Package: release.debian.org Control: affects -1 + src:mozjs102 X-Debbugs-Cc: mozjs...@packages.debian.org User: release.debian....@packages.debian.org Usertags: unblock
Please unblock package mozjs102 [ Reason ] The new mozjs102 stable point release includes a security fix, CVE-2023-25751 [ Impact ] mozjs102 is only used by gjs which in turn is used by GNOME Shell and several GNOME apps written in JavaScript. [ Tests ] The build tests have passed successfully and the gjs autopkgtests triggered by this upload have passed too. (mozjs102 itself does not have autopkgtests yet). I also completed the manual test cases from https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs on Debian Testing. [ Risks ] [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] mozjs102 is the SpiderMonkey JavaScript engine from the current Firefox ESR stable branch. There are monthly releases until August. https://wiki.mozilla.org/Release_Management/Calendar I am unaware of anyone using Firefox vulnerabilities to attack GNOME Shell, but I think it's good to be prudent and apply available security updates. I don't think the Debian Security Team has done security uploads for mozjs*, in part because Mozilla's lifecycle is so short that it's difficult for an upstream supported mozjs to be in a Debian stable release. For more info about the commits, see the Github mirror: https://github.com/mozilla/gecko-dev/commits/esr102/js unblock mozjs102/102.9.0-1 Thank you, Jeremy Bicha
diff -Nru mozjs102-102.8.0/config/milestone.txt mozjs102-102.9.0/config/milestone.txt
--- mozjs102-102.8.0/config/milestone.txt 2023-02-15 10:26:31.000000000 +0000
+++ mozjs102-102.9.0/config/milestone.txt 2023-03-13 14:54:55.000000000 +0000
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
-102.8.0
+102.9.0
diff -Nru mozjs102-102.8.0/debian/changelog mozjs102-102.9.0/debian/changelog
--- mozjs102-102.8.0/debian/changelog 2023-02-15 13:57:21.000000000 +0000
+++ mozjs102-102.9.0/debian/changelog 2023-03-13 15:03:53.000000000 +0000
@@ -1,3 +1,15 @@
+mozjs102 (102.9.0-1) unstable; urgency=high
+
+ [ Jeremy Bicha ]
+ * New upstream release
+ - CVE-2023-25751: Incorrect code generation during JIT compilation
+
+ [ John Paul Adrian Glaubitz ]
+ * Disable large-arraybuffers/base.js on all big-endian targets
+ (Closes: #1020700)
+
+ -- Jeremy Bicha <jbi...@ubuntu.com> Mon, 13 Mar 2023 11:03:53 -0400
+
 mozjs102 (102.8.0-1) unstable; urgency=medium
 * New upstream release
diff -Nru mozjs102-102.8.0/debian/rules mozjs102-102.9.0/debian/rules
--- mozjs102-102.8.0/debian/rules 2023-02-15 13:57:21.000000000 +0000
+++ mozjs102-102.9.0/debian/rules 2023-03-13 15:03:53.000000000 +0000
@@ -75,7 +75,7 @@
 endif
 # See: https://bugzilla.mozilla.org/show_bug.cgi?id=1755540
-ifneq (,$(findstring $(DEB_BUILD_ARCH),s390x))
+ifneq (,$(findstring $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x))
 EXCLUDED_TESTS += large-arraybuffers/basic.js
 endif
diff -Nru mozjs102-102.8.0/js/src/devtools/automation/autospider.py mozjs102-102.9.0/js/src/devtools/automation/autospider.py
--- mozjs102-102.8.0/js/src/devtools/automation/autospider.py 2023-02-15 10:26:31.000000000 +0000
+++ mozjs102-102.9.0/js/src/devtools/automation/autospider.py 2023-03-13 14:54:55.000000000 +0000
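Review bot: The arch list on the new `ifneq` line of debian/rules names four ports, while the changelog entry in this same diff says the test is disabled on all big-endian targets (and calls it `base.js`, where the rule excludes `large-arraybuffers/basic.js`). `findstring` is also a substring match against the list text, so any arch name contained in one of those words would match too; `filter` compares whole words: `ifneq (,$(filter $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x))`. If the intent really is every big-endian build, keying on endianness removes the list to maintain, e.g. `ifeq ($(DEB_BUILD_ARCH_ENDIAN),big)`, assuming the rules file already pulls in dpkg's architecture variables, which this hunk does not show.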
@@ -8,15 +8,12 @@
 import json
 import logging
 import multiprocessing
-import re
 import os
 import platform
-import posixpath
 import shlex
 import shutil
 import subprocess
 import sys
-
 from collections import Counter, namedtuple
 from logging import info
 from os import environ as env
@@ -52,9 +49,6 @@
 # paths. So for direct subprocess.* invocation, use normal paths from
 # DIR, but when running under the shell, use POSIX style paths.
 DIR = directories(os.path, os.getcwd())
-PDIR = directories(
- posixpath, os.environ["PWD"], fixup=lambda s: re.sub(r"^(\w):", r"/\1", s)
-)
 AUTOMATION = env.get("AUTOMATION", False)
@@ -95,8 +89,8 @@
 "--objdir",
 type=str,
 metavar="DIR",
- # The real default must be set later so that OBJDIR and POBJDIR can be
- # platform-dependent strings.
+ # The real default must be set later so that OBJDIR can be
+ # relative to the srcdir.
 default=env.get("OBJDIR"),
 help="object directory",
 )
@@ -185,8 +179,6 @@
 OBJDIR = args.objdir or os.path.join(DIR.source, "obj-spider")
 OBJDIR = os.path.abspath(OBJDIR)
 OUTDIR = os.path.join(OBJDIR, "out")
-POBJDIR = args.objdir or posixpath.join(PDIR.source, "obj-spider")
-POBJDIR = posixpath.abspath(POBJDIR)
 MAKE = env.get("MAKE", "make")
 PYTHON = sys.executable
@@ -466,7 +458,7 @@
 env["MOZCONFIG"] = mozconfig
-mach = posixpath.join(PDIR.source, "mach")
+mach = os.path.join(DIR.source, "mach")
 if not args.nobuild: # Do the build
diff -Nru mozjs102-102.8.0/js/src/jit/CacheIR.cpp mozjs102-102.9.0/js/src/jit/CacheIR.cpp
--- mozjs102-102.8.0/js/src/jit/CacheIR.cpp 2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/CacheIR.cpp 2023-03-13 14:54:55.000000000 +0000
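Review bot: The comment kept as context in the second autospider.py hunk (-52,9) still says to "use POSIX style paths" when running under the shell, but this change deletes `PDIR` and `POBJDIR` and builds `mach` with `os.path.join(DIR.source, "mach")`, so nothing in the visible code follows that advice any more. The comment block starts above the hunk, so its full wording is not visible here. It should be cut down to describe `DIR` only, for example `# All paths are native os.path paths taken from DIR.`, so the next reader does not go looking for a POSIX-path variant that no longer exists.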
@@ -969,6 +969,10 @@
 return false;
 }
+ if (obj->is<NativeObject>() && obj->as<NativeObject>().numFixedSlots() == 0) {
+ return false;
+ }
+
 // Tell the analysis the |DOMInstanceClassHasProtoAtDepth| hook can't GC.
 JS::AutoSuppressGCAnalysis nogc;
diff -Nru mozjs102-102.8.0/js/src/jit/CodeGenerator.cpp mozjs102-102.9.0/js/src/jit/CodeGenerator.cpp
--- mozjs102-102.8.0/js/src/jit/CodeGenerator.cpp 2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/CodeGenerator.cpp 2023-03-13 14:54:55.000000000 +0000
@@ -357,6 +357,7 @@
 // when returning from the call. Failures are handled with exceptions based
 // on the return value of the C functions. To guard the outcome of the
 // returned value, use another LIR instruction.
+ ensureOsiSpace();
 uint32_t callOffset = masm.callJit(code);
 markSafepointAt(callOffset, ins);
@@ -5120,6 +5121,7 @@
 native = jitInfo->ignoresReturnValueMethod;
 }
 }
+ ensureOsiSpace();
 masm.callWithABI(DynamicFunction<JSNative>(native), MoveOp::GENERAL, CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -5281,6 +5283,7 @@
 masm.passABIArg(argObj);
 masm.passABIArg(argPrivate);
 masm.passABIArg(argArgs);
+ ensureOsiSpace();
 masm.callWithABI(DynamicFunction<JSJitMethodOp>(target->jitInfo()->method), MoveOp::GENERAL, CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -5436,6 +5439,7 @@
 // Finally call the function in objreg.
 masm.bind(&makeCall);
+ ensureOsiSpace();
 uint32_t callOffset = masm.callJit(objreg);
 markSafepointAt(callOffset, call);
@@ -5522,6 +5526,7 @@
 masm.Push(Imm32(descriptor));
 // Finally call the function in objreg.
+ ensureOsiSpace();
 uint32_t callOffset = masm.callJit(objreg);
 markSafepointAt(callOffset, call);
@@ -6058,6 +6063,7 @@
 // Finally call the function in objreg, as assigned by one of the paths
 // above.
+ ensureOsiSpace();
 uint32_t callOffset = masm.callJit(objreg);
 markSafepointAt(callOffset, apply);
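Review bot: The new early return in CacheIR.cpp (`numFixedSlots() == 0`) carries no comment, so a reader cannot tell which later assumption it protects or when it would be safe to relax. The enclosing function starts and ends outside the hunk; given the DOM-class context line just below, it looks as if the code attached after this check expects the object's DOM slot to be a fixed slot, but that is an inference from this excerpt. A short comment above the check would record the reason, e.g. `// The generated code reads the DOM private from a fixed slot; refuse objects that have none.`, with the wording confirmed against whatever consumes this result.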
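Review bot: Each call site patched in CodeGenerator.cpp (the six hunks from -357 to -6058 here, and the three further ones at -14822, -14942 and -17063) gains a bare `ensureOsiSpace();` with no comment, so the rule that a call must be padded before it is emitted is carried only by convention. A call site added later without it would still compile, and judging by the assertion kept in CodeGenerator-shared.cpp it could then sit closer than `Assembler::PatchWrite_NearCallSize()` to the previous OSI point, which appears to be the miscompilation the changelog records as CVE-2023-25751. I would put one line above each added call, `// Keep this call PatchWrite_NearCallSize() bytes clear of the last OSI point.`, and state the same requirement once on the declaration of `ensureOsiSpace`. All of the enclosing functions start and end outside their hunks.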
@@ -14822,6 +14828,7 @@
 masm.passABIArg(ObjectReg);
 masm.passABIArg(PrivateReg);
 masm.passABIArg(ValueReg);
+ ensureOsiSpace();
 masm.callWithABI(DynamicFunction<JSJitGetterOp>(ins->mir()->fun()), MoveOp::GENERAL, CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -14942,6 +14949,7 @@
 masm.passABIArg(ObjectReg);
 masm.passABIArg(PrivateReg);
 masm.passABIArg(ValueReg);
+ ensureOsiSpace();
 masm.callWithABI(DynamicFunction<JSJitSetterOp>(ins->mir()->fun()), MoveOp::GENERAL, CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -17063,6 +17071,7 @@
 Register scratch = ToRegister(lir->temp());
 uint32_t callOffset;
+ ensureOsiSpace();
 GenerateDirectCallFromJit(masm, funcExport, instObj->instance(), stackArgs, scratch, &callOffset);
diff -Nru mozjs102-102.8.0/js/src/jit/shared/CodeGenerator-shared.cpp mozjs102-102.9.0/js/src/jit/shared/CodeGenerator-shared.cpp
--- mozjs102-102.8.0/js/src/jit/shared/CodeGenerator-shared.cpp 2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/shared/CodeGenerator-shared.cpp 2023-03-13 14:54:55.000000000 +0000
@@ -858,7 +858,6 @@
 }
 MOZ_ASSERT_IF(!masm.oom(), masm.currentOffset() - lastOsiPointOffset_ >= Assembler::PatchWrite_NearCallSize());
- lastOsiPointOffset_ = masm.currentOffset();
 }
 uint32_t CodeGeneratorShared::markOsiPoint(LOsiPoint* ins) {
@@ -868,6 +867,7 @@
 uint32_t offset = masm.currentOffset();
 SnapshotOffset so = ins->snapshot()->snapshotOffset();
 masm.propagateOOM(osiIndices_.append(OsiIndex(offset, so)));
+ lastOsiPointOffset_ = offset;
 return offset;
 }
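Review bot: Across the two CodeGenerator-shared.cpp hunks the only visible write to `lastOsiPointOffset_` moves from the function that ends in hunk -858 into `markOsiPoint`, yet neither function gets a comment describing the changed contract. The function in hunk -858, which the `MOZ_ASSERT_IF` on `Assembler::PatchWrite_NearCallSize()` suggests is `ensureOsiSpace`, starts outside the hunk, so the padding logic above the assertion is not visible here. If the assertion is compiled out of release builds, as is usual for this macro, that padding is the only protection there. I would add above the new assignment `// Record where this OSI point starts; ensureOsiSpace() keeps later calls PatchWrite_NearCallSize() past it.`, and note on `ensureOsiSpace` that it no longer moves the reference offset, which is what makes the repeated calls added in CodeGenerator.cpp safe.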