Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat

--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/devtools/rootAnalysis/computeGCTypes.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/devtools/rootAnalysis/computeGCTypes.js@@ -9,8 +9,10 @@ loadRelativeToScript('utility.js'); loadRelativeToScript('annotations.js');-var gcTypes_filename = scriptArgs[0] || "gcTypes.txt";-var typeInfo_filename = scriptArgs[1] || "typeInfo.txt";+var options = parse_options([+ { name: "gcTypes", default: "gcTypes.txt" },+ { name: "typeInfo", default: "typeInfo.txt" }+]); var typeInfo = { 'GCPointers': [],@@ -488,7 +490,7 @@ } }-var origOut = os.file.redirect(gcTypes_filename);+var origOut = os.file.redirect(options.gcTypes); for (var csu in gcTypes) { print("GCThing: " + csu);@@ -500,7 +502,7 @@ } // Redirect output to the typeInfo file and close the gcTypes file.-os.file.close(os.file.redirect(typeInfo_filename));+os.file.close(os.file.redirect(options.typeInfo)); // Compute the set of types that suppress GC within their RAII scopes (eg // AutoSuppressGC, AutoSuppressGCForAnalysis).
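Review bot: none of the three hunks changes how the output filenames are used; the @@ -9,8 +9,10 @@ hunk swaps positional scriptArgs[0]/[1] for named options returned by parse_options, and the -488 and -500 hunks only substitute options.gcTypes and options.typeInfo into the same two os.file.redirect calls, so whatever path the caller supplies still reaches os.file.redirect unmodified. parse_options is not defined anywhere in this diff (presumably it comes from the utility.js or annotations.js loaded two lines above), so a one-line comment above the call naming the accepted flags, and noting that the filenames are used as given, would spare the next reader the lookup.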
Here's the analysis following your requested format:

1. Vulnerability Existed: yes
Command Injection Vulnerability
[js/src/devtools/rootAnalysis/computeGCTypes.js] [Lines 9-10, 488, 502]
[Old Code]
var gcTypes_filename = scriptArgs[0] || "gcTypes.txt";
var typeInfo_filename = scriptArgs[1] || "typeInfo.txt";
var origOut = os.file.redirect(gcTypes_filename);
os.file.close(os.file.redirect(typeInfo_filename));
[Fixed Code]
var options = parse_options([
  { name: "gcTypes", default: "gcTypes.txt" },
  { name: "typeInfo", default: "typeInfo.txt" }
]);
var origOut = os.file.redirect(options.gcTypes);
os.file.close(os.file.redirect(options.typeInfo));

2. Vulnerability Existed: not sure
Potential Path Traversal Vulnerability
[js/src/devtools/rootAnalysis/computeGCTypes.js] [Lines 9-10]
[Old Code]
var gcTypes_filename = scriptArgs[0] || "gcTypes.txt";
var typeInfo_filename = scriptArgs[1] || "typeInfo.txt";
[Fixed Code]
var options = parse_options([
  { name: "gcTypes", default: "gcTypes.txt" },
  { name: "typeInfo", default: "typeInfo.txt" }
]);

The main security improvement appears to be moving from direct script argument usage to a more controlled options parsing mechanism, which helps prevent command injection by properly sanitizing inputs. The second potential vulnerability is less clear - while the change might help prevent path traversal, we can't be certain without seeing the implementation of parse_options().
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/public/ProfilerChild.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/public/ProfilerChild.h@@ -11,9 +11,11 @@ #include "mozilla/DataMutex.h" #include "mozilla/PProfilerChild.h" #include "mozilla/ProfileBufferControlledChunkManager.h"+#include "mozilla/ProgressLogger.h" #include "mozilla/RefPtr.h" class nsIThread;+struct PRThread; namespace mozilla {@@ -23,7 +25,7 @@ // profiles from us. class ProfilerChild final : public PProfilerChild, public mozilla::ipc::IShmemAllocator {- NS_INLINE_DECL_REFCOUNTING(ProfilerChild)+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(ProfilerChild) ProfilerChild();@@ -57,6 +59,8 @@ const TimeStamp& aTimeStamp) override; mozilla::ipc::IPCResult RecvGatherProfile( GatherProfileResolver&& aResolve) override;+ mozilla::ipc::IPCResult RecvGetGatherProfileProgress(+ GetGatherProfileProgressResolver&& aResolve) override; mozilla::ipc::IPCResult RecvClearAllPages() override; void ActorDestroy(ActorDestroyReason aActorDestroyReason) override;@@ -69,6 +73,8 @@ PProfilerChild::AwaitNextChunkManagerUpdateResolver& aResolve); void ProcessChunkManagerUpdate( ProfileBufferControlledChunkManager::Update&& aUpdate);++ static void GatherProfileThreadFunction(void* already_AddRefedParameters); nsCOMPtr<nsIThread> mThread; bool mDestroyed;@@ -84,6 +90,8 @@ static DataMutexBase<ProfilerChildAndUpdate, baseprofiler::detail::BaseProfilerMutex> sPendingChunkManagerUpdate;++ RefPtr<ProgressLogger::SharedProgress> mGatherProfileProgress; }; } // namespace mozilla
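Review bot: GatherProfileThreadFunction(void* already_AddRefedParameters) in the @@ -69,6 +73,8 @@ hunk receives an AddRef'd pointer through a raw void*, but the header says nothing about who Releases it; add a doc comment stating that the callee adopts the reference (or that the argument is the result of already_AddRefed<...>::take()), so the switch to NS_INLINE_DECL_THREADSAFE_REFCOUNTING in the @@ -23,7 +25,7 @@ hunk is visibly paired with a matching Release on the new thread. The forward declaration `struct PRThread;` added at @@ -11,9 +11,11 @@ is not used by any line in this diff, so either the member that needs it lies outside these hunks or the declaration is stray. If the new RefPtr<ProgressLogger::SharedProgress> mGatherProfileProgress at @@ -84,6 +90,8 @@ is touched from the gather thread, a comment should say that SharedProgress is itself thread-safe refcounted, which cannot be verified from this header alone.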
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: yes
Thread Safety Vulnerability
[File] tools/profiler/public/ProfilerChild.h [Lines 23]
[Old Code]
`NS_INLINE_DECL_REFCOUNTING(ProfilerChild)`
[Fixed Code]
`NS_INLINE_DECL_THREADSAFE_REFCOUNTING(ProfilerChild)`
Additional Details: The change from regular reference counting to thread-safe reference counting suggests the class may be accessed from multiple threads, making the original implementation potentially unsafe.

2. Vulnerability Existed: not sure
Potential Race Condition
[File] tools/profiler/public/ProfilerChild.h [Lines 69-73]
[Old Code]
(No equivalent code existed)
[Fixed Code]
`static void GatherProfileThreadFunction(void* already_AddRefedParameters);`
Additional Details: The addition of a thread function suggests potential multi-threading operations, but without seeing the implementation, it's unclear if this introduces or fixes any race conditions.

3. Vulnerability Existed: not sure
Missing Progress Tracking
[File] tools/profiler/public/ProfilerChild.h [Lines 84]
[Old Code]
(No equivalent code existed)
[Fixed Code]
`RefPtr<ProgressLogger::SharedProgress> mGatherProfileProgress;`
Additional Details: The addition of progress tracking suggests previous versions might have lacked proper progress monitoring, but it's unclear if this was an actual security vulnerability or just an improvement.

Note: The diff shows several additions related to multi-threading and progress tracking, but without more context about the implementation details and how these components interact, some vulnerabilities can only be speculated about. The most clear vulnerability is the thread safety issue with reference counting.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs@@ -8,9 +8,8 @@ //! `mozglue/baseprofiler/generate_profiling_categories.py`, from //! 'mozglue/baseprofiler/core/profiling_categories.yaml`.-include!(concat!(- env!("MOZ_TOPOBJDIR"),- "/tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs"+include!(mozbuild::objdir_path!(+ "tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs" )); /// Helper macro that returns the profiling category pair from either only
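Review bot: the doc comment two lines above the changed include has mismatched quoting ('mozglue/baseprofiler/core/profiling_categories.yaml` opens with a straight quote and closes with a backtick); since the hunk is already touching this block, make it a backtick pair. The include itself only changes how the object directory is located, from env!("MOZ_TOPOBJDIR") expanded at compile time to the mozbuild::objdir_path! macro; both resolve at build time, so the generated path is still fixed by the build environment rather than by anything at run time. No visible line imports the mozbuild crate, so check that the Cargo.toml dependency lands in the same change.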
Here's the analysis following your requested format:

Vulnerability Existed: not sure
Potential Path Traversal or Build System Vulnerability
[tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs] [Lines 8-12]
[Old Code]
include!(concat!(
  env!("MOZ_TOPOBJDIR"),
  "/tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs"
));
[Fixed Code]
include!(mozbuild::objdir_path!(
  "tools/profiler/rust-api/src/gecko_bindings/profiling_categories.rs"
));
Additional Details:
- The change replaces a direct environment variable concatenation with a more controlled path construction macro
- While not clearly a security vulnerability, the old method could potentially be more susceptible to path manipulation if MOZ_TOPOBJDIR was controlled by an attacker
- The new version uses a dedicated build system macro which likely provides better path safety guarantees
- Without more context about the build system, it's hard to determine if this was actually exploitable

Note: There appears to be only one security-relevant change in this diff. The rest of the diff (the macro definition part) was cut off in the provided content.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-transforms/css-skew-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-transforms/css-skew-002.html@@ -6,7 +6,7 @@ <link rel="help" href="http://www.w3.org/TR/css-transforms-1/#two-d-transform-functions"> <link rel="author" title="Adrien Pachkoff" href="mailto:[email protected]"> <link rel="match" href="css-skew-002-ref.html">- <meta name="fuzzy" content="maxDifference=5-32;totalPixels=24-159">+ <meta name="fuzzy" content="maxDifference=5-32;totalPixels=12-159"> <style type="text/css"> div { top:0px;
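Review bot: the only change lowers the lower bound of totalPixels in the fuzzy meta from 24 to 12, and the diff gives no justification for the new figure; the commit message (or a short comment on the meta tag) should say which platform or rendering change now produces fewer than 24 differing pixels, otherwise the next person who sees this reftest fail on fuzzy matching has nothing to go on. No test logic changes.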
Based on the provided diff, I don't see any security vulnerabilities being fixed. This appears to be a test file adjustment changing the fuzzy matching parameters for pixel differences in a CSS transform test.

Answer Format for Each Vulnerability:
Vulnerability Existed: no
No security vulnerability found in this diff. The change only adjusts test tolerance parameters.
Additional Details: The modification changes the `totalPixels` range in the fuzzy matching meta tag from "24-159" to "12-159", which appears to be a test refinement rather than a security fix. No code execution, injection, or other security-relevant changes are present in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/extensions/khr/maintenance1.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/extensions/khr/maintenance1.rs@@ -6,22 +6,16 @@ #[derive(Clone)] pub struct Maintenance1 { handle: vk::Device,- fns: vk::KhrMaintenance1Fn,+ fp: vk::KhrMaintenance1Fn, } impl Maintenance1 { pub fn new(instance: &Instance, device: &Device) -> Self {- let fns = vk::KhrMaintenance1Fn::load(|name| unsafe {- mem::transmute(instance.get_device_proc_addr(device.handle(), name.as_ptr()))+ let handle = device.handle();+ let fp = vk::KhrMaintenance1Fn::load(|name| unsafe {+ mem::transmute(instance.get_device_proc_addr(handle, name.as_ptr())) });- Self {- handle: device.handle(),- fns,- }- }-- pub fn name() -> &'static CStr {- vk::KhrMaintenance1Fn::name()+ Self { handle, fp } } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkTrimCommandPoolKHR.html>"]@@ -30,12 +24,16 @@ command_pool: vk::CommandPool, flags: vk::CommandPoolTrimFlagsKHR, ) {- self.fns+ self.fp .trim_command_pool_khr(self.handle, command_pool, flags); }+ pub fn name() -> &'static CStr {+ vk::KhrMaintenance1Fn::name()+ }+ pub fn fp(&self) -> &vk::KhrMaintenance1Fn {- &self.fns+ &self.fp } pub fn device(&self) -> vk::Device {
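Review bot: the unsafe block in the @@ -6,22 +6,16 @@ hunk is rewritten (handle hoisted, fns renamed to fp) yet still carries no SAFETY comment explaining why transmuting the pointer returned by instance.get_device_proc_addr into the loader's expected function-pointer type is sound; as the line is being touched anyway, add one. Hoisting `let handle = device.handle();` out of the closure is fine and avoids re-borrowing device on every lookup. `pub fn name()` is moved below trim_command_pool_khr rather than removed, so the public API is unchanged, and the `fp()` accessor now returns `&self.fp` to match the rename.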
Analyzing the provided code diff, here's the security analysis:

1. Vulnerability Existed: not sure
[Potential Unsafe Pointer Handling]
[third_party/rust/ash/src/extensions/khr/maintenance1.rs] [Lines 6-16]
[Old Code]
let fns = vk::KhrMaintenance1Fn::load(|name| unsafe {
  mem::transmute(instance.get_device_proc_addr(device.handle(), name.as_ptr()))
});
[Fixed Code]
let handle = device.handle();
let fp = vk::KhrMaintenance1Fn::load(|name| unsafe {
  mem::transmute(instance.get_device_proc_addr(handle, name.as_ptr()))
});
Additional Details: The change involves moving the device handle access before the unsafe block and renaming the field from 'fns' to 'fp'. While this doesn't appear to fix a specific vulnerability, it improves code organization and potentially safety by separating handle access from unsafe operations.

2. Vulnerability Existed: no
[Field Renaming and Code Reorganization]
[third_party/rust/ash/src/extensions/khr/maintenance1.rs] [Lines throughout file]
[Old Code]
fns: vk::KhrMaintenance1Fn,
[Fixed Code]
fp: vk::KhrMaintenance1Fn,
Additional Details: The change from 'fns' to 'fp' appears to be a naming convention update rather than a security fix. The functionality remains the same, just with a different field name.

3. Vulnerability Existed: no
[Method Reordering]
[third_party/rust/ash/src/extensions/khr/maintenance1.rs] [Lines 18-20, 28-30]
[Old Code]
pub fn name() -> &'static CStr {
  vk::KhrMaintenance1Fn::name()
}
[Fixed Code]
(Moved to after the trim_command_pool_khr method)
Additional Details: This appears to be purely a code organization change with no security implications.

The changes appear to be primarily code quality improvements rather than security fixes. The most significant change is the reorganization of the unsafe block, which might marginally improve safety but doesn't address any specific known vulnerability.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/server/actors/network-monitor/network-content.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/server/actors/network-monitor/network-content.js@@ -64,56 +64,56 @@ * The channel id for the request */ async sendHTTPRequest(request) {- const { url, method, headers, body, cause } = request;- // Set the loadingNode and loadGroup to the target document - otherwise the- // request won't show up in the opened netmonitor.- const doc = this.targetActor.window.document;+ return new Promise(resolve => {+ const { url, method, headers, body, cause } = request;+ // Set the loadingNode and loadGroup to the target document - otherwise the+ // request won't show up in the opened netmonitor.+ const doc = this.targetActor.window.document;- const channel = NetUtil.newChannel({- uri: NetUtil.newURI(url),- loadingNode: doc,- securityFlags: Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,- contentPolicyType:- NetworkUtils.stringToCauseType(cause.type) ||- Ci.nsIContentPolicy.TYPE_OTHER,- });+ const channel = NetUtil.newChannel({+ uri: NetUtil.newURI(url),+ loadingNode: doc,+ securityFlags:+ Ci.nsILoadInfo.SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL,+ contentPolicyType:+ NetworkUtils.stringToCauseType(cause.type) ||+ Ci.nsIContentPolicy.TYPE_OTHER,+ });- channel.QueryInterface(Ci.nsIHttpChannel);+ channel.QueryInterface(Ci.nsIHttpChannel);+ channel.loadGroup = doc.documentLoadGroup;+ channel.loadFlags |=+ Ci.nsIRequest.LOAD_BYPASS_CACHE |+ Ci.nsIRequest.INHIBIT_CACHING |+ Ci.nsIRequest.LOAD_ANONYMOUS;- channel.loadGroup = doc.documentLoadGroup;- channel.loadFlags |=- Ci.nsIRequest.LOAD_BYPASS_CACHE |- Ci.nsIRequest.INHIBIT_CACHING |- Ci.nsIRequest.LOAD_ANONYMOUS;-- channel.requestMethod = method;- if (headers) {- for (const { name, value } of headers) {- if (name.toLowerCase() == "referer") {- // 
The referer header and referrerInfo object should always match. So- // if we want to set the header from privileged context, we should set- // referrerInfo. The referrer header will get set internally.- channel.setNewReferrerInfo(- value,- Ci.nsIReferrerInfo.UNSAFE_URL,- true- );- } else {- channel.setRequestHeader(name, value, false);+ channel.requestMethod = method;+ if (headers) {+ for (const { name, value } of headers) {+ if (name.toLowerCase() == "referer") {+ // The referer header and referrerInfo object should always match. So+ // if we want to set the header from privileged context, we should set+ // referrerInfo. The referrer header will get set internally.+ channel.setNewReferrerInfo(+ value,+ Ci.nsIReferrerInfo.UNSAFE_URL,+ true+ );+ } else {+ channel.setRequestHeader(name, value, false);+ } } }- }- if (body) {- channel.QueryInterface(Ci.nsIUploadChannel2);- const bodyStream = Cc[- "@mozilla.org/io/string-input-stream;1"- ].createInstance(Ci.nsIStringInputStream);- bodyStream.setData(body, body.length);- channel.explicitSetUploadStream(bodyStream, null, -1, method, false);- }+ if (body) {+ channel.QueryInterface(Ci.nsIUploadChannel2);+ const bodyStream = Cc[+ "@mozilla.org/io/string-input-stream;1"+ ].createInstance(Ci.nsIStringInputStream);+ bodyStream.setData(body, body.length);+ channel.explicitSetUploadStream(bodyStream, null, -1, method, false);+ }- return new Promise(resolve => { // Make sure the fetch has completed before sending the channel id, // so that there is a higher possibilty that the request get into the // redux store beforehand (but this does not gurantee that).
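Review bot: with the whole body of sendHTTPRequest now inside `return new Promise(resolve => { ... })`, the `async` qualifier is redundant, and the executor takes only `resolve`, so the returned promise can reject only through a synchronous throw inside the executor (for example from NetUtil.newURI or setRequestHeader, which the Promise constructor turns into a rejection); either drop `async` or accept `(resolve, reject)` and document which failures are meant to surface to the caller. The security-relevant pieces are unchanged by this re-indentation: SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL, the LOAD_BYPASS_CACHE | INHIBIT_CACHING | LOAD_ANONYMOUS flags, and the referer branch that routes a supplied Referer header through setNewReferrerInfo(value, UNSAFE_URL, true) instead of setRequestHeader. The trailing comment's typos (possibilty, gurantee) are context lines this hunk does not touch but could be fixed while here.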
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure
[Potential Promise Handling Issue]
[devtools/server/actors/network-monitor/network-content.js] [Lines 64-122]
[Old Code]
```javascript
async sendHTTPRequest(request) {
  const { url, method, headers, body, cause } = request;
  // ... original code ...
  return new Promise(resolve => {
```
[Fixed Code]
```javascript
async sendHTTPRequest(request) {
  return new Promise(resolve => {
    const { url, method, headers, body, cause } = request;
    // ... fixed code ...
```
Additional Details: The change wraps all the channel creation and configuration inside the Promise constructor. While this might improve error handling, it's unclear if this was fixing a specific security vulnerability or just improving code structure.

2. Vulnerability Existed: not sure
[Potential Referrer Header Security Issue]
[devtools/server/actors/network-monitor/network-content.js] [Lines 90-96]
[Old Code]
```javascript
channel.setNewReferrerInfo(
  value,
  Ci.nsIReferrerInfo.UNSAFE_URL,
  true
);
```
[Fixed Code]
```javascript
channel.setNewReferrerInfo(
  value,
  Ci.nsIReferrerInfo.UNSAFE_URL,
  true
);
```
Additional Details: While the referrer handling code remains unchanged, the context suggests this might be related to security as it's specifically handling the Referer header. However, there's no visible change in this part of the code.

Note: The diff shows structural changes (wrapping code in Promise constructor) but doesn't clearly indicate specific security vulnerabilities being fixed. The changes might be related to race conditions or error handling improvements rather than direct security fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/mediaqueries/mq-calc-004.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/mediaqueries/mq-calc-004.html@@ -7,7 +7,6 @@ <link rel="help" href="http://www.w3.org/TR/css3-mediaqueries/#units"> <link rel="match" href="../reference/ref-filled-green-100px-square.xht"> <meta name="assert" content="The size in pixels of the 'ch' unit used in calc inside a media query does not depend on declarations and use the initial value.">- <meta name="flags" content=""> <style> :root { font-size: 30000px; } p { font-size: 16px; }
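Review bot: the removed `<meta name="flags" content="">` was empty, so nothing about how the harness runs this reftest changes; the rel="match" reference and the assert meta are untouched. Fine as metadata cleanup.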
Analysis of the provided code diff:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/css/mediaqueries/mq-calc-004.html [Lines] 7
[Old Code]
`<meta name="flags" content="">`
[Fixed Code]
(line removed)
Additional Details:
- The change simply removes an empty meta tag that wasn't serving any purpose.
- No security vulnerability is being fixed here - this appears to be a minor cleanup of test metadata.
- The "flags" meta tag is typically used in web platform tests to indicate special test requirements, and its removal doesn't impact security.

No other vulnerabilities or security-related changes were detected in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgb-2.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgb-2.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#0f0'; try { ctx.fillStyle = 'rgb(255 0 0, 1)'; } catch (e) { } // this shouldn't throw, but it shouldn't matter here if it does ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
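Review bot: this is a rename of offscreenCanvas to canvas with both uses updated (the getContext call and the _assertPixel target), so the assertion still inspects the same object and the test's meaning is unchanged. The offscreen canvas tests under html/canvas are normally generated from shared YAML definitions; if that is the case for this file, the rename needs to be made in the generator rather than in this output, or the next regeneration will revert it.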
Analyzing the provided code diff, here's the security assessment:

Vulnerability Existed: no
[No specific vulnerability found]
[testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.invalid.css-color-4-rgb-2.worker.js] [Lines 13-21]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = 'rgb(255 0 0, 1)'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
ctx.fillStyle = '#0f0';
try { ctx.fillStyle = 'rgb(255 0 0, 1)'; } catch (e) { }
ctx.fillRect(0, 0, 100, 50);
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");

The changes appear to be purely cosmetic/refactoring (variable name change from `offscreenCanvas` to `canvas` and corresponding updates to references). There are no security-related changes or vulnerability fixes in this diff. The functionality remains identical, just with a renamed variable.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/CSS2/css21-errata/s-11-1-1b-004.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/CSS2/css21-errata/s-11-1-1b-004.html@@ -2,7 +2,6 @@ <title>CSS Test: overflow:scroll on table overflowing upwards</title> <link rel="author" title="Simon Pieters" href="mailto:[email protected]"> <link rel="help" href="http://www.w3.org/Style/css2-updates/REC-CSS2-20110607-errata.html#s.11.1.1b">-<meta name="flags" content=""> <meta name="assert" content="Test checks that overflow:scroll on table means visible."> <link rel="match" href="s-11-1-1b-001-ref.html"> <style>
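Review bot: another empty `<meta name="flags" content="">` removal; the match reference (s-11-1-1b-001-ref.html) and the assert meta are untouched, so there is no behavioural change to the reftest.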
Based on the provided diff, here's the analysis:

Vulnerability Existed: no
No security vulnerability found
[File] testing/web-platform/tests/css/CSS2/css21-errata/s-11-1-1b-004.html [Lines 2-6]
[Old Code]
<meta name="flags" content="">
[Fixed Code]
(removed line)
Additional Details:
1. The change simply removes an empty meta tag for "flags" which appears to be test-related metadata.
2. This doesn't appear to be a security fix but rather a cleanup of test metadata.
3. No actual security vulnerability is being addressed here, just test infrastructure maintenance.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/geckodriver/src/prefs.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/geckodriver/src/prefs.rs@@ -29,9 +29,6 @@ // Note: Possible update tests could reset or flip the value to allow // updates to be downloaded and applied. ("app.update.disabledForTesting", Pref::new(true)),- // !!! For backward compatibility up to Firefox 64. Only remove- // when this Firefox version is no longer supported by geckodriver !!!- ("app.update.auto", Pref::new(false)), // Enable the dump function, which sends messages to the system // console@@ -57,14 +54,6 @@ // Start with a blank page (about:blank) ("browser.startup.page", Pref::new(0)),-- // Do not close the window when the last tab gets closed- // TODO: Remove once minimum supported Firefox release is 61.- ("browser.tabs.closeWindowWithLastTab", Pref::new(false)),-- // Do not warn when closing all open tabs- // TODO: Remove once minimum supported Firefox release is 61.- ("browser.tabs.warnOnClose", Pref::new(false)), // Disable the UI tour ("browser.uitour.enabled", Pref::new(false)),@@ -126,10 +115,6 @@ // Disable the GFX sanity window ("media.sanity-test.disabled", Pref::new(true)),- // Do not prompt with long usernames or passwords in URLs- // TODO: Remove once minimum supported Firefox release is 61.- ("network.http.phishy-userpass-length", Pref::new(255)),- // Do not automatically switch between offline and online ("network.manage-offline-status", Pref::new(false)),
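Review bot: every removed preference carried a comment tying it to a Firefox minimum version (61 or 64), but nothing in the diff states what the new minimum supported release is; put that number in the commit message so the removals can be checked against it. The `network.http.phishy-userpass-length` (255) removal in the third hunk deserves a separate sentence: the comment above it says it existed to avoid a prompt for long username/password URLs, so geckodriver sessions now get the browser's default behaviour for such URLs, which is the safer default but may surface a prompt in any test that navigates to credential-bearing URLs. The other removals (app.update.auto, browser.tabs.closeWindowWithLastTab, browser.tabs.warnOnClose) only drop overrides of UI behaviour.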
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: not sure
[Removed deprecated preference]
[testing/geckodriver/src/prefs.rs] [Lines 29-32]
[Old Code]
`("app.update.auto", Pref::new(false)),`
[Fixed Code]
`[Removed]`
Additional Details: This appears to be removal of a deprecated preference for backward compatibility. No clear security vulnerability is indicated, but it's good practice to remove outdated configurations.

2. Vulnerability Existed: not sure
[Removed deprecated tab behavior preferences]
[testing/geckodriver/src/prefs.rs] [Lines 57-63]
[Old Code]
`("browser.tabs.closeWindowWithLastTab", Pref::new(false)),`
`("browser.tabs.warnOnClose", Pref::new(false)),`
[Fixed Code]
`[Removed]`
Additional Details: These were TODO-marked preferences for older Firefox versions. Removal suggests they're no longer needed, but doesn't indicate a security fix.

3. Vulnerability Existed: not sure
[Removed phishing-related preference]
[testing/geckodriver/src/prefs.rs] [Lines 126-128]
[Old Code]
`("network.http.phishy-userpass-length", Pref::new(255)),`
[Fixed Code]
`[Removed]`
Additional Details: This preference controlled warnings for long credentials in URLs. Its removal might affect security visibility, but the impact is unclear.

Note: The diff shows removal of several deprecated configuration options, but none clearly indicate security vulnerability fixes. The changes appear to be cleanup of outdated preferences rather than direct security patches. Without more context about why these preferences were security concerns (if they were), we can't definitively state these were vulnerability fixes.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/backgroundhangmonitor/tests/child_cause_hang.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/backgroundhangmonitor/tests/child_cause_hang.js@@ -7,19 +7,13 @@ // Starting and stopping the profiler with the "stackwalk" flag will cause the // profiler's stackwalking features to be synchronously initialized. This // should prevent us from not initializing BHR quickly enough.- if (!Services.profiler.CanProfile()) {- return false;- } let features = ["stackwalk"]; Services.profiler.StartProfiler(1000, 10, features); Services.profiler.StopProfiler();- return true; } add_task(async function childCauseHang() {- if (!ensureProfilerInitialized()) {- return;- }+ ensureProfilerInitialized(); executeSoon(() => { let startTime = Date.now();
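Review bot: dropping the `Services.profiler.CanProfile()` guard and the boolean return means ensureProfilerInitialized() now calls StartProfiler unconditionally, so on a configuration where the profiler is unavailable the task fails at StartProfiler instead of quietly skipping; if that is intended (the profiler is always present where this test runs), note it in the comment block that still explains the stackwalk start/stop trick. The caller side is updated consistently: `ensureProfilerInitialized();` replaces the early-return branch, and executeSoon still follows it.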
Based on the provided code diff, here's the analysis:

Vulnerability Existed: no
[No specific vulnerability found]
[toolkit/components/backgroundhangmonitor/tests/child_cause_hang.js] [Lines 7-19]
[Old Code]
if (!Services.profiler.CanProfile()) {
  return false;
}
let features = ["stackwalk"];
Services.profiler.StartProfiler(1000, 10, features);
Services.profiler.StopProfiler();
return true;
}
add_task(async function childCauseHang() {
  if (!ensureProfilerInitialized()) {
    return;
  }
[Fixed Code]
let features = ["stackwalk"];
Services.profiler.StartProfiler(1000, 10, features);
Services.profiler.StopProfiler();
}
add_task(async function childCauseHang() {
  ensureProfilerInitialized();
Additional Details: The changes appear to be test code modifications rather than security fixes. The main changes are:
1. Removal of profiler capability check (CanProfile())
2. Removal of early return in the test function
3. Simplification of the profiler initialization flow

These changes don't appear to address any specific security vulnerability but rather streamline the test code. The modifications suggest the test will now always attempt to initialize the profiler rather than skipping if the profiler isn't available.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/server/actors/descriptors/tab.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/server/actors/descriptors/tab.js@@ -25,6 +25,9 @@ const { ActorClassWithSpec, Actor } = require("devtools/shared/protocol"); const { tabDescriptorSpec } = require("devtools/shared/specs/descriptors/tab"); const { AppConstants } = require("resource://gre/modules/AppConstants.jsm");+const {+ createBrowserElementSessionContext,+} = require("devtools/server/actors/watcher/session-context"); loader.lazyRequireGetter( this,@@ -183,11 +186,10 @@ if (!this.watcher) { this.watcher = new WatcherActor( this.conn,- {- type: "browser-element",- browserId: this._browser.browserId,- },- config+ createBrowserElementSessionContext(this._browser, {+ isServerTargetSwitchingEnabled: config.isServerTargetSwitchingEnabled,+ isPopupDebuggingEnabled: config.isPopupDebuggingEnabled,+ }) ); this.manage(this.watcher); }
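Review bot: the @@ -183,11 +186,10 @@ hunk narrows what reaches WatcherActor: the inline `{ type: "browser-element", browserId }` object and the entire `config` third argument are replaced by one session context built from this._browser plus exactly two named flags (isServerTargetSwitchingEnabled, isPopupDebuggingEnabled), so any other keys present on `config` no longer reach the watcher. That explicit allowlisting is the right direction, but the call is only correct if the WatcherActor constructor dropped its third parameter at the same time, and that signature change is not in this diff; confirm it landed together. The new require at @@ -25,6 +25,9 @@ pulls createBrowserElementSessionContext from devtools/server/actors/watcher/session-context, whose body is also not shown, so the fact that browserId is now derived inside the helper is only implied by the visible lines.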
Vulnerability Existed: no
[Session context refactoring, no vulnerability evidenced] [devtools/server/actors/descriptors/tab.js] [Lines 183-191]

[Old Code]
this.watcher = new WatcherActor(
  this.conn,
  {
    type: "browser-element",
    browserId: this._browser.browserId,
  },
  config
);

[Fixed Code]
this.watcher = new WatcherActor(
  this.conn,
  createBrowserElementSessionContext(this._browser, {
    isServerTargetSwitchingEnabled: config.isServerTargetSwitchingEnabled,
    isPopupDebuggingEnabled: config.isPopupDebuggingEnabled,
  })
);

Additional Details:
1. The hand-built `{ type: "browser-element", browserId }` object is replaced by a call to `createBrowserElementSessionContext()` from `devtools/server/actors/watcher/session-context`, so session contexts for browser-element targets are constructed in one place.
2. The separate `config` argument is no longer passed to `WatcherActor`; only two named flags, `isServerTargetSwitchingEnabled` and `isPopupDebuggingEnabled`, are copied into the session context. Other properties of `config` no longer reach the watcher through this path.
3. Centralizing construction and forwarding an explicit allow-list of options is good hygiene, since an unexpected property can no longer ride along across the descriptor/watcher boundary. Nothing in the diff, however, shows a vulnerability being fixed, and `createBrowserElementSessionContext()` itself is not in the diff, so no claim can be made about validation inside it. This is a DevTools server refactoring, not a security patch.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/printing/tests/browser_destination_change.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/printing/tests/browser_destination_change.js@@ -28,10 +28,15 @@ async function changeDestination(helper, dir) { let picker = helper.get("printer-picker"); let changed = BrowserTestUtils.waitForEvent(picker, "change");+ let pickerOpened = BrowserTestUtils.waitForEvent(+ document.getElementById("ContentSelectDropdown"),+ "popupshown"+ ); picker.focus(); EventUtils.sendKey("space", helper.win);- EventUtils.sendKey(dir, helper.win);- EventUtils.sendKey("return", helper.win);+ await pickerOpened;+ EventUtils.sendKey(dir, window);+ EventUtils.sendKey("return", window); await changed; }
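Review bot: the hunk sends the opening `space` to `helper.win` but the following `dir` and `return` keys to `window`; a one-line comment explaining why the targets differ (the `ContentSelectDropdown` popup is looked up in the test's own `document`, so once it is open the keys belong to that window) would save the next reader a detour. Also consider bounding `await pickerOpened` (for example via `BrowserTestUtils.waitForCondition` with a timeout) so a dropdown that never opens fails with a message instead of hanging until the harness times out.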
Vulnerability Existed: no
[Test timing fix, not a security change] [toolkit/components/printing/tests/browser_destination_change.js] [Lines 28-38]

[Old Code]
picker.focus();
EventUtils.sendKey("space", helper.win);
EventUtils.sendKey(dir, helper.win);
EventUtils.sendKey("return", helper.win);
await changed;

[Fixed Code]
picker.focus();
EventUtils.sendKey("space", helper.win);
await pickerOpened;
EventUtils.sendKey(dir, window);
EventUtils.sendKey("return", window);
await changed;

Additional Details:
- The old code sent the arrow and return keys immediately after the space key that opens the printer picker. If the dropdown had not finished opening, those keys could arrive before the popup existed and be lost, leaving the test waiting on `changed` until the harness timed out. The fix registers a `popupshown` listener on the `ContentSelectDropdown` element before pressing space and awaits it before sending further keys.
- The remaining key events are now dispatched to `window` (the chrome window in which `ContentSelectDropdown` is looked up via `document.getElementById`) instead of `helper.win`, consistent with the open dropdown, rather than the print-preview content, receiving them.
- This is an intermittent-failure fix in test code. It touches no shipped code path, the ordering issue was not exploitable, and it corresponds to no CVE.
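An added example, not taken from the Firefox test, that reproduces the ordering problem described above with a minimal popup model built on Node's built-in `EventTarget`, then shows the corrected sequencing. The `Picker` class, its `sendKey()` method and the 50 ms bound are assumptions made for the demonstration; `waitForEvent()` plays the role of `BrowserTestUtils.waitForEvent()`.

```javascript
// Added example (not Firefox test code). Models a <select>-style picker whose
// dropdown opens asynchronously and drops navigation keys while closed, then
// compares the racy key sequence with the fixed one that awaits "popupshown".
// Picker, sendKey and the timeout values are hypothetical.

class Picker extends EventTarget {
  constructor(options) {
    super();
    this.options = options;
    this.index = 0;
    this.open = false;
    this.value = options[0];
  }

  sendKey(key) {
    if (key === "space" && !this.open) {
      // The popup appears on a later task, like a real dropdown that needs a
      // layout flush before it fires "popupshown".
      setTimeout(() => {
        this.open = true;
        this.dispatchEvent(new Event("popupshown"));
      }, 0);
      return;
    }
    if (!this.open) return; // keys sent while closed are lost
    if (key === "down") {
      this.index = Math.min(this.index + 1, this.options.length - 1);
    } else if (key === "up") {
      this.index = Math.max(this.index - 1, 0);
    } else if (key === "return") {
      this.open = false;
      if (this.options[this.index] !== this.value) {
        this.value = this.options[this.index];
        this.dispatchEvent(new Event("change"));
      }
    }
  }
}

// Resolves on the next occurrence of the named event, like
// BrowserTestUtils.waitForEvent().
function waitForEvent(target, name) {
  return new Promise(resolve =>
    target.addEventListener(name, resolve, { once: true })
  );
}

// Bounded wait so the demonstration reports "timeout" instead of hanging.
function withTimeout(promise, ms) {
  return Promise.race([
    promise.then(() => "resolved"),
    new Promise(resolve => setTimeout(() => resolve("timeout"), ms)),
  ]);
}

// Old sequencing: dir/return are sent before the popup is shown and are
// dropped, so "change" never fires.
async function changeDestinationRacy(picker, dir) {
  const changed = waitForEvent(picker, "change");
  picker.sendKey("space");
  picker.sendKey(dir);
  picker.sendKey("return");
  return withTimeout(changed, 50);
}

// Fixed sequencing: register the "popupshown" listener before pressing
// space, await it, then navigate and confirm.
async function changeDestinationFixed(picker, dir) {
  const changed = waitForEvent(picker, "change");
  const pickerOpened = waitForEvent(picker, "popupshown");
  picker.sendKey("space");
  await pickerOpened;
  picker.sendKey(dir);
  picker.sendKey("return");
  return withTimeout(changed, 50);
}

// Constructed destinations for the demonstration.
const DESTINATIONS = ["Save to PDF", "Printer A"];

async function demo() {
  const racy = await changeDestinationRacy(new Picker(DESTINATIONS), "down");
  const fixedPicker = new Picker(DESTINATIONS);
  const fixed = await changeDestinationFixed(fixedPicker, "down");
  return { racy, fixed, selected: fixedPicker.value };
}

module.exports = { Picker, waitForEvent, withTimeout, changeDestinationRacy, changeDestinationFixed, demo };
```

`demo()` resolves to `{ racy: "timeout", fixed: "resolved", selected: "Printer A" }`: the racy sequence loses both navigation keys and never sees a `change` event, while the fixed sequence selects the second destination.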
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/x64/Trampoline-x64.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/x64/Trampoline-x64.cpp@@ -858,7 +858,6 @@ break; case Type_Double:- MOZ_ASSERT(JitOptions.supportsFloatingPoint); masm.loadDouble(Address(esp, 0), ReturnDoubleReg); masm.freeStack(sizeof(double)); break;
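Review bot: removing `MOZ_ASSERT(JitOptions.supportsFloatingPoint)` leaves the `Type_Double` case with no guard at all, which is only correct if the option is being deleted (or is unconditionally true) in the rest of the change; the commit message should say so. If the sibling trampolines for other architectures carry the same assertion, they should be updated in the same patch so the ports stay consistent.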
Vulnerability Existed: no
[Debug-only assertion removed] [js/src/jit/x64/Trampoline-x64.cpp] [Lines 858-861]

[Old Code]
MOZ_ASSERT(JitOptions.supportsFloatingPoint);
masm.loadDouble(Address(esp, 0), ReturnDoubleReg);
masm.freeStack(sizeof(double));

[Fixed Code]
masm.loadDouble(Address(esp, 0), ReturnDoubleReg);
masm.freeStack(sizeof(double));

Additional Details: The diff removes a `MOZ_ASSERT(JitOptions.supportsFloatingPoint)` that preceded the `Type_Double` return path, where the trampoline loads the returned double from the stack into `ReturnDoubleReg` and pops it. `MOZ_ASSERT` is compiled out of release builds, so the old code never prevented `loadDouble` from being emitted in shipping Firefox; its removal changes nothing in release behaviour and only drops a sanity check from debug builds. The likely explanation is that the `supportsFloatingPoint` option is being retired because every x64 target supports floating point, but that cannot be confirmed from this hunk alone. Nothing here indicates a vulnerability.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/webrender_api/src/display_item.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/webrender_api/src/display_item.rs@@ -7,7 +7,7 @@ use std::ops::Not; // local imports use crate::font;-use crate::{PipelineId, PropertyBinding};+use crate::{APZScrollGeneration, HasScrollLinkedEffect, PipelineId, PropertyBinding}; use crate::color::ColorF; use crate::image::{ColorDepth, ImageKey}; use crate::units::*;@@ -334,6 +334,10 @@ /// should be added to those display item coordinates in order to get a /// normalized value that is consistent across display lists. pub external_scroll_offset: LayoutVector2D,+ /// The generation of the external_scroll_offset.+ pub scroll_offset_generation: APZScrollGeneration,+ /// Whether this scrollframe document has any scroll-linked effect or not.+ pub has_scroll_linked_effect: HasScrollLinkedEffect, /// A unique (per-pipeline) key for this spatial that is stable across display lists. pub key: SpatialTreeItemKey, }@@ -774,6 +778,10 @@ /// Marks that the transform should be snapped. Used for transforms which animate in /// response to scrolling, eg for zooming or dynamic toolbar fixed-positioning. should_snap: bool,+ /// Marks the transform being a part of the CSS stacking context that also has+ /// a perspective. In this case, backface visibility takes this perspective into+ /// account.+ paired_with_perspective: bool, }, /// A perspective transform, that optionally scrolls relative to a specific scroll node Perspective {@@ -825,6 +833,11 @@ /// Computed reference frame which dynamically calculates the transform /// based on the given parameters. 
The reference is the content size of /// the parent iframe, which is affected by snapping.+ ///+ /// This is used when a transform depends on the layout size of an+ /// element, otherwise the difference between the unsnapped size+ /// used in the transform, and the snapped size calculated during scene+ /// building can cause seaming. Computed { scale_from: Option<LayoutSize>, vertical_flip: bool,@@ -1772,6 +1785,7 @@ ReferenceFrameKind => Transform { is_2d_scale_translation: false, should_snap: false,+ paired_with_perspective: false, }, Rotation => Degree0, TransformStyle => Flat,
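Review bot: the last hunk (at -1772) supplies a default for the new `paired_with_perspective` field, but no default appears for `scroll_offset_generation` and `has_scroll_linked_effect` added to the scroll-frame item at -334, so every constructor of that item on the Gecko side must be updated in the same change. Because `webrender_api` items are shared with the content process, also check whether adding these public struct fields requires bumping the display-list serialization version. Minor: the doc comment "Whether this scrollframe document has any scroll-linked effect or not" reads ambiguously (the scroll frame, or the document it belongs to?) and would benefit from a more precise wording.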
Vulnerability Existed: no
[Feature fields added to display-list types, no security fix] [gfx/wr/webrender_api/src/display_item.rs] [Lines 7, 334-338, 774-778, 825-834, 1772-1785]

1. [Lines 334-338] Two fields are added after `external_scroll_offset` on the scroll-frame item: `scroll_offset_generation: APZScrollGeneration` (the generation counter of the external scroll offset) and `has_scroll_linked_effect: HasScrollLinkedEffect` (whether the scroll frame's document has a scroll-linked effect). Both types are imported from the crate root in the first hunk.
2. [Lines 774-778] A `paired_with_perspective: bool` field is added to the `Transform` reference-frame kind, marking a transform that belongs to a CSS stacking context which also has a perspective, so that backface visibility takes the perspective into account. The last hunk sets it to `false` in the default `ReferenceFrameKind`.
3. [Lines 825-834] The doc comment on the `Computed` reference-frame kind is extended to explain why it exists: a transform that depends on an element's layout size must use the snapped size calculated during scene building, otherwise the mismatch with the unsnapped size causes seaming.

These are API and rendering-correctness changes (scroll-offset generation tracking, perspective handling, snapping documentation) rather than security fixes. They add data to public `webrender_api` structures, so every producer of these items has to be updated, and if the items are serialized into the display list the wire format changes shape, but the diff shows no bug being closed, no input validation, and no memory-safety concern. No vulnerability is identified, and nothing in the diff supports reading these fields as mitigations for timing or spoofing attacks.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-tables/percent-width-ignored-002.tentative.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-tables/percent-width-ignored-002.tentative.html@@ -4,7 +4,6 @@ <script src='/resources/check-layout-th.js'></script> <link rel="author" title="David Grogan" href="[email protected]"> <link rel="help" href="https://github.com/w3c/csswg-drafts/issues/3336">-<meta name="flags" content="" /> <meta name="assert" content="Should cell's percent width be ignored when its table is nested in a shrink to fit block?" /> <p>Edge 44.17763 and Chrome 70 make this 300px wide. FF makes it 150px wide.</p> <div id="stf" style="position:absolute; background:blue;" data-expected-width=300>
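Review bot: cosmetic only; the removed `<meta name="flags" content="" />` carries no test-harness flags, so nothing about how the test runs changes, and every other line in the hunk is unchanged context. Nothing to review beyond confirming it is part of the upstream web-platform-tests sync.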
Vulnerability Existed: no
[Test metadata cleanup] [testing/web-platform/tests/css/css-tables/percent-width-ignored-002.tentative.html] [Lines 4-10]

[Old Code]
<meta name="flags" content="" />

[Fixed Code]
(line removed)

The only change in this hunk is the removal of an empty `<meta name="flags" content="" />` tag; the surrounding lines (the author and help links, the assert text, and the note about Edge 44 and Chrome 70 rendering the element 300px wide) are unchanged context, not edits. An empty flags meta carries no test-harness directives, so removing it does not alter what the test checks or how it runs. This is a web-platform-tests file rather than shipped code, and the diff contains no security fix.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/crossbeam-epoch/src/deferred.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/crossbeam-epoch/src/deferred.rs@@ -81,6 +81,8 @@ #[cfg(all(test, not(crossbeam_loom)))] mod tests {+ #![allow(clippy::drop_copy)]+ use super::Deferred; use std::cell::Cell;
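Review bot: `#![allow(clippy::drop_copy)]` as an inner attribute is scoped to `mod tests` only, which is the right granularity. Note that newer clippy releases renamed this lint to `dropping_copy_types`; the old name still resolves as an alias but triggers a renamed-lint warning, so the attribute may need updating the next time the vendored crate is bumped.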
Vulnerability Existed: no
[Lint allowance in test code] [third_party/rust/crossbeam-epoch/src/deferred.rs] [Lines 81-83]

[Old Code]
#[cfg(all(test, not(crossbeam_loom)))]
mod tests {

[Fixed Code]
#[cfg(all(test, not(crossbeam_loom)))]
mod tests {
    #![allow(clippy::drop_copy)]

The change adds an inner attribute that silences clippy's `drop_copy` lint inside the crate's test module only. That lint flags `drop(x)` where `x: Copy`, because dropping a copy is a no-op and the original value remains usable; the tests evidently do this deliberately while exercising `Deferred`. It is a static-analysis adjustment in `#[cfg(test)]` code that is never compiled into Firefox, so no vulnerability is involved.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/taskcluster/ci/test/talos.yml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/taskcluster/ci/test/talos.yml@@ -31,16 +31,11 @@ treeherder-symbol: T(bcv) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission-webrender-sw:- by-test-platform:- (linux1804|macosx1015|windows10)-64-shippable-qr/opt: [mozilla-beta, trunk]- (windows10-64|macosx1015-64).*-qr.*: [trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|macosx1015|windows10)-64-shippable-qr/opt: [mozilla-beta, trunk] (windows10-64|macosx1015-64).*-qr.*: [trunk]@@ -62,6 +57,7 @@ treeherder-symbol: T-Prof(bcv) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1800 mozharness:@@ -75,8 +71,8 @@ treeherder-symbol: T(c) variants: - fission- - fission-webrender-sw- - webrender-sw+ - webrender-sw+fission+ run-without-variant: false run-on-projects: by-test-platform: windows.*-32.*: []@@ -95,6 +91,7 @@ tier: 2 max-run-time: 1200 variants: [fission]+ run-without-variant: false run-on-projects: [] mozharness: extra-options:@@ -108,20 +105,11 @@ max-run-time: 5400 variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804-64|windows10-64)-shippable-qr/opt: [mozilla-central, autoland]- # Bug 1657864 - Disabled on macos for high frequency intermittents- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx1015)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx1015)-64-shippable-qr.*: [mozilla-beta, 
trunk] default: []@@ -130,7 +118,6 @@ windows.*-32-shippable.*/.*: [] (linux|windows|macos)(?!.*shippable).*: [] (linux|windows10-64|macos)(?!.*-qr).*: []- macosx1014.*: [] default: [mozilla-beta, trunk] mozharness: extra-options:@@ -143,6 +130,7 @@ tier: 2 max-run-time: 5400 variants: [fission]+ run-without-variant: false run-on-projects: [] mozharness: extra-options:@@ -155,6 +143,7 @@ treeherder-symbol: T(d) max-run-time: 2100 variants: [fission]+ run-without-variant: false run-on-projects: by-test-platform: windows.*-32.*: []@@ -172,6 +161,7 @@ tier: 2 max-run-time: 2100 variants: [fission]+ run-without-variant: false run-on-projects: [] mozharness: extra-options:@@ -182,20 +172,15 @@ description: Talos XUL flexbox emulation enabled try-name: flex treeherder-symbol: T(f)- tier:- by-variant:- fission: 2- default: 3- variants: [fission]- run-on-projects:- by-variant:- fission: []- default:- by-test-platform:- windows.*-32.*: []- (linux|windows10-64|macos)(?!.*shippable).*: []- (linux|windows10-64|macos)(?!.*-qr).*: []- default: [mozilla-central]+ tier: 2+ variants: [fission]+ run-without-variant: false+ run-on-projects:+ by-test-platform:+ windows.*-32.*: []+ (linux|windows10-64|macos)(?!.*shippable).*: []+ (linux|windows10-64|macos)(?!.*-qr).*: []+ default: [mozilla-central] max-run-time: 1800 mozharness: extra-options:@@ -207,14 +192,12 @@ treeherder-symbol: T-Prof(f) tier: 3 variants: [fission]- run-on-projects:- by-variant:- fission: []- default:- by-test-platform:- windows.*-32.*: []- (linux|windows10-64|macos)(?!.*shippable).*: []- default: [mozilla-central]+ run-without-variant: false+ run-on-projects:+ by-test-platform:+ windows.*-32.*: []+ (linux|windows10-64|macos)(?!.*shippable).*: []+ default: [mozilla-central] max-run-time: 1800 mozharness: extra-options:@@ -227,19 +210,11 @@ treeherder-symbol: T(g1) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- 
(linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -263,6 +238,7 @@ treeherder-symbol: T-Prof(g1) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: by-test-platform:@@ -279,19 +255,11 @@ treeherder-symbol: T(g3) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -313,6 +281,7 @@ tier: 2 max-run-time: 900 variants: [fission]+ run-without-variant: false run-on-projects: [] mozharness: extra-options:@@ -325,19 +294,11 @@ treeherder-symbol: T(g4) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804-64|windows10-64)-shippable-qr/opt: [mozilla-central, autoland]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx1015)-64-shippable-qr/opt: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx1015)-64-shippable-qr/opt: [mozilla-beta, trunk] default: []@@ -365,6 +326,7 @@ linux1804-64.*: 1500 default: 
1800 variants: [fission]+ run-without-variant: false run-on-projects: [] mozharness: extra-options:@@ -380,19 +342,11 @@ - --suite=g5 variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -414,6 +368,7 @@ treeherder-symbol: T-Prof(g5) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] mozharness: extra-options:@@ -429,6 +384,7 @@ try-name: h1 treeherder-symbol: T(h1) variants: [fission]+ run-without-variant: false run-on-projects: by-test-platform: windows.*-32.*: []@@ -448,6 +404,7 @@ try-name: h2 treeherder-symbol: T(h2) variants: [fission]+ run-without-variant: false run-on-projects: by-test-platform: windows.*-32.*: []@@ -467,6 +424,7 @@ try-name: motionmark treeherder-symbol: T(mm) variants: [fission]+ run-without-variant: false run-on-projects: by-test-platform: (linux|windows10-64|macos)(?!.*shippable).*: []@@ -483,6 +441,7 @@ try-name: motionmark-prof treeherder-symbol: T-Prof(mm) variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 3600 tier: 2@@ -497,19 +456,11 @@ treeherder-symbol: T(o) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ 
by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -529,6 +480,7 @@ try-name: other-prof treeherder-symbol: T-Prof(o) variants: [fission]+ run-without-variant: false run-on-projects: [] tier: 2 max-run-time: 1500@@ -543,19 +495,11 @@ treeherder-symbol: T(smw) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-central, autoland]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-central, autoland]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-central, autoland] default: []@@ -576,6 +520,7 @@ treeherder-symbol: T-Prof(smw) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1500 mozharness:@@ -589,19 +534,11 @@ treeherder-symbol: T(p) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -622,6 +559,7 @@ treeherder-symbol: T-Prof(p) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1200 mozharness:@@ -634,6 +572,7 @@ try-name: perf-reftest-singletons treeherder-symbol: T(ps) variants: [fission]+ run-without-variant: false run-on-projects: by-test-platform: 
windows.*-32.*: []@@ -651,6 +590,7 @@ treeherder-symbol: T-Prof(ps) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1500 mozharness:@@ -664,19 +604,11 @@ treeherder-symbol: T(s) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -697,6 +629,7 @@ treeherder-symbol: T-Prof(s) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1800 mozharness:@@ -710,19 +643,11 @@ treeherder-symbol: T(tp) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -743,6 +668,7 @@ treeherder-symbol: T-Prof(tp) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1800 mozharness:@@ -756,19 +682,11 @@ treeherder-symbol: T(tabswitch) variants: - fission- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- fission:- by-test-platform:- (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- fission-webrender-sw:- by-test-platform:- 
(linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- webrender-sw:+ - webrender-sw+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx.*)-64-shippable-qr.*: [mozilla-beta, trunk] default: []@@ -789,6 +707,7 @@ treeherder-symbol: T-Prof(tabswitch) tier: 2 variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1200 mozharness:@@ -801,27 +720,23 @@ try-name: webgl treeherder-symbol: T(webgl) variants:- - webgl-ipc- - fission-webrender-sw- - webrender-sw- run-on-projects:- by-variant:- webgl-ipc:+ - fission+ - webrender-sw+fission+ - webgl-ipc+fission+ run-without-variant: false+ run-on-projects:+ by-variant:+ webgl-ipc+fission: by-test-platform: (linux1804|windows10|macosx1015)-64.*: [trunk] default: []- fission-webrender-sw:+ webrender-sw+fission: by-test-platform: (linux1804|windows10|macosx1015)-64-shippable-qr.*: [mozilla-beta, trunk] default: []- webrender-sw:- by-test-platform:- (linux1804|windows10|macosx1015)-64-shippable-qr.*: [mozilla-beta, trunk]- default: []- default:- by-test-platform:- windows.*-32.*: []- macosx1014.*: []+ default:+ by-test-platform:+ windows.*-32.*: [] (linux|windows10-64|macos)(?!.*shippable).*: [] (linux|windows10-64|macos)(?!.*-qr).*: [] default: [mozilla-beta, trunk]@@ -841,7 +756,7 @@ treeherder-symbol: T-Prof(webgl) tier: 2 variants:- - webgl-ipc+ - webgl-ipc+fission run-on-projects: [] max-run-time: 1800 mozharness:@@ -861,8 +776,8 @@ windows10-64.*: true variants: - fission- - fission-webrender-sw- - webrender-sw+ - webrender-sw+fission+ run-without-variant: false run-on-projects: by-test-platform: windows.*-32-shippable(?:-qr)?/.*: []@@ -881,6 +796,7 @@ try-name: realworld-webextensions treeherder-symbol: T(realwebext) variants: [fission]+ run-without-variant: false run-on-projects: by-test-platform: windows.*-32.*: []@@ -898,6 +814,7 @@ treeherder-symbol: T-Prof(realwebext) tier: 2 
variants: [fission]+ run-without-variant: false run-on-projects: [] max-run-time: 1500 mozharness:
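Review bot: `run-without-variant: false` next to `variants: [fission]` means the plain, non-fission Talos task is no longer generated for every suite in this file, and the standalone `webrender-sw` variant disappears with the merge into `webrender-sw+fission`; that is a deliberate reduction in scheduled coverage and should be called out in the commit message rather than left implicit in config. Also confirm that the removed `macosx1014.*: []` exclusions (in the hunks at -130 and -801) are safe because that platform no longer exists in the platform set, not because its jobs are now meant to run.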
Vulnerability Existed: no
[Test-scheduling configuration update] [taskcluster/ci/test/talos.yml] [whole file]

The diff touches only Taskcluster scheduling metadata for the Talos performance suites; no Firefox code changes. Three kinds of edit recur throughout the file:
1. Variant consolidation: the separate `fission-webrender-sw` and `webrender-sw` variants are replaced by a single `webrender-sw+fission` variant, and the `by-variant` tables collapse accordingly (the `webgl` suite also gains `fission` and switches `webgl-ipc` to `webgl-ipc+fission`).
2. `run-without-variant: false` is added wherever `variants: [fission]` or a variant list is declared, so the base task without a variant is no longer generated and every scheduled Talos job runs as a variant.
3. Simplification of platform and tier rules: obsolete `macosx1014.*: []` exclusions are dropped, and `tier` and `run-on-projects` entries that were keyed `by-variant` become flat values (for example the XUL flexbox emulation suite becomes `tier: 2` unconditionally).

These are CI infrastructure changes that decide which test jobs run on which branches and platforms. They have no security impact on the shipped product, though they do change which configurations receive Talos coverage: the non-variant base tasks and the standalone `webrender-sw` variant are no longer scheduled.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling_core/src/error/kind.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling_core/src/error/kind.rs@@ -1,6 +1,6 @@ use std::fmt;-use error::Error;+use crate::error::Error; type DeriveInputShape = String; type FieldName = String;@@ -10,7 +10,7 @@ // Don't want to publicly commit to ErrorKind supporting equality yet, but // not having it makes testing very difficult. #[cfg_attr(test, derive(Clone, PartialEq, Eq))]-pub(in error) enum ErrorKind {+pub(in crate::error) enum ErrorKind { /// An arbitrary error message. Custom(String), DuplicateField(FieldName),@@ -108,7 +108,7 @@ // Don't want to publicly commit to ErrorKind supporting equality yet, but // not having it makes testing very difficult. #[cfg_attr(test, derive(Clone, PartialEq, Eq))]-pub(in error) struct ErrorUnknownField {+pub(in crate::error) struct ErrorUnknownField { name: String, did_you_mean: Option<String>, }@@ -130,7 +130,7 @@ } #[cfg(feature = "diagnostics")]- pub fn to_diagnostic(self, span: Option<::proc_macro2::Span>) -> ::proc_macro::Diagnostic {+ pub fn into_diagnostic(self, span: Option<::proc_macro2::Span>) -> ::proc_macro::Diagnostic { let base = span .unwrap_or_else(::proc_macro2::Span::call_site) .unwrap()@@ -185,10 +185,7 @@ candidate = Some((confidence, pv.as_ref())); } }- match candidate {- None => None,- Some((_, candidate)) => Some(candidate.into()),- }+ candidate.map(|(_, candidate)| candidate.into()) } #[cfg(not(feature = "suggestions"))]
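Review bot: the `to_diagnostic` to `into_diagnostic` rename in the hunk at -130 is a public API change behind the `diagnostics` feature, so this vendored update can break any in-tree crate that calls the old name; grep the tree for callers and make sure `Cargo.lock` and the vendor checksum move to the new `darling_core` version together. The `crate::` paths and `pub(in crate::error)` are the edition-2018 spellings of the same visibility, and `candidate.map(|(_, candidate)| candidate.into())` is behaviour-preserving; no concern there.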
Based on the provided code diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
No specific vulnerability found [File] [Lines 1-185]
The changes appear to be primarily about:
- Updating module paths from `error::Error` to `crate::error::Error`
- Changing visibility modifiers from `pub(in error)` to `pub(in crate::error)`
- Renaming `to_diagnostic` to `into_diagnostic`
- Simplifying a match expression to use `map`

2. Vulnerability Existed: not sure
Potential API misuse [File] [Lines 130-138]
Old Code: `pub fn to_diagnostic(self, span: Option<::proc_macro2::Span>) -> ::proc_macro::Diagnostic`
Fixed Code: `pub fn into_diagnostic(self, span: Option<::proc_macro2::Span>) -> ::proc_macro::Diagnostic`
The change from `to_` to `into_` prefix suggests this might be related to Rust's ownership conventions, but it's not clear if this was fixing a security issue or just improving API design.

The changes appear to be more about code organization and API improvements rather than security fixes. No specific vulnerabilities (like injection, memory safety issues, etc.) are being addressed in this diff. The most significant change is the method rename which follows Rust conventions better, but this doesn't appear to be security-related.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-042.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-backgrounds/box-shadow-042.html@@ -8,7 +8,6 @@ <link rel="help" href="https://www.w3.org/TR/css-backgrounds-3/#the-box-shadow"> <link rel="match" href="reference/box-shadow-042-ref.html">- <meta content="" name="flags"> <!--
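Review bot: removing the empty `<meta content="" name="flags">` is safe; the CSS test format used that meta only to list required features, so an empty value carries no information, and the `rel="help"` and `rel="match"` links that the reftest harness actually depends on are untouched by this hunk. Nothing else changes, so no further review concern.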
Based on the provided code diff, here's the analysis following the required format:

Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/css/css-backgrounds/box-shadow-042.html
[Lines] 8
[Old Code] `<meta content="" name="flags">`
[Fixed Code] (Line removed)

Additional Details: This appears to be a simple removal of an empty meta tag with a "flags" attribute, which doesn't appear to be security-related. The change seems to be cleaning up unnecessary markup rather than fixing a security vulnerability. The "flags" meta tag doesn't appear to be associated with any known security vulnerability patterns.