86Encoding::BaseAssemblerX64::*op)(+ X86Encoding::XMMRegisterID srcId,+ X86Encoding::XMMRegisterID destId));+ public: using MacroAssemblerX86Shared::load32; using MacroAssemblerX86Shared::store16;@@ -971,68 +977,129 @@ void loadConstantSimd128Int(const SimdConstant& v, FloatRegister dest); void loadConstantSimd128Float(const SimdConstant& v, FloatRegister dest);- void vpaddbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpaddwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpadddSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpaddqSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubqSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmullwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmulldSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpaddsbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpaddusbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpaddswSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpadduswSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubsbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubusbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubswSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpsubuswSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpminsbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpminubSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpminswSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpminuwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpminsdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpminudSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmaxsbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmaxubSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmaxswSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmaxuwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmaxsdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpmaxudSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpandSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpxorSimd128(const SimdConstant& v, FloatRegister srcDest);- void vporSimd128(const SimdConstant& v, FloatRegister srcDest);- void vaddpsSimd128(const SimdConstant& v, FloatRegister srcDest);- void vaddpdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vsubpsSimd128(const SimdConstant& v, FloatRegister srcDest);- void vsubpdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vdivpsSimd128(const SimdConstant& v, FloatRegister srcDest);- void vdivpdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vmulpsSimd128(const SimdConstant& v, FloatRegister srcDest);- void vmulpdSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpacksswbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpackuswbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpackssdwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpackusdwSimd128(const SimdConstant& v, FloatRegister srcDest);- void vpshufbSimd128(const SimdConstant& v, FloatRegister srcDest);- void vptestSimd128(const SimdConstant& v, FloatRegister src);- void vpmaddwdSimd128(const SimdConstant& v, FloatRegister src);- void vpcmpeqbSimd128(const SimdConstant& v, FloatRegister src);- void vpcmpgtbSimd128(const SimdConstant& v, FloatRegister src);- void vpcmpeqwSimd128(const SimdConstant& v, FloatRegister src);- void vpcmpgtwSimd128(const SimdConstant& v, FloatRegister src);- void vpcmpeqdSimd128(const SimdConstant& v, FloatRegister src);- void vpcmpgtdSimd128(const SimdConstant& v, FloatRegister src);- void vcmpeqpsSimd128(const SimdConstant& v, FloatRegister src);- void vcmpneqpsSimd128(const SimdConstant& v, FloatRegister src);- void vcmpltpsSimd128(const SimdConstant& v, FloatRegister src);- void vcmplepsSimd128(const SimdConstant& v, FloatRegister src);- void vcmpeqpdSimd128(const SimdConstant& v, FloatRegister src);- void vcmpneqpdSimd128(const SimdConstant& v, FloatRegister src);- void vcmpltpdSimd128(const SimdConstant& v, FloatRegister src);- void vcmplepdSimd128(const SimdConstant& v, FloatRegister src);+ void vpaddbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpaddwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpadddSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpaddqSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubqSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmullwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmulldSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpaddsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpaddusbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpaddswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpadduswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubusbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpsubuswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpminsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpminubSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpminswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpminuwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpminsdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpminudSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmaxsbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmaxubSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmaxswSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmaxuwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmaxsdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpmaxudSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpandSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpxorSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vporSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vaddpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vaddpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vsubpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vsubpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vdivpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vdivpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vmulpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vmulpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpacksswbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpackuswbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpackssdwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpackusdwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpshufbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vptestSimd128(const SimdConstant& v, FloatRegister lhs);+ void vpmaddwdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpcmpeqbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpcmpgtbSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpcmpeqwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpcmpgtwSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpcmpeqdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vpcmpgtdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmpeqpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmpneqpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmpltpsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmplepsSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmpeqpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmpneqpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmpltpdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest);+ void vcmplepdSimd128(const SimdConstant& v, FloatRegister lhs,+ FloatRegister dest); void loadWasmPinnedRegsFromTls() { loadPtr(Address(WasmTlsReg, offsetof(wasm::TlsData, memoryBase)), HeapReg);
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily functional/architectural modifications to the SIMD operations interface rather than security fixes. Here's my analysis:
1. First observation is the addition of a new method `vpRiprOpSimd128`:
```
Vulnerability Existed: no
New Method Added [File] [Lines 72-76]
[No old code]
[New code:
void vpRiprOpSimd128(const SimdConstant& v, FloatRegister lhs,
FloatRegister dest,
JmpSrc (X86Encoding::BaseAssemblerX64::*op)(
X86Encoding::XMMRegisterID srcId,
X86Encoding::XMMRegisterID destId));
]
This appears to be a new utility method rather than a security fix.
2. The main changes involve modifying SIMD operation signatures:
```
Vulnerability Existed: not sure
SIMD Interface Modification [File] [Lines 971-1096]
[Old code pattern:
void vpaddbSimd128(const SimdConstant& v, FloatRegister srcDest);
]
[New code pattern:
void vpaddbSimd128(const SimdConstant& v, FloatRegister lhs,
FloatRegister dest);
]
The changes separate source and destination registers rather than using a single srcDest register. While this could potentially prevent some register corruption issues, there's no clear evidence this was fixing a specific security vulnerability.
The changes appear to be architectural improvements to the SIMD interface rather than direct security fixes. The modification from single register (srcDest) to separate source/destination registers could improve safety, but I cannot identify a specific vulnerability being addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/grammar-spelling-errors-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/grammar-spelling-errors-001.html@@ -10,7 +10,6 @@ <link rel="help" href="https://www.w3.org/TR/css-pseudo-4/#highlight-painting"> <link rel="match" href="reference/grammar-spelling-errors-001-ref.html">- <meta content="" name="flags"> <meta name="assert" content="In this test, we postulate that the word 'dificultly' represents both a grammar error and a spelling error. In such editorial scenario, then the pseudo-element ::spelling-error's background color (yellow) is supposed to be drawn over the pseudo-element ::grammar-error's background color (red). The color should remain green as the pseudo-element ::spelling-error's 'color' is unspecified."> <style>
Analysis of the provided code diff: 1. Vulnerability Existed: no No security vulnerability found [File] [Lines 10] Old Code: `<meta content="" name="flags">` Fixed Code: (removed line) Additional Details: This appears to be a simple removal of an empty meta tag that wasn't serving any purpose. There's no security implication to this change, just a cleanup of unnecessary code. 2. Vulnerability Existed: no No security vulnerability found [File] [Lines 10-14] Old Code: (included the flags meta tag) Fixed Code: (removed the flags meta tag) Additional Details: The rest of the changes are just part of the test file's documentation and assertions, which don't relate to security. The main change was removing an unused meta tag. Note: The diff shows only one actual code change (removal of a meta tag), which doesn't appear to be security-related. The rest of the changes are either comments or test assertions. No known vulnerabilities (XSS, injection, etc.) are present in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/serde_derive/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/serde_derive/src/lib.rs@@ -13,9 +13,8 @@ //! //! [https://serde.rs/derive.html]: https://serde.rs/derive.html-#![doc(html_root_url = "https://docs.rs/serde_derive/1.0.130")]+#![doc(html_root_url = "https://docs.rs/serde_derive/1.0.133")] #![allow(unknown_lints, bare_trait_objects)]-#![deny(clippy::all, clippy::pedantic)] // Ignored clippy lints #![allow( // clippy false positive: https://github.com/rust-lang/rust-clippy/issues/7054@@ -44,6 +43,7 @@ clippy::indexing_slicing, clippy::items_after_statements, clippy::let_underscore_drop,+ clippy::manual_assert, clippy::map_err_ignore, clippy::match_same_arms, // clippy bug: https://github.com/rust-lang/rust-clippy/issues/6984
Here's the analysis of the provided code diff:
1. Vulnerability Existed: no
Version Update [File] third_party/rust/serde_derive/src/lib.rs [Lines 13]
Old Code: #![doc(html_root_url = "https://docs.rs/serde_derive/1.0.130")]
Fixed Code: #![doc(html_root_url = "https://docs.rs/serde_derive/1.0.133")]
2. Vulnerability Existed: no
Lint Configuration Change [File] third_party/rust/serde_derive/src/lib.rs [Lines 16-44]
Old Code: #![deny(clippy::all, clippy::pedantic)]
Fixed Code: (removed)
3. Vulnerability Existed: no
Additional Lint Allowance [File] third_party/rust/serde_derive/src/lib.rs [Lines 44]
Old Code: (no mention of clippy::manual_assert)
Fixed Code: clippy::manual_assert,
The changes appear to be:
1. A version number update from 1.0.130 to 1.0.133
2. Removal of strict clippy linting rules (all and pedantic)
3. Addition of an allowed lint (manual_assert)
None of these changes appear to be security-related fixes. They are primarily maintenance and configuration updates. The version bump might include security fixes in the dependencies, but the diff itself doesn't show any vulnerability fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/webconsole/test/browser/browser_webconsole_split.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/webconsole/test/browser/browser_webconsole_split.js@@ -5,16 +5,19 @@ const TEST_URI = "data:text/html;charset=utf-8,<!DOCTYPE html>Web Console test for splitting";-const { LocalizationHelper } = require("devtools/shared/l10n");-const L10N = new LocalizationHelper(- "devtools/client/locales/toolbox.properties"-); // Test is slow on Linux EC2 instances - Bug 962931 requestLongerTimeout(4); add_task(async function() { let toolbox;+ const getFluentString = await getFluentStringHelper([+ "devtools/client/toolbox.ftl",+ ]);+ const hideSplitConsoleLabel = getFluentString(+ "toolbox-meatball-menu-hideconsole-label"+ );+ await addTab(TEST_URI); await testConsoleLoadOnDifferentPanel(); await testKeyboardShortcuts();@@ -122,8 +125,7 @@ let label; if (menuItem && menuItem.querySelector(".label")) { label =- menuItem.querySelector(".label").textContent ===- L10N.getStr("toolbox.meatballMenu.hideconsole.label")+ menuItem.querySelector(".label").textContent === hideSplitConsoleLabel ? "hide" : "split"; }
Based on the provided diff, I'll analyze it for security fixes:
1. Vulnerability Existed: not sure
[Localization Resource Loading Change] [devtools/client/webconsole/test/browser/browser_webconsole_split.js] [Lines 5-8, 10-15]
[Old Code]
```javascript
const { LocalizationHelper } = require("devtools/shared/l10n");
const L10N = new LocalizationHelper(
"devtools/client/locales/toolbox.properties"
);
```
[Fixed Code]
```javascript
const getFluentString = await getFluentStringHelper([
"devtools/client/toolbox.ftl",
]);
const hideSplitConsoleLabel = getFluentString(
"toolbox-meatball-menu-hideconsole-label"
);
```
2. Vulnerability Existed: not sure
[String Comparison Change] [devtools/client/webconsole/test/browser/browser_webconsole_split.js] [Lines 122-125]
[Old Code]
```javascript
label =
menuItem.querySelector(".label").textContent ===
L10N.getStr("toolbox.meatballMenu.hideconsole.label")
```
[Fixed Code]
```javascript
label =
menuItem.querySelector(".label").textContent === hideSplitConsoleLabel
```
The changes appear to be related to localization system migration from properties files to Fluent (FTL) format, which is more of a refactoring/architecture change rather than a direct security fix. However, localization changes can sometimes impact security if they affect how user-facing strings are processed or displayed, though no specific vulnerability is evident here.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.rtl-manual.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.rtl-manual.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#000'; ctx.fillRect(0, 0, 100, 50);
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability [testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.rtl-manual.worker.js] [Lines 13-14]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional details:
- This appears to be a simple variable renaming change (from 'offscreenCanvas' to 'canvas')
- No security implications are evident in this change
- The change is likely for code consistency or readability rather than security fixes
- The functionality remains exactly the same, just with a different variable name
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/filter-effects/filter-contrast-003.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/filter-effects/filter-contrast-003.html@@ -7,7 +7,6 @@ <link rel="help" href="http://www.w3.org/TR/filter-effects-1/#FilterProperty"> <link rel="help" href="https://www.w3.org/TR/filter-effects-1/#funcdef-filter-contrast"> <link rel="match" href="filter-contrast-003-ref.html">- <meta name="flags" content=""> <meta name="assert" content="CSS contrast filter will apply a component transfer to the div element to adjust the contrast of the colors. Since contrast is 200%, it will be less contrast."> <style type="text/css">
Based on the provided diff, I'll analyze it for potential security vulnerabilities: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/filter-effects/filter-contrast-003.html] [Lines 7] [Old Code: <meta name="flags" content="">] [Fixed Code: (line removed)] Additional details: 1. The change simply removes an empty meta tag with "flags" attribute, which appears to be test-related metadata. 2. There's no indication of any security vulnerability being fixed here - this seems like a routine cleanup of test code. 3. The empty flags attribute wasn't posing any security risk, and its removal doesn't appear to address any security issue. No other vulnerabilities or changes were detected in the provided diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/LIR.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/LIR.h@@ -72,7 +72,11 @@ static const uintptr_t KIND_MASK = (1 << KIND_BITS) - 1; protected:+#ifdef JS_64BIT+ static const uintptr_t DATA_BITS = sizeof(uint32_t) * 8;+#else static const uintptr_t DATA_BITS = (sizeof(uint32_t) * 8) - KIND_BITS;+#endif static const uintptr_t DATA_SHIFT = KIND_SHIFT + KIND_BITS; public:@@ -87,7 +91,7 @@ ARGUMENT_SLOT // Argument slot. };- static const uintptr_t DATA_MASK = (1 << DATA_BITS) - 1;+ static const uintptr_t DATA_MASK = (uintptr_t(1) << DATA_BITS) - 1; protected: uint32_t data() const {
Analyzing the provided code diff, here's the security assessment: 1. Vulnerability Existed: yes Integer Overflow Vulnerability [js/src/jit/LIR.h] [Lines 87] [Old Code] static const uintptr_t DATA_MASK = (1 << DATA_BITS) - 1; [Fixed Code] static const uintptr_t DATA_MASK = (uintptr_t(1) << DATA_BITS) - 1; Additional Details: The fix addresses a potential integer overflow issue by explicitly casting the '1' to uintptr_t before the bit shift operation. The original code could lead to undefined behavior if DATA_BITS was large enough to cause an overflow when shifting a plain integer '1'. The fix ensures proper handling of the bit shift operation on 64-bit systems. 2. Vulnerability Existed: not sure Potential Bit Width Handling Issue [js/src/jit/LIR.h] [Lines 72-76] [Old Code] static const uintptr_t DATA_BITS = (sizeof(uint32_t) * 8) - KIND_BITS; [Fixed Code] #ifdef JS_64BIT static const uintptr_t DATA_BITS = sizeof(uint32_t) * 8; #else static const uintptr_t DATA_BITS = (sizeof(uint32_t) * 8) - KIND_BITS; #endif Additional Details: The change introduces different behavior between 32-bit and 64-bit systems, but it's unclear if this was fixing a security vulnerability or just improving platform compatibility. The modification might be related to proper bit handling across different architectures, but without more context, we can't be certain if this was security-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/MediaSession.java+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/MediaSession.java@@ -494,7 +494,7 @@ Feature.PREVIOUS_TRACK, // Feature.SET_VIDEO_SURFACE })- /* package */ @interface MSFeature {}+ public @interface MSFeature {} /** Flags for supported media session features. */ public static class Feature {
Let me analyze this code diff for potential security issues:
Vulnerability Existed: no
[No specific vulnerability] [mobile/android/geckoview/src/main/java/org/mozilla/geckoview/MediaSession.java] [Lines 494]
[Old Code: /* package */ @interface MSFeature {}]
[Fixed Code: public @interface MSFeature {}]
Analysis:
1. This change simply modifies the visibility of an annotation interface from package-private to public.
2. There's no indication of any security vulnerability being fixed here - this appears to be a routine code maintenance change.
3. No security-related functionality is being modified, just the access level of an internal type.
4. The change doesn't involve any security-sensitive operations, data handling, or potential attack vectors.
The modification seems to be part of normal code evolution rather than a security fix. No known vulnerability patterns (like injection, XSS, etc.) are involved in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/serviceworkers/ServiceWorkerScriptCache.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/serviceworkers/ServiceWorkerScriptCache.cpp@@ -210,11 +210,11 @@ void Abort();- virtual void ResolvedCallback(JSContext* aCx,- JS::Handle<JS::Value> aValue) override;-- virtual void RejectedCallback(JSContext* aCx,- JS::Handle<JS::Value> aValue) override;+ virtual void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override;++ virtual void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override; const nsString& Buffer() const { MOZ_ASSERT(NS_IsMainThread());@@ -265,9 +265,11 @@ nsresult Initialize(nsIPrincipal* aPrincipal, const nsAString& aURL, const nsAString& aCacheName);- void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override;-- void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override;+ void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override;++ void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override; CacheStorage* CacheStorage_() { MOZ_ASSERT(NS_IsMainThread());@@ -1193,7 +1195,8 @@ } void CompareCache::ResolvedCallback(JSContext* aCx,- JS::Handle<JS::Value> aValue) {+ JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) { MOZ_ASSERT(NS_IsMainThread()); switch (mState) {@@ -1208,7 +1211,8 @@ } void CompareCache::RejectedCallback(JSContext* aCx,- JS::Handle<JS::Value> aValue) {+ JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) { MOZ_ASSERT(NS_IsMainThread()); if (mState != Finished) {@@ -1344,7 +1348,8 @@ // 4. Put the value in the cache. // For this reason we have mState to know what callback we are handling. void CompareManager::ResolvedCallback(JSContext* aCx,- JS::Handle<JS::Value> aValue) {+ JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) { MOZ_ASSERT(NS_IsMainThread()); MOZ_ASSERT(mCallback);@@ -1374,7 +1379,8 @@ } void CompareManager::RejectedCallback(JSContext* aCx,- JS::Handle<JS::Value> aValue) {+ JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) { MOZ_ASSERT(NS_IsMainThread()); switch (mState) { case Finished:@@ -1428,10 +1434,10 @@ NoopPromiseHandler() { AssertIsOnMainThread(); }- void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {- }- void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override {- }+ void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override {}+ void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override {} private: ~NoopPromiseHandler() { AssertIsOnMainThread(); }
I'll analyze the provided code diff for security fixes following the specified format.
Vulnerability Existed: not sure
[Potential Error Handling Improvement] [dom/serviceworkers/ServiceWorkerScriptCache.cpp] [Lines 210-214, 265-269, 1193-1213, 1344-1380, 1428-1437]
[Old Code]
virtual void ResolvedCallback(JSContext* aCx,
JS::Handle<JS::Value> aValue) override;
virtual void RejectedCallback(JSContext* aCx,
JS::Handle<JS::Value> aValue) override;
[Fixed Code]
virtual void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
ErrorResult& aRv) override;
virtual void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
ErrorResult& aRv) override;
Additional Details:
The main change in this diff is the addition of ErrorResult& aRv parameter to all ResolvedCallback and RejectedCallback methods. While this doesn't appear to fix a specific named vulnerability, it improves error handling by:
1. Providing a standardized way to propagate errors
2. Ensuring callbacks can properly report errors to the calling context
3. Making error handling more consistent across the codebase
The change suggests there might have been potential issues with error handling before, though without more context it's hard to identify if this was fixing a specific security vulnerability or just improving robustness.
No other obvious security vulnerabilities are apparent in this diff. The changes appear to be focused on improving error handling patterns rather than fixing specific security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/MediaEngineWebRTCAudio.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/MediaEngineWebRTCAudio.h@@ -16,7 +16,7 @@ namespace mozilla { class AudioInputProcessing;-class AudioInputTrack;+class AudioProcessingTrack; // This class is created and used exclusively on the Media Manager thread, with // exactly two exceptions:@@ -92,9 +92,9 @@ // The current preferences for the APM's various processing stages. MediaEnginePrefs mCurrentPrefs;- // The AudioInputTrack used to inteface with the MediaTrackGraph. Set in+ // The AudioProcessingTrack used to inteface with the MediaTrackGraph. Set in // SetTrack as part of the initialization, and nulled in ::Deallocate.- RefPtr<AudioInputTrack> mTrack;+ RefPtr<AudioProcessingTrack> mTrack; // See note at the top of this class. RefPtr<AudioInputProcessing> mInputProcessing;@@ -113,9 +113,8 @@ void Process(MediaTrackGraphImpl* aGraph, GraphTime aFrom, GraphTime aTo, AudioSegment* aInput, AudioSegment* aOutput);- void NotifyOutputData(MediaTrackGraphImpl* aGraph, AudioDataValue* aBuffer,- size_t aFrames, TrackRate aRate,- uint32_t aChannels) override;+ void ProcessOutputData(MediaTrackGraphImpl* aGraph, AudioDataValue* aBuffer,+ size_t aFrames, TrackRate aRate, uint32_t aChannels); bool IsVoiceInput(MediaTrackGraphImpl* aGraph) const override { // If we're passing data directly without AEC or any other process, this // means that all voice-processing has been disabled intentionaly. In this@@ -202,7 +201,7 @@ // operates in "pull" mode, and we append silence only, releasing the audio // input track. bool mEnabled;- // Whether or not we've ended and removed the AudioInputTrack.+ // Whether or not we've ended and removed the AudioProcessingTrack. bool mEnded; // When processing is enabled, the number of packets received by this // instance, to implement periodic logging.@@ -218,7 +217,7 @@ }; // MediaTrack subclass tailored for MediaEngineWebRTCMicrophoneSource.-class AudioInputTrack : public ProcessedMediaTrack {+class AudioProcessingTrack : public ProcessedMediaTrack { // Only accessed on the graph thread. RefPtr<AudioInputProcessing> mInputProcessing;@@ -227,7 +226,7 @@ RefPtr<MediaInputPort> mPort; // Only accessed on the main thread. Used for bookkeeping on main thread, such- // that CloseAudioInput can be idempotent.+ // that DisconnectDeviceInput can be idempotent. // XXX Should really be a CubebUtils::AudioDeviceID, but they aren't // copyable (opaque pointers) RefPtr<AudioDataListener> mInputListener;@@ -235,25 +234,25 @@ // Only accessed on the main thread. Maybe<CubebUtils::AudioDeviceID> mDeviceId;- explicit AudioInputTrack(TrackRate aSampleRate)+ explicit AudioProcessingTrack(TrackRate aSampleRate) : ProcessedMediaTrack(aSampleRate, MediaSegment::AUDIO, new AudioSegment()) {}- ~AudioInputTrack() = default;+ ~AudioProcessingTrack() = default; public: // Main Thread API // Users of audio inputs go through the track so it can track when the // last track referencing an input goes away, so it can close the cubeb // input. Main thread only.- nsresult OpenAudioInput(CubebUtils::AudioDeviceID aId,- AudioDataListener* aListener,- const PrincipalHandle& aPrincipal);- void CloseAudioInput();+ nsresult ConnectDeviceInput(CubebUtils::AudioDeviceID aId,+ AudioDataListener* aListener,+ const PrincipalHandle& aPrincipal);+ void DisconnectDeviceInput(); Maybe<CubebUtils::AudioDeviceID> DeviceId() const; void Destroy() override; void SetInputProcessing(RefPtr<AudioInputProcessing> aInputProcessing);- static AudioInputTrack* Create(MediaTrackGraph* aGraph);+ static AudioProcessingTrack* Create(MediaTrackGraph* aGraph); // Graph Thread API void DestroyImpl() override;@@ -266,12 +265,15 @@ } // Get the data in [aFrom, aTo) from aPort->GetSource() to aOutput. aOutput // needs to be empty.- void GetInputSourceData(AudioSegment& aOutput,- const MediaInputPort* aPort, GraphTime aFrom,- GraphTime aTo) const;+ void GetInputSourceData(AudioSegment& aOutput, const MediaInputPort* aPort,+ GraphTime aFrom, GraphTime aTo) const;+ // Pass the graph's mixed audio output to mInputProcessing for processing as+ // the reverse stream.+ void NotifyOutputData(MediaTrackGraphImpl* aGraph, AudioDataValue* aBuffer,+ size_t aFrames, TrackRate aRate, uint32_t aChannels); // Any thread- AudioInputTrack* AsAudioInputTrack() override { return this; }+ AudioProcessingTrack* AsAudioProcessingTrack() override { return this; } private: // Graph thread API
After analyzing the provided code diff, I don't identify any clear security vulnerabilities being fixed. The changes appear to be primarily class renaming and method reorganization rather than security fixes. Here's my analysis: 1. Vulnerability Existed: no Class Renaming [dom/media/webrtc/MediaEngineWebRTCAudio.h] [Multiple lines] The diff shows renaming of `AudioInputTrack` to `AudioProcessingTrack` and related method name changes, but no security implications. 2. Vulnerability Existed: no Method Reorganization [dom/media/webrtc/MediaEngineWebRTCAudio.h] [Multiple lines] The movement of `NotifyOutputData` functionality into `ProcessOutputData` appears to be a code organization change rather than a security fix. 3. Vulnerability Existed: no API Renaming [dom/media/webrtc/MediaEngineWebRTCAudio.h] [Multiple lines] Changes like `OpenAudioInput` → `ConnectDeviceInput` and `CloseAudioInput` → `DisconnectDeviceInput` are interface naming improvements without security implications. The changes appear to be focused on: 1. Better naming conventions 2. Code organization 3. Clearer separation of concerns 4. Improved API semantics No CVE-listed vulnerabilities or obvious security issues are being addressed in this diff. The modifications seem to be part of ongoing code maintenance and improvement rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/nss/lib/ssl/sslimpl.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/nss/lib/ssl/sslimpl.h@@ -38,6 +38,7 @@ typedef struct sslNamedGroupDefStr sslNamedGroupDef; typedef struct sslEchConfigStr sslEchConfig; typedef struct sslEchConfigContentsStr sslEchConfigContents;+typedef struct sslEchCookieDataStr sslEchCookieData; typedef struct sslEchXtnStateStr sslEchXtnState; typedef struct sslPskStr sslPsk; typedef struct sslDelegatedCredentialStr sslDelegatedCredential;@@ -288,6 +289,7 @@ unsigned int suppressEndOfEarlyData : 1; unsigned int enableTls13GreaseEch : 1; unsigned int enableTls13BackendEch : 1;+ unsigned int callExtensionWriterOnEchInner : 1; } sslOptions; typedef enum { sslHandshakingUndetermined = 0,@@ -745,12 +747,14 @@ * used to generate ACKs. */ /* TLS 1.3 ECH state. */- PRBool echAccepted; /* Client/Server: True if we've commited to using CHInner. */- HpkeContext *echHpkeCtx; /* Client/Server: HPKE context for ECH. */- const char *echPublicName; /* Client: If rejected, the ECHConfig.publicName to+ PRBool echAccepted; /* Client/Server: True if we've commited to using CHInner. */+ PRBool echDecided;+ HpkeContext *echHpkeCtx; /* Client/Server: HPKE context for ECH. */+ const char *echPublicName; /* Client: If rejected, the ECHConfig.publicName to * use for certificate verification. */- sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case). */-+ sslBuffer greaseEchBuf; /* Client: Remember GREASE ECH, as advertised, for CH2 (HRR case).+ Server: Remember HRR Grease Value, for transcript calculations */+ PRBool echInvalidExtension; /* Client: True if the server offered an invalid extension for the ClientHelloInner */ } SSL3HandshakeState; #define SSL_ASSERT_HASHES_EMPTY(ss) \@@ -1956,6 +1960,7 @@ SECStatus SSLExp_EnableTls13GreaseEch(PRFileDesc *fd, PRBool enabled); SECStatus SSLExp_EnableTls13BackendEch(PRFileDesc *fd, PRBool enabled);+SECStatus SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled); SEC_END_PROTOS
Here is the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential ECH (Encrypted Client Hello) Implementation Improvement] [security/nss/lib/ssl/sslimpl.h] [Lines 38, 288, 745-747, 1956] [Old Code] ``` typedef struct sslEchConfigContentsStr sslEchConfigContents; unsigned int enableTls13BackendEch : 1; PRBool echAccepted; ``` [Fixed Code] ``` typedef struct sslEchCookieDataStr sslEchCookieData; unsigned int callExtensionWriterOnEchInner : 1; PRBool echDecided; PRBool echInvalidExtension; SECStatus SSLExp_CallExtensionWriterOnEchInner(PRFileDesc *fd, PRBool enabled); ``` Additional Details: The changes appear to enhance the ECH implementation by adding new state tracking (echDecided, echInvalidExtension) and functionality (callExtensionWriterOnEchInner). While not explicitly fixing a known vulnerability, these changes could address potential edge cases in ECH handling. 2. Vulnerability Existed: not sure [Potential ECH State Tracking Improvement] [security/nss/lib/ssl/sslimpl.h] [Lines 745-747] [Old Code] ``` PRBool echAccepted; sslBuffer greaseEchBuf; ``` [Fixed Code] ``` PRBool echAccepted; PRBool echDecided; sslBuffer greaseEchBuf; PRBool echInvalidExtension; ``` Additional Details: The addition of echDecided and echInvalidExtension flags suggests improved state tracking for ECH negotiations, potentially preventing invalid state transitions or extension handling. Note: While these changes appear to be security-related improvements to the ECH implementation, I cannot definitively identify specific vulnerabilities being fixed without more context about the threat model or previous issues. The changes seem more like proactive hardening rather than fixes for known vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/nimbus/lib/NimbusFeatures.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/nimbus/lib/NimbusFeatures.cpp@@ -16,44 +16,75 @@ static nsTHashSet<nsCString> sExposureFeatureSet;-void NimbusFeatures::GetPrefName(const nsACString& aFeatureId,+void NimbusFeatures::GetPrefName(const nsACString& branchPrefix,+ const nsACString& aFeatureId, const nsACString& aVariable, nsACString& aPref) {- // This branch is used to store experiment data- constexpr auto kSyncDataPrefBranch = "nimbus.syncdatastore."_ns;+ nsAutoCString featureAndVariable;+ featureAndVariable.Append(aFeatureId);+ if (!aVariable.IsEmpty()) {+ featureAndVariable.Append(".");+ featureAndVariable.Append(aVariable);+ } aPref.Truncate();- aPref.Append(kSyncDataPrefBranch);- aPref.Append(aFeatureId);- if (!aVariable.IsEmpty()) {- aPref.Append(".");- aPref.Append(aVariable);- }-}-+ aPref.Append(branchPrefix);+ aPref.Append(featureAndVariable);+}++/**+ * Returns the variable value configured via experiment or rollout.+ * If a fallback pref is defined in the FeatureManifest and it+ * has a user value set this takes precedence over remote configurations.+ */ bool NimbusFeatures::GetBool(const nsACString& aFeatureId, const nsACString& aVariable, bool aDefault) {- nsAutoCString pref;- GetPrefName(aFeatureId, aVariable, pref);- if (Preferences::HasUserValue(pref.get())) {- return Preferences::GetBool(pref.get(), aDefault);- }- auto prefName = GetNimbusFallbackPrefName(aFeatureId, aVariable);+ if (prefName.isSome() && Preferences::HasUserValue(prefName->get())) {+ return Preferences::GetBool(prefName->get(), aDefault);+ }++ nsAutoCString experimentPref;+ GetPrefName(kSyncDataPrefBranch, aFeatureId, aVariable, experimentPref);+ if (Preferences::HasUserValue(experimentPref.get())) {+ return Preferences::GetBool(experimentPref.get(), aDefault);+ }++ nsAutoCString rolloutPref;+ GetPrefName(kSyncRolloutsPrefBranch, aFeatureId, aVariable, rolloutPref);+ if (Preferences::HasUserValue(rolloutPref.get())) {+ return Preferences::GetBool(rolloutPref.get(), aDefault);+ }+ if (prefName.isSome()) { return Preferences::GetBool(prefName->get(), aDefault); } return aDefault; }+/**+ * Returns the variable value configured via experiment or rollout.+ * If a fallback pref is defined in the FeatureManifest and it+ * has a user value set this takes precedence over remote configurations.+ */ int NimbusFeatures::GetInt(const nsACString& aFeatureId, const nsACString& aVariable, int aDefault) {- nsAutoCString pref;- GetPrefName(aFeatureId, aVariable, pref);- if (Preferences::HasUserValue(pref.get())) {- return Preferences::GetInt(pref.get(), aDefault);- }- auto prefName = GetNimbusFallbackPrefName(aFeatureId, aVariable);+ if (prefName.isSome() && Preferences::HasUserValue(prefName->get())) {+ return Preferences::GetInt(prefName->get(), aDefault);+ }++ nsAutoCString experimentPref;+ GetPrefName(kSyncDataPrefBranch, aFeatureId, aVariable, experimentPref);+ if (Preferences::HasUserValue(experimentPref.get())) {+ return Preferences::GetInt(experimentPref.get(), aDefault);+ }++ nsAutoCString rolloutPref;+ GetPrefName(kSyncRolloutsPrefBranch, aFeatureId, aVariable, rolloutPref);+ if (Preferences::HasUserValue(rolloutPref.get())) {+ return Preferences::GetInt(rolloutPref.get(), aDefault);+ }+ if (prefName.isSome()) { return Preferences::GetInt(prefName->get(), aDefault); }@@ -64,18 +95,34 @@ const nsACString& aVariable, PrefChangedFunc aUserCallback, void* aUserData) {- nsAutoCString pref;- GetPrefName(aFeatureId, aVariable, pref);- return Preferences::RegisterCallback(aUserCallback, pref, aUserData);+ nsAutoCString experimentPref;+ nsAutoCString rolloutPref;+ GetPrefName(kSyncDataPrefBranch, aFeatureId, aVariable, experimentPref);+ GetPrefName(kSyncRolloutsPrefBranch, aFeatureId, aVariable, rolloutPref);+ nsresult rv =+ Preferences::RegisterCallback(aUserCallback, experimentPref, aUserData);+ NS_ENSURE_SUCCESS(rv, rv);+ rv = Preferences::RegisterCallback(aUserCallback, rolloutPref, aUserData);+ NS_ENSURE_SUCCESS(rv, rv);++ return NS_OK; } nsresult NimbusFeatures::OffUpdate(const nsACString& aFeatureId, const nsACString& aVariable, PrefChangedFunc aUserCallback, void* aUserData) {- nsAutoCString pref;- GetPrefName(aFeatureId, aVariable, pref);- return Preferences::UnregisterCallback(aUserCallback, pref, aUserData);+ nsAutoCString experimentPref;+ nsAutoCString rolloutPref;+ GetPrefName(kSyncDataPrefBranch, aFeatureId, aVariable, experimentPref);+ GetPrefName(kSyncRolloutsPrefBranch, aFeatureId, aVariable, rolloutPref);+ nsresult rv =+ Preferences::UnregisterCallback(aUserCallback, experimentPref, aUserData);+ NS_ENSURE_SUCCESS(rv, rv);+ rv = Preferences::UnregisterCallback(aUserCallback, rolloutPref, aUserData);+ NS_ENSURE_SUCCESS(rv, rv);++ return NS_OK; } /**@@ -99,7 +146,7 @@ aExperimentSlug.Truncate(); aBranchSlug.Truncate();- GetPrefName(aFeatureId, ""_ns, prefName);+ GetPrefName(kSyncDataPrefBranch, aFeatureId, EmptyCString(), prefName); MOZ_TRY(Preferences::GetString(prefName.get(), prefValue)); if (prefValue.IsEmpty()) { return NS_ERROR_UNEXPECTED;
Based on the provided code diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Inconsistent Preference Handling] [toolkit/components/nimbus/lib/NimbusFeatures.cpp] [Lines 16-75]
[Old Code]
The old code only checked experiment data preferences in a single branch ("nimbus.syncdatastore.")
[Fixed Code]
The new code checks both experiment data and rollout preferences separately (kSyncDataPrefBranch and kSyncRolloutsPrefBranch)
2. Vulnerability Existed: not sure
[Potential Race Condition in Preference Updates] [toolkit/components/nimbus/lib/NimbusFeatures.cpp] [Lines 91-108]
[Old Code]
Single preference registration/unregistration
[Fixed Code]
Now handles both experiment and rollout preferences separately, with proper error checking
3. Vulnerability Existed: not sure
[Potential Information Leak] [toolkit/components/nimbus/lib/NimbusFeatures.cpp] [Lines 16-75]
[Old Code]
Simple preference value retrieval without clear precedence rules
[Fixed Code]
Added explicit precedence rules (user values > remote configurations) and documentation
The changes appear to be architectural improvements rather than direct security fixes, but they could potentially address security-related issues in preference handling. The main changes involve:
1. Separating experiment and rollout preference handling
2. Adding clear precedence rules for preference values
3. Improving error handling in preference registration
However, without more context about the threat model or specific vulnerabilities being addressed, I can't definitively identify specific security vulnerabilities that were fixed. The changes seem to improve robustness and maintainability of the preference handling system.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ryu/src/d2s_intrinsics.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ryu/src/d2s_intrinsics.rs@@ -19,46 +19,6 @@ // KIND, either express or implied. use core::ptr;--// Returns (lo, hi).-#[cfg(not(integer128))]-#[cfg_attr(feature = "no-panic", inline)]-pub fn umul128(a: u64, b: u64) -> (u64, u64) {- let a_lo = a as u32;- let a_hi = (a >> 32) as u32;- let b_lo = b as u32;- let b_hi = (b >> 32) as u32;-- let b00 = a_lo as u64 * b_lo as u64;- let b01 = a_lo as u64 * b_hi as u64;- let b10 = a_hi as u64 * b_lo as u64;- let b11 = a_hi as u64 * b_hi as u64;-- let b00_lo = b00 as u32;- let b00_hi = (b00 >> 32) as u32;-- let mid1 = b10 + b00_hi as u64;- let mid1_lo = mid1 as u32;- let mid1_hi = (mid1 >> 32) as u32;-- let mid2 = b01 + mid1_lo as u64;- let mid2_lo = mid2 as u32;- let mid2_hi = (mid2 >> 32) as u32;-- let p_hi = b11 + mid1_hi as u64 + mid2_hi as u64;- let p_lo = ((mid2_lo as u64) << 32) | b00_lo as u64;-- (p_lo, p_hi)-}--#[cfg(not(integer128))]-#[cfg_attr(feature = "no-panic", inline)]-pub fn shiftright128(lo: u64, hi: u64, dist: u32) -> u64 {- // We don't need to handle the case dist >= 64 here (see above).- debug_assert!(dist > 0);- debug_assert!(dist < 64);- (hi << (64 - dist)) | (lo >> dist)-} #[cfg_attr(feature = "no-panic", inline)] pub fn div5(x: u64) -> u64 {@@ -107,7 +67,6 @@ (value & ((1u64 << p) - 1)) == 0 }-#[cfg(integer128)] #[cfg_attr(feature = "no-panic", inline)] pub fn mul_shift_64(m: u64, mul: &(u64, u64), j: u32) -> u64 { let b0 = m as u128 * mul.0 as u128;@@ -115,7 +74,6 @@ (((b0 >> 64) + b2) >> (j - 64)) as u64 }-#[cfg(integer128)] #[cfg_attr(feature = "no-panic", inline)] pub unsafe fn mul_shift_all_64( m: u64,@@ -129,43 +87,3 @@ ptr::write(vm, mul_shift_64(4 * m - 1 - mm_shift as u64, mul, j)); mul_shift_64(4 * m, mul, j) }--#[cfg(not(integer128))]-#[cfg_attr(feature = "no-panic", inline)]-pub unsafe fn mul_shift_all_64(- mut m: u64,- mul: &(u64, u64),- j: u32,- vp: *mut u64,- vm: *mut u64,- mm_shift: u32,-) -> u64 {- m <<= 1;- // m is maximum 55 bits- let (lo, tmp) = umul128(m, mul.0);- let (mut mid, mut hi) = umul128(m, mul.1);- mid = mid.wrapping_add(tmp);- hi = hi.wrapping_add((mid < tmp) as u64); // overflow into hi-- let lo2 = lo.wrapping_add(mul.0);- let mid2 = mid.wrapping_add(mul.1).wrapping_add((lo2 < lo) as u64);- let hi2 = hi.wrapping_add((mid2 < mid) as u64);- ptr::write(vp, shiftright128(mid2, hi2, j - 64 - 1));-- if mm_shift == 1 {- let lo3 = lo.wrapping_sub(mul.0);- let mid3 = mid.wrapping_sub(mul.1).wrapping_sub((lo3 > lo) as u64);- let hi3 = hi.wrapping_sub((mid3 > mid) as u64);- ptr::write(vm, shiftright128(mid3, hi3, j - 64 - 1));- } else {- let lo3 = lo + lo;- let mid3 = mid.wrapping_add(mid).wrapping_add((lo3 < lo) as u64);- let hi3 = hi.wrapping_add(hi).wrapping_add((mid3 < mid) as u64);- let lo4 = lo3.wrapping_sub(mul.0);- let mid4 = mid3.wrapping_sub(mul.1).wrapping_sub((lo4 > lo3) as u64);- let hi4 = hi3.wrapping_sub((mid4 > mid3) as u64);- ptr::write(vm, shiftright128(mid4, hi4, j - 64));- }-- shiftright128(mid, hi, j - 64 - 1)-}
Let me analyze the code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Integer Overflow] [third_party/rust/ryu/src/d2s_intrinsics.rs] [Removed lines 19-46] [Old Code: umul128 function implementation] [Fixed Code: Function removed] 2. Vulnerability Existed: not sure [Potential Integer Overflow] [third_party/rust/ryu/src/d2s_intrinsics.rs] [Removed lines 48-53] [Old Code: shiftright128 function implementation] [Fixed Code: Function removed] 3. Vulnerability Existed: not sure [Potential Integer Overflow] [third_party/rust/ryu/src/d2s_intrinsics.rs] [Removed lines 87-129] [Old Code: 128-bit emulation version of mul_shift_all_64] [Fixed Code: Function removed] The main change appears to be the removal of 128-bit integer emulation code (for platforms without native 128-bit integer support) in favor of using native 128-bit integers where available. While I can't identify specific vulnerabilities in the removed code, the changes suggest potential concerns about: 1. Correctness of 128-bit multiplication emulation 2. Potential overflow handling in the emulated operations 3. Possible edge cases in shift operations The removal of this code and reliance on native 128-bit support (via #[cfg(integer128)]) likely improves reliability and reduces potential for arithmetic-related vulnerabilities, though I can't confirm specific vulnerabilities existed in the old code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-http3/src/connection.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-http3/src/connection.rs@@ -9,10 +9,11 @@ use crate::control_stream_local::ControlStreamLocal; use crate::control_stream_remote::ControlStreamRemote; use crate::features::extended_connect::{- webtransport::{WebTransportRecvStream, WebTransportSendStream},- ExtendedConnectEvents, ExtendedConnectFeature, ExtendedConnectSession, ExtendedConnectType,+ webtransport_session::WebTransportSession,+ webtransport_streams::{WebTransportRecvStream, WebTransportSendStream},+ ExtendedConnectEvents, ExtendedConnectFeature, ExtendedConnectType, };-use crate::hframe::HFrame;+use crate::frames::HFrame; use crate::push_controller::PushController; use crate::qpack_decoder_receiver::DecoderRecvStream; use crate::qpack_encoder_receiver::EncoderRecvStream;@@ -241,11 +242,11 @@ if let Some(recv_stream) = self.recv_streams.get_mut(&stream_id) { let res = recv_stream.receive(conn);- self.handle_stream_manipulation_output(res, stream_id, conn)- .map(|(output, _)| output)- } else {- Ok(ReceiveOutput::NoOutput)- }+ return self+ .handle_stream_manipulation_output(res, stream_id, conn)+ .map(|(output, _)| output);+ }+ Ok(ReceiveOutput::NoOutput) } fn handle_unblocked_streams(@@ -260,10 +261,8 @@ .http_stream() .ok_or(Error::HttpInternal(10))? .header_unblocked(conn);- debug_assert!(matches!(- self.handle_stream_manipulation_output(res, stream_id, conn)?,- (ReceiveOutput::NoOutput, _)- ));+ let res = self.handle_stream_manipulation_output(res, stream_id, conn)?;+ debug_assert!(matches!(res, (ReceiveOutput::NoOutput, _))); } } Ok(())@@ -484,11 +483,13 @@ qinfo!([self], "A new http stream {}.", stream_id); } NewStreamType::WebTransportStream(session_id) => {- if self- .webtransport- .get_session(StreamId::from(session_id))- .is_none()- {+ let session_exists = self+ .send_streams+ .get(&StreamId::from(session_id))+ .map_or(false, |s| {+ s.stream_type() == Http3StreamType::ExtendedConnect+ });+ if !session_exists { conn.stream_stop_sending(stream_id, Error::HttpStreamCreation.code())?; return Ok(ReceiveOutput::NoOutput); }@@ -590,7 +591,6 @@ pub fn fetch<'b, 't, T>( &mut self, conn: &mut Connection,- stream_type: Http3StreamType, send_events: Box<dyn SendStreamEvents>, recv_events: Box<dyn HttpRecvStreamEvents>, push_handler: Option<Rc<RefCell<PushController>>>,@@ -605,6 +605,12 @@ request.method, request.target, );+ let id = self.create_bidi_transport_stream(conn)?;+ self.fetch_with_stream(id, conn, send_events, recv_events, push_handler, request)?;+ Ok(id)+ }++ fn create_bidi_transport_stream(&self, conn: &mut Connection) -> Res<StreamId> { // Requests cannot be created when a connection is in states: Initializing, GoingAway, Closing and Closed. match self.state() { Http3State::GoingAway(..) | Http3State::Closing(..) | Http3State::Closed(..) => {@@ -618,13 +624,33 @@ .stream_create(StreamType::BiDi) .map_err(|e| Error::map_stream_create_errors(&e))?; conn.stream_keep_alive(id, true)?;-+ Ok(id)+ }++ fn fetch_with_stream<'b, 't, T>(+ &mut self,+ stream_id: StreamId,+ conn: &mut Connection,+ send_events: Box<dyn SendStreamEvents>,+ recv_events: Box<dyn HttpRecvStreamEvents>,+ push_handler: Option<Rc<RefCell<PushController>>>,+ request: &RequestDescription<'b, 't, T>,+ ) -> Res<()>+ where+ T: AsRequestTarget<'t> + ?Sized + Debug,+ { let final_headers = Http3Connection::create_fetch_headers(request)?;++ let stream_type = if request.connect_type.is_some() {+ Http3StreamType::ExtendedConnect+ } else {+ Http3StreamType::Http+ }; let mut send_message = SendMessage::new( MessageType::Request, stream_type,- id,+ stream_id, self.qpack_encoder.clone(), send_events, );@@ -635,13 +661,13 @@ .send_headers(&final_headers, conn)?; self.add_streams(- id,+ stream_id, Box::new(send_message), Box::new(RecvMessage::new( &RecvMessageInfo { message_type: MessageType::Response, stream_type,- stream_id: id,+ stream_id, header_frame_type_read: false, }, Rc::clone(&self.qpack_decoder),@@ -654,10 +680,10 @@ // Call immediately send so that at least headers get sent. This will make Firefox faster, since // it can send request body immediatly in most cases and does not need to do a complete process loop. self.send_streams- .get_mut(&id)+ .get_mut(&stream_id) .ok_or(Error::InvalidStreamId)? .send(conn)?;- Ok(id)+ Ok(()) } /// Stream data are read directly into a buffer supplied as a parameter of this function to avoid copying@@ -733,7 +759,7 @@ error: AppError, conn: &mut Connection, ) -> Res<()> {- qinfo!([self], "reset_:stream {} error={}.", stream_id, error);+ qinfo!([self], "cancel_fetch {} error={}.", stream_id, error); let send_stream = self.send_streams.get(&stream_id); let recv_stream = self.recv_streams.get(&stream_id); match (send_stream, recv_stream) {@@ -791,6 +817,8 @@ mem::drop(send_stream.close(conn)); if send_stream.done() { self.remove_send_stream(stream_id, conn);+ } else if send_stream.has_data_to_send() {+ self.streams_with_pending_data.insert(stream_id); } Ok(()) }@@ -810,26 +838,32 @@ return Err(Error::Unavailable); }- let extended_conn = Rc::new(RefCell::new(ExtendedConnectSession::new(- ExtendedConnectType::WebTransport,+ let id = self.create_bidi_transport_stream(conn)?;++ let extended_conn = Rc::new(RefCell::new(WebTransportSession::new(+ id, events, self.role,+ Rc::clone(&self.qpack_encoder),+ Rc::clone(&self.qpack_decoder), )));- let id = self.fetch(- conn,- Http3StreamType::ExtendedConnect,+ self.add_streams(+ id, Box::new(extended_conn.clone()), Box::new(extended_conn.clone()),- None,- &RequestDescription {- method: "CONNECT",- target,- headers,- connect_type: Some(ExtendedConnectType::WebTransport),- priority: Priority::default(),- },- )?;- self.webtransport.insert(id, extended_conn);+ );++ let final_headers = Http3Connection::create_fetch_headers(&RequestDescription {+ method: "CONNECT",+ target,+ headers,+ connect_type: Some(ExtendedConnectType::WebTransport),+ priority: Priority::default(),+ })?;+ extended_conn+ .borrow_mut()+ .send_request(&final_headers, conn)?;+ self.streams_with_pending_data.insert(id); Ok(id) }@@ -867,48 +901,69 @@ (Some(s), Some(_r), false) => { if s.http_stream() .ok_or(Error::InvalidStreamId)?- .send_headers(&[Header::new(":status", "400")], conn)+ .send_headers(&[Header::new(":status", "404")], conn) .is_ok() { mem::drop(self.stream_close_send(conn, stream_id));-- mem::drop(self.stream_stop_sending(- conn,- stream_id,- Error::HttpRequestRejected.code(),- ));+ // TODO issue 1294: add a timer to clean up the recv_stream if the peer does not do that in a short time. self.streams_with_pending_data.insert(stream_id); } else { self.cancel_fetch(stream_id, Error::HttpRequestRejected.code(), conn)?; } Ok(()) }- (Some(s), Some(r), true) => {+ (Some(s), Some(_r), true) => { if s.http_stream() .ok_or(Error::InvalidStreamId)? .send_headers(&[Header::new(":status", "200")], conn) .is_ok() {- let extended_conn = Rc::new(RefCell::new(ExtendedConnectSession::new(- ExtendedConnectType::WebTransport,- events,- self.role,- )));- s.http_stream()- .unwrap()- .set_new_listener(Box::new(extended_conn.clone()));- r.http_stream()- .unwrap()- .set_new_listener(Box::new(extended_conn.clone()));- extended_conn.borrow_mut().negotiation_done(stream_id, true);- self.webtransport.insert(stream_id, extended_conn);+ let extended_conn =+ Rc::new(RefCell::new(WebTransportSession::new_with_http_streams(+ stream_id,+ events,+ self.role,+ self.recv_streams.remove(&stream_id).unwrap(),+ self.send_streams.remove(&stream_id).unwrap(),+ )));+ self.add_streams(+ stream_id,+ Box::new(extended_conn.clone()),+ Box::new(extended_conn),+ ); self.streams_with_pending_data.insert(stream_id); } else { self.cancel_fetch(stream_id, Error::HttpRequestRejected.code(), conn)?;+ return Err(Error::InvalidStreamId); } Ok(()) } }+ }++ pub(crate) fn webtransport_close_session(+ &mut self,+ conn: &mut Connection,+ session_id: StreamId,+ error: u32,+ message: &str,+ ) -> Res<()> {+ qtrace!("Clos WebTransport session {:?}", session_id);+ let send_stream = self+ .send_streams+ .get_mut(&session_id)+ .ok_or(Error::InvalidStreamId)?;+ if send_stream.stream_type() != Http3StreamType::ExtendedConnect {+ return Err(Error::InvalidStreamId);+ }++ send_stream.close_with_message(conn, error, message)?;+ if send_stream.done() {+ self.remove_send_stream(session_id, conn);+ } else if send_stream.has_data_to_send() {+ self.streams_with_pending_data.insert(session_id);+ }+ Ok(()) } pub fn webtransport_create_stream_local(@@ -926,8 +981,10 @@ ); let wt = self- .webtransport- .get_session(session_id)+ .recv_streams+ .get(&session_id)+ .ok_or(Error::InvalidStreamId)?+ .webtransport() .ok_or(Error::InvalidStreamId)?; if !wt.borrow().is_active() { return Err(Error::InvalidStreamId);@@ -962,8 +1019,10 @@ ); let wt = self- .webtransport- .get_session(session_id)+ .recv_streams+ .get(&session_id)+ .ok_or(Error::InvalidStreamId)?+ .webtransport() .ok_or(Error::InvalidStreamId)?; self.webtransport_create_stream_internal(@@ -979,7 +1038,7 @@ fn webtransport_create_stream_internal( &mut self,- webtransport_session: Rc<RefCell<ExtendedConnectSession>>,+ webtransport_session: Rc<RefCell<WebTransportSession>>, stream_id: StreamId, session_id: StreamId, send_events: Box<dyn SendStreamEvents>,@@ -1155,10 +1214,7 @@ .http_stream() .ok_or(Error::InvalidStreamId)?;- if stream- .priority_handler_mut()- .maybe_update_priority(priority)- {+ if stream.maybe_update_priority(priority) { self.control_stream_local.queue_update_priority(stream_id); Ok(true) } else {@@ -1205,26 +1261,32 @@ Ok(()) }- fn remove_extended_connect(&mut self, stream_id: StreamId, conn: &mut Connection) {- if let Some((recv, send)) = self.webtransport.remove(stream_id) {- for id in recv {- qtrace!("Remove the extended connect sub receiver stream {}", id);- // Use CloseType::ResetRemote so that an event will be sent. CloseType::LocalError would have- // the same effect.- if let Some(mut s) = self.recv_streams.remove(&id) {- mem::drop(s.reset(CloseType::ResetRemote(Error::HttpRequestCancelled.code())));- }- mem::drop(conn.stream_stop_sending(id, Error::HttpRequestCancelled.code()));- }- for id in send {- qtrace!("Remove the extended connect sub send stream {}", id);- if let Some(mut s) = self.send_streams.remove(&id) {- s.handle_stop_sending(CloseType::ResetRemote(- Error::HttpRequestCancelled.code(),- ));- }- mem::drop(conn.stream_reset_send(id, Error::HttpRequestCancelled.code()));- }+ fn remove_extended_connect(+ &mut self,+ wt: &Rc<RefCell<WebTransportSession>>,+ conn: &mut Connection,+ ) {+ let out = wt.borrow_mut().take_sub_streams();+ if out.is_none() {+ return;+ }+ let (recv, send) = out.unwrap();++ for id in recv {+ qtrace!("Remove the extended connect sub receiver stream {}", id);+ // Use CloseType::ResetRemote so that an event will be sent. CloseType::LocalError would have+ // the same effect.+ if let Some(mut s) = self.recv_streams.remove(&id) {+ mem::drop(s.reset(CloseType::ResetRemote(Error::HttpRequestCancelled.code())));+ }+ mem::drop(conn.stream_stop_sending(id, Error::HttpRequestCancelled.code()));+ }+ for id in send {+ qtrace!("Remove the extended connect sub send stream {}", id);+ if let Some(mut s) = self.send_streams.remove(&id) {+ s.handle_stop_sending(CloseType::ResetRemote(Error::HttpRequestCancelled.code()));+ }+ mem::drop(conn.stream_reset_send(id, Error::HttpRequestCancelled.code())); } }@@ -1236,7 +1298,10 @@ let stream = self.recv_streams.remove(&stream_id); if let Some(ref s) = stream { if s.stream_type() == Http3StreamType::ExtendedConnect {- self.remove_extended_connect(stream_id, conn);+ self.send_streams.remove(&stream_id).unwrap();+ if let Some(wt) = s.webtransport() {+ self.remove_extended_connect(&wt, conn);+ } } } stream@@ -1250,7 +1315,9 @@ let stream = self.send_streams.remove(&stream_id); if let Some(ref s) = stream { if s.stream_type() == Http3StreamType::ExtendedConnect {- self.remove_extended_connect(stream_id, conn);+ if let Some(wt) = self.recv_streams.remove(&stream_id).unwrap().webtransport() {+ self.remove_extended_connect(&wt, conn);+ } } } stream
I'll analyze the code diff for security fixes following the specified format:
1. Vulnerability Existed: yes
WebTransport Session Validation [third_party/rust/neqo-http3/src/connection.rs] [Lines 484-490]
Old Code:
```rust
if self
.webtransport
.get_session(StreamId::from(session_id))
.is_none()
```
Fixed Code:
```rust
let session_exists = self
.send_streams
.get(&StreamId::from(session_id))
.map_or(false, |s| {
s.stream_type() == Http3StreamType::ExtendedConnect
});
if !session_exists
```
2. Vulnerability Existed: yes
Incorrect Error Handling in WebTransport [third_party/rust/neqo-http3/src/connection.rs] [Lines 901-905]
Old Code:
```rust
.send_headers(&[Header::new(":status", "400")], conn)
```
Fixed Code:
```rust
.send_headers(&[Header::new(":status", "404")], conn)
```
3. Vulnerability Existed: yes
WebTransport Session Management [third_party/rust/neqo-http3/src/connection.rs] [Lines 1258-1290]
Old Code:
```rust
fn remove_extended_connect(&mut self, stream_id: StreamId, conn: &mut Connection) {
if let Some((recv, send)) = self.webtransport.remove(stream_id) {
...
}
}
```
Fixed Code:
```rust
fn remove_extended_connect(
&mut self,
wt: &Rc<RefCell<WebTransportSession>>,
conn: &mut Connection,
) {
let out = wt.borrow_mut().take_sub_streams();
if out.is_none() {
return;
}
let (recv, send) = out.unwrap();
...
}
```
4. Vulnerability Existed: not sure
Stream Management Refactoring [third_party/rust/neqo-http3/src/connection.rs] [Lines 590-680]
Old Code:
```rust
pub fn fetch<'b, 't, T>(
&mut self,
conn: &mut Connection,
stream_type: Http3StreamType,
...
```
Fixed Code:
```rust
pub fn fetch<'b, 't, T>(
&mut self,
conn: &mut Connection,
...
let id = self.create_bidi_transport_stream(conn)?;
self.fetch_with_stream(id, conn, send_events, recv_events, push_handler, request)?;
```
The changes appear to address several security issues:
1. Improved WebTransport session validation to prevent unauthorized stream creation
2. Fixed incorrect error status code (400 -> 404) for invalid requests
3. Improved WebTransport session cleanup to properly handle sub-streams
4. Refactored stream creation logic (security impact uncertain)
The fixes generally improve validation, error handling, and resource management in the WebTransport implementation.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/widget/gtk/nsDeviceContextSpecG.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/widget/gtk/nsDeviceContextSpecG.cpp@@ -416,11 +416,9 @@ if (widget::ShouldUsePortal(widget::PortalKind::Print)) { // Use the name of the file for printing to match with // nsFlatpakPrintPortal- nsCOMPtr<nsIObserverService> os =- mozilla::services::GetObserverService();+ nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService(); // Pass filename to be sure that observer process the right data- os->NotifyObservers(nullptr, "print-to-file-finished",- targetPath.get());+ os->NotifyObservers(nullptr, "print-to-file-finished", targetPath.get()); } } return NS_OK;
Here's the analysis of the provided code diff:
Vulnerability Existed: no
[Code Style Improvement] [widget/gtk/nsDeviceContextSpecG.cpp] [Lines 416-423]
[Old Code]
nsCOMPtr<nsIObserverService> os =
mozilla::services::GetObserverService();
// Pass filename to be sure that observer process the right data
os->NotifyObservers(nullptr, "print-to-file-finished",
targetPath.get());
[Fixed Code]
nsCOMPtr<nsIObserverService> os = mozilla::services::GetObserverService();
// Pass filename to be sure that observer process the right data
os->NotifyObservers(nullptr, "print-to-file-finished", targetPath.get());
Analysis:
The changes appear to be purely stylistic/formatting improvements rather than security fixes. The modifications include:
1. Consolidating the observer service initialization onto one line
2. Removing unnecessary line breaks in the NotifyObservers call
3. No changes to the actual functionality or security aspects of the code
No security vulnerabilities appear to have been addressed in this diff. The changes are focused on code readability and consistency.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowColor.initial.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.attributes.shadowColor.initial.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.shadowColor, 'rgba(0, 0, 0, 0)', "ctx.shadowColor", "'rgba(0, 0, 0, 0)'"); t.done();
Analysis of the provided code diff:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be purely a variable name refactoring from `offscreenCanvas` to `canvas`
- No security-related changes are evident in this diff
- The functionality remains identical, only the variable name was changed for better clarity/consistency
- This is a test file change and doesn't affect production code security
No security vulnerabilities were found in this diff. The modification is a benign refactoring with no security implications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.arc.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.arc.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -34,7 +34,7 @@ ctx.moveTo(60, 25); ctx.arc(50, 25, 10, 0, 0, false); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas` for consistency. Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.arc.html] [Lines 17-18, 34]
[Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); var ctx = offscreenCanvas.getContext('2d'); ... _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");]
[Fixed Code: var canvas = new OffscreenCanvas(100, 50); var ctx = canvas.getContext('2d'); ... _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");]
The changes are:
1. Variable name change from `offscreenCanvas` to `canvas`
2. Corresponding update to the variable name in the `_assertPixel` call
No security implications are present in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/generic/LocalAccessible.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/generic/LocalAccessible.cpp@@ -33,6 +33,7 @@ #include "TableCellAccessible.h" #include "TreeWalker.h" #include "HTMLElementAccessibles.h"+#include "ImageAccessible.h" #include "nsIDOMXULButtonElement.h" #include "nsIDOMXULSelectCntrlEl.h"@@ -281,24 +282,6 @@ KeyBinding LocalAccessible::KeyboardShortcut() const { return KeyBinding(); }-void LocalAccessible::TranslateString(const nsString& aKey,- nsAString& aStringOut) {- nsCOMPtr<nsIStringBundleService> stringBundleService =- components::StringBundle::Service();- if (!stringBundleService) return;-- nsCOMPtr<nsIStringBundle> stringBundle;- stringBundleService->CreateBundle(- "chrome://global-platform/locale/accessible.properties",- getter_AddRefs(stringBundle));- if (!stringBundle) return;-- nsAutoString xsValue;- nsresult rv = stringBundle->GetStringFromName(- NS_ConvertUTF16toUTF8(aKey).get(), xsValue);- if (NS_SUCCEEDED(rv)) aStringOut.Assign(xsValue);-}- uint64_t LocalAccessible::VisibilityState() const { if (IPCAccessibilityActive() && StaticPrefs::accessibility_cache_enabled_AtStartup()) {@@ -501,7 +484,7 @@ // If we can't find the point in a child, we will return the fallback answer: // we return |this| if the point is within it, otherwise nullptr. LocalAccessible* fallbackAnswer = nullptr;- nsIntRect rect = Bounds();+ LayoutDeviceIntRect rect = Bounds(); if (rect.Contains(aX, aY)) fallbackAnswer = this; if (nsAccUtils::MustPrune(this)) { // Do not dig any further@@ -611,7 +594,7 @@ for (uint32_t childIdx = 0; childIdx < childCount; childIdx++) { LocalAccessible* child = accessible->LocalChildAt(childIdx);- nsIntRect childRect = child->Bounds();+ LayoutDeviceIntRect childRect = child->Bounds(); if (childRect.Contains(aX, aY) && (child->State() & states::INVISIBLE) == 0) { if (aWhichChild == EWhichChildAtPoint::DeepestChild) {@@ -786,9 +769,9 @@ return unionRectTwips; }-nsIntRect LocalAccessible::Bounds() const {- return BoundsInAppUnits().ToNearestPixels(- mDoc->PresContext()->AppUnitsPerDevPixel());+LayoutDeviceIntRect LocalAccessible::Bounds() const {+ return LayoutDeviceIntRect::FromAppUnitsToNearest(+ BoundsInAppUnits(), mDoc->PresContext()->AppUnitsPerDevPixel()); } nsIntRect LocalAccessible::BoundsInCSSPixels() const {@@ -1255,8 +1238,7 @@ aAttribute == nsGkAtoms::aria_busy || aAttribute == nsGkAtoms::aria_multiline || aAttribute == nsGkAtoms::aria_multiselectable ||- aAttribute == nsGkAtoms::contenteditable ||- (aAttribute == nsGkAtoms::href && IsHTMLLink());+ aAttribute == nsGkAtoms::contenteditable; } void LocalAccessible::DOMAttributeChanged(int32_t aNameSpaceID,@@ -1399,6 +1381,14 @@ } } return;+ }++ if ((aAttribute == nsGkAtoms::aria_expanded ||+ aAttribute == nsGkAtoms::href) &&+ (aModType == dom::MutationEvent_Binding::ADDITION ||+ aModType == dom::MutationEvent_Binding::REMOVAL)) {+ // The presence of aria-expanded adds an expand/collapse action.+ SendCache(CacheDomain::Actions, CacheUpdateType::Update); } if (aAttribute == nsGkAtoms::alt &&@@ -2296,7 +2286,7 @@ nsIFrame* frame = GetFrame(); if (!frame) return;- nsIntPoint coords =+ LayoutDeviceIntPoint coords = nsAccUtils::ConvertToScreenCoords(aX, aY, aCoordinateType, this); nsIFrame* parentFrame = frame;@@ -3262,7 +3252,7 @@ fields->SetAttribute(nsGkAtoms::state, state); }- if (aCacheDomain & CacheDomain::GroupInfo) {+ if (aCacheDomain & CacheDomain::GroupInfo && mContent) { for (nsAtom* attr : {nsGkAtoms::aria_level, nsGkAtoms::aria_setsize, nsGkAtoms::aria_posinset}) { int32_t value = 0;@@ -3274,10 +3264,34 @@ } }+ if (aCacheDomain & CacheDomain::Actions) {+ uint8_t actionCount = ActionCount();+ ImageAccessible* imgAcc = AsImage();+ bool hasLongDesc = imgAcc && imgAcc->HasLongDesc();++ if (actionCount && !(actionCount == 1 && hasLongDesc)) {+ // We only cache the first action that is not showlongdesc.+ nsAutoString actionName;+ ActionNameAt(0, actionName);+ RefPtr<nsAtom> actionAtom = NS_Atomize(actionName);+ fields->SetAttribute(nsGkAtoms::action, actionAtom);+ } else if (aUpdateType == CacheUpdateType::Update) {+ fields->SetAttribute(nsGkAtoms::action, DeleteEntry());+ }++ if (imgAcc) {+ if (hasLongDesc) {+ fields->SetAttribute(nsGkAtoms::longdesc, true);+ } else if (aUpdateType == CacheUpdateType::Update) {+ fields->SetAttribute(nsGkAtoms::longdesc, DeleteEntry());+ }+ }+ }+ if (aUpdateType == CacheUpdateType::Initial) { // Add fields which never change and thus only need to be included in the // initial cache push.- if (mContent->IsElement()) {+ if (mContent && mContent->IsElement()) { fields->SetAttribute(nsGkAtoms::tag, mContent->NodeInfo()->NameAtom()); if (IsTextField() || IsDateTimeField()) {
Here is the analysis of the provided code diff for security fixes: 1. Vulnerability Existed: not sure [Potential Integer Overflow/Type Safety Issue] [File: accessible/generic/LocalAccessible.cpp] [Lines: 501, 611] [Old Code] `nsIntRect rect = Bounds();` [Fixed Code] `LayoutDeviceIntRect rect = Bounds();` Additional Details: The change from nsIntRect to LayoutDeviceIntRect suggests a potential type safety improvement, though it's unclear if this was fixing an actual vulnerability or just improving code robustness. 2. Vulnerability Existed: not sure [Potential Information Leak] [File: accessible/generic/LocalAccessible.cpp] [Lines: 1255-1256] [Old Code] `aAttribute == nsGkAtoms::contenteditable || (aAttribute == nsGkAtoms::href && IsHTMLLink());` [Fixed Code] `aAttribute == nsGkAtoms::contenteditable;` Additional Details: The removal of href attribute check might relate to security considerations around link handling, but the exact vulnerability being addressed isn't clear. 3. Vulnerability Existed: not sure [Potential Race Condition] [File: accessible/generic/LocalAccessible.cpp] [Lines: 3262] [Old Code] `if (aCacheDomain & CacheDomain::GroupInfo)` [Fixed Code] `if (aCacheDomain & CacheDomain::GroupInfo && mContent)` Additional Details: The added null check for mContent could prevent potential null dereference issues, though it's unclear if this was exploitable. 4. Vulnerability Existed: not sure [Potential Action Validation Issue] [File: accessible/generic/LocalAccessible.cpp] [Lines: 3264-3284] [New Code Added] The new action caching logic with checks for ActionCount() and HasLongDesc() suggests improved validation of accessible actions, but it's unclear if this was fixing a specific vulnerability. Note: The diff shows several changes that appear to be security-related improvements (type safety, null checks, input validation), but without more context about the specific vulnerabilities being addressed, I can't definitively identify them. The removal of the TranslateString method might also be security-related (potential XSS via string bundles), but this is uncertain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.rect.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.stroke.prune.rect.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -26,7 +26,7 @@ ctx.rect(50, 25, 0, 0); ctx.stroke(); ctx.strokeRect(50, 25, 0, 0);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14, 26]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
Additional Details:
- The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications
- The functionality remains exactly the same, just with a different variable name
- No security-related patterns (like input validation, sensitive data handling, etc.) were modified
- This appears to be a code style/consistency change rather than a security fix
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/wgpu-hal/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/wgpu-hal/src/lib.rs@@ -562,10 +562,15 @@ /// Format can be used as depth-stencil and input attachment. const DEPTH_STENCIL_ATTACHMENT = 1 << 8;+ /// Format can be multisampled.+ const MULTISAMPLE = 1 << 9;+ /// Format can be used for render pass resolve targets.+ const MULTISAMPLE_RESOLVE = 1 << 10;+ /// Format can be copied from.- const COPY_SRC = 1 << 9;+ const COPY_SRC = 1 << 11; /// Format can be copied to.- const COPY_DST = 1 << 10;+ const COPY_DST = 1 << 12; } );
Based on the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be feature additions and bit flag renumbering rather than security fixes. Here's my analysis:
1. Vulnerability Existed: no
Feature Flag Addition [third_party/rust/wgpu-hal/src/lib.rs] [Lines 562-572]
Old Code:
const DEPTH_STENCIL_ATTACHMENT = 1 << 8;
/// Format can be copied from.
const COPY_SRC = 1 << 9;
/// Format can be copied to.
const COPY_DST = 1 << 10;
Fixed Code:
const DEPTH_STENCIL_ATTACHMENT = 1 << 8;
/// Format can be multisampled.
const MULTISAMPLE = 1 << 9;
/// Format can be used for render pass resolve targets.
const MULTISAMPLE_RESOLVE = 1 << 10;
/// Format can be copied from.
const COPY_SRC = 1 << 11;
/// Format can be copied to.
const COPY_DST = 1 << 12;
The changes consist of:
1. Adding two new feature flags (MULTISAMPLE and MULTISAMPLE_RESOLVE)
2. Re-numbering the existing COPY_SRC and COPY_DST flags to make room for the new flags
There's no indication of any security vulnerability being addressed in this change. The modification is purely additive and organizational in nature.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.