Date: Saturday, March 11, 2023 @ 00:23:02
  Author: heftig
Revision: 470553

110.0.1-4: FS#77805 add patch to restore tweetdeck

Added:
  firefox/trunk/0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
Modified:
  firefox/trunk/PKGBUILD

-----------------------------------------------------------------+
 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch |  165 
++++++++++
 PKGBUILD                                                        |   13 
 2 files changed, 175 insertions(+), 3 deletions(-)

Added: 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
===================================================================
--- 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch             
                (rev 0)
+++ 0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch     
2023-03-11 00:23:02 UTC (rev 470553)
@@ -0,0 +1,165 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Dennis Jackson <[email protected]>
+Date: Thu, 9 Mar 2023 22:05:17 +0000
+Subject: [PATCH] Bug 1821359: Disable TLS Key Pinning for Twitter Domains.
+ r=keeler, a=dmeehan
+
+This patch removes Twitter domains from the list of sites we statically pin in 
Firefox
+and regenerates the associated headers. Note that the Twitter domains are still
+imported from Chrome's list of pins, but now have the test flag set, making 
them inert.
+
+Differential Revision: https://phabricator.services.mozilla.com/D172161
+---
+ security/manager/ssl/StaticHPKPins.h         | 18 ++++++++--------
+ security/manager/tools/PreloadedHPKPins.json | 22 ++------------------
+ 2 files changed, 11 insertions(+), 29 deletions(-)
+
+diff --git a/security/manager/ssl/StaticHPKPins.h 
b/security/manager/ssl/StaticHPKPins.h
+index 3adda637832a..e558393a3218 100644
+--- a/security/manager/ssl/StaticHPKPins.h
++++ b/security/manager/ssl/StaticHPKPins.h
+@@ -602,26 +602,26 @@ static const TransportSecurityPreload 
kPublicKeyPinningPreloadList[] = {
+   { "admin.google.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "android.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "api.accounts.firefox.com", true, false, true, 5, 
&kPinset_mozilla_services },
+-  { "api.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++  { "api.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
+   { "apis.google.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "appengine.google.com", true, false, false, -1, &kPinset_google_root_pems 
},
+   { "apps.facebook.com", true, false, false, -1, &kPinset_facebook },
+   { "appspot.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "at.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "au.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "aus4.mozilla.org", true, true, true, 3, &kPinset_mozilla_services },
+   { "aus5.mozilla.org", true, true, true, 7, &kPinset_mozilla_services },
+   { "az.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "be.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "bi.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "blog.torproject.org", true, false, false, -1, &kPinset_tor },
+   { "blogger.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "blogspot.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "br.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "bugs.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+   { "build.chromium.org", true, false, false, -1, &kPinset_google_root_pems },
+   { "business.facebook.com", true, false, false, -1, &kPinset_facebook },
+-  { "business.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++  { "business.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+   { "ca.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "calendar.google.com", true, false, false, -1, &kPinset_google_root_pems 
},
+   { "cd.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+@@ -661,7 +661,7 @@ static const TransportSecurityPreload 
kPublicKeyPinningPreloadList[] = {
+   { "ct.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "datastudio.google.com", true, false, false, -1, 
&kPinset_google_root_pems },
+   { "de.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+-  { "dev.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++  { "dev.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+   { "developer.android.com", true, false, false, -1, 
&kPinset_google_root_pems },
+   { "developers.facebook.com", true, false, false, -1, &kPinset_facebook },
+   { "dist.torproject.org", true, false, false, -1, &kPinset_tor },
+@@ -973,34 +973,34 @@ static const TransportSecurityPreload 
kPublicKeyPinningPreloadList[] = {
+   { "mbasic.facebook.com", true, false, false, -1, &kPinset_facebook },
+   { "meet.google.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "messenger.com", true, false, false, -1, &kPinset_facebook },
+-  { "mobile.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++  { "mobile.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+   { "mt.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "mtouch.facebook.com", true, false, false, -1, &kPinset_facebook },
+   { "mu.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "mw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "mx.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "myaccount.google.com", true, false, false, -1, &kPinset_google_root_pems 
},
+   { "myactivity.google.com", true, false, false, -1, 
&kPinset_google_root_pems },
+   { "ni.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "nl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "no.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "np.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "nz.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+-  { "oauth.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++  { "oauth.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+   { "oauthaccountmanager.googleapis.com", true, false, false, -1, 
&kPinset_google_root_pems },
+   { "pa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "passwords.google.com", true, false, false, -1, &kPinset_google_root_pems 
},
+   { "passwordsleakcheck-pa.googleapis.com", true, false, false, -1, 
&kPinset_google_root_pems },
+   { "payments.google.com", true, false, false, -1, &kPinset_google_root_pems 
},
+   { "pe.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "ph.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "pinning-test.badssl.com", true, false, false, -1, &kPinset_test },
+   { "pinningtest.appspot.com", true, false, false, -1, &kPinset_test },
+   { "pixel.facebook.com", true, false, false, -1, &kPinset_facebook },
+   { "pixel.google.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "pk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "pl.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+-  { "platform.twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++  { "platform.twitter.com", true, true, false, -1, &kPinset_twitterCDN },
+   { "play.google.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "plus.google.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "plus.sandbox.google.com", true, false, false, -1, 
&kPinset_google_root_pems },
+@@ -1043,8 +1043,8 @@ static const TransportSecurityPreload 
kPublicKeyPinningPreloadList[] = {
+   { "tunnel.googlezip.net", true, false, false, -1, &kPinset_google_root_pems 
},
+   { "tv.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "tw.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+-  { "twimg.com", true, false, false, -1, &kPinset_twitterCDN },
+-  { "twitter.com", true, false, false, -1, &kPinset_twitterCDN },
++  { "twimg.com", true, true, false, -1, &kPinset_twitterCDN },
++  { "twitter.com", false, true, false, -1, &kPinset_twitterCom },
+   { "ua.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "ua5v.com", true, false, false, -1, &kPinset_google_root_pems },
+   { "uk.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+@@ -1079,7 +1079,7 @@ static const TransportSecurityPreload 
kPublicKeyPinningPreloadList[] = {
+   { "www.googlemail.com", false, false, false, -1, &kPinset_google_root_pems 
},
+   { "www.messenger.com", true, false, false, -1, &kPinset_facebook },
+   { "www.torproject.org", true, false, false, -1, &kPinset_tor },
+-  { "www.twitter.com", true, false, false, -1, &kPinset_twitterCom },
++  { "www.twitter.com", true, true, false, -1, &kPinset_twitterCom },
+   { "xa.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+   { "xbrlsuccess.appspot.com", true, false, false, -1, 
&kPinset_google_root_pems },
+   { "xn--7xa.google.com", true, false, false, -1, &kPinset_google_root_pems },
+diff --git a/security/manager/tools/PreloadedHPKPins.json 
b/security/manager/tools/PreloadedHPKPins.json
+index 243625852686..c7c20ea6f680 100644
+--- a/security/manager/tools/PreloadedHPKPins.json
++++ b/security/manager/tools/PreloadedHPKPins.json
+@@ -44,29 +44,16 @@
+       // Dropbox
+       "dropbox.com",
+       "www.dropbox.com",
+-      // Twitter
+-      "api.twitter.com",
+-      "business.twitter.com",
+-      "dev.twitter.com",
+-      "mobile.twitter.com",
+-      "oauth.twitter.com",
+-      "platform.twitter.com",
+-      "twimg.com",
+-      "www.twitter.com",
+       // Tor
+       "torproject.org",
+       "blog.torproject.org",
+       "check.torproject.org",
+       "dist.torproject.org",
+       "www.torproject.org",
+       // SpiderOak
+       "spideroak.com"
+     ],
+-    "exclude_domains" : [
+-      // Chrome's entry for twitter.com doesn't include subdomains, so replace
+-      // it with our own entry below which also uses an expanded pinset.
+-      "twitter.com"
+-    ]
++    "exclude_domains" : []
+    },
+   "pinsets": [
+     {
+@@ -193,12 +180,7 @@
+       "include_subdomains": false, "pins": "mozilla_test",
+       "test_mode": false },
+     { "name": "test-mode.pinning.example.com", "include_subdomains": true,
+-      "pins": "mozilla_test", "test_mode": true },
+-    // Expand twitter's pinset to include all of *.twitter.com and use
+-    // twitterCDN. More specific rules take precedence because we search for
+-    // exact domain name first.
+-    { "name": "twitter.com", "include_subdomains": true,
+-      "pins": "twitterCDN", "test_mode": false }
++      "pins": "mozilla_test", "test_mode": true }
+   ],
+   // When pinning to non-root certs, like intermediates,
+   // place the PEM of the pinned certificate in this array
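Review bot: The `twitter.com` row in the last-but-one StaticHPKPins.h hunk changes more than the test flag, and nothing in the patch description says so. Every other Twitter row only flips the second boolean, but this one also flips the first from `true` to `false` and swaps `&kPinset_twitterCDN` for `&kPinset_twitterCom`. Going by the removed PreloadedHPKPins.json entry (`"include_subdomains": true, "pins": "twitterCDN"`), the first boolean is the include-subdomains field, so this is presumably the Chrome-imported entry replacing Mozilla's override; subdomains without a row of their own would then no longer match any pin entry. With the test flag set, the description calls the pins inert, so for these hosts, `api.twitter.com` and `oauth.twitter.com` included, protection against a mis-issued certificate presumably rests on ordinary chain validation alone. I would state this in the commit log, e.g. `twitter.com: now Chrome's entry (no subdomains, pinset twitterCom), test mode`, so the scope of the relaxation is visible to whoever later audits or drops the patch.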

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2023-03-11 00:12:56 UTC (rev 470552)
+++ PKGBUILD    2023-03-11 00:23:02 UTC (rev 470553)
@@ -4,7 +4,7 @@
 
 pkgname=firefox
 pkgver=110.0.1
-pkgrel=3
+pkgrel=4
 pkgdesc="Standalone web browser from mozilla.org"
 url="https://www.mozilla.org/firefox/";
 arch=(x86_64)
@@ -69,6 +69,7 @@
   0001-libwebrtc-screen-cast-sync.patch
   0002-Bug-1819374-Squashed-ffmpeg-6.0-update.patch
   0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch
+  0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
 )
 validpgpkeys=(
   '14F26682D0916CDD81E37B6D61B7B526D98F0353'  # Mozilla Software Releases 
<[email protected]>
@@ -79,7 +80,8 @@
             'a9b8b4a0a1f4a7b4af77d5fc70c2686d624038909263c795ecc81e0aec7711e9'
             '43c83101b7ad7dba6f5fffeb89b70a661a547d506a031ea2beada42ccf04eec7'
             '9347e45cfe3e915b2293f7467fd61c216ec10823e91c70e5aeb9ca08cc5fcfcf'
-            'be9ba079a931d5e881ce38430d418cc834e8c6b157af6c79ea267998caece806')
+            'be9ba079a931d5e881ce38430d418cc834e8c6b157af6c79ea267998caece806'
+            'e4193f0a31a11ec6f5e16ac8d25c866867742d2c6917f34a87d73fa35eb55c55')
 
b2sums=('ff196016e0271f7828163b8f767f3321b5ee08ef6bd0b03b134e17a1e5b62666f10ae80a14569438f6ac1c995a7a8422265eaabbc505b6a86e95a66b5db07209'
         'SKIP'
         
'e18f2c22e394ca3b6758bc130245b254947e4d15921be3da443d6d7c3c4b0d22ead1b39fbc10a4f896edd19e2a1dffbd1cbb34dc4beb0621a6ddb70ccc53b3a7'
@@ -86,7 +88,8 @@
         
'63a8dd9d8910f9efb353bed452d8b4b2a2da435857ccee083fc0c557f8c4c1339ca593b463db320f70387a1b63f1a79e709e9d12c69520993e26d85a3d742e34'
         
'2bf65874c8c1f41c9273b68d74f4fe5c81dca5acbad0b9a5f917df1d46e1b2a1fb25d42a419eb885e76f4d193483cdeb6294e14ed4b2e241c34b84565b6ffd72'
         
'086ed7d2c2d4efd441220e2d5244afd8a9a1327fed42b98f1a9e0eb05590abbf893716b3f5e01db1234eafe5386097013578dfc7c20fc8367860ce5cd9611aac'
-        
'be47c370c1b765921a6ffbb0eeaceaabc26483629b2ebd73c38f36b3ac418d1746fa021b5d444264641ff7c0c13e688a752758bd75c84e0297aceeaec0062ff2')
+        
'be47c370c1b765921a6ffbb0eeaceaabc26483629b2ebd73c38f36b3ac418d1746fa021b5d444264641ff7c0c13e688a752758bd75c84e0297aceeaec0062ff2'
+        
'219ad84cbd9fe6284e61ded5813c1ca36158067e796ae6532cacfe9aeeb7c716c0382d991df5026c3f880dd39c271c6478bc4f56d4cecb14baa05921cf4dd567')
 
 # Google API keys (see http://www.chromium.org/developers/how-tos/api-keys)
 # Note: These are for Arch Linux use ONLY. For your own distribution, please
@@ -116,6 +119,10 @@
   # https://bugzilla.mozilla.org/show_bug.cgi?id=1820416
   patch -Np1 -i 
../0003-Bug-1820416-Use-correct-FFVPX-headers-from-ffmpeg-6..patch
 
+  # https://bugs.archlinux.org/task/77805
+  # https://bugzilla.mozilla.org/show_bug.cgi?id=1821359
+  patch -Np1 -i 
../0004-Bug-1821359-Disable-TLS-Key-Pinning-for-Twitter-Doma.patch
+
   echo -n "$_google_api_key" >google-api-key
   echo -n "$_mozilla_api_key" >mozilla-api-key
 
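Review bot: The comment above the new `patch -Np1` call links the two bug reports but does not say that the patch turns off a security control, or when it should be removed. A downstream patch that disables pin enforcement is easy to carry forward unnoticed across version bumps. I would add a line such as `# Puts the preloaded Twitter HPKP entries in test mode (pins not enforced); drop once pkgver contains the upstream fix.` above the call. prepare() starts and ends outside this hunk, so whether later steps depend on the patch order cannot be seen here.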
