Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-5.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-5.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security-related fixes. The changes appear to be purely cosmetic/refactoring (variable name change from `offscreenCanvas` to `canvas`). Here's the analysis following your format:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%)';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#f00';
ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%)';
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes don't appear to address any security vulnerabilities but rather improve code consistency by using a shorter variable name. No security-related patterns (like input validation, sanitization, or security-sensitive operations) were modified in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.strokeStyle.default.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.strokeStyle.default.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.strokeStyle, '#000000', "ctx.strokeStyle", "'#000000'"); t.done();
Analysis of the provided code diff:
1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 13-14]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
The changes in this diff appear to be purely cosmetic, renaming a variable from `offscreenCanvas` to `canvas`. There's no indication of any security vulnerability being fixed - the change seems to be about code style or consistency rather than security. The functionality remains exactly the same, just with a different variable name.
No known vulnerability names apply to this change, and the modification doesn't appear to address any security-related issue. The test's purpose (checking default strokeStyle value) remains unchanged.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebExtension.java+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/mobile/android/geckoview/src/main/java/org/mozilla/geckoview/WebExtension.java@@ -4,6 +4,7 @@ package org.mozilla.geckoview;+import android.annotation.SuppressLint; import android.graphics.Color; import android.util.Log; import androidx.annotation.AnyThread;@@ -120,7 +121,7 @@ @LongDef( flag = true, value = {Flags.NONE, Flags.ALLOW_CONTENT_MESSAGING})- /* package */ @interface WebExtensionFlags {}+ public @interface WebExtensionFlags {} /* package */ WebExtension(final DelegateControllerProvider provider, final GeckoBundle bundle) { location = bundle.getString("locationURI");@@ -192,7 +193,7 @@ BrowsingDataDelegate.Type.PASSWORDS }, flag = true)- @interface BrowsingDataTypes {}+ public @interface BrowsingDataTypes {} /** * This delegate is used to handle calls from the |browsingData| WebExtension API.@@ -1093,7 +1094,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({ENV_TYPE_UNKNOWN, ENV_TYPE_EXTENSION, ENV_TYPE_CONTENT_SCRIPT})- /* package */ @interface EnvType {}+ public @interface EnvType {} /* package */ static final int ENV_TYPE_UNKNOWN = 0; /** This sender originated inside a privileged extension context like a background script. */ public static final int ENV_TYPE_EXTENSION = 1;@@ -1258,7 +1259,7 @@ @Retention(RetentionPolicy.SOURCE) @IntDef({TYPE_BROWSER_ACTION, TYPE_PAGE_ACTION})- /* package */ @interface ActionType {}+ public @interface ActionType {} /* package */ final @ActionType int type;@@ -1398,6 +1399,9 @@ return; }+ // The .accept method will be called from the UIThread in this case because+ // the GeckoResult instance was created on the UIThread+ @SuppressLint("WrongThread") final GeckoResult<GeckoSession> popup = delegate.onTogglePopup(mExtension, this); openPopup(popup, uri); });@@ -1573,7 +1577,7 @@ ErrorCodes.ERROR_USER_CANCELED, ErrorCodes.ERROR_POSTPONED, })- /* package */ @interface Codes {}+ public @interface Codes {} /** One of {@link ErrorCodes} that provides more information about this exception. */ public final @Codes int code;@@ -1651,7 +1655,7 @@ SignedStateFlags.SYSTEM, SignedStateFlags.PRIVILEGED })- @interface SignedState {}+ public @interface SignedState {} /** * Describes the blocklist state for a {@link WebExtension}. See <a@@ -1686,7 +1690,7 @@ BlocklistStateFlags.VULNERABLE_UPDATE_AVAILABLE, BlocklistStateFlags.VULNERABLE_NO_UPDATE })- @interface BlocklistState {}+ public @interface BlocklistState {} public static class DisabledFlags { /** The extension has been disabled by the user */@@ -1710,7 +1714,7 @@ @IntDef( flag = true, value = {DisabledFlags.USER, DisabledFlags.BLOCKLIST, DisabledFlags.APP})- @interface EnabledFlags {}+ public @interface EnabledFlags {} /** Provides information about a {@link WebExtension}. */ public class MetaData {@@ -1945,8 +1949,7 @@ Context.TAB, Context.TOOLS_MENU })-- /* package */ @interface ContextFlags {}+ public @interface ContextFlags {} /** * Flags to determine which contexts a menu item should be shown in. See <a@@ -2047,8 +2050,7 @@ @IntDef( flag = false, value = {MenuType.NORMAL, MenuType.CHECKBOX, MenuType.RADIO, MenuType.SEPARATOR})-- /* package */ @interface Type {}+ public @interface Type {} /** A set of constants that represents the display type of this menu item. */ static class MenuType {@@ -2515,7 +2517,6 @@ } @NonNull- @UiThread /* package */ static GeckoBundle downloadInfoToBundle(final @NonNull Info data) { final GeckoBundle dataBundle = new GeckoBundle();@@ -2583,7 +2584,7 @@ @IntDef( flag = true, value = {CONFLICT_ACTION_UNIQUIFY, CONFLICT_ACTION_OVERWRITE, CONFLICT_ACTION_PROMPT})- /* package */ @interface ConflictActionFlags {}+ public @interface ConflictActionFlags {} /** The app should modify the filename to make it unique */ public static final int CONFLICT_ACTION_UNIQUIFY = 0;
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes primarily involve modifying access modifiers of annotation interfaces from package-private to public and adding a `@SuppressLint` annotation. Here's the analysis:
1. Vulnerability Existed: no
Access Modifier Changes [File] [Various lines]
[Old Code] - Various `/* package */ @interface` declarations
[Fixed Code] - Changed to `public @interface` declarations
(This appears to be an API visibility change rather than a security fix)
2. Vulnerability Existed: no
WrongThread Suppression [File] [Line 1402]
[Old Code] - No annotation
[Fixed Code] - Added `@SuppressLint("WrongThread")`
(This is a threading annotation addition, not a security fix)
3. Vulnerability Existed: no
UiThread Annotation Removal [File] [Line 2519]
[Old Code] - Method had `@UiThread` annotation
[Fixed Code] - `@UiThread` annotation removed
(This appears to be a threading annotation adjustment, not a security fix)
The changes seem focused on API visibility and threading annotations rather than addressing specific security vulnerabilities. No known vulnerability patterns (like injection flaws, XSS, etc.) are being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/tools/wptrunner/wptrunner/executors/executorservo.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/tools/wptrunner/wptrunner/executors/executorservo.py@@ -11,17 +11,14 @@ from tools.serve.serve import make_hosts_file-from .base import (ConnectionlessProtocol,- RefTestImplementation,+from .base import (RefTestImplementation, crashtest_result_converter, testharness_result_converter, reftest_result_converter,- TimedRunner,- WdspecExecutor,- WdspecProtocol)+ TimedRunner) from .process import ProcessTestExecutor+from .protocol import ConnectionlessProtocol from ..browsers.base import browser_command-from ..webdriver_server import ServoDriverServer pytestrunner = None@@ -280,14 +277,6 @@ " ".join(self.command))-class ServoDriverProtocol(WdspecProtocol):- server_cls = ServoDriverServer---class ServoWdspecExecutor(WdspecExecutor):- protocol_cls = ServoDriverProtocol-- class ServoTimedRunner(TimedRunner): def run_func(self): try:
Based on the provided code diff, I'll analyze it for potential security fixes:
1. Vulnerability Existed: not sure
Import Restructuring [File] [Lines 11-18, 280-286]
[Old Code]
from .base import (ConnectionlessProtocol,
RefTestImplementation,
crashtest_result_converter,
testharness_result_converter,
reftest_result_converter,
TimedRunner,
WdspecExecutor,
WdspecProtocol)
from .process import ProcessTestExecutor
from ..browsers.base import browser_command
from ..webdriver_server import ServoDriverServer
[Fixed Code]
from .base import (RefTestImplementation,
crashtest_result_converter,
testharness_result_converter,
reftest_result_converter,
TimedRunner)
from .process import ProcessTestExecutor
from .protocol import ConnectionlessProtocol
from ..browsers.base import browser_command
2. Vulnerability Existed: not sure
Removed WebDriver Server Code [File] [Lines 280-286]
[Old Code]
class ServoDriverProtocol(WdspecProtocol):
server_cls = ServoDriverServer
class ServoWdspecExecutor(WdspecExecutor):
protocol_cls = ServoDriverProtocol
[Fixed Code]
[Removed entirely]
The changes appear to be primarily structural:
1. Moving ConnectionlessProtocol to a different module
2. Removing WebDriver server-related code (ServoDriverProtocol and ServoWdspecExecutor)
While these changes don't clearly indicate specific security vulnerabilities being fixed, the removal of WebDriver server code could potentially relate to security hardening by reducing the attack surface. However, without more context, I can't definitively identify specific vulnerabilities being addressed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/workers/WorkerPrivate.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/workers/WorkerPrivate.h@@ -28,10 +28,10 @@ #include "mozilla/dom/ClientSource.h" #include "mozilla/dom/FlippedOnce.h" #include "mozilla/dom/RemoteWorkerChild.h"+#include "mozilla/dom/quota/CheckedUnsafePtr.h" #include "mozilla/dom/Worker.h" #include "mozilla/dom/WorkerCommon.h" #include "mozilla/dom/WorkerLoadInfo.h"-#include "mozilla/dom/WorkerScope.h" #include "mozilla/dom/WorkerStatus.h" #include "mozilla/dom/workerinternals/JSSettings.h" #include "mozilla/dom/workerinternals/Queue.h"@@ -107,7 +107,9 @@ nsString ComputeWorkerPrivateId();-class WorkerPrivate final : public RelativeTimeline {+class WorkerPrivate final+ : public RelativeTimeline,+ public SupportsCheckedUnsafePtr<CheckIf<DiagnosticAssertEnabled>> { public: struct LocationInfo { nsCString mHref;@@ -261,9 +263,9 @@ bool ModifyBusyCountFromWorker(bool aIncrease);- bool AddChildWorker(WorkerPrivate* aChildWorker);-- void RemoveChildWorker(WorkerPrivate* aChildWorker);+ bool AddChildWorker(WorkerPrivate& aChildWorker);++ void RemoveChildWorker(WorkerPrivate& aChildWorker); void PostMessageToParent(JSContext* aCx, JS::Handle<JS::Value> aMessage, const Sequence<JSObject*>& aTransferable,@@ -585,6 +587,9 @@ // worker [Dedicated|Shared|Service]. bool IsChromeWorker() const { return mIsChromeWorker; }+ // TODO: Invariants require that the parent worker out-live any child+ // worker, so WorkerPrivate* should be safe in the moment of calling.+ // We would like to have stronger type-system annotated/enforced handling. WorkerPrivate* GetParent() const { return mParent; } bool IsFrozen() const {@@ -1156,7 +1161,9 @@ SharedMutex mMutex; mozilla::CondVar mCondVar;- WorkerPrivate* const mParent;+ // We cannot make this CheckedUnsafePtr<WorkerPrivate> as this would violate+ // our static assert+ MOZ_NON_OWNING_REF WorkerPrivate* const mParent; const nsString mScriptURL;@@ -1281,6 +1288,8 @@ RefPtr<WorkerGlobalScope> mScope; RefPtr<WorkerDebuggerGlobalScope> mDebuggerScope;+ // We cannot make this CheckedUnsafePtr<WorkerPrivate> as this would violate+ // our static assert nsTArray<WorkerPrivate*> mChildWorkers; nsTObserverArray<WorkerRef*> mWorkerRefs; nsTArray<UniquePtr<TimeoutInfo>> mTimeouts;@@ -1351,7 +1360,9 @@ ~AutoPushEventLoopGlobal(); private:- WorkerPrivate* mWorkerPrivate;+ // We cannot make this CheckedUnsafePtr<WorkerPrivate> as this would violate+ // our static assert+ MOZ_NON_OWNING_REF WorkerPrivate* mWorkerPrivate; nsCOMPtr<nsIGlobalObject> mOldEventLoopGlobal; }; friend class AutoPushEventLoopGlobal;@@ -1435,7 +1446,7 @@ }; class AutoSyncLoopHolder {- WorkerPrivate* mWorkerPrivate;+ CheckedUnsafePtr<WorkerPrivate> mWorkerPrivate; nsCOMPtr<nsIEventTarget> mTarget; uint32_t mIndex;@@ -1458,7 +1469,7 @@ } bool Run() {- WorkerPrivate* workerPrivate = mWorkerPrivate;+ CheckedUnsafePtr<WorkerPrivate> workerPrivate = mWorkerPrivate; mWorkerPrivate = nullptr; workerPrivate->AssertIsOnWorkerThread();
Analyzing the provided code diff for security fixes, here are the identified vulnerabilities:
1. Vulnerability Existed: yes
[Pointer Safety Improvement] [dom/workers/WorkerPrivate.h] [Lines 107, 1435-1469]
[Old Code]
```cpp
class WorkerPrivate final : public RelativeTimeline {
...
class AutoSyncLoopHolder {
WorkerPrivate* mWorkerPrivate;
```
[Fixed Code]
```cpp
class WorkerPrivate final
: public RelativeTimeline,
public SupportsCheckedUnsafePtr<CheckIf<DiagnosticAssertEnabled>> {
...
class AutoSyncLoopHolder {
CheckedUnsafePtr<WorkerPrivate> mWorkerPrivate;
```
2. Vulnerability Existed: yes
[Pointer Safety Improvement] [dom/workers/WorkerPrivate.h] [Lines 261-263]
[Old Code]
```cpp
bool AddChildWorker(WorkerPrivate* aChildWorker);
void RemoveChildWorker(WorkerPrivate* aChildWorker);
```
[Fixed Code]
```cpp
bool AddChildWorker(WorkerPrivate& aChildWorker);
void RemoveChildWorker(WorkerPrivate& aChildWorker);
```
3. Vulnerability Existed: not sure
[Potential Pointer Safety Issue] [dom/workers/WorkerPrivate.h] [Lines 1156-1161]
[Old Code]
```cpp
WorkerPrivate* const mParent;
```
[Fixed Code]
```cpp
MOZ_NON_OWNING_REF WorkerPrivate* const mParent;
```
4. Vulnerability Existed: not sure
[Potential Pointer Safety Issue] [dom/workers/WorkerPrivate.h] [Lines 1281-1288]
[Old Code]
```cpp
nsTArray<WorkerPrivate*> mChildWorkers;
```
[Fixed Code]
```cpp
// Comment indicates they can't use CheckedUnsafePtr here
nsTArray<WorkerPrivate*> mChildWorkers;
```
The main security improvements appear to be around pointer safety, with the introduction of `CheckedUnsafePtr` and changing raw pointers to references where possible. The changes suggest an effort to make pointer usage more type-safe and prevent potential null pointer dereferences or use-after-free vulnerabilities. The comments indicate there are some constraints preventing full conversion to safer pointer types in all cases.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/pin-project-internal/src/utils.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/pin-project-internal/src/utils.rs@@ -4,9 +4,13 @@ use quote::{format_ident, quote, quote_spanned, ToTokens}; use syn::{ parse::{Parse, ParseBuffer, ParseStream},+ parse_quote, punctuated::Punctuated,+ token, visit_mut::{self, VisitMut},- *,+ Attribute, ExprPath, ExprStruct, Generics, Ident, Item, Lifetime, LifetimeDef, Macro, PatPath,+ PatStruct, PatTupleStruct, Path, PathArguments, PredicateType, QSelf, Result, Token, Type,+ TypeParamBound, TypePath, Variant, Visibility, WherePredicate, }; pub(crate) type Variants = Punctuated<Variant, Token![,]>;
After analyzing the provided code diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be primarily about restructuring imports and adding some new ones. Here's the analysis following your requested format:
Vulnerability Existed: no
[No specific vulnerability] [third_party/rust/pin-project-internal/src/utils.rs] [Lines 4-13]
[Old Code]
use syn::{
parse::{Parse, ParseBuffer, ParseStream},
punctuated::Punctuated,
visit_mut::{self, VisitMut},
*,
};
[Fixed Code]
use syn::{
parse::{Parse, ParseBuffer, ParseStream},
parse_quote,
punctuated::Punctuated,
token,
visit_mut::{self, VisitMut},
Attribute, ExprPath, ExprStruct, Generics, Ident, Item, Lifetime, LifetimeDef, Macro, PatPath,
PatStruct, PatTupleStruct, Path, PathArguments, PredicateType, QSelf, Result, Token, Type,
TypeParamBound, TypePath, Variant, Visibility, WherePredicate,
};
The changes are:
1. Added `parse_quote` import
2. Added `token` import
3. Replaced the wildcard import (`*`) with explicit imports
4. Added several specific type imports from syn
These changes appear to be code quality/maintenance improvements rather than security fixes. The explicit imports make dependencies clearer and might help prevent potential naming conflicts, but this doesn't represent a security vulnerability being fixed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/layers/ipc/ImageBridgeChild.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/layers/ipc/ImageBridgeChild.h@@ -292,8 +292,7 @@ PTextureChild* CreateTexture( const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock, LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,- wr::MaybeExternalImageId& aExternalImageId,- nsISerialEventTarget* aTarget = nullptr) override;+ wr::MaybeExternalImageId& aExternalImageId) override; bool IsSameProcess() const override;
Let me analyze the code diff according to the specified format.
Vulnerability Existed: not sure
[Potential Parameter Injection/Incomplete Parameter Validation] [gfx/layers/ipc/ImageBridgeChild.h] [Lines 292-293]
[Old Code]
PTextureChild* CreateTexture(
const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock,
LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,
wr::MaybeExternalImageId& aExternalImageId,
nsISerialEventTarget* aTarget = nullptr) override;
[Fixed Code]
PTextureChild* CreateTexture(
const SurfaceDescriptor& aSharedData, ReadLockDescriptor&& aReadLock,
LayersBackend aLayersBackend, TextureFlags aFlags, uint64_t aSerial,
wr::MaybeExternalImageId& aExternalImageId) override;
Additional Details:
1. The change removes an optional parameter (aTarget) from the CreateTexture method
2. While this could potentially affect security by removing a parameter that might have been used for synchronization or thread safety, without more context about how this parameter was used, we can't be certain if this was fixing a vulnerability
3. The change might be related to preventing potential race conditions or thread safety issues by enforcing a specific execution context, but this is speculative
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/crossbeam-utils/.cargo-checksum.json+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/crossbeam-utils/.cargo-checksum.json@@ -1 +1 @@-{"files":{"CHANGELOG.md":"5242f1740c65509c465c9a36326d344722facff5f5e58dd064f7b77806b83a46","Cargo.toml":"ac35a7b8ccb16f1ab256951576537aa4179a316c068929c2acef89e0adc12319","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","README.md":"dfa9fbed47c344c134a63c84b7c0e4651baeac1554b7b3266d0e38643743fc33","benches/atomic_cell.rs":"c927eb3cd1e5ecc4b91adbc3bde98af15ffab4086190792ba64d5cde0e24df3d","build.rs":"68cfc4be02429834a19411fba29cb1cb52c841f03ac8104d1bae59a8b2184f9c","no_atomic.rs":"a2621c1b029c614fb0ab8e3f5cda2e839df88d90d26133181c1b901965f7eec4","src/atomic/atomic_cell.rs":"1a3a1e073340317b5ce7a94e29c6a87db89ff7e00da6b92cb3c0339364c3b084","src/atomic/consume.rs":"7a7736fcd64f6473dfea7653559ffc5e1a2a234df43835f8aa8734862145ac15","src/atomic/mod.rs":"7f6afd5bd0da1f7b51765ab04da4e5f683588ac2d23506e61bf7007bb1e61ba2","src/atomic/seq_lock.rs":"27182e6b87a9db73c5f6831759f8625f9fcdec3c2828204c444aef04f427735a","src/atomic/seq_lock_wide.rs":"9888dd03116bb89ca36d4ab8d5a0b5032107a2983a7eb8024454263b09080088","src/backoff.rs":"7cc7754e15f69b52e92a70d4f49d1bc274693455a0933a2d7eb0605806566af3","src/cache_padded.rs":"6a512698115ad0d5a5b163dbd7a83247e1f1c146c4a30f3fc74b952e3b767b59","src/lib.rs":"6f1bcf157abe06ad8458a53e865bf8efab9fad4a9424790147cee8fefb3795d8","src/sync/mod.rs":"59986f559a8f170a4b3247ab2eea2460b09809d87c8110ed88e4e7103d3519dc","src/sync/parker.rs":"ba8f75bff31b8be9275808e8f393e71cc682dfc1109ceccb12f69a3700cff5be","src/sync/sharded_lock.rs":"14be659744918d0b27db24c56b41c618b0f0484b6761da46561023d96c4c120f","src/sync/wait_group.rs":"32e946a7581c55f8aa9904527b92b177c538fa0cf7cbcfa1d1f25990582cb6ea","src/thread.rs":"0eb5ec1d3c1b40600d88eb70539d14276e32307f5bed2b679f50f6a20777a01e","tests/atomic_cell.rs":"6c9453384ecbbe76f8b97b62f022d478d3a76b4eae1e960f49790970f5d52158","tests/cache_padded.rs":"1bfaff8354c8184e1ee1f902881ca9400b60effb273b0d3f752801a483d2b66d","tests/parker.rs":"6def4721287d9d70b1cfd63ebb34e1c83fbb3376edbad2bc8aac6ef69dd99d20","tests/sharded_lock.rs":"726025ce6351fb56ed629d5a56bdf6e833b7afc5dedfa08de0b056c726b6c26d","tests/thread.rs":"9a7d7d3028c552fd834c68598b04a1cc252a816bc20ab62cec060d6cd09cab10","tests/wait_group.rs":"ad8f0cdfed31f9594a2e0737234d418f8b924d784a4db8d7e469deab8c95f5f8"},"package":"d82cfc11ce7f2c3faef78d8a684447b40d503d9681acebed6cb728d45940c4db"}+{"files":{"CHANGELOG.md":"097eb3484f4f13471dfe6879ce61450cc60d4453aecb924f38a8f0e4af593cdd","Cargo.toml":"2734493ab832f12a4f849c333d2dd11760c6ce614b88355da21118f77acdcd70","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"5734ed989dfca1f625b40281ee9f4530f91b2411ec01cb748223e7eb87e201ab","README.md":"dfa9fbed47c344c134a63c84b7c0e4651baeac1554b7b3266d0e38643743fc33","benches/atomic_cell.rs":"c927eb3cd1e5ecc4b91adbc3bde98af15ffab4086190792ba64d5cde0e24df3d","build.rs":"39cf39e855e52559c8f68880a02b3e2778ae2d8f089650af1b3e34a85898aed7","no_atomic.rs":"3529c0833bcd1e09a352d3bd1696d3666850c9b09fe2111bf1a783ec16a5f467","src/atomic/atomic_cell.rs":"9d0785073f506b75c110270947f6a8367ead7faaf29c507d4ede37125310cff6","src/atomic/consume.rs":"7a7736fcd64f6473dfea7653559ffc5e1a2a234df43835f8aa8734862145ac15","src/atomic/mod.rs":"7f6afd5bd0da1f7b51765ab04da4e5f683588ac2d23506e61bf7007bb1e61ba2","src/atomic/seq_lock.rs":"27182e6b87a9db73c5f6831759f8625f9fcdec3c2828204c444aef04f427735a","src/atomic/seq_lock_wide.rs":"9888dd03116bb89ca36d4ab8d5a0b5032107a2983a7eb8024454263b09080088","src/backoff.rs":"7cc7754e15f69b52e92a70d4f49d1bc274693455a0933a2d7eb0605806566af3","src/cache_padded.rs":"6a512698115ad0d5a5b163dbd7a83247e1f1c146c4a30f3fc74b952e3b767b59","src/lib.rs":"6f1bcf157abe06ad8458a53e865bf8efab9fad4a9424790147cee8fefb3795d8","src/sync/mod.rs":"59986f559a8f170a4b3247ab2eea2460b09809d87c8110ed88e4e7103d3519dc","src/sync/parker.rs":"3f997f5b41fec286ccedcf3d36f801d741387badb574820b8e3456117ecd9154","src/sync/sharded_lock.rs":"14be659744918d0b27db24c56b41c618b0f0484b6761da46561023d96c4c120f","src/sync/wait_group.rs":"32e946a7581c55f8aa9904527b92b177c538fa0cf7cbcfa1d1f25990582cb6ea","src/thread.rs":"6a7676fd4e50af63aec6f655121a10cd6e8c704f4677125388186ba58dc5842d","tests/atomic_cell.rs":"ba2e34ed1e27f0d0d4f1bb8a5feb4eb8131f756adb27a719de52c26ee7b86b9c","tests/cache_padded.rs":"1bfaff8354c8184e1ee1f902881ca9400b60effb273b0d3f752801a483d2b66d","tests/parker.rs":"6def4721287d9d70b1cfd63ebb34e1c83fbb3376edbad2bc8aac6ef69dd99d20","tests/sharded_lock.rs":"eb6c5b59f007e0d290dd0f58758e8ccb5cacd38af34e3341368ced815f0c41be","tests/thread.rs":"9a7d7d3028c552fd834c68598b04a1cc252a816bc20ab62cec060d6cd09cab10","tests/wait_group.rs":"ad8f0cdfed31f9594a2e0737234d418f8b924d784a4db8d7e469deab8c95f5f8"},"package":"cfcae03edb34f947e64acdb1c33ec169824e20657e9ecb61cef6c8c74dcb8120"}=========third_party/rust/ryu/src/d2s.rs========--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ryu/src/d2s.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ryu/src/d2s.rs@@ -24,9 +24,6 @@ use crate::d2s_intrinsics::*; #[cfg(feature = "small")] pub use crate::d2s_small_table::*;-#[cfg(not(maybe_uninit))]-use core::mem;-#[cfg(maybe_uninit)] use core::mem::MaybeUninit; pub const DOUBLE_MANTISSA_BITS: u32 = 52;@@ -117,14 +114,7 @@ let mut vr: u64; let mut vp: u64; let mut vm: u64;- #[cfg(not(maybe_uninit))]- {- vp = unsafe { mem::uninitialized() };- vm = unsafe { mem::uninitialized() };- }- #[cfg(maybe_uninit)] let mut vp_uninit: MaybeUninit<u64> = MaybeUninit::uninit();- #[cfg(maybe_uninit)] let mut vm_uninit: MaybeUninit<u64> = MaybeUninit::uninit(); let e10: i32; let mut vm_is_trailing_zeros = false;@@ -147,30 +137,13 @@ DOUBLE_POW5_INV_SPLIT.get_unchecked(q as usize) }, i as u32,- #[cfg(maybe_uninit)]- {- vp_uninit.as_mut_ptr()- },- #[cfg(not(maybe_uninit))]- {- &mut vp- },- #[cfg(maybe_uninit)]- {- vm_uninit.as_mut_ptr()- },- #[cfg(not(maybe_uninit))]- {- &mut vm- },+ vp_uninit.as_mut_ptr(),+ vm_uninit.as_mut_ptr(), mm_shift, ) };- #[cfg(maybe_uninit)]- {- vp = unsafe { vp_uninit.assume_init() };- vm = unsafe { vm_uninit.assume_init() };- }+ vp = unsafe { vp_uninit.assume_init() };+ vm = unsafe { vm_uninit.assume_init() }; if q <= 21 { // This should use q <= 22, but I think 21 is also safe. Smaller values // may still be safe, but it's more difficult to reason about them.@@ -206,30 +179,13 @@ DOUBLE_POW5_SPLIT.get_unchecked(i as usize) }, j as u32,- #[cfg(maybe_uninit)]- {- vp_uninit.as_mut_ptr()- },- #[cfg(not(maybe_uninit))]- {- &mut vp- },- #[cfg(maybe_uninit)]- {- vm_uninit.as_mut_ptr()- },- #[cfg(not(maybe_uninit))]- {- &mut vm- },+ vp_uninit.as_mut_ptr(),+ vm_uninit.as_mut_ptr(), mm_shift, ) };- #[cfg(maybe_uninit)]- {- vp = unsafe { vp_uninit.assume_init() };- vm = unsafe { vm_uninit.assume_init() };- }+ vp = unsafe { vp_uninit.assume_init() };+ vm = unsafe { vm_uninit.assume_init() }; if q <= 1 { // {vr,vp,vm} is trailing zeros if {mv,mp,mm} has at least q trailing 0 bits. // mv = 4 * m2, so it always has at least two trailing 0 bits.
Based on the provided code diff, I'll analyze the security fixes:
1. First vulnerability (in ryu/src/d2s.rs):
Vulnerability Existed: yes
Uninitialized Memory Vulnerability [third_party/rust/ryu/src/d2s.rs] [Lines 117-147, 206-179]
[Old Code]
```rust
#[cfg(not(maybe_uninit))]
{
vp = unsafe { mem::uninitialized() };
vm = unsafe { mem::uninitialized() };
}
```
[Fixed Code]
```rust
let mut vp_uninit: MaybeUninit<u64> = MaybeUninit::uninit();
let mut vm_uninit: MaybeUninit<u64> = MaybeUninit::uninit();
```
2. Second vulnerability (same file):
Vulnerability Existed: yes
Memory Safety Issue [third_party/rust/ryu/src/d2s.rs] [Lines 147-137, 179-206]
[Old Code]
```rust
#[cfg(not(maybe_uninit))]
{
&mut vp
},
#[cfg(not(maybe_uninit))]
{
&mut vm
},
```
[Fixed Code]
```rust
vp_uninit.as_mut_ptr(),
vm_uninit.as_mut_ptr(),
```
The main security fixes involve:
1. Replacing unsafe uninitialized memory usage with MaybeUninit
2. Removing conditional compilation paths that used unsafe memory initialization
3. Consistently using MaybeUninit for memory safety
These changes address potential undefined behavior that could occur with uninitialized memory access, which could lead to security vulnerabilities. The fixes ensure memory safety by using Rust's MaybeUninit API instead of direct unsafe memory operations.
Note: The .cargo-checksum.json changes appear to be version updates and checksum changes rather than security fixes, so I haven't included them as vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/background-size-042.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/background-size-042.html@@ -27,7 +27,6 @@ <link rel="match" href="reference/background-size-041-ref.html">- <meta content="" name="flags"> <meta content="This test checks that when one 'background-size' is 'auto' and the image has no intrinsic size and no intrinsic ratio, then it should use 100%. In this test, the 'auto' value should use 100% of the height of the background positioning area of the div, which is 400px." name="assert"> <style>
Analyzing the provided code diff, here's the security analysis: Vulnerability Existed: no No security vulnerability found [File] [Lines 27] [Old Code] <meta content="" name="flags"> [Fixed Code] (line removed) Additional Details: - The diff shows only the removal of a meta tag with an empty "flags" attribute - This appears to be test-related cleanup rather than a security fix - No known vulnerabilities are associated with this change - The change doesn't affect any security-related functionality - The modification is in a test file, not production code No security vulnerabilities were identified in this diff. The change appears to be routine test maintenance rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.cap.butt.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/line-styles/2d.line.cap.butt.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);@@ -38,18 +38,18 @@ ctx.lineTo(75, 35); ctx.stroke(); ctx.fillRect(65, 15, 20, 20);-_assertPixel(offscreenCanvas, 25,14, 0,255,0,255, "25,14", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,15, 0,255,0,255, "25,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,16, 0,255,0,255, "25,16", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,34, 0,255,0,255, "25,34", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,35, 0,255,0,255, "25,35", "0,255,0,255");-_assertPixel(offscreenCanvas, 25,36, 0,255,0,255, "25,36", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,14, 0,255,0,255, "75,14", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,15, 0,255,0,255, "75,15", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,16, 0,255,0,255, "75,16", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,34, 0,255,0,255, "75,34", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,35, 0,255,0,255, "75,35", "0,255,0,255");-_assertPixel(offscreenCanvas, 75,36, 0,255,0,255, "75,36", "0,255,0,255");+_assertPixel(canvas, 25,14, 0,255,0,255, "25,14", "0,255,0,255");+_assertPixel(canvas, 25,15, 0,255,0,255, "25,15", "0,255,0,255");+_assertPixel(canvas, 25,16, 0,255,0,255, "25,16", "0,255,0,255");+_assertPixel(canvas, 25,34, 0,255,0,255, "25,34", "0,255,0,255");+_assertPixel(canvas, 25,35, 0,255,0,255, "25,35", "0,255,0,255");+_assertPixel(canvas, 25,36, 0,255,0,255, "25,36", "0,255,0,255");+_assertPixel(canvas, 75,14, 0,255,0,255, "75,14", "0,255,0,255");+_assertPixel(canvas, 75,15, 0,255,0,255, "75,15", "0,255,0,255");+_assertPixel(canvas, 75,16, 0,255,0,255, "75,16", "0,255,0,255");+_assertPixel(canvas, 75,34, 0,255,0,255, "75,34", "0,255,0,255");+_assertPixel(canvas, 75,35, 0,255,0,255, "75,35", "0,255,0,255");+_assertPixel(canvas, 75,36, 0,255,0,255, "75,36", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and updating the corresponding assertions to use the new variable name. Here's the analysis:
Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-18, 38-49]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 25,14, 0,255,0,255, "25,14", "0,255,0,255");
...
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 25,14, 0,255,0,255, "25,14", "0,255,0,255");
...
The changes are purely refactoring/renaming with no security implications. No known vulnerabilities are being addressed in this diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.object.crosscanvas.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.gradient.object.crosscanvas.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -24,7 +24,7 @@ g.addColorStop(1, '#0f0'); ctx.fillStyle = g; ctx.fillRect(0, 0, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming for better clarity. Here's the analysis:
Vulnerability Existed: no
Variable Renaming [File] [Lines 13-14, 24]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Vulnerability Existed: no
Variable Renaming [File] [Line 24]
[Old Code]
_assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
[Fixed Code]
_assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);
The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or clarity, without any security implications. No actual functionality or security-related behavior was modified.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-051.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-shapes/shape-outside/supported-shapes/ellipse/shape-outside-ellipse-051.html@@ -9,7 +9,6 @@ <link rel="author" title="Mozilla" href="http://www.mozilla.org/"> <link rel="help" href="https://drafts.csswg.org/css-shapes-1/#supported-basic-shapes"> <link rel="match" href="reference/shape-outside-ellipse-051-ref.html">- <meta name="flags" content=""> <meta name="assert" content="Test the boxes are wrapping around the right float shape defined by the basic shape ellipse(closest-side farthest-side at left 40px top 60px) border-box"> <style> .container {
Based on the provided diff content, I'll analyze it for potential security vulnerabilities: Vulnerability Existed: no No security vulnerability found [File] [Lines 9] [Old Code] <meta name="flags" content=""> [Fixed Code] (line removed) Additional Details: - The change simply removes an empty meta tag for "flags" which appears to be test-related metadata - No actual security-related changes were made in this diff - The modification is purely cosmetic/cleanup of test code - No security implications can be identified from this change Since this is just test file cleanup with no security impact, no vulnerability exists in this case. The change appears to be part of routine test maintenance rather than a security fix.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/deps.sh+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/deps.sh@@ -14,9 +14,10 @@ # Git revisions we use for the given submodules. Update these whenever you # update a git submodule. THIRD_PARTY_HIGHWAY="e69083a12a05caf037cabecdf1b248b7579705a5"-THIRD_PARTY_LODEPNG="8c6a9e30576f07bf470ad6f09458a2dcd7a6a84a" THIRD_PARTY_SKCMS="64374756e03700d649f897dbd98c95e78c30c7da" THIRD_PARTY_SJPEG="868ab558fad70fcbe8863ba4e85179eeb81cc840"+THIRD_PARTY_ZLIB="cacf7f1d4e3d44d871b605da3b647f07d718623f"+THIRD_PARTY_LIBPNG="a40189cf881e9f0db80511c382292a5604c3c3d1" # Download the target revision from GitHub. download_github() {@@ -70,10 +71,11 @@ # Sources downloaded from a tarball. download_github third_party/highway google/highway- download_github third_party/lodepng lvandeve/lodepng download_github third_party/sjpeg webmproject/sjpeg download_github third_party/skcms \ "https://skia.googlesource.com/skcms/+archive/"+ download_github third_party/zlib madler/zlib+ download_github third_party/libpng glennrp/libpng echo "Done." }
Based on the provided diff, I'll analyze the changes for potential security fixes: 1. Vulnerability Existed: not sure Dependency Update [File] third_party/jpeg-xl/deps.sh [Lines] 14-18 [Old Code] THIRD_PARTY_LODEPNG="8c6a9e30576f07bf470ad6f09458a2dcd7a6a84a" [Fixed Code] (Removed) THIRD_PARTY_ZLIB="cacf7f1d4e3d44d871b605da3b647f07d718623f" THIRD_PARTY_LIBPNG="a40189cf881e9f0db80511c382292a5604c3c3d1" 2. Vulnerability Existed: not sure Dependency Update [File] third_party/jpeg-xl/deps.sh [Lines] 70-75 [Old Code] download_github third_party/lodepng lvandeve/lodepng [Fixed Code] (Removed) download_github third_party/zlib madler/zlib download_github third_party/libpng glennrp/libpng The changes show: 1. Removal of lodepng dependency 2. Addition of zlib and libpng dependencies with specific commits While I can't identify specific vulnerabilities being fixed (no CVE references or security-related commit messages), dependency updates often include security fixes. The removal of lodepng might indicate it was replaced due to security concerns, but without more context, I can't be certain. Similarly, the addition of zlib and libpng with specific commit hashes might be addressing known vulnerabilities in older versions. Note: The changes could also be purely functional rather than security-related, but dependency updates in security-sensitive areas like image processing should always be reviewed for security implications.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/libwebrtcglue/MediaConduitInterface.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/libwebrtcglue/MediaConduitInterface.h@@ -114,6 +114,10 @@ } virtual Type type() const = 0;++ // Call thread only+ virtual Maybe<int> ActiveSendPayloadType() const = 0;+ virtual Maybe<int> ActiveRecvPayloadType() const = 0; // Whether transport is currently sending and receiving packets virtual void SetTransportActive(bool aActive) = 0;
After analyzing the provided code diff, here's the security assessment: Vulnerability Existed: not sure Potential Information Exposure [File] dom/media/webrtc/libwebrtcglue/MediaConduitInterface.h [Lines] 114-118 [Old Code] (virtual Type type() const = 0; with no following methods) [Fixed Code] (virtual Type type() const = 0; + // Call thread only + virtual Maybe<int> ActiveSendPayloadType() const = 0; + virtual Maybe<int> ActiveRecvPayloadType() const = 0;) Additional Details: The diff adds two new pure virtual methods that expose payload type information. While not clearly a vulnerability, exposing payload type information could potentially be used in fingerprinting or other information disclosure scenarios. The "Call thread only" comment suggests thread safety concerns, but without seeing the implementation, we can't determine if this could lead to race conditions. Note: This might be part of a larger security fix where payload type validation was added elsewhere, but we can't confirm that from this isolated diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsla-3.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsla-3.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120.0, 100.0%, 50.0%, 0.2)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51");+_assertPixel(canvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51"); t.done(); });
Based on the provided code diff, here's the analysis following the specified format:
Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.css-color-4-hsla-3.html [Lines 17-25]
[Old Code]
```javascript
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
// ...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51");
```
[Fixed Code]
```javascript
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
// ...
_assertPixel(canvas, 50,25, 0,255,0,51, "50,25", "0,255,0,51");
```
The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) with no security implications. The functionality remains the same, and there's no evidence of any security vulnerability being fixed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/ipc/SocketProcessParent.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/ipc/SocketProcessParent.cpp@@ -31,7 +31,6 @@ #include "nsIOService.h" #include "nsHttpHandler.h" #include "nsHttpConnectionInfo.h"-#include "PSMIPCCommon.h" #include "secerr.h" #ifdef MOZ_WEBRTC # include "mozilla/dom/ContentProcessManager.h"@@ -296,9 +295,9 @@ } mozilla::ipc::IPCResult SocketProcessParent::RecvInitBackground(- Endpoint<PBackgroundParent>&& aEndpoint) {+ Endpoint<PBackgroundStarterParent>&& aEndpoint) { LOG(("SocketProcessParent::RecvInitBackground\n"));- if (!ipc::BackgroundParent::Alloc(nullptr, std::move(aEndpoint))) {+ if (!ipc::BackgroundParent::AllocStarter(nullptr, std::move(aEndpoint))) { return IPC_FAIL(this, "BackgroundParent::Alloc failed"); }@@ -330,12 +329,7 @@ RefPtr<nsIX509Cert> clientCert; if (aClientCert) {- clientCert = nsNSSCertificate::ConstructFromDER(- BitwiseCast<char*, uint8_t*>(aClientCert->data().Elements()),- aClientCert->data().Length());- if (!clientCert) {- return IPC_OK();- }+ clientCert = new nsNSSCertificate(std::move(aClientCert->data())); } ClientAuthInfo info(aHostName, aOriginAttributes, aPort, aProviderFlags,
Here's the analysis of the provided code diff for security fixes:
1. First change (removed include):
Vulnerability Existed: not sure
[No specific vulnerability name] [netwerk/ipc/SocketProcessParent.cpp] [Lines 31-34]
[Old Code]
#include "PSMIPCCommon.h"
[Fixed Code]
[Removed]
2. Second change (RecvInitBackground):
Vulnerability Existed: yes
[Insecure IPC Endpoint] [netwerk/ipc/SocketProcessParent.cpp] [Lines 296-300]
[Old Code]
mozilla::ipc::IPCResult SocketProcessParent::RecvInitBackground(
Endpoint<PBackgroundParent>&& aEndpoint) {
LOG(("SocketProcessParent::RecvInitBackground\n"));
if (!ipc::BackgroundParent::Alloc(nullptr, std::move(aEndpoint))) {
[Fixed Code]
mozilla::ipc::IPCResult SocketProcessParent::RecvInitBackground(
Endpoint<PBackgroundStarterParent>&& aEndpoint) {
LOG(("SocketProcessParent::RecvInitBackground\n"));
if (!ipc::BackgroundParent::AllocStarter(nullptr, std::move(aEndpoint))) {
3. Third change (client cert handling):
Vulnerability Existed: yes
[Potential Memory Safety Issue] [netwerk/ipc/SocketProcessParent.cpp] [Lines 330-337]
[Old Code]
clientCert = nsNSSCertificate::ConstructFromDER(
BitwiseCast<char*, uint8_t*>(aClientCert->data().Elements()),
aClientCert->data().Length());
if (!clientCert) {
return IPC_OK();
}
[Fixed Code]
clientCert = new nsNSSCertificate(std::move(aClientCert->data()));
Key observations:
1. The PSMIPCCommon.h removal might be related to security, but without more context it's hard to tell.
2. The change from PBackgroundParent to PBackgroundStarterParent suggests a security improvement in the IPC endpoint handling.
3. The client certificate handling change eliminates a potentially unsafe BitwiseCast operation and simplifies the certificate construction, which could prevent memory safety issues.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/uriloader/exthandler/nsExternalHelperAppService.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/uriloader/exthandler/nsExternalHelperAppService.cpp@@ -15,6 +15,7 @@ #include "mozilla/dom/BrowserChild.h" #include "mozilla/dom/CanonicalBrowsingContext.h" #include "mozilla/dom/WindowGlobalParent.h"+#include "mozilla/RandomNum.h" #include "mozilla/StaticPrefs_security.h" #include "mozilla/StaticPtr.h" #include "nsXULAppAPI.h"@@ -63,6 +64,7 @@ #include "nsDSURIContentListener.h" #include "nsMimeTypes.h"+#include "nsMIMEInfoImpl.h" // used for header disposition information. #include "nsIHttpChannel.h" #include "nsIHttpChannelInternal.h"@@ -76,7 +78,6 @@ # include "nsILocalFileMac.h" #endif-#include "nsPluginHost.h" #include "nsEscape.h" #include "nsIStringBundle.h" // XXX needed to localize error msgs@@ -95,6 +96,8 @@ #include "nsXULAppAPI.h" #include "nsPIDOMWindow.h" #include "ExternalHelperAppChild.h"++#include "mozilla/dom/nsHTTPSOnlyUtils.h" #ifdef XP_WIN # include "nsWindowsHelpers.h"@@ -455,6 +458,39 @@ NS_ASSERTION(dir, "Somehow we didn't get a download directory!"); dir.forget(_directory);+ return NS_OK;+}++/**+ * Helper for random bytes for the filename of downloaded part files.+ */+nsresult GenerateRandomName(nsACString& result) {+ // We will request raw random bytes, and transform that to a base64 string,+ // using url-based base64 encoding so that all characters from the base64+ // result will be acceptable for filenames.+ // For each three bytes of random data, we will get four bytes of ASCII.+ // Request a bit more, to be safe, then truncate in the end.++ nsresult rv;+ const uint32_t wantedFileNameLength = 8;+ const uint32_t requiredBytesLength =+ static_cast<uint32_t>((wantedFileNameLength + 1) / 4 * 3);++ uint8_t buffer[requiredBytesLength];+ if (!mozilla::GenerateRandomBytesFromOS(buffer, requiredBytesLength)) {+ return NS_ERROR_FAILURE;+ }++ nsAutoCString tempLeafName;+ // We're forced to specify a padding policy, though this is guaranteed+ // not to need padding due to requiredBytesLength being a multiple of 3.+ rv = Base64URLEncode(requiredBytesLength, buffer,+ Base64URLEncodePaddingPolicy::Omit, tempLeafName);+ NS_ENSURE_SUCCESS(rv, rv);++ tempLeafName.Truncate(wantedFileNameLength);++ result.Assign(tempLeafName); return NS_OK; }@@ -1554,36 +1590,9 @@ // At this point, we do not have a filename for the temp file. For security // purposes, this cannot be predictable, so we must use a cryptographic // quality PRNG to generate one.- // We will request raw random bytes, and transform that to a base64 string,- // as all characters from the base64 set are acceptable for filenames. For- // each three bytes of random data, we will get four bytes of ASCII. Request- // a bit more, to be safe, and truncate to the length we want in the end.-- const uint32_t wantedFileNameLength = 8;- const uint32_t requiredBytesLength =- static_cast<uint32_t>((wantedFileNameLength + 1) / 4 * 3);-- nsCOMPtr<nsIRandomGenerator> rg =- do_GetService("@mozilla.org/security/random-generator;1", &rv);+ nsAutoCString tempLeafName;+ rv = GenerateRandomName(tempLeafName); NS_ENSURE_SUCCESS(rv, rv);-- uint8_t* buffer;- rv = rg->GenerateRandomBytes(requiredBytesLength, &buffer);- NS_ENSURE_SUCCESS(rv, rv);-- nsAutoCString tempLeafName;- nsDependentCSubstring randomData(reinterpret_cast<const char*>(buffer),- requiredBytesLength);- rv = Base64Encode(randomData, tempLeafName);- free(buffer);- buffer = nullptr;- NS_ENSURE_SUCCESS(rv, rv);-- tempLeafName.Truncate(wantedFileNameLength);-- // Base64 characters are alphanumeric (a-zA-Z0-9) and '+' and '/', so we need- // to replace illegal characters -- notably '/'- tempLeafName.ReplaceChar(KNOWN_PATH_SEPARATORS FILE_ILLEGAL_CHARACTERS, '_'); // now append our extension. nsAutoCString ext;@@ -1741,6 +1750,17 @@ // Now get the URI if (aChannel) { aChannel->GetURI(getter_AddRefs(mSourceUrl));+ // HTTPS-Only/HTTPS-FirstMode tries to upgrade connections to https. Once+ // the download is in progress we set that flag so that timeout counter+ // measures do not kick in.+ nsCOMPtr<nsILoadInfo> loadInfo = aChannel->LoadInfo();+ bool isPrivateWin = loadInfo->GetOriginAttributes().mPrivateBrowsingId > 0;+ if (nsHTTPSOnlyUtils::IsHttpsOnlyModeEnabled(isPrivateWin) ||+ nsHTTPSOnlyUtils::IsHttpsFirstModeEnabled(isPrivateWin)) {+ uint32_t httpsOnlyStatus = loadInfo->GetHttpsOnlyStatus();+ httpsOnlyStatus |= nsILoadInfo::HTTPS_ONLY_DOWNLOAD_IN_PROGRESS;+ loadInfo->SetHttpsOnlyStatus(httpsOnlyStatus);+ } } if (!mForceSave && StaticPrefs::browser_download_enable_spam_prevention() &&@@ -1940,6 +1960,33 @@ action != nsIMIMEInfo::useHelperApp && action != nsIMIMEInfo::useSystemDefault && !shouldAutomaticallyHandleInternally;+ }++ // If we're handling with the OS default and we are that default, force+ // asking, so we don't end up in an infinite loop:+ if (!alwaysAsk && action == nsIMIMEInfo::useSystemDefault) {+ bool areOSDefault = false;+ alwaysAsk = NS_SUCCEEDED(mMimeInfo->IsCurrentAppOSDefault(&areOSDefault)) &&+ areOSDefault;+ } else if (!alwaysAsk && action == nsIMIMEInfo::useHelperApp) {+ nsCOMPtr<nsIHandlerApp> preferredApp;+ mMimeInfo->GetPreferredApplicationHandler(getter_AddRefs(preferredApp));+ nsCOMPtr<nsILocalHandlerApp> handlerApp = do_QueryInterface(preferredApp);+ if (handlerApp) {+ nsCOMPtr<nsIFile> executable;+ handlerApp->GetExecutable(getter_AddRefs(executable));+ nsCOMPtr<nsIFile> ourselves;+ if (executable &&+ // Despite the name, this really just fetches an nsIFile...+ NS_SUCCEEDED(NS_GetSpecialDirectory(XRE_EXECUTABLE_FILE,+ getter_AddRefs(ourselves)))) {+ ourselves = nsMIMEInfoBase::GetCanonicalExecutable(ourselves);+ executable = nsMIMEInfoBase::GetCanonicalExecutable(executable);+ bool isSameApp = false;+ alwaysAsk =+ NS_FAILED(executable->Equals(ourselves, &isSameApp)) || isSameApp;+ }+ } } // if we were told that we _must_ save to disk without asking, all the stuff@@ -2711,22 +2758,59 @@ nsCOMPtr<nsIFile> movedFile; mFinalFileDestination->Clone(getter_AddRefs(movedFile)); if (movedFile) {- // Get the old leaf name and append .part to it- nsAutoString name;- mFinalFileDestination->GetLeafName(name);- name.AppendLiteral(".part");- movedFile->SetLeafName(name);-- rv = mSaver->SetTarget(movedFile, true);- if (NS_FAILED(rv)) {+ nsAutoCString randomChars;+ rv = GenerateRandomName(randomChars);+ if (NS_SUCCEEDED(rv)) {+ // Get the leaf name, strip any extensions, then+ // add random bytes, followed by the extensions and '.part'.+ nsAutoString leafName;+ mFinalFileDestination->GetLeafName(leafName);+ auto nameWithoutExtensionLength = leafName.FindChar('.');+ nsAutoString extensions(u"");+ if (nameWithoutExtensionLength == kNotFound) {+ nameWithoutExtensionLength = leafName.Length();+ } else {+ extensions = Substring(leafName, nameWithoutExtensionLength);+ }+ leafName.Truncate(nameWithoutExtensionLength);++ nsAutoString suffix = u"."_ns + NS_ConvertASCIItoUTF16(randomChars) ++ extensions + u".part"_ns;+#ifdef XP_WIN+ // Deal with MAX_PATH on Windows. Worth noting that the original+ // path for mFinalFileDestination must be valid for us to get+ // here: either SetDownloadToLaunch or the caller of+ // SaveDestinationAvailable has called CreateUnique or similar+ // to ensure both a unique name and one that isn't too long.+ // The only issue is we're making it longer to get the part+ // file path... nsAutoString path;- mTempFile->GetPath(path);- SendStatusChange(kWriteError, rv, nullptr, path);- Cancel(rv);- return NS_OK;- }-- mTempFile = movedFile;+ mFinalFileDestination->GetPath(path);+ CheckedInt<uint16_t> fullPathLength =+ CheckedInt<uint16_t>(path.Length()) + 1 + randomChars.Length() ++ ArrayLength(".part");+ if (!fullPathLength.isValid()) {+ leafName.Truncate();+ } else if (fullPathLength.value() > MAX_PATH) {+ int32_t leafNameRemaining =+ (int32_t)leafName.Length() - (fullPathLength.value() - MAX_PATH);+ leafName.Truncate(std::max(leafNameRemaining, 0));+ }+#endif+ leafName.Append(suffix);+ movedFile->SetLeafName(leafName);++ rv = mSaver->SetTarget(movedFile, true);+ if (NS_FAILED(rv)) {+ nsAutoString path;+ mTempFile->GetPath(path);+ SendStatusChange(kWriteError, rv, nullptr, path);+ Cancel(rv);+ return NS_OK;+ }++ mTempFile = movedFile;+ } } }
I'll analyze the code diff for security fixes following the specified format. 1. Vulnerability Existed: yes Insecure Temporary File Creation [uriloader/exthandler/nsExternalHelperAppService.cpp] [Lines 1554-1590] [Old Code] Used nsIRandomGenerator service to generate random bytes for temp filenames, then Base64 encoded them and replaced illegal characters. [Fixed Code] New GenerateRandomName() function uses mozilla::GenerateRandomBytesFromOS() directly and Base64URL encoding which is more secure and doesn't require character replacement. 2. Vulnerability Existed: yes HTTPS-Only Mode Bypass [uriloader/exthandler/nsExternalHelperAppService.cpp] [Lines 1741-1750] [Old Code] No handling of HTTPS-Only/HTTPS-First mode status during downloads. [Fixed Code] Added code to set HTTPS_ONLY_DOWNLOAD_IN_PROGRESS flag to prevent timeout countermeasures from kicking in during downloads. 3. Vulnerability Existed: yes Infinite Loop Vulnerability [uriloader/exthandler/nsExternalHelperAppService.cpp] [Lines 1940-1960] [Old Code] No check for system default handler being the current app, which could cause infinite loops. [Fixed Code] Added check to force "always ask" if the OS default handler is the current app. 4. Vulnerability Existed: yes Predictable Temporary Filenames [uriloader/exthandler/nsExternalHelperAppService.cpp] [Lines 2711-2758] [Old Code] Used simple .part extension for temporary files, making them predictable. [Fixed Code] Added random characters to temporary filenames and improved path length handling on Windows. 5. Vulnerability Existed: not sure Potential Information Leak [uriloader/exthandler/nsExternalHelperAppService.cpp] [Lines 1960-1990] [Old Code] No check for helper app being the same as current app. [Fixed Code] Added check to compare executable paths when using helper apps to prevent potential information leaks. Note: While some of these changes may not correspond to known CVE vulnerabilities, they all represent security improvements in the code that address potential security issues. The changes improve random number generation, HTTPS enforcement, prevent infinite loops, make temporary filenames unpredictable, and add additional security checks.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/system/tests/ioutils/test_ioutils_mkdir.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/system/tests/ioutils/test_ioutils_mkdir.html@@ -18,8 +18,7 @@ add_task(async function test_make_directory() { info("Test creating a new directory");- const tmpDir = await PathUtils.getTempDir();- const newDirectoryName = PathUtils.join(tmpDir, "test_ioutils_new_dir.tmp.d");+ const newDirectoryName = PathUtils.join(PathUtils.tempDir, "test_ioutils_new_dir.tmp.d"); await IOUtils.makeDirectory(newDirectoryName); ok( await IOUtils.exists(newDirectoryName),@@ -39,7 +38,7 @@ ) info("Test creating a nested directory");- const parentDirName = PathUtils.join(tmpDir, "test_ioutils_mkdir_parent.tmp.d");+ const parentDirName = PathUtils.join(PathUtils.tempDir, "test_ioutils_mkdir_parent.tmp.d"); const nestedDirName = PathUtils.join( parentDirName, "test_ioutils_mkdir_child.tmp.d"@@ -61,8 +60,7 @@ add_task(async function test_make_directory_failure() { info("Try to create a directory where a file already exists");- const tmpDir = await PathUtils.getTempDir();- const notADirFileName = PathUtils.join(tmpDir, "test_ioutils_not_a_dir.tmp");+ const notADirFileName = PathUtils.join(PathUtils.tempDir, "test_ioutils_not_a_dir.tmp"); await createFile(notADirFileName); await Assert.rejects(@@ -88,8 +86,7 @@ return; }- const tmpDir = await PathUtils.getTempDir();- const newDir = PathUtils.join(tmpDir, "test_ioutils_mkdir_perms.tmp.d");+ const newDir = PathUtils.join(PathUtils.tempDir, "test_ioutils_mkdir_perms.tmp.d"); ok(!await IOUtils.exists(newDir), "Directory does not exist before creation"); await IOUtils.makeDirectory(newDir, { permissions: 0o751 });
Analyzing the provided code diff, here are the potential security vulnerabilities: 1. Vulnerability Existed: no No specific vulnerability [dom/system/tests/ioutils/test_ioutils_mkdir.html] [Lines 18-60] Old Code: const tmpDir = await PathUtils.getTempDir(); Fixed Code: Using PathUtils.tempDir directly Note: This appears to be a code simplification rather than a security fix. The change replaces an async call to getTempDir() with a direct property access to tempDir, which is likely more efficient but doesn't address any security vulnerability. 2. Vulnerability Existed: no No specific vulnerability [dom/system/tests/ioutils/test_ioutils_mkdir.html] [Lines 61-86] Old Code: const tmpDir = await PathUtils.getTempDir(); Fixed Code: Using PathUtils.tempDir directly Note: Similar to the first case, this is a code simplification in the test failure cases, not a security fix. The changes appear to be primarily refactoring to use PathUtils.tempDir directly instead of getting it asynchronously via getTempDir(). There's no indication of any security vulnerabilities being fixed in this diff. The changes are likely for performance or code consistency rather than security.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.letterSpacing, '0px', "ctx.letterSpacing", "'0px'"); _assertSame(ctx.wordSpacing, '0px', "ctx.wordSpacing", "'0px'");@@ -31,6 +31,11 @@ ctx.wordSpacing = '-1px'; _assertSame(ctx.letterSpacing, '-1px', "ctx.letterSpacing", "'-1px'"); _assertSame(ctx.wordSpacing, '-1px', "ctx.wordSpacing", "'-1px'");++ctx.letterSpacing = '1PX';+ctx.wordSpacing = '1EM';+_assertSame(ctx.letterSpacing, '1px', "ctx.letterSpacing", "'1px'");+_assertSame(ctx.wordSpacing, '1em', "ctx.wordSpacing", "'1em'"); t.done(); });
After analyzing the provided code diff, here's the security analysis following the requested format:
Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.worker.js
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Vulnerability Existed: no
No specific vulnerability found [File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.spacing.worker.js
[Old Code]
(no corresponding old code for new test cases)
[Fixed Code]
ctx.letterSpacing = '1PX';
ctx.wordSpacing = '1EM';
_assertSame(ctx.letterSpacing, '1px', "ctx.letterSpacing", "'1px'");
_assertSame(ctx.wordSpacing, '1em', "ctx.wordSpacing", "'1em'");
The changes appear to be:
1. A variable name change from `offscreenCanvas` to `canvas` (cosmetic/consistency change)
2. Addition of new test cases for case sensitivity in spacing values (feature testing)
No security vulnerabilities were identified in these changes. The modifications appear to be either cosmetic or adding test coverage for case sensitivity in CSS unit values.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/generic/nsImageFrame.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/generic/nsImageFrame.h@@ -158,8 +158,6 @@ const mozilla::layers::StackingContextHelper&, mozilla::layers::RenderRootStateManager*, nsDisplayListBuilder*, nsPoint aPt, uint32_t aFlags);-- nsRect GetInnerArea() const; /** * Return a map element associated with this image.@@ -236,7 +234,10 @@ bool IsServerImageMap();- void TranslateEventCoords(const nsPoint& aPoint, nsIntPoint& aResult);+ // Translate a point that is relative to our frame into a localized CSS pixel+ // coordinate that is relative to the content area of this frame (inside the+ // border+padding).+ mozilla::CSSIntPoint TranslateEventCoords(const nsPoint& aPoint); bool GetAnchorHREFTargetAndNode(nsIURI** aHref, nsString& aTarget, nsIContent** aNode);@@ -372,7 +373,11 @@ nsCOMPtr<imgIContainer> mImage; nsCOMPtr<imgIContainer> mPrevImage;++ // The content-box size as if we are not fragmented, cached in the most recent+ // reflow. nsSize mComputedSize;+ mozilla::IntrinsicSize mIntrinsicSize; // Stores mImage's intrinsic ratio, or a default AspectRatio if there's no@@ -477,9 +482,7 @@ nsRect GetBounds(bool* aSnap) const { *aSnap = true;-- nsImageFrame* imageFrame = static_cast<nsImageFrame*>(mFrame);- return imageFrame->GetInnerArea() + ToReferenceFrame();+ return Frame()->GetContentRectRelativeToSelf() + ToReferenceFrame(); } nsRect GetBounds(nsDisplayListBuilder*, bool* aSnap) const final {
Analyzing the provided code diff, here are the potential security vulnerabilities:
1. Vulnerability Existed: not sure
[Potential Information Leak or Incorrect Coordinate Translation] [layout/generic/nsImageFrame.h] [Lines 236]
[Old Code]
void TranslateEventCoords(const nsPoint& aPoint, nsIntPoint& aResult);
[Fixed Code]
mozilla::CSSIntPoint TranslateEventCoords(const nsPoint& aPoint);
2. Vulnerability Existed: not sure
[Potential Bounds Calculation Vulnerability] [layout/generic/nsImageFrame.h] [Lines 477-482]
[Old Code]
nsRect GetBounds(bool* aSnap) const {
*aSnap = true;
nsImageFrame* imageFrame = static_cast<nsImageFrame*>(mFrame);
return imageFrame->GetInnerArea() + ToReferenceFrame();
}
[Fixed Code]
nsRect GetBounds(bool* aSnap) const {
*aSnap = true;
return Frame()->GetContentRectRelativeToSelf() + ToReferenceFrame();
}
The changes appear to be related to coordinate translation and bounds calculation, but without more context about how these functions are used, it's difficult to determine if they were actual security vulnerabilities. The modifications suggest improvements in precision (switching to CSSIntPoint) and simplification of bounds calculation (removing the GetInnerArea() method and using GetContentRectRelativeToSelf() instead), which could potentially address security issues related to incorrect coordinate handling or bounds calculations.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.