diff options
author | Figue | 2018-01-07 14:28:48 +0100 |
---|---|---|
committer | Figue | 2018-01-07 14:28:48 +0100 |
commit | 0c2405e51a416ad5dc8bc76dfaa18d1282935e02 (patch) | |
tree | b4bda40edc592d966380f7a93af701ae7cff3853 | |
parent | a0c77be0e91f2dff5eba7347571dd5fdae20381f (diff) | |
download | aur-0c2405e51a416ad5dc8bc76dfaa18d1282935e02.tar.gz |
Temporally add Spectre mitigation patch
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 11 | ||||
-rw-r--r-- | icecat-bug-1427870-spectre-mitigation.patch | 49 |
3 files changed, 60 insertions, 4 deletions
@@ -1,7 +1,7 @@ pkgbase = icecat pkgdesc = GNU version of the Firefox browser. pkgver = 52.3.0 - pkgrel = 2 + pkgrel = 3 url = http://www.gnu.org/software/gnuzilla/ arch = i686 arch = x86_64 @@ -51,6 +51,7 @@ pkgbase = icecat source = clip-ft-glyph-52esr.diff source = harmony-fix.diff source = glibc-2.26-fix.diff + source = icecat-bug-1427870-spectre-mitigation.patch validpgpkeys = A57369A8BABC2542B5A0368C3C76EED7D7E04784 sha256sums = 699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302 sha256sums = SKIP @@ -63,6 +64,7 @@ pkgbase = icecat sha256sums = dc4feddbf22ea11ae2513c68b7f3fc9047850d055a7f30d31a7ee94d7d5de12a sha256sums = 16bb776e9f3039321db747b2eaece0cda1320f3711fb853a68d67247b0aa065d sha256sums = cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8 + sha256sums = 8088e9d3116f12e32e17a019918ab45f93e2a2f819ff9372949e33ca428d3129 pkgname = icecat @@ -9,7 +9,7 @@ pkgname=icecat pkgver=52.3.0 _pkgver=${pkgver}-gnu1 _pkgverbase=${pkgver%%.*} -pkgrel=2 +pkgrel=3 pkgdesc="GNU version of the Firefox browser." arch=(i686 x86_64) url="http://www.gnu.org/software/gnuzilla/" @@ -27,7 +27,8 @@ source=(http://ftpmirror.gnu.org/gnuzilla/${pkgver}/${pkgname}-${_pkgver}.tar.bz #source=(http://jenkins.trisquel.info/icecat/${pkgname}-${_pkgver}.tar.bz2 ## Official developer (Ruben Rodriguez) site. Probably only has developer releases. mozconfig icecat.desktop icecat-safe.desktop vendor.js fix-wifi-scanner.diff no-crmf.diff - clip-ft-glyph-52esr.diff harmony-fix.diff glibc-2.26-fix.diff) + clip-ft-glyph-52esr.diff harmony-fix.diff glibc-2.26-fix.diff + icecat-bug-1427870-spectre-mitigation.patch) sha256sums=('699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302' 'SKIP' @@ -39,7 +40,8 @@ sha256sums=('699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302' 'ada119174a2a1779c4195a1b4506e8ae67c49c5306103158805a390237acc1c6' 'dc4feddbf22ea11ae2513c68b7f3fc9047850d055a7f30d31a7ee94d7d5de12a' '16bb776e9f3039321db747b2eaece0cda1320f3711fb853a68d67247b0aa065d' - 'cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8') + 'cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8' + '8088e9d3116f12e32e17a019918ab45f93e2a2f819ff9372949e33ca428d3129') validpgpkeys=(A57369A8BABC2542B5A0368C3C76EED7D7E04784) # Ruben Rodriguez (GNU IceCat releases key) <ruben@gnu.org> @@ -67,6 +69,9 @@ prepare() { # https://bugzilla.mozilla.org/show_bug.cgi?id=1400721 patch -Np1 -i ../harmony-fix.diff + # mitigation to Spectre for GNU IceCat. It's best this than nothing until official patches will be posted + patch -Np1 -i ../icecat-bug-1427870-spectre-mitigation.patch + msg2 "Starting build..." cp -v ${srcdir}/mozconfig .mozconfig diff --git a/icecat-bug-1427870-spectre-mitigation.patch b/icecat-bug-1427870-spectre-mitigation.patch new file mode 100644 index 000000000000..6b088286cb0c --- /dev/null +++ b/icecat-bug-1427870-spectre-mitigation.patch @@ -0,0 +1,49 @@ +Mitigate Spectre by reducing the resolution of performance.now() to 20 +microseconds. Based on: + + https://hg.mozilla.org/releases/mozilla-release/rev/afa87f9be3a8 + +For more details, see: + + https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ + +This patch was modified to apply cleanly to GNU IceCat. + + +# HG changeset patch +# User Tom Ritter <tom@mozilla.com> +# Date 1514660820 21600 +# Node ID afa87f9be3a8852da3a30f286b15ae599c7874f6 +# Parent 6caa457ebedc915b43dc1d054b8fe22e82ca7447 +Bug 1427870 - Change resolution of .now() to 20us. r=bkelly, a=lizzard + +The comment about workers was introduced in Bug 1186489 but became obsolete some time after that +(definitely by Bug 1278838) + +diff --git a/dom/performance/Performance.cpp b/dom/performance/Performance.cpp +--- a/dom/performance/Performance.cpp ++++ b/dom/performance/Performance.cpp +@@ -234,20 +234,19 @@ Performance::ClearResourceTimings() + { + MOZ_ASSERT(NS_IsMainThread()); + mResourceEntries.Clear(); + } + + DOMHighResTimeStamp + Performance::RoundTime(double aTime) const + { +- // Round down to the nearest 5us, because if the timer is too accurate people +- // can do nasty timing attacks with it. See similar code in the worker +- // Performance implementation. +- const double maxResolutionMs = 0.005; ++ // Round down to the nearest 20us, because if the timer is too accurate people ++ // can do nasty timing attacks with it. ++ const double maxResolutionMs = 0.020; + return floor(aTime / maxResolutionMs) * maxResolutionMs; + } + + + void + Performance::Mark(const nsAString& aName, ErrorResult& aRv) + { + // Don't add the entry if the buffer is full. XXX should be removed by bug 1159003. |