Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozjs115 for openSUSE:Factory checked in at 2026-04-26 21:12:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozjs115 (Old) and /work/SRC/openSUSE:Factory/.mozjs115.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozjs115" Sun Apr 26 21:12:11 2026 rev:17 rq:1349354 version:115.15.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mozjs115/mozjs115.changes 2025-11-12 21:18:00.023220547 +0100 +++ /work/SRC/openSUSE:Factory/.mozjs115.new.11940/mozjs115.changes 2026-04-26 21:14:58.758406019 +0200 @@ -1,0 +2,8 @@ +Sat Apr 25 14:38:40 UTC 2026 - Michael Gorse <[email protected]> + +- Add security fixes: + + mozjs115-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + + mozjs115-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + + mozjs115-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) + +------------------------------------------------------------------- New: ---- _scmsync.obsinfo build.specials.obscpio mozjs115-CVE-2026-32776.patch mozjs115-CVE-2026-32777.patch mozjs115-CVE-2026-32778.patch ----------(New B)---------- New:- Add security fixes: + mozjs115-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + mozjs115-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) New: + mozjs115-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + mozjs115-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + mozjs115-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) New: + mozjs115-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + mozjs115-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozjs115.spec ++++++ --- /var/tmp/diff_new_pack.UMfA9s/_old 2026-04-26 21:15:02.202546243 +0200 +++ /var/tmp/diff_new_pack.UMfA9s/_new 2026-04-26 21:15:02.206546407 +0200 
@@ -92,6 +92,12 @@ Patch26: mozjs115-CVE-2024-11498.patch # PATCH-FIX-UPSTREAM libtheora-avoid-negative-shift.patch bsc#1234837 [email protected] -- avoid negative shift in huffdec.c. Patch27: libtheora-avoid-negative-shift.patch +# PATCH-FIX-UPSTREAM mozjs115-CVE-2026-32776.patch bsc#1259728 [email protected] -- libexpat: NULL pointer dereference when processing empty external parameter entities inside an entity declaration value +Patch28: mozjs115-CVE-2026-32776.patch +# PATCH-FIX-UPSTREAM mozjs115-CVE-2026-32777.patch bsc#1259713 [email protected] -- libexpat: denial of service due to infinite loop in DTD content parsing +Patch29: mozjs115-CVE-2026-32777.patch +# PATCH-FIX-UPSTREAM mozjs115-CVE-2026-32778.patch bsc#1259731 [email protected] -- libexpat: NULL pointer dereference in `setContext` on retry after an out-of-memory condition +Patch30: mozjs115-CVE-2026-32778.patch BuildRequires: autoconf213 BuildRequires: cargo BuildRequires: ccache @@ -183,6 +189,9 @@ %patch -P 25 -p1 %patch -P 26 -p1 %patch -P 27 -p1 +%patch -P 28 -p1 +%patch -P 29 -p1 +%patch -P 30 -p1 %if %{pkg_vcmp libicu-devel >= 76.1} sed -i 's/icu-i18n/icu-uc &/' js/moz.configure ++++++ _scmsync.obsinfo ++++++ mtime: 1777127934 commit: 03faefebd5df7ed8ef62e14e56a9f388646f3a2526d268e308b8d2be947f3cb9 url: https://src.opensuse.org/GNOME/mozjs115 revision: 03faefebd5df7ed8ef62e14e56a9f388646f3a2526d268e308b8d2be947f3cb9 projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-25 16:38:54.000000000 +0200 @@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ mozjs115-CVE-2026-32776.patch ++++++ >From 5be25657583ea91b09025c858b4785834c20f59c Mon Sep 17 00:00:00 2001 
From: Francesco Bertolaccini <[email protected]> Date: Tue, 3 Mar 2026 16:41:43 +0100 Subject: [PATCH] Fix NULL function-pointer dereference for empty external parameter entities When an external parameter entity with empty text is referenced inside an entity declaration value, the sub-parser created to handle it receives 0 bytes of input. Processing enters entityValueInitProcessor which calls storeEntityValue() with the parser's encoding; since no bytes were ever processed, encoding detection has not yet occurred and the encoding is still the initial probing encoding set up by XmlInitEncoding(). That encoding only populates scanners[] (for prolog and content), not literalScanners[]. XmlEntityValueTok() calls through literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a SEGV. Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd, and initialize the `next` pointer before the early exit so that callers (callStoreEntityValue) receive a valid value through nextPtr. --- diff -urp firefox-115.4.0.orig/parser/expat/lib/xmlparse.c firefox-115.4.0/parser/expat/lib/xmlparse.c --- firefox-115.4.0.orig/parser/expat/lib/xmlparse.c 2023-10-16 21:48:57.000000000 -0500 +++ firefox-115.4.0/parser/expat/lib/xmlparse.c 2026-04-25 04:55:34.512578221 -0500 @@ -5875,8 +5875,18 @@ storeEntityValue(XML_Parser parser, return XML_ERROR_NO_MEMORY; } + const char *next = entityTextPtr; + + /* Nothing to tokenize. */ + if (entityTextPtr >= entityTextEnd) { + result = XML_ERROR_NONE; + goto endEntityValue; + } + for (;;) { - const char *next; + next + = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ + int tok = XmlEntityValueTok(enc, entityTextPtr, entityTextEnd, &next); switch (tok) { case XML_TOK_PARAM_ENTITY_REF: ++++++ mozjs115-CVE-2026-32777.patch ++++++ >From 55cda8c7125986e17d7e1825cba413bd94a35d02 Mon Sep 17 00:00:00 2001 
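Review bot: The `/* Nothing to tokenize. */` comment on the new early exit in storeEntityValue does not say why the loop must be skipped, and the reason is only in the commit message. I would spell it out in the code, e.g. `/* Nothing to tokenize: with zero bytes consumed, enc may still be the initial probing encoding, whose literal scanners are unset. */`. The message also justifies hoisting `next` by a `nextPtr` out-parameter, but the call visible in the following patch's context is `storeEntityValue(parser, enc, s, end)`, so in this tree the pre-exit initialisation appears to have no consumer. It is harmless, but worth a note in the patch header that the backport differs from upstream here. The function body starts and ends outside the hunk.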
From: Sebastian Pipping <[email protected]> Date: Sun, 1 Mar 2026 20:16:13 +0100 Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in entityValueProcessor .. that OSS-Fuzz/ClusterFuzz uncovered --- expat/lib/xmlparse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff -urp firefox-115.4.0.orig/parser/expat/lib/xmlparse.c firefox-115.4.0/parser/expat/lib/xmlparse.c --- firefox-115.4.0.orig/parser/expat/lib/xmlparse.c 2026-04-25 05:00:29.864994760 -0500 +++ firefox-115.4.0/parser/expat/lib/xmlparse.c 2026-04-25 05:01:09.737259756 -0500 @@ -4346,7 +4346,7 @@ entityValueInitProcessor(XML_Parser pars } /* If we get this token, we have the start of what might be a normal tag, but not a declaration (i.e. it doesn't begin with - "<!"). In a DTD context, that isn't legal. + "<!" or "<?"). In a DTD context, that isn't legal. */ else if (tok == XML_TOK_INSTANCE_START) { *nextPtr = next; @@ -4430,6 +4430,15 @@ entityValueProcessor(XML_Parser parser, /* found end of entity value - can store it now */ return storeEntityValue(parser, enc, s, end); } + /* If we get this token, we have the start of what might be a + normal tag, but not a declaration (i.e. it doesn't begin with + "<!" or "<?"). In a DTD context, that isn't legal. + */ + else if (tok == XML_TOK_INSTANCE_START) { + *nextPtr = next; + return XML_ERROR_SYNTAX; + } + start = next; } } ++++++ mozjs115-CVE-2026-32778.patch ++++++ >From 576b61e42feeea704253cb7c7bedb2eeb3754387 Mon Sep 17 00:00:00 2001 
From: laserbear <[email protected]> Date: Sun, 8 Mar 2026 17:28:06 -0700 Subject: [PATCH 1/2] copy prefix name to pool before lookup .. so that we cannot end up with a zombie PREFIX in the pool that has NULL for a name. Co-authored-by: Sebastian Pipping <[email protected]> --- expat/lib/xmlparse.c | 43 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 8 deletions(-) diff -urp firefox-115.4.0.orig/parser/expat/lib/xmlparse.c firefox-115.4.0/parser/expat/lib/xmlparse.c --- firefox-115.4.0.orig/parser/expat/lib/xmlparse.c 2026-04-25 05:11:04.630386451 -0500 +++ firefox-115.4.0/parser/expat/lib/xmlparse.c 2026-04-25 05:15:19.059008170 -0500 @@ -6395,13 +6395,24 @@ setContext(XML_Parser parser, const XML_ return XML_FALSE; prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&tempPool), sizeof(PREFIX)); - if (!prefix) + const XML_Char *const prefixName = poolCopyStringNoFinish( + &dtd->pool, poolStart(&parser->m_tempPool)); + if (! prefixName) { return XML_FALSE; - if (prefix->name == poolStart(&tempPool)) { - prefix->name = poolCopyString(&dtd->pool, prefix->name); - if (!prefix->name) - return XML_FALSE; } + + prefix = (PREFIX *)lookup(parser, &dtd->prefixes, prefixName, + sizeof(PREFIX)); + + const bool prefixNameUsed = prefix && prefix->name == prefixName; + if (prefixNameUsed) + poolFinish(&dtd->pool); + else + poolDiscard(&dtd->pool); + + if (! prefix) + return XML_FALSE; + poolDiscard(&tempPool); } for (context = s + 1; 
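Review bot: The old `prefix = (PREFIX *)lookup(parser, &dtd->prefixes, poolStart(&tempPool), sizeof(PREFIX));` call is still present as context at the top of this setContext hunk, so the new code looks the prefix up with the temporary-pool string before the copy into `dtd->pool` exists. If that first call creates the entry, the second `lookup` with `prefixName` would find it, `prefixNameUsed` would be false, the copy would be discarded, and `prefix->name` would keep pointing into `tempPool` after `poolDiscard(&tempPool)`; the first call's NULL result is also overwritten unchecked. The hunk's line counts (13 old, 24 new) only add up with that call kept, and the patch's own diffstat (35 insertions, 8 deletions) does not match what the two hunks carry, so the backport has probably lost the removal of those lines. They should be `-` lines here. setContext starts and ends outside the hunk.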
@@ -7016,6 +7027,23 @@ poolCopyString(STRING_POOL *pool, const return s; } +// A version of `poolCopyString` that does not call `poolFinish` +// and reverts any partial advancement upon failure. +static const XML_Char *FASTCALL +poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s) { + const XML_Char *const original = s; + do { + if (! poolAppendChar(pool, *s)) { + // Revert any previously successful advancement + const ptrdiff_t advancedBy = s - original; + if (advancedBy > 0) + pool->ptr -= advancedBy; + return NULL; + } + } while (*s++); + return pool->start; +} + static const XML_Char * poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n) {
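Review bot: `poolCopyStringNoFinish` is defined here, below its call in setContext, and the patch adds no prototype: the setContext hunk starts at line 6395 on both sides, so nothing is inserted above the call. A forward declaration `static const XML_Char *FASTCALL poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s);` is needed ahead of setContext for the call to see the right signature. The header comment should also state the caller's side of the contract, e.g. `// Caller must follow with poolFinish() or poolDiscard(); assumes no unfinished string is pending, since pool->start is returned.`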
