diff --git a/.firefox.metadata b/.firefox.metadata index 4beb894..890456c 100644 --- a/.firefox.metadata +++ b/.firefox.metadata @@ -1,6 +1,6 @@ 511960dd78451a06c9df76509635aeec05b2051a SOURCES/Python-2.7.8.tgz 467bdb846d67c01aed9e521fe0ef280065a50c3c SOURCES/devtoolset-2-binutils-2.23.52.0.1-10.el5.src.rpm 894159e3100a3a90f893ac85a6b650c6b813c4c6 SOURCES/firefox-52.2.0esr.source.tar.xz -253c930cc2c81174c9e7304ebf8b0db3f2063dec SOURCES/firefox-langpacks-52.2.0esr-20170608.tar.xz +7c0d2017daefbdadf2b7b0ad01ab37f667d77fcc SOURCES/firefox-langpacks-52.2.0esr-20170613.tar.xz e5ba84786af5d0e0e23b1a9112c76821ef23306c SOURCES/gcc48-4.8.2-16.el5.src.rpm 77fd30f7ebc12a629a31c1e252cec06af55a71fe SOURCES/yasm-1.2.0-3.el5.src.rpm diff --git a/.gitignore b/.gitignore index 5b01c20..8c084f3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ SOURCES/Python-2.7.8.tgz SOURCES/devtoolset-2-binutils-2.23.52.0.1-10.el5.src.rpm SOURCES/firefox-52.2.0esr.source.tar.xz -SOURCES/firefox-langpacks-52.2.0esr-20170608.tar.xz +SOURCES/firefox-langpacks-52.2.0esr-20170613.tar.xz SOURCES/gcc48-4.8.2-16.el5.src.rpm SOURCES/yasm-1.2.0-3.el5.src.rpm diff --git a/SOURCES/firefox-centos-default-prefs.js b/SOURCES/firefox-centos-default-prefs.js deleted file mode 100644 index fd3108f..0000000 --- a/SOURCES/firefox-centos-default-prefs.js +++ /dev/null @@ -1,27 +0,0 @@ -pref("app.update.auto", false); -pref("app.update.enabled", false); -pref("app.update.autoInstallEnabled", false); -pref("browser.backspace_action", 2); -pref("browser.display.use_system_colors", true); -pref("browser.download.folderList", 1); -pref("browser.link.open_external", 3); -pref("browser.shell.checkDefaultBrowser", false); -pref("general.smoothScroll", true); -pref("general.useragent.vendor", "CentOS"); -pref("general.useragent.vendorSub", "FIREFOX_RPM_VR"); -pref("intl.locale.matchOS", true); -pref("storage.nfs_filesystem", false); -pref("dom.ipc.plugins.enabled.nswrapper*", false); -pref("network.manage-offline-status", true); -pref("toolkit.networkmanager.disable", false); -pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///usr/share/doc/HTML/index.html"); -pref("toolkit.storage.synchronous", 0); -pref("startup.homepage_override_url", "http://www.centos.org"); -pref("startup.homepage_welcome_url", "http://www.centos.org"); -pref("extensions.shownSelectionUI", true); -/* Workaround for rhbz#1110291 */ -pref("network.negotiate-auth.allow-insecure-ntlm-v1", true); -/* Workaround for mozbz#1063315 */ -pref("security.use_mozillapkix_verification", false); -pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); -pref("browser.tabs.remote.autostart", false); diff --git a/SOURCES/firefox-redhat-default-prefs.js b/SOURCES/firefox-redhat-default-prefs.js new file mode 100644 index 0000000..02113f4 --- /dev/null +++ b/SOURCES/firefox-redhat-default-prefs.js @@ -0,0 +1,27 @@ +pref("app.update.auto", false); +pref("app.update.enabled", false); +pref("app.update.autoInstallEnabled", false); +pref("browser.backspace_action", 2); +pref("browser.display.use_system_colors", true); +pref("browser.download.folderList", 1); +pref("browser.link.open_external", 3); +pref("browser.shell.checkDefaultBrowser", false); +pref("general.smoothScroll", true); +pref("general.useragent.vendor", "Red Hat"); +pref("general.useragent.vendorSub", "FIREFOX_RPM_VR"); +pref("intl.locale.matchOS", true); +pref("storage.nfs_filesystem", false); +pref("dom.ipc.plugins.enabled.nswrapper*", false); +pref("network.manage-offline-status", true); +pref("toolkit.networkmanager.disable", false); +pref("browser.startup.homepage", "data:text/plain,browser.startup.homepage=file:///usr/share/doc/HTML/index.html"); +pref("toolkit.storage.synchronous", 0); +pref("startup.homepage_override_url", "http://www.redhat.com"); +pref("startup.homepage_welcome_url", "http://www.redhat.com"); +pref("extensions.shownSelectionUI", true); +/* Workaround for rhbz#1110291 */ +pref("network.negotiate-auth.allow-insecure-ntlm-v1", true); +/* Workaround for mozbz#1063315 */ +pref("security.use_mozillapkix_verification", false); +pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); +pref("browser.tabs.remote.autostart", false); diff --git a/SOURCES/mozilla-1005640-accept-lang.patch b/SOURCES/mozilla-1005640-accept-lang.patch new file mode 100644 index 0000000..29d3833 --- /dev/null +++ b/SOURCES/mozilla-1005640-accept-lang.patch @@ -0,0 +1,30 @@ +diff -up firefox-51.0/toolkit/mozapps/extensions/internal/XPIProvider.jsm.1005640-accept-lang firefox-51.0/toolkit/mozapps/extensions/internal/XPIProvider.jsm +--- firefox-51.0/toolkit/mozapps/extensions/internal/XPIProvider.jsm.1005640-accept-lang 2017-01-16 17:16:52.000000000 +0100 ++++ firefox-51.0/toolkit/mozapps/extensions/internal/XPIProvider.jsm 2017-01-18 12:35:29.380394216 +0100 +@@ -2852,6 +2852,11 @@ this.XPIProvider = { + this.addAddonsToCrashReporter(); + } + ++ // Save locale settings to compare it later to check whenever some addon ++ // changed it. ++ var previousLocale = Cc["@mozilla.org/chrome/chrome-registry;1"] ++ .getService(Ci.nsIXULChromeRegistry).getSelectedLocale("global"); ++ + try { + AddonManagerPrivate.recordTimestamp("XPI_bootstrap_addons_begin"); + +@@ -2880,6 +2885,14 @@ this.XPIProvider = { + AddonManagerPrivate.recordException("XPI-BOOTSTRAP", "startup failed", e); + } + ++ var currentLocale = Cc["@mozilla.org/chrome/chrome-registry;1"] ++ .getService(Ci.nsIXULChromeRegistry).getSelectedLocale("global"); ++ if (currentLocale != previousLocale) { ++ // We have to flush string cache if the locale was changed during loading ++ // of addons ++ Services.obs.notifyObservers(null, "chrome-flush-caches", null); ++ } ++ + // Let these shutdown a little earlier when they still have access to most + // of XPCOM + Services.obs.addObserver({ diff --git a/SOURCES/mozilla-1324096.patch b/SOURCES/mozilla-1324096.patch new file mode 100644 index 0000000..4a2691e --- /dev/null +++ b/SOURCES/mozilla-1324096.patch @@ -0,0 +1,72 @@ +diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp +--- a/security/certverifier/CertVerifier.cpp ++++ b/security/certverifier/CertVerifier.cpp +@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC + } + CERTCertificate* root = rootNode->cert; + if (!root) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; + } + return IsCertBuiltInRoot(root, result); + } + ++// The term "builtin root" traditionally refers to a root CA certificate that ++// has been added to the NSS trust store, because it has been approved ++// for inclusion according to the Mozilla CA policy, and might be accepted ++// by Mozilla applications as an issuer for certificates seen on the public web. + Result + IsCertBuiltInRoot(CERTCertificate* cert, bool& result) + { + result = false; + #ifdef DEBUG + nsCOMPtr component(do_GetService(PSM_COMPONENT_CONTRACTID)); + if (!component) { + return Result::FATAL_ERROR_LIBRARY_FAILURE; +@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert, + return Success; + } + #endif // DEBUG + AutoSECMODListReadLock lock; + for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list; + list = list->next) { + for (int i = 0; i < list->module->slotCount; i++) { + PK11SlotInfo* slot = list->module->slots[i]; +- // PK11_HasRootCerts should return true if and only if the given slot has +- // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which +- // should be true only of the builtin root list. +- // If we can find a copy of the given certificate on the slot with the +- // builtin root list, that certificate must be a builtin. +- if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) && +- PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) { +- result = true; +- return Success; ++ // We're searching for the "builtin root module", which is a module that ++ // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST. ++ // We use PK11_HasRootCerts() to identify a module with that property. ++ // In the past, we exclusively used the PKCS#11 module named nssckbi, ++ // which is provided by the NSS library. ++ // Nowadays, some distributions use a replacement module, which contains ++ // the builtin roots, but which also contains additional CA certificates, ++ // such as CAs trusted in a local deployment. ++ // We want to be able to distinguish between these two categories, ++ // because a CA, which may issue certificates for the public web, ++ // is expected to comply with additional requirements. ++ // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true, ++ // then we treat it as a "builtin root". ++ if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) { ++ CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr); ++ if (handle != CK_INVALID_HANDLE && ++ PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY, ++ false)) { ++ // Attribute was found, and is set to true ++ result = true; ++ break; ++ } + } + } + } + return Success; + } + + static Result + BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER, diff --git a/SOURCES/rhbz-1414535.patch b/SOURCES/rhbz-1414535.patch deleted file mode 100644 index f9cc7c2..0000000 --- a/SOURCES/rhbz-1414535.patch +++ /dev/null @@ -1,37 +0,0 @@ -diff -up ./CertVerifier.cpp.ignoreBuiltinStatus ./CertVerifier.cpp ---- ./security/certverifier/CertVerifier.cpp.ignoreBuiltinStatus 2016-10-31 21:15:28.000000000 +0100 -+++ ./security/certverifier/CertVerifier.cpp 2016-12-16 21:35:32.155105623 +0100 -@@ -65,6 +65,9 @@ InitCertVerifierLog() - Result - IsCertChainRootBuiltInRoot(const UniqueCERTCertList& chain, bool& result) - { -+ result = false; -+ return Success; -+#if 0 - if (!chain || CERT_LIST_EMPTY(chain)) { - return Result::FATAL_ERROR_LIBRARY_FAILURE; - } -@@ -77,12 +80,15 @@ IsCertChainRootBuiltInRoot(const UniqueC - return Result::FATAL_ERROR_LIBRARY_FAILURE; - } - return IsCertBuiltInRoot(root, result); -+#endif - } - - Result - IsCertBuiltInRoot(CERTCertificate* cert, bool& result) - { - result = false; -+ return Success; -+#if 0 - #ifdef DEBUG - nsCOMPtr component(do_GetService(PSM_COMPONENT_CONTRACTID)); - if (!component) { -@@ -114,6 +120,7 @@ IsCertBuiltInRoot(CERTCertificate* cert, - } - } - return Success; -+#endif - } - - static Result diff --git a/SOURCES/rhbz-1451055.patch b/SOURCES/rhbz-1451055.patch deleted file mode 100644 index b07036f..0000000 --- a/SOURCES/rhbz-1451055.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up firefox-52.1.1esr/layout/style/nsCSSPseudoElements.h.old firefox-52.1.1esr/layout/style/nsCSSPseudoElements.h ---- firefox-52.1.1esr/layout/style/nsCSSPseudoElements.h.old 2017-05-17 11:40:23.609432532 +0200 -+++ firefox-52.1.1esr/layout/style/nsCSSPseudoElements.h 2017-05-17 12:11:01.635624205 +0200 -@@ -109,7 +109,7 @@ private: - - // Work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64037 , - // which is a general gcc bug that we seem to have hit only on Android/x86. --#if defined(ANDROID) && defined(__i386__) && defined(__GNUC__) && \ -+#if defined(__i386__) && defined(__GNUC__) && \ - !defined(__clang__) - #if (MOZ_GCC_VERSION_AT_LEAST(4,8,0) && MOZ_GCC_VERSION_AT_MOST(4,8,4)) || \ - (MOZ_GCC_VERSION_AT_LEAST(4,9,0) && MOZ_GCC_VERSION_AT_MOST(4,9,2)) diff --git a/SPECS/firefox.spec b/SPECS/firefox.spec index e6bba55..a72f21c 100644 --- a/SPECS/firefox.spec +++ b/SPECS/firefox.spec @@ -77,7 +77,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 52.2.0 -Release: 1%{?dist} +Release: 2%{?dist} URL: http://www.mozilla.org/projects/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Group: Applications/Internet @@ -88,10 +88,10 @@ Group: Applications/Internet # From ftp://archive.mozilla.org/pub/firefox/releases/%{version}%{?ext_version}/source Source0: firefox-%{version}%{?ext_version}.source.tar.xz %if %{build_langpacks} -Source1: firefox-langpacks-%{version}%{?ext_version}-20170608.tar.xz +Source1: firefox-langpacks-%{version}%{?ext_version}-20170613.tar.xz %endif Source10: firefox-mozconfig -Source12: firefox-centos-default-prefs.js +Source12: firefox-redhat-default-prefs.js Source20: firefox.desktop Source600: firefox.sh.in.rhel6 Source700: firefox.sh.in.rhel7 @@ -108,12 +108,13 @@ Patch0: firefox-install-dir.patch Patch5: xulrunner-24.0-jemalloc-ppc.patch Patch6: webrtc-arch-cpu.patch Patch8: firefox-ppc64le.patch -Patch9: build-s390-missing-include.patch +#ALREADY Patch19: mozilla-1319374-skia-endian.patch Patch20: build-s390-atomic.patch Patch21: build-icu-big-endian.patch Patch22: build-missing-getrandom.patch Patch23: build-nss-version.patch Patch24: build-nss-prbool.patch +Patch25: build-s390-missing-include.patch # RHEL patches Patch101: firefox-default.patch @@ -124,17 +125,20 @@ Patch106: firefox-enable-plugins.patch Patch110: mozilla-1170092-etc-conf.patch Patch111: rhbz-1173156.patch Patch112: mozilla-256180.patch -Patch113: rhbz-1414535.patch Patch114: rhbz-1423012.patch +Patch116: mozilla-1005640-accept-lang.patch # Upstream patches +# Skia support for big endian platforms, since patch got review- I think we can delete that: +#Patch201: mozilla-1005535.patch # Kaie's patch, we'll most likely need this one Patch202: mozilla-1152515.patch +Patch203: mozilla-1324096.patch # RHEL7 patches # RHEL6 patches -Patch300: rhbz-1451055.patch +# HOPEFULY fixed Patch401: build-el6-harfbuzz-old-glib.patch # --------------------------------------------------- BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -202,6 +206,7 @@ BuildRequires: system-bookmarks Requires: mozilla-filesystem Requires: liberation-fonts-common Requires: liberation-sans-fonts +BuildRequires: dbus-glib-devel >= 0.60 %endif # RHEL6 requires @@ -361,11 +366,12 @@ cd %{tarballdir} %patch5 -p1 -b .jemalloc-ppc.patch %patch6 -p1 -b .webrtc-arch-cpu %patch8 -p2 -b .ppc64le -%patch9 -p1 -b .s390-missing-include +#ALREADY %patch19 -p1 -b .skia-endian %patch20 -p1 -b .s390-atomic %patch22 -p1 -b .missing-getrandom %patch23 -p1 -b .nss-version %patch24 -p1 -b .nss-prbool +%patch25 -p1 -b .s390-missing-include # RPM specific patches %patch101 -p1 -b .default @@ -375,19 +381,21 @@ cd %{tarballdir} %patch110 -p1 -b .moz-1170092-etc-conf %patch111 -p2 -b .rhbz-1173156 %patch112 -p1 -b .mozbz-256180 -%patch113 -p1 -b .rhbz-1414535 %patch114 -p1 -b .rhbz-1423012 +%patch116 -p1 -b .mozbz-1005640-accept-lang # Upstream patches +#%patch201 -p1 -b .mozbz-1005535 see Patch201 comment %patch202 -p1 -b .mozbz-1152515 +%patch203 -p1 -b .mozbz-1324096 # RHEL7 only patches %if %{?rhel} == 7 %endif -%if %{?rhel} == 6 -%patch300 -p1 -b .rhbz-1451055 -%endif +#%if %{?rhel} == 6 +#HOPEFULY FIXED %patch401 -p1 -b .harfbuzz-old-glib +#%endif # Patch for big endian platforms only %if 0%{?big_endian} @@ -877,23 +885,18 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog -* Wed Jun 14 2017 Johnny Hughes - 52.2.0-1 -- Manual Debranding after Auto Debranding failed. - -* Thu Jun 8 2017 Jan Horak - 52.2.0-1 +* Tue Jun 13 2017 Jan Horak - 52.2.0-1 - Update to 52.2.0 ESR -* Wed May 17 2017 Martin Stransky - 52.1.1-2 -- Added fix for rhbz#1451055 - -* Fri May 5 2017 Jan Horak - 52.1.1-1 -- Update to 52.1.1 ESR +* Wed May 24 2017 Jan Horak - 52.1.2-1 +- Update to 52.1.2 ESR -* Wed Apr 19 2017 Martin Stransky - 52.1.0-2 -- Update to 52.1.0 ESR (Build3) +* Wed May 24 2017 Jan Horak - 52.0-7 +- Added fix for accept language (rhbz#1454322) -* Tue Apr 11 2017 Jan Horak - 52.1.0-1 -- Update to 52.1.0 ESR +* Wed Mar 22 2017 Jan Horak - 52.0-6 +- Removing patch required for older NSS from RHEL 7.3 +- Added patch for rhbz#1414564 * Fri Mar 17 2017 Martin Stransky - 52.0-5 - Added fix for mozbz#1348168/CVE-2017-5428