From 89d9eb3ce541c705fc4be6943c3f63ecf877060f Mon Sep 17 00:00:00 2001 From: Jacob Wang Date: Fri, 12 Dec 2025 09:47:35 +0800 Subject: [PATCH 1/2] [CVE]update to firefox-140.6.0-1 to #IDCIBW update to firefox-140.6.0-1 for CVE-2025-14321 CVE-2025-14322 CVE-2025-14323 CVE-2025-14324 CVE-2025-14325 Project: TC2024080204 Signed-off-by: Jacob Wang --- build-workaround-s390x.patch | 49 +++++++++++++++ download | 4 +- ...refs.js => firefox-redhat-default-prefs.js | 4 +- firefox.spec | 63 ++++++++++--------- wasi.patch | 2 +- 5 files changed, 87 insertions(+), 35 deletions(-) create mode 100644 build-workaround-s390x.patch rename firefox-anolis-default-prefs.js => firefox-redhat-default-prefs.js (93%) diff --git a/build-workaround-s390x.patch b/build-workaround-s390x.patch new file mode 100644 index 0000000..6e03f55 --- /dev/null +++ b/build-workaround-s390x.patch @@ -0,0 +1,49 @@ +From 13858b4787c24a40cdce819b963baebff186cfe0 Mon Sep 17 00:00:00 2001 +From: Paul Murphy +Date: Tue, 25 Nov 2025 08:55:25 -0600 +Subject: [PATCH] HACK: workaround s390x + +Attempt to workaround what seems to be a codegen related bug on s390x. + +This seems to avoid a crash related to Ident or Punct structures on +s390x. + +For: RHEL-118250 +--- + third_party/rust/proc-macro2/.cargo-checksum.json | 2 +- + third_party/rust/proc-macro2/src/lib.rs | 4 ++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/third_party/rust/proc-macro2/.cargo-checksum.json b/third_party/rust/proc-macro2/.cargo-checksum.json +index b0d735a3a2d6..c47ce4ac5611 100644 +--- a/third_party/rust/proc-macro2/.cargo-checksum.json ++++ b/third_party/rust/proc-macro2/.cargo-checksum.json +@@ -1 +1 @@ +-{"files":{"Cargo.toml":"41a9465146a2b62a642e29f065718649e686d3c9585736596392dd941c9b0bef","LICENSE-APACHE":"62c7a1e35f56406896d7aa7ca52d0cc0d272ac022b5d2796e7d6905db8a3636a","LICENSE-MIT":"23f18e03dc49df91622fe2a76176497404e46ced8a715d9d2b67a7446571cca3","README.md":"c609b6865476d6c35879784e9155367a97a0da496aa5c3c61488440a20f59883","build.rs":"cf78c0005f11d54ca42dbaee77cb76a440e6fa2e0b64798d3f74c04770a0ad2b","build/probe.rs":"971fd2178dc506ccdc5c2065c37b77696a4aee8e00330ca52625db4a857f68d3","rust-toolchain.toml":"6bbb61302978c736b2da03e4fb40e3beab908f85d533ab46fd541e637b5f3e0f","src/detection.rs":"ed9a5f9a979ab01247d7a68eeb1afa3c13209334c5bfff0f9289cb07e5bb4e8b","src/extra.rs":"29f094473279a29b71c3cc9f5fa27c2e2c30c670390cf7e4b7cf451486cc857e","src/fallback.rs":"be1ce5e32c88c29d41d2ab663375951817d52decce3dc9e335ec22378be8fa65","src/lib.rs":"97ca48f50ad15fbcef42b31fb4fbfb8e4a1c5f946d776aa44fd04b37d7c64b32","src/location.rs":"9225c5a55f03b56cce42bc55ceb509e8216a5e0b24c94aa1cd071b04e3d6c15f","src/marker.rs":"c11c5a1be8bdf18be3fcd224393f350a9aae7ce282e19ce583c84910c6903a8f","src/parse.rs":"4b77cddbc2752bc4d38a65acd8b96b6786c5220d19b1e1b37810257b5d24132d","src/rcvec.rs":"1c3c48c4f819927cc445ae15ca3bb06775feff2fd1cb21901ae4c40c7e6b4e82","src/wrapper.rs":"e41df9abc846b40f0cf01150d22b91944d07cde93bc72aa34798101652675844","tests/comments.rs":"31115b3a56c83d93eef2fb4c9566bf4543e302560732986161b98aef504785ed","tests/features.rs":"a86deb8644992a4eb64d9fd493eff16f9cf9c5cb6ade3a634ce0c990cf87d559","tests/marker.rs":"473e962ee1aa0633dd5cf9a973b3bbd0ef43b740d4b7f6d008ff455a6b89d386","tests/test.rs":"2e7106f582367d168638be7364d4e9aadbe0affca8b51dd80f0b3977cc2fcf83","tests/test_fmt.rs":"b7743b612af65f2c88cbe109d50a093db7aa7e87f9e37bf45b7bbaeb240aa020","tests/test_size.rs":"62d8373ea46b669b87bc90a9c49b6d02f90ff4c21f9a25acebf60c9926e01fb7"},"package":"5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"} +\ No newline at end of file ++{"files":{},"package":"5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"} +diff --git a/third_party/rust/proc-macro2/src/lib.rs b/third_party/rust/proc-macro2/src/lib.rs +index 1430306bb31d..81f8c15a67e4 100644 +--- a/third_party/rust/proc-macro2/src/lib.rs ++++ b/third_party/rust/proc-macro2/src/lib.rs +@@ -806,6 +806,8 @@ impl Debug for Group { + /// `Punct` with different forms of `Spacing` returned. + #[derive(Clone)] + pub struct Punct { ++ #[cfg(target_arch = "s390x")] ++ foo: u64, + ch: char, + spacing: Spacing, + span: Span, +@@ -834,6 +836,8 @@ impl Punct { + /// which can be further configured with the `set_span` method below. + pub fn new(ch: char, spacing: Spacing) -> Self { + Punct { ++ #[cfg(target_arch = "s390x")] ++ foo: 0xabcd, + ch, + spacing, + span: Span::call_site(), +-- +2.51.1 + diff --git a/download b/download index 7f9b525..5ebd32c 100644 --- a/download +++ b/download @@ -1,6 +1,6 @@ bbd51396c9f1f79afb128af28627b207 cbindgen-vendor.tar.xz -926b80b785731cf19cbf0f8a8a6247b6 firefox-140.5.0esr.processed-source.tar.xz -892675243c19e46bfa66bf76a72384c7 firefox-langpacks-140.5.0esr-20251107.tar.xz +beb5de684e75ea24f7d4baf834b1e597 firefox-140.6.0esr.processed-source.tar.xz +c8aade52b232f80aad7d400ce0a56966 firefox-langpacks-140.6.0esr-20251202.tar.xz b3c1d2ea615cb0195f4f62b005773262 mochitest-python.tar.gz 2d901c7a62fc68bbd8816e8c4c6276c1 wasi-sdk-20.tar.gz eac5020733316a7fb17c9da54eeabf69 nspr-4.36.0-2.el8_2.src.rpm diff --git a/firefox-anolis-default-prefs.js b/firefox-redhat-default-prefs.js similarity index 93% rename from firefox-anolis-default-prefs.js rename to firefox-redhat-default-prefs.js index ad8dbea..4263a3d 100644 --- a/firefox-anolis-default-prefs.js +++ b/firefox-redhat-default-prefs.js @@ -14,8 +14,8 @@ pref("browser.shell.checkDefaultBrowser", false); pref("network.manage-offline-status", true); pref("extensions.shownSelectionUI", true); pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "https://openanolis.cn/"); -pref("startup.homepage_welcome_url", "https://openanolis.cn/"); +pref("startup.homepage_override_url", "%HOMEPAGE%"); +pref("startup.homepage_welcome_url", "%HOMEPAGE%"); pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); pref("media.gmp-gmpopenh264.autoupdate",true); pref("media.gmp-gmpopenh264.enabled",false); diff --git a/firefox.spec b/firefox.spec index bf2231a..ff508bc 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,4 +1,3 @@ -%define anolis_release .0.1 %define homepage %(grep '^HOME_URL\s*=' /etc/os-release | sed 's/^HOME_URL\s*=//;s/^\s*"//;s/"\s*$//') %global disable_toolsets 0 @@ -35,17 +34,17 @@ %{lua: function dist_to_rhel_minor(str, start) - match = string.match(str, ".module%+an8.%d+") + match = string.match(str, ".module%+el8.%d+") if match then return string.sub(match, 13) end - match = string.match(str, ".an8_%d+") + match = string.match(str, ".el8_%d+") if match then return string.sub(match, 6) end - match = string.match(str, ".an8") + match = string.match(str, ".el8") if match then - return 8 + return 10 end match = string.match(str, ".module%+el9.%d+") if match then @@ -144,11 +143,11 @@ end} %if 0%{?rhel} > 7 && 0%{?rhel} < 10 %global use_gcc_ts 1 - %if (0%{?rhel} == 9 && %{rhel_minor_version} >= 6) || (0%{?rhel} == 8 && %{rhel_minor_version} >= 10) + %if 0%{?rhel} == 9 && %{rhel_minor_version} >= 6 # clang depends on gcc-toolset-14-gcc-c++ - %global gts_version 13 + %global gts_version 14 %else - %global gts_version 13 + %global gts_version 14 %endif %endif @@ -192,13 +191,11 @@ end} Summary: Mozilla Firefox Web browser Name: firefox -Version: 140.5.0 -Release: 1%{anolis_release}%{?dist} +Version: 140.6.0 +Release: 1%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ -ExcludeArch: loongarch64 - %if 0%{?rhel} >= 9 ExcludeArch: %{ix86} %endif @@ -225,12 +222,12 @@ ExcludeArch: aarch64 s390 ppc # Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz %if %{with langpacks} -Source1: firefox-langpacks-%{version}%{?pre_version}-20251107.tar.xz +Source1: firefox-langpacks-%{version}%{?pre_version}-20251202.tar.xz %endif Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball Source10: firefox-mozconfig -Source12: firefox-anolis-default-prefs.js +Source12: firefox-redhat-default-prefs.js Source20: firefox.desktop Source21: firefox.sh.in Source23: firefox.1 @@ -273,6 +270,7 @@ Patch10: build-disable-gamepad.patch Patch11: rhbz-71999-fips-youtube.patch Patch13: firefox-fix-build-with-system-pipewire.patch Patch14: build-system-nss.patch +Patch15: build-workaround-s390x.patch # -- Upstreamed patches -- Patch51: mozilla-bmo1170092.patch @@ -466,10 +464,10 @@ BuildRequires: mesa-libgbm-devel BuildRequires: pipewire-devel %endif -#%if !0%{?flatpak} +%if !0%{?flatpak} #TODO -#BuildRequires: system-bookmarks -#%endif +BuildRequires: system-bookmarks +%endif %if 0%{?test_on_wayland} BuildRequires: dbus-x11 @@ -524,10 +522,8 @@ BuildRequires: gcc-toolset-%{gts_version}-runtime BuildRequires: gcc-toolset-%{gts_version}-binutils BuildRequires: gcc-toolset-%{gts_version}-gcc BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin -# Do not explicitly require gcc-toolset-%%{gts_version}-gcc-c++ instead fail +# Do not explicitly require gcc-toolset-%{gts_version}-gcc-g++ instead fail # when clang is upgraded to depend on a later toolset and adjust version. -# ERROR: The target C compiler is version 13.3.1, while the target C++ compiler is version 8.5.0. Need to use the same compiler version. -BuildRequires: gcc-toolset-%{gts_version}-gcc-c++ %endif Requires: mozilla-filesystem @@ -1332,6 +1328,10 @@ echo "--------------------------------------------" %patch -P14 -p1 -b .system-nss %endif +%ifarch s390x +%patch -P15 -p1 -b .s390x_workaround +%endif + # We need to create the wasi.patch with the correct path to the wasm libclang_rt. %if %{with_wasi_sdk} export LIBCLANG_RT=`pwd`/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a; cat %{SOURCE38} | envsubst > %{_sourcedir}/wasi.patch @@ -1690,7 +1690,8 @@ MOZ_LINK_FLAGS="-Wl,--no-keep-memory -Wl,--reduce-memory-overheads" # __global_ldflags that normally sets this. MOZ_LINK_FLAGS="$MOZ_LINK_FLAGS -L%{_libdir}" %endif -%ifarch %{ix86} %{s390x} + +%ifarch %{ix86} s390x export RUSTFLAGS="-Cdebuginfo=0" echo 'export RUSTFLAGS="-Cdebuginfo=0"' >> .mozconfig %endif @@ -1760,8 +1761,11 @@ cp %{SOURCE36} . export PATH=%{_buildrootdir}/%{bundled_install_path}/bin:$PATH echo $PKG_CONFIG_PATH %endif - -./mach build -v 2>&1 || exit 1 +%ifarch s390x + setarch s390x -R ./mach build -v 2>&1 || exit 1 +%else + ./mach build -v 2>&1 || exit 1 +%endif #--------------------------------------------------------------------- %install @@ -1834,10 +1838,10 @@ EOF %endif # set up our default bookmarks -#%if !0%{?flatpak} - #%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html - #%{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html -#%endif +%if !0%{?flatpak} + %global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html + %{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html +%endif # Make sure locale works for langpacks %{__cat} > objdir/dist/bin/browser/defaults/preferences/firefox-l10n.js << EOF @@ -2132,9 +2136,8 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog -* Mon Dec 01 2025 Liwei Ge - 140.5.0-1.0.1 -- Add firefox-anolis-default-prefs.js -- Remove bookmarks and loongarch64 +* Tue Dec 2 2025 Jan Horak - 140.6.0-1 +- Update to 140.6.0 ESR * Fri Nov 7 2025 Jan Horak - 140.5.0-1 - Update to 140.5.0 ESR diff --git a/wasi.patch b/wasi.patch index a52dc1d..9d9fd75 100644 --- a/wasi.patch +++ b/wasi.patch @@ -6,7 +6,7 @@ diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz. if wasi_sysroot: log.info("Using wasi sysroot in %s", wasi_sysroot) - return ["--sysroot=%s" % wasi_sysroot] -+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.5.0-build/firefox-140.5.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"] ++ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/centpackages/NEW_ERA/firefox-2/firefox-140.6.0-build/firefox-140.6.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"] return [] set_config("WASI_SYSROOT", wasi_sysroot) -- Gitee From be6db1db0facccb989e6889a65b8c7826196c6c2 Mon Sep 17 00:00:00 2001 From: Zhao Hang Date: Thu, 16 Dec 2021 06:12:47 +0000 Subject: [PATCH 2/2] rebrand: add firefox-anolis-default-prefs.js --- ...refs.js => firefox-anolis-default-prefs.js | 4 +- firefox.spec | 39 ++++++++++++------- 2 files changed, 26 insertions(+), 17 deletions(-) rename firefox-redhat-default-prefs.js => firefox-anolis-default-prefs.js (93%) diff --git a/firefox-redhat-default-prefs.js b/firefox-anolis-default-prefs.js similarity index 93% rename from firefox-redhat-default-prefs.js rename to firefox-anolis-default-prefs.js index 4263a3d..ad8dbea 100644 --- a/firefox-redhat-default-prefs.js +++ b/firefox-anolis-default-prefs.js @@ -14,8 +14,8 @@ pref("browser.shell.checkDefaultBrowser", false); pref("network.manage-offline-status", true); pref("extensions.shownSelectionUI", true); pref("ui.SpellCheckerUnderlineStyle", 1); -pref("startup.homepage_override_url", "%HOMEPAGE%"); -pref("startup.homepage_welcome_url", "%HOMEPAGE%"); +pref("startup.homepage_override_url", "https://openanolis.cn/"); +pref("startup.homepage_welcome_url", "https://openanolis.cn/"); pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///%PREFIX%/share/doc/HTML/index.html"); pref("media.gmp-gmpopenh264.autoupdate",true); pref("media.gmp-gmpopenh264.enabled",false); diff --git a/firefox.spec b/firefox.spec index ff508bc..8ff1f80 100644 --- a/firefox.spec +++ b/firefox.spec @@ -1,3 +1,4 @@ +%define anolis_release .0.1 %define homepage %(grep '^HOME_URL\s*=' /etc/os-release | sed 's/^HOME_URL\s*=//;s/^\s*"//;s/"\s*$//') %global disable_toolsets 0 @@ -34,17 +35,17 @@ %{lua: function dist_to_rhel_minor(str, start) - match = string.match(str, ".module%+el8.%d+") + match = string.match(str, ".module%+an8.%d+") if match then return string.sub(match, 13) end - match = string.match(str, ".el8_%d+") + match = string.match(str, ".an8_%d+") if match then return string.sub(match, 6) end - match = string.match(str, ".el8") + match = string.match(str, ".an8") if match then - return 10 + return 8 end match = string.match(str, ".module%+el9.%d+") if match then @@ -145,9 +146,9 @@ end} %global use_gcc_ts 1 %if 0%{?rhel} == 9 && %{rhel_minor_version} >= 6 # clang depends on gcc-toolset-14-gcc-c++ - %global gts_version 14 + %global gts_version 13 %else - %global gts_version 14 + %global gts_version 13 %endif %endif @@ -192,10 +193,12 @@ end} Summary: Mozilla Firefox Web browser Name: firefox Version: 140.6.0 -Release: 1%{?dist} +Release: 1%{anolis_release}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ +ExcludeArch: loongarch64 + %if 0%{?rhel} >= 9 ExcludeArch: %{ix86} %endif @@ -227,7 +230,7 @@ Source1: firefox-langpacks-%{version}%{?pre_version}-20251202.tar.xz Source2: cbindgen-vendor.tar.xz Source3: process-official-tarball Source10: firefox-mozconfig -Source12: firefox-redhat-default-prefs.js +Source12: firefox-anolis-default-prefs.js Source20: firefox.desktop Source21: firefox.sh.in Source23: firefox.1 @@ -464,10 +467,10 @@ BuildRequires: mesa-libgbm-devel BuildRequires: pipewire-devel %endif -%if !0%{?flatpak} +#%if !0%{?flatpak} #TODO -BuildRequires: system-bookmarks -%endif +#BuildRequires: system-bookmarks +#%endif %if 0%{?test_on_wayland} BuildRequires: dbus-x11 @@ -524,6 +527,8 @@ BuildRequires: gcc-toolset-%{gts_version}-gcc BuildRequires: gcc-toolset-%{gts_version}-gcc-plugin-annobin # Do not explicitly require gcc-toolset-%{gts_version}-gcc-g++ instead fail # when clang is upgraded to depend on a later toolset and adjust version. +# ERROR: The target C compiler is version 13.3.1, while the target C++ compiler is version 8.5.0. Need to use the same compiler version. +BuildRequires: gcc-toolset-%{gts_version}-gcc-c++ %endif Requires: mozilla-filesystem @@ -1838,10 +1843,10 @@ EOF %endif # set up our default bookmarks -%if !0%{?flatpak} - %global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html - %{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html -%endif +#%if !0%{?flatpak} + #%global default_bookmarks_file /usr/share/bookmarks/default-bookmarks.html + #%{__cp} -p %{default_bookmarks_file} objdir/dist/bin/browser/chrome/browser/content/browser/default-bookmarks.html +#%endif # Make sure locale works for langpacks %{__cat} > objdir/dist/bin/browser/defaults/preferences/firefox-l10n.js << EOF @@ -2136,6 +2141,10 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Fri Dec 12 2025 Liwei Ge - 140.6.0-1.0.1 +- Add firefox-anolis-default-prefs.js +- Remove bookmarks and loongarch64 + * Tue Dec 2 2025 Jan Horak - 140.6.0-1 - Update to 140.6.0 ESR -- Gitee