Thursday, August 31, 2023

August patch set for TenFourFox

The next patch set has landed, bringing the TenFourFox security base up to 115ESR. This includes the usual new certificate roots and updates to pins, HSTS and TLDs, as well as applicable security updates such as a full pull-up to the browser's SCTP support (not that this is frequently used in TenFourFox, but it makes future patches a little more tractable). On the bug fix side there is an update to the ATSUI font blocklist (thanks Chris T) and a wallpaper for a JavaScript-related crash on apple.com (thanks roytam1). Finally, basic adblock has been made stricter and is now also targeting invasive fingerprinting scripts. This adds a bit more overhead to checking the origin of each request, but that all runs at native C++ speed, and it ensures we're less likely to get bogged down running JavaScript that we'd really rather not.
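To make concrete what "checking the origin" means for a host-based blocklist of this kind, here is an added example. It is not TenFourFox's own adblock code; the hostnames in the list are constructed placeholders, and the URL parsing is deliberately minimal (no IPv6 literals). The point it illustrates is that a correct check matches on a label boundary, so a blocked `ads.example` also covers `cdn.ads.example` but does not accidentally catch `notads.example`.

```cpp
// Added example, not TenFourFox code: a host-suffix blocklist check of the
// kind a "basic adblock" performs on the origin of each request.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Constructed sample list (placeholders, not a real blocklist).
static const std::vector<std::string> kBlockedHosts = {
    "ads.example",
    "fingerprint.example",
    "metrics.example.net",
};

// Lower-case the host and drop a trailing dot so comparisons are exact.
static std::string NormalizeHost(std::string host) {
    std::transform(host.begin(), host.end(), host.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    if (!host.empty() && host.back() == '.') host.pop_back();
    return host;
}

// True if `host` equals `blocked` or is a subdomain of it. The extra
// character check enforces a label boundary: "notads.example" must not
// match "ads.example".
static bool HostMatches(const std::string& host, const std::string& blocked) {
    if (host.size() < blocked.size()) return false;
    if (host.compare(host.size() - blocked.size(), blocked.size(), blocked) != 0)
        return false;
    if (host.size() == blocked.size()) return true;
    return host[host.size() - blocked.size() - 1] == '.';
}

// Pull the host out of a URL or origin such as "https://user@ads.example:443/x".
// Hypothetical helper for the example; IPv6 literals are not handled.
std::string HostFromURL(const std::string& url) {
    std::string rest = url;
    size_t scheme = rest.find("://");
    if (scheme != std::string::npos) rest = rest.substr(scheme + 3);
    size_t end = rest.find_first_of("/?#");
    if (end != std::string::npos) rest = rest.substr(0, end);
    size_t at = rest.rfind('@');
    if (at != std::string::npos) rest = rest.substr(at + 1);
    size_t colon = rest.rfind(':');
    if (colon != std::string::npos) rest = rest.substr(0, colon);
    return NormalizeHost(rest);
}

// The per-request decision: block if the request host is, or is under,
// any entry in the list. Linear scan is fine for a short static list.
bool ShouldBlock(const std::string& url) {
    const std::string host = HostFromURL(url);
    for (const std::string& blocked : kBlockedHosts) {
        if (HostMatches(host, blocked)) return true;
    }
    return false;
}

int main() {
    // Stand-alone smoke run; returns non-zero if the boundary check is wrong.
    return (ShouldBlock("https://cdn.ads.example/track.js") &&
            !ShouldBlock("https://notads.example/")) ? 0 : 1;
}
```

Case folding and the trailing-dot strip matter because a script host written as `CDN.Ads.Example.` is the same origin to the network stack but would slip past a naive byte comparison.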

As this is a base pullup, building this time around will require a full clobber, so be sure to clear out everything before you begin.

For our next set, I'm thinking of an update to Reader Mode, since I firmly believe that's one of the most useful modes to run TenFourFox in on limited Power Mac hardware. That's why we made it sticky and provided a way to automatically open it by site (under Preferences, TenFourFox) — on resource-limited systems a resource-light view of a resource-heavy page is pretty much the way to go. And isn't everything resource-heavy to a Power Mac?

4 comments:

  1. I wonder if you will have a look at that webp CVE bug? I tried to port that change[1] to our libwebp[2], hope it is correct.

    [1] https://github.com/webmproject/libwebp/commit/902bc9190331343b2017211debcec8d2ab87e17a
    [2] https://github.com/roytam1/palemoon27/commit/efdf1d591dfae496bed7f8e17103f4d08bcd52f2

    1. Mozilla did the same: https://hg.mozilla.org/releases/mozilla-release/rev/e245ca2125a6eb1e2d08cc9e5824f15e1e67a566

    2. I don't see anything obviously wrong with it. Does it render images? It looks cleaner than my attempt.

    3. That CVE affects the webp lossless decoder, and I tested with Google's samples and it seems to be fine.

