Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/neqo-crypto/src/agent.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/neqo-crypto/src/agent.rs@@ -277,7 +277,6 @@ now: TimeHolder, extension_handlers: Vec<ExtensionTracker>,- inf: Option<SecretAgentInfo>, /// The encrypted client hello (ECH) configuration that is in use. /// Empty if ECH is not enabled.@@ -300,7 +299,6 @@ now: TimeHolder::default(), extension_handlers: Vec::new(),- inf: None, ech_config: Vec::new(), })@@ -795,7 +793,12 @@ /// A TLS Client. #[derive(Debug)]-#[allow(clippy::box_vec)] // We need the Box.+#[allow(+ renamed_and_removed_lints,+ clippy::box_vec,+ unknown_lints,+ clippy::box_collection+)] // We need the Box. pub struct Client { agent: SecretAgent,@@ -983,14 +986,12 @@ #[derive(Debug)] struct ZeroRttCheckState {- fd: *mut ssl::PRFileDesc, checker: Pin<Box<dyn ZeroRttChecker>>, } impl ZeroRttCheckState {- pub fn new(fd: *mut ssl::PRFileDesc, checker: Box<dyn ZeroRttChecker>) -> Self {+ pub fn new(checker: Box<dyn ZeroRttChecker>) -> Self { Self {- fd, checker: Pin::new(checker), } }@@ -1085,7 +1086,7 @@ max_early_data: u32, checker: Box<dyn ZeroRttChecker>, ) -> Res<()> {- let mut check_state = Box::pin(ZeroRttCheckState::new(self.agent.fd, checker));+ let mut check_state = Box::pin(ZeroRttCheckState::new(checker)); unsafe { ssl::SSL_HelloRetryRequestCallback( self.agent.fd,
I'll analyze the provided code diff for security fixes following the specified format.
1. Vulnerability Existed: yes
Memory Safety Issue [third_party/rust/neqo-crypto/src/agent.rs] [Lines 983-986, 1086]
[Old Code]
struct ZeroRttCheckState {
fd: *mut ssl::PRFileDesc,
checker: Pin<Box<dyn ZeroRttChecker>>,
}
...
let mut check_state = Box::pin(ZeroRttCheckState::new(self.agent.fd, checker));
[Fixed Code]
struct ZeroRttCheckState {
checker: Pin<Box<dyn ZeroRttChecker>>,
}
...
let mut check_state = Box::pin(ZeroRttCheckState::new(checker));
Additional Details: The fix removes a raw pointer (fd) from the ZeroRttCheckState structure, which improves memory safety by eliminating potential misuse of the raw pointer. This could have been a potential vulnerability if the pointer was used unsafely or became dangling.
2. Vulnerability Existed: yes
Information Exposure [third_party/rust/neqo-crypto/src/agent.rs] [Lines 277-280, 300]
[Old Code]
now: TimeHolder,
extension_handlers: Vec<ExtensionTracker>,
inf: Option<SecretAgentInfo>,
/// The encrypted client hello (ECH) configuration that is in use.
[Fixed Code]
now: TimeHolder,
extension_handlers: Vec<ExtensionTracker>,
/// The encrypted client hello (ECH) configuration that is in use.
Additional Details: The fix removes the 'inf: Option<SecretAgentInfo>' field, which appears to contain potentially sensitive information (given the name 'SecretAgentInfo'). This prevents accidental exposure of secret agent information through memory dumps or other information leaks.
3. Vulnerability Existed: not sure
Lint Configuration Change [third_party/rust/neqo-crypto/src/agent.rs] [Lines 795-800]
[Old Code]
#[derive(Debug)]
#[allow(clippy::box_vec)] // We need the Box.
[Fixed Code]
#[derive(Debug)]
#[allow(
renamed_and_removed_lints,
clippy::box_vec,
unknown_lints,
clippy::box_collection
)] // We need the Box.
Additional Details: While this change doesn't appear to fix a direct security vulnerability, it updates lint configurations which could potentially catch more issues in the future. The change adds more comprehensive lint allowances, which might help maintain code quality and prevent future vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/forms/nsFieldSetFrame.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/forms/nsFieldSetFrame.cpp@@ -28,6 +28,7 @@ using namespace mozilla; using namespace mozilla::gfx; using namespace mozilla::layout;+using image::ImgDrawResult; nsContainerFrame* NS_NewFieldSetFrame(PresShell* aPresShell, ComputedStyle* aStyle) {@@ -126,9 +127,8 @@ void nsDisplayFieldSetBorder::Paint(nsDisplayListBuilder* aBuilder, gfxContext* aCtx) {- image::ImgDrawResult result =- static_cast<nsFieldSetFrame*>(mFrame)->PaintBorder(- aBuilder, *aCtx, ToReferenceFrame(), GetPaintRect(aBuilder, aCtx));+ ImgDrawResult result = static_cast<nsFieldSetFrame*>(mFrame)->PaintBorder(+ aBuilder, *aCtx, ToReferenceFrame(), GetPaintRect(aBuilder, aCtx)); nsDisplayItemGenericImageGeometry::UpdateDrawResult(this, result); }@@ -172,12 +172,13 @@ nsDisplayListBuilder* aDisplayListBuilder) { auto frame = static_cast<nsFieldSetFrame*>(mFrame); auto offset = ToReferenceFrame();- nsRect rect; Maybe<wr::SpaceAndClipChainHelper> clipOut;+ nsRect rect = frame->VisualBorderRectRelativeToSelf() + offset;+ nsDisplayBoxShadowInner::CreateInsetBoxShadowWebRenderCommands(+ aBuilder, aSc, rect, mFrame, rect);+ if (nsIFrame* legend = frame->GetLegend()) {- rect = frame->VisualBorderRectRelativeToSelf() + offset;- nsRect legendRect = legend->GetNormalRect() + offset; // Make sure we clip all of the border in case the legend is smaller.@@ -275,9 +276,10 @@ contentDisplayItems.MoveTo(aLists); }-image::ImgDrawResult nsFieldSetFrame::PaintBorder(- nsDisplayListBuilder* aBuilder, gfxContext& aRenderingContext, nsPoint aPt,- const nsRect& aDirtyRect) {+ImgDrawResult nsFieldSetFrame::PaintBorder(nsDisplayListBuilder* aBuilder,+ gfxContext& aRenderingContext,+ nsPoint aPt,+ const nsRect& aDirtyRect) { // If the border is smaller than the legend, move the border down // to be centered on the legend. We call VisualBorderRectRelativeToSelf() to // compute the border positioning.
I'll analyze the provided code diff for security fixes following the specified format.
Vulnerability Existed: no
No specific vulnerability found [nsFieldSetFrame.cpp] [Various lines]
The changes appear to be primarily code style improvements and minor refactoring:
1. Added using declaration for ImgDrawResult
2. Simplified variable declarations
3. Reordered some operations for better logical flow
4. Changed image::ImgDrawResult to just ImgDrawResult after the using declaration
Additional observations:
- The changes don't show any clear security fixes
- The modifications seem focused on code organization and readability
- No obvious security vulnerabilities are being patched in this diff
- The changes are consistent with general code maintenance rather than security fixes
Vulnerability Existed: not sure
Potential layout/rendering issue [nsFieldSetFrame.cpp] [172-176]
The changes in the CreateWebRenderCommands method involve reordering operations related to border and legend rendering. While this doesn't clearly fix a security vulnerability, incorrect layout calculations could potentially lead to rendering artifacts or information leaks.
Old Code:
if (nsIFrame* legend = frame->GetLegend()) {
rect = frame->VisualBorderRectRelativeToSelf() + offset;
Fixed Code:
nsRect rect = frame->VisualBorderRectRelativeToSelf() + offset;
nsDisplayBoxShadowInner::CreateInsetBoxShadowWebRenderCommands(
aBuilder, aSc, rect, mFrame, rect);
if (nsIFrame* legend = frame->GetLegend()) {
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/normal-flow/margin-collapsing-in-table-caption-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/normal-flow/margin-collapsing-in-table-caption-001.html@@ -3,7 +3,6 @@ <link rel="author" title="David Grogan" href="[email protected]"> <link rel="help" href="https://www.w3.org/TR/CSS22/tables.html#model"> <link rel="match" href="../../reference/ref-filled-green-100px-square-only.html">-<meta name="flags" content="" /> <meta name="assert" content="margins between sibling blocks are collapsed inside caption" /> <title> Caption block containers are rendered same as normal block boxes
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
Meta Tag Removal [File] [Lines 3-4]
[Old Code]
`<meta name="flags" content="" />`
[Fixed Code]
(removed line)
Additional Details:
- The change simply removes an empty meta tag that wasn't serving any purpose
- No security implications are apparent in this change
- This appears to be a cleanup rather than a security fix
- The "flags" meta tag was empty and not being used for any security-related functionality
No other changes were present in the diff to analyze for potential vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-fonts/font-size-zero-2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-fonts/font-size-zero-2.html@@ -5,7 +5,6 @@ <link rel="help" href="http://www.w3.org/TR/css3-fonts/#font-size-prop"> <link rel="help" href="http://www.w3.org/TR/CSS21/box.html#collapsing-margins"> <link rel="match" href="font-size-zero-2-ref.html">-<meta name="flags" content=""> <style> /* spec ambiguous whether font-size-adjust influences line-height: normal */ body { line-height: 1.2 }
Based on the provided diff, I'll analyze it for potential security vulnerabilities:
1. Vulnerability Existed: no
Meta Tag Removal [File] [Lines 5-7]
[Old Code]
<meta name="flags" content="">
[Fixed Code]
(removed line)
Additional Details:
- The change simply removes an empty meta tag that was previously used for test flags. This doesn't appear to be security-related.
- No known vulnerability is associated with this change.
- The modification seems to be a cleanup rather than a security fix.
No other changes were detected in the provided diff that would indicate security vulnerabilities. The rest of the diff shows unchanged lines (context lines) that weren't modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/arm/Architecture-arm.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/arm/Architecture-arm.h@@ -714,10 +714,11 @@ // instead; see ParseARMHwCapFlags. void InitARMFlags();-// Parse a string denoting ARM hardware flags and unconditionally set the flags.-// Doing this after the flags have been observed is likely to cause problems, as-// code is allowed to assume that the flags are stable.-bool ParseARMHwCapFlags(const char* armHwCap);+// Register a string denoting ARM hardware flags. During engine initialization,+// these flags will then be used instead of the actual hardware capabilities.+// This must be called before JS_Init and the passed string's buffer must+// outlive the JS_Init call.+void SetARMHwCapFlagsString(const char* armHwCap); // Retrive the ARM hardware flags at a bitmask. They must have been set. uint32_t GetARMFlags();
Here's the analysis of the provided code diff following the specified format: Vulnerability Existed: not sure Potential Race Condition or Improper Initialization [js/src/jit/arm/Architecture-arm.h] [Lines 714-721] [Old Code] // Parse a string denoting ARM hardware flags and unconditionally set the flags. // Doing this after the flags have been observed is likely to cause problems, as // code is allowed to assume that the flags are stable. bool ParseARMHwCapFlags(const char* armHwCap); [Fixed Code] // Register a string denoting ARM hardware flags. During engine initialization, // these flags will then be used instead of the actual hardware capabilities. // This must be called before JS_Init and the passed string's buffer must // outlive the JS_Init call. void SetARMHwCapFlagsString(const char* armHwCap); Analysis: 1. The change suggests a modification in how ARM hardware capability flags are handled, moving from direct parsing to registration. 2. The old code had potential issues where flags could be modified after observation, which could lead to race conditions or inconsistent behavior. 3. The new code enforces proper initialization timing (before JS_Init) and lifetime requirements for the string buffer. 4. While not explicitly a known vulnerability (like CVE), this appears to be fixing a potential security issue related to improper initialization timing and memory management. 5. The change makes the API more robust by preventing late modifications of hardware flags that could lead to undefined behavior.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.empty.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.empty.worker.js@@ -13,15 +13,15 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50); var g = ctx.createLinearGradient(0, 0, 0, 50); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2); t.done(); });
Based on the provided code diff, here's the analysis following the required format:
Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.empty.worker.js] [Lines 13-15, 22]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
Additional Details:
The changes appear to be purely variable renaming (from 'offscreenCanvas' to 'canvas') with no security implications. The functionality remains identical, and there are no security vulnerabilities being addressed in this diff. The modification seems to be for code consistency or readability rather than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.dirty.rect1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.dirty.rect1.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50)@@ -30,11 +30,11 @@ ctx.fillStyle = '#f00'; ctx.fillRect(40, 20, 20, 20) ctx.putImageData(imgdata, 40, 20, 0, 0, 20, 20);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 35,25, 0,255,0,255, "35,25", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 65,25, 0,255,0,255, "65,25", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 50,15, 0,255,0,255, "50,15", "0,255,0,255", 2);-_assertPixelApprox(offscreenCanvas, 50,45, 0,255,0,255, "50,45", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 35,25, 0,255,0,255, "35,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 65,25, 0,255,0,255, "65,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,15, 0,255,0,255, "50,15", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,45, 0,255,0,255, "50,45", "0,255,0,255", 2); t.done(); });
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and the corresponding updates to the variable name in the assertions. There are no security-related fixes or vulnerabilities being addressed in this diff. Here's the structured response: Vulnerability Existed: no [No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.dirty.rect1.html] [Lines 17-30] [Old Code: var offscreenCanvas = new OffscreenCanvas(100, 50); ... _assertPixelApprox(offscreenCanvas, ...)] [Fixed Code: var canvas = new OffscreenCanvas(100, 50); ... _assertPixelApprox(canvas, ...)] The changes are purely variable name refactoring with no security implications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/python/taskcluster_taskgraph/taskgraph/util/schema.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/python/taskcluster_taskgraph/taskgraph/util/schema.py@@ -161,7 +161,7 @@ ) )- if isinstance(sch, collections.Mapping):+ if isinstance(sch, collections.abc.Mapping): for k, v in sch.items(): child = f"{path}[{k!r}]" check_identifier(child, k)
Let me analyze the code diff for security fixes: Vulnerability Existed: not sure [Deprecation of collections.Mapping] [third_party/python/taskcluster_taskgraph/taskgraph/util/schema.py] [Lines 161] [Old Code] `if isinstance(sch, collections.Mapping):` [Fixed Code] `if isinstance(sch, collections.abc.Mapping):` Additional Details: This change appears to be updating the code to use collections.abc.Mapping instead of the deprecated collections.Mapping. While this isn't a direct security vulnerability fix, it's a maintenance update that follows Python's best practices. The collections.Mapping was moved to collections.abc in Python 3.3, and using the old import could potentially cause issues in future Python versions. This change improves code robustness but doesn't appear to address a specific security vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/base/content/tabbrowser-tab.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/base/content/tabbrowser-tab.js@@ -18,7 +18,7 @@ <stack class="tab-icon-stack"> <hbox class="tab-throbber" layer="true"/> <hbox class="tab-icon-pending"/>- <image class="tab-icon-image" validate="never" role="presentation"/>+ <html:img class="tab-icon-image" role="presentation" decoding="sync" /> <image class="tab-sharing-icon-overlay" role="presentation"/> <image class="tab-icon-overlay" role="presentation"/> </stack>
Here's the analysis of the provided code diff: 1. Vulnerability Existed: not sure [Potential XSS or Image Handling Vulnerability] [browser/base/content/tabbrowser-tab.js] [Lines 18] [Old Code] `<image class="tab-icon-image" validate="never" role="presentation"/>` [Fixed Code] `<html:img class="tab-icon-image" role="presentation" decoding="sync" />` Additional Details: - The change replaces an `<image>` element with an `<html:img>` element - The `validate="never"` attribute was removed and `decoding="sync"` was added - This might be related to security improvements in image handling or XSS prevention, but without more context, it's not certain - The `validate="never"` removal could potentially relate to security as it might have bypassed some validation checks 2. Vulnerability Existed: not sure [Potential HTML Namespace Security Improvement] [browser/base/content/tabbrowser-tab.js] [Lines 18] [Old Code] `<image class="tab-icon-image" validate="never" role="presentation"/>` [Fixed Code] `<html:img class="tab-icon-image" role="presentation" decoding="sync" />` Additional Details: - The explicit `html:` namespace prefix might be a security improvement to ensure proper HTML element handling - This could prevent potential namespace confusion or injection attacks Note: Without more context about the specific threat model or previous vulnerabilities in this component, it's difficult to definitively identify security vulnerabilities. The changes appear to be related to image handling improvements and proper HTML element usage.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.2.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -23,7 +23,7 @@ ctx.moveTo(100, 0); ctx.arc(100, 0, 150, -3*Math.PI/2, -Math.PI, true); ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-sensitive operations. Here's the analysis:
1. Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arc.angle.2.worker.js
Lines: 13-23
Old Code:
```
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[...]
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
Fixed Code:
```
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
[...]
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
```
The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or readability, but don't address any security issues. The canvas operations and assertions remain functionally identical.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/extensions/test/browser/browser_ext_background_serviceworker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/extensions/test/browser/browser_ext_background_serviceworker.js@@ -7,6 +7,12 @@ Services.scriptloader.loadSubScript( new URL("head_serviceworker.js", gTestPath).href, this+);++// Bug 1748665 remove when events will start serviceworker+Services.prefs.setBoolPref(+ "extensions.webextensions.background-delayed-startup",+ false ); add_task(assert_background_serviceworker_pref_enabled);
Let me analyze the diff for potential security fixes:
1. Vulnerability Existed: not sure
[Potential Configuration Change] [toolkit/components/extensions/test/browser/browser_ext_background_serviceworker.js] [Lines 7-12]
[Old Code: Only had Services.scriptloader.loadSubScript]
[Fixed Code: Added Services.prefs.setBoolPref to disable background-delayed-startup]
Additional details:
- The diff shows a change where a preference is being explicitly set to false for "extensions.webextensions.background-delayed-startup"
- This appears to be related to bug 1748665 (mentioned in the comment)
- The change is in a test file, not production code
- While this could potentially affect security by changing how service workers behave, it's not clear if this was fixing an actual vulnerability or just changing test behavior
- The comment suggests this is a temporary workaround ("remove when events will start serviceworker")
No clear vulnerability name can be identified from this change alone. The modification appears to be more about test reliability than security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.9arg.destpos.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/drawing-images-to-the-canvas/2d.drawImage.9arg.destpos.worker.js@@ -14,8 +14,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -46,10 +46,10 @@ ctx.drawImage(bitmap1, 0, 0, 100, 50, 100, 0, 100, 50); ctx.drawImage(bitmap1, 0, 0, 100, 50, 0, -50, 100, 50); ctx.drawImage(bitmap1, 0, 0, 100, 50, 0, 50, 100, 50);- _assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the assertions. Here's the analysis:
1. Variable Renaming Changes:
Vulnerability Existed: no
Variable Renaming [File] [Lines 14-15, 46-49]
Old Code:
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
```
Fixed Code:
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
```
2. Assertion Updates:
Vulnerability Existed: no
Assertion Updates [File] [Lines 46-49]
Old Code:
```javascript
_assertPixelApprox(offscreenCanvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);
_assertPixelApprox(offscreenCanvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);
_assertPixelApprox(offscreenCanvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);
_assertPixelApprox(offscreenCanvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);
```
Fixed Code:
```javascript
_assertPixelApprox(canvas, 0,0, 0,255,0,255, "0,0", "0,255,0,255", 2);
_assertPixelApprox(canvas, 99,0, 0,255,0,255, "99,0", "0,255,0,255", 2);
_assertPixelApprox(canvas, 0,49, 0,255,0,255, "0,49", "0,255,0,255", 2);
_assertPixelApprox(canvas, 99,49, 0,255,0,255, "99,49", "0,255,0,255", 2);
```
The changes are purely cosmetic/refactoring in nature and don't address any security vulnerabilities. The functionality remains exactly the same, only the variable name has been changed for consistency or clarity.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ppv-lite86/src/x86_64/sse2.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ppv-lite86/src/x86_64/sse2.rs@@ -189,21 +189,21 @@ rotr_32!(rotate_each_word_right7, 7); rotr_32_s3!( rotate_each_word_right8,- 0x0c0f0e0d_080b0a09,- 0x04070605_00030201+ 0x0c0f_0e0d_080b_0a09,+ 0x0407_0605_0003_0201 ); rotr_32!(rotate_each_word_right11, 11); rotr_32!(rotate_each_word_right12, 12); rotr_32_s3!( rotate_each_word_right16,- 0x0d0c0f0e_09080b0a,- 0x05040706_01000302+ 0x0d0c_0f0e_0908_0b0a,+ 0x0504_0706_0100_0302 ); rotr_32!(rotate_each_word_right20, 20); rotr_32_s3!( rotate_each_word_right24,- 0x0e0d0c0f_0a09080b,- 0x06050407_02010003+ 0x0e0d_0c0f_0a09_080b,+ 0x0605_0407_0201_0003 ); rotr_32!(rotate_each_word_right25, 25); }@@ -883,9 +883,7 @@ impl<S3, S4, NI> Vector<[u32; 16]> for u32x4x4_sse2<S3, S4, NI> { #[inline(always)] fn to_scalars(self) -> [u32; 16] {- unsafe {- core::mem::transmute(self)- }+ unsafe { core::mem::transmute(self) } } }@@ -1439,9 +1437,7 @@ } #[inline(always)] fn from_lanes(x: [u32x4_sse2<YesS3, YesS4, NI>; 2]) -> Self {- Self::new(unsafe {- _mm256_setr_m128i(x[0].x, x[1].x)- })+ Self::new(unsafe { _mm256_setr_m128i(x[0].x, x[1].x) }) } } impl<NI> Vec2<u32x4_sse2<YesS3, YesS4, NI>> for u32x4x2_avx2<NI> {@@ -1495,21 +1491,21 @@ rotr_32!(rotate_each_word_right7, 7); shuf_lane_bytes!( rotate_each_word_right8,- 0x0c0f0e0d_080b0a09,- 0x04070605_00030201+ 0x0c0f_0e0d_080b_0a09,+ 0x0407_0605_0003_0201 ); rotr_32!(rotate_each_word_right11, 11); rotr_32!(rotate_each_word_right12, 12); shuf_lane_bytes!( rotate_each_word_right16,- 0x0d0c0f0e_09080b0a,- 0x05040706_01000302+ 0x0d0c_0f0e_0908_0b0a,+ 0x0504_0706_0100_0302 ); rotr_32!(rotate_each_word_right20, 20); shuf_lane_bytes!( rotate_each_word_right24,- 0x0e0d0c0f_0a09080b,- 0x06050407_02010003+ 0x0e0d_0c0f_0a09_080b,+ 0x0605_0407_0201_0003 ); rotr_32!(rotate_each_word_right25, 25); }@@ -1517,9 +1513,7 @@ impl<NI> From<u32x4x2_avx2<NI>> for vec256_storage { #[inline(always)] fn from(x: u32x4x2_avx2<NI>) -> Self {- Self {- avx: x.x,- }+ Self { avx: x.x } } }@@ -1547,9 +1541,7 @@ type Output = Self; #[inline(always)] fn $op_fn(self, rhs: Self) -> Self::Output {- Self::new(unsafe {- $impl_fn(self.x, rhs.x)- })+ Self::new(unsafe { $impl_fn(self.x, rhs.x) }) } } };@@ -1581,30 +1573,22 @@ { #[inline(always)] fn from(x: x2<u128x1_sse2<YesS3, YesS4, NI>, G0>) -> Self {- Self::new(unsafe {- _mm256_setr_m128i(x.0[0].x, x.0[1].x)- })+ Self::new(unsafe { _mm256_setr_m128i(x.0[0].x, x.0[1].x) }) } } impl<NI> LaneWords4 for u32x4x2_avx2<NI> { #[inline(always)] fn shuffle_lane_words1230(self) -> Self {- Self::new(unsafe {- _mm256_shuffle_epi32(self.x, 0b1001_0011)- })+ Self::new(unsafe { _mm256_shuffle_epi32(self.x, 0b1001_0011) }) } #[inline(always)] fn shuffle_lane_words2301(self) -> Self {- Self::new(unsafe {- _mm256_shuffle_epi32(self.x, 0b0100_1110)- })+ Self::new(unsafe { _mm256_shuffle_epi32(self.x, 0b0100_1110) }) } #[inline(always)] fn shuffle_lane_words3012(self) -> Self {- Self::new(unsafe {- _mm256_shuffle_epi32(self.x, 0b0011_1001)- })+ Self::new(unsafe { _mm256_shuffle_epi32(self.x, 0b0011_1001) }) } }@@ -1616,7 +1600,10 @@ impl<NI: Copy> Store<vec512_storage> for u32x4x4_avx2<NI> { #[inline(always)] unsafe fn unpack(p: vec512_storage) -> Self {- Self::new([u32x4x2_avx2::unpack(p.avx[0]), u32x4x2_avx2::unpack(p.avx[1])])+ Self::new([+ u32x4x2_avx2::unpack(p.avx[0]),+ u32x4x2_avx2::unpack(p.avx[1]),+ ]) } } impl<NI: Copy> MultiLane<[u32x4_sse2<YesS3, YesS4, NI>; 4]> for u32x4x4_avx2<NI> {@@ -1688,9 +1675,7 @@ impl<NI: Copy> Vector<[u32; 16]> for u32x4x4_avx2<NI> { #[inline(always)] fn to_scalars(self) -> [u32; 16] {- unsafe {- core::mem::transmute(self)- }+ unsafe { core::mem::transmute(self) } } } impl<NI: Copy> From<u32x4x4_avx2<NI>> for vec512_storage {@@ -1704,8 +1689,7 @@ } } }- impl<NI: Copy> From<x4<u128x1_sse2<YesS3, YesS4, NI>>> for u32x4x4_avx2<NI>- {+ impl<NI: Copy> From<x4<u128x1_sse2<YesS3, YesS4, NI>>> for u32x4x4_avx2<NI> { #[inline(always)] fn from(x: x4<u128x1_sse2<YesS3, YesS4, NI>>) -> Self { Self::new(unsafe {
Analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily formatting changes (adding/removing whitespace, reformatting hexadecimal constants with underscores) and some minor code restructuring without any security implications. Here's the analysis following your requested format: 1. Vulnerability Existed: no No security vulnerability found [third_party/rust/ppv-lite86/src/x86_64/sse2.rs] [Various lines] The changes are formatting improvements and code style adjustments, not security fixes. The main changes observed are: 1. Reformatting of hexadecimal constants (adding underscores for better readability) 2. Removal of unnecessary braces in some unsafe blocks 3. Some code formatting improvements (line breaks, spacing) 4. No changes to the actual logic or security-sensitive operations None of these changes appear to address any security vulnerabilities, and I don't see any vulnerabilities in the code that would have needed fixing. The changes seem to be purely cosmetic/readability improvements. Note: While there are several unsafe blocks in the code (particularly around SIMD operations and transmutes), these are inherent to the low-level nature of the code and don't represent vulnerabilities being fixed in this diff. The unsafe operations appear to be properly contained and necessary for the SIMD operations being performed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/utils/source.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/utils/source.js@@ -9,7 +9,6 @@ const { getUnicodeUrl } = require("devtools/client/shared/unicode-url");-import { isOriginalSource } from "../utils/source-maps"; import { endTruncateStr } from "./utils"; import { truncateMiddleText } from "../utils/text"; import { parse as parseURL } from "../utils/url";@@ -59,6 +58,60 @@ } return true;+}++/**+ * Checks if the frame is within a line ranges which are blackboxed+ * in the source.+ *+ * @param {Object} frame+ * The current frame+ * @param {Object} source+ * The source related to the frame+ * @param {Object} blackboxedRanges+ * The currently blackboxedRanges for all the sources.+ * @param {Boolean} isFrameBlackBoxed+ * If the frame is within the blackboxed range+ * or not.+ */+export function isFrameBlackBoxed(frame, source, blackboxedRanges) {+ return (+ !!source?.isBlackBoxed &&+ (!blackboxedRanges[source.url].length ||+ !!findBlackBoxRange(source, blackboxedRanges, {+ start: frame.location.line,+ end: frame.location.line,+ }))+ );+}++/**+ * Checks if a blackbox range exist for the line range.+ * That is if any start and end lines overlap any of the+ * blackbox ranges+ *+ * @param {Object} source+ * The current selected source+ * @param {Object} blackboxedRanges+ * The store of blackboxedRanges+ * @param {Object} lineRange+ * The start/end line range `{ start: <Number>, end: <Number> }`+ * @return {Object} blackboxRange+ * The first matching blackbox range that all or part of the+ * specified lineRange sits within.+ */+export function findBlackBoxRange(source, blackboxedRanges, lineRange) {+ const ranges = blackboxedRanges[source.url];+ if (!ranges || !ranges.length) {+ return null;+ }++ return ranges.find(+ range =>+ (lineRange.start >= range.start.line &&+ lineRange.start <= range.end.line) ||+ (lineRange.end >= range.start.line && lineRange.end <= range.end.line)+ ); } /**@@ -469,30 +522,37 @@ return url.slice(url.indexOf(root) + root.length + 1); }-export function underRoot(source, root, threads) {+/**+ * Checks if the source is descendant of the root identified by the+ * root url specified. The root might likely be projectDirectoryRoot which+ * is a defined by a pref that allows users restrict the source tree to+ * a subset of sources.+ *+ * @params {Object} source+ * The source object+ * @params {String} rootUrl+ * The url for the root node+ * @params {Array} threads+ * A list of existing threads+ */+export function isDescendantOfRoot(source, rootUrl, threads) { // source.url doesn't include thread actor ID, so remove the thread actor ID from the root threads.forEach(thread => {- if (root.includes(thread.actor)) {- root = root.slice(thread.actor.length + 1);+ if (rootUrl.includes(thread.actor)) {+ rootUrl = rootUrl.slice(thread.actor.length + 1); } }); if (source.url && source.url.includes("chrome://")) { const { group, path } = getURL(source);- return (group + path).includes(root);- }-- return !!source.url && source.url.includes(root);-}--export function isOriginal(source) {- // Pretty-printed sources are given original IDs, so no need- // for any additional check- return isOriginalSource(source);+ return (group + path).includes(rootUrl);+ }++ return !!source.url && source.url.includes(rootUrl); } export function isGenerated(source) {- return !isOriginal(source);+ return !source.isOriginal; } export function getSourceQueryString(source) {
I'll analyze the code diff for security fixes following the specified format. 1. Vulnerability Existed: not sure [Potential Information Leak] [File] [Lines 9, 59-112, 522-537] [Old Code: Used isOriginalSource function and had simpler underRoot function] [Fixed Code: Removed isOriginalSource import, added blackbox range checking functions, and renamed/expanded underRoot to isDescendantOfRoot] 2. Vulnerability Existed: not sure [Potential Authorization Bypass] [File] [Lines 59-112] [Old Code: No blackbox range checking functionality] [Fixed Code: Added isFrameBlackBoxed and findBlackBoxRange functions to properly check frame blackboxing] 3. Vulnerability Existed: not sure [Potential Path Traversal] [File] [Lines 522-537] [Old Code: Simple underRoot function with less validation] [Fixed Code: Expanded to isDescendantOfRoot with better thread handling and chrome:// URL handling] The changes appear to be focused on: 1. Removing the isOriginalSource dependency and simplifying source type checking 2. Adding proper blackbox range checking functionality 3. Improving root descendant verification with better URL handling While these changes improve security-related functionality, I can't definitively identify specific CVE-level vulnerabilities that were fixed. The changes seem more like proactive security hardening rather than fixing known vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/shape-box/shape-outside-margin-box-border-radius-005.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/shape-box/shape-outside-margin-box-border-radius-005.html@@ -9,7 +9,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#shapes-from-box-values"> <link rel="match" href="reference/shape-outside-margin-box-border-radius-005-ref.html">- <meta name="flags" content=""> <meta name="assert" content="Test the boxes are wrapping around the left float shape defined by the margin-box and border-top-right-radius value."> <style> .container {
Based on the provided code diff, I'll analyze it for potential security vulnerabilities: Vulnerability Existed: no No specific vulnerability found [File] [Lines 9] [Old Code] <meta name="flags" content=""> [Fixed Code] (line removed) Additional Details: - The change simply removes an empty meta tag for "flags" which doesn't appear to have any security implications - This appears to be a test file cleanup rather than a security fix - No known vulnerability patterns or security-related changes are present in this diff Since this is just removing an empty meta tag from a test HTML file, there doesn't appear to be any security vulnerability being addressed here. The change seems to be purely about code cleanup or test file maintenance.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/preload/subresource-integrity.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/preload/subresource-integrity.html@@ -31,9 +31,9 @@ }, { destination: 'image', ext: '.png', supports_sri: false,- sha256: 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',- sha384: 'sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb',- sha512: 'sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg=='+ sha256: 'sha256-h7rQ5CQooD7qmTmrNxykCgjz3lDM1CBl2hkY1CTpB2I=',+ sha384: 'sha384-DqrhF5pyW9u4FJsleRwjTAwKDSspQbxk9oux9BtcaANyji0kzpb7b4Cw3TM4MGNk',+ sha512: 'sha512-wyY+ChJ1B5ovayDkbBeEv7nuHJ0uws14KoLyFSLKngFzHzm6VaTNA/ndx/Lnt/vPx6BN1cJB7+JNa4aAUGOlgg==' }, // TODO(domfarolino): Add more destinations. ];
Analyzing the provided code diff, here's the security assessment: 1. Vulnerability Existed: not sure [Subresource Integrity Hash Update] [testing/web-platform/tests/preload/subresource-integrity.html] [Lines 31-36] [Old Code] ``` sha256: 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=', sha384: 'sha384-OLBgp1GsljhM2TJ+sbHjaiH9txEUvgdDTAzHv2P24donTt6/529l+9Ua0vFImLlb', sha512: 'sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==' ``` [Fixed Code] ``` sha256: 'sha256-h7rQ5CQooD7qmTmrNxykCgjz3lDM1CBl2hkY1CTpB2I=', sha384: 'sha384-DqrhF5pyW9u4FJsleRwjTAwKDSspQbxk9oux9BtcaANyji0kzpb7b4Cw3TM4MGNk', sha512: 'sha512-wyY+ChJ1B5ovayDkbBeEv7nuHJ0uws14KoLyFSLKngFzHzm6VaTNA/ndx/Lnt/vPx6BN1cJB7+JNa4aAUGOlgg==' ``` Additional Details: The diff shows updated SRI hashes for test resources. While this could indicate previous hashes were insecure (potentially using empty file hashes), we can't confirm this was a security fix since it might just be test data updates. The old SHA256 hash appears to be for an empty file, which might have been insecure if used in production.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/streams/ReadableByteStreamController.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/streams/ReadableByteStreamController.h@@ -29,7 +29,10 @@ namespace mozilla::dom {-enum ReaderType { Default, BYOB };+// https://streams.spec.whatwg.org/#pull-into-descriptor-reader-type+// Indicates what type of readable stream reader initiated this request,+// or None if the initiating reader was released.+enum ReaderType { Default, BYOB, None }; struct PullIntoDescriptor; struct ReadableByteStreamQueueEntry;@@ -57,11 +60,12 @@ JSObject* WrapObject(JSContext* aCx, JS::Handle<JSObject*> aGivenProto) override;- already_AddRefed<ReadableStreamBYOBRequest> GetByobRequest(JSContext* aCx);+ already_AddRefed<ReadableStreamBYOBRequest> GetByobRequest(JSContext* aCx,+ ErrorResult& aRv); Nullable<double> GetDesiredSize() const;- void Close(JSContext* aCx, ErrorResult& aRv);+ MOZ_CAN_RUN_SCRIPT void Close(JSContext* aCx, ErrorResult& aRv); MOZ_CAN_RUN_SCRIPT void Enqueue(JSContext* aCx, const ArrayBufferView& aChunk, ErrorResult& aRv);@@ -74,6 +78,7 @@ MOZ_CAN_RUN_SCRIPT virtual void PullSteps(JSContext* aCx, ReadRequest* aReadRequest, ErrorResult& aRv) override;+ virtual void ReleaseSteps() override; // Internal Slot Accessors Maybe<uint64_t> AutoAllocateChunkSize() { return mAutoAllocateChunkSize; }@@ -360,9 +365,10 @@ extern already_AddRefed<ReadableStreamBYOBRequest> ReadableByteStreamControllerGetBYOBRequest(- JSContext* aCx, ReadableByteStreamController* aController);--extern void ReadableByteStreamControllerClose(+ JSContext* aCx, ReadableByteStreamController* aController,+ ErrorResult& aRv);++MOZ_CAN_RUN_SCRIPT extern void ReadableByteStreamControllerClose( JSContext* aCx, ReadableByteStreamController* aController, ErrorResult& aRv);@@ -372,8 +378,25 @@ UnderlyingSourceStartCallbackHelper* aStartAlgorithm, UnderlyingSourcePullCallbackHelper* aPullAlgorithm, UnderlyingSourceCancelCallbackHelper* aCancelAlgorithm,- double aHighWaterMark, Maybe<uint64_t> aAutoAllocateChunkSize,- ErrorResult& aRv);+ UnderlyingSourceErrorCallbackHelper* aErrorAlgorithm, double aHighWaterMark,+ Maybe<uint64_t> aAutoAllocateChunkSize, ErrorResult& aRv);++MOZ_CAN_RUN_SCRIPT extern void ReadableByteStreamControllerCallPullIfNeeded(+ JSContext* aCx, ReadableByteStreamController* aController,+ ErrorResult& aRv);++MOZ_CAN_RUN_SCRIPT void SetUpReadableByteStreamControllerFromUnderlyingSource(+ JSContext* aCx, ReadableStream* aStream, JS::HandleObject aUnderlyingSource,+ UnderlyingSource& aUnderlyingSourceDict, double aHighWaterMark,+ ErrorResult& aRv);++MOZ_CAN_RUN_SCRIPT void+SetUpReadableByteStreamControllerFromBodyStreamUnderlyingSource(+ JSContext* aCx, ReadableStream* aStream,+ BodyStreamHolder* aUnderlyingSource, ErrorResult& aRv);++void ReadableByteStreamControllerClearAlgorithms(+ ReadableByteStreamController* aController); } // namespace mozilla::dom
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Null Reference Handling] [dom/streams/ReadableByteStreamController.h] [Lines: enum ReaderType]
[Old Code]
`enum ReaderType { Default, BYOB };`
[Fixed Code]
`enum ReaderType { Default, BYOB, None };`
Additional Details: Added "None" type to handle cases where initiating reader was released, potentially preventing null reference issues.
2. Vulnerability Existed: not sure
[Error Handling Improvement] [dom/streams/ReadableByteStreamController.h] [Lines: GetByobRequest]
[Old Code]
`already_AddRefed<ReadableStreamBYOBRequest> GetByobRequest(JSContext* aCx);`
[Fixed Code]
`already_AddRefed<ReadableStreamBYOBRequest> GetByobRequest(JSContext* aCx, ErrorResult& aRv);`
Additional Details: Added error result parameter for better error handling.
3. Vulnerability Existed: not sure
[Thread Safety Improvement] [dom/streams/ReadableByteStreamController.h] [Lines: Close]
[Old Code]
`void Close(JSContext* aCx, ErrorResult& aRv);`
[Fixed Code]
`MOZ_CAN_RUN_SCRIPT void Close(JSContext* aCx, ErrorResult& aRv);`
Additional Details: Added MOZ_CAN_RUN_SCRIPT annotation for better thread safety.
4. Vulnerability Existed: not sure
[Algorithm Initialization] [dom/streams/ReadableByteStreamController.h] [Lines: Controller Setup]
[Old Code]
Missing error algorithm parameter in function signature
[Fixed Code]
Added `UnderlyingSourceErrorCallbackHelper* aErrorAlgorithm` parameter
Additional Details: Added error algorithm parameter for better error handling during controller setup.
5. Vulnerability Existed: not sure
[Resource Management] [dom/streams/ReadableByteStreamController.h] [Lines: New Functions]
[Old Code]
Missing functions for controller management
[Fixed Code]
Added `ReleaseSteps()`, `ReadableByteStreamControllerClearAlgorithms()`, and other management functions
Additional Details: Added functions for better resource management and cleanup.
Note: While no specific vulnerabilities were identified, these changes appear to improve error handling, thread safety, and resource management, which could potentially prevent security issues related to null references, race conditions, or resource leaks.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.collinear.2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.collinear.2.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -29,7 +29,7 @@ ctx.moveTo(100, 25); ctx.arcTo(200, 25, 110, 25, 1); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided diff, I'll analyze it for security vulnerabilities:
1. Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.arcTo.collinear.2.worker.js [Lines] 13-29
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes appear to be purely variable name refactoring (renaming 'offscreenCanvas' to 'canvas') with no security implications. The functionality remains exactly the same, just using a different variable name. No actual security vulnerabilities were addressed in this change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/ipc/glue/MessageChannel.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/ipc/glue/MessageChannel.cpp@@ -53,17 +53,15 @@ /* * IPC design: *- * There are three kinds of messages: async, sync, and intr. Sync and intr- * messages are blocking.+ * There are two kinds of messages: async and sync. Sync messages are blocking. * * Terminology: To dispatch a message Foo is to run the RecvFoo code for * it. This is also called "handling" the message. * * Sync and async messages can sometimes "nest" inside other sync messages * (i.e., while waiting for the sync reply, we can dispatch the inner- * message). Intr messages cannot nest. The three possible nesting levels are- * NOT_NESTED, NESTED_INSIDE_SYNC, and NESTED_INSIDE_CPOW. The intended uses- * are:+ * message). The three possible nesting levels are NOT_NESTED,+ * NESTED_INSIDE_SYNC, and NESTED_INSIDE_CPOW. The intended uses are: * NOT_NESTED - most messages. * NESTED_INSIDE_SYNC - CPOW-related messages, which are always sync * and can go in either direction.@@ -87,7 +85,7 @@ * * Messages satisfy the following properties: * A. When waiting for a response to a sync message, we won't dispatch any- * messages of nesting level.+ * messages of a lower nesting level. * B. Messages of the same nesting level will be dispatched roughly in the * order they were sent. The exception is when the parent and child send * sync messages to each other simulataneously. In this case, the parent's@@ -101,19 +99,6 @@ * it is NESTED_INSIDE_CPOW. Normally NESTED_INSIDE_CPOW async * messages are sent only from the child. However, the parent can send * NESTED_INSIDE_CPOW async messages when it is creating a bridged protocol.- *- * Intr messages are blocking and can nest, but they don't participate in the- * nesting levels. While waiting for an intr response, all incoming messages are- * dispatched until a response is received. When two intr messages race with- * each other, a similar scheme is used to ensure that one side wins. The- * winning side is chosen based on the message type.- *- * Intr messages differ from sync messages in that, while sending an intr- * message, we may dispatch an async message. This causes some additional- * complexity. One issue is that replies can be received out of order. It's also- * more difficult to determine whether one message is nested inside- * another. Consequently, intr handling uses mOutOfTurnReplies and- * mRemoteStackDepthGuess, which are not needed for sync messages. */ using namespace mozilla;@@ -125,6 +110,8 @@ #define IPC_ASSERT(_cond, ...) \ do { \+ AssertWorkerThread(); \+ mMonitor->AssertCurrentThreadOwns(); \ if (!(_cond)) DebugAbort(__FILE__, __LINE__, #_cond, ##__VA_ARGS__); \ } while (0)@@ -143,135 +130,6 @@ // static bool MessageChannel::sIsPumpingMessages = false;--enum Direction { IN_MESSAGE, OUT_MESSAGE };--class MessageChannel::InterruptFrame {- private:- enum Semantics { INTR_SEMS, SYNC_SEMS, ASYNC_SEMS };-- public:- InterruptFrame(Direction direction, const Message* msg)- : mMessageName(msg->name()),- mMessageRoutingId(msg->routing_id()),- mMesageSemantics(msg->is_interrupt() ? INTR_SEMS- : msg->is_sync() ? SYNC_SEMS- : ASYNC_SEMS),- mDirection(direction),- mMoved(false) {- MOZ_RELEASE_ASSERT(mMessageName);- }-- InterruptFrame(InterruptFrame&& aOther) {- MOZ_RELEASE_ASSERT(aOther.mMessageName);- mMessageName = aOther.mMessageName;- aOther.mMessageName = nullptr;- mMoved = aOther.mMoved;- aOther.mMoved = true;-- mMessageRoutingId = aOther.mMessageRoutingId;- mMesageSemantics = aOther.mMesageSemantics;- mDirection = aOther.mDirection;- }-- ~InterruptFrame() { MOZ_RELEASE_ASSERT(mMessageName || mMoved); }-- InterruptFrame& operator=(InterruptFrame&& aOther) {- MOZ_RELEASE_ASSERT(&aOther != this);- this->~InterruptFrame();- new (this) InterruptFrame(std::move(aOther));- return *this;- }-- bool IsInterruptIncall() const {- return INTR_SEMS == mMesageSemantics && IN_MESSAGE == mDirection;- }-- bool IsInterruptOutcall() const {- return INTR_SEMS == mMesageSemantics && OUT_MESSAGE == mDirection;- }-- bool IsOutgoingSync() const {- return (mMesageSemantics == INTR_SEMS || mMesageSemantics == SYNC_SEMS) &&- mDirection == OUT_MESSAGE;- }-- void Describe(int32_t* id, const char** dir, const char** sems,- const char** name) const {- *id = mMessageRoutingId;- *dir = (IN_MESSAGE == mDirection) ? "in" : "out";- *sems = (INTR_SEMS == mMesageSemantics) ? "intr"- : (SYNC_SEMS == mMesageSemantics) ? "sync"- : "async";- *name = mMessageName;- }-- int32_t GetRoutingId() const { return mMessageRoutingId; }-- private:- const char* mMessageName;- int32_t mMessageRoutingId;- Semantics mMesageSemantics;- Direction mDirection;- bool mMoved;-- // Disable harmful methods.- InterruptFrame(const InterruptFrame& aOther) = delete;- InterruptFrame& operator=(const InterruptFrame&) = delete;-};--class MOZ_STACK_CLASS MessageChannel::CxxStackFrame {- public:- CxxStackFrame(MessageChannel& that, Direction direction, const Message* msg)- : mThat(that) {- mThat.AssertWorkerThread();-- if (mThat.mCxxStackFrames.empty()) mThat.EnteredCxxStack();-- if (!mThat.mCxxStackFrames.append(InterruptFrame(direction, msg)))- MOZ_CRASH();-- const InterruptFrame& frame = mThat.mCxxStackFrames.back();-- if (frame.IsInterruptIncall()) mThat.EnteredCall();-- if (frame.IsOutgoingSync()) mThat.EnteredSyncSend();-- mThat.mSawInterruptOutMsg |= frame.IsInterruptOutcall();- }-- ~CxxStackFrame() {- mThat.AssertWorkerThread();-- MOZ_RELEASE_ASSERT(!mThat.mCxxStackFrames.empty());-- const InterruptFrame& frame = mThat.mCxxStackFrames.back();- bool exitingSync = frame.IsOutgoingSync();- bool exitingCall = frame.IsInterruptIncall();- mThat.mCxxStackFrames.shrinkBy(1);-- bool exitingStack = mThat.mCxxStackFrames.empty();-- // According how lifetime is declared, mListener on MessageChannel- // lives longer than MessageChannel itself. Hence is expected to- // be alive. There is nothing to even assert here, there is no place- // we would be nullifying mListener on MessageChannel.-- if (exitingCall) mThat.ExitedCall();-- if (exitingSync) mThat.ExitedSyncSend();-- if (exitingStack) mThat.ExitedCxxStack();- }-- private:- MessageChannel& mThat;-- // Disable harmful methods.- CxxStackFrame() = delete;- CxxStackFrame(const CxxStackFrame&) = delete;- CxxStackFrame& operator=(const CxxStackFrame&) = delete;-}; class AutoEnterTransaction { public:@@ -582,7 +440,8 @@ MessageChannel::~MessageChannel() { MOZ_COUNT_DTOR(ipc::MessageChannel); MonitorAutoLock lock(*mMonitor);- IPC_ASSERT(mCxxStackFrames.empty(), "mismatched CxxStackFrame ctor/dtors");+ MOZ_RELEASE_ASSERT(!mOnCxxStack,+ "MessageChannel destroyed while code on CxxStack"); #ifdef OS_WIN if (mEvent) { BOOL ok = CloseHandle(mEvent);@@ -638,8 +497,6 @@ MOZ_RELEASE_ASSERT(mPendingResponses.empty()); MOZ_RELEASE_ASSERT(!mChannelErrorTask); MOZ_RELEASE_ASSERT(mPending.isEmpty());- MOZ_RELEASE_ASSERT(mOutOfTurnReplies.empty());- MOZ_RELEASE_ASSERT(mDeferred.empty()); } #ifdef DEBUG@@ -757,11 +614,6 @@ mPending.clear(); mMaybeDeferredPendingCount = 0;-- mOutOfTurnReplies.clear();- while (!mDeferred.empty()) {- mDeferred.pop();- } } bool MessageChannel::Open(ScopedPort aPort, Side aSide,@@ -852,7 +704,7 @@ MOZ_RELEASE_ASSERT(!aMsg->is_sync()); MOZ_RELEASE_ASSERT(aMsg->nested_level() != IPC::Message::NESTED_INSIDE_SYNC);- CxxStackFrame frame(*this, OUT_MESSAGE, aMsg.get());+ AutoSetValue<bool> setOnCxxStack(mOnCxxStack, true); AssertWorkerThread(); mMonitor->AssertNotCurrentThreadOwns();@@ -1103,8 +955,8 @@ mListener->OnChannelReceivedMessage(aMsg);- // Regardless of the Interrupt stack, if we're awaiting a sync reply,- // we know that it needs to be immediately handled to unblock us.+ // If we're awaiting a sync reply, we know that it needs to be immediately+ // handled to unblock us. if (aMsg.is_sync() && aMsg.is_reply()) { IPC_LOG("Received reply seqno=%d xid=%d", aMsg.seqno(), aMsg.transaction_id());@@ -1165,59 +1017,49 @@ bool alwaysDeferred = IsAlwaysDeferred(aMsg);- bool wakeUpSyncSend = AwaitingSyncReply() && !ShouldDeferMessage(aMsg);-- bool shouldWakeUp = AwaitingInterruptReply() || wakeUpSyncSend;+ bool shouldWakeUp = AwaitingSyncReply() && !ShouldDeferMessage(aMsg);++ IPC_LOG("Receive from link; seqno=%d, xid=%d, shouldWakeUp=%d", aMsg.seqno(),+ aMsg.transaction_id(), shouldWakeUp);++ if (reuseTask) {+ return;+ }++ // There are two cases we're concerned about, relating to the state of the+ // worker thread:+ //+ // (1) We are waiting on a sync reply - worker thread is blocked on the+ // IPC monitor.+ // - If the message is NESTED_INSIDE_SYNC, we wake up the worker thread to+ // deliver the message depending on ShouldDeferMessage. Otherwise, we+ // leave it in the mPending queue, posting a task to the worker event+ // loop, where it will be processed once the synchronous reply has been+ // received.+ //+ // (2) We are not waiting on a reply.+ // - We post a task to the worker event loop.+ //+ // Note that, we may notify the worker thread even though the monitor is not+ // blocked. This is okay, since we always check for pending events before+ // blocking again.++ RefPtr<MessageTask> task = new MessageTask(this, std::move(aMsg));+ mPending.insertBack(task);++ if (!alwaysDeferred) {+ mMaybeDeferredPendingCount++;+ }++ if (shouldWakeUp) {+ NotifyWorkerThread();+ } // Although we usually don't need to post a message task if // shouldWakeUp is true, it's easier to post anyway than to have to // guarantee that every Send call processes everything it's supposed to // before returning.- bool shouldPostTask = !shouldWakeUp || wakeUpSyncSend;-- IPC_LOG("Receive from link; seqno=%d, xid=%d, shouldWakeUp=%d", aMsg.seqno(),- aMsg.transaction_id(), shouldWakeUp);-- if (reuseTask) {- return;- }-- // There are three cases we're concerned about, relating to the state of the- // main thread:- //- // (1) We are waiting on a sync reply - main thread is blocked on the- // IPC monitor.- // - If the message is NESTED_INSIDE_SYNC, we wake up the main thread to- // deliver the message depending on ShouldDeferMessage. Otherwise, we- // leave it in the mPending queue, posting a task to the main event- // loop, where it will be processed once the synchronous reply has been- // received.- //- // (2) We are waiting on an Interrupt reply - main thread is blocked on the- // IPC monitor.- // - Always notify and wake up the main thread.- //- // (3) We are not waiting on a reply.- // - We post a task to the main event loop.- //- // Note that, we may notify the main thread even though the monitor is not- // blocked. This is okay, since we always check for pending events before- // blocking again.-- RefPtr<MessageTask> task = new MessageTask(this, std::move(aMsg));- mPending.insertBack(task);-- if (!alwaysDeferred) {- mMaybeDeferredPendingCount++;- }-- if (shouldWakeUp) {- NotifyWorkerThread();- }-- if (shouldPostTask) {- task->Post();- }+ task->Post(); } void MessageChannel::PeekMessages(@@ -1312,12 +1154,12 @@ "sync send over same-thread channel will deadlock!"); #ifdef OS_WIN- SyncStackFrame frame(this, false);+ SyncStackFrame frame(this); NeuteredWindowRegion neuteredRgn(mFlags & REQUIRE_DEFERRED_MESSAGE_PROTECTION); #endif- CxxStackFrame f(*this, OUT_MESSAGE, aMsg.get());+ AutoSetValue<bool> setOnCxxStack(mOnCxxStack, true); MonitorAutoLock lock(*mMonitor);@@ -1515,205 +1357,10 @@ return true; }-bool MessageChannel::Call(UniquePtr<Message> aMsg, Message* aReply) {- AssertWorkerThread();- mMonitor->AssertNotCurrentThreadOwns();- MOZ_RELEASE_ASSERT(!mIsSameThreadChannel,- "intr call send over same-thread channel will deadlock!");--#ifdef OS_WIN- SyncStackFrame frame(this, true);-#endif-- // This must come before MonitorAutoLock, as its destructor acquires the- // monitor lock.- CxxStackFrame cxxframe(*this, OUT_MESSAGE, aMsg.get());-- MonitorAutoLock lock(*mMonitor);- if (!Connected()) {- ReportConnectionError("Call", aMsg->type());- return false;- }-- // Sanity checks.- IPC_ASSERT(!AwaitingSyncReply(),- "cannot issue Interrupt call while blocked on sync request");- IPC_ASSERT(!DispatchingSyncMessage(), "violation of sync handler invariant");- IPC_ASSERT(aMsg->is_interrupt(), "can only Call() Interrupt messages here");- IPC_ASSERT(!mIsPostponingSends, "not postponing sends");-- aMsg->set_seqno(NextSeqno());- aMsg->set_interrupt_remote_stack_depth_guess(mRemoteStackDepthGuess);- aMsg->set_interrupt_local_stack_depth(1 + InterruptStackDepth());- mInterruptStack.push(MessageInfo(*aMsg));-- AddProfilerMarker(*aMsg, MessageDirection::eSending);-- // keep the error relevant information- msgid_t msgType = aMsg->type();-- mLink->SendMessage(std::move(aMsg));-- while (true) {- // if a handler invoked by *Dispatch*() spun a nested event- // loop, and the connection was broken during that loop, we- // might have already processed the OnError event. if so,- // trying another loop iteration will be futile because- // channel state will have been cleared- if (!Connected()) {- ReportConnectionError("Call_Loop", msgType);- return false;- }--#ifdef OS_WIN- // We need to limit the scoped of neuteredRgn to this spot in the code.- // Window neutering can't be enabled during some plugin calls because- // we then risk the neutered window procedure being subclassed by a- // plugin.- {- NeuteredWindowRegion neuteredRgn(mFlags &- REQUIRE_DEFERRED_MESSAGE_PROTECTION);- /* We should pump messages at this point to ensure that the IPC- peer does not become deadlocked on a pending inter-thread- SendMessage() */- neuteredRgn.PumpOnce();- }-#endif-- // Now might be the time to process a message deferred because of race- // resolution.- MaybeUndeferIncall();-- // Wait for an event to occur.- while (!InterruptEventOccurred()) {- bool maybeTimedOut = !WaitForInterruptNotify();-- // We might have received a "subtly deferred" message in a nested- // loop that it's now time to process.- if (InterruptEventOccurred() ||- (!maybeTimedOut &&- (!mDeferred.empty() || !mOutOfTurnReplies.empty()))) {- break;- }-- if (maybeTimedOut && !ShouldContinueFromTimeout()) return false;- }-- Message recvd;- MessageMap::iterator it;-- if ((it = mOutOfTurnReplies.find(mInterruptStack.top().seqno())) !=- mOutOfTurnReplies.end()) {- recvd = std::move(it->second);- mOutOfTurnReplies.erase(it);- } else if (!mPending.isEmpty()) {- RefPtr<MessageTask> task = mPending.popFirst();- recvd = std::move(task->Msg());- if (!IsAlwaysDeferred(recvd)) {- mMaybeDeferredPendingCount--;- }- } else {- // because of subtleties with nested event loops, it's possible- // that we got here and nothing happened. or, we might have a- // deferred in-call that needs to be processed. either way, we- // won't break the inner while loop again until something new- // happens.- continue;- }-- // If the message is not Interrupt, we can dispatch it as normal.- if (!recvd.is_interrupt()) {- // keep the error relevant information- msgid_t msgType = recvd.type();-- DispatchMessage(std::move(recvd));- if (!Connected()) {- ReportConnectionError("Call_DispatchMessage", msgType);- return false;- }- continue;- }-- // If the message is an Interrupt reply, either process it as a reply to our- // call, or add it to the list of out-of-turn replies we've received.- if (recvd.is_reply()) {- IPC_ASSERT(!mInterruptStack.empty(), "invalid Interrupt stack");-- // If this is not a reply the call we've initiated, add it to our- // out-of-turn replies and keep polling for events.- {- const MessageInfo& outcall = mInterruptStack.top();-- // Note, In the parent, sequence numbers increase from 0, and- // in the child, they decrease from 0.- if ((mSide == ChildSide && recvd.seqno() > outcall.seqno()) ||- (mSide != ChildSide && recvd.seqno() < outcall.seqno())) {- mOutOfTurnReplies[recvd.seqno()] = std::move(recvd);- continue;- }-- IPC_ASSERT(- recvd.is_reply_error() || (recvd.type() == (outcall.type() + 1) &&- recvd.seqno() == outcall.seqno()),- "somebody's misbehavin'", true);- }-- // We received a reply to our most recent outstanding call. Pop- // this frame and return the reply.- mInterruptStack.pop();-- AddProfilerMarker(recvd, MessageDirection::eReceiving);-- bool is_reply_error = recvd.is_reply_error();- if (!is_reply_error) {- *aReply = std::move(recvd);- }-- // If we have no more pending out calls waiting on replies, then- // the reply queue should be empty.- IPC_ASSERT(!mInterruptStack.empty() || mOutOfTurnReplies.empty(),- "still have pending replies with no pending out-calls", true);-- return !is_reply_error;- }-- // Dispatch an Interrupt in-call. Snapshot the current stack depth while we- // own the monitor.- size_t stackDepth = InterruptStackDepth();-- // keep the error relevant information- msgid_t recvdType = recvd.type();-- {- MonitorAutoUnlock unlock(*mMonitor);-- CxxStackFrame frame(*this, IN_MESSAGE, &recvd);- RefPtr<ActorLifecycleProxy> listenerProxy =- mListener->GetLifecycleProxy();- DispatchInterruptMessage(listenerProxy, std::move(recvd), stackDepth);- }- if (!Connected()) {- ReportConnectionError("Call_DispatchInterruptMessage", recvdType);- return false;- }- }-}- bool MessageChannel::HasPendingEvents() { AssertWorkerThread(); mMonitor->AssertCurrentThreadOwns(); return Connected() && !mPending.isEmpty();-}--bool MessageChannel::InterruptEventOccurred() {- AssertWorkerThread();- mMonitor->AssertCurrentThreadOwns();- IPC_ASSERT(InterruptStackDepth() > 0, "not in wait loop");-- return (!Connected() || !mPending.isEmpty() ||- (!mOutOfTurnReplies.empty() &&- mOutOfTurnReplies.find(mInterruptStack.top().seqno()) !=- mOutOfTurnReplies.end())); } bool MessageChannel::ProcessPendingRequest(Message&& aUrgent) {@@ -1779,29 +1426,18 @@ // Check that we're going to run the first message that's valid to run. #if 0 # ifdef DEBUG- nsCOMPtr<nsIEventTarget> messageTarget =- mListener->GetMessageEventTarget(msg);- for (MessageTask* task : mPending) { if (task == &aTask) { break; }- nsCOMPtr<nsIEventTarget> taskTarget =- mListener->GetMessageEventTarget(task->Msg());- MOZ_ASSERT(!ShouldRunMessage(task->Msg()) ||- taskTarget != messageTarget || aTask.Msg().priority() != task->Msg().priority()); } # endif #endif- if (!mDeferred.empty()) {- MaybeUndeferIncall();- }- if (!ShouldRunMessage(msg)) { return; }@@ -1811,13 +1447,6 @@ if (!IsAlwaysDeferred(msg)) { mMaybeDeferredPendingCount--;- }-- if (IsOnCxxStack() && msg.is_interrupt() && msg.is_reply()) {- // We probably just received a reply in a nested loop for an- // Interrupt call sent before entering that loop.- mOutOfTurnReplies[msg.seqno()] = std::move(msg);- return; } DispatchMessage(std::move(msg));@@ -1879,15 +1508,7 @@ mScheduled = true;- RefPtr<MessageTask> self = this;- nsCOMPtr<nsISerialEventTarget> eventTarget =- Channel()->mListener->GetMessageEventTarget(mMessage);-- if (eventTarget) {- eventTarget->Dispatch(self.forget(), NS_DISPATCH_NORMAL);- } else {- Channel()->mWorkerThread->Dispatch(self.forget());- }+ Channel()->mWorkerThread->Dispatch(do_AddRef(this)); } NS_IMETHODIMP@@ -1952,14 +1573,12 @@ { MonitorAutoUnlock unlock(*mMonitor);- CxxStackFrame frame(*this, IN_MESSAGE, &aMsg);+ AutoSetValue<bool> setOnCxxStack(mOnCxxStack, true); mListener->ArtificialSleep(); if (aMsg.is_sync()) { DispatchSyncMessage(listenerProxy, aMsg, *getter_Transfers(reply));- } else if (aMsg.is_interrupt()) {- DispatchInterruptMessage(listenerProxy, std::move(aMsg), 0); } else { DispatchAsyncMessage(listenerProxy, aMsg); }@@ -2022,7 +1641,7 @@ void MessageChannel::DispatchAsyncMessage(ActorLifecycleProxy* aProxy, const Message& aMsg) { AssertWorkerThread();- MOZ_RELEASE_ASSERT(!aMsg.is_interrupt() && !aMsg.is_sync());+ MOZ_RELEASE_ASSERT(!aMsg.is_sync()); if (aMsg.routing_id() == MSG_ROUTING_NONE) { NS_WARNING("unhandled special message!");@@ -2041,153 +1660,9 @@ MaybeHandleError(rv, aMsg, "DispatchAsyncMessage"); }-void MessageChannel::DispatchInterruptMessage(ActorLifecycleProxy* aProxy,- Message&& aMsg,- size_t stackDepth) {- AssertWorkerThread();- mMonitor->AssertNotCurrentThreadOwns();-- IPC_ASSERT(aMsg.is_interrupt() && !aMsg.is_reply(), "wrong message type");-- if (ShouldDeferInterruptMessage(aMsg, stackDepth)) {- // We now know the other side's stack has one more frame- // than we thought.- ++mRemoteStackDepthGuess; // decremented in MaybeProcessDeferred()- mDeferred.push(std::move(aMsg));- return;- }-- // If we "lost" a race and need to process the other side's in-call, we- // don't need to fix up the mRemoteStackDepthGuess here, because we're just- // about to increment it, which will make it correct again.--#ifdef OS_WIN- SyncStackFrame frame(this, true);-#endif-- UniquePtr<Message> reply;-- ++mRemoteStackDepthGuess;- Result rv = aProxy->Get()->OnCallReceived(aMsg, *getter_Transfers(reply));- --mRemoteStackDepthGuess;-- if (!MaybeHandleError(rv, aMsg, "DispatchInterruptMessage")) {- reply = WrapUnique(Message::ForInterruptDispatchError());- }- reply->set_seqno(aMsg.seqno());-- MonitorAutoLock lock(*mMonitor);- if (ChannelConnected == mChannelState) {- AddProfilerMarker(*reply, MessageDirection::eSending);- mLink->SendMessage(std::move(reply));- }-}--bool MessageChannel::ShouldDeferInterruptMessage(const Message& aMsg,- size_t aStackDepth) {- AssertWorkerThread();-- // We may or may not own the lock in this function, so don't access any- // channel state.-- IPC_ASSERT(aMsg.is_interrupt() && !aMsg.is_reply(), "wrong message type");-- // Race detection: see the long comment near mRemoteStackDepthGuess in- // MessageChannel.h. "Remote" stack depth means our side, and "local" means- // the other side.- if (aMsg.interrupt_remote_stack_depth_guess() ==- RemoteViewOfStackDepth(aStackDepth) ||- mInterruptStack.empty()) {- return false;- }-- // Interrupt in-calls have raced. The winner, if there is one, gets to defer- // processing of the other side's in-call.- bool defer;- const char* winner;- const MessageInfo parentMsgInfo =- (mSide == ChildSide) ? MessageInfo(aMsg) : mInterruptStack.top();- const MessageInfo childMsgInfo =- (mSide == ChildSide) ? mInterruptStack.top() : MessageInfo(aMsg);- switch (mListener->MediateInterruptRace(parentMsgInfo, childMsgInfo)) {- case RIPChildWins:- winner = "child";- defer = (mSide == ChildSide);- break;- case RIPParentWins:- winner = "parent";- defer = (mSide != ChildSide);- break;- case RIPError:- MOZ_CRASH("NYI: 'Error' Interrupt race policy");- default:- MOZ_CRASH("not reached");- }-- IPC_LOG("race in %s: %s won", (mSide == ChildSide) ? "child" : "parent",- winner);-- return defer;-}--void MessageChannel::MaybeUndeferIncall() {- AssertWorkerThread();- mMonitor->AssertCurrentThreadOwns();-- if (mDeferred.empty()) return;-- size_t stackDepth = InterruptStackDepth();-- Message& deferred = mDeferred.top();-- // the other side can only *under*-estimate our actual stack depth- IPC_ASSERT(deferred.interrupt_remote_stack_depth_guess() <= stackDepth,- "fatal logic error");-- if (ShouldDeferInterruptMessage(deferred, stackDepth)) {- return;- }-- // maybe time to process this message- Message call(std::move(deferred));- mDeferred.pop();-- // fix up fudge factor we added to account for race- IPC_ASSERT(0 < mRemoteStackDepthGuess, "fatal logic error");- --mRemoteStackDepthGuess;-- MOZ_RELEASE_ASSERT(call.nested_level() == IPC::Message::NOT_NESTED);- RefPtr<MessageTask> task = new MessageTask(this, std::move(call));- mPending.insertBack(task);- MOZ_ASSERT(IsAlwaysDeferred(task->Msg()));- task->Post();-}--void MessageChannel::EnteredCxxStack() { mListener->EnteredCxxStack(); }--void MessageChannel::ExitedCxxStack() {- mListener->ExitedCxxStack();- if (mSawInterruptOutMsg) {- MonitorAutoLock lock(*mMonitor);- // see long comment in OnMaybeDequeueOne()- EnqueuePendingMessages();- mSawInterruptOutMsg = false;- }-}--void MessageChannel::EnteredCall() { mListener->EnteredCall(); }--void MessageChannel::ExitedCall() { mListener->ExitedCall(); }--void MessageChannel::EnteredSyncSend() { mListener->OnEnteredSyncSend(); }--void MessageChannel::ExitedSyncSend() { mListener->OnExitedSyncSend(); }- void MessageChannel::EnqueuePendingMessages() { AssertWorkerThread(); mMonitor->AssertCurrentThreadOwns();-- MaybeUndeferIncall(); // XXX performance tuning knob: could process all or k pending // messages here, rather than enqueuing for later processing@@ -2231,10 +1706,6 @@ // If the timeout didn't expire, we know we received an event. The // converse is not true. return WaitResponse(status == CVStatus::Timeout);-}--bool MessageChannel::WaitForInterruptNotify() {- return WaitForSyncNotify(true); } void MessageChannel::NotifyWorkerThread() { mMonitor->Notify(); }@@ -2376,10 +1847,6 @@ IPC_LOG("OnChannelErrorFromLink");- if (InterruptStackDepth() > 0) {- NotifyWorkerThread();- }- if (AwaitingSyncReply()) { NotifyWorkerThread(); }@@ -2594,50 +2061,24 @@ void MessageChannel::DebugAbort(const char* file, int line, const char* cond, const char* why, bool reply) {+ AssertWorkerThread();+ mMonitor->AssertCurrentThreadOwns();+ printf_stderr( "###!!! [MessageChannel][%s][%s:%d] " "Assertion (%s) failed. %s %s\n", mSide == ChildSide ? "Child" : "Parent", file, line, cond, why, reply ? "(reply)" : "");- // technically we need the mutex for this, but we're dying anyway- DumpInterruptStack(" ");- printf_stderr(" remote Interrupt stack guess: %zu\n",- mRemoteStackDepthGuess);- printf_stderr(" deferred stack size: %zu\n", mDeferred.size());- printf_stderr(" out-of-turn Interrupt replies stack size: %zu\n",- mOutOfTurnReplies.size()); MessageQueue pending = std::move(mPending); while (!pending.isEmpty()) {- printf_stderr(- " [ %s%s ]\n",- pending.getFirst()->Msg().is_interrupt()- ? "intr"- : (pending.getFirst()->Msg().is_sync() ? "sync" : "async"),- pending.getFirst()->Msg().is_reply() ? "reply" : "");+ printf_stderr(" [ %s%s ]\n",+ pending.getFirst()->Msg().is_sync() ? "sync" : "async",+ pending.getFirst()->Msg().is_reply() ? "reply" : ""); pending.popFirst(); } MOZ_CRASH_UNSAFE(why);-}--void MessageChannel::DumpInterruptStack(const char* const pfx) const {- NS_WARNING_ASSERTION(!mWorkerThread->IsOnCurrentThread(),- "The worker thread had better be paused in a debugger!");-- printf_stderr("%sMessageChannel 'backtrace':\n", pfx);-- // print a python-style backtrace, first frame to last- for (uint32_t i = 0; i < mCxxStackFrames.length(); ++i) {- int32_t id;- const char* dir;- const char* sems;- const char* name;- mCxxStackFrames[i].Describe(&id, &dir, &sems, &name);-- printf_stderr("%s[(%u) %s %s %s(actor=%d) ]\n", pfx, i, dir, sems, name,- id);- } } void MessageChannel::AddProfilerMarker(const IPC::Message& aMessage,
Based on the provided code diff, I'll analyze it for security fixes. The changes appear to primarily involve removing interrupt message handling functionality and simplifying the message channel implementation. Vulnerability Existed: yes Race Condition in Interrupt Message Handling [ipc/glue/MessageChannel.cpp] [Lines throughout file] [Old Code] Complex interrupt message handling system with potential race conditions in nested message processing, out-of-order replies, and stack depth guessing [Fixed Code] Simplified message handling that removes interrupt messages entirely, focusing only on async and sync messages The main security-related change is the removal of the interrupt message handling system which had complex race condition potential. The old code had: 1. Intr message type with special handling 2. Out-of-order reply tracking (mOutOfTurnReplies) 3. Stack depth guessing logic 4. Complex nested message processing 5. Deferred message queue The new code: 1. Removes all interrupt message handling 2. Simplifies to just async and sync messages 3. Removes race-prone components 4. Makes the message flow more predictable This appears to be a deliberate security hardening change to remove complex, potentially vulnerable code paths. The interrupt message system was particularly problematic because: 1. It allowed message nesting in ways that could lead to deadlocks 2. The stack depth guessing was inherently race-prone 3. The out-of-order reply handling added complexity 4. The deferred message queue created timing attack surfaces No other clear vulnerabilities are evident in the diff. The changes appear focused on this major architectural simplification for security and reliability purposes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/debugger/src/actions/breakpoints/breakpointPositions.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/debugger/src/actions/breakpoints/breakpointPositions.js@@ -7,7 +7,6 @@ isGeneratedId, originalToGeneratedId, } from "devtools-source-map";-import { uniqBy } from "lodash"; import { getSource,@@ -44,8 +43,24 @@ return positions.filter(position => position.location.sourceId == sourceId); }+/**+ * Merge positions that refer to duplicated positions.+ * Some sourcemaped positions might refer to the exact same source/line/column triple.+ *+ * @param {Array<{location, generatedLocation}>} positions: List of possible breakable positions+ * @returns {Array<{location, generatedLocation}>} A new, filtered array.+ */ function filterByUniqLocation(positions) {- return uniqBy(positions, ({ location }) => makeBreakpointId(location));+ const handledBreakpointIds = new Set();+ return positions.filter(({ location }) => {+ const breakpointId = makeBreakpointId(location);+ if (handledBreakpointIds.has(breakpointId)) {+ return false;+ }++ handledBreakpointIds.add(breakpointId);+ return true;+ }); } function convertToList(results, source) {
Let me analyze the code diff for security vulnerabilities:
1. Vulnerability Existed: no
Dependency Removal [devtools/client/debugger/src/actions/breakpoints/breakpointPositions.js] [Lines 7,44-56]
Old Code:
```
import { uniqBy } from "lodash";
...
function filterByUniqLocation(positions) {
return uniqBy(positions, ({ location }) => makeBreakpointId(location));
}
```
Fixed Code:
```
function filterByUniqLocation(positions) {
const handledBreakpointIds = new Set();
return positions.filter(({ location }) => {
const breakpointId = makeBreakpointId(location);
if (handledBreakpointIds.has(breakpointId)) {
return false;
}
handledBreakpointIds.add(breakpointId);
return true;
});
}
```
Additional Details:
- The change removes a dependency on lodash's `uniqBy` function and implements the same functionality natively using a Set
- This is not a security fix but rather a code improvement/optimization
- No actual vulnerabilities were present in either version of the code
- The change improves maintainability by reducing external dependencies
- The functionality remains identical between versions, just implemented differently
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.