diff -Nru firefox-60.0.1+build2/browser/config/version_display.txt firefox-60.0.2+build1/browser/config/version_display.txt --- firefox-60.0.1+build2/browser/config/version_display.txt 2018-05-16 17:37:47.000000000 +0000 +++ firefox-60.0.2+build1/browser/config/version_display.txt 2018-06-07 15:16:50.000000000 +0000 @@ -1 +1 @@ -60.0.1 +60.0.2 diff -Nru firefox-60.0.1+build2/browser/config/version.txt firefox-60.0.2+build1/browser/config/version.txt --- firefox-60.0.1+build2/browser/config/version.txt 2018-05-16 17:37:47.000000000 +0000 +++ firefox-60.0.2+build1/browser/config/version.txt 2018-06-07 15:16:50.000000000 +0000 @@ -1 +1 @@ -60.0.1 +60.0.2 diff -Nru firefox-60.0.1+build2/config/milestone.txt firefox-60.0.2+build1/config/milestone.txt --- firefox-60.0.1+build2/config/milestone.txt 2018-05-16 17:37:47.000000000 +0000 +++ firefox-60.0.2+build1/config/milestone.txt 2018-06-07 15:16:50.000000000 +0000 @@ -10,4 +10,4 @@ # hardcoded milestones in the tree from these two files. #-------------------------------------------------------- -60.0.1 +60.0.2 diff -Nru firefox-60.0.1+build2/debian/changelog firefox-60.0.2+build1/debian/changelog --- firefox-60.0.1+build2/debian/changelog 2018-05-17 10:19:39.000000000 +0000 +++ firefox-60.0.2+build1/debian/changelog 2018-06-07 18:35:59.000000000 +0000 @@ -1,3 +1,9 @@ +firefox (60.0.2+build1-0ubuntu0.16.04.1) xenial-security; urgency=medium + + * New upstream stable release (60.0.2build1) + + -- Chris Coulson Thu, 07 Jun 2018 19:35:59 +0100 + firefox (60.0.1+build2-0ubuntu0.16.04.1) xenial-security; urgency=medium * New upstream stable release (60.0.1build2) diff -Nru firefox-60.0.1+build2/devtools/server/actors/inspector/node.js firefox-60.0.2+build1/devtools/server/actors/inspector/node.js --- firefox-60.0.1+build2/devtools/server/actors/inspector/node.js 2018-05-16 17:37:49.000000000 +0000 +++ firefox-60.0.2+build1/devtools/server/actors/inspector/node.js 2018-06-07 15:16:26.000000000 +0000 @@ -229,25 +229,29 @@ return null; } - return style.display; + let display = null; + try { + display = style.display; + } catch (e) { + // Fails for elements. + } + return display; }, /** - * Is the node's display computed style value other than "none" + * Is the node currently displayed? */ get isDisplayed() { - // Consider all non-element nodes as displayed. - if (InspectorActorUtils.isNodeDead(this) || - this.rawNode.nodeType !== Ci.nsIDOMNode.ELEMENT_NODE) { - return true; - } + let type = this.displayType; - let style = this.computedStyle; - if (!style) { + // Consider all non-elements or elements with no display-types to be displayed. + if (!type) { return true; } - return style.display !== "none"; + // Otherwise consider elements to be displayed only if their display-types is other + // than "none"". + return type !== "none"; }, /** diff -Nru firefox-60.0.1+build2/devtools/shared/fronts/node.js firefox-60.0.2+build1/devtools/shared/fronts/node.js --- firefox-60.0.1+build2/devtools/shared/fronts/node.js 2018-05-16 17:37:49.000000000 +0000 +++ firefox-60.0.2+build1/devtools/shared/fronts/node.js 2018-06-07 15:16:26.000000000 +0000 @@ -336,9 +336,7 @@ }, get isDisplayed() { - // The NodeActor's form contains the isDisplayed information as a boolean - // starting from FF32. Before that, the property is missing - return "isDisplayed" in this._form ? this._form.isDisplayed : true; + return this._form.isDisplayed; }, get isTreeDisplayed() { diff -Nru firefox-60.0.1+build2/gfx/skia/skia/src/core/SkScan_Path.cpp firefox-60.0.2+build1/gfx/skia/skia/src/core/SkScan_Path.cpp --- firefox-60.0.1+build2/gfx/skia/skia/src/core/SkScan_Path.cpp 2018-05-16 17:37:54.000000000 +0000 +++ firefox-60.0.2+build1/gfx/skia/skia/src/core/SkScan_Path.cpp 2018-06-07 15:16:28.000000000 +0000 @@ -564,7 +564,12 @@ // Bias used for conservative rounding of float rects to int rects, to nudge the irects a little // larger, so we don't "think" a path's bounds are inside a clip, when (due to numeric drift in // the scan-converter) we might walk beyond the predicted limits. -static const double kConservativeRoundBias = 0.5 + 0.5 / SK_FDot6One; +// +// This value has been determined trial and error: pick the smallest value (after the 0.5) that +// fixes any problematic cases (e.g. crbug.com/844457) +// NOTE: cubics appear to be the main reason for needing this slop. If we could (perhaps) have a +// more accurate walker for cubics, we may be able to reduce this fudge factor. +static const double kConservativeRoundBias = 0.5 + 1.5 / SK_FDot6One; /** * Round the value down. This is used to round the top and left of a rectangle, diff -Nru firefox-60.0.1+build2/old-configure.in firefox-60.0.2+build1/old-configure.in --- firefox-60.0.1+build2/old-configure.in 2018-05-16 17:38:24.000000000 +0000 +++ firefox-60.0.2+build1/old-configure.in 2018-06-07 15:16:35.000000000 +0000 @@ -1760,7 +1760,7 @@ _USE_SYSTEM_NSS=1 ) if test -n "$_USE_SYSTEM_NSS"; then - AM_PATH_NSS(3.36.1, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])]) + AM_PATH_NSS(3.36.4, [MOZ_SYSTEM_NSS=1], [AC_MSG_ERROR([you don't have NSS installed or your version is too old])]) fi if test -n "$MOZ_SYSTEM_NSS"; then diff -Nru firefox-60.0.1+build2/security/nss/automation/abi-check/expected-report-libssl3.so.txt firefox-60.0.2+build1/security/nss/automation/abi-check/expected-report-libssl3.so.txt --- firefox-60.0.1+build2/security/nss/automation/abi-check/expected-report-libssl3.so.txt 2018-05-16 17:38:24.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/automation/abi-check/expected-report-libssl3.so.txt 2018-06-07 15:16:36.000000000 +0000 @@ -4,7 +4,7 @@ [C]'function SECStatus SSL_GetChannelInfo(PRFileDesc*, SSLChannelInfo*, PRUintn)' at sslinfo.c:12:1 has some indirect sub-type changes: parameter 2 of type 'SSLChannelInfo*' has sub-type changes: in pointed to type 'typedef SSLChannelInfo' at sslt.h:318:1: - underlying type 'struct SSLChannelInfoStr' at sslt.h:259:1 changed: + underlying type 'struct SSLChannelInfoStr' at sslt.h:251:1 changed: type size hasn't changed 1 data member change: type of 'SSLSignatureScheme SSLChannelInfoStr::signatureScheme' changed: diff -Nru firefox-60.0.1+build2/security/nss/coreconf/coreconf.dep firefox-60.0.2+build1/security/nss/coreconf/coreconf.dep --- firefox-60.0.1+build2/security/nss/coreconf/coreconf.dep 2018-05-16 17:38:21.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/coreconf/coreconf.dep 2018-06-07 15:16:36.000000000 +0000 @@ -10,3 +10,4 @@ */ #error "Do not include this header file." + diff -Nru firefox-60.0.1+build2/security/nss/cpputil/scoped_ptrs.h firefox-60.0.2+build1/security/nss/cpputil/scoped_ptrs.h --- firefox-60.0.1+build2/security/nss/cpputil/scoped_ptrs.h 2018-05-16 17:38:22.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/cpputil/scoped_ptrs.h 2018-06-07 15:16:36.000000000 +0000 @@ -10,6 +10,7 @@ #include #include "cert.h" #include "keyhi.h" +#include "p12.h" #include "pk11pub.h" #include "pkcs11uri.h" #include "sslexp.h" @@ -41,6 +42,9 @@ void operator()(SSLResumptionTokenInfo* token) { SSL_DestroyResumptionTokenInfo(token); } + void operator()(SEC_PKCS12DecoderContext* dcx) { + SEC_PKCS12DecoderFinish(dcx); + } }; template @@ -73,6 +77,7 @@ SCOPED(PK11Context); SCOPED(PK11GenericObject); SCOPED(SSLResumptionTokenInfo); +SCOPED(SEC_PKCS12DecoderContext); #undef SCOPED diff -Nru firefox-60.0.1+build2/security/nss/gtests/der_gtest/der_gtest.gyp firefox-60.0.2+build1/security/nss/gtests/der_gtest/der_gtest.gyp --- firefox-60.0.1+build2/security/nss/gtests/der_gtest/der_gtest.gyp 2018-05-16 17:38:26.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/gtests/der_gtest/der_gtest.gyp 2018-06-07 15:16:36.000000000 +0000 @@ -13,6 +13,7 @@ 'sources': [ 'der_getint_unittest.cc', 'der_quickder_unittest.cc', + 'p12_import_unittest.cc', '<(DEPTH)/gtests/common/gtests.cc' ], 'dependencies': [ @@ -21,6 +22,8 @@ '<(DEPTH)/lib/util/util.gyp:nssutil3', '<(DEPTH)/lib/ssl/ssl.gyp:ssl3', '<(DEPTH)/lib/nss/nss.gyp:nss3', + '<(DEPTH)/lib/pkcs12/pkcs12.gyp:pkcs12', + '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7', ] } ], diff -Nru firefox-60.0.1+build2/security/nss/gtests/der_gtest/manifest.mn firefox-60.0.2+build1/security/nss/gtests/der_gtest/manifest.mn --- firefox-60.0.1+build2/security/nss/gtests/der_gtest/manifest.mn 2018-05-16 17:38:21.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/gtests/der_gtest/manifest.mn 2018-06-07 15:16:36.000000000 +0000 @@ -9,6 +9,7 @@ CPPSRCS = \ der_getint_unittest.cc \ der_quickder_unittest.cc \ + p12_import_unittest.cc \ $(NULL) INCLUDES += -I$(CORE_DEPTH)/gtests/google_test/gtest/include \ diff -Nru firefox-60.0.1+build2/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc firefox-60.0.2+build1/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc --- firefox-60.0.1+build2/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2018-05-16 17:38:24.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/gtests/ssl_gtest/ssl_tls13compat_unittest.cc 2018-06-07 15:16:36.000000000 +0000 @@ -344,4 +344,20 @@ EXPECT_EQ(0U, session_id_len); } +TEST_F(Tls13CompatTest, ConnectWith12ThenAttemptToResume13CompatMode) { + ConfigureSessionCache(RESUME_SESSIONID, RESUME_SESSIONID); + ConfigureVersion(SSL_LIBRARY_VERSION_TLS_1_2); + Connect(); + + Reset(); + ExpectResumption(RESUME_NONE); + version_ = SSL_LIBRARY_VERSION_TLS_1_3; + client_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, + SSL_LIBRARY_VERSION_TLS_1_3); + server_->SetVersionRange(SSL_LIBRARY_VERSION_TLS_1_2, + SSL_LIBRARY_VERSION_TLS_1_3); + EnableCompatMode(); + Connect(); +} + } // namespace nss_test diff -Nru firefox-60.0.1+build2/security/nss/lib/dev/devslot.c firefox-60.0.2+build1/security/nss/lib/dev/devslot.c --- firefox-60.0.1+build2/security/nss/lib/dev/devslot.c 2018-05-16 17:38:18.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/dev/devslot.c 2018-06-07 15:16:36.000000000 +0000 @@ -153,7 +153,7 @@ /* set up condition so only one thread is active in this part of the code at a time */ PZ_Lock(slot->isPresentLock); while (slot->isPresentThread) { - PR_WaitCondVar(slot->isPresentCondition, 0); + PR_WaitCondVar(slot->isPresentCondition, PR_INTERVAL_NO_TIMEOUT); } /* if we were one of multiple threads here, the first thread will have * given us the answer, no need to make more queries of the token. */ diff -Nru firefox-60.0.1+build2/security/nss/lib/nss/nss.h firefox-60.0.2+build1/security/nss/lib/nss/nss.h --- firefox-60.0.1+build2/security/nss/lib/nss/nss.h 2018-05-16 17:38:26.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/nss/nss.h 2018-06-07 15:16:37.000000000 +0000 @@ -22,10 +22,10 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define NSS_VERSION "3.36.1" _NSS_CUSTOMIZED +#define NSS_VERSION "3.36.4" _NSS_CUSTOMIZED #define NSS_VMAJOR 3 #define NSS_VMINOR 36 -#define NSS_VPATCH 1 +#define NSS_VPATCH 4 #define NSS_VBUILD 0 #define NSS_BETA PR_FALSE diff -Nru firefox-60.0.1+build2/security/nss/lib/pkcs12/p12d.c firefox-60.0.2+build1/security/nss/lib/pkcs12/p12d.c --- firefox-60.0.1+build2/security/nss/lib/pkcs12/p12d.c 2018-05-16 17:38:22.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/pkcs12/p12d.c 2018-06-07 15:16:36.000000000 +0000 @@ -813,6 +813,7 @@ unsigned int cnt = p12dcx->safeContentsCnt - 1; safeContentsCtx = p12dcx->safeContentsList[cnt]; if (safeContentsCtx->safeContentsA1Dcx) { + SEC_ASN1DecoderClearFilterProc(p12dcx->aSafeA1Dcx); SEC_ASN1DecoderFinish(safeContentsCtx->safeContentsA1Dcx); safeContentsCtx->safeContentsA1Dcx = NULL; } diff -Nru firefox-60.0.1+build2/security/nss/lib/pkcs7/p7decode.c firefox-60.0.2+build1/security/nss/lib/pkcs7/p7decode.c --- firefox-60.0.1+build2/security/nss/lib/pkcs7/p7decode.c 2018-05-16 17:38:18.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/pkcs7/p7decode.c 2018-06-07 15:16:36.000000000 +0000 @@ -560,6 +560,7 @@ return SECSuccess; no_decryption: + PK11_FreeSymKey(bulkkey); /* * For some reason (error set already, if appropriate), we cannot * decrypt the content. I am not sure what exactly is the right @@ -1031,6 +1032,11 @@ SEC_PKCS7DecoderUpdate(SEC_PKCS7DecoderContext *p7dcx, const char *buf, unsigned long len) { + if (!p7dcx) { + PORT_SetError(SEC_ERROR_INVALID_ARGS); + return SECFailure; + } + if (p7dcx->cinfo != NULL && p7dcx->dcx != NULL) { PORT_Assert(p7dcx->error == 0); if (p7dcx->error == 0) { diff -Nru firefox-60.0.1+build2/security/nss/lib/softoken/softkver.h firefox-60.0.2+build1/security/nss/lib/softoken/softkver.h --- firefox-60.0.1+build2/security/nss/lib/softoken/softkver.h 2018-05-16 17:38:26.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/softoken/softkver.h 2018-06-07 15:16:37.000000000 +0000 @@ -17,10 +17,10 @@ * The format of the version string should be * ".[.[.]][ ][ ]" */ -#define SOFTOKEN_VERSION "3.36.1" SOFTOKEN_ECC_STRING +#define SOFTOKEN_VERSION "3.36.4" SOFTOKEN_ECC_STRING #define SOFTOKEN_VMAJOR 3 #define SOFTOKEN_VMINOR 36 -#define SOFTOKEN_VPATCH 1 +#define SOFTOKEN_VPATCH 4 #define SOFTOKEN_VBUILD 0 #define SOFTOKEN_BETA PR_FALSE diff -Nru firefox-60.0.1+build2/security/nss/lib/ssl/ssl3con.c firefox-60.0.2+build1/security/nss/lib/ssl/ssl3con.c --- firefox-60.0.1+build2/security/nss/lib/ssl/ssl3con.c 2018-05-16 17:38:23.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/ssl/ssl3con.c 2018-06-07 15:16:36.000000000 +0000 @@ -6152,6 +6152,48 @@ return ssl3_SetupCipherSuite(ss, initHashes); } +/* Check that session ID we received from the server, if any, matches our + * expectations, depending on whether we're in compat mode and whether we + * negotiated TLS 1.3+ or TLS 1.2-. + */ +static PRBool +ssl_CheckServerSessionIdCorrectness(sslSocket *ss, SECItem *sidBytes) +{ + sslSessionID *sid = ss->sec.ci.sid; + PRBool sidMatch = PR_FALSE; + PRBool sentFakeSid = PR_FALSE; + PRBool sentRealSid = sid && sid->version < SSL_LIBRARY_VERSION_TLS_1_3; + + /* If attempting to resume a TLS 1.2 connection, the session ID won't be a + * fake. Check for the real value. */ + if (sentRealSid) { + sidMatch = (sidBytes->len == sid->u.ssl3.sessionIDLength) && + PORT_Memcmp(sid->u.ssl3.sessionID, sidBytes->data, sidBytes->len) == 0; + } else { + /* Otherwise, the session ID was a fake if TLS 1.3 compat mode is + * enabled. If so, check for the fake value. */ + sentFakeSid = ss->opt.enableTls13CompatMode && !IS_DTLS(ss); + if (sentFakeSid && sidBytes->len == SSL3_SESSIONID_BYTES) { + PRUint8 buf[SSL3_SESSIONID_BYTES]; + ssl_MakeFakeSid(ss, buf); + sidMatch = PORT_Memcmp(buf, sidBytes->data, sidBytes->len) == 0; + } + } + + /* TLS 1.2: Session ID shouldn't match if we sent a fake. */ + if (ss->version < SSL_LIBRARY_VERSION_TLS_1_3) { + return !sentFakeSid || !sidMatch; + } + + /* TLS 1.3: We sent a session ID. The server's should match. */ + if (sentRealSid || sentFakeSid) { + return sidMatch; + } + + /* TLS 1.3: The server shouldn't send a session ID. */ + return sidBytes->len == 0; +} + /* Called from ssl3_HandleHandshakeMessage() when it has deciphered a complete * ssl3 ServerHello message. * Caller must hold Handshake and RecvBuf locks. @@ -6359,22 +6401,10 @@ } /* Check that the session ID is as expected. */ - if (ss->version >= SSL_LIBRARY_VERSION_TLS_1_3) { - PRUint8 buf[SSL3_SESSIONID_BYTES]; - unsigned int expectedSidLen; - if (ss->opt.enableTls13CompatMode && !IS_DTLS(ss)) { - expectedSidLen = SSL3_SESSIONID_BYTES; - ssl_MakeFakeSid(ss, buf); - } else { - expectedSidLen = 0; - } - if (sidBytes.len != expectedSidLen || - (expectedSidLen > 0 && - PORT_Memcmp(buf, sidBytes.data, expectedSidLen) != 0)) { - desc = illegal_parameter; - errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; - goto alert_loser; - } + if (!ssl_CheckServerSessionIdCorrectness(ss, &sidBytes)) { + desc = illegal_parameter; + errCode = SSL_ERROR_RX_MALFORMED_SERVER_HELLO; + goto alert_loser; } /* Only initialize hashes if this isn't a Hello Retry. */ diff -Nru firefox-60.0.1+build2/security/nss/lib/util/nssutil.h firefox-60.0.2+build1/security/nss/lib/util/nssutil.h --- firefox-60.0.1+build2/security/nss/lib/util/nssutil.h 2018-05-16 17:38:26.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/util/nssutil.h 2018-06-07 15:16:36.000000000 +0000 @@ -19,10 +19,10 @@ * The format of the version string should be * ".[.[.]][ ]" */ -#define NSSUTIL_VERSION "3.36.1" +#define NSSUTIL_VERSION "3.36.4" #define NSSUTIL_VMAJOR 3 #define NSSUTIL_VMINOR 36 -#define NSSUTIL_VPATCH 1 +#define NSSUTIL_VPATCH 4 #define NSSUTIL_VBUILD 0 #define NSSUTIL_BETA PR_FALSE diff -Nru firefox-60.0.1+build2/security/nss/lib/util/secasn1d.c firefox-60.0.2+build1/security/nss/lib/util/secasn1d.c --- firefox-60.0.1+build2/security/nss/lib/util/secasn1d.c 2018-05-16 17:38:22.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/lib/util/secasn1d.c 2018-06-07 15:16:37.000000000 +0000 @@ -175,7 +175,7 @@ } } } else { - sprintf(buf, " [%d]", k); + sprintf(buf, " [%lu]", k); } buf += strlen(buf); @@ -982,7 +982,7 @@ #ifdef DEBUG_ASN1D_STATES { - printf("Found Length %d %s\n", state->contents_length, + printf("Found Length %lu %s\n", state->contents_length, state->indefinite ? "indefinite" : ""); } #endif @@ -2717,16 +2717,15 @@ } i = formatKind(state->theTemplate->kind, kindBuf); - printf("%s: tmpl %08x, kind%s", + printf("%s: tmpl kind %s", (state == cx->current) ? "STATE" : "State", - state->theTemplate, kindBuf); printf(" %s", (state->place >= 0 && state->place <= notInUse) ? place_names[state->place] : "(undefined)"); if (!i) - printf(", expect 0x%02x", + printf(", expect 0x%02lx", state->expect_tag_number | state->expect_tag_modifiers); - printf("%s%s%s %d\n", + printf("%s%s%s %lu\n", state->indefinite ? ", indef" : "", state->missing ? ", miss" : "", state->endofcontents ? ", EOC" : "", @@ -2754,7 +2753,7 @@ what = SEC_ASN1_Contents; consumed = 0; #ifdef DEBUG_ASN1D_STATES - printf("\nPLACE = %s, next byte = 0x%02x, %08x[%d]\n", + printf("\nPLACE = %s, next byte = 0x%02x, %p[%lu]\n", (state->place >= 0 && state->place <= notInUse) ? place_names[state->place] : "(undefined)", len ? (unsigned int)((unsigned char *)buf)[consumed] : 0, buf, consumed); @@ -2977,7 +2976,7 @@ { SECStatus rv; - if (cx->status == needBytes) { + if (!cx || cx->status == needBytes) { PORT_SetError(SEC_ERROR_BAD_DER); rv = SECFailure; } else { diff -Nru firefox-60.0.1+build2/security/nss/TAG-INFO firefox-60.0.2+build1/security/nss/TAG-INFO --- firefox-60.0.1+build2/security/nss/TAG-INFO 2018-05-16 17:38:17.000000000 +0000 +++ firefox-60.0.2+build1/security/nss/TAG-INFO 2018-06-07 15:16:36.000000000 +0000 @@ -1 +1 @@ -NSS_3_36_1_RTM +NSS_3_36_4_RTM diff -Nru firefox-60.0.1+build2/security/sandbox/mac/SandboxPolicies.h firefox-60.0.2+build1/security/sandbox/mac/SandboxPolicies.h --- firefox-60.0.1+build2/security/sandbox/mac/SandboxPolicies.h 2018-05-16 17:38:19.000000000 +0000 +++ firefox-60.0.2+build1/security/sandbox/mac/SandboxPolicies.h 2018-06-07 15:16:36.000000000 +0000 @@ -344,6 +344,22 @@ ; automatically issued by the font server in response to font ; API calls. (extension "com.apple.app-sandbox.read")) + + ; Fonts + ; Workaround for sandbox extensions not being automatically + ; issued for fonts on 10.11 and earlier versions (bug 1460917). + (if (<= macosMinorVersion 11) + (allow file-read* + (regex #"\.[oO][tT][fF]$" ; otf + #"\.[tT][tT][fF]$" ; ttf + #"\.[tT][tT][cC]$" ; ttc + #"\.[oO][tT][cC]$" ; otc + #"\.[dD][fF][oO][nN][tT]$") ; dfont + (home-subpath "/Library/FontCollections") + (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype") + (home-subpath "/Library/Application Support/FontAgent") + (regex #"\.fontvault/") + (home-subpath "/FontExplorer X/Font Library"))) )SANDBOX_LITERAL"; // These are additional rules that are added to the content process rules for @@ -501,6 +517,9 @@ (define home-library-path (string-append homeDir "/Library")) + (define (home-subpath home-relative-subpath) + (subpath (string-append homeDir home-relative-subpath))) + (define home-library-prefs-path (string-append homeDir "/Library" "/Preferences")) @@ -610,6 +629,22 @@ ; API calls. (extension "com.apple.app-sandbox.read")) + ; Fonts + ; Workaround for sandbox extensions not being automatically + ; issued for fonts on 10.11 and earlier versions (bug 1460917). + (if (<= macosMinorVersion 11) + (allow file-read* + (regex #"\.[oO][tT][fF]$" ; otf + #"\.[tT][tT][fF]$" ; ttf + #"\.[tT][tT][cC]$" ; ttc + #"\.[oO][tT][cC]$" ; otc + #"\.[dD][fF][oO][nN][tT]$") ; dfont + (home-subpath "/Library/FontCollections") + (home-subpath "/Library/Application Support/Adobe/CoreSync/plugins/livetype") + (home-subpath "/Library/Application Support/FontAgent") + (regex #"\.fontvault/") + (home-subpath "/FontExplorer X/Font Library"))) + (allow ipc-posix-shm* (ipc-posix-name-regex #"^AudioIO") (ipc-posix-name-regex #"^CFPBS:")) diff -Nru firefox-60.0.1+build2/SOURCE_CHANGESET firefox-60.0.2+build1/SOURCE_CHANGESET --- firefox-60.0.1+build2/SOURCE_CHANGESET 2018-05-16 17:38:47.000000000 +0000 +++ firefox-60.0.2+build1/SOURCE_CHANGESET 2018-06-07 15:16:50.000000000 +0000 @@ -1 +1 @@ -03d4f76300bedeffd47c726ce7fee0221873da11 \ No newline at end of file +a0b222c551f586904f51228c49149d9b6b7e2a81 \ No newline at end of file diff -Nru firefox-60.0.1+build2/taskcluster/ci/release-update-verify/kind.yml firefox-60.0.2+build1/taskcluster/ci/release-update-verify/kind.yml --- firefox-60.0.1+build2/taskcluster/ci/release-update-verify/kind.yml 2018-05-16 17:38:19.000000000 +0000 +++ firefox-60.0.2+build1/taskcluster/ci/release-update-verify/kind.yml 2018-06-07 15:16:37.000000000 +0000 @@ -56,6 +56,7 @@ maple: "beta-localtest" mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" + mozilla-esr60: "esr-localtest" default: "default" treeherder: symbol: UV @@ -77,6 +78,7 @@ maple: "beta-localtest" mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" + mozilla-esr60: "esr-localtest" default: "default" treeherder: symbol: UV @@ -98,6 +100,7 @@ maple: "beta-localtest" mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" + mozilla-esr60: "esr-localtest" default: "default" treeherder: symbol: UV @@ -119,6 +122,7 @@ maple: "beta-localtest" mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" + mozilla-esr60: "esr-localtest" default: "default" treeherder: symbol: UV @@ -140,6 +144,7 @@ maple: "beta-localtest" mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" + mozilla-esr60: "esr-localtest" default: "default" treeherder: symbol: UV diff -Nru firefox-60.0.1+build2/taskcluster/ci/release-update-verify-config/kind.yml firefox-60.0.2+build1/taskcluster/ci/release-update-verify-config/kind.yml --- firefox-60.0.1+build2/taskcluster/ci/release-update-verify-config/kind.yml 2018-05-16 17:38:26.000000000 +0000 +++ firefox-60.0.2+build1/taskcluster/ci/release-update-verify-config/kind.yml 2018-06-07 15:16:37.000000000 +0000 @@ -57,7 +57,7 @@ maple: beta mozilla-beta: beta mozilla-release: nonbeta - mozilla-esr60: nonbeta + mozilla-esr60: esr default: null last-watershed: by-project: @@ -112,6 +112,7 @@ mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" mozilla-esr52: "esr-localtest" + mozilla-esr60: "esr-localtest" default: "default" mar-channel-id-override: by-project: @@ -140,6 +141,7 @@ mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" mozilla-esr52: "esr-localtest" + mozilla-esr60: "esr-localtest" default: "default" mar-channel-id-override: by-project: @@ -168,6 +170,7 @@ mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" mozilla-esr52: "esr-localtest" + mozilla-esr60: "esr-localtest" default: "default" mar-channel-id-override: by-project: @@ -196,6 +199,7 @@ mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" mozilla-esr52: "esr-localtest" + mozilla-esr60: "esr-localtest" default: "default" mar-channel-id-override: by-project: @@ -224,6 +228,7 @@ mozilla-beta: "beta-localtest" mozilla-release: "release-localtest" mozilla-esr52: "esr-localtest" + mozilla-esr60: "esr-localtest" default: "default" mar-channel-id-override: by-project: diff -Nru firefox-60.0.1+build2/taskcluster/taskgraph/transforms/update_verify_config.py firefox-60.0.2+build1/taskcluster/taskgraph/transforms/update_verify_config.py --- firefox-60.0.1+build2/taskcluster/taskgraph/transforms/update_verify_config.py 2018-05-16 17:38:26.000000000 +0000 +++ firefox-60.0.2+build1/taskcluster/taskgraph/transforms/update_verify_config.py 2018-06-07 15:16:37.000000000 +0000 @@ -20,13 +20,15 @@ # In the rare event that we do ship a point # release to beta, we need to either: # 1) update these regexes to match that specific version -# 2) pass a second include version that matches that specifivc version +# 2) pass a second include version that matches that specific version INCLUDE_VERSION_REGEXES = { "beta": r"'^(\d+\.\d+(b\d+)?)$'", "nonbeta": r"'^\d+\.\d+(\.\d+)?$'", # Same as beta, except excludes 58.0b1 due to issues with it not being able # to update to latest "devedition_hack": r"'^((?!58\.0b1$)\d+\.\d+(b\d+)?)$'", + # Same as nonbeta, except for the esr suffix + "esr": r"'^\d+\.\d+(\.\d+)?esr$'", } MAR_CHANNEL_ID_OVERRIDE_REGEXES = { diff -Nru firefox-60.0.1+build2/testing/mozharness/scripts/desktop_partner_repacks.py firefox-60.0.2+build1/testing/mozharness/scripts/desktop_partner_repacks.py --- firefox-60.0.1+build2/testing/mozharness/scripts/desktop_partner_repacks.py 2018-05-16 17:38:25.000000000 +0000 +++ firefox-60.0.2+build1/testing/mozharness/scripts/desktop_partner_repacks.py 2018-06-07 15:16:37.000000000 +0000 @@ -163,8 +163,9 @@ for taskId in self.config['taskIds']: repack_cmd.extend(["--taskid", taskId]) - return self.run_command(repack_cmd, - cwd=self.query_abs_dirs()['abs_scripts_dir']) + self.run_command(repack_cmd, + cwd=self.query_abs_dirs()['abs_scripts_dir'], + halt_on_failure=True) # main {{{ diff -Nru firefox-60.0.1+build2/testing/mozharness/scripts/release/update-verify-config-creator.py firefox-60.0.2+build1/testing/mozharness/scripts/release/update-verify-config-creator.py --- firefox-60.0.1+build2/testing/mozharness/scripts/release/update-verify-config-creator.py 2018-05-16 17:38:27.000000000 +0000 +++ firefox-60.0.2+build1/testing/mozharness/scripts/release/update-verify-config-creator.py 2018-06-07 15:16:37.000000000 +0000 @@ -211,7 +211,6 @@ releases = json.load(ret)["releases"] for release_name, release_info in reversed(sorted(releases.items())): product, version = release_name.split("-", 1) - version = version.rstrip("esr") tag = "{}_{}_RELEASE".format(product.upper(), version.replace(".", "_")) # Product details has a "category" for releases that we can use to # determine the repo path. This will fail if any previous releases