[Bug 261410] www/firefox: Update to 96.0.3 (unfixed security vulnerabilities)
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 261410] www/firefox: unfixed security vulnerabilities"
Date: Fri, 28 Jan 2022 15:53:56 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=261410
Jan Beich <jbeich@FreeBSD.org> changed:
              What |Removed                     |Added
----------------------------------------------------------------------------
Attachment #231401 |maintainer-approval?(gecko@ |maintainer-approval+
             Flags |FreeBSD.org)                |
--- Comment #11 from Jan Beich <jbeich@FreeBSD.org> ---
Comment on attachment 231401
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=231401
v1.0 (zstd, git)
Awesome work! Looks generally fine. Some nitpicks:
> - harfbuzz>=2.9.1:print/harfbuzz \
> + harfbuzz>=2.7.4:print/harfbuzz \
Firefox 96 bundles harfbuzz 3.1.2, so the version check in
files/patch-bug847568 is stale
https://searchfox.org/mozilla-release/rev/713683b4a6b0/gfx/harfbuzz/src/hb-version.h
> - libvpx>=1.8.2:multimedia/libvpx \
> + libvpx>=1.8.0:multimedia/libvpx \
Firefox 96 bundles libvpx 1.8.2, so the upstream version check in
toolkit/moz.configure is stale
https://searchfox.org/mozilla-release/rev/713683b4a6b0/media/libvpx/config/vpx_version.h
> -index 75c2c5e435e35..4d8c09c02759b 100644
> +index af08811..77a3b18 100644
(Cosmetic) "git add -p" makes it easy to skip such noise.
> -@@ -39,7 +39,7 @@ pref("extensions.postDownloadThirdPartyPrompt", true);
> +@@ -38,7 +38,7 @@ pref("extensions.postDownloadThirdPartyPrompt", true);
(Cosmetic) When only the offset changes but the context (surrounding lines)
remains the same, regenerating diffs can be skipped.
> diff --git gfx/2d/DrawTargetSkia.cpp gfx/2d/DrawTargetSkia.cpp
(Cosmetic) Sorting by Git kinda obfuscates what has really changed.
> +--- config/makefiles/rust.mk.orig 2020-05-12 09:36:22 UTC
(Cosmetic) Don't keep garbage from the old version.
> +Subject: [PATCH] Backport OpenBSD changes from 97 and WEBRTC_BSD, regen
> + gn+manifest for amd64 and i386 (actually, i686 with -msse2)
PkgSrc version for comparison:
https://github.com/NetBSD/pkgsrc/blob/5261ee98811c/www/firefox/patches/patch-libwebrtc.diff
Curiously, Firefox < 96 had x64*dragonfly.json but it wasn't used due to
https://github.com/DragonFlyBSD/DeltaPorts/commit/92611d22ee0d
> dom/media/webrtc/third_party_build/gn-configs/x64_False_x64_freebsd.json
gn-configs/ and BUILD.gn aren't used during Firefox build, only to generate
moz.build in a separate step.
Dropping those will shrink patch-webrtc by 92%, i.e., from 9.7 MiB to 698 KiB.
> ++ # Comment-out rustup on aarch64; no binary rustup for FreeBSD/aarch64
Confusing wording. "Comment-out" -> "Commented out" and ";" -> ":"
i686 works on x86_64 via rustup due to /usr/lib32 but aarch64 libs aren't
installed on x86_64 by default. Partial --sysroot can help e.g.,
$ fetch https://pkg.freebsd.org/FreeBSD:14:aarch64/latest/All/rust-1.58.0.pkg
$ tar xf rust-1.58.0.pkg
$ cp -a ./usr/local/lib/rustlib/*-unknown-freebsd /usr/local/lib/rustlib/
$ echo 'fn main() {}' >foo.rs
$ rustc --target=aarch64-unknown-freebsd foo.rs
error: linking with `cc` failed: exit status: 1
[...]
= note: ld: error: foo.foo.32c0c825-cgu.0.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.foo.32c0c825-cgu.1.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.foo.32c0c825-cgu.2.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.foo.32c0c825-cgu.3.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.foo.32c0c825-cgu.4.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.foo.32c0c825-cgu.5.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.foo.32c0c825-cgu.6.rcgu.o is incompatible with /usr/lib/Scrt1.o
ld: error: foo.50rnet0thytpgybx.rcgu.o is incompatible with /usr/lib/Scrt1.o
cc: error: linker command failed with exit code 1 (use -v to see invocation)
$ rustc -C link-args="--sysroot /poudriere/jails/main-aarch64" --target=aarch64-unknown-freebsd foo.rs
$ file foo
foo: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, FreeBSD-style, with debug_info, not stripped
$ cargo new --bin bar
$ cd bar
$ export RUSTFLAGS='-C link-arg=--sysroot -C link-arg=/poudriere/jails/main-aarch64 --target=aarch64-unknown-freebsd'
$ cargo build
$ file target/debug/bar
target/debug/bar: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (FreeBSD), dynamically linked, interpreter /libexec/ld-elf.so.1, FreeBSD-style, with debug_info, not stripped