Bug 195559 - www/firefox et al. update to fix CVE-2014-{1587..1595} and CVE-2014-1569
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-gecko (Nobody)
URL: https://www.mozilla.org/en-US/firefox...
Keywords:
Depends on: 195596
Blocks: 194490 194863
Reported: 2014-12-01 18:23 UTC by Jan Beich
Modified: 2014-12-21 17:41 UTC

See Also:
bugzilla: maintainer-feedback? (gecko)


Description Jan Beich freebsd_committer freebsd_triage 2014-12-01 18:23:37 UTC
+++ This bug was initially created as a clone of Bug #194356 +++

$ svn export https://trillian.chruetertee.ch/svn/freebsd-gecko/branches/firefox34
$ (cd firefox34; for d in */*/files; do rm -rf /usr/ports/$d; done)
$ cp -R firefox34/ /usr/ports/

See URL for general changes.
See firefox34/Gecko_ChangeLog file for port-specific changes beyond updates.
See firefox34/VuXML file to put an entry into security/vuxml/vuln.xml.

www/firefox is at 34.0.5, not 34.0. So, Yahoo! is default for NA.
Comment 1 Bugzilla Automation freebsd_committer freebsd_triage 2014-12-01 18:23:37 UTC
Auto-assigned to maintainer gecko@FreeBSD.org
Comment 2 Jan Beich freebsd_committer freebsd_triage 2014-12-02 13:52:49 UTC
No MFSA for CVE-2014-1569. Let's add to VuXML anyway.

https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17.3_release_notes
Comment 3 commit-hook freebsd_committer freebsd_triage 2014-12-03 11:21:51 UTC
A commit references this bug:

Author: beat
Date: Wed Dec  3 11:20:52 UTC 2014
New revision: 373807
URL: https://svnweb.freebsd.org/changeset/ports/373807

Log:
  Document mozilla vulnerabilities

  PR:		195559
  Submitted by:	Jan Beich

Changes:
  head/security/vuxml/vuln.xml
Comment 4 commit-hook freebsd_committer freebsd_triage 2014-12-03 14:56:13 UTC
A commit references this bug:

Author: beat
Date: Wed Dec  3 14:55:30 UTC 2014
New revision: 373830
URL: https://svnweb.freebsd.org/changeset/ports/373830

Log:
  - Update Thunderbird to 31.3.0
  - Update gmp-api to 35.0
  - Update openh264 to 1.2
  - Update NSS to 3.17.3
  - Update Firefox to 34.0.5
  - Update Firefox ESR 31.3.0
  - Update libxul to 31.3.0
  - Improve CONFIGURE_TARGET handling
  - Always build using client.mk
  - Switch to clang by default on systems without libc++
    (/stable/8 and /stable/9)
  - Drop lang/python2 dependency, only lang/python27 is required
    to build
  - Use DuckDuckGo searchplugin from upstream (has suggestions
    and purposes)
  - Backport a few about:memory fixes
  - Backport Web Notifications libnotify integration
  - Add GTK3 option for www/firefox. Adwaita is a bit broken
    since Gtk 3.14, see:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1073117

  PR:		195559
  Submitted by:	Jan Beich
  MFH:		2014Q4
  Security:	http://vuxml.org/freebsd/7ae61870-9dd2-4884-a2f2-f19bb5784d09.html

Changes:
  head/Mk/Uses/gecko.mk
  head/Mk/bsd.gecko.mk
  head/mail/linux-thunderbird/Makefile
  head/mail/linux-thunderbird/distinfo
  head/mail/thunderbird/Makefile
  head/mail/thunderbird/distinfo
  head/mail/thunderbird/files/patch-bug1076983
  head/mail/thunderbird/files/patch-bug1082199
  head/mail/thunderbird/files/patch-bug1103858
  head/mail/thunderbird/files/patch-bug858919
  head/mail/thunderbird-i18n/Makefile
  head/mail/thunderbird-i18n/distinfo
  head/multimedia/gmp-api/Makefile
  head/multimedia/gmp-api/distinfo
  head/multimedia/openh264/Makefile
  head/multimedia/openh264/distinfo
  head/multimedia/openh264/files/patch-Makefile
  head/security/ca_root_nss/Makefile
  head/security/ca_root_nss/distinfo
  head/security/nss/Makefile
  head/security/nss/distinfo
  head/www/firefox/Makefile
  head/www/firefox/Makefile.options
  head/www/firefox/distinfo
  head/www/firefox/files/patch-bug1021761
  head/www/firefox/files/patch-bug1041381
  head/www/firefox/files/patch-bug1046224
  head/www/firefox/files/patch-bug1076983
  head/www/firefox/files/patch-bug1082199
  head/www/firefox/files/patch-bug1097592
  head/www/firefox/files/patch-bug1103858
  head/www/firefox/files/patch-bug702179
  head/www/firefox/files/patch-bug826985
  head/www/firefox/files/patch-bug847568
  head/www/firefox/files/patch-bug858919
  head/www/firefox/files/patch-bug877605
  head/www/firefox/files/patch-bug899126
  head/www/firefox/files/patch-duckduckgo
  head/www/firefox/files/patch-system-openh264
  head/www/firefox/files/patch-z-bug517422
  head/www/firefox-esr/Makefile
  head/www/firefox-esr/distinfo
  head/www/firefox-esr/files/patch-bug1061736
  head/www/firefox-esr/files/patch-bug1076983
  head/www/firefox-esr/files/patch-bug1082199
  head/www/firefox-esr/files/patch-bug1103858
  head/www/firefox-esr/files/patch-bug858919
  head/www/firefox-esr/files/patch-duckduckgo
  head/www/firefox-esr-i18n/Makefile
  head/www/firefox-esr-i18n/distinfo
  head/www/firefox-i18n/Makefile
  head/www/firefox-i18n/Makefile.lang
  head/www/firefox-i18n/Makefile.option
  head/www/firefox-i18n/distinfo
  head/www/libxul/Makefile
  head/www/libxul/distinfo
  head/www/libxul/files/patch-bug1061736
  head/www/libxul/files/patch-bug1076983
  head/www/libxul/files/patch-bug1082199
  head/www/libxul/files/patch-bug1103858
  head/www/libxul/files/patch-bug858919
  head/www/libxul/files/patch-duckduckgo
  head/www/linux-firefox/Makefile
  head/www/linux-firefox/distinfo
  head/www/linux-firefox/pkg-plist
Comment 5 c.kworr 2014-12-03 23:12:03 UTC
On the GTK3, looks like gtk2 plugins are not working yet they should: https://bugzilla.mozilla.org/show_bug.cgi?id=624422
Comment 6 commit-hook freebsd_committer freebsd_triage 2014-12-05 08:37:32 UTC
A commit references this bug:

Author: beat
Date: Fri Dec  5 08:36:34 UTC 2014
New revision: 373997
URL: https://svnweb.freebsd.org/changeset/ports/373997

Log:
  - Update to 2.31

  PR:		195559
  Submitted by:	Jan Beich
  MFH:		2014Q4
  Security:	http://vuxml.org/freebsd/7ae61870-9dd2-4884-a2f2-f19bb5784d09.html

Changes:
  head/Mk/Uses/gecko.mk
  head/www/linux-seamonkey/Makefile
  head/www/linux-seamonkey/distinfo
  head/www/linux-seamonkey/pkg-plist
  head/www/seamonkey/Makefile
  head/www/seamonkey/distinfo
  head/www/seamonkey/files/patch-bug1021761
  head/www/seamonkey/files/patch-bug1041381
  head/www/seamonkey/files/patch-bug1046224
  head/www/seamonkey/files/patch-bug1061736
  head/www/seamonkey/files/patch-bug1076983
  head/www/seamonkey/files/patch-bug1082199
  head/www/seamonkey/files/patch-bug1103858
  head/www/seamonkey/files/patch-bug702179
  head/www/seamonkey/files/patch-bug826985
  head/www/seamonkey/files/patch-bug847568
  head/www/seamonkey/files/patch-bug858919
  head/www/seamonkey/files/patch-bug899126
  head/www/seamonkey/files/patch-duckduckgo
  head/www/seamonkey/files/patch-ldap-xpcom-src-Makefile.in
  head/www/seamonkey/files/patch-system-openh264
  head/www/seamonkey/files/patch-z-bug517422
  head/www/seamonkey-i18n/Makefile
  head/www/seamonkey-i18n/distinfo
Comment 7 Jan Beich freebsd_committer freebsd_triage 2014-12-05 09:17:01 UTC
(In reply to c.kworr from comment #5)
> On the GTK3, looks like gtk2 plugins are not working yet they should:
> https://bugzilla.mozilla.org/show_bug.cgi?id=624422

Indeed, Firefox 34 + GTK3 has libxul.so linked against both libmozgtk and libgtk-3 which leads to:

  (<unknown>:98362): Gtk-ERROR **: GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported

https://bugzilla.mozilla.org/show_bug.cgi?id=1051209
https://trillian.chruetertee.ch/freebsd-gecko/changeset/1786/branches/firefox34/www/firefox
Comment 8 commit-hook freebsd_committer freebsd_triage 2014-12-08 15:20:02 UTC
A commit references this bug:

Author: beat
Date: Mon Dec  8 15:19:46 UTC 2014
New revision: 374273
URL: https://svnweb.freebsd.org/changeset/ports/374273

Log:
  MFH: r373830

  - Update Thunderbird to 31.3.0
  - Update gmp-api to 35.0
  - Update openh264 to 1.2
  - Update NSS to 3.17.3
  - Update Firefox to 34.0.5
  - Update Firefox ESR 31.3.0
  - Update libxul to 31.3.0
  - Improve CONFIGURE_TARGET handling
  - Always build using client.mk
  - Switch to clang by default on systems without libc++
    (/stable/8 and /stable/9)
  - Drop lang/python2 dependency, only lang/python27 is required
    to build
  - Use DuckDuckGo searchplugin from upstream (has suggestions
    and purposes)
  - Backport a few about:memory fixes
  - Backport Web Notifications libnotify integration
  - Add GTK3 option for www/firefox. Adwaita is a bit broken
    since Gtk 3.14, see:
    https://bugzilla.mozilla.org/show_bug.cgi?id=1073117

  PR:		195559
  Submitted by:	Jan Beich
  Security:	http://vuxml.org/freebsd/7ae61870-9dd2-4884-a2f2-f19bb5784d09.html
  Approved by:	portmgr (bapt)

Changes:
_U  branches/2014Q4/
  branches/2014Q4/Mk/Uses/gecko.mk
  branches/2014Q4/Mk/bsd.gecko.mk
  branches/2014Q4/mail/linux-thunderbird/Makefile
  branches/2014Q4/mail/linux-thunderbird/distinfo
  branches/2014Q4/mail/thunderbird/Makefile
  branches/2014Q4/mail/thunderbird/distinfo
  branches/2014Q4/mail/thunderbird/files/patch-bug1076983
  branches/2014Q4/mail/thunderbird/files/patch-bug1082199
  branches/2014Q4/mail/thunderbird/files/patch-bug1103858
  branches/2014Q4/mail/thunderbird/files/patch-bug858919
  branches/2014Q4/mail/thunderbird-i18n/Makefile
  branches/2014Q4/mail/thunderbird-i18n/distinfo
  branches/2014Q4/multimedia/gmp-api/Makefile
  branches/2014Q4/multimedia/gmp-api/distinfo
  branches/2014Q4/multimedia/openh264/Makefile
  branches/2014Q4/multimedia/openh264/distinfo
  branches/2014Q4/multimedia/openh264/files/patch-Makefile
  branches/2014Q4/security/ca_root_nss/Makefile
  branches/2014Q4/security/ca_root_nss/distinfo
  branches/2014Q4/security/nss/Makefile
  branches/2014Q4/security/nss/distinfo
  branches/2014Q4/www/firefox/Makefile
  branches/2014Q4/www/firefox/distinfo
  branches/2014Q4/www/firefox/files/patch-bug1021761
  branches/2014Q4/www/firefox/files/patch-bug1041381
  branches/2014Q4/www/firefox/files/patch-bug1046224
  branches/2014Q4/www/firefox/files/patch-bug1076983
  branches/2014Q4/www/firefox/files/patch-bug1082199
  branches/2014Q4/www/firefox/files/patch-bug1097592
  branches/2014Q4/www/firefox/files/patch-bug1103858
  branches/2014Q4/www/firefox/files/patch-bug702179
  branches/2014Q4/www/firefox/files/patch-bug826985
  branches/2014Q4/www/firefox/files/patch-bug847568
  branches/2014Q4/www/firefox/files/patch-bug858919
  branches/2014Q4/www/firefox/files/patch-bug877605
  branches/2014Q4/www/firefox/files/patch-bug899126
  branches/2014Q4/www/firefox/files/patch-duckduckgo
  branches/2014Q4/www/firefox/files/patch-system-openh264
  branches/2014Q4/www/firefox/files/patch-z-bug517422
  branches/2014Q4/www/firefox-esr/Makefile
  branches/2014Q4/www/firefox-esr/distinfo
  branches/2014Q4/www/firefox-esr/files/patch-bug1061736
  branches/2014Q4/www/firefox-esr/files/patch-bug1076983
  branches/2014Q4/www/firefox-esr/files/patch-bug1082199
  branches/2014Q4/www/firefox-esr/files/patch-bug1103858
  branches/2014Q4/www/firefox-esr/files/patch-bug858919
  branches/2014Q4/www/firefox-esr/files/patch-duckduckgo
  branches/2014Q4/www/firefox-esr-i18n/Makefile
  branches/2014Q4/www/firefox-esr-i18n/distinfo
  branches/2014Q4/www/firefox-i18n/Makefile
  branches/2014Q4/www/firefox-i18n/Makefile.lang
  branches/2014Q4/www/firefox-i18n/Makefile.option
  branches/2014Q4/www/firefox-i18n/distinfo
  branches/2014Q4/www/libxul/Makefile
  branches/2014Q4/www/libxul/distinfo
  branches/2014Q4/www/libxul/files/patch-bug1061736
  branches/2014Q4/www/libxul/files/patch-bug1076983
  branches/2014Q4/www/libxul/files/patch-bug1082199
  branches/2014Q4/www/libxul/files/patch-bug1103858
  branches/2014Q4/www/libxul/files/patch-bug858919
  branches/2014Q4/www/libxul/files/patch-duckduckgo
  branches/2014Q4/www/linux-firefox/Makefile
  branches/2014Q4/www/linux-firefox/distinfo
  branches/2014Q4/www/linux-firefox/pkg-plist
Comment 9 commit-hook freebsd_committer freebsd_triage 2014-12-08 15:22:04 UTC
A commit references this bug:

Author: beat
Date: Mon Dec  8 15:21:46 UTC 2014
New revision: 374274
URL: https://svnweb.freebsd.org/changeset/ports/374274

Log:
  MFH: r373997

  - Update to 2.31

  PR:		195559
  Submitted by:	Jan Beich
  Security:	http://vuxml.org/freebsd/7ae61870-9dd2-4884-a2f2-f19bb5784d09.html
  Approved by:	portmgr (bapt)

Changes:
_U  branches/2014Q4/
  branches/2014Q4/Mk/Uses/gecko.mk
  branches/2014Q4/www/linux-seamonkey/Makefile
  branches/2014Q4/www/linux-seamonkey/distinfo
  branches/2014Q4/www/linux-seamonkey/pkg-plist
  branches/2014Q4/www/seamonkey/Makefile
  branches/2014Q4/www/seamonkey/distinfo
  branches/2014Q4/www/seamonkey/files/patch-bug1021761
  branches/2014Q4/www/seamonkey/files/patch-bug1041381
  branches/2014Q4/www/seamonkey/files/patch-bug1046224
  branches/2014Q4/www/seamonkey/files/patch-bug1061736
  branches/2014Q4/www/seamonkey/files/patch-bug1076983
  branches/2014Q4/www/seamonkey/files/patch-bug1082199
  branches/2014Q4/www/seamonkey/files/patch-bug1103858
  branches/2014Q4/www/seamonkey/files/patch-bug702179
  branches/2014Q4/www/seamonkey/files/patch-bug826985
  branches/2014Q4/www/seamonkey/files/patch-bug847568
  branches/2014Q4/www/seamonkey/files/patch-bug858919
  branches/2014Q4/www/seamonkey/files/patch-bug899126
  branches/2014Q4/www/seamonkey/files/patch-duckduckgo
  branches/2014Q4/www/seamonkey/files/patch-ldap-xpcom-src-Makefile.in
  branches/2014Q4/www/seamonkey/files/patch-system-openh264
  branches/2014Q4/www/seamonkey/files/patch-z-bug517422
  branches/2014Q4/www/seamonkey-i18n/Makefile
  branches/2014Q4/www/seamonkey-i18n/distinfo
Comment 10 Stefan Farfeleder freebsd_committer freebsd_triage 2014-12-21 17:41:07 UTC
(In reply to Jan Beich from comment #7)
> (In reply to c.kworr from comment #5)
> > On the GTK3, looks like gtk2 plugins are not working yet they should:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=624422
> 
> Indeed, Firefox 34 + GTK3 has libxul.so linked against both libmozgtk and
> libgtk-3 which leads to:
> 
>   (<unknown>:98362): Gtk-ERROR **: GTK+ 2.x symbols detected. Using GTK+ 2.x and GTK+ 3 in the same process is not supported
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1051209
> https://trillian.chruetertee.ch/freebsd-gecko/changeset/1786/branches/firefox34/www/firefox

Can patch-bug1051209 please be added? It stops plugin-container dumping core all the time for me (with GTK3 enabled).