Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package mozjs140 for openSUSE:Factory checked in at 2026-04-28 14:29:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/mozjs140 (Old) and /work/SRC/openSUSE:Factory/.mozjs140.new.11940 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mozjs140" Tue Apr 28 14:29:41 2026 rev:11 rq:1349527 version:140.10.0 Changes: -------- --- /work/SRC/openSUSE:Factory/mozjs140/mozjs140.changes 2026-02-26 18:51:34.296823536 +0100 +++ /work/SRC/openSUSE:Factory/.mozjs140.new.11940/mozjs140.changes 2026-04-28 14:30:15.782221170 +0200 
@@ -1,0 +2,16 @@ +Sat Apr 25 13:19:48 UTC 2026 - Michael Gorse <[email protected]> + +- Add security fixes: + + mozjs140-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + + mozjs140-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + + mozjs140-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) + +------------------------------------------------------------------- +Wed Apr 22 16:43:15 UTC 2026 - Bjørn Lie <[email protected]> + +- Update to version 140.10.0: + + Security Vulnerabilities fixed in Firefox ESR 140.10 + + See https://www.firefox.com/en-US/firefox/140.10.0/releasenotes/ + + See https://www.firefox.com/en-US/firefox/140.9.0/releasenotes/ + +------------------------------------------------------------------- Old: ---- firefox-140.8.0esr.source.tar.xz firefox-140.8.0esr.source.tar.xz.asc New: ---- _scmsync.obsinfo build.specials.obscpio firefox-140.10.0esr.source.tar.xz firefox-140.10.0esr.source.tar.xz.asc mozjs140-CVE-2026-32776.patch mozjs140-CVE-2026-32777.patch mozjs140-CVE-2026-32778.patch ----------(New B)---------- New:- Add security fixes: + mozjs140-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + mozjs140-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) New: + mozjs140-CVE-2026-32776.patch (bsc#1259728 CVE-2026-32776) + mozjs140-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + mozjs140-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) New: + mozjs140-CVE-2026-32777.patch (bsc#1259713 CVE-2026-32777) + mozjs140-CVE-2026-32778.patch (bsc#1259731 CVE-2026-32778) ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozjs140.spec ++++++ --- /var/tmp/diff_new_pack.H7kML6/_old 2026-04-28 14:30:33.934958575 +0200 +++ /var/tmp/diff_new_pack.H7kML6/_new 2026-04-28 14:30:33.938958736 +0200 
@@ -41,7 +41,7 @@ %global big_endian 1 %endif Name: mozjs%{major} -Version: 140.8.0 +Version: 140.10.0 Release: 1%{?dist} Summary: SpiderMonkey JavaScript library License: MPL-2.0 @@ -77,6 +77,12 @@ Patch18: spidermonkey_style_check_disable_s390x.patch # PATCH-FIX-OPENSUSE Patch20: Fix-i586-float-math.patch +# PATCH-FIX-UPSTREAM mozjs140-CVE-2026-32776.patch bsc#1259728 [email protected] -- libexpat: NULL pointer dereference when processing empty external parameter entities inside an entity declaration value +Patch21: mozjs140-CVE-2026-32776.patch +# PATCH-FIX-UPSTREAM mozjs140-CVE-2026-32777.patch bsc#1259713 [email protected] -- libexpat: denial of service due to infinite loop in DTD content parsing +Patch22: mozjs140-CVE-2026-32777.patch +# PATCH-FIX-UPSTREAM mozjs140-CVE-2026-32778.patch bsc#1259731 [email protected] -- libexpat: NULL pointer dereference in `setContext` on retry after an out-of-memory condition +Patch23: mozjs140-CVE-2026-32778.patch BuildRequires: cargo BuildRequires: ccache BuildRequires: clang @@ -160,6 +166,9 @@ %patch -P 18 -p1 %endif %patch -P 20 -p1 +%patch -P 21 -p1 +%patch -P 22 -p1 +%patch -P 23 -p1 %if %{pkg_vcmp libicu-devel >= 76.1} sed -i 's/icu-i18n/icu-uc &/' js/moz.configure ++++++ _scmsync.obsinfo ++++++ mtime: 1777196873 commit: fa096beb870fd405ca816a389511e419d1d45e8cf6d03108d66c551ed0cc41aa url: https://src.opensuse.org/GNOME/mozjs140 revision: fa096beb870fd405ca816a389511e419d1d45e8cf6d03108d66c551ed0cc41aa projectscmsync: https://src.opensuse.org/GNOME/_ObsPrj ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-04-26 11:47:53.000000000 +0200 
@@ -0,0 +1,4 @@ +*.obscpio +*.osc +_build.* +.pbuild ++++++ firefox-140.8.0esr.source.tar.xz -> firefox-140.10.0esr.source.tar.xz ++++++ /work/SRC/openSUSE:Factory/mozjs140/firefox-140.8.0esr.source.tar.xz /work/SRC/openSUSE:Factory/.mozjs140.new.11940/firefox-140.10.0esr.source.tar.xz differ: char 15, line 1 ++++++ mozjs140-CVE-2026-32776.patch ++++++ >From 5be25657583ea91b09025c858b4785834c20f59c Mon Sep 17 00:00:00 2001 From: Francesco Bertolaccini <[email protected]> Date: Tue, 3 Mar 2026 16:41:43 +0100 Subject: [PATCH] Fix NULL function-pointer dereference for empty external parameter entities When an external parameter entity with empty text is referenced inside an entity declaration value, the sub-parser created to handle it receives 0 bytes of input. Processing enters entityValueInitProcessor which calls storeEntityValue() with the parser's encoding; since no bytes were ever processed, encoding detection has not yet occurred and the encoding is still the initial probing encoding set up by XmlInitEncoding(). That encoding only populates scanners[] (for prolog and content), not literalScanners[]. XmlEntityValueTok() calls through literalScanners[XML_ENTITY_VALUE_LITERAL] which is NULL, causing a SEGV. Skip the tokenization loop entirely when entityTextPtr >= entityTextEnd, and initialize the `next` pointer before the early exit so that callers (callStoreEntityValue) receive a valid value through nextPtr. --- expat/lib/xmlparse.c | 9 ++++++++- expat/tests/basic_tests.c | 19 +++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) diff -urp firefox-140.10.0.orig/parser/expat/expat/lib/xmlparse.c firefox-140.10.0/parser/expat/expat/lib/xmlparse.c --- firefox-140.10.0.orig/parser/expat/expat/lib/xmlparse.c 2026-04-14 20:59:56.000000000 -0500 +++ firefox-140.10.0/parser/expat/expat/lib/xmlparse.c 2026-04-25 08:13:47.152594606 -0500 
@@ -7093,7 +7093,14 @@ storeEntityValue(XML_Parser parser, cons return XML_ERROR_NO_MEMORY; } - const char *next; + const char *next = entityTextPtr; + + /* Nothing to tokenize. */ + if (entityTextPtr >= entityTextEnd) { + result = XML_ERROR_NONE; + goto endEntityValue; + } + for (;;) { next = entityTextPtr; /* XmlEntityValueTok doesn't always set the last arg */ ++++++ mozjs140-CVE-2026-32777.patch ++++++ >From 55cda8c7125986e17d7e1825cba413bd94a35d02 Mon Sep 17 00:00:00 2001 From: Sebastian Pipping <[email protected]> Date: Sun, 1 Mar 2026 20:16:13 +0100 Subject: [PATCH 1/2] lib: Reject XML_TOK_INSTANCE_START infinite loop in entityValueProcessor .. that OSS-Fuzz/ClusterFuzz uncovered --- expat/lib/xmlparse.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff -urp firefox-140.10.0.orig/parser/expat/expat/lib/xmlparse.c firefox-140.10.0/parser/expat/expat/lib/xmlparse.c --- firefox-140.10.0.orig/parser/expat/expat/lib/xmlparse.c 2026-04-25 08:15:32.003800977 -0500 +++ firefox-140.10.0/parser/expat/expat/lib/xmlparse.c 2026-04-25 08:16:11.540255867 -0500 @@ -5378,7 +5378,7 @@ entityValueInitProcessor(XML_Parser pars } /* If we get this token, we have the start of what might be a normal tag, but not a declaration (i.e. it doesn't begin with - "<!"). In a DTD context, that isn't legal. + "<!" or "<?"). In a DTD context, that isn't legal. */ else if (tok == XML_TOK_INSTANCE_START) { *nextPtr = next; @@ -5467,6 +5467,15 @@ entityValueProcessor(XML_Parser parser, /* found end of entity value - can store it now */ return storeEntityValue(parser, enc, s, end, XML_ACCOUNT_DIRECT, NULL); } + /* If we get this token, we have the start of what might be a + normal tag, but not a declaration (i.e. it doesn't begin with + "<!" or "<?"). In a DTD context, that isn't legal. + */ + else if (tok == XML_TOK_INSTANCE_START) { + *nextPtr = next; + return XML_ERROR_SYNTAX; + } + start = next; } } ++++++ mozjs140-CVE-2026-32778.patch ++++++ 
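Review bot: In the storeEntityValue hunk of mozjs140-CVE-2026-32776.patch, the new guard's comment `/* Nothing to tokenize. */` does not record why tokenizing empty input is unsafe, so a later cleanup could remove the guard as redundant. I would expand it to something like `/* Empty input: enc may still be the initial probing encoding, whose literalScanners[] is unset, so XmlEntityValueTok must not be called. */`, which is what the commit message describes. The patch header lists expat/tests/basic_tests.c with 19 added lines, but only the xmlparse.c section is carried here, so the regression test for the empty external parameter entity case is not part of this package. The endEntityValue label is outside the hunk, so I could not confirm from here that it stores `next` through nextPtr on this early exit.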
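Review bot: In the second hunk of mozjs140-CVE-2026-32777.patch (entityValueProcessor), the new `XML_TOK_INSTANCE_START` branch copies the comment from entityValueInitProcessor word for word and says nothing about the loop it is there to break. A short addition such as `/* The tokenizer presumably leaves next == start for this token, so falling through to start = next would never make progress. */` would tie the branch to the infinite loop named in the commit subject; the wording needs confirming against the tokenizer, which is not visible here. The subject is marked PATCH 1/2 and the diffstat lists xmlparse.c only, so if the second part of the series carries a test for this input, it is not included in the package. The loop header of entityValueProcessor is outside the hunk.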
>From 576b61e42feeea704253cb7c7bedb2eeb3754387 Mon Sep 17 00:00:00 2001 From: laserbear <[email protected]> Date: Sun, 8 Mar 2026 17:28:06 -0700 Subject: [PATCH 1/2] copy prefix name to pool before lookup .. so that we cannot end up with a zombie PREFIX in the pool that has NULL for a name. Co-authored-by: Sebastian Pipping <[email protected]> --- expat/lib/xmlparse.c | 43 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 35 insertions(+), 8 deletions(-) diff -urp firefox-140.10.0.orig/parser/expat/expat/lib/xmlparse.c firefox-140.10.0/parser/expat/expat/lib/xmlparse.c --- firefox-140.10.0.orig/parser/expat/expat/lib/xmlparse.c 2026-04-25 08:17:30.407163262 -0500 +++ firefox-140.10.0/parser/expat/expat/lib/xmlparse.c 2026-04-25 08:19:09.064298358 -0500 @@ -625,6 +625,8 @@ static XML_Char *poolStoreString(STRING_ static XML_Bool FASTCALL poolGrow(STRING_POOL *pool); static const XML_Char *FASTCALL poolCopyString(STRING_POOL *pool, const XML_Char *s); +static const XML_Char *FASTCALL poolCopyStringNoFinish(STRING_POOL *pool, + const XML_Char *s); static const XML_Char *poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n); static const XML_Char *FASTCALL poolAppendString(STRING_POOL *pool, 
@@ -7759,16 +7761,24 @@ setContext(XML_Parser parser, const XML_ else { if (! poolAppendChar(&parser->m_tempPool, XML_T('\0'))) return XML_FALSE; - prefix - = (PREFIX *)lookup(parser, &dtd->prefixes, - poolStart(&parser->m_tempPool), sizeof(PREFIX)); - if (! prefix) + const XML_Char *const prefixName = poolCopyStringNoFinish( + &dtd->pool, poolStart(&parser->m_tempPool)); + if (! prefixName) { return XML_FALSE; - if (prefix->name == poolStart(&parser->m_tempPool)) { - prefix->name = poolCopyString(&dtd->pool, prefix->name); - if (! prefix->name) - return XML_FALSE; } + + prefix = (PREFIX *)lookup(parser, &dtd->prefixes, prefixName, + sizeof(PREFIX)); + + const bool prefixNameUsed = prefix && prefix->name == prefixName; + if (prefixNameUsed) + poolFinish(&dtd->pool); + else + poolDiscard(&dtd->pool); + + if (! prefix) + return XML_FALSE; + poolDiscard(&parser->m_tempPool); } for (context = s + 1; *context != CONTEXT_SEP && *context != XML_T('\0'); @@ -8364,6 +8374,23 @@ poolCopyString(STRING_POOL *pool, const return s; } +// A version of `poolCopyString` that does not call `poolFinish` +// and reverts any partial advancement upon failure. +static const XML_Char *FASTCALL +poolCopyStringNoFinish(STRING_POOL *pool, const XML_Char *s) { + const XML_Char *const original = s; + do { + if (! poolAppendChar(pool, *s)) { + // Revert any previously successful advancement + const ptrdiff_t advancedBy = s - original; + if (advancedBy > 0) + pool->ptr -= advancedBy; + return NULL; + } + } while (*s++); + return pool->start; +} + static const XML_Char * poolCopyStringN(STRING_POOL *pool, const XML_Char *s, int n) { if (! pool->ptr && ! poolGrow(pool)) {
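Review bot: In the setContext hunk, both new failure exits (`if (! prefixName) { return XML_FALSE;` and the later `if (! prefix) return XML_FALSE;`) return before `poolDiscard(&parser->m_tempPool);`, so the prefix characters accumulated in m_tempPool stay there after an allocation failure. The removed code had the same shape, but the spec file describes this CVE as a dereference on retry after an out-of-memory condition, so it is worth checking whether a retried call can start with stale characters in m_tempPool. The callers and the start of setContext are outside the hunk, so I cannot tell from here. If it can, adding `poolDiscard(&parser->m_tempPool);` ahead of each `return XML_FALSE;` in this branch would leave the pool clean. Separately, the hunk declares `const bool prefixNameUsed` while the surrounding code uses `XML_Bool` and `XML_FALSE`; `bool` depends on <stdbool.h>, and the file's include list is not visible here.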
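Review bot: In the poolCopyStringNoFinish hunk, the function returns `pool->start`, which is the copied string only if the pool had no unfinished data when it was called, and the header comment does not state that precondition or the caller's obligation afterwards. I would extend the comment to say that the pool must have no string in progress on entry, that on success the caller must follow up with `poolFinish` or `poolDiscard` (as setContext does), and that on failure `pool->ptr` is moved back by the number of characters already appended and NULL is returned. The two comments in this hunk use `//` while the other comments visible in these patches use `/* */`.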
