Overview

Request 897726 accepted

- Mozilla Firefox 89.0
  * UI redesign
  * The Event Timing API is now supported
  * The CSS forced-colors media query is now supported
  MFSA 2021-23 (bsc#1186696)
  * CVE-2021-29965 (bmo#1709257)
    Password Manager on Firefox for Android susceptible to domain
    spoofing
  * CVE-2021-29960 (bmo#1675965)
    Filenames printed from private browsing mode incorrectly
    retained in preferences
  * CVE-2021-29961 (bmo#1700235)
    Firefox UI spoof using `` elements and CSS scaling
  * CVE-2021-29963 (bmo#1705068)
    Shared cookies for search suggestions in private browsing mode
  * CVE-2021-29964 (bmo#1706501)
    Out of bounds-read when parsing a `WM_COPYDATA` message
  * CVE-2021-29959 (bmo#1395819)
    Devices could be re-enabled without additional permission prompt
  * CVE-2021-29962 (bmo#1701673)
    No rate-limiting for popups on Firefox for Android
  * CVE-2021-29967 (bmo#1602862, bmo#1703191, bmo#1703760,
    bmo#1704722, bmo#1706041)
    Memory safety bugs fixed in Firefox 89 and Firefox ESR 78.11
  * CVE-2021-29966 (bmo#1660307, bmo#1686154, bmo#1702948, bmo#1708124)
    Memory safety bugs fixed in Firefox 89
- require
  NSS >= 3.64
  rust-cbindgen >= 0.19.0
- do not rely on nodejs10 packagename anymore


Hans-Peter Jansen's avatar

Dear Wolfgang,

I just wanted to let you know that this release suffers from a significant performance regression relative to 88.0.1 here.

This is a traditional X-based desktop with admittedly rather heavy (some may call this pathological) firefox setup. Let's say, I have many windows open, each with many tabs.

The effect is that switching between windows creates huge lags, during which Xorg.bin(!) is under fire. Also memory allocation went through the roof (11.9G of 64G, Ryzen 9, NVidia).

Switched swap off, and still it lags. Selecting a room in meet.opensuse.org takes 15 secs, enabling the camera 2, joining the selected room another 15, switching back to this window 15, during which the video frame rate drops to ~0.2 (e.g. a new video frame every 5 secs). It looks like something is serializing all X calls and the js engine, now. If you feel like it, I can show you this live.

Will revert to 88.0.1-2.3 now (hopefully, they didn't migrate the databases to a new layout between these versions (again)).


Wolfgang Rosenauer's avatar

I'm on TW with Xfce and Gnome (different machines) w/o wayland and I don't see what you are describing. This could be anything incl. nvidia related. I would propose to open a bug report first. Just not sure if we are able to find the issue. One thing which changed is that this release switched from gcc to clang and we had to turn off LTO/PGO due to toolchain issues. I never noticed such a noticeable impact caused by this though.


Hans-Peter Jansen's avatar

[rewritten, because OBS login lost, and firefox has thrown away the almost finished text]

Not many users hit firefox as hard as me.

For the record, reverting MozillaFirefox-88.0.1-2.3.x86_64, MozillaFirefox-translations-common-88.0.1-2.2.x86_64 and restoring Monday's backup ~/.mozilla/firefox fixed things for me.

firefox responsiveness is back to normal, same setup +/- one or two windows, Xorg contention disappeared completely, memory allocation after about a day (~8G) seems a lot lower than with v89.

So, yes, v89 is completely messed up from my POV. I cannot imagine that changing the compiler makes such a big difference. I would expect significant differences in a prominent layer, like Javascript, X/Wayland integration being the cause for such a change. If you have some more ideas, let me know, please.

I will record an upstream issue and let's see, what that results in.

https://bugzilla.mozilla.org/show_bug.cgi?id=1716989



Dominique Leuenberger's avatar
[  227s]  1:51.82 /home/abuild/rpmbuild/BUILD/obj/dist/include/nsTHashtable.h:317:27: error: no matching function for call to ‘nsTHashtable<detail::VoidPtrHashKey>::WithEntryHandle(const void*&, const fallible_t&, nsTHashtable<detail::VoidPtrHashKey>::PutEntry(nsTHashtable<detail::VoidPtrHashKey>::KeyType, const fallible_t&)::<lambda(auto:7)>)’

Wolfgang Rosenauer's avatar

Hmm, the first build after the source change worked. So is there a way to find out what changed between 1st and 2nd build?


Dominique Leuenberger's avatar

Not straightforward - after the first failure osc triggerreason would have given away what the meta change was to rebuild the package.

I 'think' by exploring the content of the _buildenv https://build.opensuse.org/package/binary/download/mozilla:Factory/MozillaFirefox/openSUSE_Factory/x86_64/_buildenv vs osc buildinfo we should be able to identify some changes


Dominique Leuenberger's avatar

The most notable difference is gcc10 vs gcc11
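
A sketch of the `_buildenv` vs `osc buildinfo` comparison discussed above, as an added example that is not part of the original thread. It assumes both inputs use the OBS buildinfo XML layout (`<bdep>` elements with `name`, `version` and `release` attributes); the two documents and all version strings below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the OBS buildinfo/_buildenv layout (<bdep> elements
# with name/version/release attributes). Package versions are illustrative.
OLD_BUILDENV = """<buildinfo project="mozilla:Factory" package="MozillaFirefox">
  <bdep name="gcc" version="10" release="3.1" arch="x86_64"/>
  <bdep name="gcc10" version="10.3.0" release="1.1" arch="x86_64"/>
  <bdep name="mozilla-nss-devel" version="3.64" release="1.1" arch="x86_64"/>
  <bdep name="rust-cbindgen" version="0.19.0" release="1.1" arch="x86_64"/>
</buildinfo>"""

NEW_BUILDINFO = """<buildinfo project="mozilla:Factory" package="MozillaFirefox">
  <bdep name="gcc" version="11" release="1.1" arch="x86_64"/>
  <bdep name="gcc11" version="11.1.0" release="1.1" arch="x86_64"/>
  <bdep name="mozilla-nss-devel" version="3.64" release="1.1" arch="x86_64"/>
  <bdep name="rust-cbindgen" version="0.19.0" release="1.2" arch="x86_64"/>
</buildinfo>"""


def load_bdeps(xml_text):
    """Map package name -> 'version-release' for every <bdep> in the document."""
    # Input here is OBS's own output; parse untrusted XML with defusedxml instead.
    root = ET.fromstring(xml_text)
    return {b.get("name"): f'{b.get("version")}-{b.get("release")}'
            for b in root.iter("bdep")}


def diff_bdeps(old_xml, new_xml):
    """Return added, removed and changed build dependencies between two builds."""
    old, new = load_bdeps(old_xml), load_bdeps(new_xml)
    return {
        "added": {n: new[n] for n in sorted(new.keys() - old.keys())},
        "removed": {n: old[n] for n in sorted(old.keys() - new.keys())},
        "changed": {n: (old[n], new[n])
                    for n in sorted(old.keys() & new.keys()) if old[n] != new[n]},
    }


def report(delta):
    """Render the delta as one line per package (+ added, - removed, ~ changed)."""
    lines = [f"+ {n} {v}" for n, v in delta["added"].items()]
    lines += [f"- {n} {v}" for n, v in delta["removed"].items()]
    lines += [f"~ {n} {a} -> {b}" for n, (a, b) in delta["changed"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(diff_bdeps(OLD_BUILDENV, NEW_BUILDINFO)))
```

Recording this delta for every rebuild makes a toolchain change such as the compiler bump visible before the build log has to be read.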



Wolfgang Rosenauer's avatar

Thanks. Nice though that TW/x86_64 is the only platform which still uses gcc. The others had to switch to clang before but TW/x86_64 had build issues before with clang. So for completeness trying clang now.


Wolfgang Rosenauer's avatar

The clang build fails because of https://bugs.llvm.org/show_bug.cgi?id=47872 . Now trying to build with clang but w/o LTO to get something out of the door if possible.

Request History
Wolfgang Rosenauer's avatar

wrosenauer created request



Factory Auto's avatar

factory-auto added opensuse-review-team as a reviewer

Please review sources


Factory Auto's avatar

factory-auto accepted review

Check script succeeded


Saul Goodman's avatar

licensedigger accepted review

ok


Ismail Dönmez's avatar

namtrac accepted review


Dominique Leuenberger's avatar

dimstar_suse set openSUSE:Factory:Staging:D as a staging project

Being evaluated by staging project "openSUSE:Factory:Staging:D"


Dominique Leuenberger's avatar

dimstar_suse accepted review

Picked "openSUSE:Factory:Staging:D"


Dominique Leuenberger's avatar

dimstar_suse accepted review

Staging Project openSUSE:Factory:Staging:D got accepted.


Dominique Leuenberger's avatar

dimstar_suse approved review

Staging Project openSUSE:Factory:Staging:D got accepted.


Dominique Leuenberger's avatar

dimstar_suse accepted request

Staging Project openSUSE:Factory:Staging:D got accepted.
