Bug#1033019: unblock: mozjs102/102.9.0-1
Package: release.debian.org
Control: affects -1 + src:mozjs102
X-Debbugs-Cc: mozjs102@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package mozjs102
[ Reason ]
The new mozjs102 stable point release includes a security fix, CVE-2023-25751
[ Impact ]
mozjs102 is only used by gjs which in turn is used by GNOME Shell and
several GNOME apps written in JavaScript.
[ Tests ]
The build tests have passed successfully and the gjs autopkgtests
triggered by this upload have passed too. (mozjs102 itself
does not have autopkgtests yet).
I also completed the manual test cases from
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
on Debian Testing.
[ Risks ]
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
[ Other info ]
mozjs102 is the SpiderMonkey JavaScript engine from the current
Firefox ESR stable branch. There are monthly releases until August.
https://wiki.mozilla.org/Release_Management/Calendar
I am unaware of anyone using Firefox vulnerabilities to attack GNOME
Shell, but I think it's good to be prudent and apply available
security updates. I don't think the Debian Security Team has done
security uploads for mozjs*, in part because Mozilla's lifecycle is so
short that it's difficult for an upstream supported mozjs to be in a
Debian stable release.
For more info about the commits, see the GitHub mirror:
https://github.com/mozilla/gecko-dev/commits/esr102/js
unblock mozjs102/102.9.0-1
Thank you,
Jeremy Bicha
diff -Nru mozjs102-102.8.0/config/milestone.txt mozjs102-102.9.0/config/milestone.txt
--- mozjs102-102.8.0/config/milestone.txt 2023-02-15 10:26:31.000000000 +0000
+++ mozjs102-102.9.0/config/milestone.txt 2023-03-13 14:54:55.000000000 +0000
@@ -10,4 +10,4 @@
# hardcoded milestones in the tree from these two files.
#--------------------------------------------------------
-102.8.0
+102.9.0
diff -Nru mozjs102-102.8.0/debian/changelog mozjs102-102.9.0/debian/changelog
--- mozjs102-102.8.0/debian/changelog 2023-02-15 13:57:21.000000000 +0000
+++ mozjs102-102.9.0/debian/changelog 2023-03-13 15:03:53.000000000 +0000
@@ -1,3 +1,15 @@
+mozjs102 (102.9.0-1) unstable; urgency=high
+
+ [ Jeremy Bicha ]
+ * New upstream release
+ - CVE-2023-25751: Incorrect code generation during JIT compilation
+
+ [ John Paul Adrian Glaubitz ]
+ * Disable large-arraybuffers/base.js on all big-endian targets
+ (Closes: #1020700)
+
+ -- Jeremy Bicha <jbicha@ubuntu.com> Mon, 13 Mar 2023 11:03:53 -0400
+
mozjs102 (102.8.0-1) unstable; urgency=medium
* New upstream release
diff -Nru mozjs102-102.8.0/debian/rules mozjs102-102.9.0/debian/rules
--- mozjs102-102.8.0/debian/rules 2023-02-15 13:57:21.000000000 +0000
+++ mozjs102-102.9.0/debian/rules 2023-03-13 15:03:53.000000000 +0000
@@ -75,7 +75,7 @@
endif
# See: https://bugzilla.mozilla.org/show_bug.cgi?id=1755540
-ifneq (,$(findstring $(DEB_BUILD_ARCH),s390x))
+ifneq (,$(findstring $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x))
EXCLUDED_TESTS += large-arraybuffers/basic.js
endif
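Review bot: `$(findstring $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x)` is a substring search, so an architecture name that happens to be a substring of the list would also match; `$(filter $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x)` matches whole words only. The changelog entry in this upload says the test is disabled on all big-endian targets and names `large-arraybuffers/base.js`, while this rule lists four architectures and excludes `large-arraybuffers/basic.js`; one of the two should be corrected. If the intent really is every big-endian port, `ifeq ($(DEB_HOST_ARCH_ENDIAN),big)` would express it without a list, assuming the dpkg architecture variables are available in this rules file.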
diff -Nru mozjs102-102.8.0/js/src/devtools/automation/autospider.py mozjs102-102.9.0/js/src/devtools/automation/autospider.py
--- mozjs102-102.8.0/js/src/devtools/automation/autospider.py 2023-02-15 10:26:31.000000000 +0000
+++ mozjs102-102.9.0/js/src/devtools/automation/autospider.py 2023-03-13 14:54:55.000000000 +0000
@@ -8,15 +8,12 @@
import json
import logging
import multiprocessing
-import re
import os
import platform
-import posixpath
import shlex
import shutil
import subprocess
import sys
-
from collections import Counter, namedtuple
from logging import info
from os import environ as env
@@ -52,9 +49,6 @@
# paths. So for direct subprocess.* invocation, use normal paths from
# DIR, but when running under the shell, use POSIX style paths.
DIR = directories(os.path, os.getcwd())
-PDIR = directories(
- posixpath, os.environ["PWD"], fixup=lambda s: re.sub(r"^(\w):", r"/\1", s)
-)
AUTOMATION = env.get("AUTOMATION", False)
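Review bot: The comment kept above `DIR = directories(os.path, os.getcwd())` still says to use POSIX style paths when running under the shell, but this hunk removes `PDIR`, the only POSIX-style directory set visible here, so the comment now describes a convention the script no longer has. I would reword it to something like `# All paths come from DIR and use the native os.path form.` or drop that sentence. The later hunks that remove `POBJDIR` and switch `mach` to `os.path.join(DIR.source, "mach")` are consistent with the removal. Whether any remaining shell invocation still needs a POSIX path is not visible in this diff.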
@@ -95,8 +89,8 @@
"--objdir",
type=str,
metavar="DIR",
- # The real default must be set later so that OBJDIR and POBJDIR can be
- # platform-dependent strings.
+ # The real default must be set later so that OBJDIR can be
+ # relative to the srcdir.
default=env.get("OBJDIR"),
help="object directory",
)
@@ -185,8 +179,6 @@
OBJDIR = args.objdir or os.path.join(DIR.source, "obj-spider")
OBJDIR = os.path.abspath(OBJDIR)
OUTDIR = os.path.join(OBJDIR, "out")
-POBJDIR = args.objdir or posixpath.join(PDIR.source, "obj-spider")
-POBJDIR = posixpath.abspath(POBJDIR)
MAKE = env.get("MAKE", "make")
PYTHON = sys.executable
@@ -466,7 +458,7 @@
env["MOZCONFIG"] = mozconfig
-mach = posixpath.join(PDIR.source, "mach")
+mach = os.path.join(DIR.source, "mach")
if not args.nobuild:
# Do the build
diff -Nru mozjs102-102.8.0/js/src/jit/CacheIR.cpp mozjs102-102.9.0/js/src/jit/CacheIR.cpp
--- mozjs102-102.8.0/js/src/jit/CacheIR.cpp 2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/CacheIR.cpp 2023-03-13 14:54:55.000000000 +0000
@@ -969,6 +969,10 @@
return false;
}
+ if (obj->is<NativeObject>() && obj->as<NativeObject>().numFixedSlots() == 0) {
+ return false;
+ }
+
// Tell the analysis the |DOMInstanceClassHasProtoAtDepth| hook can't GC.
JS::AutoSuppressGCAnalysis nogc;
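Review bot: The new `numFixedSlots() == 0` guard has no comment, and the reason a native object without fixed slots must be rejected cannot be read from the hunk. Presumably the code attached after this check reads a value from a fixed slot of `obj`, so an object with none would be read past its slots. That should be confirmed and stated at the check, for example `// The attached stub reads obj's first fixed slot; refuse objects that have none.` The enclosing function starts and ends outside the hunk, so its name and the later use of `obj` are not visible here.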
diff -Nru mozjs102-102.8.0/js/src/jit/CodeGenerator.cpp mozjs102-102.9.0/js/src/jit/CodeGenerator.cpp
--- mozjs102-102.8.0/js/src/jit/CodeGenerator.cpp 2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/CodeGenerator.cpp 2023-03-13 14:54:55.000000000 +0000
@@ -357,6 +357,7 @@
// when returning from the call. Failures are handled with exceptions based
// on the return value of the C functions. To guard the outcome of the
// returned value, use another LIR instruction.
+ ensureOsiSpace();
uint32_t callOffset = masm.callJit(code);
markSafepointAt(callOffset, ins);
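Review bot: The padding requirement is now an unwritten contract at every call site: this `ensureOsiSpace();` and the eight other insertions in this file (before `masm.callJit`, `masm.callWithABI` and `GenerateDirectCallFromJit`) carry no comment, and nothing visible in the diff forces a future call-emitting path to pad as well. Going by the assertion in `CodeGeneratorShared::ensureOsiSpace()`, the call keeps at least `Assembler::PatchWrite_NearCallSize()` bytes between the previous OSI point and the call being emitted. A one-line comment at each site would record that, e.g. `// Keep PatchWrite_NearCallSize() bytes between the last OSI point and this call.` A helper that pads and then emits the call would make the pairing harder to omit than nine hand-placed calls. The enclosing functions start and end outside these hunks.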
@@ -5120,6 +5121,7 @@
native = jitInfo->ignoresReturnValueMethod;
}
}
+ ensureOsiSpace();
masm.callWithABI(DynamicFunction<JSNative>(native), MoveOp::GENERAL,
CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -5281,6 +5283,7 @@
masm.passABIArg(argObj);
masm.passABIArg(argPrivate);
masm.passABIArg(argArgs);
+ ensureOsiSpace();
masm.callWithABI(DynamicFunction<JSJitMethodOp>(target->jitInfo()->method),
MoveOp::GENERAL,
CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -5436,6 +5439,7 @@
// Finally call the function in objreg.
masm.bind(&makeCall);
+ ensureOsiSpace();
uint32_t callOffset = masm.callJit(objreg);
markSafepointAt(callOffset, call);
@@ -5522,6 +5526,7 @@
masm.Push(Imm32(descriptor));
// Finally call the function in objreg.
+ ensureOsiSpace();
uint32_t callOffset = masm.callJit(objreg);
markSafepointAt(callOffset, call);
@@ -6058,6 +6063,7 @@
// Finally call the function in objreg, as assigned by one of the paths
// above.
+ ensureOsiSpace();
uint32_t callOffset = masm.callJit(objreg);
markSafepointAt(callOffset, apply);
@@ -14822,6 +14828,7 @@
masm.passABIArg(ObjectReg);
masm.passABIArg(PrivateReg);
masm.passABIArg(ValueReg);
+ ensureOsiSpace();
masm.callWithABI(DynamicFunction<JSJitGetterOp>(ins->mir()->fun()),
MoveOp::GENERAL,
CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -14942,6 +14949,7 @@
masm.passABIArg(ObjectReg);
masm.passABIArg(PrivateReg);
masm.passABIArg(ValueReg);
+ ensureOsiSpace();
masm.callWithABI(DynamicFunction<JSJitSetterOp>(ins->mir()->fun()),
MoveOp::GENERAL,
CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -17063,6 +17071,7 @@
Register scratch = ToRegister(lir->temp());
uint32_t callOffset;
+ ensureOsiSpace();
GenerateDirectCallFromJit(masm, funcExport, instObj->instance(), stackArgs,
scratch, &callOffset);
diff -Nru mozjs102-102.8.0/js/src/jit/shared/CodeGenerator-shared.cpp mozjs102-102.9.0/js/src/jit/shared/CodeGenerator-shared.cpp
--- mozjs102-102.8.0/js/src/jit/shared/CodeGenerator-shared.cpp 2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/shared/CodeGenerator-shared.cpp 2023-03-13 14:54:55.000000000 +0000
@@ -858,7 +858,6 @@
}
MOZ_ASSERT_IF(!masm.oom(), masm.currentOffset() - lastOsiPointOffset_ >=
Assembler::PatchWrite_NearCallSize());
- lastOsiPointOffset_ = masm.currentOffset();
}
uint32_t CodeGeneratorShared::markOsiPoint(LOsiPoint* ins) {
@@ -868,6 +867,7 @@
uint32_t offset = masm.currentOffset();
SnapshotOffset so = ins->snapshot()->snapshotOffset();
masm.propagateOOM(osiIndices_.append(OsiIndex(offset, so)));
+ lastOsiPointOffset_ = offset;
return offset;
}
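Review bot: `lastOsiPointOffset_ = offset;` changes what the member tracks: it is now updated only when an OSI point is recorded, no longer on every `ensureOsiSpace()` call, and neither place says so. A comment on this line such as `// ensureOsiSpace() pads relative to this offset before the next call.` would make the link to the assertion in `ensureOsiSpace()` explicit. The old assignment is removed in the previous hunk of this file, and the first lines of `markOsiPoint` fall between the two hunks.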