Shared security patch analysis results
AI Used: DEEPSEEK deepseek-chat
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/streams/transform-streams/flush.any.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/streams/transform-streams/flush.any.js@@ -1,4 +1,4 @@-// META: global=window,worker,jsshell+// META: global=window,worker // META: script=../resources/test-utils.js 'use strict';
Analysis of the provided code diff:

1. Vulnerability Existed: no
[Removed jsshell from test environment globals] [testing/web-platform/tests/streams/transform-streams/flush.any.js] [Lines 1]
Old Code: `// META: global=window,worker,jsshell`
Fixed Code: `// META: global=window,worker`
Additional Details:
- The change simply removes 'jsshell' from the list of test environments where this test should run
- This appears to be a test configuration change rather than a security fix
- No actual vulnerability is being fixed here, just narrowing the test scope
- The modification suggests the test isn't relevant or doesn't work properly in the jsshell environment

No security vulnerabilities were identified in this diff. The change is purely related to test environment configuration.
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.unaffected.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.unaffected.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -30,8 +30,8 @@ ctx.fillStyle = '#0f0'; ctx.fill();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");-_assertPixel(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255"); t.done(); });
After analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no
No specific vulnerability found
[File] testing/web-platform/tests/html/canvas/offscreen/text/2d.text.draw.fill.unaffected.worker.js
[Lines] 13-30
[Old Code]
```
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
...
_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
_assertPixel(offscreenCanvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255");
```
[Fixed Code]
```
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
...
_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
_assertPixel(canvas, 5,45, 0,255,0,255, "5,45", "0,255,0,255");
```

The changes appear to be purely cosmetic, renaming the variable from `offscreenCanvas` to `canvas`. There are no security-related changes in this diff. The functionality remains identical; only the variable name has been changed for consistency or clarity.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/fetch/corb/README.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/fetch/corb/README.md@@ -3,7 +3,7 @@ ### Summary This directory contains tests related to the-[Cross-Origin Resource Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md)+[Cross-Origin Resource Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/main/services/network/cross_origin_read_blocking_explainer.md) algorithm. The tests in this directory interact with various, random features,
Based on the provided diff, I'll analyze it for security fixes:

1. Vulnerability Existed: not sure
[Documentation Link Update] [testing/web-platform/tests/fetch/corb/README.md] [Lines 3-7]
[Old Code]
`[Cross-Origin Resource Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md)`
[Fixed Code]
`[Cross-Origin Resource Blocking (CORB)](https://chromium.googlesource.com/chromium/src/+/main/services/network/cross_origin_read_blocking_explainer.md)`
Additional Details:
- The change updates a documentation link from the "master" branch to the "main" branch reference
- This appears to be more of a maintenance/documentation update rather than a security fix
- The change doesn't directly address any specific vulnerability, but rather reflects Chromium's branch naming convention change
- The CORB (Cross-Origin Resource Blocking) feature itself is a security mechanism, but this particular change doesn't modify its implementation or behavior

Note: While the change involves a security-related feature (CORB), the diff itself doesn't represent a security fix but rather a documentation update.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-pseudo/selection-contenteditable-011.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-pseudo/selection-contenteditable-011.html@@ -9,7 +9,6 @@ <link rel="match" href="reference/selection-contenteditable-011-ref.html"> <!-- Allow different antialiased pixels on the focus ring. --> <meta name="fuzzy" content="0-5;0-255">- <meta content="" name="flags"> <style> div
Let me analyze the code diff for potential security vulnerabilities.

Vulnerability Existed: no
No specific vulnerability
[File] [Lines 9-10]
[Old Code] `<meta content="" name="flags">`
[Fixed Code] (removed line)
Additional Details:
- This appears to be a simple removal of a meta tag that wasn't serving any purpose (empty "flags" attribute)
- The change doesn't relate to any known security vulnerability patterns
- The modification seems to be cleanup rather than a security fix
- No security-relevant functionality was altered in this change

No other vulnerabilities were detected in this small diff. The change is purely removing an unused meta tag from the HTML test file.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/darling/README.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/darling/README.md@@ -1,7 +1,7 @@ Darling =======-[](https://travis-ci.org/TedDriggs/darling)+[](https://github.com/TedDriggs/darling/actions) [](https://crates.io/crates/darling) [](https://blog.rust-lang.org/2018/12/06/Rust-1.31-and-rust-2018.html)@@ -18,6 +18,7 @@ 2. `FromDeriveInput` is implemented or derived by each proc-macro crate which depends on `darling`. This is the root for input parsing; it gets access to the identity, generics, and visibility of the target type, and can specify which attribute names should be parsed or forwarded from the input AST. 3. `FromField` is implemented or derived by each proc-macro crate which depends on `darling`. Structs deriving this trait will get access to the identity (if it exists), type, and visibility of the field. 4. `FromVariant` is implemented or derived by each proc-macro crate which depends on `darling`. Structs deriving this trait will get access to the identity and contents of the variant, which can be transformed the same as any other `darling` input.+5. `FromAttributes` is a lower-level version of the more-specific `FromDeriveInput`, `FromField`, and `FromVariant` traits. Structs deriving this trait get a meta-item extractor and error collection which works for any syntax element, including traits, trait items, and functions. This is useful for non-derive proc macros. 
## Additional Modules * `darling::ast` provides generic types for representing the AST.@@ -40,7 +41,7 @@ } #[derive(FromDeriveInput)]-#[darling(from_ident, attributes(my_crate), forward_attrs(allow, doc, cfg))]+#[darling(attributes(my_crate), forward_attrs(allow, doc, cfg))] pub struct MyTraitOpts { ident: syn::Ident, attrs: Vec<syn::Attribute>,@@ -53,7 +54,7 @@ ```rust,ignore /// A doc comment which will be available in `MyTraitOpts::attrs`. #[derive(MyTrait)]-#[my_crate(lorem(dolor = "Hello", ipsum))]+#[my_crate(lorem(dolor = "Hello", sit))] pub struct ConsumingType; ```@@ -82,7 +83,7 @@ let _args = match MacroArgs::from_list(&attr_args) { Ok(v) => v,- Err(e) => { return e.write_errors(); }+ Err(e) => { return TokenStream::from(e.write_errors()); } }; // do things with `args`@@ -106,8 +107,8 @@ * **Defaults**: Supports struct- and field-level defaults, using the same path syntax as `serde`. * **Field Renaming**: Fields can have different names in usage vs. the backing code. * **Auto-populated fields**: Structs deriving `FromDeriveInput` and `FromField` can declare properties named `ident`, `vis`, `ty`, `attrs`, and `generics` to automatically get copies of the matching values from the input AST. `FromDeriveInput` additionally exposes `data` to get access to the body of the deriving type, and `FromVariant` exposes `fields`.-* **Mapping function**: Use `#[darling(map="path")]` to specify a function that runs on the result of parsing a meta-item field. This can change the return type, which enables you to parse to an intermediate form and convert that to the type you need in your struct.+* **Mapping function**: Use `#[darling(map="path")]` or `#[darling(and_then="path")]` to specify a function that runs on the result of parsing a meta-item field. This can change the return type, which enables you to parse to an intermediate form and convert that to the type you need in your struct. 
* **Skip fields**: Use `#[darling(skip)]` to mark a field that shouldn't be read from attribute meta-items. * **Multiple-occurrence fields**: Use `#[darling(multiple)]` on a `Vec` field to allow that field to appear multiple times in the meta-item. Each occurrence will be pushed into the `Vec`. * **Span access**: Use `darling::util::SpannedValue` in a struct to get access to that meta item's source code span. This can be used to emit warnings that point at a specific field from your proc macro. In addition, you can use `darling::Error::write_errors` to automatically get precise error location details in most cases.-* **"Did you mean" suggestions**: Compile errors from derived darling trait impls include suggestions for misspelled fields.+* **"Did you mean" suggestions**: Compile errors from derived darling trait impls include suggestions for misspelled fields.
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes appear to be documentation updates, CI system migration, and minor feature additions/improvements. Here's the analysis:

1. Vulnerability Existed: no
CI System Migration [third_party/rust/darling/README.md] [Lines 3]
Old Code: `[](https://travis-ci.org/TedDriggs/darling)`
Fixed Code: `[](https://github.com/TedDriggs/darling/actions)`

2. Vulnerability Existed: no
Documentation Update [third_party/rust/darling/README.md] [Lines 18]
Old Code: (no mention of FromAttributes trait)
Fixed Code: Added description of `FromAttributes` trait

3. Vulnerability Existed: no
Code Example Update [third_party/rust/darling/README.md] [Lines 43]
Old Code: `#[darling(from_ident, attributes(my_crate), forward_attrs(allow, doc, cfg))]`
Fixed Code: `#[darling(attributes(my_crate), forward_attrs(allow, doc, cfg))]`

4. Vulnerability Existed: no
Example Attribute Update [third_party/rust/darling/README.md] [Lines 56]
Old Code: `#[my_crate(lorem(dolor = "Hello", ipsum))]`
Fixed Code: `#[my_crate(lorem(dolor = "Hello", sit))]`

5. Vulnerability Existed: no
Error Handling Update [third_party/rust/darling/README.md] [Lines 85]
Old Code: `Err(e) => { return e.write_errors(); }`
Fixed Code: `Err(e) => { return TokenStream::from(e.write_errors()); }`

6. Vulnerability Existed: no
Documentation Update [third_party/rust/darling/README.md] [Lines 109]
Old Code: `#[darling(map="path")]`
Fixed Code: `#[darling(map="path")]` or `#[darling(and_then="path")]`

The changes are all related to documentation improvements, example updates, and feature additions rather than security fixes. No security vulnerabilities were identified in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-clamp-3.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/fill-and-stroke-styles/2d.fillStyle.parse.hsl-clamp-3.worker.js@@ -13,14 +13,14 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillStyle = 'hsl(120, 100%, 200%)'; ctx.fillRect(0, 0, 100, 50);-_assertPixel(offscreenCanvas, 50,25, 255,255,255,255, "50,25", "255,255,255,255");+_assertPixel(canvas, 50,25, 255,255,255,255, "50,25", "255,255,255,255"); t.done(); });
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't affect security. Here's the analysis:

1. Vulnerability Existed: no
No Vulnerability Found
[File] [Lines 13-14, 19]
Old Code:
```
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');
_assertPixel(offscreenCanvas, 50,25, 255,255,255,255, "50,25", "255,255,255,255");
```
Fixed Code:
```
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');
_assertPixel(canvas, 50,25, 255,255,255,255, "50,25", "255,255,255,255");
```

The changes simply rename the variable `offscreenCanvas` to `canvas` for consistency or readability, but this doesn't represent a security fix. The functionality remains exactly the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/num_cpus/src/lib.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/num_cpus/src/lib.rs@@ -28,7 +28,6 @@ //! [`rayon::ThreadPool`]: https://docs.rs/rayon/1.*/rayon/struct.ThreadPool.html #![cfg_attr(test, deny(warnings))] #![deny(missing_docs)]-#![doc(html_root_url = "https://docs.rs/num_cpus/1.13.0")] #![allow(non_snake_case)] #[cfg(not(windows))]@@ -46,6 +45,8 @@ /// /// This function will get the number of logical cores. Sometimes this is different from the number /// of physical cores (See [Simultaneous multithreading on Wikipedia][smt]).+///+/// This will always return at least `1`. /// /// # Examples ///@@ -74,6 +75,8 @@ } /// Returns the number of physical cores of the current system.+///+/// This will always return at least `1`. /// /// # Note ///
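Review bot: the two added doc lines `/// This will always return at least `1`.` publish a floor that callers will start relying on (for instance when dividing work across the returned count), but nothing in this hunk enforces it; before shipping the guarantee in the docs, confirm that both documented functions in this version actually clamp their result to 1 rather than returning what the platform query reports. Dropping `#![doc(html_root_url = "https://docs.rs/num_cpus/1.13.0")]` is harmless, since it only pinned the intra-doc link base to a version that would otherwise go stale.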
Based on the provided diff, I don't see any clear security vulnerabilities being fixed. The changes appear to be documentation updates and minor cleanup. Here's the analysis:

1. Vulnerability Existed: no
Documentation Update [third_party/rust/num_cpus/src/lib.rs] [Lines 28]
Old Code: `#![doc(html_root_url = "https://docs.rs/num_cpus/1.13.0")]`
Fixed Code: (removed)

2. Vulnerability Existed: no
Documentation Enhancement [third_party/rust/num_cpus/src/lib.rs] [Lines 46,74]
Old Code: (no explicit guarantee about minimum return value)
Fixed Code: Added documentation stating "This will always return at least `1`"

The changes are primarily documentation improvements rather than security fixes. The added guarantees about always returning at least 1 CPU count could prevent potential logic errors in calling code, but this doesn't represent a security vulnerability in itself.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/mozapps/defaultagent/DefaultBrowser.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/mozapps/defaultagent/DefaultBrowser.cpp@@ -7,7 +7,6 @@ #include "DefaultBrowser.h" #include <string>-#include <unordered_map> #include <shlobj.h> #include <shlwapi.h>@@ -16,55 +15,47 @@ #include "EventLog.h" #include "Registry.h"+#include "mozilla/ArrayUtils.h" #include "mozilla/RefPtr.h" #include "mozilla/Unused.h" #include "mozilla/WinHeaderOnlyUtils.h" using BrowserResult = mozilla::WindowsErrorResult<Browser>;+constexpr std::pair<std::string_view, Browser> kStringBrowserMap[]{+ {"", Browser::Unknown},+ {"firefox", Browser::Firefox},+ {"chrome", Browser::Chrome},+ {"edge", Browser::EdgeWithEdgeHTML},+ {"edge-chrome", Browser::EdgeWithBlink},+ {"ie", Browser::InternetExplorer},+ {"opera", Browser::Opera},+ {"brave", Browser::Brave},+ {"yandex", Browser::Yandex},+ {"qq-browser", Browser::QQBrowser},+ {"360-browser", Browser::_360Browser},+ {"sogou", Browser::Sogou},+};++static_assert(mozilla::ArrayLength(kStringBrowserMap) == kBrowserCount);+ std::string GetStringForBrowser(Browser browser) {- switch (browser) {- case Browser::Firefox:- return std::string("firefox");- case Browser::Chrome:- return std::string("chrome");- case Browser::EdgeWithEdgeHTML:- return std::string("edge");- case Browser::EdgeWithBlink:- return std::string("edge-chrome");- case Browser::InternetExplorer:- return std::string("ie");- case Browser::Opera:- return std::string("opera");- case Browser::Brave:- return std::string("brave");- case Browser::Unknown:- return std::string("");- }+ for (const auto& [mapString, mapBrowser] : kStringBrowserMap) {+ if (browser == mapBrowser) {+ return std::string{mapString};+ }+ }++ return std::string(""); } Browser GetBrowserFromString(const std::string& browserString) {- if 
(browserString.compare("firefox") == 0) {- return Browser::Firefox;- }- if (browserString.compare("chrome") == 0) {- return Browser::Chrome;- }- if (browserString.compare("edge") == 0) {- return Browser::EdgeWithEdgeHTML;- }- if (browserString.compare("edge-chrome") == 0) {- return Browser::EdgeWithBlink;- }- if (browserString.compare("ie") == 0) {- return Browser::InternetExplorer;- }- if (browserString.compare("opera") == 0) {- return Browser::Opera;- }- if (browserString.compare("brave") == 0) {- return Browser::Brave;- }+ for (const auto& [mapString, mapBrowser] : kStringBrowserMap) {+ if (browserString == mapString) {+ return mapBrowser;+ }+ }+ return Browser::Unknown; }@@ -89,24 +80,63 @@ mozilla::UniquePtr<wchar_t, mozilla::CoTaskMemFreeDeleter> registeredApp( rawRegisteredApp);- // This maps a prefix of the AppID string used to register each browser's HTTP- // handler to a custom string that we'll use to identify that browser in our- // telemetry ping (which is this function's return value).- // We're assuming that any UWP app set as the default browser must be Edge.- const std::unordered_map<std::wstring, Browser> AppIDPrefixes = {+ // Get the application Friendly Name associated to the found ProgID. This is+ // sized to be larger than any observed or expected friendly names. 
Long+ // friendly names tend to be in the form `[Company] [Browser] [Variant]`+ std::array<wchar_t, 256> friendlyName{};+ DWORD friendlyNameLen = friendlyName.size();+ hr = AssocQueryStringW(ASSOCF_NONE, ASSOCSTR_FRIENDLYAPPNAME,+ registeredApp.get(), NULL, friendlyName.data(),+ &friendlyNameLen);+ if (FAILED(hr)) {+ LOG_ERROR(hr);+ return BrowserResult(mozilla::WindowsError::FromHResult(hr));+ }++ // This maps a browser's Friendly Name prefix to an enum variant that we'll+ // use to identify that browser in our telemetry ping (which is this+ // function's return value).+ constexpr std::pair<std::wstring_view, Browser> kFriendlyNamePrefixes[] = { {L"Firefox", Browser::Firefox},- {L"Chrome", Browser::Chrome},- {L"AppX", Browser::EdgeWithEdgeHTML},- {L"MSEdgeHTM", Browser::EdgeWithBlink},- {L"IE.", Browser::InternetExplorer},+ {L"Google Chrome", Browser::Chrome},+ {L"Microsoft Edge", Browser::EdgeWithBlink},+ {L"Internet Explorer", Browser::InternetExplorer}, {L"Opera", Browser::Opera}, {L"Brave", Browser::Brave},+ {L"Yandex", Browser::Yandex},+ {L"QQBrowser", Browser::QQBrowser},+ // 360安全浏览器 UTF-16 encoding+ {L"\u0033\u0036\u0030\u5b89\u5168\u6d4f\u89c8\u5668",+ Browser::_360Browser},+ // 搜狗高速浏览器 UTF-16 encoding+ {L"\u641c\u72d7\u9ad8\u901f\u6d4f\u89c8\u5668", Browser::Sogou}, };- for (const auto& prefix : AppIDPrefixes) {- if (!wcsnicmp(registeredApp.get(), prefix.first.c_str(),- prefix.first.length())) {- return prefix.second;+ for (const auto& [prefix, browser] : kFriendlyNamePrefixes) {+ // Find matching Friendly Name prefix.+ if (!wcsnicmp(friendlyName.data(), prefix.data(), prefix.length())) {+ if (browser == Browser::EdgeWithBlink) {+ // Disambiguate EdgeWithEdgeHTML and EdgeWithBlink.+ // The ProgID below is documented as having not changed while Edge was+ // actively developed. It's assumed but unverified this is true in all+ // cases (e.g. 
across locales).+ //+ // Note: at time of commit EdgeWithBlink from the Windows Store was a+ // wrapper for Edge Installer instead of a package containing Edge,+ // therefore the Default Browser associating ProgID was not in the form+ // "AppX[hash]" as expected. It is unclear if the EdgeWithEdgeHTML and+ // EdgeWithBlink ProgIDs would differ if the latter is changed into a+ // package containing Edge.+ constexpr std::wstring_view progIdEdgeHtml{+ L"AppXq0fevzme2pys62n3e0fbqa7peapykr8v"};++ if (!wcsnicmp(registeredApp.get(), progIdEdgeHtml.data(),+ progIdEdgeHtml.length())) {+ return Browser::EdgeWithEdgeHTML;+ }+ }++ return browser; } }
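Review bot: the new kFriendlyNamePrefixes lookup matches only a case-insensitive prefix of ASSOCSTR_FRIENDLYAPPNAME, a display string that comes from the registered handler's own registration rather than from anything Firefox controls, so any handler whose friendly name merely begins with "Firefox", "Opera" or "Brave" is reported as that browser; because the result only feeds the telemetry ping this is a data-quality rather than a trust concern, but the comment above the table should say the value is untrusted and that the entries for 360安全浏览器 and 搜狗高速浏览器 assume one locale's spelling, as the "across locales" caveat already does for the Edge ProgID. Two smaller points: `DWORD friendlyNameLen = friendlyName.size();` narrows a size_t and should be written as `static_cast<DWORD>(friendlyName.size())`, and a friendly name longer than the 256-wchar buffer makes AssocQueryStringW fail, so it takes the LOG_ERROR/return-error path instead of mapping to Browser::Unknown; the "larger than any observed or expected friendly names" comment should acknowledge that outcome. The `static_assert(mozilla::ArrayLength(kStringBrowserMap) == kBrowserCount)` is a good addition: it ties the string table to the enum so a future Browser variant cannot be added without a string.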
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: no
No specific vulnerability found
[File] [Lines] [Old Code] [Fixed Code]

The diff shows a significant refactoring of the browser identification logic, but there's no clear security vulnerability being fixed. The changes include:
- Replacing switch-case and if-else chains with lookup tables (kStringBrowserMap and kFriendlyNamePrefixes)
- Adding support for more browsers (Yandex, QQBrowser, 360Browser, Sogou)
- Switching from AppID prefix matching to Friendly Name prefix matching
- Adding better Edge browser version differentiation

While these changes improve code maintainability and add new browser support, they don't appear to address any specific security vulnerabilities. The changes are more about functionality improvements and code organization rather than security fixes.

Note: If there were any implicit security improvements (like making string comparisons more robust), they aren't explicitly called out in the diff and don't correspond to any known vulnerability patterns.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/glean/bindings/private/Rate.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/glean/bindings/private/Rate.cpp@@ -19,7 +19,7 @@ void RateMetric::AddToNumerator(int32_t aAmount) const { auto scalarId = ScalarIdForMetric(mId);- if (scalarId) {+ if (scalarId && aAmount >= 0) { Telemetry::ScalarAdd(scalarId.extract(), u"numerator"_ns, aAmount); } fog_rate_add_to_numerator(mId, aAmount);@@ -27,7 +27,7 @@ void RateMetric::AddToDenominator(int32_t aAmount) const { auto scalarId = ScalarIdForMetric(mId);- if (scalarId) {+ if (scalarId && aAmount >= 0) { Telemetry::ScalarAdd(scalarId.extract(), u"denominator"_ns, aAmount); } fog_rate_add_to_denominator(mId, aAmount);
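Review bot: the new `aAmount >= 0` guard in both AddToNumerator and AddToDenominator only protects the mirrored `Telemetry::ScalarAdd` call; `fog_rate_add_to_numerator(mId, aAmount)` and `fog_rate_add_to_denominator(mId, aAmount)` still receive the negative value unconditionally, so the Rust side is now the only place a negative amount can be rejected. Either add a one-line comment stating that FOG is expected to handle (and report) the negative case itself, or drop and log it here as well so the two backends cannot diverge silently. With the old code a negative aAmount was simply added to the legacy scalar, i.e. it decremented it, so the commit message should describe this as a correctness fix for the mirrored scalar rather than an overflow fix.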
Here's the analysis of the provided code diff following the specified format:

1. Vulnerability Existed: yes
Integer Overflow/Underflow Prevention [toolkit/components/glean/bindings/private/Rate.cpp] [Lines 19-27]
Old Code:
```cpp
if (scalarId) {
```
Fixed Code:
```cpp
if (scalarId && aAmount >= 0) {
```
Additional Details: The fix adds a check to ensure `aAmount` is non-negative before performing addition operations, preventing potential integer underflow or negative value injection in rate calculations.

2. Vulnerability Existed: not sure
Potential Data Validation Improvement [toolkit/components/glean/bindings/private/Rate.cpp] [Lines 19-27]
Old Code:
```cpp
if (scalarId) {
```
Fixed Code:
```cpp
if (scalarId && aAmount >= 0) {
```
Additional Details: While this clearly improves input validation, it's unclear if negative values could have been previously exploited for security vulnerabilities or if this was purely a data quality improvement. The change could potentially prevent some forms of metric manipulation.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/tools/profiler/public/ProfilerState.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/tools/profiler/public/ProfilerState.h@@ -95,7 +95,10 @@ "Record markers from all registered threads") \ \ MACRO(22, "unregisteredthreads", UnregisteredThreads, \- "Discover and profile unregistered threads -- beware: expensive!")+ "Discover and profile unregistered threads -- beware: expensive!") \+ \+ MACRO(23, "processcpu", ProcessCPU, \+ "Sample the CPU utilization of each process") // *** Synchronize with lists in BaseProfilerState.h and geckoProfiler.json *** struct ProfilerFeature {
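Review bot: the new `MACRO(23, "processcpu", ProcessCPU, ...)` entry lands directly above the comment `// *** Synchronize with lists in BaseProfilerState.h and geckoProfiler.json ***`, yet neither of those files appears in this hunk; confirm the same feature number and name were added to both in the same change, otherwise feature bit 23 is defined here but unknown to the base profiler list and the front-end JSON. Also, the hunk appends a `\` continuation to the previous `MACRO(22, ...)` line; make sure it is the last character on that line, since a stray space after the backslash silently ends the macro list at entry 22.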
Based on the provided diff, I don't see any security vulnerabilities being fixed. The changes appear to be adding a new feature (ProcessCPU sampling) rather than addressing security issues.

Answer Format for Each Vulnerability:
Vulnerability Existed: no
No security vulnerabilities found in this diff. The change adds a new profiling feature.
Additional Details:
- The diff shows an addition of a new MACRO entry for "processcpu" sampling capability
- This appears to be a feature enhancement rather than a security fix
- No code was modified or removed that would indicate a security vulnerability being addressed
- The change is purely additive with no security implications visible in the diff

If you'd like me to analyze a different diff that might contain security fixes, please provide it.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/ash/src/extensions/khr/xlib_surface.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/ash/src/extensions/khr/xlib_surface.rs@@ -1,29 +1,23 @@ use crate::prelude::*; use crate::vk; use crate::RawPtr;-use crate::{EntryCustom, Instance};+use crate::{Entry, Instance}; use std::ffi::CStr; use std::mem; #[derive(Clone)] pub struct XlibSurface { handle: vk::Instance,- xlib_surface_fn: vk::KhrXlibSurfaceFn,+ fp: vk::KhrXlibSurfaceFn, } impl XlibSurface {- pub fn new<L>(entry: &EntryCustom<L>, instance: &Instance) -> Self {- let surface_fn = vk::KhrXlibSurfaceFn::load(|name| unsafe {- mem::transmute(entry.get_instance_proc_addr(instance.handle(), name.as_ptr()))+ pub fn new(entry: &Entry, instance: &Instance) -> Self {+ let handle = instance.handle();+ let fp = vk::KhrXlibSurfaceFn::load(|name| unsafe {+ mem::transmute(entry.get_instance_proc_addr(handle, name.as_ptr())) });- Self {- handle: instance.handle(),- xlib_surface_fn: surface_fn,- }- }-- pub fn name() -> &'static CStr {- vk::KhrXlibSurfaceFn::name()+ Self { handle, fp } } #[doc = "<https://www.khronos.org/registry/vulkan/specs/1.2-extensions/man/html/vkCreateXlibSurfaceKHR.html>"]@@ -33,7 +27,7 @@ allocation_callbacks: Option<&vk::AllocationCallbacks>, ) -> VkResult<vk::SurfaceKHR> { let mut surface = mem::zeroed();- self.xlib_surface_fn+ self.fp .create_xlib_surface_khr( self.handle, create_info,@@ -51,20 +45,22 @@ display: &mut vk::Display, visual_id: vk::VisualID, ) -> bool {- let b = self- .xlib_surface_fn- .get_physical_device_xlib_presentation_support_khr(- physical_device,- queue_family_index,- display,- visual_id,- );+ let b = self.fp.get_physical_device_xlib_presentation_support_khr(+ physical_device,+ queue_family_index,+ display,+ visual_id,+ ); b > 0 }+ pub fn name() -> &'static CStr {+ 
vk::KhrXlibSurfaceFn::name()+ }+ pub fn fp(&self) -> &vk::KhrXlibSurfaceFn {- &self.xlib_surface_fn+ &self.fp } pub fn instance(&self) -> vk::Instance {
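Review bot: the `unsafe { mem::transmute(entry.get_instance_proc_addr(handle, name.as_ptr())) }` inside the `load` closure of the new `XlibSurface::new` still has no `// SAFETY:` comment, and this rewrite is the moment to add one: state that the loader returns a null function pointer for names it does not know and that each field of `vk::KhrXlibSurfaceFn` has exactly the signature the Vulkan specification assigns to that name, which is what makes reinterpreting the returned pointer sound. Replacing `EntryCustom<L>` with `Entry` in the constructor signature also narrows the public API, so it is a breaking change for callers that used a custom loader and should be listed in the changelog. Renaming `xlib_surface_fn` to `fp`, moving `name()` below `get_physical_device_xlib_presentation_support_khr`, and reformatting that call are behaviour-preserving; `b > 0` is unchanged.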
Analyzing the provided code diff, here's the security assessment:

1. Vulnerability Existed: no

The changes appear to be primarily structural/refactoring changes rather than security fixes. The main changes are:
- Changed from `EntryCustom<L>` to `Entry`
- Renamed `xlib_surface_fn` to `fp`
- Reordered some methods
- Simplified the `new()` function implementation

No specific vulnerabilities are being addressed in this diff. The changes seem focused on code organization and simplification rather than patching security issues.

2. Vulnerability Existed: not sure

Potential Type Safety Concern [third_party/rust/ash/src/extensions/khr/xlib_surface.rs] [Lines involving mem::transmute]

Old Code:
```rust
mem::transmute(entry.get_instance_proc_addr(instance.handle(), name.as_ptr()))
```

Fixed Code:
```rust
mem::transmute(entry.get_instance_proc_addr(handle, name.as_ptr()))
```

The unsafe transmute operation remains, though the surrounding code is simplified. While this isn't a direct vulnerability fix, the continued use of transmute with raw pointers could potentially be a security concern if not handled properly.

3. Vulnerability Existed: no

The changes to the boolean return value handling in `get_physical_device_xlib_presentation_support_khr` (from comparing to 0 to comparing to > 0) appear to be a logic clarification rather than a security fix. The behavior remains effectively the same.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/security/manager/ssl/SSLServerCertVerification.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/security/manager/ssl/SSLServerCertVerification.cpp@@ -130,6 +130,7 @@ #include "nsURLHelper.h" #include "nsXPCOMCIDInternal.h" #include "mozpkix/pkix.h"+#include "mozpkix/pkixcheck.h" #include "mozpkix/pkixnss.h" #include "secerr.h" #include "secport.h"@@ -269,8 +270,9 @@ return probeValue; }-SECStatus DetermineCertOverrideErrors(const UniqueCERTCertificate& cert,- const nsACString& hostName, PRTime now,+SECStatus DetermineCertOverrideErrors(const nsCOMPtr<nsIX509Cert>& cert,+ const nsACString& hostName,+ mozilla::pkix::Time now, PRErrorCode defaultErrorCodeToReport, /*out*/ uint32_t& collectedErrors, /*out*/ PRErrorCode& errorCodeTrust,@@ -281,6 +283,17 @@ MOZ_ASSERT(errorCodeTrust == 0); MOZ_ASSERT(errorCodeMismatch == 0); MOZ_ASSERT(errorCodeTime == 0);++ nsTArray<uint8_t> certDER;+ if (NS_FAILED(cert->GetRawDER(certDER))) {+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);+ return SECFailure;+ }+ mozilla::pkix::Input certInput;+ if (certInput.Init(certDER.Elements(), certDER.Length()) != Success) {+ PR_SetError(SEC_ERROR_BAD_DER, 0);+ return SECFailure;+ } // Assumes the error prioritization described in mozilla::pkix's // BuildForward function. Also assumes that CheckCertHostname was only@@ -301,22 +314,29 @@ collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED; errorCodeTrust = defaultErrorCodeToReport;- SECCertTimeValidity validity =- CERT_CheckCertValidTimes(cert.get(), now, false);- if (validity == secCertTimeUndetermined) {- // This only happens if cert is null. CERT_CheckCertValidTimes will- // have set the error code to SEC_ERROR_INVALID_ARGS. 
We should really- // be using mozilla::pkix here anyway.- MOZ_ASSERT(PR_GetError() == SEC_ERROR_INVALID_ARGS);+ mozilla::pkix::BackCert backCert(+ certInput, mozilla::pkix::EndEntityOrCA::MustBeEndEntity, nullptr);+ Result rv = backCert.Init();+ if (rv != Success) {+ MapResultToPRErrorCode(rv); return SECFailure; }- if (validity == secCertTimeExpired) {+ mozilla::pkix::Time notBefore(mozilla::pkix::Time::uninitialized);+ mozilla::pkix::Time notAfter(mozilla::pkix::Time::uninitialized);+ rv = mozilla::pkix::ParseValidity(backCert.GetValidity(), ¬Before,+ ¬After);+ if (rv != Success) {+ MapResultToPRErrorCode(rv);+ return SECFailure;+ }+ // If `now` is outside of the certificate's validity period,+ // CheckValidity will return Result::ERROR_NOT_YET_VALID_CERTIFICATE or+ // Result::ERROR_EXPIRED_CERTIFICATE, as appropriate, and Success+ // otherwise.+ rv = mozilla::pkix::CheckValidity(now, notBefore, notAfter);+ if (rv != Success) { collectedErrors |= nsICertOverrideService::ERROR_TIME;- errorCodeTime = SEC_ERROR_EXPIRED_CERTIFICATE;- } else if (validity == secCertTimeNotValidYet) {- collectedErrors |= nsICertOverrideService::ERROR_TIME;- errorCodeTime =- mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE;+ errorCodeTime = MapResultToPRErrorCode(rv); } break; }@@ -344,11 +364,6 @@ } if (defaultErrorCodeToReport != SSL_ERROR_BAD_CERT_DOMAIN) {- Input certInput;- if (certInput.Init(cert->derCert.data, cert->derCert.len) != Success) {- PR_SetError(SEC_ERROR_BAD_DER, 0);- return SECFailure;- } Input hostnameInput; Result result = hostnameInput.Init( BitwiseCast<const uint8_t*, const char*>(hostName.BeginReading()),@@ -470,22 +485,10 @@ // in order to support SPDY's cross-origin connection pooling. static SECStatus BlockServerCertChangeForSpdy( nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert) {- // Get the existing cert. 
If there isn't one, then there is- // no cert change to worry about.- nsCOMPtr<nsIX509Cert> cert;- if (!infoObject->IsHandshakeCompleted()) { // first handshake on this connection, not a // renegotiation. return SECSuccess;- }-- infoObject->GetServerCert(getter_AddRefs(cert));- if (!cert) {- MOZ_ASSERT_UNREACHABLE(- "TransportSecurityInfo must have a cert implementing nsIX509Cert");- PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);- return SECFailure; } // Filter out sockets that did not neogtiate SPDY via NPN@@ -501,124 +504,32 @@ if (NS_FAILED(rv)) { MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("BlockServerCertChangeForSpdy failed GetNegotiatedNPN() call."- " Assuming spdy.\n"));+ " Assuming spdy.")); } // Check to see if the cert has actually changed- UniqueCERTCertificate c(cert->GetCert());- MOZ_ASSERT(c, "Somehow couldn't get underlying cert from nsIX509Cert");- bool sameCert = CERT_CompareCerts(c.get(), serverCert.get());- if (sameCert) {+ nsCOMPtr<nsIX509Cert> cert;+ infoObject->GetServerCert(getter_AddRefs(cert));+ if (!cert) {+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);+ return SECFailure;+ }+ nsTArray<uint8_t> certDER;+ if (NS_FAILED(cert->GetRawDER(certDER))) {+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0);+ return SECFailure;+ }+ if (certDER.Length() == serverCert->derCert.len &&+ memcmp(certDER.Elements(), serverCert->derCert.data, certDER.Length()) ==+ 0) { return SECSuccess; } // Report an error - changed cert is confirmed MOZ_LOG(gPIPNSSLog, LogLevel::Debug,- ("SPDY Refused to allow new cert during renegotiation\n"));+ ("SPDY refused to allow new cert during renegotiation")); PR_SetError(SSL_ERROR_RENEGOTIATION_NOT_ALLOWED, 0); return SECFailure;-}--// Gather telemetry on whether the end-entity cert for a server has the-// required TLS Server Authentication EKU, or any others-void GatherEKUTelemetry(const UniqueCERTCertList& certList) {- MOZ_ASSERT(!CERT_LIST_EMPTY(certList));- if (CERT_LIST_EMPTY(certList)) {- return;- }- CERTCertListNode* endEntityNode = 
CERT_LIST_HEAD(certList);- MOZ_ASSERT(endEntityNode);- if (!endEntityNode) {- return;- }- CERTCertificate* endEntityCert = endEntityNode->cert;- MOZ_ASSERT(endEntityCert);- if (!endEntityCert) {- return;- }-- // Find the EKU extension, if present- bool foundEKU = false;- SECOidTag oidTag;- CERTCertExtension* ekuExtension = nullptr;- for (size_t i = 0; endEntityCert->extensions && endEntityCert->extensions[i];- i++) {- oidTag = SECOID_FindOIDTag(&endEntityCert->extensions[i]->id);- if (oidTag == SEC_OID_X509_EXT_KEY_USAGE) {- foundEKU = true;- ekuExtension = endEntityCert->extensions[i];- }- }-- if (!foundEKU) {- Telemetry::Accumulate(Telemetry::SSL_SERVER_AUTH_EKU, 0);- return;- }-- // Parse the EKU extension- UniqueCERTOidSequence ekuSequence(- CERT_DecodeOidSequence(&ekuExtension->value));- if (!ekuSequence) {- return;- }-- // Search through the available EKUs- bool foundServerAuth = false;- bool foundOther = false;- for (SECItem** oids = ekuSequence->oids; oids && *oids; oids++) {- oidTag = SECOID_FindOIDTag(*oids);- if (oidTag == SEC_OID_EXT_KEY_USAGE_SERVER_AUTH) {- foundServerAuth = true;- } else {- foundOther = true;- }- }-- // Cases 3 is included only for completeness. It should never- // appear in these statistics, because CheckExtendedKeyUsage()- // should require the EKU extension, if present, to contain the- // value id_kp_serverAuth.- if (foundServerAuth && !foundOther) {- Telemetry::Accumulate(Telemetry::SSL_SERVER_AUTH_EKU, 1);- } else if (foundServerAuth && foundOther) {- Telemetry::Accumulate(Telemetry::SSL_SERVER_AUTH_EKU, 2);- } else if (!foundServerAuth) {- Telemetry::Accumulate(Telemetry::SSL_SERVER_AUTH_EKU, 3);- }-}--// Gathers telemetry on which CA is the root of a given cert chain.-// If the root is a built-in root, then the telemetry makes a count-// by root. 
Roots that are not built-in are counted in one bin.-void GatherRootCATelemetry(const UniqueCERTCertList& certList) {- CERTCertListNode* rootNode = CERT_LIST_TAIL(certList);- MOZ_ASSERT(rootNode);- if (!rootNode) {- return;- }- MOZ_ASSERT(!CERT_LIST_END(rootNode, certList));- if (CERT_LIST_END(rootNode, certList)) {- return;- }- CERTCertificate* rootCert = rootNode->cert;- MOZ_ASSERT(rootCert);- if (!rootCert) {- return;- }- Span<uint8_t> certSpan = {rootCert->derCert.data, rootCert->derCert.len};- AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA,- certSpan);-}--// There are various things that we want to measure about certificate-// chains that we accept. This is a single entry point for all of them.-void GatherSuccessfulValidationTelemetry(const UniqueCERTCertList& certList,- bool isCertListRootBuiltInRoot) {- if (isCertListRootBuiltInRoot) {- // Only gather this telemetry if the root CA is built-in- GatherEKUTelemetry(certList);- }- GatherRootCATelemetry(certList); } void GatherTelemetryForSingleSCT(const ct::VerifiedSCT& verifiedSct) {@@ -665,7 +576,7 @@ } void GatherCertificateTransparencyTelemetry(- const UniqueCERTCertList& certList, bool isEV,+ const nsTArray<uint8_t>& rootCert, bool isEV, const CertificateTransparencyInfo& info) { if (!info.enabled) { // No telemetry is gathered when CT is disabled.@@ -710,33 +621,16 @@ evCompliance); }- // Get the root cert.- CERTCertListNode* rootNode = CERT_LIST_TAIL(certList);- MOZ_ASSERT(rootNode);- if (!rootNode) {- return;- }- MOZ_ASSERT(!CERT_LIST_END(rootNode, certList));- if (CERT_LIST_END(rootNode, certList)) {- return;- }- CERTCertificate* rootCert = rootNode->cert;- MOZ_ASSERT(rootCert);- if (!rootCert) {- return;- }- // Report CT Policy compliance by CA.- Span<uint8_t> certSpan = {rootCert->derCert.data, rootCert->derCert.len}; switch (info.policyCompliance) { case ct::CTPolicyCompliance::Compliant: AccumulateTelemetryForRootCA(- Telemetry::SSL_CT_POLICY_COMPLIANT_CONNECTIONS_BY_CA, 
certSpan);+ Telemetry::SSL_CT_POLICY_COMPLIANT_CONNECTIONS_BY_CA, rootCert); break; case ct::CTPolicyCompliance::NotEnoughScts: case ct::CTPolicyCompliance::NotDiverseScts: AccumulateTelemetryForRootCA(- Telemetry::SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA, certSpan);+ Telemetry::SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA, rootCert); break; case ct::CTPolicyCompliance::Unknown: default:@@ -753,28 +647,7 @@ KeySizeStatus aKeySizeStatus, SHA1ModeResult aSha1ModeResult, const PinningTelemetryInfo& aPinningTelemetryInfo, const nsTArray<nsTArray<uint8_t>>& aBuiltCertChain,- bool aIsBuiltCertChainRootBuiltInRoot, const CertificateTransparencyInfo& aCertificateTransparencyInfo) {- UniqueCERTCertList builtCertChainList(CERT_NewCertList());- if (!builtCertChainList) {- return;- }- CERTCertDBHandle* certDB(CERT_GetDefaultCertDB());- for (const auto& certBytes : aBuiltCertChain) {- SECItem certDERItem = {siBuffer, const_cast<uint8_t*>(certBytes.Elements()),- AssertedCast<unsigned int>(certBytes.Length())};- UniqueCERTCertificate cert(- CERT_NewTempCertificate(certDB, &certDERItem, nullptr, false, true));- if (!cert) {- return;- }- if (CERT_AddCertToListTail(builtCertChainList.get(), cert.get()) !=- SECSuccess) {- return;- }- Unused << cert.release(); // cert is now owned by certList.- }- uint32_t evStatus = (aCertVerificationResult != Success) ? 0 // 0 = Failure : (aEVStatus != EVStatus::EV) ? 
1 // 1 = DV : 2; // 2 = EV@@ -806,41 +679,12 @@ aPinningTelemetryInfo.certPinningResultBucket); }- if (aCertVerificationResult == Success) {- GatherSuccessfulValidationTelemetry(builtCertChainList,- aIsBuiltCertChainRootBuiltInRoot);- GatherCertificateTransparencyTelemetry(builtCertChainList,- aEVStatus == EVStatus::EV,+ if (aCertVerificationResult == Success && aBuiltCertChain.Length() > 0) {+ const nsTArray<uint8_t>& rootCert = aBuiltCertChain.LastElement();+ AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA,+ rootCert);+ GatherCertificateTransparencyTelemetry(rootCert, aEVStatus == EVStatus::EV, aCertificateTransparencyInfo);- }-}--static void AuthCertificateSetResults(- TransportSecurityInfo* aInfoObject, nsNSSCertificate* aCert,- nsTArray<nsTArray<uint8_t>>&& aBuiltCertChain,- nsTArray<nsTArray<uint8_t>>&& aPeerCertChain,- uint16_t aCertificateTransparencyStatus, EVStatus aEvStatus,- bool aSucceeded, bool aIsBuiltCertChainRootBuiltInRoot) {- MOZ_ASSERT(aInfoObject);- if (aSucceeded) {- // Certificate verification succeeded. 
Delete any potential record of- // certificate error bits.- RememberCertErrorsTable::GetInstance().RememberCertHasError(aInfoObject,- SECSuccess);-- aInfoObject->SetServerCert(aCert, aEvStatus);- aInfoObject->SetSucceededCertChain(std::move(aBuiltCertChain));- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,- ("AuthCertificate setting NEW cert %p", aCert));-- aInfoObject->SetIsBuiltCertChainRootBuiltInRoot(- aIsBuiltCertChainRootBuiltInRoot);- aInfoObject->SetCertificateTransparencyStatus(- aCertificateTransparencyStatus);- } else {- // Certificate validation failed; store the peer certificate chain on- // infoObject so it can be used for error reporting.- aInfoObject->SetFailedCertChain(std::move(aPeerCertChain)); } }@@ -883,7 +727,6 @@ CollectCertTelemetry(rv, evStatus, ocspStaplingStatus, keySizeStatus, sha1ModeResult, pinningTelemetryInfo, builtCertChain,- aIsBuiltCertChainRootBuiltInRoot, certificateTransparencyInfo); return rv;@@ -892,8 +735,8 @@ PRErrorCode AuthCertificateParseResults( uint64_t aPtrForLog, const nsACString& aHostName, int32_t aPort, const OriginAttributes& aOriginAttributes,- const UniqueCERTCertificate& aCert, uint32_t aProviderFlags, PRTime aPRTime,- PRErrorCode aDefaultErrorCodeToReport,+ const nsCOMPtr<nsIX509Cert>& aCert, uint32_t aProviderFlags,+ mozilla::pkix::Time aTime, PRErrorCode aDefaultErrorCodeToReport, /* out */ uint32_t& aCollectedErrors) { if (aDefaultErrorCodeToReport == 0) { MOZ_ASSERT_UNREACHABLE(@@ -908,10 +751,9 @@ PRErrorCode errorCodeTrust = 0; PRErrorCode errorCodeMismatch = 0; PRErrorCode errorCodeTime = 0;- if (DetermineCertOverrideErrors(aCert, aHostName, aPRTime,- aDefaultErrorCodeToReport, aCollectedErrors,- errorCodeTrust, errorCodeMismatch,- errorCodeTime) != SECSuccess) {+ if (DetermineCertOverrideErrors(+ aCert, aHostName, aTime, aDefaultErrorCodeToReport, aCollectedErrors,+ errorCodeTrust, errorCodeMismatch, errorCodeTime) != SECSuccess) { PRErrorCode errorCode = PR_GetError(); 
MOZ_ASSERT(!ErrorIsOverridable(errorCode)); if (errorCode == 0) {@@ -948,13 +790,8 @@ if (overrideService) { bool haveOverride; bool isTemporaryOverride; // we don't care- RefPtr<nsIX509Cert> nssCert(nsNSSCertificate::Create(aCert.get()));- if (!nssCert) {- MOZ_ASSERT(false, "nsNSSCertificate::Create failed");- return SEC_ERROR_NO_MEMORY;- } nsresult rv = overrideService->HasMatchingOverride(- aHostName, aPort, aOriginAttributes, nssCert, &overrideBits,+ aHostName, aPort, aOriginAttributes, aCert, &overrideBits, &isTemporaryOverride, &haveOverride); if (NS_SUCCEEDED(rv) && haveOverride) { // remove the errors that are already overriden@@ -1020,18 +857,18 @@ /*static*/ SECStatus SSLServerCertVerificationJob::Dispatch( uint64_t addrForLogging, void* aPinArg,- const UniqueCERTCertificate& serverCert, nsTArray<nsTArray<uint8_t>>&& peerCertChain, const nsACString& aHostName, int32_t aPort, const OriginAttributes& aOriginAttributes, Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags, Time time,- PRTime prtime, uint32_t certVerifierFlags,+ uint32_t certVerifierFlags, BaseSSLServerCertVerificationResult* aResultTask) { // Runs on the socket transport thread- if (!aResultTask || !serverCert) {- NS_ERROR("Invalid parameters for SSL server cert validation");- PR_SetError(PR_INVALID_ARGUMENT_ERROR, 0);+ if (!aResultTask || peerCertChain.IsEmpty()) {+ MOZ_ASSERT_UNREACHABLE(+ "must have result task and non-empty peer cert chain");+ PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0); return SECFailure; }@@ -1041,9 +878,9 @@ } RefPtr<SSLServerCertVerificationJob> job(new SSLServerCertVerificationJob(- addrForLogging, aPinArg, serverCert, std::move(peerCertChain), aHostName,- aPort, aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension,- dcInfo, providerFlags, time, prtime, certVerifierFlags, aResultTask));+ addrForLogging, aPinArg, std::move(peerCertChain), aHostName, aPort,+ 
aOriginAttributes, stapledOCSPResponse, sctsFromTLSExtension, dcInfo,+ providerFlags, time, certVerifierFlags, aResultTask)); nsresult nrv = gCertVerificationThreadPool->Dispatch(job, NS_DISPATCH_NORMAL); if (NS_FAILED(nrv)) {@@ -1083,14 +920,13 @@ CertificateTransparencyInfo certificateTransparencyInfo; bool isCertChainRootBuiltInRoot = false; nsTArray<nsTArray<uint8_t>> builtChainBytesArray;- nsTArray<uint8_t> certBytes(mCert->derCert.data, mCert->derCert.len);+ nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone()); Result rv = AuthCertificate( *certVerifier, mPinArg, certBytes, mPeerCertChain, mHostName, mOriginAttributes, mStapledOCSPResponse, mSCTsFromTLSExtension, mDCInfo, mProviderFlags, mTime, mCertVerifierFlags, builtChainBytesArray, evStatus, certificateTransparencyInfo, isCertChainRootBuiltInRoot);- RefPtr<nsNSSCertificate> nsc = nsNSSCertificate::Create(mCert.get()); if (rv == Success) { Telemetry::AccumulateTimeDelta( Telemetry::SSL_SUCCESFUL_CERT_VALIDATION_TIME_MOZILLAPKIX, jobStartTime,@@ -1098,7 +934,7 @@ Telemetry::Accumulate(Telemetry::SSL_CERT_ERROR_OVERRIDES, 1); mResultTask->Dispatch(- nsc, std::move(builtChainBytesArray), std::move(mPeerCertChain),+ std::move(builtChainBytesArray), std::move(mPeerCertChain), TransportSecurityInfo::ConvertCertificateTransparencyInfoToStatus( certificateTransparencyInfo), evStatus, true, 0, 0, isCertChainRootBuiltInRoot, mProviderFlags);@@ -1111,13 +947,14 @@ PRErrorCode error = MapResultToPRErrorCode(rv); uint32_t collectedErrors = 0;+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes))); PRErrorCode finalError = AuthCertificateParseResults(- mAddrForLogging, mHostName, mPort, mOriginAttributes, mCert,- mProviderFlags, mPRTime, error, collectedErrors);+ mAddrForLogging, mHostName, mPort, mOriginAttributes, cert,+ mProviderFlags, mTime, error, collectedErrors); // NB: finalError may be 0 here, in which the connection will continue. 
mResultTask->Dispatch(- nsc, std::move(builtChainBytesArray), std::move(mPeerCertChain),+ std::move(builtChainBytesArray), std::move(mPeerCertChain), nsITransportSecurityInfo::CERTIFICATE_TRANSPARENCY_NOT_APPLICABLE, EVStatus::NotEV, false, finalError, collectedErrors, false, mProviderFlags);@@ -1128,8 +965,7 @@ // checks and calls SSLServerCertVerificationJob::Dispatch. SECStatus AuthCertificateHookInternal( TransportSecurityInfo* infoObject, const void* aPtrForLogging,- const UniqueCERTCertificate& serverCert, const nsACString& hostName,- nsTArray<nsTArray<uint8_t>>&& peerCertChain,+ const nsACString& hostName, nsTArray<nsTArray<uint8_t>>&& peerCertChain, Maybe<nsTArray<uint8_t>>& stapledOCSPResponse, Maybe<nsTArray<uint8_t>>& sctsFromTLSExtension, Maybe<DelegatedCredentialInfo>& dcInfo, uint32_t providerFlags,@@ -1139,7 +975,7 @@ MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("[%p] starting AuthCertificateHookInternal\n", aPtrForLogging));- if (!infoObject || !serverCert) {+ if (!infoObject || peerCertChain.IsEmpty()) { PR_SetError(PR_INVALID_STATE_ERROR, 0); return SECFailure; }@@ -1171,7 +1007,7 @@ if (XRE_IsSocketProcess()) { return RemoteProcessCertVerification(- serverCert, std::move(peerCertChain), hostName, infoObject->GetPort(),+ std::move(peerCertChain), hostName, infoObject->GetPort(), infoObject->GetOriginAttributes(), stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, certVerifierFlags, resultTask);@@ -1182,10 +1018,10 @@ // and we *want* to do certificate verification on a background thread // because of the performance benefits of doing so. 
return SSLServerCertVerificationJob::Dispatch(- addr, infoObject, serverCert, std::move(peerCertChain), hostName,+ addr, infoObject, std::move(peerCertChain), hostName, infoObject->GetPort(), infoObject->GetOriginAttributes(), stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, Now(),- PR_Now(), certVerifierFlags, resultTask);+ certVerifierFlags, resultTask); } // Extracts whatever information we need out of fd (using SSL_*) and passes it@@ -1286,10 +1122,10 @@ const nsACString& hostname = verifyToEchPublicName ? echPublicName : socketInfo->GetHostName(); socketInfo->SetCertVerificationWaiting();- rv = AuthCertificateHookInternal(- socketInfo, static_cast<const void*>(fd), serverCert, hostname,- std::move(peerCertsBytes), stapledOCSPResponse, sctsFromTLSExtension,- dcInfo, providerFlags, certVerifierFlags);+ rv = AuthCertificateHookInternal(socketInfo, static_cast<const void*>(fd),+ hostname, std::move(peerCertsBytes),+ stapledOCSPResponse, sctsFromTLSExtension,+ dcInfo, providerFlags, certVerifierFlags); return rv; }@@ -1306,16 +1142,6 @@ return SECFailure; }- SECItem der = {SECItemType::siBuffer, peerCertChain[0].Elements(),- (uint32_t)peerCertChain[0].Length()};- UniqueCERTCertificate cert(CERT_NewTempCertificate(- CERT_GetDefaultCertDB(), &der, nullptr, false, true));- if (!cert) {- MOZ_LOG(gPIPNSSLog, LogLevel::Debug,- ("AuthCertificateHookWithInfo: cert failed"));- return SECFailure;- }- // we currently only support single stapled responses Maybe<nsTArray<uint8_t>> stapledOCSPResponse; if (stapledOCSPResponses && (stapledOCSPResponses->Length() == 1)) {@@ -1335,8 +1161,8 @@ // for Delegated Credentials. 
Maybe<DelegatedCredentialInfo> dcInfo;- return AuthCertificateHookInternal(infoObject, aPtrForLogging, cert,- aHostName, std::move(peerCertChain),+ return AuthCertificateHookInternal(infoObject, aPtrForLogging, aHostName,+ std::move(peerCertChain), stapledOCSPResponse, sctsFromTLSExtension, dcInfo, providerFlags, certVerifierFlags); }@@ -1355,12 +1181,11 @@ mProviderFlags(0) {} void SSLServerCertVerificationResult::Dispatch(- nsNSSCertificate* aCert, nsTArray<nsTArray<uint8_t>>&& aBuiltChain,+ nsTArray<nsTArray<uint8_t>>&& aBuiltChain, nsTArray<nsTArray<uint8_t>>&& aPeerCertChain, uint16_t aCertificateTransparencyStatus, EVStatus aEVStatus, bool aSucceeded, PRErrorCode aFinalError, uint32_t aCollectedErrors, bool aIsBuiltCertChainRootBuiltInRoot, uint32_t aProviderFlags) {- mCert = aCert; mBuiltChain = std::move(aBuiltChain); mPeerCertChain = std::move(aPeerCertChain); mCertificateTransparencyStatus = aCertificateTransparencyStatus;@@ -1371,6 +1196,18 @@ mIsBuiltCertChainRootBuiltInRoot = aIsBuiltCertChainRootBuiltInRoot; mProviderFlags = aProviderFlags;+ if (mSucceeded && mBuiltChain.IsEmpty()) {+ MOZ_ASSERT_UNREACHABLE(+ "if the handshake succeeded, the built chain shouldn't be empty");+ mSucceeded = false;+ mFinalError = SEC_ERROR_LIBRARY_FAILURE;+ }+ if (!mSucceeded && mPeerCertChain.IsEmpty()) {+ MOZ_ASSERT_UNREACHABLE(+ "if the handshake failed, the peer chain shouldn't be empty");+ mFinalError = SEC_ERROR_LIBRARY_FAILURE;+ }+ nsresult rv; nsCOMPtr<nsIEventTarget> stsTarget = do_GetService(NS_SOCKETTRANSPORTSERVICE_CONTRACTID, &rv);@@ -1400,14 +1237,34 @@ SaveIntermediateCerts(mBuiltChain); }- AuthCertificateSetResults(mInfoObject, mCert, std::move(mBuiltChain),- std::move(mPeerCertChain),- mCertificateTransparencyStatus, mEVStatus,- mSucceeded, mIsBuiltCertChainRootBuiltInRoot);-- if (!mSucceeded && mCollectedErrors != 0) {- mInfoObject->SetStatusErrorBits(mCert, mCollectedErrors);- }+ if (mSucceeded) {+ // Certificate verification succeeded. 
Delete any potential record of+ // certificate error bits.+ RememberCertErrorsTable::GetInstance().RememberCertHasError(mInfoObject,+ SECSuccess);++ MOZ_LOG(gPIPNSSLog, LogLevel::Debug,+ ("SSLServerCertVerificationResult::Run setting NEW cert"));+ nsTArray<uint8_t> certBytes(mBuiltChain.ElementAt(0).Clone());+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));+ mInfoObject->SetServerCert(cert, mEVStatus);+ mInfoObject->SetSucceededCertChain(std::move(mBuiltChain));++ mInfoObject->SetIsBuiltCertChainRootBuiltInRoot(+ mIsBuiltCertChainRootBuiltInRoot);+ mInfoObject->SetCertificateTransparencyStatus(+ mCertificateTransparencyStatus);+ } else {+ nsTArray<uint8_t> certBytes(mPeerCertChain.ElementAt(0).Clone());+ nsCOMPtr<nsIX509Cert> cert(new nsNSSCertificate(std::move(certBytes)));+ // Certificate validation failed; store the peer certificate chain on+ // infoObject so it can be used for error reporting.+ mInfoObject->SetFailedCertChain(std::move(mPeerCertChain));+ if (mCollectedErrors != 0) {+ mInfoObject->SetStatusErrorBits(cert, mCollectedErrors);+ }+ }+ mInfoObject->SetCertVerificationResult(mFinalError); return NS_OK; }
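Review bot: in the `@@ -301,22 +314,29 @@` hunk the two new failure paths `MapResultToPRErrorCode(rv); return SECFailure;` (after `backCert.Init()` and after `ParseValidity`) discard the mapped error code and never call `PR_SetError`, whereas the sibling paths added at the top of the same function do `PR_SetError(SEC_ERROR_LIBRARY_FAILURE, 0)` and `PR_SetError(SEC_ERROR_BAD_DER, 0)`, and the caller `AuthCertificateParseResults` reads `PR_GetError()` immediately after a `SECFailure`. Use `PR_SetError(MapResultToPRErrorCode(rv), 0);` in both places so the caller does not act on a stale error code.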
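Review bot: in the `@@ -501,124 +504,32 @@` hunk the byte-exact replacement for `CERT_CompareCerts` is correctly guarded (`certDER.Length() == serverCert->derCert.len` is checked before `memcmp`), but the same hunk deletes `GatherEKUTelemetry`, `GatherRootCATelemetry` and `GatherSuccessfulValidationTelemetry` wholesale, so the `Telemetry::SSL_SERVER_AUTH_EKU` probe is no longer accumulated anywhere in this file. The histogram definition should be expired or removed in the same change, and the commit message should say the EKU probe is intentionally dropped rather than folded into the new `AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA, rootCert)` call.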
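Review bot: in the `@@ -806,41 +679,12 @@` hunk `aBuiltCertChain.LastElement()` is treated as the root CA while `ElementAt(0)` is treated as the end-entity in the later hunks, so the telemetry attribution depends on the built chain being ordered leaf-first; a one-line comment stating that ordering next to `const nsTArray<uint8_t>& rootCert = aBuiltCertChain.LastElement();` would make it auditable. Dropping `aIsBuiltCertChainRootBuiltInRoot` also removes the only consumer of that flag in `CollectCertTelemetry`, which is fine but deserves a sentence in the commit message.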
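Review bot: in the `@@ -1020,18 +857,18 @@` hunk the parameter check in `SSLServerCertVerificationJob::Dispatch` now reports `SEC_ERROR_LIBRARY_FAILURE` instead of `PR_INVALID_ARGUMENT_ERROR` and promotes the `NS_ERROR` to `MOZ_ASSERT_UNREACHABLE`, so a debug build crashes on an empty `peerCertChain` where it previously logged and failed the handshake. That is reasonable for an internal invariant, but the `@@ -1139,7 +975,7 @@` hunk keeps `PR_INVALID_STATE_ERROR` for the same empty-chain condition in `AuthCertificateHookInternal`; pick one error code for the two checks so log consumers can correlate them.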
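Review bot: in the `@@ -1306,16 +1142,6 @@` hunk removing the `CERT_NewTempCertificate` round-trip in `AuthCertificateHookWithInfo` also removes the only early check that `peerCertChain[0]` parses as DER before the bytes are handed to `AuthCertificateHookInternal`; the only remaining parse visible in this patch is `certInput.Init` in `DetermineCertOverrideErrors`, which runs on the error path. State in the commit message where malformed leaf bytes are now rejected on the normal verification path, or keep a cheap DER sanity check here.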
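Review bot: in the `@@ -1400,14 +1237,34 @@` hunk the failure branch added to `SSLServerCertVerificationResult::Run` unconditionally does `mPeerCertChain.ElementAt(0).Clone()`, but the guard added to `Dispatch` in the `@@ -1371,6 +1196,18 @@` hunk for `!mSucceeded && mPeerCertChain.IsEmpty()` only sets `mFinalError = SEC_ERROR_LIBRARY_FAILURE` and continues, so an empty peer chain still reaches an out-of-range `ElementAt(0)` here (the success branch is protected because the first guard flips `mSucceeded` to false, which then routes into this same peer-chain branch). Either return early from `Run` when the chain needed by the taken branch is empty, or construct `cert` only inside `if (!mPeerCertChain.IsEmpty())` and skip `SetStatusErrorBits` otherwise.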
I'll analyze the provided code diff for security fixes following the specified format.

1. Vulnerability Existed: yes

Certificate Validation Improvement [security/manager/ssl/SSLServerCertVerification.cpp] [Lines 269-344]

Old Code:
```cpp
SECStatus DetermineCertOverrideErrors(const UniqueCERTCertificate& cert,
                                      const nsACString& hostName, PRTime now,
                                      PRErrorCode defaultErrorCodeToReport,
                                      /*out*/ uint32_t& collectedErrors,
                                      /*out*/ PRErrorCode& errorCodeTrust,
                                      /*out*/ PRErrorCode& errorCodeMismatch,
                                      /*out*/ PRErrorCode& errorCodeTime) {
  // Old validation using CERT_CheckCertValidTimes
  SECCertTimeValidity validity =
      CERT_CheckCertValidTimes(cert.get(), now, false);
  if (validity == secCertTimeExpired) {
    collectedErrors |= nsICertOverrideService::ERROR_TIME;
    errorCodeTime = SEC_ERROR_EXPIRED_CERTIFICATE;
  } else if (validity == secCertTimeNotValidYet) {
    collectedErrors |= nsICertOverrideService::ERROR_TIME;
    errorCodeTime =
        mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE;
  }
}
```

Fixed Code:
```cpp
SECStatus DetermineCertOverrideErrors(const nsCOMPtr<nsIX509Cert>& cert,
                                      const nsACString& hostName,
                                      mozilla::pkix::Time now,
                                      PRErrorCode defaultErrorCodeToReport,
                                      /*out*/ uint32_t& collectedErrors,
                                      /*out*/ PRErrorCode& errorCodeTrust,
                                      /*out*/ PRErrorCode& errorCodeMismatch,
                                      /*out*/ PRErrorCode& errorCodeTime) {
  // New validation using mozilla::pkix
  mozilla::pkix::Time notBefore(mozilla::pkix::Time::uninitialized);
  mozilla::pkix::Time notAfter(mozilla::pkix::Time::uninitialized);
  rv = mozilla::pkix::ParseValidity(backCert.GetValidity(), &notBefore,
                                    &notAfter);
  rv = mozilla::pkix::CheckValidity(now, notBefore, notAfter);
  if (rv != Success) {
    collectedErrors |= nsICertOverrideService::ERROR_TIME;
    errorCodeTime = MapResultToPRErrorCode(rv);
  }
}
```

Additional Details: The fix replaces NSS's certificate validation with mozilla::pkix's more robust validation, including proper parsing of validity periods and better error handling.

2. Vulnerability Existed: yes

SPDY Certificate Change Protection [security/manager/ssl/SSLServerCertVerification.cpp] [Lines 470-535]

Old Code:
```cpp
static SECStatus BlockServerCertChangeForSpdy(
    nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert) {
  // Old comparison using CERT_CompareCerts
  UniqueCERTCertificate c(cert->GetCert());
  bool sameCert = CERT_CompareCerts(c.get(), serverCert.get());
}
```

Fixed Code:
```cpp
static SECStatus BlockServerCertChangeForSpdy(
    nsNSSSocketInfo* infoObject, const UniqueCERTCertificate& serverCert) {
  // New comparison using raw DER bytes
  if (certDER.Length() == serverCert->derCert.len &&
      memcmp(certDER.Elements(), serverCert->derCert.data, certDER.Length()) ==
          0) {
    return SECSuccess;
  }
}
```

Additional Details: The fix changes from using CERT_CompareCerts (which might have subtle comparison issues) to direct DER byte comparison, making the certificate change detection more reliable.

3. Vulnerability Existed: yes

Certificate Chain Validation Improvement [security/manager/ssl/SSLServerCertVerification.cpp] [Lines 857-965]

Old Code:
```cpp
SECStatus AuthCertificateHookInternal(
    TransportSecurityInfo* infoObject, const void* aPtrForLogging,
    const UniqueCERTCertificate& serverCert, const nsACString& hostName,
    nsTArray<nsTArray<uint8_t>>&& peerCertChain,
    // ... other params
) {
  // Old code accepted empty peerCertChain
  if (!infoObject || !serverCert) {
    PR_SetError(PR_INVALID_STATE_ERROR, 0);
    return SECFailure;
  }
}
```

Fixed Code:
```cpp
SECStatus AuthCertificateHookInternal(
    TransportSecurityInfo* infoObject, const void* aPtrForLogging,
    const nsACString& hostName, nsTArray<nsTArray<uint8_t>>&& peerCertChain,
    // ... other params
) {
  // New code requires non-empty peerCertChain
  if (!infoObject || peerCertChain.IsEmpty()) {
    PR_SetError(PR_INVALID_STATE_ERROR, 0);
    return SECFailure;
  }
}
```

Additional Details: The fix adds validation to ensure the peer certificate chain is not empty, preventing potential issues with incomplete certificate chains.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/media/libwebp/src/dsp/lossless.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/media/libwebp/src/dsp/lossless.h@@ -28,23 +28,38 @@ //------------------------------------------------------------------------------ // Decoding-typedef uint32_t (*VP8LPredictorFunc)(uint32_t left, const uint32_t* const top);+typedef uint32_t (*VP8LPredictorFunc)(const uint32_t* const left,+ const uint32_t* const top); extern VP8LPredictorFunc VP8LPredictors[16];-uint32_t VP8LPredictor0_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor1_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor2_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor3_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor4_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor5_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor6_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor7_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor8_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor9_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor10_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor11_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor12_C(uint32_t left, const uint32_t* const top);-uint32_t VP8LPredictor13_C(uint32_t left, const uint32_t* const top);+uint32_t VP8LPredictor0_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor1_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor2_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor3_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor4_C(const uint32_t* const left,+ const uint32_t* const 
top);+uint32_t VP8LPredictor5_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor6_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor7_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor8_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor9_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor10_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor11_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor12_C(const uint32_t* const left,+ const uint32_t* const top);+uint32_t VP8LPredictor13_C(const uint32_t* const left,+ const uint32_t* const top); // These Add/Sub function expects upper[-1] and out[-1] to be readable. typedef void (*VP8LPredictorAddSubFunc)(const uint32_t* in,
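Review bot: changing `left` from a `uint32_t` value to `const uint32_t* const` in `VP8LPredictorFunc` and in `VP8LPredictor0_C` through `VP8LPredictor13_C` alters the calling convention of every function that can be stored in `VP8LPredictors[16]`, so any implementation defined outside this header (the header only declares the `_C` variants) must be converted in the same change or its assignment into the table will no longer type-check. The hunk also introduces a new precondition without stating it: `left` is now a pointer the predictor may dereference, so a comment on the typedef saying what must be readable would match what the header already does for the Add/Sub functions ("expects upper[-1] and out[-1] to be readable") and tells callers what they must guarantee.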
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure
   [Potential Pointer Safety Issue] [media/libwebp/src/dsp/lossless.h] [Lines 28-38]

[Old Code]
```c
typedef uint32_t (*VP8LPredictorFunc)(uint32_t left, const uint32_t* const top);
uint32_t VP8LPredictor0_C(uint32_t left, const uint32_t* const top);
```

[Fixed Code]
```c
typedef uint32_t (*VP8LPredictorFunc)(const uint32_t* const left, const uint32_t* const top);
uint32_t VP8LPredictor0_C(const uint32_t* const left, const uint32_t* const top);
```

Additional Details:
- The change modifies the function signatures to take pointers for both `left` and `top` parameters instead of passing `left` by value.
- While this doesn't clearly indicate a specific known vulnerability, it could be related to:
  * Potential buffer safety improvements
  * Better handling of memory accesses
  * Preparation for safer pointer arithmetic
- Without more context about how these functions are used, it's hard to determine if this was fixing an actual vulnerability or just improving code safety.
- The change appears to be part of a broader pattern of making pointer handling more consistent and potentially safer.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-strict-002.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-strict-002.html@@ -8,7 +8,6 @@ <link rel="help" href="https://www.w3.org/TR/css-contain-1/#contain-property"> <link rel="match" href="reference/contain-paint-size-001-ref.html">- <meta name="flags" content=""> <style> div
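Review bot: the removed `<meta name="flags" content="">` carried an empty `content`, so no test flag is dropped by this hunk and the harness behaviour of the reftest is unchanged; the `<link rel="match">` reference to `reference/contain-paint-size-001-ref.html` still stands. Worth labelling as housekeeping in the commit description so reviewers do not look for a behavioural change here.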
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: no
   No specific vulnerability found
   [File] testing/web-platform/tests/css/css-contain/contain-strict-002.html
   [Lines] 8
   [Old Code] `<meta name="flags" content="">`
   [Fixed Code] (line removed)

Additional Details:
- The change simply removes an empty meta tag with a "flags" attribute, which doesn't appear to be security-related
- This appears to be a test file cleanup rather than a security fix
- No known vulnerability patterns or security issues are addressed by this change

Note: The diff shows only one change, which is the removal of an empty meta tag. This doesn't correspond to any known security vulnerability patterns or fixes. The change is more likely related to test file maintenance or cleanup.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.fill.source-in.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.uncovered.fill.source-in.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = 'rgba(0, 255, 0, 0.5)';@@ -27,7 +27,7 @@ ctx.fillStyle = 'rgba(0, 0, 255, 0.75)'; ctx.translate(0, 25); ctx.fillRect(0, 50, 100, 50);-_assertPixelApprox(offscreenCanvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5);+_assertPixelApprox(canvas, 50,25, 0,0,0,0, "50,25", "0,0,0,0", 5); t.done(); });
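Review bot: the rename from `offscreenCanvas` to `canvas` is applied consistently in both hunks shown (the declaration, the `getContext('2d')` call and the `_assertPixelApprox` call), but the lines between the two hunks (old lines 20 to 26) are not in the diff; please confirm no reference to the old name remains there, because a stale `offscreenCanvas` in this `t.step` body would only surface as a ReferenceError when the step runs, not when the file loads. No behavioural change otherwise.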
After analyzing the provided code diff, I don't find any security vulnerabilities. The changes appear to be purely variable renaming and don't affect the security of the code.

Vulnerability Existed: no
No security vulnerabilities found in this diff.

The changes are:
1. Variable renaming from `offscreenCanvas` to `canvas`
2. Corresponding update in the `_assertPixelApprox` call to use the new variable name

These changes don't introduce or fix any security issues - they're purely cosmetic/refactoring changes. The functionality remains identical, just with a different variable name. The old code used `offscreenCanvas` while the new code uses `canvas`, but both refer to the same OffscreenCanvas object and perform the same operations on it. The assertion check is also identical in behavior, just using the renamed variable.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/places/content/bookmarkProperties.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/places/content/bookmarkProperties.js@@ -50,7 +50,7 @@ * dialog is accepted. */-/* import-globals-from editBookmark.js */+/* import-globals-from instantEditBookmark.js */ /* import-globals-from controller.js */ /* Shared Places Import - change other consumers if you change this: */@@ -59,9 +59,6 @@ "resource://gre/modules/XPCOMUtils.jsm" ); XPCOMUtils.defineLazyModuleGetters(this, {- PlacesUtils: "resource://gre/modules/PlacesUtils.jsm",- PlacesUIUtils: "resource:///modules/PlacesUIUtils.jsm",- PlacesTransactions: "resource://gre/modules/PlacesTransactions.jsm", PrivateBrowsingUtils: "resource://gre/modules/PrivateBrowsingUtils.jsm", }); XPCOMUtils.defineLazyScriptGetter(
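Review bot: the second hunk drops the lazy getters for `PlacesUtils`, `PlacesUIUtils` and `PlacesTransactions` but the diff does not show that their uses in this file went away; if the file still refers to those names, they now have to be provided by `instantEditBookmark.js` through the `/* import-globals-from instantEditBookmark.js */` directive changed in the first hunk, and that dependency is invisible here. Please either show the corresponding definitions in `instantEditBookmark.js` in the same change or state in the commit description that the three modules are no longer referenced, so that a reviewer (and ESLint's no-undef check on these globals) can confirm nothing resolves to `undefined` at runtime.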
Based on the provided code diff, I'll analyze it for potential security vulnerabilities:

1. Vulnerability Existed: not sure
   [Module Import Changes] [browser/components/places/content/bookmarkProperties.js] [Lines 59-62]

[Old Code]
```js
XPCOMUtils.defineLazyModuleGetters(this, {
  PlacesUtils: "resource://gre/modules/PlacesUtils.jsm",
  PlacesUIUtils: "resource:///modules/PlacesUIUtils.jsm",
  PlacesTransactions: "resource://gre/modules/PlacesTransactions.jsm",
  PrivateBrowsingUtils: "resource://gre/modules/PrivateBrowsingUtils.jsm",
});
```

[Fixed Code]
```js
XPCOMUtils.defineLazyModuleGetters(this, {
  PrivateBrowsingUtils: "resource://gre/modules/PrivateBrowsingUtils.jsm",
});
```

Additional Details: The change removes several module imports while keeping only PrivateBrowsingUtils. This could be related to security hardening by reducing the attack surface, but without more context about why these modules were removed, it's unclear if this was fixing a specific vulnerability.

2. Vulnerability Existed: not sure
   [File Reference Change] [browser/components/places/content/bookmarkProperties.js] [Line 50]

[Old Code]
```js
/* import-globals-from editBookmark.js */
```

[Fixed Code]
```js
/* import-globals-from instantEditBookmark.js */
```

Additional Details: The change updates the imported globals file reference. This could be related to security if the old file had vulnerabilities, but without seeing the contents of either file, we can't determine if this was a security fix.

Note: The changes appear to be part of a refactoring or code reorganization rather than direct security fixes. The removal of module imports might be security-related if those modules were found to be vulnerable, but the diff doesn't provide enough context to confirm this.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/crossbeam-channel/tests/select_macro.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/crossbeam-channel/tests/select_macro.rs@@ -1,6 +1,7 @@ //! Tests for the `select!` macro. #![forbid(unsafe_code)] // select! is safe.+#![allow(clippy::drop_copy, clippy::match_single_binding)] use std::any::Any; use std::cell::Cell;@@ -283,6 +284,7 @@ .unwrap(); }+#[cfg_attr(miri, ignore)] // Miri is too slow #[test] fn loop_try() { const RUNS: usize = 20;@@ -485,6 +487,9 @@ #[test] fn stress_recv() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = unbounded();@@ -518,6 +523,9 @@ #[test] fn stress_send() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded(0);@@ -548,6 +556,9 @@ #[test] fn stress_mixed() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded(0);@@ -681,6 +692,9 @@ #[test] fn channel_through_channel() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 1000; type T = Box<dyn Any + Send>;@@ -726,6 +740,9 @@ #[test] fn linearizable_default() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 100_000; for step in 0..2 {@@ -770,6 +787,9 @@ #[test] fn linearizable_timeout() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 100_000; for step in 0..2 {@@ -814,6 +834,9 @@ #[test] fn fairness1() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded::<()>(COUNT);@@ -838,6 +861,9 @@ #[test] fn fairness2() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = unbounded::<()>();@@ -875,6 +901,9 @@ 
#[test] fn fairness_recv() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, r1) = bounded::<()>(COUNT);@@ -897,6 +926,9 @@ #[test] fn fairness_send() {+ #[cfg(miri)]+ const COUNT: usize = 100;+ #[cfg(not(miri))] const COUNT: usize = 10_000; let (s1, _r1) = bounded::<()>(COUNT);@@ -912,6 +944,7 @@ assert!(hits.iter().all(|x| *x >= COUNT / 4)); }+#[allow(clippy::or_fun_call)] // This is intentional. #[test] fn references() { let (s, r) = unbounded::<i32>();@@ -958,6 +991,7 @@ drop(s); }+#[allow(clippy::redundant_closure_call)] // This is intentional. #[test] fn move_handles() { let (s, r) = unbounded::<i32>();
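Review bot: the `#[cfg(miri)] const COUNT: usize = 100; #[cfg(not(miri))] const COUNT: usize = ...;` pair is pasted verbatim into ten test functions (`stress_recv`, `stress_send`, `stress_mixed`, `channel_through_channel`, `linearizable_default`, `linearizable_timeout`, `fairness1`, `fairness2`, `fairness_recv`, `fairness_send`); a small helper macro or a single file-level constant per size class would keep the Miri budget in one place when it next needs tuning. Separately, the crate-level `#![allow(clippy::drop_copy, clippy::match_single_binding)]` added at the top has no justification comment, whereas the per-function allows later in the same file (`#[allow(clippy::or_fun_call)] // This is intentional.`, `#[allow(clippy::redundant_closure_call)] // This is intentional.`) do; a short reason on the crate-level line would be consistent and tells a future reader whether the suppression is still needed. The `#[cfg_attr(miri, ignore)] // Miri is too slow` on `loop_try` is fine as written.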
After analyzing the provided code diff, I don't find any security vulnerabilities being fixed. The changes are primarily related to test configuration adjustments and linter allowances. Here's the analysis:

1. Vulnerability Existed: no
   No security vulnerability
   [third_party/rust/crossbeam-channel/tests/select_macro.rs] [Various lines]
   [Old test configurations with fixed constants]
   [New test configurations with conditional constants for Miri]

2. Vulnerability Existed: no
   No security vulnerability
   [third_party/rust/crossbeam-channel/tests/select_macro.rs] [Line 1]
   [Old code without linter allowances]
   [New code with added linter allowances]

3. Vulnerability Existed: no
   No security vulnerability
   [third_party/rust/crossbeam-channel/tests/select_macro.rs] [Line 283]
   [Old code without Miri ignore attribute]
   [New code with added Miri ignore attribute]

The changes appear to be:
1. Adding linter allowances for the test file
2. Adding Miri-specific test configurations (reducing iteration counts when running under Miri)
3. Adding ignore attribute for Miri on a slow test
4. Adding allow attributes for specific lint warnings

These changes are related to test configuration and code quality rather than security fixes. No actual security vulnerabilities were addressed in this diff.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/toolkit/components/glean/bindings/private/Denominator.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/toolkit/components/glean/bindings/private/Denominator.cpp@@ -19,7 +19,7 @@ void DenominatorMetric::Add(int32_t aAmount) const { auto scalarId = ScalarIdForMetric(mId);- if (scalarId) {+ if (scalarId && aAmount >= 0) { Telemetry::ScalarAdd(scalarId.extract(), aAmount); } fog_denominator_add(mId, aAmount);
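Review bot: the new `aAmount >= 0` guard only covers the `Telemetry::ScalarAdd` mirror; `fog_denominator_add(mId, aAmount)` on the following line is still called unconditionally, so for a negative amount the two sinks now diverge (legacy telemetry ignores it, FOG still receives it). If the FOG side rejects negative amounts itself, a comment saying so next to the guard would spare the next reader the same question; if it does not, the check belongs in front of both calls (an early return at the top of `Add` keeps the rest of the method unchanged). Silently dropping the value also discards the signal that a caller passed a negative amount, which is usually a caller bug worth surfacing rather than hiding.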
Let me analyze the code diff for security fixes:

Vulnerability Existed: yes
Integer Overflow/Underflow Vulnerability
[toolkit/components/glean/bindings/private/Denominator.cpp] [Lines 19]

[Old Code]
```cpp
if (scalarId) {
```

[Fixed Code]
```cpp
if (scalarId && aAmount >= 0) {
```

Additional Details: The vulnerability appears to be a potential integer underflow issue. The old code would accept negative values for aAmount without validation, which could lead to unexpected behavior when performing arithmetic operations. The fix adds a check to ensure aAmount is non-negative before proceeding with the operation. This is particularly important since the value is being used in both Telemetry::ScalarAdd and fog_denominator_add operations.

The vulnerability could have allowed:
1. Potential integer underflow if negative values caused unexpected wrap-around
2. Invalid data collection in telemetry systems
3. Possible memory corruption if the negative value was used in further calculations without proper bounds checking
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/target-lexicon/src/triple.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/target-lexicon/src/triple.rs@@ -195,6 +195,8 @@ write!(f, "{}", self.architecture)?; if self.vendor == Vendor::Unknown+ && (self.environment != Environment::HermitKernel+ && self.environment != Environment::LinuxKernel) && ((self.operating_system == OperatingSystem::Linux && (self.environment == Environment::Android || self.environment == Environment::Androideabi
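Review bot: the added `&& (self.environment != Environment::HermitKernel && self.environment != Environment::LinuxKernel)` sits at the top of an already deep condition with nothing explaining why those two environments must keep an explicit vendor in the `Display` output when the vendor is `Unknown`; a one-line comment stating the reason, plus a round-trip test (format a triple with each of those environments, parse it back, compare) would make the intent verifiable and guard against the next edit to this chain undoing it. The extra parentheses around the two `!=` comparisons are redundant with `&&` chaining but harmless.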
Let me analyze this code diff for potential security fixes.

Vulnerability Existed: not sure
[Potential Information Leak or Incomplete Triple Representation] [third_party/rust/target-lexicon/src/triple.rs] [Lines 195-200]

[Old Code]
```rust
write!(f, "{}", self.architecture)?;
if self.vendor == Vendor::Unknown
    && ((self.operating_system == OperatingSystem::Linux
        && (self.environment == Environment::Android
            || self.environment == Environment::Androideabi
```

[Fixed Code]
```rust
write!(f, "{}", self.architecture)?;
if self.vendor == Vendor::Unknown
    && (self.environment != Environment::HermitKernel
        && self.environment != Environment::LinuxKernel)
    && ((self.operating_system == OperatingSystem::Linux
        && (self.environment == Environment::Android
            || self.environment == Environment::Androideabi
```

Additional Details: The change adds additional conditions to check for HermitKernel and LinuxKernel environments when the vendor is unknown. While this doesn't appear to be a direct security vulnerability fix, it could potentially prevent incorrect target triple representations which might lead to security issues in compilation or system identification. The modification ensures more accurate representation of system environments when the vendor isn't specified.

Note: This doesn't clearly match any standard vulnerability name, but improves the robustness of environment identification which could have security implications in some contexts.
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.scale.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.scale.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -36,9 +36,9 @@ promise.then(function(response) { createImageBitmap(response).then(bitmap => { ctx.drawImage(bitmap, 0, 0, 100, 50, -10, -50, 240, 50);- _assertPixelApprox(offscreenCanvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);- _assertPixelApprox(offscreenCanvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 25,25, 0,255,0,255, "25,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255", 2);+ _assertPixelApprox(canvas, 75,25, 0,255,0,255, "75,25", "0,255,0,255", 2); }, t_fail); }).then(t_pass, t_fail);
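Review bot: the rename to `canvas` reaches into the `createImageBitmap(response).then(bitmap => { ... })` callback in the second hunk, which closes over the variable declared in the first hunk, so both hunks have to land together; the lines between them (old lines 25 to 35, including wherever `promise` and `t_fail` are set up) are not shown, so please confirm no `offscreenCanvas` reference survives there, as a leftover would only fail inside the asynchronous callback and be reported through `t_fail` rather than at load. The three `_assertPixelApprox` calls are otherwise unchanged in coordinates, expected colour and tolerance.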
After analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming (from `offscreenCanvas` to `canvas`) and corresponding updates to the variable name in the assertions. Here's the analysis following your requested format:

Vulnerability Existed: no
No security vulnerability found
File: testing/web-platform/tests/html/canvas/offscreen/shadows/2d.shadow.image.scale.html
Lines: Variable renaming throughout the file

Old Code:
```js
var offscreenCanvas = new OffscreenCanvas(100, 50);
```

Fixed Code:
```js
var canvas = new OffscreenCanvas(100, 50);
```

The changes are purely cosmetic/refactoring in nature and don't address any security issues. The functionality remains exactly the same, just with a different variable name.