From 61e7d0cd0c4201f0264faee81a884ad37ea51447 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Wed, 27 Nov 2024 05:45:59 -0500 Subject: Fix CVE-2024-11697. * data/patches/CVE-2024-11697.patch: New file. --- data/patches/CVE-2024-11697.patch | 40 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 data/patches/CVE-2024-11697.patch diff --git a/data/patches/CVE-2024-11697.patch b/data/patches/CVE-2024-11697.patch new file mode 100644 index 0000000..a22dd3e --- /dev/null +++ b/data/patches/CVE-2024-11697.patch @@ -0,0 +1,40 @@ +Fixes CVE-2024-11697 (Improper Keypress Handling in Executable File Confirmation Dialog) +Copied from + +# HG changeset patch +# User Gijs Kruitbosch +# Date 1731505009 0 +# Node ID 936e95e3b008cb9bcccd1512332b45757a4bb7f6 +# Parent fbed98e3e9cdc2f99af7a2a14f7184f51fe07d8e +Bug 1842187 a=dmeehan + +Original Revision: https://phabricator.services.mozilla.com/D223948 + +Differential Revision: https://phabricator.services.mozilla.com/D228631 + +diff --git a/toolkit/components/downloads/DownloadUIHelper.sys.mjs b/toolkit/components/downloads/DownloadUIHelper.sys.mjs +--- a/toolkit/components/downloads/DownloadUIHelper.sys.mjs ++++ b/toolkit/components/downloads/DownloadUIHelper.sys.mjs +@@ -166,17 +166,20 @@ DownloadPrompter.prototype = { + + const title = lazy.l10n.formatValueSync( + "download-ui-file-executable-security-warning-title" + ); + const message = lazy.l10n.formatValueSync( + "download-ui-file-executable-security-warning", + { executable: PathUtils.filename(path) } + ); +- return this._prompter.confirm(title, message); ++ let flags = ++ Ci.nsIPrompt.BUTTON_DELAY_ENABLE | Ci.nsIPrompt.STD_OK_CANCEL_BUTTONS; ++ let nulls = Array(4).fill(null); ++ return 0 == this._prompter.confirmEx(title, message, flags, ...nulls, {}); + }, + + /** + * Displays a warning message box that informs that there are active + * downloads, and asks whether the user wants to cancel them or not. + * + * @param aDownloadsCount + * The current downloads count. + -- cgit v1.2.3