Backport patches to fix the following security vulnerabilities:

CVE-2009-1312
	CVE-2009-0652
	CVE-2009-1302
	CVE-2009-1303

Obtained from:	Mozilla Bugzilla
Security:	http://www.vuxml.org/freebsd/3b18e237-2f15-11de-9672-0030843d3802.html

www/firefox-esr/Makefile

@@ -8,7 +8,7 @@
 
 PORTNAME=	firefox
 DISTVERSION=	2.0.0.20
-PORTREVISION=	6
+PORTREVISION=	7
 PORTEPOCH=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	${MASTER_SITE_MOZILLA_EXTENDED}

www/firefox-esr/files/patch-ff-453736

@@ -0,0 +1,46 @@
+diff -p -U 8 -r1.15 nsSVGScriptElement.cpp
+--- content/svg/content/src/nsSVGScriptElement.cpp	28 Apr 2005 23:47:55 -0000	1.15
++++ content/svg/content/src/nsSVGScriptElement.cpp	26 Feb 2009 21:03:08 -0000
+@@ -177,17 +177,40 @@ nsSVGScriptElement::Init()
+   }
+ 
+   return NS_OK;
+ }
+ 
+ //----------------------------------------------------------------------
+ // nsIDOMNode methods
+ 
+-NS_IMPL_DOM_CLONENODE_WITH_INIT(nsSVGScriptElement)
++nsresult
++nsSVGScriptElement::CloneNode(PRBool aDeep, nsIDOMNode** aReturn)
++{
++  *aReturn = nsnull;
++
++  nsSVGScriptElement* it = new nsSVGScriptElement(mNodeInfo);
++  if (!it) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
++
++  nsCOMPtr<nsIDOMNode> kungFuDeathGrip(it);
++
++  CopyInnerTo(it, aDeep);
++
++  // The clone should be marked evaluated if we are.  It should also be marked
++  // evaluated if we're evaluating, to handle the case when this script node's
++  // script clones the node.
++  it->mIsEvaluated = mIsEvaluated || mEvaluating;
++  it->mLineNumber = mLineNumber;
++
++  kungFuDeathGrip.swap(*aReturn);
++
++  return NS_OK;
++}
+ 
+ //----------------------------------------------------------------------
+ // nsIDOMSVGScriptElement methods
+ 
+ /* attribute DOMString type; */
+ NS_IMETHODIMP
+ nsSVGScriptElement::GetType(nsAString & aType)
+ {
+

www/firefox-esr/files/patch-ff-474536

@@ -0,0 +1,28 @@
+diff -U 8 -p -r3.181.2.104 jsinterp.c
+--- js/src/jsinterp.c	20 Oct 2008 15:43:57 -0000	3.181.2.104
++++ js/src/jsinterp.c	2 Apr 2009 14:44:48 -0000
+@@ -4722,21 +4722,21 @@ interrupt:
+ 
+             /*
+              * Try to optimize a property we either just created, or found
+              * directly in the global object, that is permanent, has a slot,
+              * and has stub getter and setter, into a "fast global" accessed
+              * by the JSOP_*GVAR opcodes.
+              */
+             if (atomIndex < script->numGlobalVars &&
+-                (attrs & JSPROP_PERMANENT) &&
+                 obj2 == obj &&
+                 OBJ_IS_NATIVE(obj)) {
+                 sprop = (JSScopeProperty *) prop;
+-                if (SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
++                if ((sprop->attrs & JSPROP_PERMANENT) &&
++                    SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
+                     SPROP_HAS_STUB_GETTER(sprop) &&
+                     SPROP_HAS_STUB_SETTER(sprop)) {
+                     /*
+                      * Fast globals use fp->vars to map the global name's
+                      * atomIndex to the permanent fp->varobj slot number,
+                      * tagged as a jsval.  The atomIndex for the global's
+                      * name literal is identical to its fp->vars index.
+                      */
+

www/firefox-esr/files/patch-ff-479336

@@ -0,0 +1,13 @@
+diff -up mozilla/modules/libpref/src/init/all.js.479336 mozilla/modules/libpref/src/init/all.js
+--- modules/libpref/src/init/all.js.479336	2009-04-09 15:57:27.000000000 +0200
++++ modules/libpref/src/init/all.js	2009-04-09 15:59:56.000000000 +0200
+@@ -631,7 +631,7 @@ pref("network.IDN.whitelist.org", true);
+ // attempt and so we always display the domain name as punycode. This would 
+ // override the settings "network.IDN_show_punycode" and 
+ // "network.IDN.whitelist.*".
+-pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u01C3\u0337\u0338\u05C3\u05F4\u06D4\u0702\u115F\u1160\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2044\u205F\u2154\u2155\u2156\u2159\u215A\u215B\u215F\u2215\u23AE\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD");
++pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u00BE\u01C3\u02D0\u0337\u0338\u0589\u05C3\u05F4\u0609\u060A\u066A\u06D4\u0701\u0702\u0703\u0704\u115F\u1160\u1735\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2041\u2044\u2052\u205F\u2153\u2154\u2155\u2156\u2157\u2158\u2159\u215A\u215B\u215C\u215D\u215E\u215F\u2215\u2236\u23AE\u2571\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uA789\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD");
+ 
+ // This preference specifies a list of domains for which DNS lookups will be
+ // IPv4 only. Works around broken DNS servers which can't handle IPv6 lookups
+

www/firefox/Makefile

@@ -8,7 +8,7 @@
 
 PORTNAME=	firefox
 DISTVERSION=	2.0.0.20
-PORTREVISION=	6
+PORTREVISION=	7
 PORTEPOCH=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	${MASTER_SITE_MOZILLA_EXTENDED}

www/firefox/files/patch-ff-453736

@@ -0,0 +1,46 @@
+diff -p -U 8 -r1.15 nsSVGScriptElement.cpp
+--- content/svg/content/src/nsSVGScriptElement.cpp	28 Apr 2005 23:47:55 -0000	1.15
++++ content/svg/content/src/nsSVGScriptElement.cpp	26 Feb 2009 21:03:08 -0000
+@@ -177,17 +177,40 @@ nsSVGScriptElement::Init()
+   }
+ 
+   return NS_OK;
+ }
+ 
+ //----------------------------------------------------------------------
+ // nsIDOMNode methods
+ 
+-NS_IMPL_DOM_CLONENODE_WITH_INIT(nsSVGScriptElement)
++nsresult
++nsSVGScriptElement::CloneNode(PRBool aDeep, nsIDOMNode** aReturn)
++{
++  *aReturn = nsnull;
++
++  nsSVGScriptElement* it = new nsSVGScriptElement(mNodeInfo);
++  if (!it) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
++
++  nsCOMPtr<nsIDOMNode> kungFuDeathGrip(it);
++
++  CopyInnerTo(it, aDeep);
++
++  // The clone should be marked evaluated if we are.  It should also be marked
++  // evaluated if we're evaluating, to handle the case when this script node's
++  // script clones the node.
++  it->mIsEvaluated = mIsEvaluated || mEvaluating;
++  it->mLineNumber = mLineNumber;
++
++  kungFuDeathGrip.swap(*aReturn);
++
++  return NS_OK;
++}
+ 
+ //----------------------------------------------------------------------
+ // nsIDOMSVGScriptElement methods
+ 
+ /* attribute DOMString type; */
+ NS_IMETHODIMP
+ nsSVGScriptElement::GetType(nsAString & aType)
+ {
+

www/firefox/files/patch-ff-474536

@@ -0,0 +1,28 @@
+diff -U 8 -p -r3.181.2.104 jsinterp.c
+--- js/src/jsinterp.c	20 Oct 2008 15:43:57 -0000	3.181.2.104
++++ js/src/jsinterp.c	2 Apr 2009 14:44:48 -0000
+@@ -4722,21 +4722,21 @@ interrupt:
+ 
+             /*
+              * Try to optimize a property we either just created, or found
+              * directly in the global object, that is permanent, has a slot,
+              * and has stub getter and setter, into a "fast global" accessed
+              * by the JSOP_*GVAR opcodes.
+              */
+             if (atomIndex < script->numGlobalVars &&
+-                (attrs & JSPROP_PERMANENT) &&
+                 obj2 == obj &&
+                 OBJ_IS_NATIVE(obj)) {
+                 sprop = (JSScopeProperty *) prop;
+-                if (SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
++                if ((sprop->attrs & JSPROP_PERMANENT) &&
++                    SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
+                     SPROP_HAS_STUB_GETTER(sprop) &&
+                     SPROP_HAS_STUB_SETTER(sprop)) {
+                     /*
+                      * Fast globals use fp->vars to map the global name's
+                      * atomIndex to the permanent fp->varobj slot number,
+                      * tagged as a jsval.  The atomIndex for the global's
+                      * name literal is identical to its fp->vars index.
+                      */
+

www/firefox/files/patch-ff-479336

@@ -0,0 +1,13 @@
+diff -up mozilla/modules/libpref/src/init/all.js.479336 mozilla/modules/libpref/src/init/all.js
+--- modules/libpref/src/init/all.js.479336	2009-04-09 15:57:27.000000000 +0200
++++ modules/libpref/src/init/all.js	2009-04-09 15:59:56.000000000 +0200
+@@ -631,7 +631,7 @@ pref("network.IDN.whitelist.org", true);
+ // attempt and so we always display the domain name as punycode. This would 
+ // override the settings "network.IDN_show_punycode" and 
+ // "network.IDN.whitelist.*".
+-pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u01C3\u0337\u0338\u05C3\u05F4\u06D4\u0702\u115F\u1160\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2044\u205F\u2154\u2155\u2156\u2159\u215A\u215B\u215F\u2215\u23AE\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD");
++pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u00BE\u01C3\u02D0\u0337\u0338\u0589\u05C3\u05F4\u0609\u060A\u066A\u06D4\u0701\u0702\u0703\u0704\u115F\u1160\u1735\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2041\u2044\u2052\u205F\u2153\u2154\u2155\u2156\u2157\u2158\u2159\u215A\u215B\u215C\u215D\u215E\u215F\u2215\u2236\u23AE\u2571\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uA789\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD");
+ 
+ // This preference specifies a list of domains for which DNS lookups will be
+ // IPv4 only. Works around broken DNS servers which can't handle IPv6 lookups
+

www/firefox36/Makefile

@@ -8,7 +8,7 @@
 
 PORTNAME=	firefox
 DISTVERSION=	2.0.0.20
-PORTREVISION=	6
+PORTREVISION=	7
 PORTEPOCH=	1
 CATEGORIES=	www ipv6
 MASTER_SITES=	${MASTER_SITE_MOZILLA_EXTENDED}

www/firefox36/files/patch-ff-453736

@@ -0,0 +1,46 @@
+diff -p -U 8 -r1.15 nsSVGScriptElement.cpp
+--- content/svg/content/src/nsSVGScriptElement.cpp	28 Apr 2005 23:47:55 -0000	1.15
++++ content/svg/content/src/nsSVGScriptElement.cpp	26 Feb 2009 21:03:08 -0000
+@@ -177,17 +177,40 @@ nsSVGScriptElement::Init()
+   }
+ 
+   return NS_OK;
+ }
+ 
+ //----------------------------------------------------------------------
+ // nsIDOMNode methods
+ 
+-NS_IMPL_DOM_CLONENODE_WITH_INIT(nsSVGScriptElement)
++nsresult
++nsSVGScriptElement::CloneNode(PRBool aDeep, nsIDOMNode** aReturn)
++{
++  *aReturn = nsnull;
++
++  nsSVGScriptElement* it = new nsSVGScriptElement(mNodeInfo);
++  if (!it) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
++
++  nsCOMPtr<nsIDOMNode> kungFuDeathGrip(it);
++
++  CopyInnerTo(it, aDeep);
++
++  // The clone should be marked evaluated if we are.  It should also be marked
++  // evaluated if we're evaluating, to handle the case when this script node's
++  // script clones the node.
++  it->mIsEvaluated = mIsEvaluated || mEvaluating;
++  it->mLineNumber = mLineNumber;
++
++  kungFuDeathGrip.swap(*aReturn);
++
++  return NS_OK;
++}
+ 
+ //----------------------------------------------------------------------
+ // nsIDOMSVGScriptElement methods
+ 
+ /* attribute DOMString type; */
+ NS_IMETHODIMP
+ nsSVGScriptElement::GetType(nsAString & aType)
+ {
+

www/firefox36/files/patch-ff-474536

@@ -0,0 +1,28 @@
+diff -U 8 -p -r3.181.2.104 jsinterp.c
+--- js/src/jsinterp.c	20 Oct 2008 15:43:57 -0000	3.181.2.104
++++ js/src/jsinterp.c	2 Apr 2009 14:44:48 -0000
+@@ -4722,21 +4722,21 @@ interrupt:
+ 
+             /*
+              * Try to optimize a property we either just created, or found
+              * directly in the global object, that is permanent, has a slot,
+              * and has stub getter and setter, into a "fast global" accessed
+              * by the JSOP_*GVAR opcodes.
+              */
+             if (atomIndex < script->numGlobalVars &&
+-                (attrs & JSPROP_PERMANENT) &&
+                 obj2 == obj &&
+                 OBJ_IS_NATIVE(obj)) {
+                 sprop = (JSScopeProperty *) prop;
+-                if (SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
++                if ((sprop->attrs & JSPROP_PERMANENT) &&
++                    SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
+                     SPROP_HAS_STUB_GETTER(sprop) &&
+                     SPROP_HAS_STUB_SETTER(sprop)) {
+                     /*
+                      * Fast globals use fp->vars to map the global name's
+                      * atomIndex to the permanent fp->varobj slot number,
+                      * tagged as a jsval.  The atomIndex for the global's
+                      * name literal is identical to its fp->vars index.
+                      */
+

www/firefox36/files/patch-ff-479336

@@ -0,0 +1,13 @@
+diff -up mozilla/modules/libpref/src/init/all.js.479336 mozilla/modules/libpref/src/init/all.js
+--- modules/libpref/src/init/all.js.479336	2009-04-09 15:57:27.000000000 +0200
++++ modules/libpref/src/init/all.js	2009-04-09 15:59:56.000000000 +0200
+@@ -631,7 +631,7 @@ pref("network.IDN.whitelist.org", true);
+ // attempt and so we always display the domain name as punycode. This would 
+ // override the settings "network.IDN_show_punycode" and 
+ // "network.IDN.whitelist.*".
+-pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u01C3\u0337\u0338\u05C3\u05F4\u06D4\u0702\u115F\u1160\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2044\u205F\u2154\u2155\u2156\u2159\u215A\u215B\u215F\u2215\u23AE\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD");
++pref("network.IDN.blacklist_chars", "\u0020\u00A0\u00BC\u00BD\u00BE\u01C3\u02D0\u0337\u0338\u0589\u05C3\u05F4\u0609\u060A\u066A\u06D4\u0701\u0702\u0703\u0704\u115F\u1160\u1735\u2000\u2001\u2002\u2003\u2004\u2005\u2006\u2007\u2008\u2009\u200A\u200B\u2024\u2027\u2028\u2029\u202F\u2039\u203A\u2041\u2044\u2052\u205F\u2153\u2154\u2155\u2156\u2157\u2158\u2159\u215A\u215B\u215C\u215D\u215E\u215F\u2215\u2236\u23AE\u2571\u29F6\u29F8\u2AFB\u2AFD\u2FF0\u2FF1\u2FF2\u2FF3\u2FF4\u2FF5\u2FF6\u2FF7\u2FF8\u2FF9\u2FFA\u2FFB\u3000\u3002\u3014\u3015\u3033\u3164\u321D\u321E\u33AE\u33AF\u33C6\u33DF\uA789\uFE14\uFE15\uFE3F\uFE5D\uFE5E\uFEFF\uFF0E\uFF0F\uFF61\uFFA0\uFFF9\uFFFA\uFFFB\uFFFC\uFFFD");
+ 
+ // This preference specifies a list of domains for which DNS lookups will be
+ // IPv4 only. Works around broken DNS servers which can't handle IPv6 lookups
+