authorFigue2018-01-07 14:28:48 +0100
committerFigue2018-01-07 14:28:48 +0100
commit0c2405e51a416ad5dc8bc76dfaa18d1282935e02 (patch)
treeb4bda40edc592d966380f7a93af701ae7cff3853
parenta0c77be0e91f2dff5eba7347571dd5fdae20381f (diff)
downloadaur-0c2405e51a416ad5dc8bc76dfaa18d1282935e02.tar.gz
Temporally add Spectre mitigation patch
-rw-r--r--.SRCINFO4
-rw-r--r--PKGBUILD11
-rw-r--r--icecat-bug-1427870-spectre-mitigation.patch49
3 files changed, 60 insertions, 4 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 14c4b8a44b15..7fb95b49ad92 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = icecat
pkgdesc = GNU version of the Firefox browser.
pkgver = 52.3.0
- pkgrel = 2
+ pkgrel = 3
url = http://www.gnu.org/software/gnuzilla/
arch = i686
arch = x86_64
@@ -51,6 +51,7 @@ pkgbase = icecat
source = clip-ft-glyph-52esr.diff
source = harmony-fix.diff
source = glibc-2.26-fix.diff
+ source = icecat-bug-1427870-spectre-mitigation.patch
validpgpkeys = A57369A8BABC2542B5A0368C3C76EED7D7E04784
sha256sums = 699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302
sha256sums = SKIP
@@ -63,6 +64,7 @@ pkgbase = icecat
sha256sums = dc4feddbf22ea11ae2513c68b7f3fc9047850d055a7f30d31a7ee94d7d5de12a
sha256sums = 16bb776e9f3039321db747b2eaece0cda1320f3711fb853a68d67247b0aa065d
sha256sums = cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8
+ sha256sums = 8088e9d3116f12e32e17a019918ab45f93e2a2f819ff9372949e33ca428d3129
pkgname = icecat
diff --git a/PKGBUILD b/PKGBUILD
index 5a9501720372..db2056bea5db 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -9,7 +9,7 @@ pkgname=icecat
pkgver=52.3.0
_pkgver=${pkgver}-gnu1
_pkgverbase=${pkgver%%.*}
-pkgrel=2
+pkgrel=3
pkgdesc="GNU version of the Firefox browser."
arch=(i686 x86_64)
url="http://www.gnu.org/software/gnuzilla/"
@@ -27,7 +27,8 @@ source=(http://ftpmirror.gnu.org/gnuzilla/${pkgver}/${pkgname}-${_pkgver}.tar.bz
#source=(http://jenkins.trisquel.info/icecat/${pkgname}-${_pkgver}.tar.bz2 ## Official developer (Ruben Rodriguez) site. Probably only has developer releases.
mozconfig icecat.desktop icecat-safe.desktop vendor.js
fix-wifi-scanner.diff no-crmf.diff
- clip-ft-glyph-52esr.diff harmony-fix.diff glibc-2.26-fix.diff)
+ clip-ft-glyph-52esr.diff harmony-fix.diff glibc-2.26-fix.diff
+ icecat-bug-1427870-spectre-mitigation.patch)
sha256sums=('699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302'
'SKIP'
@@ -39,7 +40,8 @@ sha256sums=('699ab2b41d4428ef5e360f3f33d98bc52723315cedac20bb03619846ca895302'
'ada119174a2a1779c4195a1b4506e8ae67c49c5306103158805a390237acc1c6'
'dc4feddbf22ea11ae2513c68b7f3fc9047850d055a7f30d31a7ee94d7d5de12a'
'16bb776e9f3039321db747b2eaece0cda1320f3711fb853a68d67247b0aa065d'
- 'cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8')
+ 'cd7ff441da66a287f8712e60cdc9e216c30355d521051e2eaae28a66d81915e8'
+ '8088e9d3116f12e32e17a019918ab45f93e2a2f819ff9372949e33ca428d3129')
validpgpkeys=(A57369A8BABC2542B5A0368C3C76EED7D7E04784) # Ruben Rodriguez (GNU IceCat releases key) <ruben@gnu.org>
@@ -67,6 +69,9 @@ prepare() {
# https://bugzilla.mozilla.org/show_bug.cgi?id=1400721
patch -Np1 -i ../harmony-fix.diff
+ # mitigation to Spectre for GNU IceCat. It's best this than nothing until official patches will be posted
+ patch -Np1 -i ../icecat-bug-1427870-spectre-mitigation.patch
+
msg2 "Starting build..."
cp -v ${srcdir}/mozconfig .mozconfig
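Review bot: The comment on the added `patch` line calls this a Spectre mitigation without saying that it is partial or where it comes from, while the harmony-fix line just above cites its bug URL. The patch's own header states that it only reduces the resolution of performance.now() to 20 microseconds, so the comment should say that and name the removal condition, for example `# Partial Spectre mitigation: clamp performance.now() to 20us (backport of https://bugzilla.mozilla.org/show_bug.cgi?id=1427870); drop once an upstream IceCat release includes it`. prepare() starts and ends outside this hunk.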
diff --git a/icecat-bug-1427870-spectre-mitigation.patch b/icecat-bug-1427870-spectre-mitigation.patch
new file mode 100644
index 000000000000..6b088286cb0c
--- /dev/null
+++ b/icecat-bug-1427870-spectre-mitigation.patch
@@ -0,0 +1,49 @@
+Mitigate Spectre by reducing the resolution of performance.now() to 20
+microseconds. Based on:
+
+ https://hg.mozilla.org/releases/mozilla-release/rev/afa87f9be3a8
+
+For more details, see:
+
+ https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/
+
+This patch was modified to apply cleanly to GNU IceCat.
+
+
+# HG changeset patch
+# User Tom Ritter <tom@mozilla.com>
+# Date 1514660820 21600
+# Node ID afa87f9be3a8852da3a30f286b15ae599c7874f6
+# Parent 6caa457ebedc915b43dc1d054b8fe22e82ca7447
+Bug 1427870 - Change resolution of .now() to 20us. r=bkelly, a=lizzard
+
+The comment about workers was introduced in Bug 1186489 but became obsolete some time after that
+(definitely by Bug 1278838)
+
+diff --git a/dom/performance/Performance.cpp b/dom/performance/Performance.cpp
+--- a/dom/performance/Performance.cpp
++++ b/dom/performance/Performance.cpp
+@@ -234,20 +234,19 @@ Performance::ClearResourceTimings()
+ {
+ MOZ_ASSERT(NS_IsMainThread());
+ mResourceEntries.Clear();
+ }
+
+ DOMHighResTimeStamp
+ Performance::RoundTime(double aTime) const
+ {
+- // Round down to the nearest 5us, because if the timer is too accurate people
+- // can do nasty timing attacks with it. See similar code in the worker
+- // Performance implementation.
+- const double maxResolutionMs = 0.005;
++ // Round down to the nearest 20us, because if the timer is too accurate people
++ // can do nasty timing attacks with it.
++ const double maxResolutionMs = 0.020;
+ return floor(aTime / maxResolutionMs) * maxResolutionMs;
+ }
+
+
+ void
+ Performance::Mark(const nsAString& aName, ErrorResult& aRv)
+ {
+ // Don't add the entry if the buffer is full. XXX should be removed by bug 1159003.
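Review bot: The header says the patch "was modified to apply cleanly to GNU IceCat" but not what was modified, so the backport cannot be checked against upstream changeset afa87f9be3a8 without diffing the two by hand. For a security patch carried in the package repository, the header should state the delta, e.g. `Only context lines and offsets differ from upstream; the RoundTime change is unmodified.`, if that is in fact the case. It would also help to say in the header that the rounding in `Performance::RoundTime` only coarsens this one clock, which raises the cost of timing measurements rather than removing the side channel, so the package is not read as fully patched. Performance::Mark continues past the end of the embedded hunk.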