Contains fixes for:
CVE-2026-6746: Use-after-free in the DOM: Core & HTML component
CVE-2026-6747: Use-after-free in the WebRTC component
CVE-2026-6748: Uninitialized memory in the Audio/Video: Web Codecs
component
CVE-2026-6749: Information disclosure due to uninitialized memory in
the Graphics: Canvas2D component
CVE-2026-6750: Privilege escalation in the Graphics: WebRender
component
CVE-2026-6751: Uninitialized memory in the Audio/Video: Web Codecs
component
CVE-2026-6752: Incorrect boundary conditions in the WebRTC component
CVE-2026-6753: Incorrect boundary conditions in the WebRTC component
CVE-2026-6754: Use-after-free in the JavaScript Engine component
CVE-2026-6755: Mitigation bypass in the DOM: postMessage component
CVE-2026-6756: Mitigation bypass in Firefox for Android
CVE-2026-6757: Invalid pointer in the JavaScript: WebAssembly
component
CVE-2026-6758: Use-after-free in the JavaScript: WebAssembly component
CVE-2026-6759: Use-after-free in the Widget: Cocoa component
CVE-2026-6760: Mitigation bypass in the Networking: Cookies component
CVE-2026-6761: Privilege escalation in the Networking component
CVE-2026-6762: Spoofing issue in the DOM: Core & HTML component
CVE-2026-6763: Mitigation bypass in the File Handling component
CVE-2026-6764: Incorrect boundary conditions in the DOM: Device
Interfaces component
CVE-2026-6765: Information disclosure in the Form Autofill component
CVE-2026-6766: Incorrect boundary conditions in the Libraries
component in NSS
CVE-2026-6767: Other issue in the Libraries component in NSS
CVE-2026-6768: Mitigation bypass in the Networking: Cookies component
CVE-2026-6769: Privilege escalation in the Debugger component
CVE-2026-6770: Other issue in the Storage: IndexedDB component
CVE-2026-6771: Mitigation bypass in the DOM: Security component
CVE-2026-6772: Incorrect boundary conditions in the Libraries
component in NSS
CVE-2026-6773: Denial-of-service due to integer overflow in the
Graphics: WebGPU component
CVE-2026-6774: Mitigation bypass in the DOM: Security component
CVE-2026-6775: Incorrect boundary conditions in the WebRTC component
CVE-2026-6776: Incorrect boundary conditions in the WebRTC: Networking
component
CVE-2026-6777: Other issue in the Networking: DNS component
CVE-2026-6778: Invalid pointer in the Audio/Video: Playback component
CVE-2026-6779: Other issue in the JavaScript Engine component
CVE-2026-6780: Denial-of-service in the Audio/Video: Playback
component
CVE-2026-6781: Denial-of-service in the Audio/Video: Playback
component
CVE-2026-6782: Information disclosure in the IP Protection component
CVE-2026-6783: Incorrect boundary conditions, integer overflow in the
Audio/Video: Playback component
CVE-2026-6784: Memory safety bugs fixed in Firefox 150 and Thunderbird
150
CVE-2026-6785: Memory safety bugs fixed in Firefox ESR 115.35, Firefox
ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and
Thunderbird 150
CVE-2026-6786: Memory safety bugs fixed in Firefox ESR 140.10,
Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
* gnu/packages/patches/librewolf-150.0-encoding_rs-rust-fix.patch: New file.
* gnu/local.mk: Add new patch to dist_patch_DATA.
* gnu/packages/librewolf.scm (make-librewolf-source): Apply new patch.
* gnu/packages/librewolf.scm (librewolf): Update to 150.0-1.
[arguments #:phases use-mozzarella]: Update Mozzarella URLs. Fixes #1923.
Change-Id: I7696abc0ac44d689190d9ef1e12704905c11d431
From d8702527f4f1f67f765330f5018bfcb182946c45 Mon Sep 17 00:00:00 2001
|
|
From: Henri Sivonen <hsivonen@hsivonen.fi>
|
|
Date: Tue, 21 Apr 2026 07:09:20 +0000
|
|
Subject: [PATCH] Bug 2033279 - Make --enable-rust-simd work with Rust 1.95.
|
|
r=firefox-build-system-reviewers,supply-chain-reviewers,ahochheiden
|
|
|
|
Differential Revision: https://phabricator.services.mozilla.com/D295287
|
|
---
|
|
.cargo/config.toml.in | 5 ++
|
|
Cargo.lock | 4 +-
|
|
Cargo.toml | 2 +
|
|
supply-chain/audits.toml | 6 ++
|
|
supply-chain/config.toml | 4 ++
|
|
.../rust/encoding_rs/.cargo-checksum.json | 2 +-
|
|
.../rust/encoding_rs/.cargo_vcs_info.json | 6 --
|
|
third_party/rust/encoding_rs/Cargo.toml | 60 ++++++++++---------
|
|
third_party/rust/encoding_rs/Cargo.toml.orig | 45 --------------
|
|
.../rust/encoding_rs/src/x_user_defined.rs | 2 +
|
|
10 files changed, 54 insertions(+), 82 deletions(-)
|
|
delete mode 100644 third_party/rust/encoding_rs/.cargo_vcs_info.json
|
|
delete mode 100644 third_party/rust/encoding_rs/Cargo.toml.orig
|
|
|
|
diff --git a/.cargo/config.toml.in b/.cargo/config.toml.in
|
|
index 8013ae5435dab..cabdee463415f 100644
|
|
--- a/.cargo/config.toml.in
|
|
+++ b/.cargo/config.toml.in
|
|
@@ -55,6 +55,11 @@ git = "https://github.com/hsivonen/any_all_workaround"
|
|
rev = "7fb1b7034c9f172aade21ee1c8554e8d8a48af80"
|
|
replace-with = "vendored-sources"
|
|
|
|
+[source."git+https://github.com/hsivonen/encoding_rs?rev=1236d1bc423e6ba35a06485f74a6304db2d703b5"]
|
|
+git = "https://github.com/hsivonen/encoding_rs"
|
|
+rev = "1236d1bc423e6ba35a06485f74a6304db2d703b5"
|
|
+replace-with = "vendored-sources"
|
|
+
|
|
[source."git+https://github.com/hsivonen/rust-harfbuzz?rev=9d58a23a98772a197291d04af93f7041b7093d95"]
|
|
git = "https://github.com/hsivonen/rust-harfbuzz"
|
|
rev = "9d58a23a98772a197291d04af93f7041b7093d95"
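Review bot: The new `[source."git+https://github.com/hsivonen/encoding_rs?rev=…"]` entry sends the crate to `vendored-sources`, so what gets built is checked against the vendored directory's `.cargo-checksum.json`; the diffstat lists that file as changed, but no file section for it appears on this page. If that hunk was dropped on purpose when the patch was imported, the package build presumably regenerates or relaxes the vendored checksums elsewhere. That is worth confirming, because later hunks edit `third_party/rust/encoding_rs/Cargo.toml` and `src/x_user_defined.rs`. A comment above the entry such as `# encoding_rs: git pin for bug 2033279, served from third_party/rust` would also record why a crates.io crate has a git source here.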
|
|
diff --git a/Cargo.lock b/Cargo.lock
|
|
index fea2f95fbb438..63b1f818d7971 100644
|
|
--- a/Cargo.lock
|
|
+++ b/Cargo.lock
|
|
@@ -1914,11 +1914,11 @@ dependencies = [
|
|
[[package]]
|
|
name = "encoding_rs"
|
|
version = "0.8.35"
|
|
-source = "registry+https://github.com/rust-lang/crates.io-index"
|
|
-checksum = "75030f3c4f45dafd7586dd6780965a8c7e8e285a5ecb86713e63a79c5b2766f3"
|
|
+source = "git+https://github.com/hsivonen/encoding_rs?rev=1236d1bc423e6ba35a06485f74a6304db2d703b5#1236d1bc423e6ba35a06485f74a6304db2d703b5"
|
|
dependencies = [
|
|
"any_all_workaround",
|
|
"cfg-if",
|
|
+ "rustversion",
|
|
]
|
|
|
|
[[package]]
|
|
diff --git a/Cargo.toml b/Cargo.toml
|
|
index 49c695809f302..2648c32ae57e8 100644
|
|
--- a/Cargo.toml
|
|
+++ b/Cargo.toml
|
|
@@ -287,6 +287,8 @@ harfbuzz-sys = { git = "https://github.com/hsivonen/rust-harfbuzz", rev = "9d58a
|
|
harfbuzz = { git = "https://github.com/hsivonen/rust-harfbuzz", rev = "9d58a23a98772a197291d04af93f7041b7093d95" }
|
|
# Also vendor `harfbuzz-traits` to keep cargo-vendor happy.
|
|
harfbuzz-traits = { git = "https://github.com/hsivonen/rust-harfbuzz", rev = "9d58a23a98772a197291d04af93f7041b7093d95" }
|
|
+# Make --enable-rust-simd compatible with Rust 1.95
|
|
+encoding_rs = { git = "https://github.com/hsivonen/encoding_rs", rev = "1236d1bc423e6ba35a06485f74a6304db2d703b5" }
|
|
|
|
# objc 0.2.7 + fa7ca43b862861dd1cd000d7ad01e6e0266cda13
|
|
objc = { git = "https://github.com/glandium/rust-objc", rev = "4de89f5aa9851ceca4d40e7ac1e2759410c04324" }
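Review bot: The added comment `# Make --enable-rust-simd compatible with Rust 1.95` says why the override exists but not which bug tracks it or when it can be removed. This matters because the entry moves `encoding_rs` from a checksummed crates.io release to a git revision (the Cargo.lock hunk drops the `checksum` line). I would write `# Make --enable-rust-simd compatible with Rust 1.95 (bug 2033279); remove once a crates.io release of encoding_rs contains the fix.` The same 40-character `rev` is repeated in `.cargo/config.toml.in` and in the `delta` in `supply-chain/audits.toml`, so all three need to change together on the next update. The table this line belongs to starts outside the hunk.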
|
|
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
|
|
index 85b4037e03bdb..f4567ea6b6f94 100644
|
|
--- a/supply-chain/audits.toml
|
|
+++ b/supply-chain/audits.toml
|
|
@@ -2385,6 +2385,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
|
|
criteria = "safe-to-deploy"
|
|
delta = "0.8.31 -> 0.8.32"
|
|
|
|
+[[audits.encoding_rs]]
|
|
+who = "Henri Sivonen <hsivonen@hsivonen.fi>"
|
|
+criteria = "safe-to-deploy"
|
|
+delta = "0.8.35 -> 0.8.35@git:1236d1bc423e6ba35a06485f74a6304db2d703b5"
|
|
+importable = false
|
|
+
|
|
[[audits.enum-map]]
|
|
who = "Kershaw Chang <kershaw@mozilla.com>"
|
|
criteria = "safe-to-deploy"
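Review bot: The new `[[audits.encoding_rs]]` entry is recorded by the same person who authored this patch and is listed as the crate's author, and it has no `notes` line saying what the delta from 0.8.35 to the git revision contains. The subject line does name `supply-chain-reviewers`, so independent review is implied, but the audit record itself does not show it. Adding `notes = "Build fix for Rust 1.95 (bug 2033279): version-gated Select import and an optional rustversion dependency under simd-accel."` would let a later reader check the `safe-to-deploy` claim against the vendored diff.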
|
|
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
|
|
index 4cfd83dc2d608..15deefbec0574 100644
|
|
--- a/supply-chain/config.toml
|
|
+++ b/supply-chain/config.toml
|
|
@@ -39,6 +39,10 @@ notes = "This is the upstream code not yet released"
|
|
audit-as-crates-io = true
|
|
notes = "This is upstream plus a warning fix from bug 1823866."
|
|
|
|
+[policy.encoding_rs]
|
|
+audit-as-crates-io = true
|
|
+notes = "This is upstream plus a build fix for bug 2033279."
|
|
+
|
|
[policy.firefox-on-glean]
|
|
audit-as-crates-io = false
|
|
notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
|
|
diff --git a/third_party/rust/encoding_rs/.cargo_vcs_info.json b/third_party/rust/encoding_rs/.cargo_vcs_info.json
|
|
deleted file mode 100644
|
|
index 6e5d699759e43..0000000000000
|
|
--- a/third_party/rust/encoding_rs/.cargo_vcs_info.json
|
|
+++ /dev/null
|
|
@@ -1,6 +0,0 @@
|
|
-{
|
|
- "git": {
|
|
- "sha1": "2fa58aecf537cc76ff52c0eb3d5e9f8fda466844"
|
|
- },
|
|
- "path_in_vcs": ""
|
|
-}
|
|
\ No newline at end of file
|
|
diff --git a/third_party/rust/encoding_rs/Cargo.toml b/third_party/rust/encoding_rs/Cargo.toml
|
|
index 2adac351c2edf..0239315bab180 100644
|
|
--- a/third_party/rust/encoding_rs/Cargo.toml
|
|
+++ b/third_party/rust/encoding_rs/Cargo.toml
|
|
@@ -16,6 +16,7 @@ name = "encoding_rs"
|
|
version = "0.8.35"
|
|
authors = ["Henri Sivonen <hsivonen@hsivonen.fi>"]
|
|
build = false
|
|
+autolib = false
|
|
autobins = false
|
|
autoexamples = false
|
|
autotests = false
|
|
@@ -39,33 +40,6 @@ categories = [
|
|
license = "(Apache-2.0 OR MIT) AND BSD-3-Clause"
|
|
repository = "https://github.com/hsivonen/encoding_rs"
|
|
|
|
-[profile.release]
|
|
-lto = true
|
|
-
|
|
-[lib]
|
|
-name = "encoding_rs"
|
|
-path = "src/lib.rs"
|
|
-
|
|
-[dependencies.any_all_workaround]
|
|
-version = "0.1.0"
|
|
-optional = true
|
|
-
|
|
-[dependencies.cfg-if]
|
|
-version = "1.0"
|
|
-
|
|
-[dependencies.serde]
|
|
-version = "1.0"
|
|
-optional = true
|
|
-
|
|
-[dev-dependencies.bincode]
|
|
-version = "1.0"
|
|
-
|
|
-[dev-dependencies.serde_derive]
|
|
-version = "1.0"
|
|
-
|
|
-[dev-dependencies.serde_json]
|
|
-version = "1.0"
|
|
-
|
|
[features]
|
|
alloc = []
|
|
default = ["alloc"]
|
|
@@ -84,4 +58,34 @@ fast-legacy-encode = [
|
|
less-slow-big5-hanzi-encode = []
|
|
less-slow-gb-hanzi-encode = []
|
|
less-slow-kanji-encode = []
|
|
-simd-accel = ["any_all_workaround"]
|
|
+simd-accel = [
|
|
+ "any_all_workaround",
|
|
+ "rustversion",
|
|
+]
|
|
+
|
|
+[lib]
|
|
+name = "encoding_rs"
|
|
+path = "src/lib.rs"
|
|
+
|
|
+[dependencies]
|
|
+cfg-if = "1.0"
|
|
+
|
|
+[dependencies.any_all_workaround]
|
|
+version = "0.1.0"
|
|
+optional = true
|
|
+
|
|
+[dependencies.rustversion]
|
|
+version = "1.0.19"
|
|
+optional = true
|
|
+
|
|
+[dependencies.serde]
|
|
+version = "1.0"
|
|
+optional = true
|
|
+
|
|
+[dev-dependencies]
|
|
+bincode = "1.0"
|
|
+serde_derive = "1.0"
|
|
+serde_json = "1.0"
|
|
+
|
|
+[profile.release]
|
|
+lto = true
|
|
diff --git a/third_party/rust/encoding_rs/Cargo.toml.orig b/third_party/rust/encoding_rs/Cargo.toml.orig
|
|
deleted file mode 100644
|
|
index 0f7639d5f879b..0000000000000
|
|
--- a/third_party/rust/encoding_rs/Cargo.toml.orig
|
|
+++ /dev/null
|
|
@@ -1,45 +0,0 @@
|
|
-[package]
|
|
-name = "encoding_rs"
|
|
-description = "A Gecko-oriented implementation of the Encoding Standard"
|
|
-version = "0.8.35"
|
|
-edition = '2018'
|
|
-authors = ["Henri Sivonen <hsivonen@hsivonen.fi>"]
|
|
-license = "(Apache-2.0 OR MIT) AND BSD-3-Clause"
|
|
-readme = "README.md"
|
|
-documentation = "https://docs.rs/encoding_rs/"
|
|
-homepage = "https://docs.rs/encoding_rs/"
|
|
-repository = "https://github.com/hsivonen/encoding_rs"
|
|
-keywords = ["encoding", "web", "unicode", "charset"]
|
|
-categories = ["text-processing", "encoding", "web-programming", "internationalization"]
|
|
-rust-version = "1.36"
|
|
-
|
|
-[features]
|
|
-default = ["alloc"]
|
|
-alloc = []
|
|
-simd-accel = ["any_all_workaround"]
|
|
-less-slow-kanji-encode = []
|
|
-less-slow-big5-hanzi-encode = []
|
|
-less-slow-gb-hanzi-encode = []
|
|
-fast-hangul-encode = []
|
|
-fast-hanja-encode = []
|
|
-fast-kanji-encode = []
|
|
-fast-gb-hanzi-encode = []
|
|
-fast-big5-hanzi-encode = []
|
|
-fast-legacy-encode = ["fast-hangul-encode",
|
|
- "fast-hanja-encode",
|
|
- "fast-kanji-encode",
|
|
- "fast-gb-hanzi-encode",
|
|
- "fast-big5-hanzi-encode"]
|
|
-
|
|
-[dependencies]
|
|
-cfg-if = "1.0"
|
|
-serde = { version = "1.0", optional = true }
|
|
-any_all_workaround = { version = "0.1.0" , optional = true }
|
|
-
|
|
-[dev-dependencies]
|
|
-serde_derive = "1.0"
|
|
-bincode = "1.0"
|
|
-serde_json = "1.0"
|
|
-
|
|
-[profile.release]
|
|
-lto = true
|
|
diff --git a/third_party/rust/encoding_rs/src/x_user_defined.rs b/third_party/rust/encoding_rs/src/x_user_defined.rs
|
|
index 7af7d5e3d69da..16f1a18d7f6ce 100644
|
|
--- a/third_party/rust/encoding_rs/src/x_user_defined.rs
|
|
+++ b/third_party/rust/encoding_rs/src/x_user_defined.rs
|
|
@@ -16,7 +16,8 @@ cfg_if! {
|
|
use simd_funcs::*;
|
|
use core::simd::u16x8;
|
|
use core::simd::cmp::SimdPartialOrd;
|
|
+ #[rustversion::since(1.95)]
|
|
use core::simd::Select;
|
|
|
|
#[inline(always)]
|
|
fn shift_upper(unpacked: u16x8) -> u16x8 {
|