Firefox-58.0 is released. https://www.mozilla.org/en-US/firefox/58.0/releasenotes/ https://www.mozilla.org/en-US/security/advisories/mfsa2018-02/ Related CVE numbers: CVE-2018-5091: Use-after-free with DTMF timers CVE-2018-5092: Use-after-free in Web Workers CVE-2018-5093: Buffer overflow in WebAssembly during Memory/Table resizing CVE-2018-5094: Buffer overflow in WebAssembly with garbage collection on uninitialized memory CVE-2018-5095: Integer overflow in Skia library during edge builder allocation CVE-2018-5097: Use-after-free when source document is manipulated during XSLT CVE-2018-5098: Use-after-free while manipulating form input elements CVE-2018-5099: Use-after-free with widget listener CVE-2018-5100: Use-after-free when IsPotentiallyScrollable arguments are freed from memory CVE-2018-5101: Use-after-free with floating first-letter style elements CVE-2018-5102: Use-after-free in HTML media elements CVE-2018-5103: Use-after-free during mouse event handling CVE-2018-5104: Use-after-free during font face manipulation CVE-2018-5105: WebExtensions can save and execute files on local file system without user prompts CVE-2018-5106: Developer Tools can expose style editor information cross-origin through service worker CVE-2018-5107: Printing process will follow symlinks for local file access CVE-2018-5108: Manually entered blob URL can be accessed by subsequent private browsing tabs CVE-2018-5109: Audio capture prompts and starts with incorrect origin attribution CVE-2018-5110: Cursor can be made invisible on OS X CVE-2018-5111: URL spoofing in addressbar through drag and drop CVE-2018-5112: Extension development tools panel can open a non-relative URL in the panel CVE-2018-5113: WebExtensions can load non-HTTPS pages with browser.identity.launchWebAuthFlow CVE-2018-5114: The old value of a cookie changed to HttpOnly remains accessible to scripts CVE-2018-5115: Background network requests can open HTTP authentication in unrelated foreground tabs CVE-2018-5116: WebExtension ActiveTab permission allows cross-origin frame content access CVE-2018-5117: URL spoofing with right-to-left text aligned left-to-right CVE-2018-5118: Activity Stream images can attempt to load local content through file: CVE-2018-5119: Reader view will load cross-origin content in violation of CORS headers CVE-2018-5121: OS X Tibetan characters render incompletely in the addressbar CVE-2018-5122: Potential integer overflow in DoCrypt CVE-2018-5090: Memory safety bugs fixed in Firefox 58 CVE-2018-5089: Memory safety bugs fixed in Firefox 58 and Firefox ESR 52.6
Please be aware that using firefox built with alsa support instead of pulseaudio fails to play any sound and gives Sandbox errors. It is required to append "16" (amd64) or "54" (i386,arm) to "security.sandbox.content.syscall_whitelist"
(In reply to Constantine D. Kardaris from comment #1) > ... firefox built with alsa support instead of > pulseaudio ... C.f. https://bugs.gentoo.org/613370#c12 ff.
(In reply to Constantine D. Kardaris from comment #1) > Please be aware that using firefox built with alsa support instead of > pulseaudio fails to play any sound and gives Sandbox errors. > It is required to append "16" (amd64) or "54" (i386,arm) to > "security.sandbox.content.syscall_whitelist" Thank you for this, this is exactly what I was trying to find to confirm IUSE="pulseaudio"
Unfortunately I'm still working on sound issues related to sandboxing. I've found the relevant portions of code in the sandbox that looks to block the syscall that alsa (and presumably apulse) needs, however there is already an exception in place in that code segment to allow the syscall so I'm trying to figure out why it's not working.
(In reply to Ian Stakenvicius from comment #4) > Unfortunately I'm still working on sound issues related to sandboxing. I've > found the relevant portions of code in the sandbox that looks to block the > syscall that alsa (and presumably apulse) needs, however there is already an > exception in place in that code segment to allow the syscall so I'm trying > to figure out why it's not working. This might be relevant: https://bugzilla.mozilla.org/show_bug.cgi?id=1430274 It appears there is a patch here: https://hg.mozilla.org/mozilla-central/rev/b2a41379cc75
As I found in my repo (I have a firefox-58.0 ebuild), and an user reported this: DEPEND >=media-libs/libpng-1.6.34 is needed for FF58 to configure source, otherwise it fails. I hope it helps.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ab6c61a91b1e2d945cd9def0f9b9f2976a366efd commit ab6c61a91b1e2d945cd9def0f9b9f2976a366efd Author: Ian Stakenvicius <axs@gentoo.org> AuthorDate: 2018-01-29 05:17:09 +0000 Commit: Ian Stakenvicius <axs@gentoo.org> CommitDate: 2018-01-29 05:21:48 +0000 www-client/firefox: bump to 58.0 Apulse users may have issues with sound support; pulseaudio and alsa seem solid however. Bug: http://bugs.gentoo.org/645494 Package-Manager: Portage-2.3.13, Repoman-2.3.3 eclass/mozconfig-v6.58.eclass | 394 +++++++++++++++++++++ www-client/firefox/Manifest | 186 +++++----- .../{firefox-57.0.4.ebuild => firefox-58.0.ebuild} | 87 ++--- 3 files changed, 510 insertions(+), 157 deletions(-)}
Why pgo was dropped?
(In reply to soredake from comment #8) > Why pgo was dropped? Because it's buggy and unreliable within an ebuild sandbox, because it adds barely 0.05% impovement vs regular compilation, and because with the switch to "mach" from using make targets directly means we no longer have the control we need during the build process to control the different phases of a PGO build.
