Bug 261410 - www/firefox: Update to 96.0.3 (unfixed security vulnerabilities)
Summary: www/firefox: Update to 96.0.3 (unfixed security vulnerabilities)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Many People
Assignee: Christoph Moench-Tegeder
URL: https://www.mozilla.org/en-US/securit...
Keywords: needs-qa, security
Depends on:
Blocks:
 
Reported: 2022-01-23 06:28 UTC by Stefan Ehmann
Modified: 2022-01-28 21:10 UTC

See Also:
bugzilla: maintainer-feedback? (gecko)
koobs: merge-quarterly?


Attachments
v0 (unzstd ff96.patch.zst && git am ff96.patch) (27.69 KB, application/octet-stream)
2022-01-23 20:34 UTC, Evgeniy Khramtsov
no flags
v0.3 (zstd as well, only build tested until jail gets unborked) (70.45 KB, application/octet-stream)
2022-01-25 22:30 UTC, Evgeniy Khramtsov
no flags
v0.8 (zstd, git) (83.18 KB, application/octet-stream)
2022-01-26 22:37 UTC, Evgeniy Khramtsov
no flags
v1.0 (zstd, git) (87.00 KB, application/octet-stream)
2022-01-28 04:39 UTC, Evgeniy Khramtsov
jbeich: maintainer-approval+

Description Stefan Ehmann 2022-01-23 06:28:41 UTC
The current port version 95.0.2 has several security vulnerabilities which are fixed in firefox 96: <https://www.mozilla.org/en-US/security/advisories/mfsa2022-01/>

The following are classified as high impact:
* CVE-2022-22746
* CVE-2022-22743
* CVE-2022-22741
* CVE-2022-22740
* CVE-2022-22738
* CVE-2022-22737
* CVE-2021-4140
* CVE-2022-22751

There are also no entries in security/vuxml.

Is anyone working on the upgrade to 96.0.2?
Unfortunately, the update is not trivial. Some larger patches no longer apply.
Comment 1 Evgeniy Khramtsov 2022-01-23 20:34:32 UTC
Created attachment 231253
v0 (unzstd ff96.patch.zst && git am ff96.patch)

One can try an incomplete v0 without regened manifests (no WebRTC) and comments in patches. Builds and runs in 13.0/amd64 jail via x11-wm/cage (native and XWayland).

Due to dropped >20K line manifest and resulting >1 MB patch, a compressed patch is attached.

Note: For some reason I'm still subscribed to FreeBSD-gecko and decided to help.
I'm on 95 and will migrate to WebKit later in Q2-Q3, so I am no longer interested in gecko ports and spending more time on this. Anyone else can regen manifests, return comments to local patches, and check if patches are fine beyond {applies,builds,runs}.
Comment 2 Graham Perrin 2022-01-24 02:09:44 UTC
From <https://forums.freebsd.org/posts/552582>: 

> <https://www.freshports.org/vuxml.php?package=firefox>
> 
> I don't know why 95.0.2_2,2 is not yet marked as vulnerable. …
Comment 3 Stefan Ehmann 2022-01-24 18:48:08 UTC
Thanks for your patch, Evgeniy!

Can confirm that it works on 13.0/amd64.

While I don't use WebRTC on this machine, it's likely important for many users.
Comment 4 Evgeniy Khramtsov 2022-01-24 19:20:39 UTC
For anyone interested in WebRTC:

WEBRTC_POSIX isn't defined for libwebrtc, resulting in:

[...]
/wrkdirs/usr/ports/www/firefox/work/firefox-96.0.2/third_party/libwebrtc/rtc_base/platform_thread_types.h:47:1: error: unknown type name 'PlatformThreadId'
PlatformThreadId CurrentThreadId();                                             
[...]

from https://searchfox.org/mozilla-release/source/third_party/libwebrtc/rtc_base/platform_thread_types.h#41

It is defined from the generated gn manifests:
https://searchfox.org/mozilla-release/source/dom/media/webrtc/third_party_build/gn-configs

Seems like OpenBSD already generated them, and also provided a how-to for upstream:
https://github.com/mozilla/gecko-dev/commit/f65bde9a0
https://github.com/mozilla/gecko-dev/tree/f65bde9/dom/media/webrtc/third_party_build/gn-configs

One can try generating one for FreeBSD after mach bootstrap.

I could do that, but currently ENOTIME unfortunately.
Comment 5 Stefan Ehmann 2022-01-25 19:42:21 UTC
Thanks for the pointers. Unfortunately, the buildfile generation for webkit has changed.

The current procedure is documented in firefox-96.0.2/dom/media/webrtc/third_party_build/gn-configs/README.md. This procedure failed rather early for me.

In the recent commit "Bug 1749604 - simplified moz.build generation for libwebrtc", the instructions changed again. I tried with the latest version and got a bit further but for today I'm stuck with:

 0:06.93 checking for clang for bindgen... /usr/bin/clang++
 0:06.94 checking for libclang for bindgen... not found
 0:06.95 ERROR: Could not find libclang to generate rust bindings for C/C++. Please install the necessary packages, run `mach bootstrap`, or use --with-libclang-path to give the path containing it.
Comment 6 Evgeniy Khramtsov 2022-01-25 22:30:02 UTC
Created attachment 231338
v0.3 (zstd as well, only build tested until jail gets unborked)

I am working on it. I could regen manifest and build passed. I am attaching my WIP.
Now I need to unbork my testing jail, test/unbreak/rebase PipeWire and ABI related
patch, cleanup the mess, return WEBRTC_BSD, etc. I have patched depot_tools etc. I will notify if I give up.

21 files changed, 93301 insertions(+), 26443 deletions(-)
(Wew)
Comment 7 Stefan Ehmann 2022-01-26 21:21:35 UTC
Thanks for your continued effort!

Can confirm that WebRTC is now working with v0.3.

I just tried the first demo page that I found: <https://mozilla.github.io/webrtc-landing/canvas_demo.html>. With v0 it didn't work.
Comment 8 Evgeniy Khramtsov 2022-01-26 22:37:09 UTC
Created attachment 231369
v0.8 (zstd, git)

Upstream bug 1654448 [1] was filed for BSD build issues after libwebrtc
2H2020 import. OpenBSD has patches in 97, but 96 is marked as "wontfix".

I backported the patches for 96 and added WEBRTC_BSD (BUILD.gn is_bsd)
back with s/OpenBSD/FreeBSD gn and manifest regen.

Reproducing build environment and providing Ala-OpenBSD how-to is hard
at the moment due to numerous hacks locally. 97+ should be easier due
to landed upstream changes and simplified manifest regen [2].

There are __STDC_CONSTANT_MACROS redefinition warnings for libwebrtc
likely due to mozilla-config.h.in defining it [3] while
__STDC_CONSTANT_MACROS is also defined for Linux targets and OpenBSD
in 97+. I chose to do the same as Linux and OpenBSD to avoid regression.

Manifest for FreeBSD/i386 was generated via generate-gn-build-files.sh
and seems to be the way it is generated for 32-bit PCs running Linux [4].

Notice that host_cpu and HOST_CPU_ARCH are for 64-bit PC, but the manifest
is still for 32-bit Linux. The same also applies for ARM64 macOS [5].

FreeBSD/aarch64 wasn't generated via script as rustup doesn't provide aarch64
target for FreeBSD, and lang/rust in ports symlinked to rustup bin directory
doesn't provide rust-std for aarch64. generate-gn-build-files.sh hard fails
without Rust target. One could try via Rust via qemu (IIRC it doesn't work),
but I tried semi-automatic manifest generation by git diff'ing x64 and arm64
Linux manifests and porting the diff to x64 FreeBSD manifest copy for arm64.
If aarch64 build passes, then good. If no, I suggest --disable-webrtc for ARM
until a solution is found.

WebRTC microphone on FreeBSD/13.0 seems to be "okayish" as the first five seconds of a talk seem to be cut off, then enough data is buffered and recording is fine.
There is also an OSS related patch in files/, so IDK, maybe git bisect later.
Also see bug 257639 which might be related.

Speed is limited due to QA of 12.2{amd64,i386}, 13.0{i386}, PipeWire Wayland screencapture, inverted OPTIONS tests, completely new workflow. I need to build several large repos and do some testing I never did before. Setting up PipeWire may take long as I did it a year ago and things could change. I also don't have
a webcam and can't test one, it is unobtainable where I'm located.

Also, no idea at the moment where to look for the minimum required library
versions to update Makefile. I'll try to update lib versions in Makefile after testing. Patches deleted seem to be upstream or no longer needed.

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1654448
[2]: https://github.com/mozilla/gecko-dev/commit/e6f459cd77e3
[3]: https://searchfox.org/mozilla-central/source/mozilla-config.h.in#31
[4]: https://raw.githubusercontent.com/mozilla/gecko-dev/release/dom/media/webrtc/third_party_build/gn-configs/x64_False_x86_linux.json
[5]: https://raw.githubusercontent.com/mozilla/gecko-dev/release/dom/media/webrtc/third_party_build/gn-configs/x64_False_arm64_mac.json
Comment 9 Evgeniy Khramtsov 2022-01-28 04:39:24 UTC
Created attachment 231401
v1.0 (zstd, git)

Updated to 96.0.3, regenerated json+moz.build for aarch64 using
qemu-user-static 13.0/aarch64 chroot, adjusted BUILD_DEPENDS
versions according to rg 'pkg_check_modules'.

QA checklist:
12.2/{i386,amd64}, 13.0/amd64: build tested.
12.2/i386, 13.0/amd64: runtime tested.

13.0/i386 isn't Tier 1 so isn't QA'ed in order to not block security update for Tier 1.

aarch64 build should likely pass. If it doesn't, consider reverting:
--- x64_False_arm64_freebsd.json
+++ arm64_False_arm64_freebsd.json
@@ -1,13 +1,13 @@
 {
     "gn_gen_args": {
-        "host_cpu": "x64",
+        "host_cpu": "arm64",
         "is_debug": false,
         "target_cpu": "arm64",
         "target_os": "freebsd"
     },
     "mozbuild_args": {
         "CPU_ARCH": "aarch64",
-        "HOST_CPU_ARCH": "x86_64",
+        "HOST_CPU_ARCH": "aarch64",
         "MOZ_DEBUG": null,
         "OS_TARGET": "FreeBSD"
     },
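
Review bot: The file name in the ---/+++ header and the two changed values ("host_cpu" and "HOST_CPU_ARCH") describe the same host, so they should change together; switching only the name or only the fields leaves a manifest whose name says x64 while its contents say arm64, or the reverse. Since "target_cpu" and "CPU_ARCH" are untouched and nothing else in the hunk records where the file was generated, a short note beside the manifest stating the host it was generated on would make the choice checkable.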

and/or renaming arm64_False_arm64_freebsd.json to x64_False_arm64_freebsd.json.
I followed the rules for generating and target CPU literally from:
https://github.com/mozilla/gecko-dev/blob/release/dom/media/webrtc/third_party_build/gn-configs/README.md
arm64 -> x64 adjustment may be needed if the documentation is incorrect.

ppc64 can also follow later after aarch64 is OK and we get to reproduce
the regen environment/how-to. I have already written down some steps non-sequentially.

Since v0.8 was proven to be stable for >day by cmt, and this is a point
release with minor moz.build+json readjustment (guard sse2 and avx2 for
PCs, enable neon on aarch64), I believe that regression from v0.8 is
unlikely, which received the following QA:

12.2/{i386,amd64}, 13.0/{amd64}, -CURRENT: build/runtime tested (me).
PipeWire screencapture: tested (jbeich).
v0.8 + 96.0.3: tested for a day (cmt).

--

It seems that I borked my /dev or whatever again, **95.0.2 in the
official repos** and both 96.0.3 can't move tabs with MOZ_ENABLE_WAYLAND
under x11-wm/cage with /dev, XDG_RUNTIME_DIR, WAYLAND_DISPLAY passed
from -CURRENT host. I believe that my issue is not related to 96.0.3
update, but any final testing would be appreciated. I can't test 96
on host because it is far away from vanilla FreeBSD and testing on it
would require rebasing local no-X11 patches on top of 96 which I don't want.

I now disappear for some time to rest.
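
The host/target naming discussed in comments 8 and 9 can be checked mechanically. The following is an added example, not part of the thread or of Mozilla's tooling: the `<host_cpu>_<is_debug>_<target_cpu>_<target_os>.json` scheme is an assumption inferred from the file names quoted in this thread, and `check_gn_config`, `GN_TO_MOZ_CPU` and the sample manifest are constructed for illustration.

```python
import json

# gn CPU name -> mozbuild CPU name, limited to the pairs visible in the
# thread's diff (x64/x86_64 and arm64/aarch64).
GN_TO_MOZ_CPU = {"x64": "x86_64", "arm64": "aarch64"}


def check_gn_config(filename, text):
    """List mismatches between a gn-config file name and its JSON body.

    Assumed naming scheme (inferred from the file names in the thread):
    <host_cpu>_<is_debug>_<target_cpu>_<target_os>.json
    """
    stem = filename.rsplit("/", 1)[-1]
    parts = stem[:-len(".json")].split("_") if stem.endswith(".json") else []
    if len(parts) != 4:
        return ["unexpected file name shape: " + stem]
    host, debug, target, os_name = parts

    try:
        cfg = json.loads(text)
        gn, moz = cfg["gn_gen_args"], cfg["mozbuild_args"]
    except (ValueError, KeyError, TypeError) as exc:
        return ["unreadable manifest: %r" % (exc,)]
    if not isinstance(gn, dict) or not isinstance(moz, dict):
        return ["unreadable manifest: sections are not JSON objects"]

    checks = [
        ("gn_gen_args.host_cpu", gn.get("host_cpu"), host),
        ("gn_gen_args.is_debug", str(gn.get("is_debug")), debug),
        ("gn_gen_args.target_cpu", gn.get("target_cpu"), target),
        ("gn_gen_args.target_os", gn.get("target_os"), os_name),
    ]
    # The mozbuild side is only checked for CPU names we can translate.
    for field, cpu in (("HOST_CPU_ARCH", host), ("CPU_ARCH", target)):
        if cpu in GN_TO_MOZ_CPU:
            checks.append(("mozbuild_args." + field, moz.get(field),
                           GN_TO_MOZ_CPU[cpu]))
    return ["%s is %r, file name implies %r" % c for c in checks if c[1] != c[2]]


# Constructed sample: only the fields visible in the diff in this comment.
SAMPLE = """{
    "gn_gen_args": {"host_cpu": "arm64", "is_debug": false,
                    "target_cpu": "arm64", "target_os": "freebsd"},
    "mozbuild_args": {"CPU_ARCH": "aarch64", "HOST_CPU_ARCH": "aarch64",
                      "MOZ_DEBUG": null, "OS_TARGET": "FreeBSD"}
}"""

if __name__ == "__main__":
    for name in ("arm64_False_arm64_freebsd.json",
                 "x64_False_arm64_freebsd.json"):
        print(name, check_gn_config(name, SAMPLE) or "consistent")
```

Renaming the file without touching its contents is reported as two mismatches, one for `host_cpu` and one for `HOST_CPU_ARCH`.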
Comment 10 Stefan Ehmann 2022-01-28 09:06:29 UTC
Can confirm 96.0.3 is working on 13.0/amd64. No issues so far.

Thanks again for your work.

I got the generate-gn-build-files.sh (bug 1749604 version) finally working, but by the time you had already posted a patch with full port integration. Would have taken me a long time (or probably would have given up on webrtc).
Comment 11 Jan Beich freebsd_committer 2022-01-28 15:53:56 UTC
Comment on attachment 231401
v1.0 (zstd, git)

Awesome work! Looks generally fine. Some nitpicks:

> -		harfbuzz>=2.9.1:print/harfbuzz \
> +		harfbuzz>=2.7.4:print/harfbuzz \

Firefox 96 bundles harfbuzz 3.1.2, so the version check in files/patch-bug847568 is stale

https://searchfox.org/mozilla-release/rev/713683b4a6b0/gfx/harfbuzz/src/hb-version.h

> -		libvpx>=1.8.2:multimedia/libvpx \
> +		libvpx>=1.8.0:multimedia/libvpx \

Firefox 96 bundles libvpx 1.8.2, so upstream version check in toolkit/moz.configure is stale

https://searchfox.org/mozilla-release/rev/713683b4a6b0/media/libvpx/config/vpx_version.h

> -index 75c2c5e435e35..4d8c09c02759b 100644
> +index af08811..77a3b18 100644

(Cosmetic) "git add -p" makes it easy to skip such noise.

> -@@ -39,7 +39,7 @@ pref("extensions.postDownloadThirdPartyPrompt", true);
> +@@ -38,7 +38,7 @@ pref("extensions.postDownloadThirdPartyPrompt", true);

(Cosmetic) When only offset changes but context (surrounding lines) remains the same regenerating diffs can be skipped.

> diff --git gfx/2d/DrawTargetSkia.cpp gfx/2d/DrawTargetSkia.cpp

(Cosmetic) Sorting by Git kinda obfuscates what has really changed.

> +--- config/makefiles/rust.mk.orig      2020-05-12 09:36:22 UTC

(Cosmetic) Don't keep garbage from the old version.

> +Subject: [PATCH] Backport OpenBSD changes from 97 and WEBRTC_BSD, regen
> + gn+manifest for amd64 and i386 (actually, i686 with -msse2)

PkgSrc version for comparison: https://github.com/NetBSD/pkgsrc/blob/5261ee98811c/www/firefox/patches/patch-libwebrtc.diff
Curiously, Firefox < 96 had x64*dragonfly.json but wasn't used due to https://github.com/DragonFlyBSD/DeltaPorts/commit/92611d22ee0d

> dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_freebsd.json

gn-configs/ and BUILD.gn aren't used during Firefox build, only to generate moz.build in a separate step.
Dropping those will shrink patch-webrtc by 92% i.e., from 9.7 MiB to 698 KiB

> ++  # Comment-out rustup on aarch64; no binary rustup for FreeBSD/aarch64

Confusing wording. "Comment-out" -> "Commented out" and ";" -> ":"

i686 works on x86_64 via rustup due to /usr/lib32 but aarch64 libs aren't installed on x86_64 by default. Partial --sysroot can help e.g.,

  $ fetch https://pkg.freebsd.org/FreeBSD:14:aarch64/latest/All/rust-1.58.0.pkg
  $ tar xf rust-1.58.0.pkg
  $ cp -a ./usr/local/lib/rustlib/*-unknown-freebsd /usr/local/lib/rustlib/

  $ echo 'fn main() {}' >foo.rs
  $ rustc --target=aarch64-unknown-freebsd foo.rs
  error: linking with `cc` failed: exit status: 1
  [...]
    = note: ld: error: foo.foo.32c0c825-cgu.0.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.foo.32c0c825-cgu.1.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.foo.32c0c825-cgu.2.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.foo.32c0c825-cgu.3.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.foo.32c0c825-cgu.4.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.foo.32c0c825-cgu.5.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.foo.32c0c825-cgu.6.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    ld: error: foo.50rnet0thytpgybx.rcgu.o is incompatible with /usr/lib/Scrt1.o
	    cc: error: linker command failed with exit code 1 (use -v to see invocation)
  $ rustc -C link-args="--sysroot /poudriere/jails/main-aarch64" --target=aarch64-unknown-freebsd foo.rs
  $ file foo
  foo: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, FreeBSD-style, with debug_info, not stripped

  $ cargo new --bin bar
  $ cd bar
  $ export RUSTFLAGS='-C link-arg=--sysroot -C link-arg=/poudriere/jails/main-aarch64 --target=aarch64-unknown-freebsd'
  $ cargo build
  $ file target/debug/bar
  target/debug/bar: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, FreeBSD-style, with debug_info, not stripped
Comment 12 Evgeniy Khramtsov 2022-01-28 16:30:18 UTC
(In reply to Jan Beich from comment #11)

Thanks for review.

> (Cosmetic)
> git [...] noise
> (upstream) [...] version check is stale
> [...] Dropping those will shrink patch-webrtc by 92% i.e., from 9.7 MiB to 698 KiB [...]
> Confusing wording

Noted.

> Partial --sysroot can help

Awesome.

Addressing nitpicks would take time because I would need to rebuild and test everything again to be 100% sure. QA takes a ton of time and I can't see Firefox again this weekend because ENOTIME. One could either git commit --amend or address nitpicks in separate commit(s).

I'll address the above for the 97 update, as well as sharing the step-by-step
how-to on getting patch-webrtc for 97. I hope this is fine for gecko@.
Comment 13 commit-hook freebsd_committer 2022-01-28 21:01:47 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=7b007c9d1e67ccffc09f0b60d1d039cc7f8af693

commit 7b007c9d1e67ccffc09f0b60d1d039cc7f8af693
Author:     Evgeniy Khramtsov <evgeniy@khramtsov.org>
AuthorDate: 2022-01-28 02:30:16 +0000
Commit:     Christoph Moench-Tegeder <cmt@FreeBSD.org>
CommitDate: 2022-01-28 20:59:37 +0000

    www/firefox: update to 96.0.3

    PR:             261410
    Reported by:    Stefan Ehmann
    Tested by:      Stefan Ehmann (prior v0.3),
                    jbeich (PipeWire screen capture) (prior v0.8 via mail),
                    cmt (prior v0.8 + 96.0.3 bump)

 Mk/bsd.gecko.mk                                    |      3 +
 www/firefox/Makefile                               |      7 +-
 www/firefox/distinfo                               |      6 +-
 www/firefox/files/patch-addon-search               |     16 +-
 .../files/patch-browser-app-nsBrowserApp.cpp       |     14 +-
 www/firefox/files/patch-bug1288587 (gone)          |     37 -
 www/firefox/files/patch-bug1504834_comment10       |     10 +-
 www/firefox/files/patch-bug1504834_comment5        |     71 +-
 www/firefox/files/patch-bug1559213                 |     24 +-
 www/firefox/files/patch-bug1612184 (gone)          |  25961 --
 www/firefox/files/patch-bug1618914 (gone)          |     35 -
 www/firefox/files/patch-bug1626236                 |     40 +-
 www/firefox/files/patch-bug1628567                 |      4 +-
 www/firefox/files/patch-bug1640982                 |     16 +-
 www/firefox/files/patch-bug1676134 (gone)          |    122 -
 www/firefox/files/patch-bug1745560 (gone)          |     26 -
 www/firefox/files/patch-bug847568                  |     89 +-
 www/firefox/files/patch-pipewire_init              |     41 +-
 www/firefox/files/patch-webrtc (new)               | 253107 ++++++++++++++++++
 19 files changed, 253299 insertions(+), 26330 deletions(-)
Comment 14 commit-hook freebsd_committer 2022-01-28 21:03:48 UTC
A commit in branch 2022Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=52389fd51a12d674f56c44b6f31adb1cd9f3a1b5

commit 52389fd51a12d674f56c44b6f31adb1cd9f3a1b5
Author:     Evgeniy Khramtsov <evgeniy@khramtsov.org>
AuthorDate: 2022-01-28 02:30:16 +0000
Commit:     Christoph Moench-Tegeder <cmt@FreeBSD.org>
CommitDate: 2022-01-28 21:02:42 +0000

    www/firefox: update to 96.0.3

    PR:             261410
    Reported by:    Stefan Ehmann
    Tested by:      Stefan Ehmann (prior v0.3),
                    jbeich (PipeWire screen capture) (prior v0.8 via mail),
                    cmt (prior v0.8 + 96.0.3 bump)

    (cherry picked from commit 7b007c9d1e67ccffc09f0b60d1d039cc7f8af693)

 Mk/bsd.gecko.mk                                    |      3 +
 www/firefox/Makefile                               |      7 +-
 www/firefox/distinfo                               |      6 +-
 www/firefox/files/patch-addon-search               |     16 +-
 .../files/patch-browser-app-nsBrowserApp.cpp       |     14 +-
 www/firefox/files/patch-bug1288587 (gone)          |     37 -
 www/firefox/files/patch-bug1504834_comment10       |     10 +-
 www/firefox/files/patch-bug1504834_comment5        |     71 +-
 www/firefox/files/patch-bug1559213                 |     24 +-
 www/firefox/files/patch-bug1612184 (gone)          |  25961 --
 www/firefox/files/patch-bug1618914 (gone)          |     35 -
 www/firefox/files/patch-bug1626236                 |     40 +-
 www/firefox/files/patch-bug1628567                 |      4 +-
 www/firefox/files/patch-bug1640982                 |     16 +-
 www/firefox/files/patch-bug1676134 (gone)          |    122 -
 www/firefox/files/patch-bug1745560 (gone)          |     26 -
 www/firefox/files/patch-bug847568                  |     89 +-
 www/firefox/files/patch-pipewire_init              |     41 +-
 www/firefox/files/patch-webrtc (new)               | 253107 ++++++++++++++++++
 19 files changed, 253299 insertions(+), 26330 deletions(-)
Comment 15 Christoph Moench-Tegeder freebsd_committer 2022-01-28 21:10:00 UTC
committed, thanks a lot!