Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/remote/doc/marionette/NewContributors.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/remote/doc/marionette/NewContributors.md@@ -43,12 +43,11 @@ [#webdriver:mozilla.org]: https://chat.mozilla.org/#/room/#webdriver:mozilla.org [Bugzilla]: https://bugzilla.mozilla.org/ [Mozillians]: https://mozillians.org/-[logbot]: https://mozilla.logbot.info/ateam/ Getting the code, running tests --------------------------------Follow the documentation on [Contributing](Contributing.html) to get a sense of+Follow the documentation on [Contributing](Contributing.md) to get a sense of our projects, and which is of most interest for you. You will also learn how to get the Firefox source code, build your custom Firefox build, and how to run the tests.@@ -59,7 +58,7 @@ Once you are familiar with the code of the test harnesses, and the tests you might want to start with your first contribution. The necessary steps to submit and verify-your patches are laid out in [Patches.md](Patches.html).+your patches are laid out in [Patches](Patches.md). Resources
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be documentation updates (file extension changes from .html to .md and removal of a logbot link). Here's the analysis: 1. Vulnerability Existed: no Documentation Update [File] remote/doc/marionette/NewContributors.md [Lines] 43-59 Old Code: [Contributing](Contributing.html), [Patches.md](Patches.html), [logbot]: https://mozilla.logbot.info/ateam/ Fixed Code: [Contributing](Contributing.md), [Patches](Patches.md), (logbot link removed) The changes are: 1. Updated file extensions in links from .html to .md 2. Removed a link to mozilla.logbot.info 3. Minor formatting changes These appear to be documentation maintenance changes rather than security fixes. The removal of the logbot link might be related to the service being deprecated or no longer available, but this doesn't indicate a security vulnerability was fixed.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/talos/talos/run_tests.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/talos/talos/run_tests.py@@ -117,7 +117,8 @@ paths = ["profile_path", "tpmanifest", "extensions", "setup", "cleanup"] for test_index, test in enumerate(tests):- test["suite"] = config["suite"]+ if config.get("suite", False):+ test["suite"] = config["suite"] if test_index == 0: test["is_first_test"] = True # Check for profile_path, tpmanifest and interpolate based on Talos
Analysis of the provided code diff:
1. Vulnerability Existed: yes
Insecure Direct Object Reference (IDOR) Potential [File] testing/talos/talos/run_tests.py [Lines] 117-118
[Old Code]
`test["suite"] = config["suite"]`
[Fixed Code]
`if config.get("suite", False): test["suite"] = config["suite"]`
Additional Details:
The original code directly assigned the suite value from config to test without checking if it existed, which could lead to potential undefined behavior or errors if 'suite' wasn't present in config. The fix adds a proper existence check using .get() with a default value, making the code more robust against missing configuration values. While not a direct security vulnerability, this could potentially be exploited if an attacker could control the config input and cause undefined behavior.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.nonfinite.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/pixel-manipulation/2d.imageData.put.nonfinite.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); var imgdata = ctx.getImageData(0, 0, 10, 10); assert_throws_js(TypeError, function() { ctx.putImageData(imgdata, Infinity, 10); });
Analysis of the provided code diff:
1. Vulnerability Existed: no
Variable Renaming [File] [Lines 17-18]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be a simple variable renaming from `offscreenCanvas` to `canvas` for consistency or clarity.
- There are no security vulnerabilities being fixed in this diff.
- The test continues to check for proper handling of non-finite values in putImageData calls, but this functionality wasn't modified in the diff.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/idna/tests/unit.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/idna/tests/unit.rs@@ -1,40 +1,116 @@-extern crate idna;-extern crate unicode_normalization;-+use assert_matches::assert_matches; use unicode_normalization::char::is_combining_mark;-fn _to_ascii(domain: &str) -> Result<String, idna::Errors> {- idna::Config::default()+/// https://github.com/servo/rust-url/issues/373+#[test]+fn test_punycode_prefix_with_length_check() {+ let config = idna::Config::default() .verify_dns_length(true)- .use_std3_ascii_rules(true)- .to_ascii(domain)+ .check_hyphens(true)+ .use_std3_ascii_rules(true);++ assert!(config.to_ascii("xn--").is_err());+ assert!(config.to_ascii("xn---").is_err());+ assert!(config.to_ascii("xn-----").is_err());+ assert!(config.to_ascii("xn--.").is_err());+ assert!(config.to_ascii("xn--...").is_err());+ assert!(config.to_ascii(".xn--").is_err());+ assert!(config.to_ascii("...xn--").is_err());+ assert!(config.to_ascii("xn--.xn--").is_err());+ assert!(config.to_ascii("xn--.example.org").is_err());+}++/// https://github.com/servo/rust-url/issues/373+#[test]+fn test_punycode_prefix_without_length_check() {+ let config = idna::Config::default()+ .verify_dns_length(false)+ .check_hyphens(true)+ .use_std3_ascii_rules(true);++ assert_eq!(config.to_ascii("xn--").unwrap(), "");+ assert!(config.to_ascii("xn---").is_err());+ assert!(config.to_ascii("xn-----").is_err());+ assert_eq!(config.to_ascii("xn--.").unwrap(), ".");+ assert_eq!(config.to_ascii("xn--...").unwrap(), "...");+ assert_eq!(config.to_ascii(".xn--").unwrap(), ".");+ assert_eq!(config.to_ascii("...xn--").unwrap(), "...");+ assert_eq!(config.to_ascii("xn--.xn--").unwrap(), ".");+ assert_eq!(config.to_ascii("xn--.example.org").unwrap(), ".example.org");+}++// http://www.unicode.org/reports/tr46/#Table_Example_Processing+#[test]+fn test_examples() {+ let mut codec = idna::Idna::default();+ let mut out = String::new();++ assert_matches!(codec.to_unicode("Bloß.de", &mut out), Ok(()));+ assert_eq!(out, "bloß.de");++ out.clear();+ assert_matches!(codec.to_unicode("xn--blo-7ka.de", &mut out), Ok(()));+ assert_eq!(out, "bloß.de");++ out.clear();+ assert_matches!(codec.to_unicode("u\u{308}.com", &mut out), Ok(()));+ assert_eq!(out, "ü.com");++ out.clear();+ assert_matches!(codec.to_unicode("xn--tda.com", &mut out), Ok(()));+ assert_eq!(out, "ü.com");++ out.clear();+ assert_matches!(codec.to_unicode("xn--u-ccb.com", &mut out), Err(_));++ out.clear();+ assert_matches!(codec.to_unicode("a⒈com", &mut out), Err(_));++ out.clear();+ assert_matches!(codec.to_unicode("xn--a-ecp.ru", &mut out), Err(_));++ out.clear();+ assert_matches!(codec.to_unicode("xn--0.pt", &mut out), Err(_));++ out.clear();+ assert_matches!(codec.to_unicode("日本語。JP", &mut out), Ok(()));+ assert_eq!(out, "日本語.jp");++ out.clear();+ assert_matches!(codec.to_unicode("☕.us", &mut out), Ok(()));+ assert_eq!(out, "☕.us"); } #[test] fn test_v5() {+ let config = idna::Config::default()+ .verify_dns_length(true)+ .use_std3_ascii_rules(true);+ // IdnaTest:784 蔏。𑰺 assert!(is_combining_mark('\u{11C3A}'));- assert!(_to_ascii("\u{11C3A}").is_err());- assert!(_to_ascii("\u{850f}.\u{11C3A}").is_err());- assert!(_to_ascii("\u{850f}\u{ff61}\u{11C3A}").is_err());+ assert!(config.to_ascii("\u{11C3A}").is_err());+ assert!(config.to_ascii("\u{850f}.\u{11C3A}").is_err());+ assert!(config.to_ascii("\u{850f}\u{ff61}\u{11C3A}").is_err()); } #[test] fn test_v8_bidi_rules() {- assert_eq!(_to_ascii("abc").unwrap(), "abc");- assert_eq!(_to_ascii("123").unwrap(), "123");- assert_eq!(_to_ascii("אבּג").unwrap(), "xn--kdb3bdf");- assert_eq!(_to_ascii("ابج").unwrap(), "xn--mgbcm");- assert_eq!(_to_ascii("abc.ابج").unwrap(), "abc.xn--mgbcm");- assert_eq!(- _to_ascii("אבּג.ابج").unwrap(),- "xn--kdb3bdf.xn--mgbcm"- );+ let config = idna::Config::default()+ .verify_dns_length(true)+ .use_std3_ascii_rules(true);++ assert_eq!(config.to_ascii("abc").unwrap(), "abc");+ assert_eq!(config.to_ascii("123").unwrap(), "123");+ assert_eq!(config.to_ascii("אבּג").unwrap(), "xn--kdb3bdf");+ assert_eq!(config.to_ascii("ابج").unwrap(), "xn--mgbcm");+ assert_eq!(config.to_ascii("abc.ابج").unwrap(), "abc.xn--mgbcm");+ assert_eq!(config.to_ascii("אבּג.ابج").unwrap(), "xn--kdb3bdf.xn--mgbcm"); // Bidi domain names cannot start with digits- assert!(_to_ascii("0a.\u{05D0}").is_err());- assert!(_to_ascii("0à.\u{05D0}").is_err());+ assert!(config.to_ascii("0a.\u{05D0}").is_err());+ assert!(config.to_ascii("0à.\u{05D0}").is_err()); // Bidi chars may be punycode-encoded- assert!(_to_ascii("xn--0ca24w").is_err());+ assert!(config.to_ascii("xn--0ca24w").is_err()); }
Analyzing the provided code diff, I don't see any direct security vulnerabilities being fixed. The changes appear to be primarily test case additions and refactoring of test code to better handle IDNA (Internationalizing Domain Names in Applications) processing. However, I'll analyze the changes carefully: 1. Vulnerability Existed: not sure [Potential IDNA Validation Issues] [third_party/rust/idna/tests/unit.rs] [Various test cases added] [Old Code: No explicit tests for punycode prefix handling] [Fixed Code: Added extensive test cases for punycode prefix validation] The added tests suggest there might have been concerns about proper handling of punycode prefixes (xn--) which could potentially be used in homograph attacks, but this is just test code being added rather than a direct fix. 2. Vulnerability Existed: not sure [Potential Unicode Normalization Issues] [third_party/rust/idna/tests/unit.rs] [Various test cases added] [Old Code: Limited test coverage for Unicode normalization] [Fixed Code: Added more comprehensive test cases for Unicode processing] The added tests for various Unicode cases might indicate concerns about proper normalization, but again this appears to be test coverage improvement rather than a direct vulnerability fix. The main changes are: 1. Added explicit tests for punycode prefix handling (xn--) 2. Added more comprehensive Unicode normalization tests 3. Refactored test code to use config objects directly rather than through a helper function 4. Added test cases from Unicode TR46 specification While these changes improve test coverage for potential IDNA/Unicode-related security issues (like homograph attacks), I don't see direct evidence of specific vulnerabilities being fixed in this diff. The changes appear to be preventative test coverage improvements rather than fixes for identified vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/public/UbiNode.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/public/UbiNode.h@@ -967,50 +967,51 @@ // // RootList::init itself causes a minor collection, but once the list of roots // has been created, GC must not occur, as the referent ubi::Nodes are not-// stable across GC. The init calls emplace on |noGC|'s AutoCheckCannotGC, whose-// lifetime must extend at least as long as the RootList itself.+// stable across GC. It returns a [[nodiscard]] AutoCheckCannotGC token in order+// to enforce this. The token's lifetime must extend at least as long as the+// RootList itself. Note that the RootList does not itself contain a nogc field,+// which means that it is possible to store it somewhere that it can escape+// the init()'s nogc scope. Don't do that. (Or you could call some function+// and pass in the RootList and GC, but that would be caught.) // // Example usage: // // {-// mozilla::Maybe<JS::AutoCheckCannotGC> maybeNoGC;-// JS::ubi::RootList rootList(cx, maybeNoGC);-// if (!rootList.init()) {+// JS::ubi::RootList rootList(cx);+// auto [ok, nogc] = rootList.init();+// if (!ok()) { // return false; // }-//-// // The AutoCheckCannotGC is guaranteed to exist if init returned true.-// MOZ_ASSERT(maybeNoGC.isSome()); // // JS::ubi::Node root(&rootList); // // ... // } class MOZ_STACK_CLASS JS_PUBLIC_API RootList {- Maybe<AutoCheckCannotGC>& noGC;- public: JSContext* cx; EdgeVector edges; bool wantNames;-- RootList(JSContext* cx, Maybe<AutoCheckCannotGC>& noGC,- bool wantNames = false);+ bool inited;++ explicit RootList(JSContext* cx, bool wantNames = false); // Find all GC roots.- [[nodiscard]] bool init();+ [[nodiscard]] std::pair<bool, JS::AutoCheckCannotGC> init(); // Find only GC roots in the provided set of |JS::Compartment|s. Note: it's // important to take a CompartmentSet and not a RealmSet: objects in // same-compartment realms can reference each other directly, without going // through CCWs, so if we used a RealmSet here we would miss edges.- [[nodiscard]] bool init(CompartmentSet& debuggees);+ [[nodiscard]] std::pair<bool, JS::AutoCheckCannotGC> init(+ CompartmentSet& debuggees); // Find only GC roots in the given Debugger object's set of debuggee // compartments.- [[nodiscard]] bool init(HandleObject debuggees);+ [[nodiscard]] std::pair<bool, JS::AutoCheckCannotGC> init(+ HandleObject debuggees); // Returns true if the RootList has been initialized successfully, false // otherwise.- bool initialized() { return noGC.isSome(); }+ bool initialized() { return inited; } // Explicitly add the given Node as a root in this RootList. If wantNames is // true, you must pass an edgeName. The RootList does not take ownership of
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Potential Use-After-Free or GC Safety Issue [js/public/UbiNode.h] [Lines 967-1017]
Old Code:
```cpp
class RootList {
Maybe<AutoCheckCannotGC>& noGC;
// ...
RootList(JSContext* cx, Maybe<AutoCheckCannotGC>& noGC, bool wantNames = false);
[[nodiscard]] bool init();
bool initialized() { return noGC.isSome(); }
```
Fixed Code:
```cpp
class RootList {
// noGC reference removed
// ...
explicit RootList(JSContext* cx, bool wantNames = false);
[[nodiscard]] std::pair<bool, JS::AutoCheckCannotGC> init();
bool initialized() { return inited; }
```
Additional Details:
- The vulnerability was related to garbage collection (GC) safety. The old code allowed the RootList to potentially outlive the AutoCheckCannotGC scope, which could lead to use-after-free issues if GC occurred while using the RootList.
- The fix enforces proper GC scoping by returning the AutoCheckCannotGC token directly from init() and removing the external reference, making it impossible for the RootList to outlive the GC protection.
- The comments explicitly warn against storing the RootList in a way that would let it escape the init()'s nogc scope, which was the core of the previous safety issue.
- The change from Maybe<AutoCheckCannotGC> to direct return of AutoCheckCannotGC ensures compile-time enforcement of proper lifetime management.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/ipc/DocAccessibleChildBase.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/ipc/DocAccessibleChildBase.cpp@@ -170,6 +170,15 @@ return IPC_OK(); }+mozilla::ipc::IPCResult DocAccessibleChildBase::RecvDoActionAsync(+ const uint64_t& aID, const uint8_t& aIndex) {+ if (LocalAccessible* acc = IdToAccessible(aID)) {+ Unused << acc->DoAction(aIndex);+ }++ return IPC_OK();+}+ LocalAccessible* DocAccessibleChildBase::IdToAccessible( const uint64_t& aID) const { if (!aID) return mDoc;
Let me analyze the code diff for potential security vulnerabilities.
Vulnerability Existed: not sure
Potential Race Condition Vulnerability [File] accessible/ipc/DocAccessibleChildBase.cpp [Lines] 170-178
[Old Code]
(None - this is a new function being added)
[Fixed Code]
mozilla::ipc::IPCResult DocAccessibleChildBase::RecvDoActionAsync(
const uint64_t& aID, const uint8_t& aIndex) {
if (LocalAccessible* acc = IdToAccessible(aID)) {
Unused << acc->DoAction(aIndex);
}
return IPC_OK();
}
Additional Details:
1. The new function RecvDoActionAsync performs an action asynchronously without any apparent synchronization mechanism. If the accessible object (acc) could be modified or deleted between the IdToAccessible check and the DoAction call, this could potentially lead to a race condition.
2. The use of Unused << suggests the return value of DoAction is being ignored, which might mask potential error conditions.
3. However, without more context about the IPC mechanism and object lifecycle management, I can't be certain this constitutes a vulnerability.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/modules/tests/browser/browser_Troubleshoot.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/modules/tests/browser/browser_Troubleshoot.js@@ -101,27 +101,35 @@ Services.prefs.setBoolPref(p, true); is(Services.prefs.getBoolPref(p), true, "The pref should be set: " + p); });+ Services.prefs.setCharPref("dom.push.userAgentID", "testvalue"); Troubleshoot.snapshot(function(snapshot) { let p = snapshot.modifiedPreferences; is( p["javascript.troubleshoot"], true,- "The pref should be present because it's whitelisted " +- "but not blacklisted."+ "The pref should be present because it's in the allowed prefs " ++ "and not in the pref regexes that are disallowed." ); ok( !("troubleshoot.foo" in p),- "The pref should be absent because it's not in the whitelist."+ "The pref should be absent because it's not in the allowed prefs." ); ok( !("network.proxy.troubleshoot" in p),- "The pref should be absent because it's blacklisted."+ "The pref should be absent because it's in the pref regexes " ++ "that are disallowed."+ );+ ok(+ !("dom.push.userAgentID" in p),+ "The pref should be absent because it's in the pref regexes " ++ "that are disallowed." ); ok( !("print.print_to_filename" in p),- "The pref should be absent because it's not whitelisted."+ "The pref should be absent because it's not in the allowed prefs." ); prefs.forEach(p => Services.prefs.deleteBranch(p));+ Services.prefs.clearUserPref("dom.push.userAgentID"); done(); }); },
Analyzing the provided code diff, here's the security analysis:
1. Vulnerability Existed: not sure
Terminology Update (No specific vulnerability) [File] [Lines 107-108, 111-112, 114-115, 119-120, 123-124]
[Old Code]
- "The pref should be present because it's whitelisted but not blacklisted."
- "The pref should be absent because it's not in the whitelist."
- "The pref should be absent because it's blacklisted."
- "The pref should be absent because it's not whitelisted."
[Fixed Code]
- "The pref should be present because it's in the allowed prefs and not in the pref regexes that are disallowed."
- "The pref should be absent because it's not in the allowed prefs."
- "The pref should be absent because it's in the pref regexes that are disallowed."
- "The pref should be absent because it's not in the allowed prefs."
2. Vulnerability Existed: yes
Sensitive Data Exposure [File] [Lines 101, 130]
[Old Code]
(No code handling dom.push.userAgentID)
[Fixed Code]
Services.prefs.setCharPref("dom.push.userAgentID", "testvalue");
...
Services.prefs.clearUserPref("dom.push.userAgentID");
Additional Notes:
1. The first change appears to be a terminology update from "whitelist/blacklist" to more inclusive language ("allowed prefs"/"disallowed"), which doesn't represent a security vulnerability but rather a language modernization.
2. The second change introduces handling of "dom.push.userAgentID" which could potentially be sensitive user data. The fix ensures this preference is:
- Added for testing purposes
- Verified to be excluded from snapshots (through the new test case)
- Properly cleaned up after the test
This prevents potential sensitive data leaks in troubleshooting snapshots.
No clear vulnerability was fixed, but the changes improve security by:
- Being more explicit about preference filtering rules
- Adding protection for sensitive push-related preferences
- Ensuring proper cleanup of test data
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/media/webrtc/jsapi/RTCStatsReport.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/media/webrtc/jsapi/RTCStatsReport.cpp@@ -8,6 +8,7 @@ #include "libwebrtcglue/SystemTime.h" #include "mozilla/dom/Performance.h" #include "nsRFPService.h"+#include "WebrtcGlobal.h" namespace mozilla::dom {@@ -114,15 +115,8 @@ } void RTCStatsReport::Incorporate(RTCStatsCollection& aStats) {- SetRTCStats(aStats.mIceCandidatePairStats);- SetRTCStats(aStats.mIceCandidateStats);- SetRTCStats(aStats.mInboundRtpStreamStats);- SetRTCStats(aStats.mOutboundRtpStreamStats);- SetRTCStats(aStats.mRemoteInboundRtpStreamStats);- SetRTCStats(aStats.mRemoteOutboundRtpStreamStats);- SetRTCStats(aStats.mRtpContributingSourceStats);- SetRTCStats(aStats.mTrickledIceCandidateStats);- SetRTCStats(aStats.mDataChannelStats);+ ForAllPublicRTCStatsCollectionMembers(+ aStats, [&](auto... aMember) { (SetRTCStats(aMember), ...); }); } void RTCStatsReport::Set(const nsAString& aKey, JS::Handle<JSObject*> aValue,@@ -130,4 +124,43 @@ RTCStatsReport_Binding::MaplikeHelpers::Set(this, aKey, aValue, aRv); }+namespace {+template <size_t I, typename... Ts>+bool MoveInto(std::tuple<Ts...>& aFrom, std::tuple<Ts*...>& aInto) {+ return std::get<I>(aInto)->AppendElements(std::move(std::get<I>(aFrom)),+ fallible);+}++template <size_t... Is, typename... Ts>+bool MoveInto(std::tuple<Ts...>&& aFrom, std::tuple<Ts*...>& aInto,+ std::index_sequence<Is...>) {+ return (... && MoveInto<Is>(aFrom, aInto));+}++template <typename... Ts>+bool MoveInto(std::tuple<Ts...>&& aFrom, std::tuple<Ts*...>& aInto) {+ return MoveInto(std::move(aFrom), aInto, std::index_sequence_for<Ts...>());+}+} // namespace++void MergeStats(UniquePtr<RTCStatsCollection> aFromStats,+ RTCStatsCollection* aIntoStats) {+ auto fromTuple = ForAllRTCStatsCollectionMembers(+ *aFromStats,+ [&](auto&... aMember) { return std::make_tuple(std::move(aMember)...); });+ auto intoTuple = ForAllRTCStatsCollectionMembers(+ *aIntoStats,+ [&](auto&... aMember) { return std::make_tuple(&aMember...); });+ if (!MoveInto(std::move(fromTuple), intoTuple)) {+ mozalloc_handle_oom(0);+ }+}++void FlattenStats(nsTArray<UniquePtr<RTCStatsCollection>> aFromStats,+ RTCStatsCollection* aIntoStats) {+ for (auto& stats : aFromStats) {+ MergeStats(std::move(stats), aIntoStats);+ }+}+ } // namespace mozilla::dom
I'll analyze the provided code diff for security fixes following the specified format. 1. Vulnerability Existed: not sure [Potential Memory Allocation Failure Handling] [dom/media/webrtc/jsapi/RTCStatsReport.cpp] [Lines 124-143] [Old Code: No explicit handling of memory allocation failures] [Fixed Code: Added oom handling in MoveInto function with mozalloc_handle_oom] 2. Vulnerability Existed: no [Code Refactoring] [dom/media/webrtc/jsapi/RTCStatsReport.cpp] [Lines 114-117] [Old Code: Multiple explicit SetRTCStats calls for different stats types] [Fixed Code: Replaced with template-based ForAllPublicRTCStatsCollectionMembers approach] 3. Vulnerability Existed: not sure [Potential Resource Management] [dom/media/webrtc/jsapi/RTCStatsReport.cpp] [Lines 124-143] [Old Code: No stats merging functionality] [Fixed Code: Added MergeStats and FlattenStats functions with move semantics] The most notable change is the addition of memory allocation failure handling in the MoveInto function, which could potentially address memory-related security issues. However, without more context about the specific threat model, I can't definitively classify this as a security fix for a known vulnerability. The other changes appear to be primarily code refactoring and adding new functionality for stats merging, which don't appear to be directly related to security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-1.html@@ -17,14 +17,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120, 100%, 50%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely cosmetic/refactoring changes (variable renaming) rather than security-related fixes.
Here's the analysis following your requested format:
Vulnerability Existed: no
No security vulnerability found [testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-1.html] [Lines 17-25]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
The changes simply rename the variable `offscreenCanvas` to `canvas` and update the references to it. There are no security implications to these changes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.copy.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.copy.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 255, 0.5)';@@ -22,7 +22,7 @@ ctx.globalCompositeOperation = 'copy'; var offscreenCanvas2 = new OffscreenCanvas(100, 50); ctx.drawImage(offscreenCanvas2, 0, 0);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); t.done(); });
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security aspects. Here's the analysis:
1. Vulnerability Existed: no
Variable Renaming [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.nocontext.copy.worker.js] [Lines 13-14, 22]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);
The changes simply rename the variable `offscreenCanvas` to `canvas` and update all references to it. There are no security implications in this change. The functionality remains exactly the same, just with a different variable name.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-fonts/font-features-across-space-2.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-fonts/font-features-across-space-2.html@@ -7,7 +7,6 @@ <link rel="help" href="http://www.w3.org/TR/css-fonts-3/#font-feature-settings-prop"/> <link rel="reviewer" title="Chris Lilley" href="mailto:[email protected]" /> <link rel="match" href="font-features-across-space-1-ref.html"/>-<meta name="flags" content=""/> <meta name="assert" content="Ligature features should be handled across spaces with font-variant-ligatures"/> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <style type="text/css">
Based on the provided diff, I'll analyze it for security vulnerabilities: Vulnerability Existed: no [No specific vulnerability found] [testing/web-platform/tests/css/css-fonts/font-features-across-space-2.html] [Lines 7] [Old Code: <meta name="flags" content=""/>] [Fixed Code: [removed line]] Additional Details: - The change simply removes a meta tag with empty flags attribute, which doesn't appear to have any security implications - This seems to be a test file cleanup rather than a security fix - No known vulnerability patterns (XSS, injection, etc.) are present in this change - The modification doesn't affect any security-related functionality Note: If there was any security concern with the empty flags attribute, it would be extremely minor and theoretical at best, as it wasn't being used for any actual functionality.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/tools/wptrunner/wptrunner/executors/executorservodriver.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/tools/wptrunner/wptrunner/executors/executorservodriver.py@@ -4,13 +4,13 @@ import traceback from .base import (Protocol,- BaseProtocolPart, RefTestExecutor, RefTestImplementation, TestharnessExecutor, TimedRunner, strip_server)-from ..webdriver_server import wait_for_service+from .protocol import BaseProtocolPart+from ..environment import wait_for_service webdriver = None ServoCommandExtensions = None@@ -96,7 +96,7 @@ def connect(self): """Connect to browser via WebDriver."""- wait_for_service((self.host, self.port), timeout=self.init_timeout)+ wait_for_service(self.logger, self.host, self.port, timeout=self.init_timeout) self.session = webdriver.Session(self.host, self.port, extension=ServoCommandExtensions) self.session.start()
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Import Reorganization] [testing/web-platform/tests/tools/wptrunner/wptrunner/executors/executorservodriver.py] [Lines 4-9]
[Old Code]
from .base import (Protocol,
BaseProtocolPart,
RefTestExecutor,
RefTestImplementation,
TestharnessExecutor,
TimedRunner,
strip_server)
from ..webdriver_server import wait_for_service
[Fixed Code]
from .base import (Protocol,
RefTestExecutor,
RefTestImplementation,
TestharnessExecutor,
TimedRunner,
strip_server)
from .protocol import BaseProtocolPart
from ..environment import wait_for_service
2. Vulnerability Existed: yes
[Insufficient Service Connection Validation] [testing/web-platform/tests/tools/wptrunner/wptrunner/executors/executorservodriver.py] [Line 96]
[Old Code]
wait_for_service((self.host, self.port), timeout=self.init_timeout)
[Fixed Code]
wait_for_service(self.logger, self.host, self.port, timeout=self.init_timeout)
The second change appears to be a security improvement where the service connection validation is enhanced by:
1. Adding logger parameter for better error tracking
2. Explicitly passing host and port separately rather than as a tuple
3. This could help in better debugging and validation of the service connection
The first change appears to be code reorganization rather than a direct security fix, though it might have indirect security benefits by better organizing protocol-related code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/netwerk/ipc/NeckoParent.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/netwerk/ipc/NeckoParent.h@@ -30,8 +30,9 @@ friend class PNeckoParent; public:+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(NeckoParent, override)+ NeckoParent();- virtual ~NeckoParent() = default; [[nodiscard]] static const char* GetValidatedOriginAttributes( const SerializedLoadContext& aSerialized, PContentParent* aBrowser,@@ -57,6 +58,8 @@ } protected:+ virtual ~NeckoParent() = default;+ bool mSocketProcessBridgeInited; already_AddRefed<PHttpChannelParent> AllocPHttpChannelParent(
Here's the analysis of the provided code diff: 1. Vulnerability Existed: not sure Thread Safety Issue [netwerk/ipc/NeckoParent.h] [Lines 30-32] Old Code: ``` NeckoParent(); virtual ~NeckoParent() = default; ``` Fixed Code: ``` NS_INLINE_DECL_THREADSAFE_REFCOUNTING(NeckoParent, override) NeckoParent(); ``` Additional Details: The change adds thread-safe reference counting to the class, which suggests potential thread safety concerns in the previous version. However, without more context about how the class is used, we can't be certain if this was actually causing vulnerabilities. 2. Vulnerability Existed: not sure Destructor Visibility Issue [netwerk/ipc/NeckoParent.h] [Lines 57-58] Old Code: (No protected destructor shown) Fixed Code: ``` protected: virtual ~NeckoParent() = default; ``` Additional Details: Moving the destructor to protected section is generally a good practice for ref-counted classes to prevent direct deletion, but it's unclear if this was actually causing vulnerabilities in the previous version. Note: The changes appear to be related to improving thread safety and proper object lifecycle management, but without more context about how this class is used in the codebase, we can't definitively say these were fixing actual vulnerabilities. The changes are more likely preventive measures than fixes for existing vulnerabilities.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/xul/nsXULPopupManager.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/xul/nsXULPopupManager.cpp@@ -687,19 +687,37 @@ } }-void nsXULPopupManager::ShowMenu(nsIContent* aMenu, bool aSelectFirstItem,- bool aAsynchronous) {+auto nsXULPopupManager::MayShowMenu(nsIContent* aMenu) -> MayShowMenuResult { if (mNativeMenu && aMenu->IsElement() && mNativeMenu->Element()->Contains(aMenu)) {+ return {true};+ }++ nsMenuFrame* menuFrame = do_QueryFrame(aMenu->GetPrimaryFrame());+ if (!menuFrame || !menuFrame->IsMenu()) {+ return {};+ }++ nsMenuPopupFrame* popupFrame = menuFrame->GetPopup();+ if (!popupFrame || !MayShowPopup(popupFrame)) {+ return {};+ }+ return {false, menuFrame, popupFrame};+}++void nsXULPopupManager::ShowMenu(nsIContent* aMenu, bool aSelectFirstItem) {+ auto mayShowResult = MayShowMenu(aMenu);+ if (!mayShowResult) {+ return;+ }++ if (mayShowResult.mIsNative) { mNativeMenu->OpenSubmenu(aMenu->AsElement()); return; }- nsMenuFrame* menuFrame = do_QueryFrame(aMenu->GetPrimaryFrame());- if (!menuFrame || !menuFrame->IsMenu()) return;-- nsMenuPopupFrame* popupFrame = menuFrame->GetPopup();- if (!popupFrame || !MayShowPopup(popupFrame)) return;+ nsMenuFrame* menuFrame = mayShowResult.mMenuFrame;+ nsMenuPopupFrame* popupFrame = mayShowResult.mMenuPopupFrame; // inherit whether or not we're a context menu from the parent bool parentIsContextMenu = false;@@ -728,22 +746,8 @@ // there is no trigger event for menus popupFrame->InitializePopup(aMenu, nullptr, position, 0, 0, MenuPopupAnchorType_Node, true);-- if (aAsynchronous) {- nsCOMPtr<nsIRunnable> event =- NS_NewRunnableFunction("BeginShowingPopup", [=]() {- nsXULPopupManager* pm = nsXULPopupManager::GetInstance();- if (pm) {- PendingPopup pendingPopup(popupFrame->GetContent(), nullptr);- pm->BeginShowingPopup(pendingPopup, parentIsContextMenu,- aSelectFirstItem);- }- });- aMenu->OwnerDoc()->Dispatch(TaskCategory::Other, event.forget());- } else {- PendingPopup pendingPopup(popupFrame->GetContent(), nullptr);- BeginShowingPopup(pendingPopup, parentIsContextMenu, aSelectFirstItem);- }+ PendingPopup pendingPopup(popupFrame->GetContent(), nullptr);+ BeginShowingPopup(pendingPopup, parentIsContextMenu, aSelectFirstItem); } void nsXULPopupManager::ShowPopup(nsIContent* aPopup,@@ -1563,8 +1567,7 @@ bool aSelectFirstItem) { RefPtr<nsIContent> popup = aPendingPopup.mPopup;- nsMenuPopupFrame* popupFrame =- do_QueryFrame(popup->GetPrimaryFrame());+ nsMenuPopupFrame* popupFrame = do_QueryFrame(popup->GetPrimaryFrame()); if (!popupFrame) { return; }@@ -2207,7 +2210,7 @@ nsMenuFrame* menuToOpen = result->Enter(evt); if (menuToOpen) { nsCOMPtr<nsIContent> content = menuToOpen->GetContent();- ShowMenu(content, true, false);+ ShowMenu(content, true); } } return true;@@ -2306,7 +2309,7 @@ // Open the menu and select its first item. if (currentMenu) { nsCOMPtr<nsIContent> content = currentMenu->GetContent();- ShowMenu(content, true, false);+ ShowMenu(content, true); } return true; }@@ -2353,7 +2356,7 @@ !currentMenu->IsDisabled()) { // The menu is not yet open. Open it and select the first item. nsCOMPtr<nsIContent> content = currentMenu->GetContent();- ShowMenu(content, true, false);+ ShowMenu(content, true); return true; } }@@ -2491,7 +2494,7 @@ } if (menuToOpen) { nsCOMPtr<nsIContent> content = menuToOpen->GetContent();- ShowMenu(content, true, false);+ ShowMenu(content, true); } break; }
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: yes
Race Condition in Asynchronous Menu Display [layout/xul/nsXULPopupManager.cpp] [Lines 687-746]
Old Code:
```cpp
void nsXULPopupManager::ShowMenu(nsIContent* aMenu, bool aSelectFirstItem,
bool aAsynchronous) {
if (mNativeMenu && aMenu->IsElement() &&
mNativeMenu->Element()->Contains(aMenu)) {
mNativeMenu->OpenSubmenu(aMenu->AsElement());
return;
}
// ... [code continues with asynchronous handling]
```
Fixed Code:
```cpp
void nsXULPopupManager::ShowMenu(nsIContent* aMenu, bool aSelectFirstItem) {
auto mayShowResult = MayShowMenu(aMenu);
if (!mayShowResult) {
return;
}
// ... [code continues with synchronous handling only]
```
2. Vulnerability Existed: yes
Missing Input Validation [layout/xul/nsXULPopupManager.cpp] [Lines 687-746]
Old Code:
```cpp
void nsXULPopupManager::ShowMenu(nsIContent* aMenu, bool aSelectFirstItem,
bool aAsynchronous) {
if (mNativeMenu && aMenu->IsElement() &&
mNativeMenu->Element()->Contains(aMenu)) {
// ... [immediately proceeds with execution]
```
Fixed Code:
```cpp
auto nsXULPopupManager::MayShowMenu(nsIContent* aMenu) -> MayShowMenuResult {
if (mNativeMenu && aMenu->IsElement() &&
mNativeMenu->Element()->Contains(aMenu)) {
return {true};
}
// ... [added proper validation checks]
```
The changes indicate two security improvements:
1. Removal of asynchronous menu display which could lead to race conditions
2. Addition of proper input validation through the new MayShowMenu function before processing menu displays
The most significant change is the elimination of the asynchronous execution path, which could potentially lead to race conditions where menu state could be manipulated between the time of request and actual display. The new implementation enforces synchronous execution with proper validation checks.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/mochitest/tests/python/conftest.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/mochitest/tests/python/conftest.py@@ -12,7 +12,7 @@ import mozinfo from manifestparser import TestManifest, expression-from moztest.selftest.fixtures import binary, setup_test_harness # noqa+from moztest.selftest.fixtures import binary_fixture, setup_test_harness # noqa here = os.path.abspath(os.path.dirname(__file__)) setup_args = [os.path.join(here, "files"), "mochitest", "testing/mochitest"]@@ -102,11 +102,14 @@ def inner(*tests, **opts): assert len(tests) > 0- manifest = TestManifest()- # pylint --py3k: W1636- manifest.tests.extend(list(map(normalize, tests)))- options["manifestFile"] = manifest- options.update(opts)+ # Inject a TestManifest in the runtests option if one+ # has not been already included by the caller.+ if not isinstance(options["manifestFile"], TestManifest):+ manifest = TestManifest()+ options["manifestFile"] = manifest+ # pylint --py3k: W1636+ manifest.tests.extend(list(map(normalize, tests)))+ options.update(opts) result = runtests.run_test_harness(parser, Namespace(**options)) out = json.loads("[" + ",".join(buf.getvalue().splitlines()) + "]")@@ -137,7 +140,7 @@ runtests = pytest.importorskip("runtests") runtests.update_mozinfo()- skip_mozinfo = request.node.get_marker("skip_mozinfo")+ skip_mozinfo = request.node.get_closest_marker("skip_mozinfo") if skip_mozinfo: value = skip_mozinfo.args[0] if expression.parse(value, **mozinfo.info):
Here's the analysis of the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Potential Test Manifest Injection] [testing/mochitest/tests/python/conftest.py] [Lines 102-114]
[Old Code]
manifest = TestManifest()
# pylint --py3k: W1636
manifest.tests.extend(list(map(normalize, tests)))
options["manifestFile"] = manifest
options.update(opts)
[Fixed Code]
if not isinstance(options["manifestFile"], TestManifest):
manifest = TestManifest()
options["manifestFile"] = manifest
# pylint --py3k: W1636
manifest.tests.extend(list(map(normalize, tests)))
options.update(opts)
2. Vulnerability Existed: no
[Deprecated API Usage] [testing/mochitest/tests/python/conftest.py] [Line 140]
[Old Code]
skip_mozinfo = request.node.get_marker("skip_mozinfo")
[Fixed Code]
skip_mozinfo = request.node.get_closest_marker("skip_mozinfo")
3. Vulnerability Existed: not sure
[Import Change] [testing/mochitest/tests/python/conftest.py] [Line 12]
[Old Code]
from moztest.selftest.fixtures import binary, setup_test_harness # noqa
[Fixed Code]
from moztest.selftest.fixtures import binary_fixture, setup_test_harness # noqa
Notes:
1. The first change adds a check for existing TestManifest instances, which might prevent some kind of test manifest injection, but I'm not certain about the security implications.
2. The second change is clearly just updating to a newer pytest API and has no security implications.
3. The import change from 'binary' to 'binary_fixture' might be related to some security hardening, but without more context, I can't be certain.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/gfx/wr/wrench/src/blob.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/gfx/wr/wrench/src/blob.rs@@ -19,11 +19,11 @@ fn deserialize_blob(blob: &[u8]) -> Result<ColorU, ()> { let mut iter = blob.iter();- return match (iter.next(), iter.next(), iter.next(), iter.next()) {+ match (iter.next(), iter.next(), iter.next(), iter.next()) { (Some(&r), Some(&g), Some(&b), Some(&a)) => Ok(ColorU::new(r, g, b, a)), (Some(&a), None, None, None) => Ok(ColorU::new(a, a, a, a)), _ => Err(()),- };+ } } // perform floor((x * a) / 255. + 0.5) see "Three wrongs make a right" for derivation@@ -78,7 +78,7 @@ ImageFormat::BGRA8 => { let a = color.a * checker + tc; let pixel_offset = ((y * descriptor.rect.width() + x) * 4) as usize;- texels[pixel_offset + 0] = premul(color.b * checker + tc, a);+ texels[pixel_offset ] = premul(color.b * checker + tc, a); texels[pixel_offset + 1] = premul(color.g * checker + tc, a); texels[pixel_offset + 2] = premul(color.r * checker + tc, a); texels[pixel_offset + 3] = a;@@ -161,7 +161,7 @@ requests: &[BlobImageParams], ) { if !requests.is_empty() {- (self.callbacks.lock().unwrap().request)(&requests);+ (self.callbacks.lock().unwrap().request)(requests); } }@@ -191,7 +191,7 @@ requests: &[BlobImageParams], _low_priority: bool ) -> Vec<(BlobImageRequest, BlobImageResult)> {- let requests: Vec<Command> = requests.into_iter().map(+ let requests: Vec<Command> = requests.iter().map( |item| { let (color, tile_size) = self.image_cmds[&item.request.key];
Analyzing the provided code diff for security fixes:
1. Vulnerability Existed: not sure
[Possible Code Style/Consistency Issue] [gfx/wr/wrench/src/blob.rs] [19-23]
[Old Code]
return match (iter.next(), iter.next(), iter.next(), iter.next()) {
(Some(&r), Some(&g), Some(&b), Some(&a)) => Ok(ColorU::new(r, g, b, a)),
(Some(&a), None, None, None) => Ok(ColorU::new(a, a, a, a)),
_ => Err(()),
};
[Fixed Code]
match (iter.next(), iter.next(), iter.next(), iter.next()) {
(Some(&r), Some(&g), Some(&b), Some(&a)) => Ok(ColorU::new(r, g, b, a)),
(Some(&a), None, None, None) => Ok(ColorU::new(a, a, a, a)),
_ => Err(()),
}
2. Vulnerability Existed: not sure
[Possible Array Indexing Issue] [gfx/wr/wrench/src/blob.rs] [78]
[Old Code]
texels[pixel_offset + 0] = premul(color.b * checker + tc, a);
[Fixed Code]
texels[pixel_offset ] = premul(color.b * checker + tc, a);
3. Vulnerability Existed: not sure
[Possible Reference Handling Issue] [gfx/wr/wrench/src/blob.rs] [161]
[Old Code]
(self.callbacks.lock().unwrap().request)(&requests);
[Fixed Code]
(self.callbacks.lock().unwrap().request)(requests);
4. Vulnerability Existed: not sure
[Possible Iterator Issue] [gfx/wr/wrench/src/blob.rs] [191]
[Old Code]
let requests: Vec<Command> = requests.into_iter().map(
[Fixed Code]
let requests: Vec<Command> = requests.iter().map(
Note: While these changes appear to be improvements in code style, consistency, and potentially safety, I couldn't identify any specific security vulnerabilities that were clearly fixed by these changes. The modifications seem more related to code quality than security fixes.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/tools/wptrunner/requirements_safari.txt+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/tools/wptrunner/requirements_safari.txt@@ -1,2 +1 @@-mozprocess==1.3.0 psutil==5.8.0
Let me analyze the provided code diff for security fixes. Analysis: 1. The diff shows a change in the requirements file for Safari testing, removing the `mozprocess` dependency while keeping `psutil`. 2. This appears to be a dependency cleanup rather than a security fix. 3. There are no obvious security vulnerabilities being fixed here. Answer: Vulnerability Existed: no [Dependency Removal] [testing/web-platform/tests/tools/wptrunner/requirements_safari.txt] [Lines 1] [mozprocess==1.3.0 psutil==5.8.0] [psutil==5.8.0] Additional Notes: - The removal of `mozprocess` might be related to test infrastructure changes rather than security concerns - The remaining `psutil` version (5.8.0) appears to be unchanged and doesn't indicate a security update - No CVE or known vulnerability is being addressed in this change
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInStroke.basic.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.isPointInStroke.basic.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.strokeStyle = '#0f0'; ctx.beginPath();
Analyzing the provided code diff, here's the security assessment:
1. Vulnerability Existed: no
No security vulnerability found [File] [Lines 17-18]
Old Code:
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
Fixed Code:
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
Additional Details:
- The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`
- No security implications are evident in this change
- The functionality remains identical, only the variable naming convention was modified
- This is likely a code style/consistency improvement rather than a security fix
No known vulnerabilities (like XSS, injection, etc.) are addressed by this change. The modification doesn't affect security-related aspects of the code.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/dom/push/test/test_error_reporting.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/dom/push/test/test_error_reporting.html@@ -55,7 +55,7 @@ function waitForDeliveryError(request) { return new Promise(resolve => { var data = new TextEncoder("utf-8").encode(JSON.stringify(request));- var principal = SpecialPowers.wrap(document).nodePrincipal;+ var principal = SpecialPowers.wrap(window).clientPrincipal; let messageId = "message-" + (idCounter++); reporters.set(messageId, resolve);@@ -88,7 +88,7 @@ } });- var principal = SpecialPowers.wrap(document).nodePrincipal;+ var principal = SpecialPowers.wrap(window).clientPrincipal; pushNotifier.notifyError(registration.scope, principal, "Push error", SpecialPowers.Ci.nsIScriptError.errorFlag); });
Here's the analysis of the provided code diff:
1. Vulnerability Existed: not sure
[Potential Principal Access Change] [dom/push/test/test_error_reporting.html] [Lines 55, 88]
[Old Code] var principal = SpecialPowers.wrap(document).nodePrincipal;
[Fixed Code] var principal = SpecialPowers.wrap(window).clientPrincipal;
Additional Details:
- The change involves switching from using `document.nodePrincipal` to `window.clientPrincipal`
- While this appears to be a security-related change (as it deals with principals), I'm not certain if this fixes a specific known vulnerability
- The change might be related to more accurate principal access in test code, but without more context about the specific security implications, I can't definitively identify a vulnerability
- The modification appears in two locations in the file, both making the same change from document to window principal access
Note: The change seems to be related to how test code accesses principals, which might be more about test accuracy than fixing a production vulnerability. However, principal handling is security-sensitive, so it's worth noting the change.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/cleardata/tests/unit/test_security_settings.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/cleardata/tests/unit/test_security_settings.js@@ -109,28 +109,30 @@ add_task(async function test_baseDomain() { gSSService.clearAll();- addTestSecurityInfo();-- // Clear security settings of example.net including partitions.++ // ---- hsts cleaner ----+ addTestSecurityInfo();++ // Clear hsts data of example.net including partitions. await new Promise(aResolve => { Services.clearData.deleteDataFromBaseDomain( "example.net", false,- Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,- aResolve- );- });-- testSecurityInfo({- host: "example.net",- expectedHSTS: false,- expectedCARS: false,- });- // SecuritySettingsCleaner also removes subdomain settings.- testSecurityInfo({- host: "test.example.net",- expectedHSTS: false,- expectedCARS: false,+ Ci.nsIClearDataService.CLEAR_HSTS,+ aResolve+ );+ });++ testSecurityInfo({+ host: "example.net",+ expectedHSTS: false,+ expectedCARS: true,+ });+ // HSTSCleaner also removes subdomain settings.+ testSecurityInfo({+ host: "test.example.net",+ expectedHSTS: false,+ expectedCARS: true, }); testSecurityInfo({ host: "example.org" });@@ -138,18 +140,63 @@ host: "example.com", topLevelBaseDomain: "example.net", expectedHSTS: false,- expectedCARS: false,- });- testSecurityInfo({- host: "example.net",- topLevelBaseDomain: "example.org",- expectedHSTS: false,- expectedCARS: false,- });- testSecurityInfo({- host: "test.example.net",- topLevelBaseDomain: "example.org",- expectedHSTS: false,+ expectedCARS: true,+ });+ testSecurityInfo({+ host: "example.net",+ topLevelBaseDomain: "example.org",+ expectedHSTS: false,+ expectedCARS: true,+ });+ testSecurityInfo({+ host: "test.example.net",+ topLevelBaseDomain: "example.org",+ expectedHSTS: false,+ expectedCARS: true,+ });++ // ---- client auth remember cleaner -----+ addTestSecurityInfo();++ // Clear security settings of example.net including partitions.+ await new Promise(aResolve => {+ Services.clearData.deleteDataFromBaseDomain(+ "example.net",+ false,+ Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,+ aResolve+ );+ });++ testSecurityInfo({+ host: "example.net",+ expectedHSTS: true,+ expectedCARS: false,+ });+ // ClientAuthRememberCleaner also removes subdomain settings.+ testSecurityInfo({+ host: "test.example.net",+ expectedHSTS: true,+ expectedCARS: false,+ });+ testSecurityInfo({ host: "example.org" });++ testSecurityInfo({+ host: "example.com",+ topLevelBaseDomain: "example.net",+ expectedHSTS: true,+ expectedCARS: false,+ });+ testSecurityInfo({+ host: "example.net",+ topLevelBaseDomain: "example.org",+ expectedHSTS: true,+ expectedCARS: false,+ });+ testSecurityInfo({+ host: "test.example.net",+ topLevelBaseDomain: "example.org",+ expectedHSTS: true, expectedCARS: false, });@@ -159,6 +206,8 @@ add_task(async function test_host() { gSSService.clearAll();++ // ---- HSTS cleaer ---- addTestSecurityInfo(); // Clear security settings of example.net without partitions.@@ -166,15 +215,15 @@ Services.clearData.deleteDataFromHost( "example.net", false,- Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,- aResolve- );- });-- testSecurityInfo({- host: "example.net",- expectedHSTS: false,- expectedCARS: false,+ Ci.nsIClearDataService.CLEAR_HSTS,+ aResolve+ );+ });++ testSecurityInfo({+ host: "example.net",+ expectedHSTS: false,+ expectedCARS: true, }); testSecurityInfo({ host: "test.example.net",@@ -188,7 +237,7 @@ host: "example.net", topLevelBaseDomain: "example.org", expectedHSTS: false,- expectedCARS: false,+ expectedCARS: true, }); testSecurityInfo({ host: "test.example.net",@@ -199,4 +248,47 @@ // Cleanup gSSService.clearAll();++ // --- clientAuthRemember cleaner ---++ addTestSecurityInfo();++ // Clear security settings of example.net without partitions.+ await new Promise(aResolve => {+ Services.clearData.deleteDataFromHost(+ "example.net",+ false,+ Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,+ aResolve+ );+ });++ testSecurityInfo({+ host: "example.net",+ expectedHSTS: true,+ expectedCARS: false,+ });+ testSecurityInfo({+ host: "test.example.net",+ expectedHSTS: true,+ expectedCARS: true,+ });+ testSecurityInfo({ host: "example.org" });++ testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" });+ testSecurityInfo({+ host: "example.net",+ topLevelBaseDomain: "example.org",+ expectedHSTS: true,+ expectedCARS: false,+ });+ testSecurityInfo({+ host: "test.example.net",+ topLevelBaseDomain: "example.org",+ expectedHSTS: true,+ expectedCARS: true,+ });++ // Cleanup+ gSSService.clearAll(); });
I'll analyze the code diff for security fixes following the specified format.
1. Vulnerability Existed: not sure
[HSTS/CARS Clear Separation] [toolkit/components/cleardata/tests/unit/test_security_settings.js] [Lines 109-248]
[Old Code]
// Clear security settings of example.net including partitions.
await new Promise(aResolve => {
Services.clearData.deleteDataFromBaseDomain(
"example.net",
false,
Ci.nsIClearDataService.CLEAR_SECURITY_SETTINGS,
aResolve
);
});
[Fixed Code]
// ---- hsts cleaner ----
await new Promise(aResolve => {
Services.clearData.deleteDataFromBaseDomain(
"example.net",
false,
Ci.nsIClearDataService.CLEAR_HSTS,
aResolve
);
});
// ---- client auth remember cleaner -----
await new Promise(aResolve => {
Services.clearData.deleteDataFromBaseDomain(
"example.net",
false,
Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE,
aResolve
);
});
Additional Details: The diff shows a separation of security settings clearing into distinct operations for HSTS and client auth remember service. While not a direct vulnerability fix, this change improves security by allowing more granular control over which security settings are cleared.
2. Vulnerability Existed: not sure
[Subdomain Clearing Behavior] [toolkit/components/cleardata/tests/unit/test_security_settings.js] [Lines 109-248]
[Old Code]
// SecuritySettingsCleaner also removes subdomain settings.
testSecurityInfo({
host: "test.example.net",
expectedHSTS: false,
expectedCARS: false,
});
[Fixed Code]
// HSTSCleaner also removes subdomain settings.
testSecurityInfo({
host: "test.example.net",
expectedHSTS: false,
expectedCARS: true,
});
Additional Details: The change modifies the behavior of subdomain clearing, now preserving CARS (Client Auth Remember Service) settings when only HSTS is cleared. This appears to be a refinement of the clearing logic rather than a direct vulnerability fix.
The changes primarily focus on separating the clearing of different security settings (HSTS vs Client Auth Remember) rather than fixing specific vulnerabilities. The modifications improve the granularity and precision of security settings clearing operations.
If an attacker could control the contents of an iframe sandboxed with <code>allow-popups</code> but not <code>allow-scripts</code>, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.