FF.spec: Update to FF 68.7

firefox/MozillaFirefox.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package MozillaFirefox
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2020 SUSE LLC
 #               2006-2019 Wolfgang Rosenauer <wr@rosenauer.org>
 #
 # All modifications and additions to the file contributed by third parties
@@ -26,8 +26,8 @@
 # major 69
 # mainver %major.99
 %define major          68
-%define mainver        %major.6.0
-%define orig_version   68.6.0
+%define mainver        %major.7.0
+%define orig_version   68.7.0
 %define orig_suffix    esr
 %define update_channel esr68
 %define branding       1
@@ -206,6 +206,7 @@ Patch26:        mozilla-bmo1504834-part4.patch
 # Firefox/browser
 Patch101:       firefox-kde.patch
 Patch102:       firefox-branded-icons.patch
+Patch103:       firefox-fips.patch
 %endif # only_print_mozconfig
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires(post):   coreutils shared-mime-info desktop-file-utils
@@ -346,6 +347,7 @@ cd $RPM_BUILD_DIR/%{srcname}-%{orig_version}
 # Firefox
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 %endif # only_print_mozconfig
 
 %build

firefox/firefox-fips.patch

@@ -0,0 +1,48 @@
+# HG changeset patch
+# User cgrobertson@suse.com
+# Date 1584727901 -0600
+#      Fri, 20 Mar 2020 12:16:42 -0600
+# Parent  cd14d9f66b6634f14aff500ceb128da2d7bc9cbe
+
+diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
+--- a/security/sandbox/linux/Sandbox.cpp
++++ b/security/sandbox/linux/Sandbox.cpp
+@@ -635,16 +635,17 @@ void SetMediaPluginSandbox(const char* a
+     SANDBOX_LOG_ERROR("failed to open plugin file %s: %s", aFilePath,
+                       strerror(errno));
+     MOZ_CRASH("failed while trying to open the plugin file ");
+   }
+
+   auto files = new SandboxOpenedFiles();
+   files->Add(std::move(plugin));
+   files->Add("/dev/urandom", true);
++  files->Add("/proc/sys/crypto/fips_enabled");
+   files->Add("/sys/devices/system/cpu/cpu0/tsc_freq_khz");
+   files->Add("/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq");
+   files->Add("/proc/cpuinfo");  // Info also available via CPUID instruction.
+ #ifdef __i386__
+   files->Add("/proc/self/auxv");  // Info also in process's address space.
+ #endif
+
+   // Finally, start the sandbox.
+diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
++++ b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+@@ -207,16 +207,17 @@ SandboxBrokerPolicyFactory::SandboxBroke
+   // Bug 1308851: NVIDIA proprietary driver when using WebGL
+   policy->AddFilePrefix(rdwr, "/dev", "nvidia");
+
+   // Bug 1312678: radeonsi/Intel with DRI when using WebGL
+   policy->AddDir(rdwr, "/dev/dri");
+
+   // Read permissions
+   policy->AddPath(rdonly, "/dev/urandom");
++  policy->AddPath(rdonly, "/proc/sys/crypto/fips_enabled");
+   policy->AddPath(rdonly, "/proc/cpuinfo");
+   policy->AddPath(rdonly, "/proc/meminfo");
+   policy->AddDir(rdonly, "/sys/devices/cpu");
+   policy->AddDir(rdonly, "/sys/devices/system/cpu");
+   policy->AddDir(rdonly, "/lib");
+   policy->AddDir(rdonly, "/lib64");
+   policy->AddDir(rdonly, "/usr/lib");
+   policy->AddDir(rdonly, "/usr/lib32");

firefox/tar_stamps

@@ -1,10 +1,10 @@
 PRODUCT="firefox"
 CHANNEL="esr68"
-VERSION="68.6.0"
+VERSION="68.7.0"
 VERSION_SUFFIX="esr"
-PREV_VERSION="68.5.0"
+PREV_VERSION="68.6.1"
 PREV_VERSION_SUFFIX="esr"
 #SKIP_LOCALES="" # Uncomment to skip l10n and compare-locales-generation
 RELEASE_REPO="https://hg.mozilla.org/releases/mozilla-esr68"
-RELEASE_TAG="d5bc259574e77a27496e5bbbc56f635ff669e24f"
-RELEASE_TIMESTAMP="20200305175243"
+RELEASE_TAG="1081a5ebf803f8a22ddbe03d73e61e3346243786"
+RELEASE_TIMESTAMP="20200403171148"