author | Mark H Weaver <mhw@netris.org> | 2015-11-06 22:08:30 -0500 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-11-07 08:33:16 -0500 |
commit | 0ca1eb705d29c20f901fc385ee4e1bb1eaa52f75 (patch) | |
tree | 83964c88051d0ce95ece8eafde5c0133b3afa7df /gnu/packages/patches/icecat-CVE-2015-7197.patch | |
parent | fe88f636e3bfbbf143bd87f57e0d65a2e532d7dd (diff) | |
download | guix-0ca1eb705d29c20f901fc385ee4e1bb1eaa52f75.tar.gz |
gnu: icecat: Add several security fixes.
* gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch, gnu/packages/patches/icecat-CVE-2015-7188.patch, gnu/packages/patches/icecat-CVE-2015-7189.patch, gnu/packages/patches/icecat-CVE-2015-7193.patch, gnu/packages/patches/icecat-CVE-2015-7194.patch, gnu/packages/patches/icecat-CVE-2015-7196.patch, gnu/packages/patches/icecat-CVE-2015-7197.patch, gnu/packages/patches/icecat-CVE-2015-7198.patch, gnu/packages/patches/icecat-CVE-2015-7199.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-7197.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7197.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-7197.patch b/gnu/packages/patches/icecat-CVE-2015-7197.patch
new file mode 100644
index 0000000000..1763341ff7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7197.patch
@@ -0,0 +1,70 @@
+From a522e727bff0fb69cb0d34c2d2ad89168d15158d Mon Sep 17 00:00:00 2001
+From: Ehsan Akhgari <ehsan@mozilla.com>
+Date: Sat, 12 Sep 2015 17:38:51 -0400
+Subject: [PATCH] Bug 1204269 - Use the worker private in order to determine
+ the origin of the entry settings object for workers; r=smaug a=me
+
+---
+ dom/base/WebSocket.cpp | 46 ++++++++++++++++++++++++++--------------------
+ 1 file changed, 26 insertions(+), 20 deletions(-)
+
+diff --git a/dom/base/WebSocket.cpp b/dom/base/WebSocket.cpp
+index ea91232..26b94d0 100644
+--- a/dom/base/WebSocket.cpp
++++ b/dom/base/WebSocket.cpp
+@@ -1503,26 +1503,32 @@ WebSocketImpl::Init(JSContext* aCx,
+ !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS",
+ false)) {
+ // Confirmed we are opening plain ws:// and want to prevent this from a
+- // secure context (e.g. https). Check the principal's uri to determine if
+- // we were loaded from https.
+- nsCOMPtr<nsIGlobalObject> globalObject(GetEntryGlobal());
+- if (globalObject) {
+- nsCOMPtr<nsIPrincipal> principal(globalObject->PrincipalOrNull());
+- if (principal) {
+- nsCOMPtr<nsIURI> uri;
+- principal->GetURI(getter_AddRefs(uri));
+- if (uri) {
+- bool originIsHttps = false;
+- aRv = uri->SchemeIs("https", &originIsHttps);
+- if (NS_WARN_IF(aRv.Failed())) {
+- return;
+- }
+-
+- if (originIsHttps) {
+- aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
+- return;
+- }
+- }
++ // secure context (e.g. https).
++ nsCOMPtr<nsIPrincipal> principal;
++ nsCOMPtr<nsIURI> originURI;
++ if (mWorkerPrivate) {
++ // For workers, retrieve the URI from the WorkerPrivate
++ principal = mWorkerPrivate->GetPrincipal();
++ } else {
++ // Check the principal's uri to determine if we were loaded from https.
++ nsCOMPtr<nsIGlobalObject> globalObject(GetEntryGlobal());
++ if (globalObject) {
++ principal = globalObject->PrincipalOrNull();
++ }
++ }
++
++ if (principal) {
++ principal->GetURI(getter_AddRefs(originURI));
++ }
++ if (originURI) {
++ bool originIsHttps = false;
++ aRv = originURI->SchemeIs("https", &originIsHttps);
++ if (NS_WARN_IF(aRv.Failed())) {
++ return;
++ }
++ if (originIsHttps) {
++ aRv.Throw(NS_ERROR_DOM_SECURITY_ERR);
++ return;
+ }
+ }
+ }
+--
+2.5.0
+
|
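Review bot: The mixed-content check in the added block fails open: when `principal` stays null, or `principal->GetURI(getter_AddRefs(originURI))` leaves `originURI` null, the `if (originURI)` branch is skipped and the plain ws:// connection is allowed. The result of `GetURI` is also discarded, so a failure there cannot be told apart from "origin is not https". If allowing the connection in those cases is intended, a comment should say so, e.g. `// No principal or URI: origin cannot be shown to be https, so the connection is allowed.`; otherwise the block could throw `NS_ERROR_DOM_SECURITY_ERR` when the origin cannot be determined. The worker-branch comment says it retrieves the URI while the line fetches the principal, so `// For workers, take the principal from the WorkerPrivate` would match the code. `WebSocketImpl::Init` begins and ends outside this hunk, so whether an earlier or later check covers these cases is not visible here.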