From a5e55dfbb7318f8c79e9d56f8c8dcd5b20566efb Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Fri, 7 Aug 2015 23:06:02 -0400
Subject: [PATCH] gnu: icecat: Add fix for CVE-2015-4495.

* gnu/packages/patches/icecat-CVE-2015-4495.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patch.  Move the 'patches'
  field above the snippet.
---
 gnu-system.am                                 |  1 +
 gnu/packages/gnuzilla.scm                     |  9 +++---
 .../patches/icecat-CVE-2015-4495.patch        | 28 +++++++++++++++++++
 3 files changed, 34 insertions(+), 4 deletions(-)
 create mode 100644 gnu/packages/patches/icecat-CVE-2015-4495.patch

diff --git a/gnu-system.am b/gnu-system.am
index 1946ee2a65f..43ea021536f 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -483,6 +483,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/hwloc-gather-topology-lstopo.patch	\
   gnu/packages/patches/hydra-automake-1.15.patch		\
   gnu/packages/patches/hydra-disable-darcs-test.patch		\
+  gnu/packages/patches/icecat-CVE-2015-4495.patch		\
   gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \
   gnu/packages/patches/icecat-freetype-2.6.patch		\
   gnu/packages/patches/icecat-libvpx-1.4.patch			\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index dfa1d5d8a43..0200039f5ca 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -240,6 +240,10 @@ (define-public icecat
       (sha256
        (base32
         "11wx29mb5pcg4mgk07a6vjwh52ca90k0x4m9wv0v3y5dmp88f01p"))
+      (patches (map search-patch '("icecat-CVE-2015-4495.patch"
+                                   "icecat-enable-acceleration-and-webgl.patch"
+                                   "icecat-freetype-2.6.patch"
+                                   "icecat-libvpx-1.4.patch")))
       (modules '((guix build utils)))
       (snippet
        '(begin
@@ -277,10 +281,7 @@ (define-public icecat
                       "gfx/cairo"
                       "js/src/ctypes/libffi"
                       "db/sqlite3"))
-          #t))
-      (patches (map search-patch '("icecat-enable-acceleration-and-webgl.patch"
-                                   "icecat-freetype-2.6.patch"
-                                   "icecat-libvpx-1.4.patch")))))
+          #t))))
     (build-system gnu-build-system)
     (inputs
      `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-CVE-2015-4495.patch b/gnu/packages/patches/icecat-CVE-2015-4495.patch
new file mode 100644
index 00000000000..e7514d9a5e7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4495.patch
@@ -0,0 +1,28 @@
+Backported from upstream commits labelled "Bug 1178058" from the esr38 branch
+by Boris Zbarsky <bzbarsky@mit.edu> and Bobby Holley <bobbyholley@gmail.com>.
+
+--- icecat-31.8.0/docshell/base/nsDocShell.cpp
++++ icecat-31.8.0/docshell/base/nsDocShell.cpp
+@@ -1546,12 +1546,21 @@
+ 
+     if (owner && mItemType != typeChrome) {
+         nsCOMPtr<nsIPrincipal> ownerPrincipal = do_QueryInterface(owner);
+-        if (nsContentUtils::IsSystemOrExpandedPrincipal(ownerPrincipal)) {
++        if (nsContentUtils::IsSystemPrincipal(ownerPrincipal)) {
+             if (ownerIsExplicit) {
+                 return NS_ERROR_DOM_SECURITY_ERR;
+             }
+             owner = nullptr;
+             inheritOwner = true;
++        } else if (nsContentUtils::IsExpandedPrincipal(ownerPrincipal)) {
++            if (ownerIsExplicit) {
++                return NS_ERROR_DOM_SECURITY_ERR;
++            }
++            // Don't inherit from the current page.  Just do the safe thing
++            // and pretend that we were loaded by a nullprincipal.
++            owner = do_CreateInstance("@mozilla.org/nullprincipal;1");
++            NS_ENSURE_TRUE(owner, NS_ERROR_FAILURE);
++            inheritOwner = false;
+         }
+     }
+     if (!owner && !inheritOwner && !ownerIsExplicit) {
-- 
GitLab