Version in base suite: 2.0.0.15-0etch1 Version in overlay suite: (not present) Base version: iceweasel_2.0.0.15-0etch1 Target version: iceweasel_2.0.0.16-0etch1 Base file: /org/ftp.debian.org/ftp/pool/main/i/iceweasel/iceweasel_2.0.0.15-0etch1.dsc Target file: /org/ftp.debian.org/queue/p-u-new/iceweasel_2.0.0.16-0etch1.dsc gpg: failed to create temporary file `/home/pkern/.gnupg/.#lk0x1ddf4f0.ries.13392': Permission denied gpg: keyblock resource `/home/pkern/.gnupg/pubring.gpg': general error gpg: Signature made Tue 08 Jul 2008 00:41:08 UTC using DSA key ID 16D970C6 gpg: can't access `/home/pkern/.gnupg/trustdb.gpg': Permission denied gpg: fatal: can't init trustdb: trust database error secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 gpg: failed to create temporary file `/home/pkern/.gnupg/.#lk0x12434f0.ries.13408': Permission denied gpg: keyblock resource `/home/pkern/.gnupg/pubring.gpg': general error gpg: Signature made Mon 21 Jul 2008 04:22:20 UTC using DSA key ID 16D970C6 gpg: can't access `/home/pkern/.gnupg/trustdb.gpg': Permission denied gpg: fatal: can't init trustdb: trust database error secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768 diff -Nru iceweasel-2.0.0.15/browser/app/module.ver iceweasel-2.0.0.16/browser/app/module.ver --- iceweasel-2.0.0.15/browser/app/module.ver 2008-06-12 19:15:05.000000000 +0000 +++ iceweasel-2.0.0.16/browser/app/module.ver 2008-07-02 11:38:46.000000000 +0000 
@@ -1,7 +1,7 @@ WIN32_MODULE_COMPANYNAME=Mozilla Corporation WIN32_MODULE_COPYRIGHT=©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable. -WIN32_MODULE_PRODUCTVERSION=2,0,0,15 -WIN32_MODULE_PRODUCTVERSION_STRING=2.0.0.15 +WIN32_MODULE_PRODUCTVERSION=2,0,0,16 +WIN32_MODULE_PRODUCTVERSION_STRING=2.0.0.16 WIN32_MODULE_TRADEMARKS=Firefox is a Trademark of The Mozilla Foundation. WIN32_MODULE_DESCRIPTION=Firefox WIN32_MODULE_PRODUCTNAME=Firefox diff -Nru iceweasel-2.0.0.15/browser/base/content/browser.js iceweasel-2.0.0.16/browser/base/content/browser.js --- iceweasel-2.0.0.15/browser/base/content/browser.js 2008-03-08 13:23:01.000000000 +0000 +++ iceweasel-2.0.0.16/browser/base/content/browser.js 2008-07-01 05:50:49.000000000 +0000 @@ -740,7 +740,13 @@ window.tryToClose = WindowIsClosing; var uriToLoad = null; - // Check for window.arguments[0]. If present, use that for uriToLoad. + + // window.arguments[0]: URI to load (string), or an nsISupportsArray of + // nsISupportsStrings to load + // [1]: character set (string) + // [2]: referrer (nsIURI) + // [3]: postData (nsIInputStream) + // [4]: allowThirdPartyFixup (bool) if ("arguments" in window && window.arguments[0]) uriToLoad = window.arguments[0]; 
@@ -754,10 +760,26 @@ #else # only load url passed in when we're not page cycling if (uriToLoad && !gIsLoadingBlank) { - if (window.arguments.length >= 3) + if (uriToLoad instanceof Components.interfaces.nsISupportsArray) { + var count = uriToLoad.Count(); + var specs = []; + for (var i = 0; i < count; i++) { + var urisstring = uriToLoad.GetElementAt(i).QueryInterface(Components.interfaces.nsISupportsString); + specs.push(urisstring.data); + } + + // This function throws for certain malformed URIs, so use exception handling + // so that we don't disrupt startup + try { + gBrowser.loadTabs(specs, false, true); + } catch (e) {} + } + else if (window.arguments.length >= 3) { loadURI(uriToLoad, window.arguments[2], window.arguments[3] || null, window.arguments[4] || false); - + } + // Note: loadOneOrMoreURIs *must not* be called if window.arguments.length >= 3. + // Such callers expect that window.arguments[0] is handled as a single URI. else loadOneOrMoreURIs(uriToLoad); } @@ -4101,7 +4123,7 @@ var url = aURI ? aURI.spec : "about:blank"; switch(aWhere) { case nsCI.nsIBrowserDOMWindow.OPEN_NEWWINDOW : - newWindow = openDialog(getBrowserURL(), "_blank", "all,dialog=no", url); + newWindow = openDialog(getBrowserURL(), "_blank", "all,dialog=no", url, null, null, null); break; case nsCI.nsIBrowserDOMWindow.OPEN_NEWTAB : var loadInBackground = gPrefService.getBoolPref("browser.tabs.loadDivertedInBackground"); diff -Nru iceweasel-2.0.0.15/browser/components/nsBrowserContentHandler.js iceweasel-2.0.0.16/browser/components/nsBrowserContentHandler.js --- iceweasel-2.0.0.15/browser/components/nsBrowserContentHandler.js 2007-09-14 19:59:42.000000000 +0000 +++ iceweasel-2.0.0.16/browser/components/nsBrowserContentHandler.js 2008-07-02 09:11:00.000000000 +0000 
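Review bot: The `QueryInterface(Components.interfaces.nsISupportsString)` call in the new `for` loop sits outside the `try`, so an array element that is not an nsISupportsString would throw before `loadTabs` is reached and interrupt startup, which is what the comment above the `try` says the code wants to avoid. Moving the loop inside the `try` closes that gap. The empty `catch (e) {}` also discards the reason a URI was rejected; `catch (e) { Components.utils.reportError(e); }` keeps startup going while leaving a trace in the error console. The enclosing startup function begins and ends outside this hunk.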
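Review bot: The three trailing `null` arguments added to `openDialog` in the OPEN_NEWWINDOW case carry no explanation, and a later cleanup could easily drop them as redundant. From the other browser.js hunk in this patch they appear to exist so that `window.arguments.length >= 3` holds and the URL takes the single-URI `loadURI` branch instead of `loadOneOrMoreURIs`. A comment above the call would record that, e.g. `// Pass charset, referrer and postData as null so BrowserStartup treats url as one URI`. The switch statement continues outside the hunk.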
@@ -173,17 +173,60 @@ } } -function openWindow(parent, url, target, features, args) { +// Flag used to indicate that the arguments to openWindow can be passed directly. +const NO_EXTERNAL_URIS = 1; + +function openWindow(parent, url, target, features, args, noExternalArgs) { var wwatch = Components.classes["@mozilla.org/embedcomp/window-watcher;1"] .getService(nsIWindowWatcher); - var argstring; - if (args) { - argstring = Components.classes["@mozilla.org/supports-string;1"] + if (noExternalArgs == NO_EXTERNAL_URIS) { + // Just pass in the defaultArgs directly + var argstring; + if (args) { + argstring = Components.classes["@mozilla.org/supports-string;1"] .createInstance(nsISupportsString); - argstring.data = args; + argstring.data = args; + } + + return wwatch.openWindow(parent, url, target, features, argstring); + } + + // Pass an array to avoid the browser "|"-splitting behavior. + var argArray = Components.classes["@mozilla.org/supports-array;1"] + .createInstance(Components.interfaces.nsISupportsArray); + + // add args to the arguments array + var stringArgs = null; + if (args instanceof Array) // array + stringArgs = args; + else if (args) // string + stringArgs = [args]; + + if (stringArgs) { + // put the URIs into argArray + var uriArray = Components.classes["@mozilla.org/supports-array;1"] + .createInstance(Components.interfaces.nsISupportsArray); + stringArgs.forEach(function (uri) { + var sstring = Components.classes["@mozilla.org/supports-string;1"] + .createInstance(nsISupportsString); + sstring.data = uri; + uriArray.AppendElement(sstring); + }); + argArray.AppendElement(uriArray); + } else { + argArray.AppendElement(null); } - return wwatch.openWindow(parent, url, target, features, argstring); + + // Pass these as null to ensure that we always trigger the "single URL" + // behavior in browser.js's BrowserStartup (which handles the window + // arguments) + argArray.AppendElement(null); // charset + argArray.AppendElement(null); // referer + 
argArray.AppendElement(null); // postData + argArray.AppendElement(null); // allowThirdPartyFixup + + return wwatch.openWindow(parent, url, target, features, argArray); } function openPreferences() { @@ -313,9 +356,10 @@ /* nsICommandLineHandler */ handle : function bch_handle(cmdLine) { if (cmdLine.handleFlag("browser", false)) { + // Passing defaultArgs, so use NO_EXTERNAL_URIS openWindow(null, this.chromeURL, "_blank", "chrome,dialog=no,all" + this.getFeatures(cmdLine), - this.defaultArgs); + this.defaultArgs, NO_EXTERNAL_URIS); cmdLine.preventDefault = true; } @@ -376,9 +420,10 @@ if (remoteParams[0].toLowerCase() != "openbrowser") throw NS_ERROR_ABORT; + // Passing defaultArgs, so use NO_EXTERNAL_URIS openWindow(null, this.chromeURL, "_blank", "chrome,dialog=no,all" + this.getFeatures(cmdLine), - this.defaultArgs); + this.defaultArgs, NO_EXTERNAL_URIS); break; default: @@ -446,7 +491,7 @@ } if (!uri.schemeIs("javascript") && !uri.schemeIs("data")) { var features = "chrome,dialog=no,all" + this.getFeatures(cmdLine); - openWindow(null, uri.spec, "_blank", features, ""); + openWindow(null, uri.spec, "_blank", features); cmdLine.preventDefault = true; } } 
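Review bot: The security contract of the new sixth parameter of `openWindow` is undocumented: nothing on the function says that `NO_EXTERNAL_URIS` may only be passed when `args` is the browser's own `defaultArgs`, and that every caller handling command-line or remote URIs must leave it off so the values travel as an nsISupportsArray. A header comment on `openWindow` stating this, and that `args` may be a string, an Array of strings or empty, would make misuse by a future caller less likely. The parameter name `noExternalArgs` and the constant `NO_EXTERNAL_URIS` name the same thing differently; one name would read better. The comparison `noExternalArgs == NO_EXTERNAL_URIS` is loose, so `true` or `"1"` also select the direct path; `if (noExternalArgs === NO_EXTERNAL_URIS)` makes the opt-in exact.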
@@ -785,23 +830,19 @@ } } - var speclist = []; - for (uri in urilist) { - if (shouldLoadURI(urilist[uri])) - speclist.push(urilist[uri].spec); - } - - if (speclist.length) { + var URLlist = urilist.filter(shouldLoadURI).map(function (u) { return u.spec; }); + if (URLlist.length) { openWindow(null, nsBrowserContentHandler.chromeURL, "_blank", "chrome,dialog=no,all" + nsBrowserContentHandler.getFeatures(cmdLine), - speclist.join("|")); + URLlist); } } else if (!cmdLine.preventDefault) { + // Passing defaultArgs, so use NO_EXTERNAL_URIS openWindow(null, nsBrowserContentHandler.chromeURL, "_blank", "chrome,dialog=no,all" + nsBrowserContentHandler.getFeatures(cmdLine), - nsBrowserContentHandler.defaultArgs); + nsBrowserContentHandler.defaultArgs, NO_EXTERNAL_URIS); } }, diff -Nru iceweasel-2.0.0.15/browser/config/version.txt iceweasel-2.0.0.16/browser/config/version.txt --- iceweasel-2.0.0.15/browser/config/version.txt 2008-06-12 19:15:05.000000000 +0000 +++ iceweasel-2.0.0.16/browser/config/version.txt 2008-07-02 11:38:46.000000000 +0000 @@ -1 +1 @@ -2.0.0.15 +2.0.0.16 diff -Nru iceweasel-2.0.0.15/client.mk iceweasel-2.0.0.16/client.mk --- iceweasel-2.0.0.15/client.mk 2008-06-12 19:15:04.000000000 +0000 +++ iceweasel-2.0.0.16/client.mk 2008-07-02 11:38:46.000000000 +0000 
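Review bot: `urilist.filter(shouldLoadURI)` hands the callback three arguments (element, index, array), so the filter is only correct while `shouldLoadURI` reads its first parameter alone; its definition is outside this hunk. Writing `urilist.filter(function (u) { return shouldLoadURI(u); })` keeps the scheme check independent of the callback signature. The switch from `speclist.join("|")` to an array deserves a one-line comment at the call, such as `// Pass an array: a "|"-joined string would be split again by the browser window`, since this appears to be the call site that handles externally supplied URIs.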
@@ -257,11 +257,11 @@ # # For branches, uncomment the MOZ_CO_TAG line with the proper tag, # and commit this file on that tag. -MOZ_CO_TAG = FIREFOX_2_0_0_15_RELEASE -NSPR_CO_TAG = FIREFOX_2_0_0_15_RELEASE -NSS_CO_TAG = FIREFOX_2_0_0_15_RELEASE -LDAPCSDK_CO_TAG = FIREFOX_2_0_0_15_RELEASE -LOCALES_CO_TAG = FIREFOX_2_0_0_15_RELEASE +MOZ_CO_TAG = FIREFOX_2_0_0_16_RELEASE +NSPR_CO_TAG = FIREFOX_2_0_0_16_RELEASE +NSS_CO_TAG = FIREFOX_2_0_0_16_RELEASE +LDAPCSDK_CO_TAG = FIREFOX_2_0_0_16_RELEASE +LOCALES_CO_TAG = FIREFOX_2_0_0_16_RELEASE NSS_FIPS_CO_TAG = NSS_3_11_4_RTM NSS_FIPS_CO_DIR = nss-fips diff -Nru iceweasel-2.0.0.15/config/milestone.txt iceweasel-2.0.0.16/config/milestone.txt --- iceweasel-2.0.0.15/config/milestone.txt 2008-06-12 19:15:05.000000000 +0000 +++ iceweasel-2.0.0.16/config/milestone.txt 2008-07-02 11:38:46.000000000 +0000 @@ -10,4 +10,4 @@ # hardcoded milestones in the tree from these two files. #-------------------------------------------------------- -1.8.1.15 +1.8.1.16 diff -Nru iceweasel-2.0.0.15/debian/changelog iceweasel-2.0.0.16/debian/changelog --- iceweasel-2.0.0.15/debian/changelog 2008-07-31 19:27:57.000000000 +0000 +++ iceweasel-2.0.0.16/debian/changelog 2008-07-31 19:28:02.000000000 +0000 @@ -1,3 +1,11 @@ +iceweasel (2.0.0.16-0etch1) stable-security; urgency=critical + + * New upstream security release. + * Fixes mfsa 20008-34 aka CVE-2008-2785; mfsa 2008-35 aka + CVE-2008-2933. (Closes: #491524) + + -- Eric Dorland Sun, 20 Jul 2008 02:03:56 -0400 + iceweasel (2.0.0.15-0etch1) stable-security; urgency=critical * New upstream security release. diff -Nru iceweasel-2.0.0.15/layout/style/nsCSSValue.h iceweasel-2.0.0.16/layout/style/nsCSSValue.h --- iceweasel-2.0.0.15/layout/style/nsCSSValue.h 2006-08-28 16:56:08.000000000 +0000 +++ iceweasel-2.0.0.16/layout/style/nsCSSValue.h 2008-07-01 22:49:45.000000000 +0000 
@@ -322,10 +322,18 @@ } void AddRef() { + if (mRefCnt == PR_UINT16_MAX) { + NS_WARNING("refcount overflow, leaking nsCSSValue::Array"); + return; + } ++mRefCnt; NS_LOG_ADDREF(this, mRefCnt, "nsCSSValue::Array", sizeof(*this)); } void Release() { + if (mRefCnt == PR_UINT16_MAX) { + NS_WARNING("refcount overflow, leaking nsCSSValue::Array"); + return; + } --mRefCnt; NS_LOG_RELEASE(this, mRefCnt, "nsCSSValue::Array"); if (mRefCnt == 0) diff -Nru iceweasel-2.0.0.15/mail/config/version.txt iceweasel-2.0.0.16/mail/config/version.txt --- iceweasel-2.0.0.15/mail/config/version.txt 2008-04-04 22:23:20.000000000 +0000 +++ iceweasel-2.0.0.16/mail/config/version.txt 2008-06-12 19:01:30.000000000 +0000 @@ -1 +1 @@ -2.0.0.15pre +2.0.0.16pre diff -Nru iceweasel-2.0.0.15/rdf/base/src/nsInMemoryDataSource.cpp iceweasel-2.0.0.16/rdf/base/src/nsInMemoryDataSource.cpp --- iceweasel-2.0.0.15/rdf/base/src/nsInMemoryDataSource.cpp 2006-09-12 18:26:48.000000000 +0000 +++ iceweasel-2.0.0.16/rdf/base/src/nsInMemoryDataSource.cpp 2008-07-01 22:49:45.000000000 +0000 @@ -157,11 +157,22 @@ ~Assertion(); - void AddRef() { ++mRefCnt; } + void AddRef() { + if (mRefCnt == PR_UINT16_MAX) { + NS_WARNING("refcount overflow, leaking Assertion"); + return; + } + ++mRefCnt; + } void Release(nsFixedSizeAllocator& aAllocator) { + if (mRefCnt == PR_UINT16_MAX) { + NS_WARNING("refcount overflow, leaking Assertion"); + return; + } if (--mRefCnt == 0) - Destroy(aAllocator, this); } + Destroy(aAllocator, this); + } // For nsIRDFPurgeableDataSource inline void Mark() { u.as.mMarked = PR_TRUE; } 
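Review bot: The new guards in `AddRef` and `Release` turn `PR_UINT16_MAX` into a sticky value that is never incremented or decremented again, but no comment says that this leak is deliberate. A comment above `AddRef` such as `// PR_UINT16_MAX is a saturation sentinel: once reached the object is leaked on purpose so the count cannot wrap to zero and free a live object` would stop someone from removing the guard as an apparent leak later. The declaration of `mRefCnt` is outside this hunk, so the guard's reliance on an unsigned 16-bit counter cannot be checked here. `NS_WARNING` is compiled out of non-debug builds, so release builds saturate silently. The same comment applies to `Assertion::AddRef` and `Assertion::Release` in the nsInMemoryDataSource.cpp hunk.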
@@ -194,7 +205,7 @@ // also shared between hash/as (see the union above) // but placed after union definition to ensure that // all 32-bit entries are long aligned - PRInt16 mRefCnt; + PRUint16 mRefCnt; PRPackedBool mHashEntry; private: diff -Nru iceweasel-2.0.0.15/security/manager/ssl/src/nsClientAuthRemember.cpp iceweasel-2.0.0.16/security/manager/ssl/src/nsClientAuthRemember.cpp --- iceweasel-2.0.0.15/security/manager/ssl/src/nsClientAuthRemember.cpp 2008-06-04 21:25:05.000000000 +0000 +++ iceweasel-2.0.0.16/security/manager/ssl/src/nsClientAuthRemember.cpp 2008-06-30 22:54:10.000000000 +0000 @@ -58,8 +58,9 @@ #include "nsNSSCleaner.h" NSSCleanupAutoPtrClass(CERTCertificate, CERT_DestroyCertificate) -NS_IMPL_THREADSAFE_ISUPPORTS1(nsClientAuthRememberService, - nsIObserver) +NS_IMPL_THREADSAFE_ISUPPORTS2(nsClientAuthRememberService, + nsIObserver, + nsISupportsWeakReference) nsClientAuthRememberService::nsClientAuthRememberService() { diff -Nru iceweasel-2.0.0.15/security/manager/ssl/src/nsClientAuthRemember.h iceweasel-2.0.0.16/security/manager/ssl/src/nsClientAuthRemember.h --- iceweasel-2.0.0.15/security/manager/ssl/src/nsClientAuthRemember.h 2008-06-04 20:42:04.000000000 +0000 +++ iceweasel-2.0.0.16/security/manager/ssl/src/nsClientAuthRemember.h 2008-06-30 22:54:11.000000000 +0000 @@ -46,6 +46,7 @@ #include "nsAutoPtr.h" #include "nsNSSCertificate.h" #include "nsString.h" +#include "nsWeakReference.h" #include "prmon.h" class nsClientAuthRemember 
@@ -138,7 +139,8 @@ nsCString mHostWithCert; }; -class nsClientAuthRememberService : public nsIObserver +class nsClientAuthRememberService : public nsIObserver, + public nsSupportsWeakReference { public: NS_DECL_ISUPPORTS diff -Nru iceweasel-2.0.0.15/security/manager/ssl/src/nsNSSComponent.cpp iceweasel-2.0.0.16/security/manager/ssl/src/nsNSSComponent.cpp --- iceweasel-2.0.0.15/security/manager/ssl/src/nsNSSComponent.cpp 2008-06-04 20:42:04.000000000 +0000 +++ iceweasel-2.0.0.16/security/manager/ssl/src/nsNSSComponent.cpp 2008-06-30 22:54:11.000000000 +0000 @@ -290,7 +290,9 @@ mObserversRegistered = PR_FALSE; nsSSLIOLayerHelpers::Init(); - mClientAuthRememberService.Init(); + mClientAuthRememberService = new nsClientAuthRememberService; + if (mClientAuthRememberService) + mClientAuthRememberService->Init(); NS_ASSERTION( (0 == mInstanceCount), "nsNSSComponent is a singleton, but instantiated multiple times!"); ++mInstanceCount; @@ -1554,7 +1556,9 @@ ShutdownSmartCardThreads(); SSL_ClearSessionCache(); - mClientAuthRememberService.ClearRememberedDecisions(); + if (mClientAuthRememberService) { + mClientAuthRememberService->ClearRememberedDecisions(); + } PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("evaporating psm resources\n")); mShutdownObjectList->evaporateAllNSSResources(); if (SECSuccess != ::NSS_Shutdown()) { @@ -2044,7 +2048,9 @@ nsresult nsNSSComponent::LogoutAuthenticatedPK11() { - mClientAuthRememberService.ClearRememberedDecisions(); + if (mClientAuthRememberService) { + mClientAuthRememberService->ClearRememberedDecisions(); + } return mShutdownObjectList->doPK11Logout(); } 
@@ -2115,7 +2121,8 @@ nsNSSComponent::GetClientAuthRememberService(nsClientAuthRememberService **cars) { NS_ENSURE_ARG_POINTER(cars); - *cars = &mClientAuthRememberService; + NS_IF_ADDREF(*cars = mClientAuthRememberService); + return NS_OK; } //--------------------------------------------- diff -Nru iceweasel-2.0.0.15/security/manager/ssl/src/nsNSSComponent.h iceweasel-2.0.0.16/security/manager/ssl/src/nsNSSComponent.h --- iceweasel-2.0.0.15/security/manager/ssl/src/nsNSSComponent.h 2008-06-04 20:42:04.000000000 +0000 +++ iceweasel-2.0.0.16/security/manager/ssl/src/nsNSSComponent.h 2008-06-30 22:54:11.000000000 +0000 @@ -278,7 +278,7 @@ nsSSLThread *mSSLThread; nsCertVerificationThread *mCertVerificationThread; nsNSSHttpInterface mHttpForNSS; - nsClientAuthRememberService mClientAuthRememberService; + nsRefPtr mClientAuthRememberService; }; class PSMContentListener : public nsIURIContentListener, diff -Nru iceweasel-2.0.0.15/security/manager/ssl/src/nsNSSIOLayer.cpp iceweasel-2.0.0.16/security/manager/ssl/src/nsNSSIOLayer.cpp --- iceweasel-2.0.0.15/security/manager/ssl/src/nsNSSIOLayer.cpp 2008-06-04 20:42:04.000000000 +0000 +++ iceweasel-2.0.0.16/security/manager/ssl/src/nsNSSIOLayer.cpp 2008-06-30 22:54:11.000000000 +0000 
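Review bot: `GetClientAuthRememberService` now returns `NS_OK` even when `mClientAuthRememberService` is null, which the @@ -290 hunk of this file allows when `new nsClientAuthRememberService` fails. A caller that tests only the result code would then dereference a null `*cars`. Either document on the method that `*cars` may be null on success, or fail explicitly with `NS_IF_ADDREF(*cars = mClientAuthRememberService); return *cars ? NS_OK : NS_ERROR_NOT_INITIALIZED;`. The caller changed in nsNSSIOLayer.cpp ignores the return value, and its use of `cars` lies outside that hunk, so whether it null-checks cannot be confirmed from this patch.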
@@ -2407,15 +2407,9 @@ nsresult rv; NS_DEFINE_CID(nssComponentCID, NS_NSSCOMPONENT_CID); nsCOMPtr nssComponent(do_GetService(nssComponentCID, &rv)); - // it's ok to keep our raw pointer to the nsClientAuthRememberService - // as long as we hold the reference to the nssComponent. - // Yes, this sucks, but this is branch only code, - // and I don't want to deal with new interfaces, and want to use full - // typed pointers. - // Note nsINSSComponent is NOT exposed to anywhere outside of PSM. - nsClientAuthRememberService *cars = nsnull; + nsRefPtr cars; if (nssComponent) { - nssComponent->GetClientAuthRememberService(&cars); + nssComponent->GetClientAuthRememberService(getter_AddRefs(cars)); } PRBool hasRemembered = PR_FALSE; diff -Nru iceweasel-2.0.0.15/xpfe/bootstrap/module.ver iceweasel-2.0.0.16/xpfe/bootstrap/module.ver --- iceweasel-2.0.0.15/xpfe/bootstrap/module.ver 2008-06-15 21:02:08.000000000 +0000 +++ iceweasel-2.0.0.16/xpfe/bootstrap/module.ver 2008-06-18 12:30:04.000000000 +0000 @@ -1,7 +1,7 @@ WIN32_MODULE_COMPANYNAME=mozilla.org WIN32_MODULE_COPYRIGHT=©Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable. -WIN32_MODULE_PRODUCTVERSION=1,1,10,0 -WIN32_MODULE_PRODUCTVERSION_STRING=1.1.10 +WIN32_MODULE_PRODUCTVERSION=1,1,11,0 +WIN32_MODULE_PRODUCTVERSION_STRING=1.1.11pre WIN32_MODULE_TRADEMARKS=SeaMonkey and Mozilla are trademarks of The Mozilla Foundation. WIN32_MODULE_DESCRIPTION=@MOZ_APP_DISPLAYNAME@ WIN32_MODULE_PRODUCTNAME=@MOZ_APP_DISPLAYNAME@ diff -Nru iceweasel-2.0.0.15/xpfe/bootstrap/version.txt iceweasel-2.0.0.16/xpfe/bootstrap/version.txt --- iceweasel-2.0.0.15/xpfe/bootstrap/version.txt 2008-06-15 21:02:08.000000000 +0000 +++ iceweasel-2.0.0.16/xpfe/bootstrap/version.txt 2008-06-18 12:30:04.000000000 +0000 @@ -1 +1 @@ -1.1.10 \ No newline at end of file +1.1.11pre \ No newline at end of file