
Bug#1033019: unblock: mozjs102/102.9.0-1



Package: release.debian.org
Control: affects -1 + src:mozjs102
X-Debbugs-Cc: mozjs102@packages.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package mozjs102

[ Reason ]
The new mozjs102 stable point release includes a security fix for CVE-2023-25751.

[ Impact ]
mozjs102 is only used by gjs which in turn is used by GNOME Shell and
several GNOME apps written in JavaScript.

[ Tests ]
The build tests have passed successfully and the gjs autopkgtests
triggered by this upload have passed too. (mozjs102 itself
does not have autopkgtests yet).

I also completed the manual test cases from
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
on Debian Testing.

[ Risks ]

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
mozjs102 is the SpiderMonkey JavaScript engine from the current
Firefox ESR stable branch. There are monthly releases until August.

https://wiki.mozilla.org/Release_Management/Calendar

I am unaware of anyone using Firefox vulnerabilities to attack GNOME
Shell, but I think it's good to be prudent and apply available
security updates. I don't think the Debian Security Team has done
security uploads for mozjs*, in part because Mozilla's lifecycle is so
short that it's difficult for an upstream-supported mozjs to be in a
Debian stable release.

For more info about the commits, see the GitHub mirror:
https://github.com/mozilla/gecko-dev/commits/esr102/js

unblock mozjs102/102.9.0-1

Thank you,
Jeremy Bicha
diff -Nru mozjs102-102.8.0/config/milestone.txt mozjs102-102.9.0/config/milestone.txt
--- mozjs102-102.8.0/config/milestone.txt	2023-02-15 10:26:31.000000000 +0000
+++ mozjs102-102.9.0/config/milestone.txt	2023-03-13 14:54:55.000000000 +0000
@@ -10,4 +10,4 @@
 # hardcoded milestones in the tree from these two files.
 #--------------------------------------------------------
 
-102.8.0
+102.9.0
diff -Nru mozjs102-102.8.0/debian/changelog mozjs102-102.9.0/debian/changelog
--- mozjs102-102.8.0/debian/changelog	2023-02-15 13:57:21.000000000 +0000
+++ mozjs102-102.9.0/debian/changelog	2023-03-13 15:03:53.000000000 +0000
@@ -1,3 +1,15 @@
+mozjs102 (102.9.0-1) unstable; urgency=high
+
+  [ Jeremy Bicha ]
+  * New upstream release
+    - CVE-2023-25751: Incorrect code generation during JIT compilation
+
+  [ John Paul Adrian Glaubitz ]
+  * Disable large-arraybuffers/base.js on all big-endian targets
+    (Closes: #1020700)
+
+ -- Jeremy Bicha <jbicha@ubuntu.com>  Mon, 13 Mar 2023 11:03:53 -0400
+
 mozjs102 (102.8.0-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru mozjs102-102.8.0/debian/rules mozjs102-102.9.0/debian/rules
--- mozjs102-102.8.0/debian/rules	2023-02-15 13:57:21.000000000 +0000
+++ mozjs102-102.9.0/debian/rules	2023-03-13 15:03:53.000000000 +0000
@@ -75,7 +75,7 @@
 endif
 
 # See: https://bugzilla.mozilla.org/show_bug.cgi?id=1755540
-ifneq (,$(findstring $(DEB_BUILD_ARCH),s390x))
+ifneq (,$(findstring $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x))
 	EXCLUDED_TESTS += large-arraybuffers/basic.js
 endif
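Review bot: `$(findstring $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x)` on the changed line is a substring match, so any architecture name that happens to be a substring of one of those words would also be excluded; `ifneq (,$(filter $(DEB_BUILD_ARCH),powerpc ppc64 sparc64 s390x))` matches whole words and states the intent directly. The debian/changelog entry in this same debdiff names the disabled test `large-arraybuffers/base.js` while this rule excludes `large-arraybuffers/basic.js`; the changelog should be corrected to match the file actually excluded. Keying on DEB_BUILD_ARCH rather than DEB_HOST_ARCH is presumably deliberate because the exclusion applies to tests executed on the build machine, but a short comment saying so would save the next reader the question.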
 
diff -Nru mozjs102-102.8.0/js/src/devtools/automation/autospider.py mozjs102-102.9.0/js/src/devtools/automation/autospider.py
--- mozjs102-102.8.0/js/src/devtools/automation/autospider.py	2023-02-15 10:26:31.000000000 +0000
+++ mozjs102-102.9.0/js/src/devtools/automation/autospider.py	2023-03-13 14:54:55.000000000 +0000
@@ -8,15 +8,12 @@
 import json
 import logging
 import multiprocessing
-import re
 import os
 import platform
-import posixpath
 import shlex
 import shutil
 import subprocess
 import sys
-
 from collections import Counter, namedtuple
 from logging import info
 from os import environ as env
@@ -52,9 +49,6 @@
 # paths. So for direct subprocess.* invocation, use normal paths from
 # DIR, but when running under the shell, use POSIX style paths.
 DIR = directories(os.path, os.getcwd())
-PDIR = directories(
-    posixpath, os.environ["PWD"], fixup=lambda s: re.sub(r"^(\w):", r"/\1", s)
-)
 
 AUTOMATION = env.get("AUTOMATION", False)
 
@@ -95,8 +89,8 @@
     "--objdir",
     type=str,
     metavar="DIR",
-    # The real default must be set later so that OBJDIR and POBJDIR can be
-    # platform-dependent strings.
+    # The real default must be set later so that OBJDIR can be
+    # relative to the srcdir.
     default=env.get("OBJDIR"),
     help="object directory",
 )
@@ -185,8 +179,6 @@
 OBJDIR = args.objdir or os.path.join(DIR.source, "obj-spider")
 OBJDIR = os.path.abspath(OBJDIR)
 OUTDIR = os.path.join(OBJDIR, "out")
-POBJDIR = args.objdir or posixpath.join(PDIR.source, "obj-spider")
-POBJDIR = posixpath.abspath(POBJDIR)
 MAKE = env.get("MAKE", "make")
 PYTHON = sys.executable
 
@@ -466,7 +458,7 @@
 
 env["MOZCONFIG"] = mozconfig
 
-mach = posixpath.join(PDIR.source, "mach")
+mach = os.path.join(DIR.source, "mach")
 
 if not args.nobuild:
     # Do the build
diff -Nru mozjs102-102.8.0/js/src/jit/CacheIR.cpp mozjs102-102.9.0/js/src/jit/CacheIR.cpp
--- mozjs102-102.8.0/js/src/jit/CacheIR.cpp	2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/CacheIR.cpp	2023-03-13 14:54:55.000000000 +0000
@@ -969,6 +969,10 @@
     return false;
   }
 
+  if (obj->is<NativeObject>() && obj->as<NativeObject>().numFixedSlots() == 0) {
+    return false;
+  }
+
   // Tell the analysis the |DOMInstanceClassHasProtoAtDepth| hook can't GC.
   JS::AutoSuppressGCAnalysis nogc;
 
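Review bot: The new early return for a NativeObject with `numFixedSlots() == 0` carries no comment, and nothing in the hunk says which later assumption it protects, so a reader cannot tell whether this is a correctness guard or an optimisation heuristic. A one-line comment above the `if` stating why an object without fixed slots must not take this path (to be confirmed against the code that follows) would make the guard reviewable and keep it from being removed as dead code later. The enclosing function starts before the hunk, so the surrounding checks are not visible here.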
diff -Nru mozjs102-102.8.0/js/src/jit/CodeGenerator.cpp mozjs102-102.9.0/js/src/jit/CodeGenerator.cpp
--- mozjs102-102.8.0/js/src/jit/CodeGenerator.cpp	2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/CodeGenerator.cpp	2023-03-13 14:54:55.000000000 +0000
@@ -357,6 +357,7 @@
   // when returning from the call.  Failures are handled with exceptions based
   // on the return value of the C functions.  To guard the outcome of the
   // returned value, use another LIR instruction.
+  ensureOsiSpace();
   uint32_t callOffset = masm.callJit(code);
   markSafepointAt(callOffset, ins);
 
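Review bot: The new `ensureOsiSpace()` call in this hunk, and the identical insertions in the later hunks of this file (the native, DOM method, getter and setter callWithABI sites, the remaining callJit sites and the wasm direct call), are added without any comment, and at the callWithABI sites there is no adjacent `markSafepointAt` to hint why distance from the last OSI point matters. The assertion in CodeGenerator-shared.cpp ties it to `Assembler::PatchWrite_NearCallSize()`, so a comment such as `// Keep this call clear of the patchable near-call at the preceding OSI point.` on at least the first site would make the intent visible (the exact patching mechanism is inferred from the assertion and should be confirmed). Since the guard is placed by hand at each call emitter, any other callJit/callWithABI emission site in this file that can follow an OSI point would need the same line; the diff alone cannot show whether all of them were covered.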
@@ -5120,6 +5121,7 @@
       native = jitInfo->ignoresReturnValueMethod;
     }
   }
+  ensureOsiSpace();
   masm.callWithABI(DynamicFunction<JSNative>(native), MoveOp::GENERAL,
                    CheckUnsafeCallWithABI::DontCheckHasExitFrame);
 
@@ -5281,6 +5283,7 @@
   masm.passABIArg(argObj);
   masm.passABIArg(argPrivate);
   masm.passABIArg(argArgs);
+  ensureOsiSpace();
   masm.callWithABI(DynamicFunction<JSJitMethodOp>(target->jitInfo()->method),
                    MoveOp::GENERAL,
                    CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -5436,6 +5439,7 @@
 
   // Finally call the function in objreg.
   masm.bind(&makeCall);
+  ensureOsiSpace();
   uint32_t callOffset = masm.callJit(objreg);
   markSafepointAt(callOffset, call);
 
@@ -5522,6 +5526,7 @@
   masm.Push(Imm32(descriptor));
 
   // Finally call the function in objreg.
+  ensureOsiSpace();
   uint32_t callOffset = masm.callJit(objreg);
   markSafepointAt(callOffset, call);
 
@@ -6058,6 +6063,7 @@
 
     // Finally call the function in objreg, as assigned by one of the paths
     // above.
+    ensureOsiSpace();
     uint32_t callOffset = masm.callJit(objreg);
     markSafepointAt(callOffset, apply);
 
@@ -14822,6 +14828,7 @@
   masm.passABIArg(ObjectReg);
   masm.passABIArg(PrivateReg);
   masm.passABIArg(ValueReg);
+  ensureOsiSpace();
   masm.callWithABI(DynamicFunction<JSJitGetterOp>(ins->mir()->fun()),
                    MoveOp::GENERAL,
                    CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -14942,6 +14949,7 @@
   masm.passABIArg(ObjectReg);
   masm.passABIArg(PrivateReg);
   masm.passABIArg(ValueReg);
+  ensureOsiSpace();
   masm.callWithABI(DynamicFunction<JSJitSetterOp>(ins->mir()->fun()),
                    MoveOp::GENERAL,
                    CheckUnsafeCallWithABI::DontCheckHasExitFrame);
@@ -17063,6 +17071,7 @@
   Register scratch = ToRegister(lir->temp());
 
   uint32_t callOffset;
+  ensureOsiSpace();
   GenerateDirectCallFromJit(masm, funcExport, instObj->instance(), stackArgs,
                             scratch, &callOffset);
 
diff -Nru mozjs102-102.8.0/js/src/jit/shared/CodeGenerator-shared.cpp mozjs102-102.9.0/js/src/jit/shared/CodeGenerator-shared.cpp
--- mozjs102-102.8.0/js/src/jit/shared/CodeGenerator-shared.cpp	2023-02-15 10:26:32.000000000 +0000
+++ mozjs102-102.9.0/js/src/jit/shared/CodeGenerator-shared.cpp	2023-03-13 14:54:55.000000000 +0000
@@ -858,7 +858,6 @@
   }
   MOZ_ASSERT_IF(!masm.oom(), masm.currentOffset() - lastOsiPointOffset_ >=
                                  Assembler::PatchWrite_NearCallSize());
-  lastOsiPointOffset_ = masm.currentOffset();
 }
 
 uint32_t CodeGeneratorShared::markOsiPoint(LOsiPoint* ins) {
@@ -868,6 +867,7 @@
   uint32_t offset = masm.currentOffset();
   SnapshotOffset so = ins->snapshot()->snapshotOffset();
   masm.propagateOOM(osiIndices_.append(OsiIndex(offset, so)));
+  lastOsiPointOffset_ = offset;
 
   return offset;
 }
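Review bot: With the assignment moved from ensureOsiSpace (previous hunk) into markOsiPoint here, `lastOsiPointOffset_` now records only real OSI points, which is what makes ensureOsiSpace() safe to call from ordinary call sites in CodeGenerator.cpp without shifting the reference point; that contract is not written down in either hunk. A comment on ensureOsiSpace (its signature is above the previous hunk), e.g. `// Pad so the next emitted call cannot overlap the patchable near-call at the last OSI point; lastOsiPointOffset_ is maintained by markOsiPoint, not here.`, and a matching line on the member declaration would document it. Capturing `offset` before the `propagateOOM(osiIndices_.append(...))` call and assigning it afterwards is fine, since the offset does not depend on the append succeeding.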
