M gnu-system.am => gnu-system.am +7 -0
@@ 387,6 387,7 @@ dist_patch_DATA = \
gnu/packages/patches/guix-test-networking.patch \
gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
gnu/packages/patches/hop-bigloo-4.0b.patch \
+ gnu/packages/patches/icecat-armhf-xpcom.patch \
gnu/packages/patches/icecat-CVE-2014-1587-bug-1042567.patch \
gnu/packages/patches/icecat-CVE-2014-1587-bug-1072847.patch \
gnu/packages/patches/icecat-CVE-2014-1587-bug-1079729.patch \
@@ 396,6 397,12 @@ dist_patch_DATA = \
gnu/packages/patches/icecat-CVE-2014-1592.patch \
gnu/packages/patches/icecat-CVE-2014-1593.patch \
gnu/packages/patches/icecat-CVE-2014-1594.patch \
+ gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2014-8639.patch \
+ gnu/packages/patches/icecat-CVE-2014-8641.patch \
gnu/packages/patches/irrlicht-mesa-10.patch \
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
gnu/packages/patches/kmod-module-directory.patch \
M gnu/packages/gnuzilla.scm => gnu/packages/gnuzilla.scm +9 -2
@@ 1,7 1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2013, 2014 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
;;;
;;; This file is part of GNU Guix.
@@ 231,7 231,14 @@ standards.")
"icecat-CVE-2014-1590.patch"
"icecat-CVE-2014-1592.patch"
"icecat-CVE-2014-1593.patch"
- "icecat-CVE-2014-1594.patch")))))
+ "icecat-CVE-2014-1594.patch"
+ "icecat-armhf-xpcom.patch"
+ "icecat-CVE-2014-8639.patch"
+ "icecat-CVE-2014-8634-pt1.patch"
+ "icecat-CVE-2014-8634-pt2.patch"
+ "icecat-CVE-2014-8641.patch"
+ "icecat-CVE-2014-8638-pt1.patch"
+ "icecat-CVE-2014-8638-pt2.patch")))))
(build-system gnu-build-system)
(inputs
`(("alsa-lib" ,alsa-lib)
A gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch => gnu/packages/patches/icecat-CVE-2014-8634-pt1.patch +410 -0
@@ 0,0 1,410 @@
+From 4f447768a2ff6bf37d462e033c11e20c733129ba Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Tue, 16 Dec 2014 22:52:51 +0100
+Subject: [PATCH] Bug 1109889 - Share more exception handling code. r=nbp,
+ a=abillings
+
+---
+ js/src/jit/Ion.cpp | 11 ++++++++++-
+ js/src/jit/IonMacroAssembler.cpp | 8 ++++----
+ js/src/jit/JitCompartment.h | 8 ++++++--
+ js/src/jit/arm/MacroAssembler-arm.cpp | 11 ++---------
+ js/src/jit/arm/MacroAssembler-arm.h | 6 ++++--
+ js/src/jit/arm/Trampoline-arm.cpp | 4 ++--
+ js/src/jit/mips/MacroAssembler-mips.cpp | 11 ++---------
+ js/src/jit/mips/MacroAssembler-mips.h | 7 +++++--
+ js/src/jit/mips/Trampoline-mips.cpp | 4 ++--
+ js/src/jit/shared/MacroAssembler-x86-shared.h | 3 +++
+ js/src/jit/x64/MacroAssembler-x64.cpp | 11 ++---------
+ js/src/jit/x64/MacroAssembler-x64.h | 3 +--
+ js/src/jit/x64/Trampoline-x64.cpp | 4 ++--
+ js/src/jit/x86/MacroAssembler-x86.cpp | 11 ++---------
+ js/src/jit/x86/MacroAssembler-x86.h | 3 +--
+ js/src/jit/x86/Trampoline-x86.cpp | 4 ++--
+ 16 files changed, 50 insertions(+), 59 deletions(-)
+
+diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
+index 9635742..a77f9b4 100644
+--- a/js/src/jit/Ion.cpp
++++ b/js/src/jit/Ion.cpp
+@@ -150,6 +150,7 @@ JitRuntime::JitRuntime()
+ : execAlloc_(nullptr),
+ ionAlloc_(nullptr),
+ exceptionTail_(nullptr),
++ exceptionTailParallel_(nullptr),
+ bailoutTail_(nullptr),
+ enterJIT_(nullptr),
+ bailoutHandler_(nullptr),
+@@ -198,10 +199,18 @@ JitRuntime::initialize(JSContext *cx)
+ return false;
+
+ IonSpew(IonSpew_Codegen, "# Emitting exception tail stub");
+- exceptionTail_ = generateExceptionTailStub(cx);
++
++ void *handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++ void *handlerParallel = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++
++ exceptionTail_ = generateExceptionTailStub(cx, handler);
+ if (!exceptionTail_)
+ return false;
+
++ exceptionTailParallel_ = generateExceptionTailStub(cx, handlerParallel);
++ if (!exceptionTailParallel_)
++ return false;
++
+ IonSpew(IonSpew_Codegen, "# Emitting bailout tail stub");
+ bailoutTail_ = generateBailoutTailStub(cx);
+ if (!bailoutTail_)
+diff --git a/js/src/jit/IonMacroAssembler.cpp b/js/src/jit/IonMacroAssembler.cpp
+index 2326fe1..9f7cc8f 100644
+--- a/js/src/jit/IonMacroAssembler.cpp
++++ b/js/src/jit/IonMacroAssembler.cpp
+@@ -1030,18 +1030,18 @@ MacroAssembler::handleFailure(ExecutionMode executionMode)
+ sps_->skipNextReenter();
+ leaveSPSFrame();
+
+- void *handler;
++ JitCode *excTail;
+ switch (executionMode) {
+ case SequentialExecution:
+- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleException);
++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+ break;
+ case ParallelExecution:
+- handler = JS_FUNC_TO_DATA_PTR(void *, jit::HandleParallelFailure);
++ excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTailParallel();
+ break;
+ default:
+ MOZ_ASSUME_UNREACHABLE("No such execution mode");
+ }
+- MacroAssemblerSpecific::handleFailureWithHandler(handler);
++ jump(excTail);
+
+ // Doesn't actually emit code, but balances the leave()
+ if (sps_)
+diff --git a/js/src/jit/JitCompartment.h b/js/src/jit/JitCompartment.h
+index 486a29d..475a685 100644
+--- a/js/src/jit/JitCompartment.h
++++ b/js/src/jit/JitCompartment.h
+@@ -153,8 +153,9 @@ class JitRuntime
+ // need for explicit interrupt checks.
+ JSC::ExecutableAllocator *ionAlloc_;
+
+- // Shared post-exception-handler tail
++ // Shared exception-handler tail.
+ JitCode *exceptionTail_;
++ JitCode *exceptionTailParallel_;
+
+ // Shared post-bailout-handler tail.
+ JitCode *bailoutTail_;
+@@ -214,7 +215,7 @@ class JitRuntime
+ InlineList<PatchableBackedge> backedgeList_;
+
+ private:
+- JitCode *generateExceptionTailStub(JSContext *cx);
++ JitCode *generateExceptionTailStub(JSContext *cx, void *handler);
+ JitCode *generateBailoutTailStub(JSContext *cx);
+ JitCode *generateEnterJIT(JSContext *cx, EnterJitType type);
+ JitCode *generateArgumentsRectifier(JSContext *cx, ExecutionMode mode, void **returnAddrOut);
+@@ -287,6 +288,9 @@ class JitRuntime
+ JitCode *getExceptionTail() const {
+ return exceptionTail_;
+ }
++ JitCode *getExceptionTailParallel() const {
++ return exceptionTailParallel_;
++ }
+
+ JitCode *getBailoutTail() const {
+ return bailoutTail_;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
+index b34483c..63b3ff2 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.cpp
++++ b/js/src/jit/arm/MacroAssembler-arm.cpp
+@@ -3984,25 +3984,18 @@ MacroAssemblerARMCompat::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerARMCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerARMCompat::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ int size = (sizeof(ResumeFromException) + 7) & ~7;
+ ma_sub(Imm32(size), sp);
+ ma_mov(sp, r0);
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, r1);
+ passABIArg(r0);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- branch(excTail);
+-}
+-
+-void
+-MacroAssemblerARMCompat::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/arm/MacroAssembler-arm.h b/js/src/jit/arm/MacroAssembler-arm.h
+index 00e8a03..6ccc0be 100644
+--- a/js/src/jit/arm/MacroAssembler-arm.h
++++ b/js/src/jit/arm/MacroAssembler-arm.h
+@@ -711,6 +711,9 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+ void jump(Label *label) {
+ as_b(label);
+ }
++ void jump(JitCode *code) {
++ branch(code);
++ }
+ void jump(Register reg) {
+ ma_bx(reg);
+ }
+@@ -1202,8 +1205,7 @@ class MacroAssemblerARMCompat : public MacroAssemblerARM
+
+ void linkExitFrame();
+ void linkParallelExitFrame(const Register &pt);
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ /////////////////////////////////////////////////////////////////
+ // Common interface.
+diff --git a/js/src/jit/arm/Trampoline-arm.cpp b/js/src/jit/arm/Trampoline-arm.cpp
+index e539c00..693dad8 100644
+--- a/js/src/jit/arm/Trampoline-arm.cpp
++++ b/js/src/jit/arm/Trampoline-arm.cpp
+@@ -928,11 +928,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/mips/MacroAssembler-mips.cpp b/js/src/jit/mips/MacroAssembler-mips.cpp
+index cee93a5..256434d 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.cpp
++++ b/js/src/jit/mips/MacroAssembler-mips.cpp
+@@ -3139,25 +3139,18 @@ MacroAssemblerMIPSCompat::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerMIPSCompat::handleFailureWithHandler(void *handler)
++MacroAssemblerMIPSCompat::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ int size = (sizeof(ResumeFromException) + StackAlignment) & ~(StackAlignment - 1);
+ ma_subu(StackPointer, StackPointer, Imm32(size));
+ ma_move(a0, StackPointer); // Use a0 since it is a first function argument
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, a1);
+ passABIArg(a0);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- branch(excTail);
+-}
+-
+-void
+-MacroAssemblerMIPSCompat::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/mips/MacroAssembler-mips.h b/js/src/jit/mips/MacroAssembler-mips.h
+index ed1f566..899a50e 100644
+--- a/js/src/jit/mips/MacroAssembler-mips.h
++++ b/js/src/jit/mips/MacroAssembler-mips.h
+@@ -481,6 +481,10 @@ class MacroAssemblerMIPSCompat : public MacroAssemblerMIPS
+ as_nop();
+ }
+
++ void jump(JitCode *code) {
++ branch(code);
++ }
++
+ void neg32(Register reg) {
+ ma_negu(reg, reg);
+ }
+@@ -842,8 +846,7 @@ public:
+
+ void linkExitFrame();
+ void linkParallelExitFrame(const Register &pt);
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ /////////////////////////////////////////////////////////////////
+ // Common interface.
+diff --git a/js/src/jit/mips/Trampoline-mips.cpp b/js/src/jit/mips/Trampoline-mips.cpp
+index b456845..64c2385 100644
+--- a/js/src/jit/mips/Trampoline-mips.cpp
++++ b/js/src/jit/mips/Trampoline-mips.cpp
+@@ -960,11 +960,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ AutoFlushICache afc("ExceptionTailStub");
+diff --git a/js/src/jit/shared/MacroAssembler-x86-shared.h b/js/src/jit/shared/MacroAssembler-x86-shared.h
+index 01d1a4b..779cf83 100644
+--- a/js/src/jit/shared/MacroAssembler-x86-shared.h
++++ b/js/src/jit/shared/MacroAssembler-x86-shared.h
+@@ -287,6 +287,9 @@ class MacroAssemblerX86Shared : public Assembler
+ void jump(Label *label) {
+ jmp(label);
+ }
++ void jump(JitCode *code) {
++ jmp(code);
++ }
+ void jump(RepatchLabel *label) {
+ jmp(label);
+ }
+diff --git a/js/src/jit/x64/MacroAssembler-x64.cpp b/js/src/jit/x64/MacroAssembler-x64.cpp
+index 9a9f995..0db799c 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.cpp
++++ b/js/src/jit/x64/MacroAssembler-x64.cpp
+@@ -287,24 +287,17 @@ MacroAssemblerX64::callWithABI(Address fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerX64::handleFailureWithHandler(void *handler)
++MacroAssemblerX64::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ subq(Imm32(sizeof(ResumeFromException)), rsp);
+ movq(rsp, rax);
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, rcx);
+ passABIArg(rax);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX64::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/x64/MacroAssembler-x64.h b/js/src/jit/x64/MacroAssembler-x64.h
+index 2c11e9a..5010549 100644
+--- a/js/src/jit/x64/MacroAssembler-x64.h
++++ b/js/src/jit/x64/MacroAssembler-x64.h
+@@ -1288,8 +1288,7 @@ class MacroAssemblerX64 : public MacroAssemblerX86Shared
+ void callWithABI(AsmJSImmPtr imm, MoveOp::Type result = MoveOp::GENERAL);
+ void callWithABI(Address fun, MoveOp::Type result = MoveOp::GENERAL);
+
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+ shlq(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x64/Trampoline-x64.cpp b/js/src/jit/x64/Trampoline-x64.cpp
+index 72f4592..3b83850 100644
+--- a/js/src/jit/x64/Trampoline-x64.cpp
++++ b/js/src/jit/x64/Trampoline-x64.cpp
+@@ -785,11 +785,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+diff --git a/js/src/jit/x86/MacroAssembler-x86.cpp b/js/src/jit/x86/MacroAssembler-x86.cpp
+index d36f4d3..57a0f85 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.cpp
++++ b/js/src/jit/x86/MacroAssembler-x86.cpp
+@@ -281,24 +281,17 @@ MacroAssemblerX86::callWithABI(const Address &fun, MoveOp::Type result)
+ }
+
+ void
+-MacroAssemblerX86::handleFailureWithHandler(void *handler)
++MacroAssemblerX86::handleFailureWithHandlerTail(void *handler)
+ {
+ // Reserve space for exception information.
+ subl(Imm32(sizeof(ResumeFromException)), esp);
+ movl(esp, eax);
+
+- // Ask for an exception handler.
++ // Call the handler.
+ setupUnalignedABICall(1, ecx);
+ passABIArg(eax);
+ callWithABI(handler);
+
+- JitCode *excTail = GetIonContext()->runtime->jitRuntime()->getExceptionTail();
+- jmp(excTail);
+-}
+-
+-void
+-MacroAssemblerX86::handleFailureWithHandlerTail()
+-{
+ Label entryFrame;
+ Label catch_;
+ Label finally;
+diff --git a/js/src/jit/x86/MacroAssembler-x86.h b/js/src/jit/x86/MacroAssembler-x86.h
+index 17de7a7..7e578c8 100644
+--- a/js/src/jit/x86/MacroAssembler-x86.h
++++ b/js/src/jit/x86/MacroAssembler-x86.h
+@@ -1086,8 +1086,7 @@ class MacroAssemblerX86 : public MacroAssemblerX86Shared
+ void callWithABI(const Address &fun, MoveOp::Type result = MoveOp::GENERAL);
+
+ // Used from within an Exit frame to handle a pending exception.
+- void handleFailureWithHandler(void *handler);
+- void handleFailureWithHandlerTail();
++ void handleFailureWithHandlerTail(void *handler);
+
+ void makeFrameDescriptor(Register frameSizeReg, FrameType type) {
+ shll(Imm32(FRAMESIZE_SHIFT), frameSizeReg);
+diff --git a/js/src/jit/x86/Trampoline-x86.cpp b/js/src/jit/x86/Trampoline-x86.cpp
+index 0a2f0de..9fd2c00 100644
+--- a/js/src/jit/x86/Trampoline-x86.cpp
++++ b/js/src/jit/x86/Trampoline-x86.cpp
+@@ -827,11 +827,11 @@ JitRuntime::generateDebugTrapHandler(JSContext *cx)
+ }
+
+ JitCode *
+-JitRuntime::generateExceptionTailStub(JSContext *cx)
++JitRuntime::generateExceptionTailStub(JSContext *cx, void *handler)
+ {
+ MacroAssembler masm;
+
+- masm.handleFailureWithHandlerTail();
++ masm.handleFailureWithHandlerTail(handler);
+
+ Linker linker(masm);
+ JitCode *code = linker.newCode<NoGC>(cx, JSC::OTHER_CODE);
+--
+2.1.2
+
A gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch => gnu/packages/patches/icecat-CVE-2014-8634-pt2.patch +30 -0
@@ 0,0 1,30 @@
+From e5de31c8f927b1aa06dde02c356cda33beb463d9 Mon Sep 17 00:00:00 2001
+From: Kyle Huey <khuey@kylehuey.com>
+Date: Fri, 19 Dec 2014 18:16:17 -0800
+Subject: [PATCH] Bug 1111737. r=smaug, a=bkerensa
+
+---
+ content/base/src/nsScriptLoader.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/content/base/src/nsScriptLoader.cpp b/content/base/src/nsScriptLoader.cpp
+index a6a4c34..7f3a76e 100644
+--- a/content/base/src/nsScriptLoader.cpp
++++ b/content/base/src/nsScriptLoader.cpp
+@@ -812,7 +812,12 @@ NotifyOffThreadScriptLoadCompletedRunnable::Run()
+ {
+ MOZ_ASSERT(NS_IsMainThread());
+
+- nsresult rv = mLoader->ProcessOffThreadRequest(mRequest, &mToken);
++ // We want these to be dropped on the main thread, once we return from this
++ // function.
++ nsRefPtr<nsScriptLoadRequest> request = mRequest.forget();
++ nsRefPtr<nsScriptLoader> loader = mLoader.forget();
++
++ nsresult rv = loader->ProcessOffThreadRequest(request, &mToken);
+
+ if (mToken) {
+ // The result of the off thread parse was not actually needed to process
+--
+2.1.2
+
A gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch => gnu/packages/patches/icecat-CVE-2014-8638-pt1.patch +27 -0
@@ 0,0 1,27 @@
+From 0c4a326295bdb37742fe23f0395916d2ba8ade53 Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
+Date: Wed, 19 Nov 2014 16:03:39 -0800
+Subject: [PATCH 1/2] Bug 1080987 - navigator.sendBeacon() needs to sent origin
+ header. r=sicking, a=bkerensa
+
+---
+ dom/base/Navigator.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp
+index 0f03ad3..020e370 100644
+--- a/dom/base/Navigator.cpp
++++ b/dom/base/Navigator.cpp
+@@ -1265,6 +1265,9 @@ Navigator::SendBeacon(const nsAString& aUrl,
+ principal,
+ true);
+
++ rv = cors->Init(channel, true);
++ NS_ENSURE_SUCCESS(rv, false);
++
+ // Start a preflight if cross-origin and content type is not whitelisted
+ rv = secMan->CheckSameOriginURI(documentURI, uri, false);
+ bool crossOrigin = NS_FAILED(rv);
+--
+2.1.2
+
A gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch => gnu/packages/patches/icecat-CVE-2014-8638-pt2.patch +149 -0
@@ 0,0 1,149 @@
+From 0d47e593c685313571aaa00cb7341b458123c82f Mon Sep 17 00:00:00 2001
+From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
+Date: Wed, 19 Nov 2014 16:03:30 -0800
+Subject: [PATCH 2/2] Bug 1080987 - navigator.sendBeacon() needs to sent origin
+ header - test. r=sicking, a=bkerensa
+
+---
+ .../beacon/beacon-originheader-handler.sjs | 41 ++++++++++++++
+ dom/tests/mochitest/beacon/mochitest.ini | 2 +
+ .../mochitest/beacon/test_beaconOriginHeader.html | 64 ++++++++++++++++++++++
+ 3 files changed, 107 insertions(+)
+ create mode 100644 dom/tests/mochitest/beacon/beacon-originheader-handler.sjs
+ create mode 100644 dom/tests/mochitest/beacon/test_beaconOriginHeader.html
+
+diff --git a/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs b/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs
+new file mode 100644
+index 0000000..baed22c
+--- /dev/null
++++ b/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs
+@@ -0,0 +1,41 @@
++/*
++ * TestSever customized specifically for the needs of:
++ * Bug 1080987 - navigator.sendBeacon() needs to sent origin header
++ */
++
++function handleRequest(request, response)
++{
++ response.setHeader("Cache-Control", "no-cache", false);
++ response.setHeader("Content-Type", "text/plain", false);
++
++ // case XHR-REQUEST: the xhr-request tries to query the
++ // stored header from the beacon request.
++ if (request.queryString == "queryheader") {
++ var header = getState("originHeader");
++ // if the beacon already stored the header - return.
++ if (header) {
++ response.write(header);
++ setState("originHeader", "");
++ return;
++ }
++ // otherwise wait for the beacon request
++ response.processAsync();
++ setObjectState("xhr-response", response);
++ return;
++ }
++
++ // case BEACON-REQUEST: get the beacon header and
++ // store the header on the server.
++ var header = request.getHeader("origin");
++ setState("originHeader", header);
++
++ // if there is an xhr-request waiting, return the header now.
++ getObjectState("xhr-response", function(xhrResponse) {
++ if (!xhrResponse) {
++ return;
++ }
++ setState("originHeader", "");
++ xhrResponse.write(header);
++ xhrResponse.finish();
++ });
++}
+diff --git a/dom/tests/mochitest/beacon/mochitest.ini b/dom/tests/mochitest/beacon/mochitest.ini
+index f65276e..6681fa4 100644
+--- a/dom/tests/mochitest/beacon/mochitest.ini
++++ b/dom/tests/mochitest/beacon/mochitest.ini
+@@ -2,8 +2,10 @@
+ skip-if = buildapp == 'b2g' || e10s
+ support-files = beacon-frame.html
+ beacon-handler.sjs
++ beacon-originheader-handler.sjs
+
+ [test_beacon.html]
+ [test_beaconFrame.html]
+ [test_beaconPreflight.html]
+ [test_beaconContentPolicy.html]
++[test_beaconOriginHeader.html]
+diff --git a/dom/tests/mochitest/beacon/test_beaconOriginHeader.html b/dom/tests/mochitest/beacon/test_beaconOriginHeader.html
+new file mode 100644
+index 0000000..b5684a9
+--- /dev/null
++++ b/dom/tests/mochitest/beacon/test_beaconOriginHeader.html
+@@ -0,0 +1,64 @@
++<!DOCTYPE HTML>
++<html>
++<head>
++ <title>Bug 1080987 - navigator.sendBeacon() needs to sent origin header</title>
++ <!-- Including SimpleTest.js so we can use waitForExplicitFinish !-->
++ <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
++ <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
++</head>
++<body>
++ <p id="display"></p>
++ <div id="content" style="visibility: hidden">
++ <iframe style="width:100%;" id="testframe"></iframe>
++ </div>
++
++<script class="testbody" type="text/javascript">
++
++SimpleTest.waitForExplicitFinish();
++
++const BEACON_URL = "http://example.com/tests/dom/tests/mochitest/beacon/beacon-originheader-handler.sjs";
++const ORIGIN_HEADER = "http://mochi.test:8888";
++
++/* Description of the test:
++ * We call sendBeacon() cross origin and make sure that the
++ * origin header is actually set in the request.
++ *
++ * Since sendBeacon() does not expect any response, we are storing the
++ * header on the server (*.sjs) and use an XMLHttpRequest to actually
++ * retrieve the header back from the server. We assert that the header
++ * is indeed correct. Since sendBeacon() and also the XMLHttpRequest()
++ * are performed in an asynchronous fashion, there is no guarantee that
++ * the sendBeacon() is actually executed before the XMLHttpRequest().
++ * Hence the xhr-response might be processed asynchronously.
++ */
++
++SpecialPowers.pushPrefEnv({'set': [["beacon.enabled", true]]}, runTest);
++
++function queryHeaderFromServer() {
++ var xhr = new XMLHttpRequest();
++ xhr.open("GET", "beacon-originheader-handler.sjs?queryheader", true);
++ xhr.onload = function() {
++ is(xhr.responseText, ORIGIN_HEADER, "SendBeacon sends right origin header");
++ SimpleTest.finish();
++ };
++ xhr.onerror = function() {
++ ok(false, "xhr request returned error");
++ SimpleTest.finish();
++ };
++ xhr.send();
++}
++
++function runTest() {
++ // generate data and send beacon
++ var formData = new FormData();
++ formData.append('name', 'value');
++ navigator.sendBeacon(BEACON_URL, formData);
++
++ // start quering the result from the server
++ queryHeaderFromServer();
++}
++
++</script>
++</pre>
++</body>
++</html>
+--
+2.1.2
+
A gnu/packages/patches/icecat-CVE-2014-8639.patch => gnu/packages/patches/icecat-CVE-2014-8639.patch +92 -0
@@ 0,0 1,92 @@
+From f80b2eefd451b8ed0fd783d9b9ed0412c8d46efd Mon Sep 17 00:00:00 2001
+From: Patrick McManus <mcmanus@ducksong.com>
+Date: Thu, 11 Dec 2014 13:55:16 -0500
+Subject: [PATCH] bug 1095859 - proxy tweak r=valentin.gosu a=bkerensa
+
+---
+ netwerk/protocol/http/nsHttpChannel.cpp | 7 ++++++-
+ netwerk/test/unit/test_auth_proxy.js | 29 +++++++++++++++++++++++++++++
+ 2 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
+index f20e033..35e71c7 100644
+--- a/netwerk/protocol/http/nsHttpChannel.cpp
++++ b/netwerk/protocol/http/nsHttpChannel.cpp
+@@ -1237,7 +1237,12 @@ nsHttpChannel::ProcessResponse()
+ // notify "http-on-examine-response" observers
+ gHttpHandler->OnExamineResponse(this);
+
+- SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie));
++ // Cookies should not be handled on proxy failure either.
++ // This would be consolidated with ProcessSecurityHeaders but it should
++ // happen after OnExamineResponse.
++ if (!mTransaction->ProxyConnectFailed() && (httpStatus != 407)) {
++ SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie));
++ }
+
+ // handle unused username and password in url (see bug 232567)
+ if (httpStatus != 401 && httpStatus != 407) {
+diff --git a/netwerk/test/unit/test_auth_proxy.js b/netwerk/test/unit/test_auth_proxy.js
+index 6af4e98..9275d6d 100644
+--- a/netwerk/test/unit/test_auth_proxy.js
++++ b/netwerk/test/unit/test_auth_proxy.js
+@@ -172,6 +172,12 @@ var listener = {
+ // If we expect 200, the request should have succeeded
+ do_check_eq(this.expectedCode == 200, request.requestSucceeded);
+
++ var cookie = "";
++ try {
++ cookie = request.getRequestHeader("Cookie");
++ } catch (e) { }
++ do_check_eq(cookie, "");
++
+ } catch (e) {
+ do_throw("Unexpected exception: " + e);
+ }
+@@ -261,6 +267,25 @@ function test_all_ok() {
+ do_test_pending();
+ }
+
++function test_proxy_407_cookie() {
++ var chan = makeChan();
++ chan.notificationCallbacks = new Requestor(FLAG_RETURN_FALSE, 0);
++ chan.setRequestHeader("X-Set-407-Cookie", "1", false);
++ listener.expectedCode = 407; // Proxy Unauthorized
++ chan.asyncOpen(listener, null);
++
++ do_test_pending();
++}
++
++function test_proxy_200_cookie() {
++ var chan = makeChan();
++ chan.notificationCallbacks = new Requestor(0, 0);
++ chan.setRequestHeader("X-Set-407-Cookie", "1", false);
++ listener.expectedCode = 200; // OK
++ chan.asyncOpen(listener, null);
++ do_test_pending();
++}
++
+ function test_host_returnfalse() {
+ dump("\ntest: host returnfalse\n");
+ var chan = makeChan();
+@@ -301,6 +326,7 @@ function test_proxy_wrongpw_host_returnfalse() {
+ }
+
+ var tests = [test_proxy_returnfalse, test_proxy_wrongpw, test_all_ok,
++ test_proxy_407_cookie, test_proxy_200_cookie,
+ test_host_returnfalse, test_host_wrongpw,
+ test_proxy_wrongpw_host_wrongpw, test_proxy_wrongpw_host_returnfalse];
+
+@@ -331,6 +357,9 @@ function proxyAuthHandler(metadata, response) {
+ "Unauthorized by HTTP proxy");
+ response.setHeader("Proxy-Authenticate",
+ 'Basic realm="' + realm + '"', false);
++ if (metadata.hasHeader("X-Set-407-Cookie")) {
++ response.setHeader("Set-Cookie", "chewy", false);
++ }
+ body = "failed";
+ response.bodyOutputStream.write(body, body.length);
+ }
+--
+2.1.2
+
A gnu/packages/patches/icecat-CVE-2014-8641.patch => gnu/packages/patches/icecat-CVE-2014-8641.patch +29 -0
@@ 0,0 1,29 @@
+From e36a3dd359ff0ac9c8796d41bedc884218d479e7 Mon Sep 17 00:00:00 2001
+From: Paul Adenot <paul@paul.cx>
+Date: Tue, 16 Dec 2014 18:45:40 +0100
+Subject: [PATCH] Bug 1108455. r=kinetik, a=sledru
+
+---
+ media/libcubeb/src/cubeb_wasapi.cpp | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/media/libcubeb/src/cubeb_wasapi.cpp b/media/libcubeb/src/cubeb_wasapi.cpp
+index 135aa86..5387a4f 100644
+--- a/media/libcubeb/src/cubeb_wasapi.cpp
++++ b/media/libcubeb/src/cubeb_wasapi.cpp
+@@ -365,10 +365,8 @@ wasapi_stream_render_loop(LPVOID stream)
+ assert(padding <= stm->buffer_frame_count);
+
+ if (stm->draining) {
+- if (padding == 0) {
+- stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_DRAINED);
+- is_playing = false;
+- }
++ stm->state_callback(stm, stm->user_ptr, CUBEB_STATE_DRAINED);
++ is_playing = false;
+ continue;
+ }
+
+--
+2.1.2
+
A gnu/packages/patches/icecat-armhf-xpcom.patch => gnu/packages/patches/icecat-armhf-xpcom.patch +25 -0
@@ 0,0 1,25 @@
+From 06198585dae1e4079b4b52b49827fd5b826030b7 Mon Sep 17 00:00:00 2001
+From: Douglas Crosher <dtc-moz@scieneer.com>
+Date: Sun, 16 Nov 2014 00:29:23 +1100
+Subject: [PATCH] Bug 1050258 - ARM hard-float XPCOM: correct argument passing.
+ r=mjrosenb, a=bkerensa
+
+---
+ xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp b/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
+index 946b7e3..c1c536b 100644
+--- a/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
++++ b/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_arm.cpp
+@@ -224,6 +224,7 @@ static inline void copy_dword(uint32_t* &ireg_args,
+ *(uint64_t *)ireg_args = data;
+ ireg_args += 2;
+ } else {
++ ireg_args = end;
+ if ((uint32_t)stack_args & 4) {
+ stack_args++;
+ }
+--
+2.1.2
+