candidate patches

[classilla]

https://hg.mozilla.org/releases/mozilla-esr91/rev/cee76519645b (regression)

https://hg.mozilla.org/releases/mozilla-esr91/rev/b6173cd78c9d522f2e3257c408933db4f9cedc13 (NSS)
https://hg.mozilla.org/releases/mozilla-esr91/rev/45d3fd63bd24f66072a16d23fefc01c3c68a0bb1
https://bugzilla.mozilla.org/show_bug.cgi?id=1719150
https://hg.mozilla.org/releases/mozilla-esr91/rev/b2ce3f908336fe51762dfcea6c4f950841e174d5
https://hg.mozilla.org/releases/mozilla-esr91/rev/3eef2fe29d57c10fb53bab5000c948ee82b82c5e
https://hg.mozilla.org/releases/mozilla-esr91/rev/ec4389b44990 (OS X specific, may help with our widget weirdness)
https://hg.mozilla.org/releases/mozilla-esr91/rev/d350a75e651733f936836057c59a4e8f63a1d266
https://hg.mozilla.org/releases/mozilla-esr91/rev/da53bf5bac5da0dbc69fa6ec8c01afeaf187829a
https://hg.mozilla.org/releases/mozilla-esr91/rev/bd4d7d89779a2299d2b0e00049d951956f5a8735
https://hg.mozilla.org/releases/mozilla-esr91/rev/4b0d941ab1a32ee34cd62086aca5102a154cf1a4 (low priority)
https://hg.mozilla.org/releases/mozilla-esr91/rev/daa65d44963e88bcc4c4c295aa54116560087e5d

[roytam1]

maybe also https://hg.mozilla.org/projects/nss/rev/7d4f221b1fffcad72b18175b89e4d310307277ef for accessing microsoft.com

[classilla]

https://hg.mozilla.org/releases/mozilla-esr91/rev/aecc104f3229
https://hg.mozilla.org/releases/mozilla-esr91/rev/0fdb433668d85d55fd8616a35da6744932d43816
https://hg.mozilla.org/releases/mozilla-esr91/rev/0592ba15e779a54d0c40c2cf72c25f2875a77dcd
https://hg.mozilla.org/releases/mozilla-esr91/rev/a582903d08214edb92209a63768ed783245e3546 ???

[classilla]

Dropped for not relevant:
https://hg.mozilla.org/releases/mozilla-esr91/rev/45d3fd63bd24f66072a16d23fefc01c3c68a0bb1
https://hg.mozilla.org/releases/mozilla-esr91/rev/ba2641b50a76 (M1719150)
https://hg.mozilla.org/releases/mozilla-esr91/rev/b2ce3f908336fe51762dfcea6c4f950841e174d5
https://hg.mozilla.org/releases/mozilla-esr91/rev/3eef2fe29d57c10fb53bab5000c948ee82b82c5e
https://hg.mozilla.org/releases/mozilla-esr91/rev/0fdb433668d85d55fd8616a35da6744932d43816
https://hg.mozilla.org/releases/mozilla-esr91/rev/a582903d08214edb92209a63768ed783245e3546

Dropped to reconsider:
https://hg.mozilla.org/releases/mozilla-esr91/rev/0592ba15e779a54d0c40c2cf72c25f2875a77dcd

[roytam1]

maybe also https://hg.mozilla.org/projects/nss/rev/7d4f221b1fffcad72b18175b89e4d310307277ef for accessing microsoft.com

regarding rev fd2b82f , security/pkix need same fix as well.

[classilla]

Moar candidates. Through 4f04e2ff2289d04791cbe08b6b385d1a5eef350d

https://hg.mozilla.org/releases/mozilla-esr91/rev/5a03174e6432045adcc57d5ec545519c2e4981f2
https://hg.mozilla.org/releases/mozilla-esr91/rev/d39b3f8cdf1eb4d946d2084d4ce0bf1f101c7e9a (to dom/media/MP3Demuxer.cpp)
https://hg.mozilla.org/releases/mozilla-esr91/rev/e47b5b8be2786fd0d7be288ee471a58840fd345a
https://hg.mozilla.org/releases/mozilla-esr91/rev/0568371e8077958b2d3ef3c6d84c7ee920448d6b
https://hg.mozilla.org/releases/mozilla-esr91/rev/7310b48db9839e0d1a7c78bc35b84dc21f125fea
https://hg.mozilla.org/releases/mozilla-esr91/rev/24f825282ceac2a85f7f86f7c34224000f17beec vs https://hg.mozilla.org/releases/mozilla-esr91/rev/de8c6a1ba2c7f6003e795e63647f6ca1d3caccb0 plus backbugs
https://hg.mozilla.org/releases/mozilla-esr91/rev/f8c4d04f3a4ec233dbba71ec36a1b942b9213dd0 for completeness even though it is effectively no-op

Also look at https://bugzilla.mozilla.org/show_bug.cgi?id=1543191 based on https://hg.mozilla.org/releases/mozilla-esr91/rev/d50dfa8274c2a11e4e4ec25888cebd38439a92c2

Haven't decided about https://hg.mozilla.org/releases/mozilla-esr91/rev/4f04e2ff2289d04791cbe08b6b385d1a5eef350d . May be better just to fix call sites.

[roytam1]

XSLT:
https://hg.mozilla.org/releases/mozilla-esr91/rev/153b3922a318fdbd7f5cc9e9e2ec8d7d4eb8aa44

expat:
https://hg.mozilla.org/releases/mozilla-esr91/rev/c084e1e90301ca414be9dee690a3ca9ebc2a0a0e
https://hg.mozilla.org/releases/mozilla-esr91/rev/1ff49f5abe2f44fb90250abac9e71204e1e55ea2
https://hg.mozilla.org/releases/mozilla-esr91/rev/4a180bbf2d1b4114f66be985e35e2642a902aa19

for CVE-2022-26485

EDIT: ported to my tree: roytam1/mozilla45esr@ab2c4b0

[classilla]

https://hg.mozilla.org/releases/mozilla-esr91/rev/3b54d6b5407fca03efdb2e2f57a9838498e0d038 (and backbug on aRead = 0)
https://hg.mozilla.org/releases/mozilla-esr91/diff/d8503523b4cc610ec3bade0787f200afdef738e6/security/nss/lib/pki/trustdomain.c (simplify, we don't need all the (void) casts)
https://hg.mozilla.org/releases/mozilla-esr91/rev/d6b476cadd24b6e845de7853a19e71ba62c8a58d
Not sure if this actually fixes anything, but it seems "right": https://hg.mozilla.org/mozilla-central/rev/d8b66c3db775

Finally, add the DoubleCondition branch fix discovered on the POWER9 JIT, and look to see if the f32 bailout problem affects us as well.

We also need to wholesale pull-up modules/zlib to get bug 1761799. That might be a little later.

[classilla]

After testing, the DoubleCondition branch fix seems to go into an infinite loop on some sites, so deferring that; the branching code is somewhat different. But it does have the F32 bailout problem, and fixing that seems to stick.

[classilla]

ESR91 rollup through 54db1a154eb727e00d7911d10dca0ef47bb72599

modified https://hg.mozilla.org/releases/mozilla-esr91/rev/ef64358e527c39caf3f301a76d1c8ce692e34131
(we do have IsScriptEnabled())

https://hg.mozilla.org/releases/mozilla-esr91/rev/e70578598718b5b263d6a88bec3c1deccbb82e4a
needs backbugs from https://bugzilla.mozilla.org/show_bug.cgi?id=1714081 (specifically
https://hg.mozilla.org/releases/mozilla-esr91/annotate/e70578598718b5b263d6a88bec3c1deccbb82e4a/gfx/2d/BaseRect.h#l131

with changes https://hg.mozilla.org/releases/mozilla-esr91/rev/dddc25fd9e036de7730025f86a6c426e77d9c330

https://hg.mozilla.org/releases/mozilla-esr91/rev/60a5196e74adada73150e6519d57ffca3eccd94c
as MOZ_RELEASE_ASSERT()s

https://hg.mozilla.org/releases/mozilla-esr91/rev/7ac9b20c412b4641bd732e789a3be532fe3d4c43

https://hg.mozilla.org/releases/mozilla-esr91/rev/2f6ff5dba74d0eef844239f72412c039dabc97bc
(create new URI from spec, then use manual SetQuery and SetRef)

https://hg.mozilla.org/releases/mozilla-esr91/rev/b40d2204f6ce6174b6aad942332acdcfabb4e0f4 (JS)

This seems very extensive
https://hg.mozilla.org/releases/mozilla-esr91/rev/7d69277b335be5a5076e21c0fe9b73e85677e7ff

[classilla]

EV roots: update /security/certverifier/ExtendedValidation.cpp to 102
update /security/nss/lib/ckfw/builtins/certdata.txt to 102
add fx102 key to user agents
update STS preload script and upcert scripts
set CLOBBER

[classilla]

Through b07b4373ed3f7b392b2457b535c953176491de7b

https://hg.mozilla.org/releases/mozilla-esr102/rev/7b43b4ab4275 (different files in dom/html, note nsCOMPtr versions of CSP objects)
https://hg.mozilla.org/releases/mozilla-esr102/rev/80ecb3c8668b to nsCookieService.cpp
https://hg.mozilla.org/releases/mozilla-esr102/rev/084a542649289e7f4ad7636e24bb6588b1c2c63a target[size] to target[written] (readlink is called in two places but only one is wrong)
https://hg.mozilla.org/releases/mozilla-esr102/rev/c8dab52e2ead50f94859600571b48d9ac491c854 (we do have nsCCharSeparatedTokenizer, definitely want Xhr portion) (separate patch)
https://hg.mozilla.org/releases/mozilla-esr102/rev/bedc23ef1e13 (applies cleanly)
https://hg.mozilla.org/releases/mozilla-esr102/rev/b8cf39722afa (applies cleanly)
https://hg.mozilla.org/releases/mozilla-esr102/rev/47feff550f43 (applies cleanly)
https://hg.mozilla.org/releases/mozilla-esr102/rev/9968c9743e6aa71d64fefb57aff9242bebb801d9
https://hg.mozilla.org/releases/mozilla-esr102/rev/db6a4af87843519ecf8ce9d1285e38fafc484181 (nsPresShell.cpp:6599)
https://hg.mozilla.org/releases/mozilla-esr102/rev/f9180d5446f2b219dc06f2eafc3e14e987266f7a (add the new *loc entries to xpcom/io/nsLocalFileUnix.cpp)
https://hg.mozilla.org/releases/mozilla-esr102/rev/a6a77bf24308ab50226595c7623ff47c6bd606c3 (in dom/base)

deferred
:: https://hg.mozilla.org/releases/mozilla-esr102/rev/a4167befb70526e788c4eba9ee12925c764d40a0 needs plumbing apparently but we might want it
:: I don't think we're affected by https://hg.mozilla.org/releases/mozilla-esr102/rev/db9a92d5466c11e09d0e0c9a2813df175e7c7d42 but marking here for future check when the bug is open.
:: https://hg.mozilla.org/releases/mozilla-esr102/rev/c581112d97d4 if testcase https://bugzilla.mozilla.org/show_bug.cgi?id=1787633 generates debug assert (probably separate patch)
:: not sure what https://hg.mozilla.org/releases/mozilla-esr102/rev/48049cc5b3a854e027d8e3812fcaa07ec3670443 is fixing
:: not sure what https://hg.mozilla.org/releases/mozilla-esr102/rev/69926147e2c52ccd18f99944370ab6e6c3870077 is fixing, we go through the queue twice

[classilla]

Deciding to defer https://hg.mozilla.org/releases/mozilla-esr102/rev/7b43b4ab4275 and https://hg.mozilla.org/releases/mozilla-esr102/rev/c8dab52e2ead50f94859600571b48d9ac491c854 to next ESR/clobber.