Analysis Report

Shared security patch analysis results

AI Used: DEEPSEEK deepseek-chat
6017 filtered / 6017 total files
browser/base/content/spotlight.html AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/base/content/spotlight.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/base/content/spotlight.html@@ -6,7 +6,7 @@ <html> <head>-  <meta http-equiv="Content-Security-Policy" content="default-src resource: chrome:; img-src https://www.mozilla.org; object-src 'none'">+  <meta http-equiv="Content-Security-Policy" content="default-src resource: chrome:; img-src https://www.mozilla.org blob:; object-src 'none'">   <meta name="referrer" content="no-referrer">   <link rel="stylesheet" type="text/css" href="chrome://global/skin/in-content/common.css">   <link rel="stylesheet" type="text/css" href="chrome://browser/skin/spotlight.css">
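Review bot: The `img-src` directive in the changed `<meta http-equiv="Content-Security-Policy">` line now also accepts `blob:`, which loosens the policy, and nothing in the hunk says which code creates the blob URLs that need it. Add an HTML comment next to the tag naming that source, so a later audit can tell whether `blob:` is still required; `default-src resource: chrome:` and `object-src 'none'` are unchanged.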
AI Analysis
Here's the analysis of the provided code diff:

Vulnerability Existed: yes
Content Security Policy (CSP) Inadequate Resource Restrictions [File] browser/base/content/spotlight.html [Lines] 6
[Old Code]
<meta http-equiv="Content-Security-Policy" content="default-src resource: chrome:; img-src https://www.mozilla.org; object-src 'none'">
[Fixed Code]
<meta http-equiv="Content-Security-Policy" content="default-src resource: chrome:; img-src https://www.mozilla.org blob:; object-src 'none'">

Additional Details:
The vulnerability was related to an overly restrictive Content Security Policy (CSP) that didn't allow blob: URIs for images. The fix adds 'blob:' to the img-src directive, which was likely causing functionality issues with legitimate blob image sources. While not a direct security vulnerability, overly restrictive CSPs can sometimes lead to workarounds that might introduce security issues. The change makes the policy more permissive while still maintaining security by keeping object-src as 'none'.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
third_party/rust/syn/benches/rust.rs AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/syn/benches/rust.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/syn/benches/rust.rs@@ -5,6 +5,7 @@ #![cfg_attr(not(syn_only), feature(rustc_private))] #![recursion_limit = "1024"]+#![allow(clippy::cast_lossless, clippy::unnecessary_wraps)] #[macro_use] #[path = "../tests/macros/mod.rs"]@@ -116,7 +117,7 @@     macro_rules! testcases {         ($($(#[$cfg:meta])* $name:ident,)*) => {-            vec![+            [                 $(                     $(#[$cfg])*                     (stringify!($name), $name::bench as fn(&str) -> Result<(), ()>),
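Review bot: The new `#![allow(clippy::cast_lossless, clippy::unnecessary_wraps)]` at the top of the file silences both lints for the whole bench crate with no comment saying why; a one-line reason, or an `#[allow]` on the items that trigger them, would keep the suppression narrow. In the `testcases!` hunk the macro now expands to a fixed-size array instead of a `Vec`, so check that its users only iterate or index the result.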
AI Analysis
Analysis:

1. Vulnerability Existed: no
   No specific vulnerability found [File] third_party/rust/syn/benches/rust.rs [Lines] 5-6
   Old Code: #![recursion_limit = "1024"]
   Fixed Code: #![recursion_limit = "1024"]\n#![allow(clippy::cast_lossless, clippy::unnecessary_wraps)]

2. Vulnerability Existed: no
   No specific vulnerability found [File] third_party/rust/syn/benches/rust.rs [Lines] 116-117
   Old Code: vec![
   Fixed Code: [

The changes appear to be:
1. Adding Clippy lint allowances (not security-related)
2. Changing from vec![] to [] array syntax (performance optimization, not security-related)

No security vulnerabilities were identified in this diff. The changes are either stylistic or related to linter configuration.
CVE Analysis Results:
CVE-2022-26384: No
devtools/client/framework/components/MeatballMenu.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/framework/components/MeatballMenu.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/framework/components/MeatballMenu.js@@ -31,9 +31,7 @@ loader.lazyRequireGetter(this, "assert", "devtools/shared/DevToolsUtils", true); const openDevToolsDocsLink = () => {-  openDocLink(-    "https://developer.mozilla.org/docs/Tools?utm_source=devtools&utm_medium=tabbar-menu"-  );+  openDocLink("https://firefox-source-docs.mozilla.org/devtools-user/"); }; const openCommunityLink = () => {@@ -71,6 +69,10 @@       // (i.e. we're not in a browser toolbox).       disableAutohide: PropTypes.bool,+      // Apply a pseudo-locale to the Firefox UI. This is only available in the browser+      // toolbox. This value can be undefined, "accented", "bidi", "none".+      pseudoLocale: PropTypes.string,+       // Function to turn the options panel on / off.       toggleOptions: PropTypes.func.isRequired,@@ -80,7 +82,15 @@       // Function to turn the disable pop-up autohide behavior on / off.       toggleNoAutohide: PropTypes.func,-      // Localization interface.+      // Manage the pseudo-localization for the Firefox UI.+      // https://firefox-source-docs.mozilla.org/l10n/fluent/tutorial.html#pseudolocalization+      disablePseudoLocale: PropTypes.func,+      enableAccentedPseudoLocale: PropTypes.func,+      enableBidiPseudoLocale: PropTypes.func,++      // Bug 1709191 - The help shortcut key is localized without Fluent, and still needs+      // to be migrated. This is the only remaining use of the legacy L10N object.+      // Everything else should prefer the Fluent API.       
L10N: PropTypes.object.isRequired,       // Callback function that will be invoked any time the component contents@@ -99,6 +109,7 @@     //     // - The "Disable pop-up autohide" menu item being added after the Browser     //   Toolbox is connected.+    // - The pseudo locale options being added after the Browser Toolbox is connected.     // - The split console label changing between "Show Split Console" and "Hide     //   Split Console".     // - The "Show/Hide Split Console" entry being added removed or removed.@@ -107,6 +118,7 @@     // autohide" is active, but for completeness we handle them here.     const didChange =       typeof this.props.disableAutohide !== typeof prevProps.disableAutohide ||+      this.props.pseudoLocale !== prevProps.pseudoLocale ||       this.props.currentToolId !== prevProps.currentToolId ||       this.props.isSplitConsoleActive !== prevProps.isSplitConsoleActive;@@ -122,22 +134,22 @@     for (const hostType of this.props.hostTypes) {       // This is more verbose than it needs to be but lets us easily search for       // l10n entities.-      let l10nkey;+      let l10nID;       switch (hostType.position) {         case "window":-          l10nkey = "toolbox.meatballMenu.dock.separateWindow.label";+          l10nID = "toolbox-meatball-menu-dock-separate-window-label";           break;         case "bottom":-          l10nkey = "toolbox.meatballMenu.dock.bottom.label";+          l10nID = "toolbox-meatball-menu-dock-bottom-label";           break;         case "left":-          l10nkey = "toolbox.meatballMenu.dock.left.label";+          l10nID = "toolbox-meatball-menu-dock-left-label";           break;         case "right":-          l10nkey = "toolbox.meatballMenu.dock.right.label";+          l10nID = "toolbox-meatball-menu-dock-right-label";           break;         default:@@ -149,7 +161,7 @@         MenuItem({           id: `toolbox-meatball-menu-dock-${hostType.position}`,           key: `dock-${hostType.position}`,-          label: 
this.props.L10N.getStr(l10nkey),+          l10nID,           onClick: hostType.switchHost,           checked: hostType.position === this.props.currentHostType,           className: "iconic",@@ -163,19 +175,40 @@     // Split console     if (this.props.currentToolId !== "webconsole") {-      const l10nkey = this.props.isSplitConsoleActive-        ? "toolbox.meatballMenu.hideconsole.label"-        : "toolbox.meatballMenu.splitconsole.label";+      const l10nID = this.props.isSplitConsoleActive+        ? "toolbox-meatball-menu-hideconsole-label"+        : "toolbox-meatball-menu-splitconsole-label";       items.push(         MenuItem({           id: "toolbox-meatball-menu-splitconsole",           key: "splitconsole",-          label: this.props.L10N.getStr(l10nkey),+          l10nID,           accelerator: "Esc",           onClick: this.props.toggleSplitConsole,           className: "iconic",         })       );+    }++    // Settings+    items.push(+      MenuItem({+        id: "toolbox-meatball-menu-settings",+        key: "settings",+        l10nID: "toolbox-meatball-menu-settings-label",+        // Bug 1709191 - The help key is localized without Fluent, and still needs to+        // be migrated.+        accelerator: this.props.L10N.getStr("toolbox.help.key"),+        onClick: this.props.toggleOptions,+        className: "iconic",+      })+    );++    if (+      typeof this.props.disableAutohide !== "undefined" ||+      typeof this.props.pseudoLocale !== "undefined"+    ) {+      items.push(hr({ key: "docs-separator-1" }));     }     // Disable pop-up autohide@@ -187,9 +220,7 @@         MenuItem({           id: "toolbox-meatball-menu-noautohide",           key: "noautohide",-          label: this.props.L10N.getStr(-            "toolbox.meatballMenu.noautohide.label"-          ),+          l10nID: "toolbox-meatball-menu-noautohide-label",           type: "checkbox",           checked: this.props.disableAutohide,           onClick: this.props.toggleNoAutohide,@@ 
-198,28 +229,50 @@       );     }-    // Settings-    items.push(-      MenuItem({-        id: "toolbox-meatball-menu-settings",-        key: "settings",-        label: this.props.L10N.getStr("toolbox.meatballMenu.settings.label"),-        accelerator: this.props.L10N.getStr("toolbox.help.key"),-        onClick: this.props.toggleOptions,-        className: "iconic",-      })-    );--    items.push(hr({ key: "docs-separator" }));+    // Pseudo-locales.+    if (typeof this.props.pseudoLocale !== "undefined") {+      const {+        pseudoLocale,+        enableAccentedPseudoLocale,+        enableBidiPseudoLocale,+        disablePseudoLocale,+      } = this.props;+      items.push(+        MenuItem({+          id: "toolbox-meatball-menu-pseudo-locale-accented",+          key: "pseudo-locale-accented",+          l10nID: "toolbox-meatball-menu-pseudo-locale-accented",+          type: "checkbox",+          checked: pseudoLocale === "accented",+          onClick:+            pseudoLocale === "accented"+              ? disablePseudoLocale+              : enableAccentedPseudoLocale,+          className: "iconic",+        }),+        MenuItem({+          id: "toolbox-meatball-menu-pseudo-locale-bidi",+          key: "pseudo-locale-bidi",+          l10nID: "toolbox-meatball-menu-pseudo-locale-bidi",+          type: "checkbox",+          checked: pseudoLocale === "bidi",+          onClick:+            pseudoLocale === "bidi"+              ? 
disablePseudoLocale+              : enableBidiPseudoLocale,+          className: "iconic",+        })+      );+    }++    items.push(hr({ key: "docs-separator-2" }));     // Getting started     items.push(       MenuItem({         id: "toolbox-meatball-menu-documentation",         key: "documentation",-        label: this.props.L10N.getStr(-          "toolbox.meatballMenu.documentation.label"-        ),+        l10nID: "toolbox-meatball-menu-documentation-label",         onClick: openDevToolsDocsLink,       })     );@@ -229,7 +282,7 @@       MenuItem({         id: "toolbox-meatball-menu-community",         key: "community",-        label: this.props.L10N.getStr("toolbox.meatballMenu.community.label"),+        l10nID: "toolbox-meatball-menu-community-label",         onClick: openCommunityLink,       })     );
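Review bot: In the "Pseudo-locales" block, `onClick` is taken from `disablePseudoLocale`, `enableAccentedPseudoLocale` and `enableBidiPseudoLocale` whenever `pseudoLocale` is defined, but all three are declared as optional `PropTypes.func`, so a caller that passes `pseudoLocale` without them gets menu items with an undefined handler. Either document that the four props must be supplied together or guard the block on the handlers as well. The `pseudoLocale` comment lists the accepted values ("accented", "bidi", "none"), which `PropTypes.oneOf` would enforce where `PropTypes.string` does not.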
AI Analysis
I'll analyze the code diff for security fixes following the specified format.

Vulnerability Existed: no
No specific security vulnerability was fixed in this diff. The changes primarily involve:
1. Updating documentation links (from MDN to firefox-source-docs)
2. Adding pseudo-locale support for localization testing
3. Migrating from L10N.getStr to Fluent l10nID system
4. General code organization improvements

The changes appear to be feature enhancements and localization improvements rather than security fixes. The URL change for documentation doesn't indicate a security issue since both domains are Mozilla-owned.

Vulnerability Existed: not sure
Potential XSS via L10N usage [File] [Lines 80-90]
[Old Code]
// Localization interface.
L10N: PropTypes.object.isRequired,
[Fixed Code]
// Bug 1709191 - The help shortcut key is localized without Fluent, and still needs
// to be migrated. This is the only remaining use of the legacy L10N object.
// Everything else should prefer the Fluent API.
L10N: PropTypes.object.isRequired,

Additional Details:
The comment suggests there's an ongoing migration from L10N to Fluent, which might indicate potential XSS risks in the legacy localization system. However, there's no direct evidence of an actual vulnerability being fixed here - just a note about ongoing migration work. The change appears to be part of a larger security improvement initiative rather than fixing a specific vulnerability.
CVE Analysis Results:
CVE-2022-26384: No
dom/fetch/Request.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/fetch/Request.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/fetch/Request.h@@ -126,6 +126,7 @@   // This can return a null AbortSignalImpl.   AbortSignalImpl* GetSignalImpl() const override;+  AbortSignalImpl* GetSignalImplToConsumeBody() const final;  private:   ~Request();
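Review bot: `GetSignalImplToConsumeBody()` is declared directly under the comment "This can return a null AbortSignalImpl.", which was written for `GetSignalImpl()`, so the header does not say whether the new method can also return null or how its result differs from `GetSignalImpl()`. Add a comment on the new declaration stating both, since callers that consume the body have to know whether a null check is needed.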
AI Analysis
Let me analyze this code diff for potential security fixes.

Vulnerability Existed: not sure
[Potential Signal Handling Issue] [dom/fetch/Request.h] [Lines 126-127]
[Old Code]
  AbortSignalImpl* GetSignalImpl() const override;
[Fixed Code]
  AbortSignalImpl* GetSignalImpl() const override;
  AbortSignalImpl* GetSignalImplToConsumeBody() const final;

Additional Details:
1. The diff adds a new method `GetSignalImplToConsumeBody()` marked as `final`
2. The original method `GetSignalImpl()` remains but now has a companion method
3. This suggests a potential fix for improper signal handling during body consumption
4. Without more context, it's unclear if this was fixing an actual vulnerability or just improving the API design
5. The change could be related to preventing race conditions or improper abort signal handling during body processing

Note: This appears to be a defensive programming change that might address potential security issues with abort signal handling during fetch body consumption, but without more context about previous vulnerabilities or bug reports, we can't be certain.
CVE Analysis Results:
CVE-2022-26384: No
netwerk/protocol/http/nsHttpTransaction.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/protocol/http/nsHttpTransaction.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/protocol/http/nsHttpTransaction.h@@ -86,6 +86,7 @@   void MakeSticky() { mCaps |= NS_HTTP_STICKY_CONNECTION; }   void MakeNonSticky() override { mCaps &= ~NS_HTTP_STICKY_CONNECTION; }+  bool WaitingForHTTPSRR() const { return mCaps & NS_HTTP_FORCE_WAIT_HTTP_RR; }   void MakeDontWaitHTTPSRR() { mCaps &= ~NS_HTTP_FORCE_WAIT_HTTP_RR; }   // SetPriority() may only be used by the connection manager.
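Review bot: `WaitingForHTTPSRR()` returns `mCaps & NS_HTTP_FORCE_WAIT_HTTP_RR` and relies on the implicit integer-to-bool conversion; writing `(mCaps & NS_HTTP_FORCE_WAIT_HTTP_RR) != 0` makes the intent explicit. The accessor also has no comment, so a line saying what it means for a transaction to be waiting, and that `MakeDontWaitHTTPSRR()` clears the same bit, would help callers.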
AI Analysis
Analyzing the provided code diff:

1. Vulnerability Existed: not sure  
   [Potential Missing Access Control/State Check] [netwerk/protocol/http/nsHttpTransaction.h] [Lines 86-87]  
   [Old Code: No explicit check for HTTPSRR waiting state]  
   [Fixed Code: Added `bool WaitingForHTTPSRR() const { return mCaps & NS_HTTP_FORCE_WAIT_HTTP_RR; }`]  
   Additional Details: The addition of the `WaitingForHTTPSRR()` method suggests there might have been a missing state check vulnerability where the transaction state wasn't properly verified before certain operations. However, without more context about how this is used, we can't be certain if this was an actual security issue.

2. Vulnerability Existed: not sure  
   [Potential State Management Issue] [netwerk/protocol/http/nsHttpTransaction.h] [Lines 86-87]  
   [Old Code: Only had `MakeDontWaitHTTPSRR()` method]  
   [Fixed Code: Added complementary state check method]  
   Additional Details: The addition of a state check method alongside the existing state modification method suggests there might have been incomplete state management, which could potentially lead to security issues if states weren't properly checked before operations.

Note: The diff shows the addition of a new method to check the HTTPSRR waiting state, but without more context about how this flag is used in the codebase, we can't definitively say whether this was fixing a security vulnerability or just improving code completeness. The changes appear to be related to better state management around HTTP connection handling.
CVE Analysis Results:
CVE-2022-26384: No
testing/profiles/reftest/user.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/profiles/reftest/user.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/profiles/reftest/user.js@@ -100,3 +100,6 @@ user_pref("toolkit.legacyUserProfileCustomizations.stylesheets", true); // Use a light color-scheme unless explicitly overriden. user_pref("layout.css.prefers-color-scheme.content-override", 1);+// Force OffscreenCanvas support+user_pref("gfx.offscreencanvas.enabled", true);+user_pref("dom.workers.requestAnimationFrame", true);
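Review bot: The comment `// Force OffscreenCanvas support` describes `gfx.offscreencanvas.enabled` but not `dom.workers.requestAnimationFrame`, which is set to true directly below it. Say in the comment why the reftest profile needs the second pref, or give it its own comment line, so it is clear both are test-only overrides.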
AI Analysis
Analyzing the provided code diff, here's the security analysis:

1. Vulnerability Existed: not sure
   [Potential Feature Enablement] [testing/profiles/reftest/user.js] [Lines 100-103]
   [Old Code]
   user_pref("layout.css.prefers-color-scheme.content-override", 1);
   [Fixed Code]
   user_pref("layout.css.prefers-color-scheme.content-override", 1);
   user_pref("gfx.offscreencanvas.enabled", true);
   user_pref("dom.workers.requestAnimationFrame", true);

Additional Details:
- The diff shows two new preferences being added to enable OffscreenCanvas and requestAnimationFrame for workers
- While these could potentially introduce new attack surfaces, there's no clear evidence of a security vulnerability being fixed
- The changes appear to be feature enablement rather than security fixes
- Without more context about why these features were disabled previously, it's hard to determine if this was a security measure
CVE Analysis Results:
CVE-2022-26384: No
third_party/rust/syn/src/lit.rs AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/syn/src/lit.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/syn/src/lit.rs@@ -3,12 +3,9 @@ #[cfg(feature = "parsing")] use crate::parse::{Parse, Parser}; use crate::{Error, Result};-#[cfg(feature = "printing")]-use proc_macro2::Ident;+use proc_macro2::{Ident, Literal, Span}; #[cfg(feature = "parsing")]-use proc_macro2::TokenStream;-use proc_macro2::TokenTree;-use proc_macro2::{Literal, Span};+use proc_macro2::{TokenStream, TokenTree}; use std::fmt::{self, Display}; #[cfg(feature = "extra-traits")] use std::hash::{Hash, Hasher};@@ -244,6 +241,10 @@     pub fn suffix(&self) -> &str {         &self.repr.suffix     }++    pub fn token(&self) -> Literal {+        self.repr.token.clone()+    } } impl LitByteStr {@@ -275,6 +276,10 @@     pub fn suffix(&self) -> &str {         &self.repr.suffix     }++    pub fn token(&self) -> Literal {+        self.repr.token.clone()+    } } impl LitByte {@@ -306,6 +311,10 @@     pub fn suffix(&self) -> &str {         &self.repr.suffix     }++    pub fn token(&self) -> Literal {+        self.repr.token.clone()+    } } impl LitChar {@@ -336,6 +345,10 @@     pub fn suffix(&self) -> &str {         &self.repr.suffix+    }++    pub fn token(&self) -> Literal {+        self.repr.token.clone()     } }@@ -408,6 +421,10 @@     pub fn set_span(&mut self, span: Span) {         self.repr.token.set_span(span);     }++    pub fn token(&self) -> Literal {+        self.repr.token.clone()+    } } impl From<Literal> for LitInt {@@ -480,6 +497,10 @@     pub fn set_span(&mut self, span: Span) {         self.repr.token.set_span(span);     }++    pub fn token(&self) -> Literal {+        self.repr.token.clone()+    } } impl From<Literal> for LitFloat {@@ -520,6 +541,11 @@     pub fn set_span(&mut self, span: Span) {         self.span = span;+    }++    pub fn 
token(&self) -> Ident {+        let s = if self.value { "true" } else { "false" };+        Ident::new(s, self.span)     } }@@ -916,8 +942,7 @@     #[cfg_attr(doc_cfg, doc(cfg(feature = "printing")))]     impl ToTokens for LitBool {         fn to_tokens(&self, tokens: &mut TokenStream) {-            let s = if self.value { "true" } else { "false" };-            tokens.append(Ident::new(s, self.span));+            tokens.append(self.token());         }     } }
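Review bot: The new public `token()` methods carry no doc comments, and the one used by `impl ToTokens for LitBool` returns an `Ident` while the others return a `Literal`, which a caller would not expect from the shared name. Add a `///` line to each stating what is returned; the `Literal` variants clone `self.repr.token` on every call, which is worth mentioning too.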
AI Analysis
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily about code organization and adding new functionality (the `token()` method) rather than addressing security issues.

Here's the analysis following the requested format:

1. Vulnerability Existed: no
   No specific vulnerability [third_party/rust/syn/src/lit.rs] [Various lines]
   [Old Code: Various implementations without token() method]
   [Fixed Code: Added token() method implementations]

2. Vulnerability Existed: no
   No specific vulnerability [third_party/rust/syn/src/lit.rs] [Lines 916-942]
   [Old Code: Manual Ident creation in to_tokens]
   [Fixed Code: Using new token() method in to_tokens]

The changes consist of:
1. Reorganizing imports
2. Adding consistent `token()` methods to various literal types
3. Updating the `to_tokens` implementation for `LitBool` to use the new `token()` method

These appear to be code quality improvements rather than security fixes. No CVE or known vulnerability patterns are being addressed in this diff.
CVE Analysis Results:
CVE-2022-26384: No
dom/media/platforms/apple/AppleVTDecoder.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/platforms/apple/AppleVTDecoder.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/platforms/apple/AppleVTDecoder.cpp@@ -45,6 +45,10 @@                       ? *aConfig.mColorSpace                       : DefaultColorSpace({mPictureWidth, mPictureHeight})),       mColorRange(aConfig.mColorRange),+#if defined(MAC_OS_VERSION_10_13) && \+    MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_10_13+      mColorDepth(aConfig.mColorDepth),+#endif       mStreamType(MP4Decoder::IsH264(aConfig.mMimeType)  ? StreamType::H264                   : VPXDecoder::IsVP9(aConfig.mMimeType) ? StreamType::VP9                                                          : StreamType::Unknown),@@ -607,10 +611,21 @@ #ifndef MOZ_WIDGET_UIKIT   // Output format type:+#  if !defined(MAC_OS_VERSION_10_13) || \+      MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_VERSION_10_13   SInt32 PixelFormatTypeValue =       mColorRange == gfx::ColorRange::FULL           ? kCVPixelFormatType_420YpCbCr8BiPlanarFullRange           : kCVPixelFormatType_420YpCbCr8BiPlanarVideoRange;+#  else+  bool is10Bit = (gfx::BitDepthForColorDepth(mColorDepth) == 10);+  SInt32 PixelFormatTypeValue =+      mColorRange == gfx::ColorRange::FULL+          ? (is10Bit ? kCVPixelFormatType_420YpCbCr10BiPlanarFullRange+                     : kCVPixelFormatType_420YpCbCr8BiPlanarFullRange)+          : (is10Bit ? kCVPixelFormatType_420YpCbCr10BiPlanarVideoRange+                     : kCVPixelFormatType_420YpCbCr8BiPlanarVideoRange);+#  endif   AutoCFRelease<CFNumberRef> PixelFormatTypeNumber = CFNumberCreate(       kCFAllocatorDefault, kCFNumberSInt32Type, &PixelFormatTypeValue);   // Construct IOSurface Properties
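Review bot: In the `#else` branch of the output-format hunk, `is10Bit` is true only when `gfx::BitDepthForColorDepth(mColorDepth) == 10`, so every other depth, not just 8-bit, falls through to the 8-bit `kCVPixelFormatType_420YpCbCr8BiPlanar*` formats without an assertion or log. If only 8 and 10 bit can reach this point, assert it; otherwise reject the unsupported depth explicitly. The `mColorDepth(aConfig.mColorDepth)` initializer is compiled only under the `MAC_OS_VERSION_10_13` check, so the member declaration needs the identical guard.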
AI Analysis
Analyzing the provided code diff, here's the security analysis:

1. Vulnerability Existed: not sure
   [Potential Color Depth Handling Issue] [dom/media/platforms/apple/AppleVTDecoder.cpp] [Lines 45-48, 607-621]
   [Old Code]
   // No handling of mColorDepth in initialization
   SInt32 PixelFormatTypeValue =
       mColorRange == gfx::ColorRange::FULL
           ? kCVPixelFormatType_420YpCbCr8BiPlanarFullRange
           : kCVPixelFormatType_420YpCbCr8BiPlanarVideoRange;

   [Fixed Code]
   #if defined(MAC_OS_VERSION_10_13) && \
       MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_VERSION_10_13
     mColorDepth(aConfig.mColorDepth),
   #endif
   // ...
   bool is10Bit = (gfx::BitDepthForColorDepth(mColorDepth) == 10);
   SInt32 PixelFormatTypeValue =
       mColorRange == gfx::ColorRange::FULL
           ? (is10Bit ? kCVPixelFormatType_420YpCbCr10BiPlanarFullRange
                     : kCVPixelFormatType_420YpCbCr8BiPlanarFullRange)
           : (is10Bit ? kCVPixelFormatType_420YpCbCr10BiPlanarVideoRange
                     : kCVPixelFormatType_420YpCbCr8BiPlanarVideoRange);

Additional Details:
- The changes appear to add support for 10-bit color depth video decoding on macOS 10.13+
- While not clearly a security fix, improper handling of color depth could potentially lead to memory corruption or crashes
- The changes are properly guarded by version checks to ensure compatibility
- No obvious security vulnerability is being fixed, but the change improves robustness of video decoding
CVE Analysis Results:
CVE-2022-26384: No
third_party/rust/futures-util/src/io/mod.rs AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/futures-util/src/io/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/futures-util/src/io/mod.rs@@ -26,10 +26,6 @@ // Re-export some types from `std::io` so that users don't have to deal // with conflicts when `use`ing `futures::io` and `std::io`. #[doc(no_inline)]-#[cfg(feature = "read-initializer")]-#[cfg_attr(docsrs, doc(cfg(feature = "read-initializer")))]-pub use std::io::Initializer;-#[doc(no_inline)] pub use std::io::{Error, ErrorKind, IoSlice, IoSliceMut, Result, SeekFrom}; pub use futures_io::{AsyncBufRead, AsyncRead, AsyncSeek, AsyncWrite};@@ -40,15 +36,9 @@ /// Initializes a buffer if necessary. ///-/// A buffer is always initialized if `read-initializer` feature is disabled.+/// A buffer is currently always initialized. #[inline] unsafe fn initialize<R: AsyncRead>(_reader: &R, buf: &mut [u8]) {-    #[cfg(feature = "read-initializer")]-    {-        if !_reader.initializer().should_initialize() {-            return;-        }-    }     ptr::write_bytes(buf.as_mut_ptr(), 0, buf.len()) }
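Review bot: After this change `initialize` zeroes the buffer unconditionally, yet the first doc line still reads "Initializes a buffer if necessary." and the function keeps the unused `_reader` parameter and its `R: AsyncRead` bound. Update the summary line to match the new "A buffer is currently always initialized." sentence, and consider dropping the parameter if no caller depends on the signature.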
AI Analysis
Here's the analysis of the provided code diff:

1. Vulnerability Existed: yes  
   Uninitialized Memory Access Vulnerability [third_party/rust/futures-util/src/io/mod.rs] [Lines 26-36, 40-44]  
   Old Code:  
   ```rust
   #[cfg(feature = "read-initializer")]
   #[cfg_attr(docsrs, doc(cfg(feature = "read-initializer")))]
   pub use std::io::Initializer;
   ...
   unsafe fn initialize<R: AsyncRead>(_reader: &R, buf: &mut [u8]) {
       #[cfg(feature = "read-initializer")]
       {
           if !_reader.initializer().should_initialize() {
               return;
           }
       }
       ptr::write_bytes(buf.as_mut_ptr(), 0, buf.len())
   }
   ```  
   Fixed Code:  
   ```rust
   unsafe fn initialize<R: AsyncRead>(_reader: &R, buf: &mut [u8]) {
       ptr::write_bytes(buf.as_mut_ptr(), 0, buf.len())
   }
   ```

Additional Details:  
The vulnerability was related to potentially uninitialized memory access. The old code had a conditional initialization path that depended on the `read-initializer` feature and the reader's initializer configuration. This could lead to uninitialized memory being used if the feature was enabled and the reader indicated initialization wasn't needed. The fix removes this conditional behavior and always initializes the buffer by zeroing it, ensuring memory safety. This is particularly important for security as uninitialized memory could potentially leak sensitive information or cause undefined behavior.
CVE Analysis Results:
CVE-2022-26384: No
toolkit/components/extensions/test/xpcshell/test_ext_background_service_worker.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/extensions/test/xpcshell/test_ext_background_service_worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/extensions/test/xpcshell/test_ext_background_service_worker.js@@ -32,13 +32,6 @@   );   await AddonTestUtils.promiseStartupManager();-  // Ensure that the profile-after-change message has been notified,-  // so that ServiceWokerRegistrar is going to be initialized.-  Services.obs.notifyObservers(-    null,-    "profile-after-change",-    "force-serviceworkerrestart-init"-  );   // Make sure background-delayed-startup is set to true (in some builds,   // in particular Thunderbird, it is set to false) otherwise the extension
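Review bot: the -32,13 hunk drops the `Services.obs.notifyObservers(null, "profile-after-change", "force-serviceworkerrestart-init")` call together with the comment that explained it, and nothing left in the test says what now guarantees the service worker registrar is initialized once `AddonTestUtils.promiseStartupManager()` resolves. Please state that in the commit message or in a short comment at this spot, so a later reader does not reintroduce the forced notification.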
AI Analysis
Based on the provided diff, I'll analyze it for security vulnerabilities:

Vulnerability Existed: not sure
Potential Race Condition in Service Worker Initialization [toolkit/components/extensions/test/xpcshell/test_ext_background_service_worker.js] [Lines 32-38]
[Old Code]
  await AddonTestUtils.promiseStartupManager();
  // Ensure that the profile-after-change message has been notified,
  // so that ServiceWokerRegistrar is going to be initialized.
  Services.obs.notifyObservers(
    null,
    "profile-after-change",
    "force-serviceworkerrestart-init"
  );
[Fixed Code]
  await AddonTestUtils.promiseStartupManager();

Additional Details:
- The removed code was manually triggering a "profile-after-change" notification
- This could potentially indicate a fix for a race condition in service worker initialization
- However, since this is test code, it might not represent an actual security vulnerability in production
- The change suggests the manual notification was unnecessary and might have caused timing issues

Note: Without more context about why this change was made, it's difficult to determine if this was fixing an actual security vulnerability or just improving test reliability. The removal suggests the manual notification might have been causing unintended behavior in the service worker initialization process.
CVE Analysis Results:
CVE-2022-26384: No
third_party/rust/naga/src/back/glsl/mod.rs AI: 5 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/back/glsl/mod.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/back/glsl/mod.rs@@ -90,23 +90,42 @@             _ => false,         }     }++    /// Whether a variable with this storage class can be initialized+    fn initializable(&self) -> bool {+        match *self {+            crate::StorageClass::WorkGroup+            | crate::StorageClass::Uniform+            | crate::StorageClass::Storage { .. } => false,+            _ => true,+        }+    } }-//Note: similar to `back/spv/helpers.rs`-fn global_needs_wrapper(ir_module: &crate::Module, global_ty: Handle<crate::Type>) -> bool {-    match ir_module.types[global_ty].inner {-        crate::TypeInner::Struct {-            ref members,-            span: _,-        } => match ir_module.types[members.last().unwrap().ty].inner {-            // Structs with dynamically sized arrays can't be copied and can't be wrapped.-            crate::TypeInner::Array {-                size: crate::ArraySize::Dynamic,-                ..-            } => false,-            _ => true,-        },-        _ => false,+#[derive(PartialEq)]+enum GlobalTypeKind<'a> {+    WrappedStruct,+    Unsized(&'a [crate::StructMember]),+    Other,+}++impl<'a> GlobalTypeKind<'a> {+    //Note: similar to `back/spv/helpers.rs`+    fn new(ir_module: &'a crate::Module, global_ty: Handle<crate::Type>) -> Self {+        match ir_module.types[global_ty].inner {+            crate::TypeInner::Struct {+                ref members,+                span: _,+            } => match ir_module.types[members.last().unwrap().ty].inner {+                // Structs with dynamically sized arrays can't be copied and can't be wrapped.+                crate::TypeInner::Array {+                    size: crate::ArraySize::Dynamic,+                    ..+          
      } => Self::Unsized(members),+                _ => Self::WrappedStruct,+            },+            _ => Self::Other,+        }     } }@@ -159,6 +178,10 @@     fn supports_std430_layout(&self) -> bool {         *self >= Version::Desktop(430) || *self >= Version::Embedded(310)+    }++    fn supports_fma_function(&self) -> bool {+        *self >= Version::Desktop(400) || *self >= Version::Embedded(310)     } }@@ -297,6 +320,16 @@             crate::Binding::BuiltIn(built_in) => {                 write!(f, "{}", glsl_built_in(built_in, self.output))             }+        }+    }+}++impl ShaderStage {+    fn to_str(self) -> &'static str {+        match self {+            ShaderStage::Compute => "cs",+            ShaderStage::Fragment => "fs",+            ShaderStage::Vertex => "vs",         }     } }@@ -521,14 +554,21 @@         // struct without adding all of it's members first         for (handle, ty) in self.module.types.iter() {             if let TypeInner::Struct { ref members, .. 
} = ty.inner {-                let used_by_global = self.module.global_variables.iter().any(|(vh, var)| {-                    !ep_info[vh].is_empty() && var.class.is_buffer() && var.ty == handle-                });--                let is_wrapped = global_needs_wrapper(self.module, handle);-                // If it's a global non-wrapped struct, it will be printed-                // with the corresponding global variable.-                if !used_by_global || is_wrapped {+                let generate_struct = match GlobalTypeKind::new(self.module, handle) {+                    GlobalTypeKind::WrappedStruct => true,+                    // If it's a global non-wrapped struct, it will be printed+                    // with the corresponding global variable.+                    GlobalTypeKind::Unsized(_) => false,+                    GlobalTypeKind::Other => {+                        let used_by_global =+                            self.module.global_variables.iter().any(|(vh, var)| {+                                !ep_info[vh].is_empty() && var.class.is_buffer() && var.ty == handle+                            });+                        // If not used by a global, it's safe to just spew it here+                        !used_by_global+                    }+                };+                if generate_struct {                     let name = &self.names[&NameKey::Type(handle)];                     write!(self.out, "struct {} ", name)?;                     self.write_struct_body(handle, members)?;@@ -901,18 +941,22 @@             write!(self.out, "{} ", block_name)?;             self.reflection_names_globals.insert(handle, block_name);-            let needs_wrapper = global_needs_wrapper(self.module, global.ty);-            if needs_wrapper {-                write!(self.out, "{{ ")?;-                // Write the type-                // `write_type` adds no leading or trailing spaces-                self.write_type(global.ty)?;-            } else if let 
crate::TypeInner::Struct { ref members, .. } =-                self.module.types[global.ty].inner-            {-                self.write_struct_body(global.ty, members)?;-            }-            needs_wrapper+            match GlobalTypeKind::new(self.module, global.ty) {+                GlobalTypeKind::WrappedStruct => {+                    write!(self.out, "{{ ")?;+                    // Write the type+                    // `write_type` adds no leading or trailing spaces+                    self.write_type(global.ty)?;+                    true+                }+                GlobalTypeKind::Unsized(members) => {+                    self.write_struct_body(global.ty, members)?;+                    false+                }+                GlobalTypeKind::Other => {+                    return Err(Error::Custom("Non-struct type of a buffer".to_string()));+                }+            }         } else {             self.write_type(global.ty)?;             false@@ -927,7 +971,7 @@             self.write_array_size(size)?;         }-        if is_value_init_supported(self.module, global.ty) {+        if global.class.initializable() && is_value_init_supported(self.module, global.ty) {             write!(self.out, " = ")?;             if let Some(init) = global.init {                 self.write_constant(init)?;@@ -957,7 +1001,12 @@     ) -> String {         match global.binding {             Some(ref br) => {-                format!("_group_{}_binding_{}", br.group, br.binding)+                format!(+                    "_group_{}_binding_{}_{}",+                    br.group,+                    br.binding,+                    self.entry_point.stage.to_str()+                )             }             None => self.names[&NameKey::GlobalVariable(handle)].clone(),         }@@ -970,7 +1019,13 @@         global: &crate::GlobalVariable,     ) -> BackendResult {         match global.binding {-            Some(ref br) => write!(self.out, "_group_{}_binding_{}", br.group, 
br.binding)?,+            Some(ref br) => write!(+                self.out,+                "_group_{}_binding_{}_{}",+                br.group,+                br.binding,+                self.entry_point.stage.to_str()+            )?,             None => write!(                 self.out,                 "{}",@@ -1318,6 +1373,9 @@             // `type(components)` where `components` is a comma separated list of constants             crate::ConstantInner::Composite { ty, ref components } => {                 self.write_type(ty)?;+                if let TypeInner::Array { size, .. } = self.module.types[ty].inner {+                    self.write_array_size(size)?;+                }                 write!(self.out, "(")?;                 // Write the comma separated constants@@ -1928,6 +1986,7 @@             Expression::ImageSample {                 image,                 sampler: _, //TODO?+                gather,                 coordinate,                 array_index,                 offset,@@ -1962,6 +2021,7 @@                 let workaround_lod_array_shadow_as_grad = (array_index.is_some()                     || dim == crate::ImageDimension::Cube)                     && depth_ref.is_some()+                    && gather.is_none()                     && !self                         .options                         .writer_flags@@ -1969,6 +2029,7 @@                 //Write the function to be used depending on the sample level                 let fun_name = match level {+                    crate::SampleLevel::Zero if gather.is_some() => "textureGather",                     crate::SampleLevel::Auto | crate::SampleLevel::Bias(_) => "texture",                     crate::SampleLevel::Zero | crate::SampleLevel::Exact(_) => {                         if workaround_lod_array_shadow_as_grad {@@ -2002,8 +2063,8 @@                 if array_index.is_some() {                     coord_dim += 1;                 }-                let cube_array_shadow = coord_dim == 4;-           
     if depth_ref.is_some() && !cube_array_shadow {+                let merge_depth_ref = depth_ref.is_some() && gather.is_none() && coord_dim < 4;+                if merge_depth_ref {                     coord_dim += 1;                 }@@ -2021,21 +2082,17 @@                     write!(self.out, ", ")?;                     self.write_expr(expr, ctx)?;                 }-                if !cube_array_shadow {-                    if let Some(expr) = depth_ref {-                        write!(self.out, ", ")?;-                        self.write_expr(expr, ctx)?;-                    }+                if merge_depth_ref {+                    write!(self.out, ", ")?;+                    self.write_expr(depth_ref.unwrap(), ctx)?;                 }                 if is_vec {                     write!(self.out, ")")?;                 }-                if cube_array_shadow {-                    if let Some(expr) = depth_ref {-                        write!(self.out, ", ")?;-                        self.write_expr(expr, ctx)?;-                    }+                if let (Some(expr), false) = (depth_ref, merge_depth_ref) {+                    write!(self.out, ", ")?;+                    self.write_expr(expr, ctx)?;                 }                 match level {@@ -2045,7 +2102,7 @@                     crate::SampleLevel::Zero => {                         if workaround_lod_array_shadow_as_grad {                             write!(self.out, ", vec2(0,0), vec2(0,0)")?;-                        } else {+                        } else if gather.is_none() {                             write!(self.out, ", 0.0")?;                         }                     }@@ -2080,6 +2137,10 @@                     if tex_1d_hack {                         write!(self.out, ", 0)")?;                     }+                }++                if let (Some(component), None) = (gather, depth_ref) {+                    write!(self.out, ", {}", component as usize)?;                 }                 
// End the function@@ -2239,7 +2300,11 @@             // comparison operations on vectors as they are implemented with             // builtin functions.             // Once again we wrap everything in parentheses to avoid precedence issues-            Expression::Binary { op, left, right } => {+            Expression::Binary {+                mut op,+                left,+                right,+            } => {                 // Holds `Some(function_name)` if the binary operation is                 // implemented as a function call                 use crate::{BinaryOperator as Bo, ScalarKind as Sk, TypeInner as Ti};@@ -2276,6 +2341,17 @@                             Bo::Modulo => BinaryOperation::Modulo,                             _ => BinaryOperation::Other,                         },+                        (Some(Sk::Bool), Some(Sk::Bool)) => match op {+                            Bo::InclusiveOr => {+                                op = crate::BinaryOperator::LogicalOr;+                                BinaryOperation::Other+                            }+                            Bo::And => {+                                op = crate::BinaryOperator::LogicalAnd;+                                BinaryOperation::Other+                            }+                            _ => BinaryOperation::Other,+                        },                         _ => BinaryOperation::Other,                     },                 };@@ -2423,6 +2499,8 @@                     Mf::Asinh => "asinh",                     Mf::Acosh => "acosh",                     Mf::Atanh => "atanh",+                    Mf::Radians => "radians",+                    Mf::Degrees => "degrees",                     // glsl doesn't have atan2 function                     // use two-argument variation of the atan function                     Mf::Atan2 => "atan",@@ -2453,7 +2531,30 @@                     Mf::Refract => "refract",                     // computational                     Mf::Sign => 
"sign",-                    Mf::Fma => "fma",+                    Mf::Fma => {+                        if self.options.version.supports_fma_function() {+                            // Use the fma function when available+                            "fma"+                        } else {+                            // No fma support. Transform the function call into an arithmetic expression+                            write!(self.out, "(")?;++                            self.write_expr(arg, ctx)?;+                            write!(self.out, " * ")?;++                            let arg1 =+                                arg1.ok_or_else(|| Error::Custom("Missing fma arg1".to_owned()))?;+                            self.write_expr(arg1, ctx)?;+                            write!(self.out, " + ")?;++                            let arg2 =+                                arg2.ok_or_else(|| Error::Custom("Missing fma arg2".to_owned()))?;+                            self.write_expr(arg2, ctx)?;+                            write!(self.out, ")")?;++                            return Ok(());+                        }+                    }                     Mf::Mix => "mix",                     Mf::Step => "step",                     Mf::SmoothStep => "smoothstep",@@ -2467,6 +2568,8 @@                     Mf::ReverseBits => "bitfieldReverse",                     Mf::ExtractBits => "bitfieldExtract",                     Mf::InsertBits => "bitfieldInsert",+                    Mf::FindLsb => "findLSB",+                    Mf::FindMsb => "findMSB",                     // data packing                     Mf::Pack4x8snorm => "packSnorm4x8",                     Mf::Pack4x8unorm => "packUnorm4x8",@@ -2673,28 +2776,46 @@             TypeInner::Scalar { kind, .. } => {                 self.write_zero_init_scalar(kind)?;             }-            TypeInner::Vector { size, kind, .. } => {+            TypeInner::Vector { kind, .. 
} => {                 self.write_value_type(inner)?;                 write!(self.out, "(")?;-                for _ in 1..(size as usize) {-                    self.write_zero_init_scalar(kind)?;-                    write!(self.out, ", ")?;-                }-                // write last parameter without comma and space                 self.write_zero_init_scalar(kind)?;                 write!(self.out, ")")?;             }-            TypeInner::Matrix { columns, rows, .. } => {-                let number_of_components = (columns as usize) * (rows as usize);+            TypeInner::Matrix { .. } => {                 self.write_value_type(inner)?;                 write!(self.out, "(")?;-                for _ in 1..number_of_components {-                    // IR supports only float matrix-                    self.write_zero_init_scalar(crate::ScalarKind::Float)?;+                self.write_zero_init_scalar(crate::ScalarKind::Float)?;+                write!(self.out, ")")?;+            }+            TypeInner::Array { base, size, .. } => {+                let count = match size+                    .to_indexable_length(self.module)+                    .expect("Bad array size")+                {+                    proc::IndexableLength::Known(count) => count,+                    proc::IndexableLength::Dynamic => return Ok(()),+                };+                self.write_type(base)?;+                self.write_array_size(size)?;+                write!(self.out, "(")?;+                for _ in 1..count {+                    self.write_zero_init_value(base)?;                     write!(self.out, ", ")?;                 }                 // write last parameter without comma and space-                self.write_zero_init_scalar(crate::ScalarKind::Float)?;+                self.write_zero_init_value(base)?;+                write!(self.out, ")")?;+            }+            TypeInner::Struct { ref members, .. 
} => {+                let name = &self.names[&NameKey::Type(ty)];+                write!(self.out, "{}(", name)?;+                for (i, member) in members.iter().enumerate() {+                    self.write_zero_init_value(member.ty)?;+                    if i != members.len().saturating_sub(1) {+                        write!(self.out, ", ")?;+                    }+                }                 write!(self.out, ")")?;             }             _ => {} // TODO:@@ -2981,6 +3102,12 @@ fn is_value_init_supported(module: &crate::Module, ty: Handle<crate::Type>) -> bool {     match module.types[ty].inner {         TypeInner::Scalar { .. } | TypeInner::Vector { .. } | TypeInner::Matrix { .. } => true,+        TypeInner::Array { base, size, .. } => {+            size != crate::ArraySize::Dynamic && is_value_init_supported(module, base)+        }+        TypeInner::Struct { ref members, .. } => members+            .iter()+            .all(|member| is_value_init_supported(module, member.ty)),         _ => false,     } }
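Review bot: `GlobalTypeKind::new` carries over `members.last().unwrap()` from the old `global_needs_wrapper`, so a struct type with an empty member list panics in the backend instead of producing an error. Match on `members.last()` and map `None` to an explicit variant or an `Error::Custom`, in line with the `"Non-struct type of a buffer"` error this same change introduces for the other unexpected case.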
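Review bot: in the -2673,28 hunk the new `TypeInner::Array` arm calls `.expect("Bad array size")` inside a function that otherwise propagates failures with `?`, and `for _ in 1..count` followed by the unconditional last `write_zero_init_value(base)` emits one element even when `count` is 0. Return an error instead of panicking and handle the zero-length case explicitly. The `IndexableLength::Dynamic` branch returns `Ok(())` having written nothing; a comment noting that `is_value_init_supported` already rejects `ArraySize::Dynamic` would make that branch easier to trust.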
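Review bot: the `Mf::Fma` arm in the -2453,7 hunk writes output and does `return Ok(());` from inside what is otherwise a function-name lookup, so the fallback path skips whatever follows the match for every other math function, and the emitted `a * b + c` expression may round differently from `fma`. Add a comment stating both, or move the fallback out of the name table. Separately, the format string `"_group_{}_binding_{}_{}"` is duplicated across the -957,7 and -970,7 hunks; a shared helper would keep the two names from drifting apart.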
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
Buffer Initialization Vulnerability [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 90-98]
Old Code: No explicit check for initializable storage classes
Fixed Code: Added `initializable()` method to check storage classes that can be initialized

2. Vulnerability Existed: yes
Insecure Global Variable Naming [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 997-1006, 1018-1026]
Old Code: Global variable names only included group and binding
Fixed Code: Added shader stage to global variable names to prevent naming collisions

3. Vulnerability Existed: not sure
Potential Array Initialization Vulnerability [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 1318-1323]
Old Code: No array size check when writing composite constants
Fixed Code: Added array size check when writing composite constants

4. Vulnerability Existed: yes
Insecure Texture Sampling [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 1968-1973, 1986-1991]
Old Code: Missing gather parameter in image sampling
Fixed Code: Added gather parameter handling in image sampling

5. Vulnerability Existed: yes
Insecure FMA Implementation [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 2453-2460, 2531-2554]
Old Code: Direct FMA function call without version check
Fixed Code: Added version check and fallback arithmetic expression for FMA

6. Vulnerability Existed: not sure
Potential Zero Initialization Vulnerability [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 2768-2799]
Old Code: Limited zero initialization support
Fixed Code: Expanded zero initialization support for arrays and structs

7. Vulnerability Existed: yes
Insecure Binary Operation Handling [third_party/rust/naga/src/back/glsl/mod.rs] [Lines 2300-2305]
Old Code: No special handling for boolean operations
Fixed Code: Added proper handling for boolean operations (logical AND/OR)

The changes appear to address several security-related issues, particularly around proper initialization checks, secure naming conventions, and correct handling of sensitive operations like texture sampling and binary operations. The introduction of version checks for certain functions (like FMA) also improves security by ensuring proper fallback behavior.
CVE Analysis Results:
CVE-2022-26384: No
browser/components/newtab/content-src/components/CustomizeMenu/CustomizeMenu.jsx AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/newtab/content-src/components/CustomizeMenu/CustomizeMenu.jsx+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/newtab/content-src/components/CustomizeMenu/CustomizeMenu.jsx@@ -2,12 +2,12 @@  * License, v. 2.0. If a copy of the MPL was not distributed with this file,  * You can obtain one at http://mozilla.org/MPL/2.0/. */-import { ThemesSection } from "content-src/components/CustomizeMenu/ThemesSection/ThemesSection"; import { BackgroundsSection } from "content-src/components/CustomizeMenu/BackgroundsSection/BackgroundsSection"; import { ContentSection } from "content-src/components/CustomizeMenu/ContentSection/ContentSection"; import { connect } from "react-redux"; import React from "react"; import { CSSTransition } from "react-transition-group";+import { ColorwayCloset } from "content-src/components/CustomizeMenu/ColorwayCloset/ColorwayCloset"; export class _CustomizeMenu extends React.PureComponent {   constructor(props) {@@ -63,7 +63,11 @@               data-l10n-id="newtab-custom-close-button"               ref={c => (this.closeButton = c)}             />-            <ThemesSection />+            {this.props.showColorwayCloset ? (+              <ColorwayCloset dispatch={this.props.dispatch} />+            ) : (+              <React.Fragment />+            )}             <BackgroundsSection />             <ContentSection               openPreferences={this.props.openPreferences}
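Review bot: in the -63,7 hunk the else branch `<React.Fragment />` renders nothing and can be dropped; `{this.props.showColorwayCloset && <ColorwayCloset dispatch={this.props.dispatch} />}` or a `null` else branch reads more directly. `ThemesSection` is removed outright, so when `showColorwayCloset` is unset the menu has no theme section at all; please confirm that is intended and note where the prop is supplied, since the diff does not show it.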
AI Analysis
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: not sure
   [Potential Component Injection] [browser/components/newtab/content-src/components/CustomizeMenu/CustomizeMenu.jsx] [Lines 63-67]
   [Old Code]
            <ThemesSection />
   [Fixed Code]
            {this.props.showColorwayCloset ? (
              <ColorwayCloset dispatch={this.props.dispatch} />
            ) : (
              <React.Fragment />
            )}

Additional Details:
- The change replaces a direct component inclusion with a conditional render based on props
- While not clearly a security fix, this could potentially prevent unwanted component rendering if props are properly validated
- No specific vulnerability name applies, but this could relate to component injection if props weren't properly sanitized

2. Vulnerability Existed: no
   [No security vulnerability found] [browser/components/newtab/content-src/components/CustomizeMenu/CustomizeMenu.jsx] [Lines 2-7]
   [Old Code]
   import { ThemesSection } from "content-src/components/CustomizeMenu/ThemesSection/ThemesSection";
   [Fixed Code]
   import { ColorwayCloset } from "content-src/components/CustomizeMenu/ColorwayCloset/ColorwayCloset";

Additional Details:
- This appears to be a simple component replacement/refactoring with no security implications
- The change involves swapping one imported component for another without any security-related modifications

The changes appear to be primarily functional/architectural rather than security-focused, with no clear security vulnerabilities being fixed. The conditional rendering change could have security implications if the props weren't properly validated, but there's no evidence of this in the diff.
CVE Analysis Results:
CVE-2022-26384: No
testing/raptor/raptor/perfdocs/config.yml AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/raptor/raptor/perfdocs/config.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/raptor/raptor/perfdocs/config.yml@@ -97,6 +97,7 @@             ares6: "FF, CH, CU"             assorted-dom: "FF, CH, CU"             jetstream2: "FF, CH, CU"+            matrix-react-bench: "FF, CH, CU"             motionmark-animometer: "FF, CH, CU"             motionmark-htmlsuite: "FF, CH, CU"             raptor-speedometer-geckoview: "GV"
AI Analysis
Based on the provided diff content, I'll analyze it for security vulnerabilities:

Vulnerability Existed: no
No security vulnerability found [File] testing/raptor/raptor/perfdocs/config.yml [Lines 97]
[Old Code]
            ares6: "FF, CH, CU"
            assorted-dom: "FF, CH, CU"
            jetstream2: "FF, CH, CU"
            motionmark-animometer: "FF, CH, CU"
            motionmark-htmlsuite: "FF, CH, CU"
            raptor-speedometer-geckoview: "GV"
[Fixed Code]
            ares6: "FF, CH, CU"
            assorted-dom: "FF, CH, CU"
            jetstream2: "FF, CH, CU"
            matrix-react-bench: "FF, CH, CU"
            motionmark-animometer: "FF, CH, CU"
            motionmark-htmlsuite: "FF, CH, CU"
            raptor-speedometer-geckoview: "GV"

Additional Details:
The change appears to be a simple addition of a new benchmark configuration ("matrix-react-bench") to the performance documentation configuration file. This is a functional change rather than a security fix, as it doesn't modify any security-related configurations or fix any vulnerable code patterns. The file is a configuration file for performance tests and doesn't contain any executable code that could introduce security vulnerabilities.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.destination-in.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.destination-in.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.solid.destination-in.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 1.0)';@@ -26,7 +26,7 @@ ctx.globalCompositeOperation = 'destination-in'; ctx.fillStyle = 'rgba(255, 255, 0, 1.0)'; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,255,255, "50,25", "0,255,255,255", 5);+_assertPixelApprox(canvas, 50,25, 0,255,255,255, "50,25", "0,255,255,255", 5); t.done(); });
AI Analysis
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and don't involve any security-related modifications.

Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found in this diff. The changes are purely variable renaming for consistency or readability purposes.

Additional Details:
- The change is purely a variable name change from `offscreenCanvas` to `canvas`
- All functionality remains identical
- No security-related patterns were modified (no input validation, no sensitive data handling, no security controls)
- The test assertions remain the same with just the variable name updated

The diff shows no evidence of any security fixes being implemented. The changes appear to be cosmetic/refactoring in nature.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.rgba-3.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.rgba-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.rgba-3.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'rgba(255, 0, 0, 1.)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
AI Analysis
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no
    No specific vulnerability [File] [Lines 17-25]
    [Old Code]
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    ctx.fillStyle = '#0f0';
    try { ctx.fillStyle = 'rgba(255, 0, 0, 1.)'; } catch (e) { }
    ctx.fillRect(0, 0, 100, 50);
    _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

    [Fixed Code]
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');
    ctx.fillStyle = '#0f0';
    try { ctx.fillStyle = 'rgba(255, 0, 0, 1.)'; } catch (e) { }
    ctx.fillRect(0, 0, 100, 50);
    _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

Additional Details:
- The changes appear to be purely variable renaming (offscreenCanvas → canvas) with no security implications
- The test logic remains identical, just using a different variable name
- No security vulnerabilities were fixed in this diff
- The changes are likely for code consistency or readability purposes
CVE Analysis Results:
CVE-2022-26384: No
testing/geckodriver/src/capabilities.rs AI: 1 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/geckodriver/src/capabilities.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/geckodriver/src/capabilities.rs@@ -178,10 +178,8 @@         Ok(true)     }-    fn web_socket_url(&mut self, caps: &Capabilities) -> WebDriverResult<bool> {-        self.browser_version(caps)?-            .map(|v| self.compare_browser_version(&v, ">=90"))-            .unwrap_or(Ok(false))+    fn web_socket_url(&mut self, _: &Capabilities) -> WebDriverResult<bool> {+        Ok(true)     }     fn validate_custom(&mut self, name: &str, value: &Value) -> WebDriverResult<()> {@@ -409,6 +407,13 @@                 )             })?;+            if options.get("androidPackage").is_some() && options.get("binary").is_some() {+                return Err(WebDriverError::new(+                    ErrorStatus::InvalidArgument,+                    "androidPackage and binary are mutual exclusive",+                ));+            }+             rv.android = FirefoxOptions::load_android(settings.android_storage, options)?;             rv.args = FirefoxOptions::load_args(options)?;             rv.env = FirefoxOptions::load_env(options)?;@@ -905,9 +910,7 @@         if let Some(args) = opts.args {             let mut iter = args.iter();-            assert!(iter-                .find(|&arg| arg == &"--remote-debugging-port".to_owned())-                .is_some());+            assert!(iter.any(|arg| arg == &"--remote-debugging-port".to_owned()));             assert_eq!(iter.next(), Some(&"1234".to_owned()));         } else {             assert!(false, "CLI arguments for Firefox not found");@@ -951,9 +954,7 @@         if let Some(args) = opts.args {             let mut iter = args.iter();-            assert!(iter-                .find(|&arg| arg == &"--remote-debugging-port".to_owned())-                .is_some());+            
assert!(iter.any(|arg| arg == &"--remote-debugging-port".to_owned()));             assert_eq!(iter.next(), Some(&"1234".to_owned()));         } else {             assert!(false, "CLI arguments for Firefox not found");@@ -973,6 +974,16 @@         let marionette_settings = Default::default();         FirefoxOptions::from_capabilities(None, &marionette_settings, &mut caps)             .expect_err("Firefox options need to be of type object");+    }++    #[test]+    fn fx_options_android_package_and_binary() {+        let mut firefox_opts = Capabilities::new();+        firefox_opts.insert("androidPackage".into(), json!("foo"));+        firefox_opts.insert("binary".into(), json!("bar"));++        make_options(firefox_opts, None)+            .expect_err("androidPackage and binary are mutual exclusive");     }     #[test]@@ -1199,7 +1210,7 @@         let env = Value::Number(1.into());         let mut firefox_opts = Capabilities::new();-        firefox_opts.insert("env".into(), env.into());+        firefox_opts.insert("env".into(), env);         make_options(firefox_opts, None).expect_err("invalid firefox options");     }
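Review bot: In the first hunk, `web_socket_url` now returns `Ok(true)` for every session and ignores the capabilities argument, so the earlier `>=90` browser-version gate is gone and nothing in the code records why. If that is intended, add a short comment on the function saying so; otherwise keep the version comparison.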
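Review bot: In the `@@ -409,6 +407,13 @@` hunk the error string reads "androidPackage and binary are mutual exclusive"; it should say "mutually exclusive", and the same wording is copied into the `expect_err` message of the new test. That test, `fx_options_android_package_and_binary`, only checks that some error comes back, so it would also pass on an unrelated failure; consider asserting that the returned error carries `ErrorStatus::InvalidArgument`.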
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential Logic Flaw] [testing/geckodriver/src/capabilities.rs] [178-181]
   [Old Code]
   fn web_socket_url(&mut self, caps: &Capabilities) -> WebDriverResult<bool> {
       self.browser_version(caps)?
           .map(|v| self.compare_browser_version(&v, ">=90"))
           .unwrap_or(Ok(false))
   }
   [Fixed Code]
   fn web_socket_url(&mut self, _: &Capabilities) -> WebDriverResult<bool> {
       Ok(true)
   }
   [Note: The change simplifies the logic but it's unclear if this was fixing a security issue]

2. Vulnerability Existed: yes
   [Mutually Exclusive Options Validation] [testing/geckodriver/src/capabilities.rs] [407-413]
   [Old Code]
   [No validation present]
   [Fixed Code]
   if options.get("androidPackage").is_some() && options.get("binary").is_some() {
       return Err(WebDriverError::new(
           ErrorStatus::InvalidArgument,
           "androidPackage and binary are mutual exclusive",
       ));
   }
   [Note: Added validation to prevent conflicting options]

3. Vulnerability Existed: not sure
   [Test Assertion Improvement] [testing/geckodriver/src/capabilities.rs] [905-910, 951-956]
   [Old Code]
   assert!(iter
       .find(|&arg| arg == &"--remote-debugging-port".to_owned())
       .is_some());
   [Fixed Code]
   assert!(iter.any(|arg| arg == &"--remote-debugging-port".to_owned()));
   [Note: Changed assertion style but unclear if security-related]

4. Vulnerability Existed: not sure
   [Test Case Addition] [testing/geckodriver/src/capabilities.rs] [974-980]
   [Old Code]
   [No test case]
   [Fixed Code]
   fn fx_options_android_package_and_binary() {
       let mut firefox_opts = Capabilities::new();
       firefox_opts.insert("androidPackage".into(), json!("foo"));
       firefox_opts.insert("binary".into(), json!("bar"));

       make_options(firefox_opts, None)
           .expect_err("androidPackage and binary are mutual exclusive");
   }
   [Note: Added test for the new validation but unclear if security-related]

The most clear security-related fix is the addition of mutual exclusivity validation for androidPackage and binary options, which could prevent potential misconfiguration issues. The other changes appear to be code improvements or test additions whose security impact isn't immediately clear.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/selectors/old-tests/css3-modsel-9.xml AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-9.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-9.xml@@ -6,7 +6,6 @@ p[title^="foo"] { background-color : lime }]]></style>   <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/>   <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->-  <meta name="flags" content="" />  </head>  <body> <p title="foobar">This paragraph should have a green background<br></br>
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no
   No specific vulnerability found [File] [Lines 6]
   Old Code: <meta name="flags" content="" />
   Fixed Code: (line removed)

Additional Details:
- The diff shows only the removal of an empty meta tag with a "flags" attribute
- This appears to be test-related metadata cleanup rather than a security fix
- No known vulnerabilities are associated with this change
- The modification doesn't affect any security-relevant functionality

Note: The change appears to be a minor cleanup of test metadata rather than addressing any security vulnerability. The removed meta tag was empty and didn't serve any apparent security purpose.
CVE Analysis Results:
CVE-2022-26384: No
layout/generic/nsPageFrame.cpp AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsPageFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsPageFrame.cpp@@ -592,22 +592,25 @@     DisplayListClipState::AutoSaveRestore clipState(aBuilder);     clipState.Clear();-    // We need to extend the building rect to include the specified page size-    // (scaled by the print scaling factor), in case it is larger than the-    // physical page size. In that case the nsPageFrame will be the size of the-    // physical page, but the child nsPageContentFrame will be the larger-    // specified page size. The more correct way to do this would be to fully-    // reverse the result of ComputePagesPerSheetAndPageSizeTransform to handle-    // this scaling, but this should have the same result and is easier.     nsPresContext* const pc = PresContext();-    const float scale = pc->GetPageScale();-    const nsSize pageSize = ComputePageSize();-    const nsRect scaledPageRect{0, 0, NSToCoordCeil(pageSize.width / scale),-                                NSToCoordCeil(pageSize.height / scale)};-    nsDisplayListBuilder::AutoBuildingDisplayList buildingForPageContentFrame(-        aBuilder, this, scaledPageRect, scaledPageRect);--    nsContainerFrame::BuildDisplayList(aBuilder, set);+    {+      // We need to extend the building rect to include the specified page size+      // (scaled by the print scaling factor), in case it is larger than the+      // physical page size. In that case the nsPageFrame will be the size of+      // the physical page, but the child nsPageContentFrame will be the larger+      // specified page size. 
The more correct way to do this would be to fully+      // reverse the result of ComputePagesPerSheetAndPageSizeTransform to+      // handle this scaling, but this should have the same result and is+      // easier.+      const float scale = pc->GetPageScale();+      const nsSize pageSize = ComputePageSize();+      const nsRect scaledPageRect{0, 0, NSToCoordCeil(pageSize.width / scale),+                                  NSToCoordCeil(pageSize.height / scale)};+      nsDisplayListBuilder::AutoBuildingDisplayList buildingForPageContentFrame(+          aBuilder, this, scaledPageRect, scaledPageRect);++      nsContainerFrame::BuildDisplayList(aBuilder, set);+    }     if (pc->IsRootPaginatedDocument()) {       content.AppendNewToTop<nsDisplayHeaderFooter>(aBuilder, this);
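Review bot: The new braces end the lifetime of `buildingForPageContentFrame` before the `pc->IsRootPaginatedDocument()` branch, but the relocated comment only explains the enlarged building rect, not why the scope has to close there. Add a line stating why the code after the block must run outside that `AutoBuildingDisplayList`, so the block is not flattened again in a later cleanup.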
AI Analysis
Analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily structural/scope-related improvements rather than security fixes. Here's my analysis:

Vulnerability Existed: no
No security vulnerability found [File] [Lines 592-615]
[Old Code]
    nsPresContext* const pc = PresContext();
    const float scale = pc->GetPageScale();
    const nsSize pageSize = ComputePageSize();
    const nsRect scaledPageRect{0, 0, NSToCoordCeil(pageSize.width / scale),
                                NSToCoordCeil(pageSize.height / scale)};
    nsDisplayListBuilder::AutoBuildingDisplayList buildingForPageContentFrame(
        aBuilder, this, scaledPageRect, scaledPageRect);

    nsContainerFrame::BuildDisplayList(aBuilder, set);
[Fixed Code]
    nsPresContext* const pc = PresContext();
    {
      const float scale = pc->GetPageScale();
      const nsSize pageSize = ComputePageSize();
      const nsRect scaledPageRect{0, 0, NSToCoordCeil(pageSize.width / scale),
                                  NSToCoordCeil(pageSize.height / scale)};
      nsDisplayListBuilder::AutoBuildingDisplayList buildingForPageContentFrame(
          aBuilder, this, scaledPageRect, scaledPageRect);

      nsContainerFrame::BuildDisplayList(aBuilder, set);
    }

The main change is the addition of a scope block ({}) around the page scaling and display list building code. This is likely for better code organization or to ensure proper cleanup of the AutoBuildingDisplayList object, but doesn't appear to address any security vulnerability.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/.github/dependabot.yml AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/.github/dependabot.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/.github/dependabot.yml@@ -5,23 +5,8 @@   schedule:     interval: weekly   open-pull-requests-limit: 1000-- package-ecosystem: npm-  directory: webrtc/tools/-  schedule:-    interval: weekly-  open-pull-requests-limit: 1000-- package-ecosystem: npm-  directory: tools/scripts/-  schedule:-    interval: weekly-  open-pull-requests-limit: 1000 - package-ecosystem: pip   directory: css/-  schedule:-    interval: weekly-  open-pull-requests-limit: 1000-- package-ecosystem: npm-  directory: css/css-writing-modes/tools/generators/   schedule:     interval: weekly   open-pull-requests-limit: 1000
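Review bot: The three removed `package-ecosystem: npm` entries (`webrtc/tools/`, `tools/scripts/`, `css/css-writing-modes/tools/generators/`) stop Dependabot update pull requests for those directories. Confirm that the npm manifests there were removed in the same change; if any remain, their dependencies will no longer receive automated update PRs.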
AI Analysis
Based on the provided diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
[Potential Overly Permissive Dependabot Configuration] [testing/web-platform/tests/.github/dependabot.yml] [Lines 5-23]
[Old Code:
- package-ecosystem: npm
  directory: webrtc/tools/
  schedule:
    interval: weekly
  open-pull-requests-limit: 1000
- package-ecosystem: npm
  directory: tools/scripts/
  schedule:
    interval: weekly
  open-pull-requests-limit: 1000
- package-ecosystem: npm
  directory: css/css-writing-modes/tools/generators/
  schedule:
    interval: weekly
  open-pull-requests-limit: 1000]
[Fixed Code:
(removed these configurations)]

Additional Details:
- The diff shows removal of several npm package ecosystem configurations from Dependabot
- The high open-pull-requests-limit (1000) could potentially allow too many dependency updates to be opened at once
- However, it's unclear if this was actually causing security issues or just being simplified
- The removal might be reducing attack surface by monitoring fewer directories for updates
CVE Analysis Results:
CVE-2022-26384: No
security/nss/lib/ssl/tls13ech.c AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/nss/lib/ssl/tls13ech.c+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/nss/lib/ssl/tls13ech.c@@ -30,6 +30,20 @@                    const SSL3Hashes *hashes,                    PK11SymKey **dest,                    SSLHashType hash);++PRBool+tls13_Debug_CheckXtnBegins(const PRUint8 *start, const PRUint16 xtnType)+{+#ifdef DEBUG+    SECStatus rv;+    sslReader ext_reader = SSL_READER(start, 2);+    PRUint64 extension_number;+    rv = sslRead_ReadNumber(&ext_reader, 2, &extension_number);+    return ((rv == SECSuccess) && (extension_number == xtnType));+#else+    return PR_TRUE;+#endif+} void tls13_DestroyEchConfig(sslEchConfig *config)@@ -142,7 +156,7 @@  *     uint16 version;  *     uint16 length;  *     select (ECHConfig.version) {- *       case 0xfe0a: ECHConfigContents contents;+ *       case 0xfe0d: ECHConfigContents contents;  *     }  * } ECHConfig;  */@@ -226,15 +240,15 @@         goto loser;     }-    /* uint16 maximum_name_length */-    rv = sslRead_ReadNumber(&configReader, 2, &tmpn);-    if (rv != SECSuccess) {-        goto loser;-    }-    contents.maxNameLen = (PRUint16)tmpn;+    /* uint8 maximum_name_length */+    rv = sslRead_ReadNumber(&configReader, 1, &tmpn);+    if (rv != SECSuccess) {+        goto loser;+    }+    contents.maxNameLen = (PRUint8)tmpn;     /* opaque public_name<1..2^16-1> */-    rv = sslRead_ReadVariable(&configReader, 2, &tmpBuf);+    rv = sslRead_ReadVariable(&configReader, 1, &tmpBuf);     if (rv != SECSuccess) {         goto loser;     }@@ -346,7 +360,7 @@     if (rv != SECSuccess) {         return SECFailure;     }-+    SSL_TRC(100, ("Read EchConfig list of size %u", SSL_READER_REMAINING(&rdr)));     if (SSL_READER_REMAINING(&rdr)) {         PORT_SetError(SEC_ERROR_BAD_DATA);         return SECFailure;@@ -438,7 +452,7 @@      *     uint16 version; 
     *     uint16 length;      *     select (ECHConfig.version) {-     *       case 0xfe0a: ECHConfigContents contents;+     *       case 0xfe0d: ECHConfigContents contents;      *     }      * } ECHConfig;     */@@ -497,22 +511,22 @@     /*      * struct {      *     HpkeKeyConfig key_config;-     *     uint16 maximum_name_length;-     *     opaque public_name<1..2^16-1>;+     *     uint8 maximum_name_length;+     *     opaque public_name<1..255>;      *     Extension extensions<0..2^16-1>;      * } ECHConfigContents;      */-    rv = sslBuffer_AppendNumber(&b, maxNameLen, 2);+    rv = sslBuffer_AppendNumber(&b, maxNameLen, 1);     if (rv != SECSuccess) {         goto loser;     }     len = PORT_Strlen(publicName);-    if (len > 0xffff) {+    if (len > 0xff) {         PORT_SetError(SEC_ERROR_INVALID_ARGS);         goto loser;     }-    rv = sslBuffer_AppendVariable(&b, (const PRUint8 *)publicName, len, 2);+    rv = sslBuffer_AppendVariable(&b, (const PRUint8 *)publicName, len, 1);     if (rv != SECSuccess) {         goto loser;     }@@ -820,93 +834,48 @@ } /*- *  enum {- *     encrypted_client_hello(0xfe0a), (65535)- *  } ExtensionType;+ * outerAAD - The associated data for the AEAD (the entire client hello with the ECH payload zeroed)+ * chInner - The plaintext which will be encrypted (the ClientHelloInner plus padding)+ * echPayload - Output location. A buffer containing all-zeroes of at least chInner->len + TLS13_ECH_AEAD_TAG_LEN bytes.  *- *  struct {- *      HpkeKdfId kdf_id;- *      HpkeAeadId aead_id;- *  } HpkeSymmetricCipherSuite;- *  struct {- *     HpkeSymmetricCipherSuite cipher_suite;- *     uint8 config_id;- *     opaque enc<1..2^16-1>;- *     opaque payload<1..2^16-1>;- *  } ClientECH;- *- * Takes as input the constructed ClientHelloInner and- * returns a constructed encrypted_client_hello extension- * (replacing the contents of |chInner|).+ * echPayload may point into outerAAD to avoid the need to duplicate the ClientHelloOuter buffer.  
*/ static SECStatus-tls13_EncryptClientHello(sslSocket *ss, sslBuffer *outerAAD, sslBuffer *chInner)+tls13_EncryptClientHello(sslSocket *ss, SECItem *aadItem, const sslBuffer *chInner, PRUint8 *echPayload) {     SECStatus rv;     SECItem chPt = { siBuffer, chInner->buf, chInner->len };     SECItem *chCt = NULL;-    SECItem aadItem = { siBuffer, outerAAD ? outerAAD->buf : NULL, outerAAD ? outerAAD->len : 0 };-    const SECItem *hpkeEnc = NULL;-    const sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs);-    PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->echConfigs));--    SSL_TRC(50, ("%d: TLS13[%d]: Encrypting Client Hello Inner",-                 SSL_GETPID(), ss->fd));-    PRINT_BUF(50, (ss, "aad", outerAAD->buf, outerAAD->len));-    PRINT_BUF(50, (ss, "inner", chInner->buf, chInner->len));--    hpkeEnc = PK11_HPKE_GetEncapPubKey(ss->ssl3.hs.echHpkeCtx);-    if (!hpkeEnc) {-        FATAL_ERROR(ss, SEC_ERROR_LIBRARY_FAILURE, internal_error);-        goto loser;-    }++    PRINT_BUF(50, (ss, "aad for ECH Encrypt", aadItem->data, aadItem->len));+    PRINT_BUF(50, (ss, "plaintext for ECH Encrypt", chInner->buf, chInner->len)); #ifndef UNSAFE_FUZZER_MODE-    rv = PK11_HPKE_Seal(ss->ssl3.hs.echHpkeCtx, &aadItem, &chPt, &chCt);-    if (rv != SECSuccess) {-        goto loser;-    }-    PRINT_BUF(50, (ss, "cipher", chCt->data, chCt->len));+    rv = PK11_HPKE_Seal(ss->ssl3.hs.echHpkeCtx, aadItem, &chPt, &chCt);+    if (rv != SECSuccess) {+        goto loser;+    }+    PRINT_BUF(50, (ss, "ciphertext from ECH Encrypt", chCt->data, chCt->len)); #else     /* Fake a tag. */-    SECITEM_AllocItem(NULL, chCt, chPt.len + 16);+    SECITEM_AllocItem(NULL, chCt, chPt.len + TLS13_ECH_AEAD_TAG_LEN);     if (!chCt) {         goto loser;     }     PORT_Memcpy(chCt->data, chPt.data, chPt.len); #endif-    /* Format the encrypted_client_hello extension. 
*/-    sslBuffer_Clear(chInner);-    rv = sslBuffer_AppendNumber(chInner, cfg->contents.kdfId, 2);-    if (rv != SECSuccess) {-        goto loser;-    }-    rv = sslBuffer_AppendNumber(chInner, cfg->contents.aeadId, 2);-    if (rv != SECSuccess) {-        goto loser;-    }--    rv = sslBuffer_AppendNumber(chInner, cfg->contents.configId, 1);-    if (rv != SECSuccess) {-        goto loser;-    }-    if (!ss->ssl3.hs.helloRetry) {-        rv = sslBuffer_AppendVariable(chInner, hpkeEnc->data, hpkeEnc->len, 2);-        if (rv != SECSuccess) {-            goto loser;-        }-    } else {-        /* |enc| is empty. */-        rv = sslBuffer_AppendNumber(chInner, 0, 2);-        if (rv != SECSuccess) {-            goto loser;-        }-    }-    rv = sslBuffer_AppendVariable(chInner, chCt->data, chCt->len, 2);-    if (rv != SECSuccess) {-        goto loser;-    }+#ifdef DEBUG+    /* When encrypting in-place, the payload is part of the AAD and must be zeroed. */+    PRUint8 val = 0;+    for (int i = 0; i < chCt->len; i++) {+        val |= *(echPayload + i);+    }+    PRINT_BUF(100, (ss, "Empty Placeholder for output of ECH Encryption", echPayload, chCt->len));+    PR_ASSERT(val == 0);+#endif++    PORT_Memcpy(echPayload, chCt->data, chCt->len);     SECITEM_FreeItem(chCt, PR_TRUE);     return SECSuccess;@@ -944,7 +913,7 @@  * If |explicitSid|, place this value into |writer| as the SID. Else,  * the sid is copied from |reader| to |writer|. 
*/ static SECStatus-tls13_CopyChPreamble(sslReader *reader, const SECItem *explicitSid, sslBuffer *writer, sslReadBuffer *extensions)+tls13_CopyChPreamble(sslSocket *ss, sslReader *reader, const SECItem *explicitSid, sslBuffer *writer, sslReadBuffer *extensions) {     SECStatus rv;     sslReadBuffer tmpReadBuf;@@ -1001,111 +970,60 @@         return SECFailure;     }-    if (SSL_READER_REMAINING(reader) != 0) {-        PORT_SetError(SSL_ERROR_RX_MALFORMED_ECH_EXTENSION);-        return SECFailure;-    }-+    /* padding (optional) */+    sslReadBuffer padding;+    rv = sslRead_Read(reader, SSL_READER_REMAINING(reader), &padding);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    PRUint8 result = 0;+    for (int i = 0; i < padding.len; i++) {+        result |= padding.buf[i];+    }+    if (result) {+        SSL_TRC(50, ("%d: TLS13: Invalid ECH ClientHelloInner padding decoded", SSL_GETPID()));+        FATAL_ERROR(ss, SSL_ERROR_RX_MALFORMED_ECH_EXTENSION, illegal_parameter);+        return SECFailure;+    }     return SECSuccess; } /*- *   struct {- *      HpkeSymmetricCipherSuite cipher_suite;  // kdfid_, aead_id- *      uint8 config_id;- *      opaque enc<1..2^16-1>;- *      opaque outer_hello<1..2^24-1>;- *   } ClientHelloOuterAAD;+ * The ClientHelloOuterAAD is a serialized ClientHello structure, defined in+ * Section 4.1.2 of [RFC8446], which matches the ClientHelloOuter except the+ * payload field of the "encrypted_client_hello" is replaced with a byte+ * string of the same length but whose contents are zeros. This value does+ * not include the four-byte header from the Handshake structure.  
*/ static SECStatus-tls13_MakeChOuterAAD(sslSocket *ss, const SECItem *outer, SECItem *outerAAD)+tls13_ServerMakeChOuterAAD(sslSocket *ss, const PRUint8 *outerCh, unsigned int outerChLen, SECItem *outerAAD) {     SECStatus rv;     sslBuffer aad = SSL_BUFFER_EMPTY;-    sslReadBuffer aadXtns = { 0 };-    sslReader chReader = SSL_READER(outer->data, outer->len);-    PRUint64 tmpn;-    sslReadBuffer tmpvar = { 0 };-    unsigned int offset;-    unsigned int savedOffset;+    const unsigned int echPayloadLen = ss->xtnData.ech->innerCh.len;               /* Length of incoming payload */+    const unsigned int echPayloadOffset = ss->xtnData.ech->payloadStart - outerCh; /* Offset from start of CHO */++    PORT_Assert(outerChLen > echPayloadLen);+    PORT_Assert(echPayloadOffset + echPayloadLen <= outerChLen);+    PORT_Assert(ss->sec.isServer);     PORT_Assert(ss->xtnData.ech);-    rv = sslBuffer_AppendNumber(&aad, ss->xtnData.ech->kdfId, 2);-    if (rv != SECSuccess) {-        goto loser;-    }-    rv = sslBuffer_AppendNumber(&aad, ss->xtnData.ech->aeadId, 2);-    if (rv != SECSuccess) {-        goto loser;-    }--    rv = sslBuffer_AppendNumber(&aad, ss->xtnData.ech->configId, 1);-    if (rv != SECSuccess) {-        goto loser;-    }--    if (!ss->ssl3.hs.helloRetry) {-        rv = sslBuffer_AppendVariable(&aad, ss->xtnData.ech->senderPubKey.data,-                                      ss->xtnData.ech->senderPubKey.len, 2);-    } else {-        /* |enc| is empty for HelloRetryRequest. */-        rv = sslBuffer_AppendNumber(&aad, 0, 2);-    }-    if (rv != SECSuccess) {-        goto loser;-    }--    /* Skip 3 bytes for the CHOuter length. 
*/-    rv = sslBuffer_Skip(&aad, 3, &savedOffset);-    if (rv != SECSuccess) {-        goto loser;-    }--    /* aad := preamble, aadXtn := extensions */-    rv = tls13_CopyChPreamble(&chReader, NULL, &aad, &aadXtns);-    if (rv != SECSuccess) {-        goto loser;-    }-    sslReader xtnsReader = SSL_READER(aadXtns.buf, aadXtns.len);--    /* Save room for extensions length. */-    rv = sslBuffer_Skip(&aad, 2, &offset);-    if (rv != SECSuccess) {-        goto loser;-    }--    /* Append each extension, minus encrypted_client_hello_xtn. */-    while (SSL_READER_REMAINING(&xtnsReader)) {-        rv = sslRead_ReadNumber(&xtnsReader, 2, &tmpn);-        if (rv != SECSuccess) {-            goto loser;-        }-        rv = sslRead_ReadVariable(&xtnsReader, 2, &tmpvar);-        if (rv != SECSuccess) {-            goto loser;-        }--        if (tmpn != ssl_tls13_encrypted_client_hello_xtn) {-            rv = sslBuffer_AppendNumber(&aad, tmpn, 2);-            if (rv != SECSuccess) {-                goto loser;-            }-            rv = sslBuffer_AppendVariable(&aad, tmpvar.buf, tmpvar.len, 2);-            if (rv != SECSuccess) {-                goto loser;-            }-        }-    }--    rv = sslBuffer_InsertLength(&aad, offset, 2);-    if (rv != SECSuccess) {-        goto loser;-    }--    rv = sslBuffer_InsertLength(&aad, savedOffset, 3);-    if (rv != SECSuccess) {-        goto loser;-    }+#ifdef DEBUG+    /* Safety check that payload length pointed to by offset matches expected length */+    sslReader echXtnReader = SSL_READER(outerCh + echPayloadOffset - 2, 2);+    PRUint64 parsedXtnSize;+    rv = sslRead_ReadNumber(&echXtnReader, 2, &parsedXtnSize);+    PR_ASSERT(rv == SECSuccess);+    PR_ASSERT(parsedXtnSize == echPayloadLen);+#endif++    rv = sslBuffer_Append(&aad, outerCh, outerChLen);+    if (rv != SECSuccess) {+        goto loser;+    }+    PORT_Memset(aad.buf + echPayloadOffset, 0, echPayloadLen);++    PRINT_BUF(50, (ss, "AAD for ECH Decryption", 
aad.buf, aad.len));     outerAAD->data = aad.buf;     outerAAD->len = aad.len;@@ -1154,6 +1072,8 @@ #ifndef UNSAFE_FUZZER_MODE     rv = PK11_HPKE_Open(cx, outerAAD, &ss->xtnData.ech->innerCh, &decryptedChInner);     if (rv != SECSuccess) {+        SSL_TRC(10, ("%d: SSL3[%d]: Failed to decrypt inner CH with this candidate",+                     SSL_GETPID(), ss->fd));         goto loser; /* code set */     } #else@@ -1161,12 +1081,13 @@     if (rv != SECSuccess) {         goto loser;     }-    decryptedChInner->len -= 16; /* Fake tag */+    decryptedChInner->len -= TLS13_ECH_AEAD_TAG_LEN; /* Fake tag */ #endif     /* Stash the context, we may need it for HRR. */     ss->ssl3.hs.echHpkeCtx = cx;     *chInner = decryptedChInner;+    PRINT_BUF(100, (ss, "Decrypted ECH Inner", decryptedChInner->data, decryptedChInner->len));     SECITEM_FreeItem(&hpkeInfo, PR_FALSE);     return SECSuccess;@@ -1180,41 +1101,269 @@     return SECFailure; }+/* This is the maximum number of extension hooks that the following functions can handle. */+#define MAX_EXTENSION_WRITERS 32++static SECStatus+tls13_WriteDupXtnsToChInner(PRBool compressing, sslBuffer *dupXtns, sslBuffer *chInnerXtns)+{+    SECStatus rv;+    if (compressing && SSL_BUFFER_LEN(dupXtns) > 0) {+        rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_outer_extensions_xtn, 2);+        if (rv != SECSuccess) {+            return SECFailure;+        }+        rv = sslBuffer_AppendNumber(chInnerXtns, dupXtns->len + 1, 2);+        if (rv != SECSuccess) {+            return SECFailure;+        }+        rv = sslBuffer_AppendBufferVariable(chInnerXtns, dupXtns, 1);+        if (rv != SECSuccess) {+            return SECFailure;+        }+    } else {+        /* dupXtns carries whole extensions with lengths on each. 
*/+        rv = sslBuffer_AppendBuffer(chInnerXtns, dupXtns);+        if (rv != SECSuccess) {+            return SECFailure;+        }+    }+    sslBuffer_Clear(dupXtns);+    return SECSuccess;+}++/* Add ordinary extensions to CHInner.+ * The value of the extension from CHOuter is in |extensionData|.+ *+ * If the value is to be compressed, it is written to |dupXtns|.+ * Otherwise, a full extension is written to |chInnerXtns|.+ *+ * This function is always called twice:+ * once without compression and once with compression if possible.+ *+ * Because we want to allow extensions that did not appear in CHOuter+ * to be included in CHInner, we also need to track which extensions+ * have been included.  This is what |called| and |nCalled| track.+ */+static SECStatus+tls13_ChInnerAppendExtension(sslSocket *ss, PRUint16 extensionType,+                             const sslReadBuffer *extensionData,+                             sslBuffer *dupXtns, sslBuffer *chInnerXtns,+                             PRBool compressing,+                             PRUint16 *called, unsigned int *nCalled)+{+    PRUint8 buf[1024] = { 0 };+    const PRUint8 *p;+    unsigned int len = 0;+    PRBool willCompress;++    PORT_Assert(extensionType != ssl_tls13_encrypted_client_hello_xtn);+    sslCustomExtensionHooks *hook = ss->opt.callExtensionWriterOnEchInner+                                        ? ssl_FindCustomExtensionHooks(ss, extensionType)+                                        : NULL;+    if (hook && hook->writer) {+        if (*nCalled >= MAX_EXTENSION_WRITERS) {+            PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); /* TODO new code? */+            return SECFailure;+        }++        PRBool append = (*hook->writer)(ss->fd, ssl_hs_client_hello,+                                        buf, &len, sizeof(buf), hook->writerArg);+        called[(*nCalled)++] = extensionType;+        if (!append) {+            /* This extension is not going to appear in CHInner. 
*/+            /* TODO: consider removing this extension from ss->xtnData.advertised.+             * The consequence of not removing it is that we won't complain+             * if the server accepts ECH and then includes this extension.+             * The cost is a complete reworking of ss->xtnData.advertised.+             */+            return SECSuccess;+        }+        /* It can be compressed if it is the same as the outer value. */+        willCompress = (len == extensionData->len &&+                        NSS_SecureMemcmp(buf, extensionData->buf, len) == 0);+        p = buf;+    } else {+        /* Non-custom extensions are duplicated when compressing. */+        willCompress = PR_TRUE;+        p = extensionData->buf;+        len = extensionData->len;+    }++    /* Duplicated extensions all need to go together. */+    sslBuffer *dst = willCompress ? dupXtns : chInnerXtns;+    SECStatus rv = sslBuffer_AppendNumber(dst, extensionType, 2);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    if (!willCompress || !compressing) {+        rv = sslBuffer_AppendVariable(dst, p, len, 2);+        if (rv != SECSuccess) {+            return SECFailure;+        }+    }+    /* As this function is called twice, we only want to update our state the second time. */+    if (compressing) {+        ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType;+        SSL_TRC(50, ("Appending extension=%d to the Client Hello Inner. Compressed?=%d", extensionType, willCompress));+    }+    return SECSuccess;+}++/* Call any custom extension handlers that didn't want to be added to CHOuter. 
*/+static SECStatus+tls13_ChInnerAdditionalExtensionWriters(sslSocket *ss, const PRUint16 *called,+                                        unsigned int nCalled, sslBuffer *chInnerXtns)+{+    if (!ss->opt.callExtensionWriterOnEchInner) {+        return SECSuccess;+    }++    for (PRCList *cursor = PR_NEXT_LINK(&ss->extensionHooks);+         cursor != &ss->extensionHooks;+         cursor = PR_NEXT_LINK(cursor)) {+        sslCustomExtensionHooks *hook = (sslCustomExtensionHooks *)cursor;++        /* Skip if this hook was already called. */+        PRBool hookCalled = PR_FALSE;+        for (unsigned int i = 0; i < nCalled; ++i) {+            if (called[i] == hook->type) {+                hookCalled = PR_TRUE;+                break;+            }+        }+        if (hookCalled) {+            continue;+        }++        /* This is a cut-down version of ssl_CallCustomExtensionSenders(). */+        PRUint8 buf[1024];+        unsigned int len = 0;+        PRBool append = (*hook->writer)(ss->fd, ssl_hs_client_hello,+                                        buf, &len, sizeof(buf), hook->writerArg);+        if (!append) {+            continue;+        }++        SECStatus rv = sslBuffer_AppendNumber(chInnerXtns, hook->type, 2);+        if (rv != SECSuccess) {+            return SECFailure;+        }+        rv = sslBuffer_AppendVariable(chInnerXtns, buf, len, 2);+        if (rv != SECSuccess) {+            return SECFailure;+        }+        ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = hook->type;+    }+    return SECSuccess;+}++/* Take the PSK extension CHOuter and fill it with junk. */+static SECStatus+tls13_RandomizePsk(PRUint8 *buf, unsigned int len)+{+    sslReader rdr = SSL_READER(buf, len);++    /* Read the length of identities. 
*/+    PRUint64 outerLen = 0;+    SECStatus rv = sslRead_ReadNumber(&rdr, 2, &outerLen);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    PORT_Assert(outerLen < len + 2);++    /* Read the length of PskIdentity.identity */+    PRUint64 innerLen = 0;+    rv = sslRead_ReadNumber(&rdr, 2, &innerLen);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    /* identities should contain just one identity. */+    PORT_Assert(outerLen == innerLen + 6);++    /* Randomize PskIdentity.{identity,obfuscated_ticket_age}. */+    rv = PK11_GenerateRandom(buf + rdr.offset, innerLen + 4);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    rdr.offset += innerLen + 4;++    /* Read the length of binders. */+    rv = sslRead_ReadNumber(&rdr, 2, &outerLen);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    PORT_Assert(outerLen + rdr.offset == len);++    /* Read the length of the binder. */+    rv = sslRead_ReadNumber(&rdr, 1, &innerLen);+    if (rv != SECSuccess) {+        return SECFailure;+    }+    /* binders should contain just one binder. */+    PORT_Assert(outerLen == innerLen + 1);++    /* Randomize the binder. */+    rv = PK11_GenerateRandom(buf + rdr.offset, innerLen);+    if (rv != SECSuccess) {+        return SECFailure;+    }++    return SECSuccess;+}+ /* Given a buffer of extensions prepared for CHOuter, translate those extensions to a  * buffer suitable for CHInner. This is intended to be called twice: once without  * compression for the transcript hash and binders, and once with compression for- * encoding the actual CHInner value. On the first run, if |inOutPskXtn| and- * chOuterXtnsBuf contains a PSK extension, remove it and return in the outparam.- * The caller will compute the binder value based on the uncompressed output. Next,- * if |compress|, consolidate duplicated extensions (that would otherwise be copied)- * into a single outer_extensions extension. 
If |inOutPskXtn|, the extension contains- * a binder, it is appended after the deduplicated outer_extensions. In the case of- * GREASE ECH, one call is made to estimate size (wiith compression, null inOutPskXtn).+ * encoding the actual CHInner value.+ *+ * Compressed extensions are moved in both runs.  When compressing, they are moved+ * to a single outer_extensions extension, which lists extensions from CHOuter.+ * When not compressing, this produces the ClientHello that will be reconstructed+ * from the compressed ClientHello (that is, what goes into the handshake transcript),+ * so all the compressed extensions need to appear in the same place that the+ * outer_extensions extension appears.+ *+ * On the first run, if |inOutPskXtn| and OuterXtnsBuf contains a PSK extension,+ * remove it and return in the outparam.he caller will compute the binder value+ * based on the uncompressed output. Next, if |compress|, consolidate duplicated+ * extensions (that would otherwise be copied) into a single outer_extensions+ * extension. If |inOutPskXtn|, the extension contains a binder, it is appended+ * after the deduplicated outer_extensions. In the case of GREASE ECH, one call+ * is made to estimate size (wiith compression, null inOutPskXtn).  */ SECStatus tls13_ConstructInnerExtensionsFromOuter(sslSocket *ss, sslBuffer *chOuterXtnsBuf,                                         sslBuffer *chInnerXtns, sslBuffer *inOutPskXtn,-                                        PRBool compress)+                                        PRBool shouldCompress) {     SECStatus rv;     PRUint64 extensionType;     sslReadBuffer extensionData;     sslBuffer pskXtn = SSL_BUFFER_EMPTY;-    sslBuffer dupXtns = SSL_BUFFER_EMPTY; /* Dupcliated extensions, types-only if |compress|. */+    sslBuffer dupXtns = SSL_BUFFER_EMPTY; /* Duplicated extensions, types-only if |compress|. 
*/     unsigned int tmpOffset;     unsigned int tmpLen;     unsigned int srcXtnBase; /* To truncate CHOuter and remove the PSK extension. */++    PRUint16 called[MAX_EXTENSION_WRITERS] = { 0 }; /* For tracking which has been called. */+    unsigned int nCalled = 0;+     SSL_TRC(50, ("%d: TLS13[%d]: Constructing ECH inner extensions %s compression",-                 SSL_GETPID(), ss->fd, compress ? "with" : "without"));+                 SSL_GETPID(), ss->fd, shouldCompress ? "with" : "without"));     /* When offering the "encrypted_client_hello" extension in its      * ClientHelloOuter, the client MUST also offer an empty      * "encrypted_client_hello" extension in its ClientHelloInner. */-    rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_ech_is_inner_xtn, 2);-    if (rv != SECSuccess) {-        goto loser;-    }-    rv = sslBuffer_AppendNumber(chInnerXtns, 0, 2);+    rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_encrypted_client_hello_xtn, 2);+    if (rv != SECSuccess) {+        goto loser;+    }+    rv = sslBuffer_AppendNumber(chInnerXtns, 1, 2);+    if (rv != SECSuccess) {+        goto loser;+    }+    rv = sslBuffer_AppendNumber(chInnerXtns, ech_xtn_type_inner, 1);     if (rv != SECSuccess) {         goto loser;     }@@ -1256,6 +1405,10 @@                 if (rv != SECSuccess) {                     goto loser;                 }+                /* Only update state on second invocation of this function */+                if (shouldCompress) {+                    ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType;+                }                 break;             case ssl_tls13_supported_versions_xtn:                 /* Only TLS 1.3 on CHInner. 
*/@@ -1275,12 +1428,13 @@                 if (rv != SECSuccess) {                     goto loser;                 }+                /* Only update state on second invocation of this function */+                if (shouldCompress) {+                    ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType;+                }                 break;             case ssl_tls13_pre_shared_key_xtn:-                /* If GREASEing, the estimated internal length-                 * will be short. However, the presence of a PSK extension in-                 * CHOuter is already a distinguisher. */-                if (inOutPskXtn) {+                if (inOutPskXtn && !shouldCompress) {                     rv = sslBuffer_AppendNumber(&pskXtn, extensionType, 2);                     if (rv != SECSuccess) {                         goto loser;@@ -1290,64 +1444,74 @@                     if (rv != SECSuccess) {                         goto loser;                     }-                    /* In terms of CHOuter, the PSK extension no longer exists.-                     * 0 lastXtnOffset means insert padding at the end. */-                    SSL_BUFFER_LEN(chOuterXtnsBuf) = srcXtnBase;-                    ss->xtnData.lastXtnOffset = 0;-                }-                break;-            default:-                PORT_Assert(extensionType != ssl_tls13_encrypted_client_hello_xtn);-                rv = sslBuffer_AppendNumber(&dupXtns, extensionType, 2);-                if (rv != SECSuccess) {-                    goto loser;-                }-                if (!compress) {-                    rv = sslBuffer_AppendVariable(&dupXtns, extensionData.buf,+                    /* This should be the last extension. 
*/+                    PORT_Assert(srcXtnBase == ss->xtnData.lastXtnOffset);+                    PORT_Assert(chOuterXtnsBuf->len - srcXtnBase == extensionData.len + 4);+                    rv = tls13_RandomizePsk(chOuterXtnsBuf->buf + srcXtnBase + 4,+                                            chOuterXtnsBuf->len - srcXtnBase - 4);+                    if (rv != SECSuccess) {+                        goto loser;+                    }+                } else if (!inOutPskXtn) {+                    /* When GREASEing, only the length is used.+                     * Order doesn't matter, so just copy the extension. */+                    rv = sslBuffer_AppendNumber(chInnerXtns, extensionType, 2);+                    if (rv != SECSuccess) {+                        goto loser;+                    }+                    rv = sslBuffer_AppendVariable(chInnerXtns, extensionData.buf,                                                   extensionData.len, 2);                     if (rv != SECSuccess) {                         goto loser;                     }                 }+                /* Only update state on second invocation of this function */+                if (shouldCompress) {+                    ss->xtnData.echAdvertised[ss->xtnData.echNumAdvertised++] = extensionType;+                }                 break;-        }-    }--    /* Append duplicated extensions, compressing or not. */-    if (SSL_BUFFER_LEN(&dupXtns) && compress) {-        rv = sslBuffer_AppendNumber(chInnerXtns, ssl_tls13_outer_extensions_xtn, 2);-        if (rv != SECSuccess) {-            goto loser;-        }-        rv = sslBuffer_AppendNumber(chInnerXtns, dupXtns.len + 1, 2);-        if (rv != SECSuccess) {-            goto loser;-        }-        rv = sslBuffer_AppendBufferVariable(chInnerXtns, &dupXtns, 1);-    } else if (SSL_BUFFER_LEN(&dupXtns)) {-        /* Each duplicated extension has its own length. 
*/-        rv = sslBuffer_AppendBuffer(chInnerXtns, &dupXtns);-    }-    if (rv != SECSuccess) {-        goto loser;-    }--    /* On the compression run, append the completed PSK extension (if-     * provided). Else an incomplete (no binder) extension; the caller-     * will compute the binder and call again. */-    if (compress && inOutPskXtn) {-        rv = sslBuffer_AppendBuffer(chInnerXtns, inOutPskXtn);-    } else if (pskXtn.len) {-        rv = sslBuffer_AppendBuffer(chInnerXtns, &pskXtn);-        if (inOutPskXtn) {+            default: {+                /* This is a regular extension.  We can maybe compress these. */+                rv = tls13_ChInnerAppendExtension(ss, extensionType,+                                                  &extensionData,+                                                  &dupXtns, chInnerXtns,+                                                  shouldCompress,+                                                  called, &nCalled);+                if (rv != SECSuccess) {+                    goto loser;+                }+                break;+            }+        }+    }++    rv = tls13_WriteDupXtnsToChInner(shouldCompress, &dupXtns, chInnerXtns);+    if (rv != SECSuccess) {+        goto loser;+    }++    /* Now call custom extension handlers that didn't choose to append anything to+     * the outer ClientHello. */+    rv = tls13_ChInnerAdditionalExtensionWriters(ss, called, nCalled, chInnerXtns);+    if (rv != SECSuccess) {+        goto loser;+    }++    if (inOutPskXtn) {+        /* On the first, non-compress run, append the (bad) PSK binder.+         * On the second compression run, the caller is responsible for+         * providing an extension with a valid binder, so append that. 
*/+        if (shouldCompress) {+            rv = sslBuffer_AppendBuffer(chInnerXtns, inOutPskXtn);+        } else {+            rv = sslBuffer_AppendBuffer(chInnerXtns, &pskXtn);             *inOutPskXtn = pskXtn;         }-    }-    if (rv != SECSuccess) {-        goto loser;-    }--    sslBuffer_Clear(&dupXtns);+        if (rv != SECSuccess) {+            goto loser;+        }+    }+     return SECSuccess; loser:@@ -1357,7 +1521,7 @@ } static SECStatus-tls13_EncodeClientHelloInner(sslSocket *ss, sslBuffer *chInner, sslBuffer *chInnerXtns, sslBuffer *out)+tls13_EncodeClientHelloInner(sslSocket *ss, const sslBuffer *chInner, const sslBuffer *chInnerXtns, sslBuffer *out) {     PORT_Assert(ss && chInner && chInnerXtns && out);     SECStatus rv;@@ -1421,19 +1585,112 @@ } SECStatus+tls13_PadChInner(sslBuffer *chInner, uint8_t maxNameLen, uint8_t serverNameLen)+{+    SECStatus rv;+    PORT_Assert(chInner);+    PORT_Assert(serverNameLen > 0);+    static unsigned char padding[256 + 32] = { 0 };+    int16_t name_padding = (int16_t)maxNameLen - (int16_t)serverNameLen;+    if (name_padding < 0) {+        name_padding = 0;+    }+    unsigned int rounding_padding = 31 - ((SSL_BUFFER_LEN(chInner) + name_padding) % 32);+    unsigned int total_padding = name_padding + rounding_padding;+    PORT_Assert(total_padding < sizeof(padding));+    SSL_TRC(100, ("computed ECH Inner Client Hello padding of size %u", total_padding));+    rv = sslBuffer_Append(chInner, padding, total_padding);+    if (rv != SECSuccess) {+        sslBuffer_Clear(chInner);+        return SECFailure;+    }+    return SECSuccess;+}++/* Build an ECH Xtn body with a zeroed payload for the client hello inner+ *+ *   enum { outer(0), inner(1) } ECHClientHelloType;+ *+ *   struct {+ *      ECHClientHelloType type;+ *      select (ECHClientHello.type) {+ *          case outer:+ *              HpkeSymmetricCipherSuite cipher_suite;+ *              uint8 config_id;+ *              opaque enc<0..2^16-1>;+ *              
opaque payload<1..2^16-1>;+ *          case inner:+ *              Empty;+ *      };+ *  } ECHClientHello;+ *+ * payloadLen = Size of zeroed placeholder field for payload.+ * payloadOffset = Out parameter, start of payload field+ * echXtn = Out parameter, constructed ECH Xtn with zeroed placeholder field.+*/+SECStatus+tls13_BuildEchXtn(sslEchConfig *cfg, const SECItem *hpkeEnc, unsigned int payloadLen, PRUint16 *payloadOffset, sslBuffer *echXtn)+{+    SECStatus rv;+    /* Format the encrypted_client_hello extension. */+    rv = sslBuffer_AppendNumber(echXtn, ech_xtn_type_outer, 1);+    if (rv != SECSuccess) {+        goto loser;+    }+    rv = sslBuffer_AppendNumber(echXtn, cfg->contents.kdfId, 2);+    if (rv != SECSuccess) {+        goto loser;+    }+    rv = sslBuffer_AppendNumber(echXtn, cfg->contents.aeadId, 2);+    if (rv != SECSuccess) {+        goto loser;+    }++    rv = sslBuffer_AppendNumber(echXtn, cfg->contents.configId, 1);+    if (rv != SECSuccess) {+        goto loser;+    }+    if (hpkeEnc) {+        /* Public Key */+        rv = sslBuffer_AppendVariable(echXtn, hpkeEnc->data, hpkeEnc->len, 2);+        if (rv != SECSuccess) {+            goto loser;+        }+    } else {+        /* |enc| is empty. 
*/+        rv = sslBuffer_AppendNumber(echXtn, 0, 2);+        if (rv != SECSuccess) {+            goto loser;+        }+    }+    payloadLen += TLS13_ECH_AEAD_TAG_LEN;+    rv = sslBuffer_AppendNumber(echXtn, payloadLen, 2);+    if (rv != SECSuccess) {+        goto loser;+    }+    *payloadOffset = echXtn->len;+    rv = sslBuffer_Fill(echXtn, 0, payloadLen);+    if (rv != SECSuccess) {+        goto loser;+    }+    PRINT_BUF(100, (NULL, "ECH Xtn with Placeholder:", echXtn->buf, echXtn->len));+    return SECSuccess;+loser:+    sslBuffer_Clear(echXtn);+    return SECFailure;+}++SECStatus tls13_ConstructClientHelloWithEch(sslSocket *ss, const sslSessionID *sid, PRBool freshSid,                                   sslBuffer *chOuter, sslBuffer *chOuterXtnsBuf) {     SECStatus rv;     sslBuffer chInner = SSL_BUFFER_EMPTY;     sslBuffer encodedChInner = SSL_BUFFER_EMPTY;+    sslBuffer paddingChInner = SSL_BUFFER_EMPTY;     sslBuffer chInnerXtns = SSL_BUFFER_EMPTY;     sslBuffer pskXtn = SSL_BUFFER_EMPTY;-    sslBuffer aad = SSL_BUFFER_EMPTY;-    unsigned int encodedChLen;     unsigned int preambleLen;-    const SECItem *hpkeEnc = NULL;-    unsigned int savedOffset;     SSL_TRC(50, ("%d: TLS13[%d]: Constructing ECH inner", SSL_GETPID(), ss->fd));@@ -1464,7 +1721,6 @@     if (pskXtn.len) {         PORT_Assert(ssl3_ExtensionAdvertised(ss, ssl_tls13_pre_shared_key_xtn));-        PORT_Assert(ss->xtnData.lastXtnOffset == 0); /* stolen from outer */         rv = tls13_WriteExtensionsWithBinder(ss, &chInnerXtns, &chInner);         /* Update the stolen PSK extension with the binder value. 
*/         PORT_Memcpy(pskXtn.buf, &chInnerXtns.buf[chInnerXtns.len - pskXtn.len], pskXtn.len);@@ -1475,6 +1731,7 @@         goto loser;     }+    PRINT_BUF(50, (ss, "Uncompressed CHInner", chInner.buf, chInner.len));     rv = ssl3_UpdateHandshakeHashesInt(ss, chInner.buf, chInner.len,                                        &ss->ssl3.hs.echInnerMessages);     if (rv != SECSuccess) {@@ -1494,105 +1751,237 @@     if (rv != SECSuccess) {         goto loser;     }--    /* Pad the outer prior to appending ECH (for the AAD).-     * Encoded extension size is (echCipherSuite + enc + configId + payload + tag).-     * Post-encryption, we'll assert that this was correct. */-    encodedChLen = 4 + 1 + 2 + 2 + encodedChInner.len + 16;-    if (!ss->ssl3.hs.helloRetry) {-        encodedChLen += 32; /* enc */-    }-    rv = ssl_InsertPaddingExtension(ss, chOuter->len + encodedChLen, chOuterXtnsBuf);-    if (rv != SECSuccess) {-        goto loser;-    }+    PRINT_BUF(50, (ss, "Compressed CHInner", encodedChInner.buf, encodedChInner.len));     PORT_Assert(!PR_CLIST_IS_EMPTY(&ss->echConfigs));     sslEchConfig *cfg = (sslEchConfig *)PR_LIST_HEAD(&ss->echConfigs);-    rv = sslBuffer_AppendNumber(&aad, cfg->contents.kdfId, 2);-    if (rv != SECSuccess) {-        goto loser;-    }-    rv = sslBuffer_AppendNumber(&aad, cfg->contents.aeadId, 2);-    if (rv != SECSuccess) {-        goto loser;-    }-    rv = sslBuffer_AppendNumber(&aad, cfg->contents.configId, 1);-    if (rv != SECSuccess) {-        goto loser;-    }-++    /* We are using ECH so SNI must have been included */
AI Analysis
testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.parallel.html
========
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.parallel.html
+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.join.parallel.html
@@ -17,8 +17,8 @@
 });
 t.step(function() {
 
-var offscreenCanvas = new OffscreenCanvas(100, 50);
-var ctx = offscreenCanvas.getContext('2d');
+var canvas = new OffscreenCanvas(100, 50);
+var ctx = canvas.getContext('2d');
 
 ctx.fillStyle = '#f00';
 ctx.fillRect(0, 0, 100, 50);
@@ -30,10 +30,10 @@
 ctx.lineTo(0, 25);
 ctx.lineTo(-100, 25);
 ctx.stroke();
-_assertPixel(offscreenCanvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
-_assertPixel(offscreenCanvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");
-_assertPixel(offscreenCanvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");
-_assertPixel(offscreenCanvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
+_assertPixel(canvas, 1,1, 0,255,0,255, "1,1", "0,255,0,255");
+_assertPixel(canvas, 48,1, 0,255,0,255, "48,1", "0,255,0,255");
+_assertPixel(canvas, 48,48, 0,255,0,255, "48,48", "0,255,0,255");
+_assertPixel(canvas, 1,48, 0,255,0,255, "1,48", "0,255,0,255");
 t.done();
 
 });
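Review bot: check the rest of this test file for remaining uses of offscreenCanvas before landing. The declaration renamed in the first hunk and the four _assertPixel calls here are consistent with each other, but any reference to the old name outside the two visible hunks would now throw a ReferenceError inside t.step and fail the test for a reason unrelated to line joins.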
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with allow-popups but not allow-scripts, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.