Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package MozillaFirefox for openSUSE:Factory 
checked in at 2021-10-29 22:33:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/MozillaFirefox (Old)
 and      /work/SRC/openSUSE:Factory/.MozillaFirefox.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "MozillaFirefox"

Fri Oct 29 22:33:08 2021 rev:348 rq:927811 version:93.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/MozillaFirefox/MozillaFirefox.changes    
2021-10-20 20:24:40.125392315 +0200
+++ /work/SRC/openSUSE:Factory/.MozillaFirefox.new.1890/MozillaFirefox.changes  
2021-10-29 22:33:23.383663004 +0200
@@ -1,0 +2,14 @@
+Tue Oct 26 19:48:24 UTC 2021 - Wolfgang Rosenauer <w...@rosenauer.org>
+
+- Drop unused pkgconfig(gdk-x11-2.0) BuildRequires
+- (re-)enable LTO on Tumbleweed
+
+-------------------------------------------------------------------
+Wed Oct 20 06:49:52 UTC 2021 - Martin Sirringhaus <martin.sirringh...@suse.com>
+
+- Rebase mozilla-sandbox-fips.patch to punch another hole in the
+  sandbox containment, to be able to open /proc/sys/crypto/fips_enabled
+  from within the newly introduced socket process sandbox.
+  This fixes bsc#1191815 and bsc#1190141
+
+-------------------------------------------------------------------
@@ -4 +18 @@
-- Add patch to fix build on aarch64 - bmo#1729124 
+- Add patch to fix build on aarch64 (bmo#1729124)

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ MozillaFirefox.spec ++++++
--- /var/tmp/diff_new_pack.LnIE2t/_old  2021-10-29 22:33:26.071664019 +0200
+++ /var/tmp/diff_new_pack.LnIE2t/_new  2021-10-29 22:33:26.075664021 +0200
@@ -145,7 +145,6 @@
 %else
 BuildRequires:  clang-devel >= 5
 %endif
-BuildRequires:  pkgconfig(gdk-x11-2.0)
 BuildRequires:  pkgconfig(glib-2.0) >= 2.22
 BuildRequires:  pkgconfig(gobject-2.0)
 BuildRequires:  pkgconfig(gtk+-3.0) >= 3.14.0
@@ -522,7 +521,7 @@
 %endif
 %ifarch x86_64
 # LTO needs newer toolchain stack only (at least GCC 8.2.1 (r268506)
-%if 0%{?suse_version} > 1500 && 0%{?suse_version} < 1550
+%if 0%{?suse_version} > 1500
 ac_add_options --enable-lto
 %if 0%{?do_profiling}
 ac_add_options MOZ_PGO=1


++++++ mozilla-sandbox-fips.patch ++++++
--- /var/tmp/diff_new_pack.LnIE2t/_old  2021-10-29 22:33:26.383664137 +0200
+++ /var/tmp/diff_new_pack.LnIE2t/_new  2021-10-29 22:33:26.383664137 +0200
@@ -4,15 +4,11 @@
 http://bugzilla.suse.com/show_bug.cgi?id=1167132
 bsc#1174284 - Firefox tab just crashed in FIPS mode
 
-diff --git a/security/sandbox/linux/Sandbox.cpp 
b/security/sandbox/linux/Sandbox.cpp
---- a/security/sandbox/linux/Sandbox.cpp
-+++ b/security/sandbox/linux/Sandbox.cpp
-@@ -650,16 +650,17 @@ void SetMediaPluginSandbox(const char* a
-     SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
-                       strerror(errno));
-     MOZ_CRASH("failed while trying to open the plugin file ");
-   }
- 
+Index: firefox-93.0/security/sandbox/linux/Sandbox.cpp
+===================================================================
+--- firefox-93.0.orig/security/sandbox/linux/Sandbox.cpp
++++ firefox-93.0/security/sandbox/linux/Sandbox.cpp
+@@ -655,6 +655,7 @@ void SetMediaPluginSandbox(const char* a
    auto files = new SandboxOpenedFiles();
    files->Add(std::move(plugin));
    files->Add("/dev/urandom", SandboxOpenedFile::Dup::YES);
@@ -20,20 +16,11 @@
    files->Add("/etc/ld.so.cache");  // Needed for NSS in clearkey.
    files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
    files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
-   files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
-   files->Add("/proc/sys/crypto/fips_enabled");  // Needed for NSS in clearkey.
- #ifdef __i386__
-   files->Add("/proc/self/auxv");  // Info also in process's address space.
- #endif
-diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp 
b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
---- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-+++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
-@@ -315,16 +315,18 @@ void SandboxBrokerPolicyFactory::InitCon
-     policy->AddDir(rdwr, "/dev/dri");
-   }
- 
-   // Bug 1575985: WASM library sandbox needs RW access to /dev/null
-   policy->AddPath(rdwr, "/dev/null");
+Index: 
firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+===================================================================
+--- 
firefox-93.0.orig/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ firefox-93.0/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -320,6 +320,8 @@ void SandboxBrokerPolicyFactory::InitCon
  
    // Read permissions
    policy->AddPath(rdonly, "/dev/urandom");
@@ -42,8 +29,12 @@
    policy->AddPath(rdonly, "/proc/cpuinfo");
    policy->AddPath(rdonly, "/proc/meminfo");
    policy->AddDir(rdonly, "/sys/devices/cpu");
-   policy->AddDir(rdonly, "/sys/devices/system/cpu");
-   policy->AddDir(rdonly, "/lib");
-   policy->AddDir(rdonly, "/lib64");
-   policy->AddDir(rdonly, "/usr/lib");
-   policy->AddDir(rdonly, "/usr/lib32");
+@@ -792,6 +794,8 @@ SandboxBrokerPolicyFactory::GetSocketPro
+   auto policy = MakeUnique<SandboxBroker::Policy>();
+ 
+   policy->AddPath(rdonly, "/dev/urandom");
++  policy->AddPath(rdonly, "/dev/random");
++  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+   policy->AddPath(rdonly, "/proc/cpuinfo");
+   policy->AddPath(rdonly, "/proc/meminfo");
+   policy->AddDir(rdonly, "/sys/devices/cpu");
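Review bot: The two paths added to the socket process policy in GetSocketProcessPolicy, `/dev/random` and `/proc/sys/crypto/fips_enabled`, carry no comment saying why the sandbox must expose them. The changelog entry mentions only fips_enabled, so the `/dev/random` grant is unexplained. Each broker allowance widens what a compromised socket process can read, so the justification belongs next to the line, for example `// bsc#1191815, bsc#1190141: presumably read by NSS to detect FIPS mode` on the fips_enabled line. `/dev/random` needs a matching comment, or should be dropped if the fix does not need it. Both are single-path `rdonly` grants via AddPath rather than AddDir, which keeps the scope narrow. The function body continues outside the hunk, so the rest of the policy is not visible here.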
