Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ryu/src/d2s_small_table.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ryu/src/d2s_small_table.rs@@ -19,8 +19,6 @@ // KIND, either express or implied. use crate::common::*;-#[cfg(not(integer128))]-use crate::d2s_intrinsics::*; pub static DOUBLE_POW5_INV_SPLIT2: [(u64, u64); 15] = [ (1, 2305843009213693952),@@ -98,7 +96,6 @@ ]; // Computes 5^i in the form required by Ryū.-#[cfg(integer128)] #[cfg_attr(feature = "no-panic", inline)] pub unsafe fn compute_pow5(i: u32) -> (u64, u64) { let base = i / DOUBLE_POW5_TABLE.len() as u32;@@ -122,7 +119,6 @@ } // Computes 5^-i in the form required by Ryū.-#[cfg(integer128)] #[cfg_attr(feature = "no-panic", inline)] pub unsafe fn compute_inv_pow5(i: u32) -> (u64, u64) { let base = (i + DOUBLE_POW5_TABLE.len() as u32 - 1) / DOUBLE_POW5_TABLE.len() as u32;@@ -144,64 +140,3 @@ + ((*POW5_INV_OFFSETS.get_unchecked((i / 16) as usize) >> ((i % 16) << 1)) & 3) as u128; (shifted_sum as u64, (shifted_sum >> 64) as u64) }--// Computes 5^i in the form required by Ryū, and stores it in the given pointer.-#[cfg(not(integer128))]-#[cfg_attr(feature = "no-panic", inline)]-pub unsafe fn compute_pow5(i: u32) -> (u64, u64) {- let base = i / DOUBLE_POW5_TABLE.len() as u32;- let base2 = base * DOUBLE_POW5_TABLE.len() as u32;- let offset = i - base2;- debug_assert!(base < DOUBLE_POW5_SPLIT2.len() as u32);- let mul = *DOUBLE_POW5_SPLIT2.get_unchecked(base as usize);- if offset == 0 {- return mul;- }- debug_assert!(offset < DOUBLE_POW5_TABLE.len() as u32);- let m = *DOUBLE_POW5_TABLE.get_unchecked(offset as usize);- let (low1, mut high1) = umul128(m, mul.1);- let (low0, high0) = umul128(m, mul.0);- let sum = high0 + low1;- if sum < high0 {- high1 += 1; // overflow into high1- }- // high1 | sum | low0- let delta = pow5bits(i as i32) - pow5bits(base2 as i32);- debug_assert!(i / 16 < POW5_OFFSETS.len() as u32);- (- shiftright128(low0, sum, delta as u32)- + ((*POW5_OFFSETS.get_unchecked((i / 16) as usize) >> ((i % 16) << 1)) & 3) as u64,- shiftright128(sum, high1, delta as u32),- )-}--// Computes 5^-i in the form required by Ryū, and stores it in the given pointer.-#[cfg(not(integer128))]-#[cfg_attr(feature = "no-panic", inline)]-pub unsafe fn compute_inv_pow5(i: u32) -> (u64, u64) {- let base = (i + DOUBLE_POW5_TABLE.len() as u32 - 1) / DOUBLE_POW5_TABLE.len() as u32;- let base2 = base * DOUBLE_POW5_TABLE.len() as u32;- let offset = base2 - i;- debug_assert!(base < DOUBLE_POW5_INV_SPLIT2.len() as u32);- let mul = *DOUBLE_POW5_INV_SPLIT2.get_unchecked(base as usize); // 1/5^base2- if offset == 0 {- return mul;- }- debug_assert!(offset < DOUBLE_POW5_TABLE.len() as u32);- let m = *DOUBLE_POW5_TABLE.get_unchecked(offset as usize);- let (low1, mut high1) = umul128(m, mul.1);- let (low0, high0) = umul128(m, mul.0 - 1);- let sum = high0 + low1;- if sum < high0 {- high1 += 1; // overflow into high1- }- // high1 | sum | low0- let delta = pow5bits(base2 as i32) - pow5bits(i as i32);- debug_assert!(base < POW5_INV_OFFSETS.len() as u32);- (- shiftright128(low0, sum, delta as u32)- + 1- + ((*POW5_INV_OFFSETS.get_unchecked((i / 16) as usize) >> ((i % 16) << 1)) & 3) as u64,- shiftright128(sum, high1, delta as u32),- )-}
I'll analyze the provided code diff for security fixes following the specified format. Vulnerability Existed: not sure Potential Integer Overflow/Underflow Vulnerability [File] [Lines 19-140] [Old Code] The old code had two versions of compute_pow5 and compute_inv_pow5 functions, one for 128-bit integers and one for non-128-bit integers, using unsafe operations and pointer dereferencing. [Fixed Code] The new code removes the non-128-bit integer version of these functions, consolidating to only the 128-bit implementation. Vulnerability Existed: not sure Potential Unsafe Pointer Dereference [File] [Lines 19-140] [Old Code] The old code used get_unchecked for array access and performed unsafe operations in both implementations. [Fixed Code] The new code still uses get_unchecked but removes the duplicate implementation path, reducing the attack surface. The main changes appear to be: 1. Removal of the non-128-bit integer code path 2. Consolidation of the pow5 computation functions 3. Removal of unused imports While the changes don't explicitly fix a known vulnerability, they: - Reduce code complexity - Remove potentially unsafe code paths - Eliminate duplicate implementations that could lead to inconsistencies The changes seem to be more about code simplification and maintenance rather than direct security fixes, but they could indirectly improve security by reducing the attack surface.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/scripts/misc/build-compiler-rt.sh+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/scripts/misc/build-compiler-rt.sh@@ -1,6 +1,6 @@ #!/bin/sh-set -e+set -e -x target=$1 shift@@ -62,6 +62,7 @@ -DDARWIN_osx_SYSROOT=$MOZ_FETCHES_DIR/MacOSX11.0.sdk -DDARWIN_macosx_OVERRIDE_SDK_VERSION=11.0 -DDARWIN_osx_BUILTIN_ARCHS=$arch+ -DLLVM_DEFAULT_TARGET_TRIPLE=$target " # compiler-rt build script expects to find `codesign` in $PATH. # Give it a fake one.@@ -79,6 +80,7 @@ " # These flags are only necessary to pass the cmake tests. exe_linker_flags="+ --rtlib=libgcc -L$MOZ_FETCHES_DIR/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/$ndk_target/$api_level -L$MOZ_FETCHES_DIR/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/$ndk_target "@@ -106,6 +108,38 @@ " PATH="$MOZ_FETCHES_DIR/binutils/bin:$PATH" ;;+*-pc-windows-msvc)+ VSPATH="$MOZ_FETCHES_DIR/vs2017_15.9.6"+ SDK_VERSION=10.0.17134.0++ export INCLUDE="${VSPATH}/VC/include;${VSPATH}/VC/atlmfc/include;${VSPATH}/SDK/Include/${SDK_VERSION}/ucrt;${VSPATH}/SDK/Include/${SDK_VERSION}/shared;${VSPATH}/SDK/Include/${SDK_VERSION}/um"+ case "$target" in+ i686-pc-windows-msvc)+ VCARCH=x86+ ;;+ x86_64-pc-windows-msvc)+ VCARCH=x64+ ;;+ aarch64-pc-windows-msvc)+ VCARCH=arm64+ ;;+ esac+ export LIB="${VSPATH}/VC/lib/${VCARCH};${VSPATH}/VC/atlmfc/lib/${VCARCH};${VSPATH}/SDK/Lib/${SDK_VERSION}/um/${VCARCH};${VSPATH}/SDK/Lib/${SDK_VERSION}/ucrt/${VCARCH}"+ export LD_PRELOAD=$MOZ_FETCHES_DIR/liblowercase/liblowercase.so+ export LOWERCASE_DIRS=$VSPATH+ clang=$MOZ_FETCHES_DIR/clang/bin/clang-cl+ clangxx=$clang+ ar=lib+ EXTRA_CMAKE_FLAGS="+ -DCMAKE_SYSTEM_NAME=Windows+ -DCMAKE_LINKER=$MOZ_FETCHES_DIR/clang/bin/lld-link+ -DCMAKE_MT=$MOZ_FETCHES_DIR/clang/bin/llvm-mt+ -DCMAKE_RC_COMPILER=$MOZ_FETCHES_DIR/clang/bin/llvm-rc+ -DCMAKE_C_FLAGS='--target=$target -fms-compatibility-version=19.15.26726'+ -DCMAKE_CXX_FLAGS='--target=$target -fms-compatibility-version=19.15.26726'+ -DCMAKE_ASM_FLAGS=--target=$target+ "+ ;; *) echo $target is not supported yet exit 1@@ -120,18 +154,27 @@ cd compiler-rt for patchfile in "$@"; do- patch -d $MOZ_FETCHES_DIR/llvm-project -p1 < $GECKO_PATH/$patchfile+ case $patchfile in+ *.json)+ jq -r '.patches[]' $GECKO_PATH/$patchfile | while read p; do+ patch -d $MOZ_FETCHES_DIR/llvm-project -p1 < $GECKO_PATH/$(dirname $patchfile)/$p+ done+ ;;+ *)+ patch -d $MOZ_FETCHES_DIR/llvm-project -p1 < $GECKO_PATH/$patchfile+ ;;+ esac done eval cmake \ $MOZ_FETCHES_DIR/llvm-project/compiler-rt \ -GNinja \ -DCMAKE_C_COMPILER=$clang \- -DCMAKE_CXX_COMPILER=$clang++ \+ -DCMAKE_CXX_COMPILER=${clangxx:-$clang++} \ -DCMAKE_C_COMPILER_TARGET=$target \ -DCMAKE_CXX_COMPILER_TARGET=$target \ -DCMAKE_ASM_COMPILER_TARGET=$target \- -DCMAKE_AR=$MOZ_FETCHES_DIR/clang/bin/llvm-ar \+ -DCMAKE_AR=$MOZ_FETCHES_DIR/clang/bin/llvm-${ar:-ar} \ -DCMAKE_RANLIB=$MOZ_FETCHES_DIR/clang/bin/llvm-ranlib \ -DCMAKE_BUILD_TYPE=Release \ -DLLVM_ENABLE_ASSERTIONS=OFF \
I'll analyze the code diff for security fixes following the specified format.
1. Vulnerability Existed: not sure
[Potential Command Injection] [taskcluster/scripts/misc/build-compiler-rt.sh] [Lines 153-161]
[Old Code]
for patchfile in "$@"; do
patch -d $MOZ_FETCHES_DIR/llvm-project -p1 < $GECKO_PATH/$patchfile
done
[Fixed Code]
for patchfile in "$@"; do
case $patchfile in
*.json)
jq -r '.patches[]' $GECKO_PATH/$patchfile | while read p; do
patch -d $MOZ_FETCHES_DIR/llvm-project -p1 < $GECKO_PATH/$(dirname $patchfile)/$p
done
;;
*)
patch -d $MOZ_FETCHES_DIR/llvm-project -p1 < $GECKO_PATH/$patchfile
;;
esac
done
2. Vulnerability Existed: not sure
[Potential Insecure Path Handling] [taskcluster/scripts/misc/build-compiler-rt.sh] [Lines 108-138]
[Old Code]
[No previous Windows MSVC support]
[Fixed Code]
Added Windows MSVC support with proper path and environment variable handling for different architectures (x86, x64, arm64)
3. Vulnerability Existed: not sure
[Potential Build Configuration Issue] [taskcluster/scripts/misc/build-compiler-rt.sh] [Lines 79-81]
[Old Code]
exe_linker_flags="
-L$MOZ_FETCHES_DIR/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/$ndk_target/$api_level
-L$MOZ_FETCHES_DIR/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/$ndk_target
"
[Fixed Code]
exe_linker_flags="
--rtlib=libgcc
-L$MOZ_FETCHES_DIR/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/$ndk_target/$api_level
-L$MOZ_FETCHES_DIR/android-ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot/usr/lib/$ndk_target
"
4. Vulnerability Existed: not sure
[Potential Missing Target Triple] [taskcluster/scripts/misc/build-compiler-rt.sh] [Lines 62-65]
[Old Code]
-DDARWIN_osx_BUILTIN_ARCHS=$arch
"
[Fixed Code]
-DDARWIN_osx_BUILTIN_ARCHS=$arch
-DLLVM_DEFAULT_TARGET_TRIPLE=$target
"
Note: While I've identified several changes that could potentially relate to security fixes, I'm not certain about specific vulnerabilities being addressed. The changes appear to improve robustness and add support for Windows MSVC builds, but without more context about the specific security concerns being addressed, I can't definitively state what vulnerabilities were fixed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/2d/BaseRect.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/2d/BaseRect.h@@ -555,12 +555,10 @@ void Scale(T aScale) { Scale(aScale, aScale); } // Scale 'this' by aXScale and aYScale, without doing any rounding. void Scale(T aXScale, T aYScale) {- T right = XMost() * aXScale;- T bottom = YMost() * aYScale; x = x * aXScale; y = y * aYScale;- width = right - x;- height = bottom - y;+ width = width * aXScale;+ height = height * aYScale; } // Scale 'this' by aScale, converting coordinates to integers so that the // result is the smallest integer-coordinate rectangle containing the
Here's the analysis of the provided code diff:
Vulnerability Existed: not sure
[Potential Integer Overflow/Precision Loss] [gfx/2d/BaseRect.h] [Lines 555-560]
[Old Code]
T right = XMost() * aXScale;
T bottom = YMost() * aYScale;
x = x * aXScale;
y = y * aYScale;
width = right - x;
height = bottom - y;
[Fixed Code]
x = x * aXScale;
y = y * aYScale;
width = width * aXScale;
height = height * aYScale;
Additional Details:
The change appears to modify how rectangle scaling is calculated. The old code first calculated the right/bottom positions and then derived width/height, while the new code directly scales the width/height. This could potentially address:
1. Integer overflow issues when XMost() * aXScale is very large
2. Floating-point precision loss when subtracting two large numbers (right - x)
3. More consistent behavior when dealing with negative coordinates
However, without more context about the template type T and how this code is used, it's difficult to confirm if this was an actual security vulnerability or just a robustness improvement. The change does make the calculation more numerically stable in edge cases.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py@@ -1,6 +1,8 @@ import json import pytest++from http.client import HTTPConnection from tests.support.http_request import HTTPRequest from . import using_context@@ -70,3 +72,37 @@ session.execute_script("""return Services.appinfo.fissionAutostart""") is True )++[email protected]("origin", [None, "", "sometext", "http://localhost:1234"])[email protected](+ {+ "moz:debuggerAddress": True,+ "moz:firefoxOptions": {+ "prefs": {+ "remote.active-protocols": 2,+ }+ },+ }+)+def test_origin_header_allowed_when_bidi_disabled(session, origin):+ debugger_address = session.capabilities.get("moz:debuggerAddress")+ assert debugger_address is not None++ url = f"http://{debugger_address}/json/version"++ conn = HTTPConnection(debugger_address)+ conn.putrequest("GET", url)++ if origin is not None:+ conn.putheader("Origin", origin)++ conn.putheader("Connection", "upgrade")+ conn.putheader("Upgrade", "websocket")+ conn.putheader("Sec-WebSocket-Key", "dGhlIHNhbXBsZSBub25jZQ==")+ conn.putheader("Sec-WebSocket-Version", "13")+ conn.endheaders()++ response = conn.getresponse()++ assert response.status == 200
Based on the provided diff, I'll analyze the security implications: 1. Vulnerability Existed: not sure [Potential Origin Header Injection] [testing/web-platform/mozilla/tests/webdriver/new_session/debugger_address.py] [Lines 72+] [Old Code] (No equivalent test existed) [Fixed Code] (New test added that checks various Origin header values including potentially malicious ones) Additional Details: - The new test appears to be testing how the debugger address endpoint handles various Origin header values - While not clearly a vulnerability fix, it's testing security-related behavior (Origin header validation) - The test verifies that the endpoint returns 200 OK regardless of Origin header when BiDi is disabled - This might be related to CORS (Cross-Origin Resource Sharing) security testing Note: Without seeing the actual security fix or vulnerability report, it's difficult to confirm if this was specifically addressing a known vulnerability. The test appears to be adding security-related test coverage rather than fixing a specific vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.1.dompoint.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.1.dompoint.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -23,20 +23,20 @@ ctx.fill(); // top-left corner-_assertPixel(offscreenCanvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 41,1, 0,255,0,255, "41,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,10, 255,0,0,255, "1,10", "255,0,0,255");-_assertPixel(offscreenCanvas, 1,21, 0,255,0,255, "1,21", "0,255,0,255");+_assertPixel(canvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");+_assertPixel(canvas, 41,1, 0,255,0,255, "41,1", "0,255,0,255");+_assertPixel(canvas, 1,10, 255,0,0,255, "1,10", "255,0,0,255");+_assertPixel(canvas, 1,21, 0,255,0,255, "1,21", "0,255,0,255"); // bottom-right corner-_assertPixel(offscreenCanvas, 79,48, 255,0,0,255, "79,48", "255,0,0,255");-_assertPixel(offscreenCanvas, 58,48, 0,255,0,255, "58,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,39, 255,0,0,255, "98,39", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,28, 0,255,0,255, "98,28", "0,255,0,255");+_assertPixel(canvas, 79,48, 255,0,0,255, "79,48", "255,0,0,255");+_assertPixel(canvas, 58,48, 0,255,0,255, "58,48", "0,255,0,255");+_assertPixel(canvas, 98,39, 255,0,0,255, "98,39", "255,0,0,255");+_assertPixel(canvas, 98,28, 0,255,0,255, "98,28", "0,255,0,255"); // other corners-_assertPixel(offscreenCanvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 98,1, 0,255,0,255, "98,1", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring, renaming a variable from `offscreenCanvas` to `canvas` and updating all references to it. Here's the analysis:
Vulnerability Existed: no
[Variable Renaming Refactoring] [testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.1.dompoint.worker.js] [Lines 13-14, 23-36]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 20,1, 255,0,0,255, "20,1", "255,0,0,255");
The changes don't indicate any security fixes or vulnerability patches, just a variable name change for better readability or consistency. No security-related functionality was modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.componentTransfer.table.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/filters/2d.filter.canvasFilterObject.componentTransfer.table.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); // From https://www.w3.org/TR/SVG11/filters.html#feComponentTransferElement function getTransformedValue(C, V) {@@ -55,7 +55,7 @@ let outputColor = getColor(color, [tableValuesR, tableValuesG, tableValuesB]); ctx.fillStyle = `rgb(${color[0]}, ${color[1]}, ${color[2]})`; ctx.fillRect(0, 0, 10, 10);- _assertPixelApprox(offscreenCanvas, 5, 5, outputColor[0],outputColor[1],outputColor[2],255, "5,5", `${outputColor[0]},${outputColor[1]},${outputColor[2]}`, 2);+ _assertPixelApprox(canvas, 5, 5, outputColor[0],outputColor[1],outputColor[2],255, "5,5", `${outputColor[0]},${outputColor[1]},${outputColor[2]}`, 2); } t.done()
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14, 55]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixelApprox(offscreenCanvas, 5, 5, outputColor[0],outputColor[1],outputColor[2],255, "5,5", `${outputColor[0]},${outputColor[1]},${outputColor[2]}`, 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixelApprox(canvas, 5, 5, outputColor[0],outputColor[1],outputColor[2],255, "5,5", `${outputColor[0]},${outputColor[1]},${outputColor[2]}`, 2);
The changes simply rename the variable `offscreenCanvas` to `canvas` and update all references to it. This doesn't appear to address any security issues but rather improves code consistency or readability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/xpconnect/src/XPCJSContext.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/xpconnect/src/XPCJSContext.cpp@@ -13,7 +13,6 @@ #include "xpcpublic.h" #include "XPCWrapper.h" #include "XPCJSMemoryReporter.h"-#include "XPCPrefableContextOptions.h" #include "XPCSelfHostedShmem.h" #include "WrapperFactory.h" #include "mozJSComponentLoader.h"@@ -775,6 +774,9 @@ static mozilla::Atomic<bool> sWeakRefsEnabled(false); static mozilla::Atomic<bool> sWeakRefsExposeCleanupSome(false); static mozilla::Atomic<bool> sIteratorHelpersEnabled(false);+#ifdef NIGHTLY_BUILD+static mozilla::Atomic<bool> sArrayGroupingEnabled(true);+#endif static JS::WeakRefSpecifier GetWeakRefsEnabled() { if (!sWeakRefsEnabled) {@@ -801,10 +803,71 @@ .setPropertyErrorMessageFixEnabled(sPropertyErrorMessageFixEnabled) .setWeakRefsEnabled(GetWeakRefsEnabled()) .setIteratorHelpersEnabled(sIteratorHelpersEnabled)+#ifdef NIGHTLY_BUILD+ .setArrayGroupingEnabled(sArrayGroupingEnabled)+#endif #ifdef ENABLE_NEW_SET_METHODS .setNewSetMethodsEnabled(enableNewSetMethods) #endif ;+}++void xpc::SetPrefableContextOptions(JS::ContextOptions& options) {+ options+ .setAsmJS(Preferences::GetBool(JS_OPTIONS_DOT_STR "asmjs"))+#ifdef FUZZING+ .setFuzzing(Preferences::GetBool(JS_OPTIONS_DOT_STR "fuzzing.enabled"))+#endif+ .setWasm(Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm"))+ .setWasmForTrustedPrinciples(+ Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_trustedprincipals"))+#ifdef ENABLE_WASM_CRANELIFT+ .setWasmCranelift(+ Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_optimizingjit"))+ .setWasmIon(false)+#else+ .setWasmCranelift(false)+ .setWasmIon(Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_optimizingjit"))+#endif+ .setWasmBaseline(+ Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_baselinejit"))+#define WASM_FEATURE(NAME, LOWER_NAME, COMPILE_PRED, COMPILER_PRED, FLAG_PRED, \+ SHELL, PREF) \+ .setWasm##NAME(Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_" PREF))+ JS_FOR_WASM_FEATURES(WASM_FEATURE, WASM_FEATURE, WASM_FEATURE)+#undef WASM_FEATURE+#ifdef ENABLE_WASM_SIMD_WORMHOLE+# ifdef EARLY_BETA_OR_EARLIER+ .setWasmSimdWormhole(+ Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_simd_wormhole"))+# else+ .setWasmSimdWormhole(false)+# endif+#endif+ .setWasmVerbose(Preferences::GetBool(JS_OPTIONS_DOT_STR "wasm_verbose"))+ .setThrowOnAsmJSValidationFailure(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "throw_on_asmjs_validation_failure"))+ .setSourcePragmas(+ Preferences::GetBool(JS_OPTIONS_DOT_STR "source_pragmas"))+ .setAsyncStack(Preferences::GetBool(JS_OPTIONS_DOT_STR "asyncstack"))+ .setAsyncStackCaptureDebuggeeOnly(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "asyncstack_capture_debuggee_only"))+ .setPrivateClassFields(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "experimental.private_fields"))+ .setPrivateClassMethods(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "experimental.private_methods"))+ .setClassStaticBlocks(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "experimental.class_static_blocks"))+#ifdef ENABLE_CHANGE_ARRAY_BY_COPY+ .setChangeArrayByCopy(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "experimental.enable_change_array_by_copy"))+#endif+#ifdef NIGHTLY_BUILD+ .setImportAssertions(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "experimental.import_assertions"))+#endif+ .setErgnomicBrandChecks(Preferences::GetBool(+ JS_OPTIONS_DOT_STR "experimental.ergonomic_brand_checks")); } // Mirrored value of javascript.options.self_hosted.use_shared_memory.@@ -946,6 +1009,8 @@ #ifdef NIGHTLY_BUILD sIteratorHelpersEnabled = Preferences::GetBool(JS_OPTIONS_DOT_STR "experimental.iterator_helpers");+ sArrayGroupingEnabled =+ Preferences::GetBool(JS_OPTIONS_DOT_STR "experimental.array_grouping"); #endif #ifdef ENABLE_NEW_SET_METHODS@@ -963,10 +1028,7 @@ #endif // JS_GC_ZEAL auto& contextOptions = JS::ContextOptionsRef(cx);- SetPrefableContextOptions(contextOptions,- [](const char* jsPref, const char* workerPref) {- return Preferences::GetBool(jsPref);- });+ SetPrefableContextOptions(contextOptions); // Set options not shared with workers. contextOptions
Based on the provided code diff, I'll analyze it for security fixes:
1. First change (removal of XPCPrefableContextOptions.h include):
Vulnerability Existed: no
No specific vulnerability - This appears to be a code cleanup/refactoring change where an unused header was removed.
2. Second change (addition of array grouping feature flag):
Vulnerability Existed: no
No specific vulnerability - This adds a new experimental feature flag (array grouping) guarded by NIGHTLY_BUILD, which is a normal feature addition.
3. Third change (refactoring of SetPrefableContextOptions):
Vulnerability Existed: not sure
Potential Configuration Security Improvement [File] js/xpconnect/src/XPCJSContext.cpp [Lines] 801-946
[Old Code]
The old implementation appeared to use a lambda function to get preferences
[Fixed Code]
The new implementation directly uses Preferences::GetBool() calls in a more straightforward way
Additional Notes:
- The changes appear to be primarily refactoring and feature additions rather than security fixes
- The removal of the lambda-based preference getting mechanism could potentially improve security by making the code more straightforward and easier to audit, but this is speculative
- The addition of new experimental features (like array grouping) behind NIGHTLY_BUILD flags follows standard security practices for feature rollout
- No obvious vulnerabilities (like memory safety issues, privilege escalations, etc.) are being fixed in this diff
The most significant change is the refactoring of the preference setting logic, which might have security implications in terms of making the code more maintainable and auditable, but doesn't appear to fix any specific known vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.closed.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.closed.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.strokeStyle = '#0f0';@@ -28,10 +28,10 @@ ctx.lineTo(1000, 50); ctx.closePath(); ctx.stroke();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");+_assertPixel(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255"); t.done(); });
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 13-28]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
Additional Details:
The changes appear to be purely a variable name refactoring from "offscreenCanvas" to "canvas". There are no security-related changes in this diff, just improved code readability/maintainability. The functionality remains exactly the same, only the variable name was changed. No security vulnerabilities were addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/nss/cmd/crlutil/crlutil.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/nss/cmd/crlutil/crlutil.c@@ -1044,7 +1044,10 @@ PK11_SetPasswordFunc(SECU_GetModulePassword); if (showFileCRL) {- NSS_NoDB_Init(NULL);+ rv = NSS_NoDB_Init(NULL);+ if (rv != SECSuccess) {+ goto loser;+ } } else { secstatus = NSS_Initialize(SECU_ConfigDirectory(NULL), dbPrefix, dbPrefix, "secmod.db", readonly ? NSS_INIT_READONLY : 0);
Here's the analysis of the provided code diff:
Vulnerability Existed: yes
Unchecked Return Value Vulnerability [File] security/nss/cmd/crlutil/crlutil.c [Lines 1044]
[Old Code]
NSS_NoDB_Init(NULL);
[Fixed Code]
rv = NSS_NoDB_Init(NULL);
if (rv != SECSuccess) {
goto loser;
}
Additional Details:
The vulnerability was an unchecked return value from NSS_NoDB_Init(). In the old code, the function's return value wasn't checked, which could lead to program continuing execution even if initialization failed. The fix properly checks the return value and handles the error case by jumping to the 'loser' label for cleanup. This is important for security as continuing execution after failed initialization could lead to undefined behavior or security issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling_core/src/options/shape.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling_core/src/options/shape.rs@@ -5,7 +5,7 @@ use quote::{ToTokens, TokenStreamExt}; use syn::{Meta, NestedMeta};-use {Error, FromMeta, Result};+use crate::{Error, FromMeta, Result}; /// Receiver struct for shape validation. Shape validation allows a deriving type /// to declare that it only accepts - for example - named structs, or newtype enum@@ -134,7 +134,7 @@ } fn set_word(&mut self, word: &str) -> Result<()> {- match word.trim_left_matches(self.prefix) {+ match word.trim_start_matches(self.prefix) { "newtype" => { self.newtype = true; Ok(())@@ -188,7 +188,7 @@ let body = if self.any { quote!(::darling::export::Ok(())) } else if self.supports_none() {- let ty = self.prefix.trim_right_matches('_');+ let ty = self.prefix.trim_end_matches('_'); quote!(::darling::export::Err(::darling::Error::unsupported_shape(#ty))) } else { let unit = match_arm("unit", self.unit);@@ -228,15 +228,14 @@ #[cfg(test)] mod tests { use proc_macro2::TokenStream;- use syn; use super::Shape;- use FromMeta;+ use crate::FromMeta; /// parse a string as a syn::Meta instance. fn pm(tokens: TokenStream) -> ::std::result::Result<syn::Meta, String> { let attribute: syn::Attribute = parse_quote!(#[#tokens]);- attribute.parse_meta().or(Err("Unable to parse".into()))+ attribute.parse_meta().map_err(|_| "Unable to parse".into()) } fn fm<T: FromMeta>(tokens: TokenStream) -> T {@@ -247,22 +246,22 @@ #[test] fn supports_any() { let decl = fm::<Shape>(quote!(ignore(any)));- assert_eq!(decl.any, true);+ assert!(decl.any); } #[test] fn supports_struct() { let decl = fm::<Shape>(quote!(ignore(struct_any, struct_newtype)));- assert_eq!(decl.struct_values.any, true);- assert_eq!(decl.struct_values.newtype, true);+ assert!(decl.struct_values.any);+ assert!(decl.struct_values.newtype); } #[test] fn supports_mixed() { let decl = fm::<Shape>(quote!(ignore(struct_newtype, enum_newtype, enum_tuple)));- assert_eq!(decl.struct_values.newtype, true);- assert_eq!(decl.enum_values.newtype, true);- assert_eq!(decl.enum_values.tuple, true);- assert_eq!(decl.struct_values.any, false);- }-}+ assert!(decl.struct_values.newtype);+ assert!(decl.enum_values.newtype);+ assert!(decl.enum_values.tuple);+ assert!(!decl.struct_values.any);+ }+}
I'll analyze the code diff for security fixes following the specified format.
1. Vulnerability Existed: no
Deprecated Function Usage [third_party/rust/darling_core/src/options/shape.rs] [Lines 134, 188]
Old Code: `trim_left_matches(self.prefix)`
Fixed Code: `trim_start_matches(self.prefix)`
Additional Details: This is not a security fix but rather updating deprecated Rust functions (trim_left_matches → trim_start_matches) for consistency with Rust's naming conventions.
2. Vulnerability Existed: no
Deprecated Function Usage [third_party/rust/darling_core/src/options/shape.rs] [Lines 134, 188]
Old Code: `trim_right_matches('_')`
Fixed Code: `trim_end_matches('_')`
Additional Details: Similar to the first case, this updates another deprecated Rust function (trim_right_matches → trim_end_matches) for naming consistency.
3. Vulnerability Existed: no
Error Handling Improvement [third_party/rust/darling_core/src/options/shape.rs] [Lines 228-247]
Old Code: `.or(Err("Unable to parse".into()))`
Fixed Code: `.map_err(|_| "Unable to parse".into())`
Additional Details: This is an improvement in error handling style but doesn't represent a security fix.
4. Vulnerability Existed: no
Import Path Update [third_party/rust/darling_core/src/options/shape.rs] [Lines 5, 230]
Old Code: `use {Error, FromMeta, Result};`
Fixed Code: `use crate::{Error, FromMeta, Result};`
Additional Details: This is a code style/import path update, not a security fix.
5. Vulnerability Existed: no
Test Assertion Improvement [third_party/rust/darling_core/src/options/shape.rs] [Lines 247-263]
Old Code: `assert_eq!(decl.any, true);`
Fixed Code: `assert!(decl.any);`
Additional Details: This is a test improvement using more idiomatic assertions, not a security fix.
The changes appear to be primarily code quality improvements, modernization of deprecated functions, and test enhancements rather than security fixes. No actual vulnerabilities were addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/fetch/FetchStreamReader.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/fetch/FetchStreamReader.h@@ -9,6 +9,7 @@ #include "js/RootingAPI.h" #include "js/TypeDecls.h"+#include "mozilla/Attributes.h" #include "mozilla/dom/FetchBinding.h" #include "mozilla/dom/PromiseNativeHandler.h" #include "nsIAsyncOutputStream.h"@@ -17,6 +18,8 @@ namespace mozilla { namespace dom {+class ReadableStream;+class ReadableStreamDefaultReader; class WeakWorkerRef; class FetchStreamReader final : public nsIOutputStreamCallback,@@ -33,18 +36,30 @@ FetchStreamReader** aStreamReader, nsIInputStream** aInputStream);- void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override;+ void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override;- void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override;+ void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,+ ErrorResult& aRv) override; // Idempotently close the output stream and null out all state. If aCx is // provided, the reader will also be canceled. aStatus must be a DOM error // as understood by DOMException because it will be provided as the // cancellation reason.+ //+ // This is a script boundary minimize annotation changes required while+ // we figure out how to handle some more tricky annotation cases (for+ // example, the destructor of this class. Tracking under Bug 1750656)+ MOZ_CAN_RUN_SCRIPT_BOUNDARY void CloseAndRelease(JSContext* aCx, nsresult aStatus);+#ifdef MOZ_DOM_STREAMS+ void StartConsuming(JSContext* aCx, ReadableStream* aStream,+ ReadableStreamDefaultReader** aReader, ErrorResult& aRv);+#else void StartConsuming(JSContext* aCx, JS::HandleObject aStream, JS::MutableHandle<JSObject*> aReader, ErrorResult& aRv);+#endif private: explicit FetchStreamReader(nsIGlobalObject* aGlobal);@@ -61,7 +76,11 @@ RefPtr<WeakWorkerRef> mWorkerRef;+#ifdef MOZ_DOM_STREAMS+ RefPtr<ReadableStreamDefaultReader> mReader;+#else JS::Heap<JSObject*> mReader;+#endif nsTArray<uint8_t> mBuffer; uint32_t mBufferRemaining;
Here's the analysis of the provided code diff following the specified format:
1. Vulnerability Existed: not sure
[Potential Memory Safety Issue] [dom/fetch/FetchStreamReader.h] [Lines 36, 61-65]
[Old Code]
JS::Heap<JSObject*> mReader;
[Fixed Code]
#ifdef MOZ_DOM_STREAMS
RefPtr<ReadableStreamDefaultReader> mReader;
#else
JS::Heap<JSObject*> mReader;
#endif
Additional Details: The change moves from raw JS object handling to using RefPtr for stream readers, which could indicate a memory safety improvement, but without more context about the specific issues being addressed, we can't be certain.
2. Vulnerability Existed: not sure
[Potential Error Handling Issue] [dom/fetch/FetchStreamReader.h] [Lines 33-36]
[Old Code]
void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override;
void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue) override;
[Fixed Code]
void ResolvedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
ErrorResult& aRv) override;
void RejectedCallback(JSContext* aCx, JS::Handle<JS::Value> aValue,
ErrorResult& aRv) override;
Additional Details: The addition of ErrorResult parameters suggests improved error handling, but we can't determine if this fixes a specific vulnerability without more context.
3. Vulnerability Existed: not sure
[Potential Race Condition] [dom/fetch/FetchStreamReader.h] [Lines 46-49]
[Old Code]
(no annotation)
[Fixed Code]
MOZ_CAN_RUN_SCRIPT_BOUNDARY
Additional Details: The addition of MOZ_CAN_RUN_SCRIPT_BOUNDARY annotation suggests potential threading or script execution safety concerns, but we can't confirm a specific vulnerability was fixed.
Note: The changes appear to be primarily about improving memory safety and error handling, but without specific bug reports or vulnerability disclosures related to these changes, we can't definitively state what vulnerabilities were addressed. The changes are consistent with general security hardening practices.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/extensions/test/xpcshell/test_ext_cache_api.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/extensions/test/xpcshell/test_ext_cache_api.js@@ -248,3 +248,56 @@ "The extension cache storage data should have been evicted on addon uninstall" ); });++add_task(+ {+ // Pref used to allow to use the Cache WebAPI related to a page loaded from http+ // (otherwise Gecko will throw a SecurityError when trying to access the webpage+ // cache storage from the content script, unless the webpage is loaded from https).+ pref_set: [["dom.caches.testing.enabled", true]],+ },+ async function test_cache_put_from_contentscript() {+ const extension = ExtensionTestUtils.loadExtension({+ manifest: {+ content_scripts: [+ {+ matches: ["http://example.com/*"],+ js: ["content.js"],+ },+ ],+ },+ files: {+ "content.js": async function() {+ const cache = await caches.open("test-cachestorage");+ const request = "http://example.com";+ const response = await fetch(request);+ await cache.put(request, response).catch(err => {+ browser.test.sendMessage("cache-put-error", {+ name: err.name,+ message: err.message,+ });+ });+ },+ },+ });++ await extension.startup();++ const page = await ExtensionTestUtils.loadContentPage("http://example.com");+ const actualError = await extension.awaitMessage("cache-put-error");+ equal(+ actualError.name,+ "SecurityError",+ "Got a security error from cache.put call as expected"+ );+ ok(+ /Disallowed on WebExtension ContentScript Request/.test(+ actualError.message+ ),+ `Got the expected error message: ${actualError.message}`+ );++ await page.close();+ await extension.unload();+ }+);
Here's the analysis of the provided code diff:
Vulnerability Existed: yes
[SecurityError Handling for Cache API in Content Scripts] [toolkit/components/extensions/test/xpcshell/test_ext_cache_api.js] [Lines 248-302]
[Old Code]
(No previous test case existed for this scenario)
[Fixed Code]
The added test case verifies that:
1. Cache API operations from content scripts are properly restricted
2. Attempts to use cache.put() from a content script result in a SecurityError
3. The error message clearly indicates the operation is disallowed for WebExtension ContentScript requests
The fix ensures that extensions can't misuse the Cache API from content scripts, which could potentially lead to security issues if allowed. The test enforces that such operations are properly blocked with appropriate error messages.
Vulnerability Existed: not sure
[Potential Cache API Misuse from HTTP Context] [toolkit/components/extensions/test/xpcshell/test_ext_cache_api.js] [Lines 248-302]
[Old Code]
(No previous test case existed for this scenario)
[Fixed Code]
The test includes a pref_set to enable cache testing ("dom.caches.testing.enabled": true) and specifically tests behavior with HTTP URLs. While this appears to be a test case rather than a vulnerability fix, it might be related to preventing potential cache manipulation from insecure contexts. However, without more context about the actual implementation changes, this is uncertain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-offsets-relative-bottom-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-offsets-relative-bottom-1.html@@ -5,7 +5,6 @@ <link rel="author" title="L. David Baron" href="https://dbaron.org/"> <link rel="help" href="http://www.w3.org/TR/css3-values/#calc-notation"> <link rel="match" href="calc-offsets-relative-top-1-ref.html">- <meta name="flags" content=""> <style type="text/css"> body { margin: 0 } body > div { float: left; height: 100px; width: 3px; }
Based on the provided diff, I'll analyze it for potential security vulnerabilities: 1. Vulnerability Existed: no [No specific vulnerability] [testing/web-platform/tests/css/css-values/calc-offsets-relative-bottom-1.html] [Lines 5] [Old Code: <meta name="flags" content="">] [Fixed Code: (line removed)] Additional details: - The change simply removes an empty meta tag with a "flags" attribute, which appears to be test-related metadata - There's no indication of any security vulnerability being fixed here - This appears to be a minor cleanup change rather than a security fix - No common vulnerability patterns (XSS, injection, etc.) are present in this change The modification doesn't show any security implications as it's just removing an unused or unnecessary HTML meta tag from a test file.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.2.double.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.roundrect.2.radii.2.double.worker.js@@ -13,18 +13,18 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50); ctx.roundRect(0, 0, 100, 50, [0, 20]); ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");-_assertPixel(offscreenCanvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");-_assertPixel(offscreenCanvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");-_assertPixel(offscreenCanvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255");+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");+_assertPixel(canvas, 98,1, 255,0,0,255, "98,1", "255,0,0,255");+_assertPixel(canvas, 98,48, 0,255,0,255, "98,48", "0,255,0,255");+_assertPixel(canvas, 1,48, 255,0,0,255, "1,48", "255,0,0,255"); t.done(); });
After analyzing the provided code diff, I don't see any security-related changes. The changes appear to be purely cosmetic/refactoring (variable renaming) without any security implications.
Answer Format for Each Vulnerability:
Vulnerability Existed: no
No security vulnerabilities found in the diff. The changes are purely variable name refactoring from 'offscreenCanvas' to 'canvas' and corresponding updates to assertion calls.
Additional Details:
- The changes don't affect any security-sensitive operations
- No security-related functions or patterns were modified
- The test logic remains identical, only variable names were changed
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.transparent-2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.transparent-2.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'TrAnSpArEnT'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");+_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 13-14, 20]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0");
The changes appear to be purely cosmetic/refactoring, renaming the variable from `offscreenCanvas` to `canvas`. There are no security-related changes in this diff. The functionality remains exactly the same, just with a different variable name. No security vulnerability is being fixed here.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/docker/firefox-flatpak/runme.sh+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/docker/firefox-flatpak/runme.sh@@ -137,13 +137,17 @@ install -D -m644 -t "${appdir}/lib/firefox/browser/defaults/preferences" default-preferences.js install -D -m755 launch-script.sh "${appdir}/bin/firefox"+# We need to set GTK_PATH to load cups printing backend which is missing in+# freedesktop sdk. flatpak build-finish build \ --share=ipc \ --share=network \+ --env=GTK_PATH=/app/lib/gtkmodules \ --socket=pulseaudio \ --socket=wayland \ --socket=x11 \ --socket=pcsc \+ --socket=cups \ --require-version=0.11.1 \ --persist=.mozilla \ --filesystem=xdg-download:rw \
Based on the provided diff, here's the analysis:
Vulnerability Existed: not sure
Potential Missing Library Path Configuration [File] taskcluster/docker/firefox-flatpak/runme.sh [Lines 137-150]
[Old Code]
flatpak build-finish build \
--share=ipc \
--share=network \
--socket=pulseaudio \
--socket=wayland \
--socket=x11 \
--socket=pcsc \
--require-version=0.11.1 \
--persist=.mozilla \
--filesystem=xdg-download:rw \
[Fixed Code]
flatpak build-finish build \
--share=ipc \
--share=network \
--env=GTK_PATH=/app/lib/gtkmodules \
--socket=pulseaudio \
--socket=wayland \
--socket=x11 \
--socket=pcsc \
--socket=cups \
--require-version=0.11.1 \
--persist=.mozilla \
--filesystem=xdg-download:rw \
Additional Details:
The changes add GTK_PATH environment variable configuration and cups socket. While not a direct security vulnerability, this could potentially affect security if:
1. The GTK_PATH wasn't properly set before, potentially causing the application to load libraries from unexpected locations
2. The addition of cups socket could potentially expand the attack surface, though it's necessary for printing functionality
The changes appear to be more about functionality (adding printing support) than direct security fixes, but could have security implications in how the application handles library loading and printing capabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ppv-lite86/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ppv-lite86/.cargo-checksum.json@@ -1 +1 @@-{"files":{"Cargo.toml":"a3b4c03b3b8faad8965a6177b8d10d005aaf72dba4e0460f7e4602da15f63bc2","LICENSE-APACHE":"0218327e7a480793ffdd4eb792379a9709e5c135c7ba267f709d6f6d4d70af0a","LICENSE-MIT":"4cada0bd02ea3692eee6f16400d86c6508bbd3bafb2b65fed0419f36d4f83e8f","src/generic.rs":"3fcf342f83e6410abb7be6b2e8cf7e0673c872d53ace794eaabd12929489beea","src/lib.rs":"bcf308d7037e259d6640a785556fcdb86653cb4f72f64fbfeda9899857c14479","src/soft.rs":"4cc23fa9451ea44a4e3c492c66627dae6008746aab6d5290712ecc66846f2ea0","src/types.rs":"d51ea12b78b771ce3823b4fd23b1df125f4719d2e3ac63c842813b0cfc6cdb8b","src/x86_64/mod.rs":"e868eab93b96df599667c6e5de0f253946aed691bc39ee4c4f8ed72a758105d9","src/x86_64/sse2.rs":"5d958d134fcb0a4a264aadc51abddc24baeeaef41ae9b36bd49d6ab8dcff5d2c"},"package":"ed0cfbc8191465bed66e1718596ee0b0b35d5ee1f41c5df2189d0fe8bde535ba"}+{"files":{"CHANGELOG.md":"0bd1d2bdb4a940a0d867a782644eb007e79611be0a8d74d4ba106e83597716df","Cargo.toml":"3bd5de9ba4df3b05b80f05a777b148897137a43fbbfe7f35eea276a6d3b048e2","LICENSE-APACHE":"0218327e7a480793ffdd4eb792379a9709e5c135c7ba267f709d6f6d4d70af0a","LICENSE-MIT":"4cada0bd02ea3692eee6f16400d86c6508bbd3bafb2b65fed0419f36d4f83e8f","src/generic.rs":"a49f9f8fbe3d9e67d67861e77ae9e69cc9f8181edad578be99b19cdf05bd8046","src/lib.rs":"bcf308d7037e259d6640a785556fcdb86653cb4f72f64fbfeda9899857c14479","src/soft.rs":"11d7c36036444d3ad1267564b0913e4301d9ba485a7bb596eb39bf2a5973ff57","src/types.rs":"a1c9e993f85a99d1762597193d72ee8ff00c3f1116885040b4e4ecfbdedabf0a","src/x86_64/mod.rs":"145200e7f2dae24e4e0fd1020269132dddd652f30373f70a6b8dd40bf8327fea","src/x86_64/sse2.rs":"a7395837200b4eb03c178c762f3269ce9030187718b8ca62e15070c5c19cba96"},"package":"eb9f9e6e233e5c4a35559a617bf40a4ec447db2e84c20b55a6f83167b7e57872"}=========gfx/vr/ipc/VRManagerChild.cpp========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/vr/ipc/VRManagerChild.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/vr/ipc/VRManagerChild.cpp@@ -369,14 +369,8 @@ void VRManagerChild::DetectRuntimes() { Unused << SendDetectRuntimes(); } PVRLayerChild* VRManagerChild::CreateVRLayer(uint32_t aDisplayID,- nsISerialEventTarget* aTarget, uint32_t aGroup) { PVRLayerChild* vrLayerChild = AllocPVRLayerChild(aDisplayID, aGroup);- // Do the DOM labeling.- if (aTarget) {- SetEventTargetForActor(vrLayerChild, aTarget);- MOZ_ASSERT(vrLayerChild->GetActorEventTarget());- } return SendPVRLayerConstructor(vrLayerChild, aDisplayID, aGroup); }
I'll analyze the provided code diffs for security fixes following the specified format.
1. For the first file (ppv-lite86/.cargo-checksum.json):
Vulnerability Existed: not sure
[Dependency Checksum Update] [third_party/rust/ppv-lite86/.cargo-checksum.json] [Entire file]
[Old checksums and package hash]
[New checksums and package hash]
Note: This appears to be a routine dependency update with changed checksums, but without more context about the specific changes in the dependency, we can't determine if it fixes a security vulnerability.
2. For the second file (VRManagerChild.cpp):
Vulnerability Existed: yes
[Potential Privilege Escalation or Improper Access Control] [gfx/vr/ipc/VRManagerChild.cpp] [Lines 369-377]
[Old Code:
PVRLayerChild* VRManagerChild::CreateVRLayer(uint32_t aDisplayID,
nsISerialEventTarget* aTarget,
uint32_t aGroup) {
vrLayerChild = AllocPVRLayerChild(aDisplayID, aGroup);
if (aTarget) {
SetEventTargetForActor(vrLayerChild, aTarget);
MOZ_ASSERT(vrLayerChild->GetActorEventTarget());
}]
[Fixed Code:
PVRLayerChild* VRManagerChild::CreateVRLayer(uint32_t aDisplayID,
uint32_t aGroup) {
vrLayerChild = AllocPVRLayerChild(aDisplayID, aGroup);]
Note: The removal of the event target parameter and related code suggests a fix for potential privilege escalation or improper access control in the VR layer creation. The original code allowed setting an arbitrary event target, which could have been abused to bypass security boundaries.
The second change appears to be a security-related fix, while the first is likely a routine dependency update whose security implications aren't clear from the diff alone.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/webrtc-sdp/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/webrtc-sdp/src/lib.rs@@ -230,7 +230,7 @@ bandwidth = maybe_vector_to_string!("b={}\r\n", self.bandwidth, "\r\nb="), connection = option_to_string!("c={}\r\n", self.connection), session_attributes = maybe_vector_to_string!("a={}\r\n", self.attribute, "\r\na="),- media_sections = maybe_vector_to_string!("{}", self.media, "\r\n")+ media_sections = self.media.iter().map(|s| s.to_string()).collect::<String>(), ) } }@@ -396,6 +396,9 @@ } }+/* removing this wrap would not allow us to call this from the match statement inside+ * parse_sdp_line() */+#[allow(clippy::unnecessary_wraps)] fn parse_session(value: &str) -> Result<SdpType, SdpParserInternalError> { trace!("session: {}", value); Ok(SdpType::Session(String::from(value)))@@ -717,6 +720,16 @@ } }+ if msection+ .get_attribute(SdpAttributeType::RtcpMuxOnly)+ .is_some()+ && msection.get_attribute(SdpAttributeType::RtcpMux).is_none()+ {+ return Err(make_seq_error(+ "rtcp-mux-only media sections must also contain the rtcp-mux attribute",+ ));+ }+ let rids: Vec<&SdpAttributeRid> = msection .get_attributes() .iter()@@ -823,7 +836,7 @@ let _media_pos = lines .iter()- .position(|ref l| matches!(l.sdp_type, SdpType::Media(_)));+ .position(|l| matches!(l.sdp_type, SdpType::Media(_))); match _media_pos { Some(p) => {@@ -922,760 +935,5 @@ } #[cfg(test)]-mod tests {- extern crate url;- use super::*;- use address::{Address, AddressType};- use anonymizer::ToBytesVec;- use media_type::create_dummy_media_section;- use std::net::IpAddr;- use std::net::Ipv4Addr;-- fn create_dummy_sdp_session() -> SdpSession {- let origin = parse_origin("mozilla 506705521068071134 0 IN IP4 0.0.0.0");- assert!(origin.is_ok());- let connection = parse_connection("IN IP4 198.51.100.7");- assert!(connection.is_ok());- let mut sdp_session;- if let SdpType::Origin(o) = origin.unwrap() {- sdp_session = SdpSession::new(0, o, "-".to_string());-- if let Ok(SdpType::Connection(c)) = connection {- sdp_session.connection = Some(c);- } else {- unreachable!();- }- } else {- unreachable!();- }- sdp_session- }-- #[test]- fn test_session_works() -> Result<(), SdpParserInternalError> {- parse_session("topic")?;- Ok(())- }-- #[test]- fn test_version_works() -> Result<(), SdpParserInternalError> {- parse_version("0")?;- Ok(())- }-- #[test]- fn test_version_unsupported_input() {- assert!(parse_version("1").is_err());- assert!(parse_version("11").is_err());- assert!(parse_version("a").is_err());- }-- #[test]- fn test_origin_works() -> Result<(), SdpParserInternalError> {- parse_origin("mozilla 506705521068071134 0 IN IP4 0.0.0.0")?;- parse_origin("mozilla 506705521068071134 0 IN IP6 2001:db8::1")?;- Ok(())- }-- #[test]- fn test_origin_missing_username() {- assert!(parse_origin("").is_err());- }-- #[test]- fn test_origin_missing_session_id() {- assert!(parse_origin("mozilla ").is_err());- }-- #[test]- fn test_origin_missing_session_version() {- assert!(parse_origin("mozilla 506705521068071134 ").is_err());- }-- #[test]- fn test_origin_missing_nettype() {- assert!(parse_origin("mozilla 506705521068071134 0 ").is_err());- }-- #[test]- fn test_origin_unsupported_nettype() {- assert!(parse_origin("mozilla 506705521068071134 0 UNSUPPORTED IP4 0.0.0.0").is_err());- }-- #[test]- fn test_origin_missing_addtype() {- assert!(parse_origin("mozilla 506705521068071134 0 IN ").is_err());- }-- #[test]- fn test_origin_missing_ip_addr() {- assert!(parse_origin("mozilla 506705521068071134 0 IN IP4 ").is_err());- }-- #[test]- fn test_origin_unsupported_addrtpe() {- assert!(parse_origin("mozilla 506705521068071134 0 IN IP1 0.0.0.0").is_err());- }-- #[test]- fn test_origin_invalid_ip_addr() {- assert!(parse_origin("mozilla 506705521068071134 0 IN IP4 1.1.1.256").is_err());- assert!(parse_origin("mozilla 506705521068071134 0 IN IP6 ::g").is_err());- }-- #[test]- fn test_origin_addr_type_mismatch() {- assert!(parse_origin("mozilla 506705521068071134 0 IN IP4 ::1").is_err());- }-- #[test]- fn connection_works() -> Result<(), SdpParserInternalError> {- parse_connection("IN IP4 127.0.0.1")?;- parse_connection("IN IP4 127.0.0.1/10/10")?;- parse_connection("IN IP6 ::1")?;- parse_connection("IN IP6 ::1/1/1")?;- Ok(())- }-- #[test]- fn connection_lots_of_whitespace() -> Result<(), SdpParserInternalError> {- parse_connection("IN IP4 127.0.0.1")?;- Ok(())- }-- #[test]- fn connection_wrong_amount_of_tokens() {- assert!(parse_connection("IN IP4").is_err());- assert!(parse_connection("IN IP4 0.0.0.0 foobar").is_err());- }-- #[test]- fn connection_unsupported_nettype() {- assert!(parse_connection("UNSUPPORTED IP4 0.0.0.0").is_err());- }-- #[test]- fn connection_unsupported_addrtpe() {- assert!(parse_connection("IN IP1 0.0.0.0").is_err());- }-- #[test]- fn connection_broken_ip_addr() {- assert!(parse_connection("IN IP4 1.1.1.256").is_err());- assert!(parse_connection("IN IP6 ::g").is_err());- }-- #[test]- fn connection_addr_type_mismatch() {- assert!(parse_connection("IN IP4 ::1").is_err());- }-- #[test]- fn bandwidth_works() -> Result<(), SdpParserInternalError> {- parse_bandwidth("AS:1")?;- parse_bandwidth("CT:123")?;- parse_bandwidth("TIAS:12345")?;- Ok(())- }-- #[test]- fn bandwidth_wrong_amount_of_tokens() {- assert!(parse_bandwidth("TIAS").is_err());- assert!(parse_bandwidth("TIAS:12345:xyz").is_err());- }-- #[test]- fn bandwidth_unsupported_type() -> Result<(), SdpParserInternalError> {- parse_bandwidth("UNSUPPORTED:12345")?;- Ok(())- }-- #[test]- fn test_timing_works() -> Result<(), SdpParserInternalError> {- parse_timing("0 0")?;- Ok(())- }-- #[test]- fn test_timing_non_numeric_tokens() {- assert!(parse_timing("a 0").is_err());- assert!(parse_timing("0 a").is_err());- }-- #[test]- fn test_timing_wrong_amount_of_tokens() {- assert!(parse_timing("0").is_err());- assert!(parse_timing("0 0 0").is_err());- }-- #[test]- fn test_parse_sdp_line_works() -> Result<(), SdpParserError> {- parse_sdp_line("v=0", 0)?;- parse_sdp_line("s=somesession", 0)?;- Ok(())- }-- #[test]- fn test_parse_sdp_line_empty_line() {- assert!(parse_sdp_line("", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_unsupported_types() {- assert!(parse_sdp_line("e=foobar", 0).is_err());- assert!(parse_sdp_line("i=foobar", 0).is_err());- assert!(parse_sdp_line("k=foobar", 0).is_err());- assert!(parse_sdp_line("p=foobar", 0).is_err());- assert!(parse_sdp_line("r=foobar", 0).is_err());- assert!(parse_sdp_line("u=foobar", 0).is_err());- assert!(parse_sdp_line("z=foobar", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_unknown_key() {- assert!(parse_sdp_line("y=foobar", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_too_long_type() {- assert!(parse_sdp_line("ab=foobar", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_without_equal() {- assert!(parse_sdp_line("abcd", 0).is_err());- assert!(parse_sdp_line("ab cd", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_empty_value() {- assert!(parse_sdp_line("v=", 0).is_err());- assert!(parse_sdp_line("o=", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_empty_name() {- assert!(parse_sdp_line("=abc", 0).is_err());- }-- #[test]- fn test_parse_sdp_line_valid_a_line() -> Result<(), SdpParserError> {- parse_sdp_line("a=rtpmap:8 PCMA/8000", 0)?;- Ok(())- }-- #[test]- fn test_parse_sdp_line_invalid_a_line() {- assert!(parse_sdp_line("a=rtpmap:200 PCMA/8000", 0).is_err());- }-- #[test]- fn test_add_attribute() -> Result<(), SdpParserInternalError> {- let mut sdp_session = create_dummy_sdp_session();-- sdp_session.add_attribute(SdpAttribute::Sendrecv)?;- assert!(sdp_session.add_attribute(SdpAttribute::BundleOnly).is_err());- assert_eq!(sdp_session.attribute.len(), 1);- Ok(())- }-- #[test]- fn test_sanity_check_sdp_session_timing() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- sdp_session.extend_media(vec![create_dummy_media_section()]);-- assert!(sanity_check_sdp_session(&sdp_session).is_err());-- let t = SdpTiming { start: 0, stop: 0 };- sdp_session.set_timing(t);-- sanity_check_sdp_session(&sdp_session)?;- Ok(())- }-- #[test]- fn test_sanity_check_sdp_session_media() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- let t = SdpTiming { start: 0, stop: 0 };- sdp_session.set_timing(t);-- sanity_check_sdp_session(&sdp_session)?;-- sdp_session.extend_media(vec![create_dummy_media_section()]);-- sanity_check_sdp_session(&sdp_session)?;- Ok(())- }-- #[test]- fn test_sanity_check_sdp_connection() -> Result<(), SdpParserInternalError> {- let origin = parse_origin("mozilla 506705521068071134 0 IN IP4 0.0.0.0")?;- let mut sdp_session;- if let SdpType::Origin(o) = origin {- sdp_session = SdpSession::new(0, o, "-".to_string());- } else {- unreachable!();- }- let t = SdpTiming { start: 0, stop: 0 };- sdp_session.set_timing(t);-- assert!(sanity_check_sdp_session(&sdp_session).is_ok());-- // the dummy media section doesn't contain a connection- sdp_session.extend_media(vec![create_dummy_media_section()]);-- assert!(sanity_check_sdp_session(&sdp_session).is_err());-- let connection = parse_connection("IN IP6 ::1")?;- if let SdpType::Connection(c) = connection {- sdp_session.connection = Some(c);- } else {- unreachable!();- }-- assert!(sanity_check_sdp_session(&sdp_session).is_ok());-- let mut second_media = create_dummy_media_section();- let mconnection = parse_connection("IN IP4 0.0.0.0")?;- if let SdpType::Connection(c) = mconnection {- second_media.set_connection(c);- } else {- unreachable!();- }- sdp_session.extend_media(vec![second_media]);- assert!(sdp_session.media.len() == 2);-- assert!(sanity_check_sdp_session(&sdp_session).is_ok());- Ok(())- }-- #[test]- fn test_sanity_check_sdp_session_extmap() -> Result<(), SdpParserInternalError> {- let mut sdp_session = create_dummy_sdp_session();- let t = SdpTiming { start: 0, stop: 0 };- sdp_session.set_timing(t);- sdp_session.extend_media(vec![create_dummy_media_section()]);-- let attribute =- parse_attribute("extmap:3 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time")?;- if let SdpType::Attribute(a) = attribute {- sdp_session.add_attribute(a)?;- } else {- unreachable!();- }- assert!(sdp_session- .get_attribute(SdpAttributeType::Extmap)- .is_some());-- assert!(sanity_check_sdp_session(&sdp_session).is_ok());-- let mut second_media = create_dummy_media_section();- let mattribute =- parse_attribute("extmap:1/sendonly urn:ietf:params:rtp-hdrext:ssrc-audio-level")?;- if let SdpType::Attribute(ma) = mattribute {- second_media.add_attribute(ma)?;- } else {- unreachable!();- }- assert!(second_media- .get_attribute(SdpAttributeType::Extmap)- .is_some());-- sdp_session.extend_media(vec![second_media]);- assert!(sdp_session.media.len() == 2);-- assert!(sanity_check_sdp_session(&sdp_session).is_err());-- sdp_session.attribute = Vec::new();-- assert!(sanity_check_sdp_session(&sdp_session).is_ok());- Ok(())- }-- #[test]- fn test_sanity_check_sdp_session_simulcast() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- let t = SdpTiming { start: 0, stop: 0 };- sdp_session.set_timing(t);- sdp_session.extend_media(vec![create_dummy_media_section()]);-- sanity_check_sdp_session(&sdp_session)?;- Ok(())- }-- #[test]- fn test_parse_sdp_zero_length_string_fails() {- assert!(parse_sdp("", true).is_err());- }-- #[test]- fn test_parse_sdp_to_short_string() {- assert!(parse_sdp("fooooobarrrr", true).is_err());- }-- #[test]- fn test_parse_sdp_minimal_sdp_successfully() -> Result<(), SdpParserError> {- parse_sdp(- "v=0\r\n-o=- 0 0 IN IP6 ::1\r\n-s=-\r\n-c=IN IP6 ::1\r\n-t=0 0\r\n",- true,- )?;- Ok(())- }-- #[test]- fn test_parse_sdp_too_short() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.0.0.0\r\n-s=-\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_line_error() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.0.0.0\r\n-s=-\r\n-t=0 foobar\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_unsupported_error() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.0.0.0\r\n-s=-\r\n-t=0 0\r\n-m=foobar 0 UDP/TLS/RTP/SAVPF 0\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_unsupported_warning() -> Result<(), SdpParserError> {- parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.0.0.0\r\n-s=-\r\n-c=IN IP4 198.51.100.7\r\n-t=0 0\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n-a=unsupported\r\n",- false,- )?;- Ok(())- }-- #[test]- fn test_parse_sdp_sequence_error() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.0.0.0\r\n-s=-\r\n-t=0 0\r\n-a=bundle-only\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_integer_error() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.0.0.0\r\n-s=-\r\n-t=0 0\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n-a=rtcp:34er21\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_ipaddr_error() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.a.b.0\r\n-s=-\r\n-t=0 0\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_invalid_session_attribute() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.a.b.0\r\n-s=-\r\n-t=0 0\r\n-a=bundle-only\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n",- true- )- .is_err());- }-- #[test]- fn test_parse_sdp_invalid_media_attribute() {- assert!(parse_sdp(- "v=0\r\n-o=- 0 0 IN IP4 0.a.b.0\r\n-s=-\r\n-t=0 0\r\n-m=audio 0 UDP/TLS/RTP/SAVPF 0\r\n-a=ice-lite\r\n",- true- )- .is_err());- }-- #[test]- fn test_mask_origin() {- let mut anon = StatefulSdpAnonymizer::new();- if let SdpType::Origin(origin_1) =- parse_origin("mozilla 506705521068071134 0 IN IP4 0.0.0.0").unwrap()- {- for _ in 0..2 {- let masked = origin_1.masked_clone(&mut anon);- assert_eq!(masked.username, "origin-user-00000001");- assert_eq!(- masked.unicast_addr,- ExplicitlyTypedAddress::Ip(IpAddr::V4(Ipv4Addr::from(1)))- );- }- } else {- unreachable!();- }- }-- #[test]- fn test_mask_sdp() {- let mut anon = StatefulSdpAnonymizer::new();- let sdp = parse_sdp(- "v=0\r\n- o=ausername 4294967296 2 IN IP4 127.0.0.1\r\n- s=SIP Call\r\n- c=IN IP4 198.51.100.7/51\r\n- a=ice-pwd:12340\r\n- a=ice-ufrag:4a799b2e\r\n- a=fingerprint:sha-1 CD:34:D1:62:16:95:7B:B7:EB:74:E2:39:27:97:EB:0B:23:73:AC:BC\r\n- t=0 0\r\n- m=video 56436 RTP/SAVPF 120\r\n- a=candidate:77142221 1 udp 2113937151 192.168.137.1 54081 typ host\r\n- a=remote-candidates:0 10.0.0.1 5555\r\n- a=rtpmap:120 VP8/90000\r\n",- true,- )- .unwrap();- let mut masked = sdp.masked_clone(&mut anon);- assert_eq!(masked.origin.username, "origin-user-00000001");- assert_eq!(- masked.origin.unicast_addr,- ExplicitlyTypedAddress::Ip(IpAddr::V4(Ipv4Addr::from(1)))- );- assert_eq!(- masked.connection.unwrap().address,- ExplicitlyTypedAddress::Ip(IpAddr::V4(Ipv4Addr::from(2)))- );- let mut attributes = masked.attribute;- for m in &mut masked.media {- for attribute in m.get_attributes() {- attributes.push(attribute.clone());- }- }- for attribute in attributes {- match attribute {- SdpAttribute::Candidate(c) => {- assert_eq!(c.address, Address::Ip(IpAddr::V4(Ipv4Addr::from(3))));- assert_eq!(c.port, 1);- }- SdpAttribute::Fingerprint(f) => {- assert_eq!(f.fingerprint, 1u64.to_byte_vec());- }- SdpAttribute::IcePwd(p) => {- assert_eq!(p, "ice-password-00000001");- }- SdpAttribute::IceUfrag(u) => {- assert_eq!(u, "ice-user-00000001");- }- SdpAttribute::RemoteCandidate(r) => {- assert_eq!(r.address, Address::Ip(IpAddr::V4(Ipv4Addr::from(4))));- assert_eq!(r.port, 2);- }- _ => {}- }- }- }-- #[test]- fn test_parse_session_vector() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("a=sendrecv", 1)?);- sdp_session.parse_session_vector(&mut lines)?;- assert_eq!(sdp_session.attribute.len(), 1);- Ok(())- }-- #[test]- fn test_parse_session_vector_non_session_attribute() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("a=bundle-only", 2)?);- assert!(sdp_session.parse_session_vector(&mut lines).is_err());- assert_eq!(sdp_session.attribute.len(), 0);- Ok(())- }-- #[test]- fn test_parse_session_vector_version_repeated() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("v=0", 3)?);- assert!(sdp_session.parse_session_vector(&mut lines).is_err());- Ok(())- }-- #[test]- fn test_parse_session_vector_contains_media_type() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("m=audio 0 UDP/TLS/RTP/SAVPF 0", 4)?);- assert!(sdp_session.parse_session_vector(&mut lines).is_err());- Ok(())- }-- #[test]- fn test_parse_sdp_vector_no_media_section() -> Result<(), SdpParserError> {- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("v=0", 1)?);- lines.push(parse_sdp_line(- "o=ausername 4294967296 2 IN IP4 127.0.0.1",- 1,- )?);- lines.push(parse_sdp_line("s=SIP Call", 1)?);- lines.push(parse_sdp_line("t=0 0", 1)?);- lines.push(parse_sdp_line("c=IN IP6 ::1", 1)?);- assert!(parse_sdp_vector(&mut lines).is_ok());- Ok(())- }-- #[test]- fn test_parse_sdp_vector_with_media_section() -> Result<(), SdpParserError> {- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("v=0", 1)?);- lines.push(parse_sdp_line(- "o=ausername 4294967296 2 IN IP4 127.0.0.1",- 1,- )?);- lines.push(parse_sdp_line("s=SIP Call", 1)?);- lines.push(parse_sdp_line("t=0 0", 1)?);- lines.push(parse_sdp_line("m=video 56436 RTP/SAVPF 120", 1)?);- lines.push(parse_sdp_line("c=IN IP6 ::1", 1)?);- assert!(parse_sdp_vector(&mut lines).is_ok());- Ok(())- }-- #[test]- fn test_parse_sdp_vector_too_short() -> Result<(), SdpParserError> {- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("v=0", 1)?);- assert!(parse_sdp_vector(&mut lines).is_err());- Ok(())- }-- #[test]- fn test_parse_sdp_vector_missing_version() -> Result<(), SdpParserError> {- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line(- "o=ausername 4294967296 2 IN IP4 127.0.0.1",- 1,- )?);- for _ in 0..3 {- lines.push(parse_sdp_line("a=sendrecv", 1)?);- }- assert!(parse_sdp_vector(&mut lines).is_err());- Ok(())- }-- #[test]- fn test_parse_sdp_vector_missing_origin() -> Result<(), SdpParserError> {- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("v=0", 1)?);- for _ in 0..3 {- lines.push(parse_sdp_line("a=sendrecv", 1)?);- }- assert!(parse_sdp_vector(&mut lines).is_err());- Ok(())- }-- #[test]- fn test_parse_sdp_vector_missing_session() -> Result<(), SdpParserError> {- let mut lines: Vec<SdpLine> = Vec::new();- lines.push(parse_sdp_line("v=0", 1)?);- lines.push(parse_sdp_line(- "o=ausername 4294967296 2 IN IP4 127.0.0.1",- 1,- )?);- for _ in 0..2 {- lines.push(parse_sdp_line("a=sendrecv", 1)?);- }- assert!(parse_sdp_vector(&mut lines).is_err());- Ok(())- }-- #[test]- fn test_session_add_media_works() -> Result<(), SdpParserError> {- let mut sdp_session = create_dummy_sdp_session();- assert!(sdp_session- .add_media(- SdpMediaValue::Audio,- SdpAttribute::Sendrecv,- 99,- SdpProtocolValue::RtpSavpf,- ExplicitlyTypedAddress::from(Ipv4Addr::new(127, 0, 0, 1))- )- .is_ok());- assert!(sdp_session.get_connection().is_some());- assert_eq!(sdp_session.attribute.len(), 0);- assert_eq!(sdp_session.media.len(), 1);- assert_eq!(sdp_session.media[0].get_attributes().len(), 1);- assert!(sdp_session.media[0]- .get_attribute(SdpAttributeType::Sendrecv)- .is_some());- Ok(())- }-- #[test]- fn test_session_add_media_invalid_attribute_fails() -> Result<(), SdpParserInternalError> {- let mut sdp_session = create_dummy_sdp_session();- assert!(sdp_session- .add_media(- SdpMediaValue::Audio,- SdpAttribute::IceLite,- 99,- SdpProtocolValue::RtpSavpf,- ExplicitlyTypedAddress::try_from((AddressType::IpV4, "127.0.0.1"))?- )- .is_err());- Ok(())- }-}+#[path = "./lib_tests.rs"]+mod tests;
I'll analyze the provided code diff for security fixes. Here are the findings:
1. Vulnerability Existed: yes
Input Validation Vulnerability [File] third_party/rust/webrtc-sdp/src/lib.rs [Lines] 717-728
[Old Code]
(No previous validation for rtcp-mux-only attribute)
[Fixed Code]
if msection
.get_attribute(SdpAttributeType::RtcpMuxOnly)
.is_some()
&& msection.get_attribute(SdpAttributeType::RtcpMux).is_none()
{
return Err(make_seq_error(
"rtcp-mux-only media sections must also contain the rtcp-mux attribute",
));
}
2. Vulnerability Existed: not sure
Potential String Formatting Issue [File] third_party/rust/webrtc-sdp/src/lib.rs [Lines] 230-230
[Old Code]
media_sections = maybe_vector_to_string!("{}", self.media, "\r\n")
[Fixed Code]
media_sections = self.media.iter().map(|s| s.to_string()).collect::<String>()
3. Vulnerability Existed: not sure
Potential Reference Handling Issue [File] third_party/rust/webrtc-sdp/src/lib.rs [Lines] 823-823
[Old Code]
.position(|ref l| matches!(l.sdp_type, SdpType::Media(_)))
[Fixed Code]
.position(|l| matches!(l.sdp_type, SdpType::Media(_)))
The most clear security fix is the first one, which adds validation for the rtcp-mux-only attribute to ensure it's only used when rtcp-mux is also present. The other changes might be related to code quality or potential security improvements, but their security impact is less clear.
The test module was also significantly reduced by moving it to a separate file, but this doesn't appear to be security-related.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ryu/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ryu/src/lib.rs@@ -29,7 +29,9 @@ //! } //! ``` //!-//! ## Performance+//! ## Performance (lower is better)+//!+//!  //! //! You can run upstream's benchmarks with: //!@@ -62,19 +64,9 @@ //! $ cargo bench //! ``` //!-//! The benchmark shows Ryū approximately 4-10x faster than the standard library+//! The benchmark shows Ryū approximately 2-5x faster than the standard library //! across a range of f32 and f64 inputs. Measurements are in nanoseconds per //! iteration; smaller is better.-//!-//! | type=f32 | 0.0 | 0.1234 | 2.718281828459045 | f32::MAX |-//! |:--------:|:----:|:------:|:-----------------:|:--------:|-//! | RYU | 3ns | 28ns | 23ns | 22ns |-//! | STD | 40ns | 106ns | 128ns | 110ns |-//!-//! | type=f64 | 0.0 | 0.1234 | 2.718281828459045 | f64::MAX |-//! |:--------:|:----:|:------:|:-----------------:|:--------:|-//! | RYU | 3ns | 50ns | 35ns | 32ns |-//! | STD | 39ns | 105ns | 128ns | 202ns | //! //! ## Formatting //!@@ -89,7 +81,7 @@ //! notation. #![no_std]-#![doc(html_root_url = "https://docs.rs/ryu/1.0.6")]+#![doc(html_root_url = "https://docs.rs/ryu/1.0.9")] #![allow( clippy::cast_lossless, clippy::cast_possible_truncation,
After analyzing the provided code diff, I don't find any security-related changes. The changes appear to be documentation updates and version number changes. Here's the analysis: 1. Vulnerability Existed: no Documentation Update [third_party/rust/ryu/src/lib.rs] [Lines 29-64] [Old performance documentation with tables] [New performance documentation with image reference] 2. Vulnerability Existed: no Version Update [third_party/rust/ryu/src/lib.rs] [Line 81] [Old version: 1.0.6] [New version: 1.0.9] The changes consist of: - Replacing numeric performance benchmarks with a reference to a performance image - Updating the performance comparison description from "4-10x faster" to "2-5x faster" - Updating the documentation URL version from 1.0.6 to 1.0.9 None of these changes appear to address security vulnerabilities or introduce security-related fixes. They are purely documentation and version number updates.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-border-radius-1-ref.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-border-radius-1-ref.html@@ -3,7 +3,6 @@ <head> <title>CSS Reference: test for border-radius: calc()</title> <link rel="author" title="L. David Baron" href="https://dbaron.org/">- <meta name="flags" content=""> <style type="text/css"> p {
Based on the provided code diff, here's the analysis: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/css-values/calc-border-radius-1-ref.html] [Lines 3-6] [Old Code] <meta name="flags" content=""> [Fixed Code] [Removed line] Additional Details: The diff shows removal of an empty meta tag with a "flags" attribute. This appears to be test configuration cleanup rather than a security fix. The removed line didn't contain any security-sensitive content or introduce any vulnerabilities. The change seems to be related to test infrastructure maintenance rather than addressing a security issue.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.