community/firefox-esr: upgrade to 60.5.0

OK ncopa@

6 files changed, 83 insertions, 389 deletions

diff --git a/community/firefox-esr/APKBUILD b/community/firefox-esr/APKBUILD
index fa9d658c5d..62bbb2ad2e 100644
--- a/community/firefox-esr/APKBUILD
+++ b/community/firefox-esr/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: William Pitcock <nenolod@dereferenced.org>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=firefox-esr
-pkgver=60.4.0
-pkgrel=2
+pkgver=60.5.0
+pkgrel=0
 pkgdesc="Firefox web browser - Extended Support Release"
 url="https://www.mozilla.org/en-US/firefox/organizations/"
 # limited by rust and cargo
@@ -60,7 +60,6 @@ source="https://ftp.mozilla.org/pub/firefox/releases/${pkgver}esr/source/firefox
 	fix-tools.patch
 	mallinfo.patch
 
-	fix-arm-atomics-grsec.patch
 	fix-arm-version-detect.patch
 	mozilla-build-arm.patch
 	disable-moz-stackwalk.patch
@@ -79,6 +78,10 @@ _mozappdir=/usr/lib/firefox
 ldpath="$_mozappdir"
 
 # secfixes:
+#   60.5.0-r0:
+#     - CVE-2018-18500
+#     - CVE-2018-18505
+#     - CVE-2018-18501
 #   52.6.0-r0:
 #     - CVE-2018-5089
 #     - CVE-2018-5091
@@ -223,19 +226,18 @@ __EOF__
 	rm -f "$pkgdir"/${_mozappdirdev}/sdk/lib/libxul.so
 }
 
-sha512sums="8119f52b2fc06f76868bf0781fec9d46c8551f0a3ca832ac9bdef6aa6d77c1d785e50d35059f0df5e3586f3396b912af06e448d65e7f5d1f468338eebe8b2cd4  firefox-60.4.0esr.source.tar.xz
+sha512sums="dd47e38a87a1339b733c06ea3f235576bf8dce414194ab308d0dda07bf15290afbbad92b8484732daa53cf6a48b57412f7f41e30ae0ac21144c8657b86047aec  firefox-60.5.0esr.source.tar.xz
 0b3f1e4b9fdc868e4738b5c81fd6c6128ce8885b260affcb9a65ff9d164d7232626ce1291aaea70132b3e3124f5e13fef4d39326b8e7173e362a823722a85127  stab.h
 2f4f15974d52de4bb273b62a332d13620945d284bbc6fe6bd0a1f58ff7388443bc1d3bf9c82cc31a8527aad92b0cd3a1bc41d0af5e1800e0dcbd7033e58ffd71  fix-fortify-system-wrappers.patch
 09bc32cf9ee81b9cc6bb58ddbc66e6cc5c344badff8de3435cde5848e5a451e0172153231db85c2385ff05b5d9c20760cb18e4138dfc99060a9e960de2befbd5  fix-fortify-inline.patch
 0fcc647af53a3ce21c2bc36e5631eb0935e7243ebb3ab59b5719542cc54a6ac023a4a857b43b75756efb9ed80c0aecaa94dc5679a3b3792f82e87bf2c1af82e1  disable-hunspell_hooks.patch
-2f713a270f7d1588ec4a0b9c21e5a0d20823954e6a64293ee1a391f80d38af6c0a80b3d35c3ada59b605f6032fb2af3040cd8ca7f424b0e620cc53fd12674fd9  fix-seccomp-bpf.patch
-a2925045154f4fd34e5fc056656f4f9da100341529e5d4104d249154db0c7863384083f421ce6e47e0f20566a8b20787fa35444c7933c03cd03f96f06dcd4532  fix-toolkit.patch
-b46cb90d4fdd1a925a61e2c6c545489cd542f5d82980c529361c02042eed31d5c26972b5e237c1a020f87ffcfd12736d1f4f6e33eaa83ae156d523c808c718cb  fix-tools.patch
+3414fd06110e853b01043d5d1090cfe1e6c13e8aa3c9f97a91ba390b37d6e909d3e836dbc9b2c261e636056ac10ca78de07adbd27f68102b979fc533b2f9c560  fix-seccomp-bpf.patch
+892d6a5544c23983a2d62eab954a9b68883e3c0b66e3bdc47255f21ef700bda6fce90657249cbc59f88b1372f4fb83e2f0a7cfd62201d58a5cd6089358223cf3  fix-toolkit.patch
+2024a81e867fba6dbd31971ae7a8a984a4db5d4b5fc6dafba92521ac8e0b3e99cc80f1e0bd079faef0d1bb5cb5ea1040ecb4da085fe2bf2a640f3cc4da3ec5c5  fix-tools.patch
 bdcd1b402d2ec94957ba5d08cbad7b1a7f59c251c311be9095208491a05abb05a956c79f27908e1f26b54a3679387b2f33a51e945b650671ad85c0a2d59a5a29  mallinfo.patch
-ed0d344c66fc8e1cc83a11e9858b32c42e841cbeedd9eb9438811e9fcc3593dc824a8336d00058d55836cedc970aeadd6a82c6dcd7bc0fb746e564d8b478cc6c  fix-arm-atomics-grsec.patch
 015e1ff6dbf920033982b5df95d869a0b7bf56c6964e45e50649ddf46d1ce09563458e45240c3ecb92808662b1300b67507f7af272ba184835d91068a9e7d5b0  fix-arm-version-detect.patch
 e61664bc93eadce5016a06a4d0684b34a05074f1815e88ef2613380d7b369c6fd305fb34f83b5eb18b9e3138273ea8ddcfdcb1084fdcaa922a1e5b30146a3b18  mozilla-build-arm.patch
-4797d2d89ac63a57abb826b8ea9f751314ce66946194033deb9d78c2ff377b88106fd2c7bc5034dc13ad03dd5085b1893c3ccae1a9e63fde35655bb0921f7188  disable-moz-stackwalk.patch
+251c170504f3418e47feeaee5cc5a7cf7fdf4a5ee0283b1497933fdce1857a3fe299da1178a044d5d39f84ddbca761fb542345f8f183bf62c3557cba4a47a874  disable-moz-stackwalk.patch
 42cc44fda4b05259b38f055d6f51461746aa89a474cedc5e92fb9d20879da0d12b1b515b273a549e7302cda9c7eddde20d5fdba09853e5c658784ad6d0b20078  fix-rust-target.patch
 a50b412edf9573a0bd04a43578b1c927967a616b73a5995eefb15bfa78fd2bd14e36ec05315a0703f6370ecd524e6bcb012e7285beb1245e9add9b8553acb79e  fix-bug-1261392.patch
 01b48a708cc6bc6e3cd7cc7b16f5137ec344566ac891d699b65e322bc992726072fa14a54cef1a7775799fcbbcf90a6c170107c8524caba3bc311b42d93b7581  rust-unitialized-field.patch
diff --git a/community/firefox-esr/disable-moz-stackwalk.patch b/community/firefox-esr/disable-moz-stackwalk.patch
index c83ae7eae9..99ac8dee2c 100644
--- a/community/firefox-esr/disable-moz-stackwalk.patch
+++ b/community/firefox-esr/disable-moz-stackwalk.patch
@@ -1,12 +1,12 @@
 diff --git a/mozglue/misc/StackWalk.cpp b/mozglue/misc/StackWalk.cpp
-index a208bad..14e1f0d 100644
+index e39e38b4c..a8b7251c5 100644
 --- a/mozglue/misc/StackWalk.cpp
 +++ b/mozglue/misc/StackWalk.cpp
-@@ -41,13 +41,7 @@ static CriticalAddress gCriticalAddress;
+@@ -32,13 +32,7 @@ using namespace mozilla;
  #define MOZ_STACKWALK_SUPPORTS_MACOSX 0
  #endif
  
--#if (defined(linux) && \
+-#if (defined(linux) &&                                            \
 -     ((defined(__GNUC__) && (defined(__i386) || defined(PPC))) || \
 -      defined(HAVE__UNWIND_BACKTRACE)))
 -#define MOZ_STACKWALK_SUPPORTS_LINUX 1
diff --git a/community/firefox-esr/fix-arm-atomics-grsec.patch b/community/firefox-esr/fix-arm-atomics-grsec.patch
deleted file mode 100644
index 0eb58f093f..0000000000
--- a/community/firefox-esr/fix-arm-atomics-grsec.patch
+++ /dev/null
@@ -1,306 +0,0 @@
---- mozilla-release/ipc/chromium/src/base/atomicops_internals_arm_gcc.h.orig
-+++ mozilla-release/ipc/chromium/src/base/atomicops_internals_arm_gcc.h
-@@ -12,43 +35,194 @@
- namespace base {
- namespace subtle {
- 
--// 0xffff0fc0 is the hard coded address of a function provided by
--// the kernel which implements an atomic compare-exchange. On older
--// ARM architecture revisions (pre-v6) this may be implemented using
--// a syscall. This address is stable, and in active use (hard coded)
--// by at least glibc-2.7 and the Android C library.
--typedef Atomic32 (*LinuxKernelCmpxchgFunc)(Atomic32 old_value,
--                                           Atomic32 new_value,
--                                           volatile Atomic32* ptr);
--LinuxKernelCmpxchgFunc pLinuxKernelCmpxchg __attribute__((weak)) =
--    (LinuxKernelCmpxchgFunc) 0xffff0fc0;
-+// Memory barriers on ARM are funky, but the kernel is here to help:
-+//
-+// * ARMv5 didn't support SMP, there is no memory barrier instruction at
-+//   all on this architecture, or when targeting its machine code.
-+//
-+// * Some ARMv6 CPUs support SMP. A full memory barrier can be produced by
-+//   writing a random value to a very specific coprocessor register.
-+//
-+// * On ARMv7, the "dmb" instruction is used to perform a full memory
-+//   barrier (though writing to the co-processor will still work).
-+//   However, on single core devices (e.g. Nexus One, or Nexus S),
-+//   this instruction will take up to 200 ns, which is huge, even though
-+//   it's completely un-needed on these devices.
-+//
-+// * There is no easy way to determine at runtime if the device is
-+//   single or multi-core. However, the kernel provides a useful helper
-+//   function at a fixed memory address (0xffff0fa0), which will always
-+//   perform a memory barrier in the most efficient way. I.e. on single
-+//   core devices, this is an empty function that exits immediately.
-+//   On multi-core devices, it implements a full memory barrier.
-+//
-+// * This source could be compiled to ARMv5 machine code that runs on a
-+//   multi-core ARMv6 or ARMv7 device. In this case, memory barriers
-+//   are needed for correct execution. Always call the kernel helper, even
-+//   when targeting ARMv5TE.
-+//
- 
--typedef void (*LinuxKernelMemoryBarrierFunc)(void);
--LinuxKernelMemoryBarrierFunc pLinuxKernelMemoryBarrier __attribute__((weak)) =
--    (LinuxKernelMemoryBarrierFunc) 0xffff0fa0;
-+inline void MemoryBarrier() {
-+#if defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
-+    defined(__ARM_ARCH_7R__) || defined(__ARM_ARCH_7M__)
-+  __asm__ __volatile__("dmb ish" ::: "memory");
-+#elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__) || \
-+      defined(__ARM_ARCH_6K__) || defined(__ARM_ARCH_6Z__) || \
-+      defined(__ARM_ARCH_6ZK__) || defined(__ARM_ARCH_6T2__)
-+  __asm__ __volatile__("mcr p15,0,r0,c7,c10,5" ::: "memory");
-+#elif defined(__linux__) || defined(__ANDROID__)
-+  // Note: This is a function call, which is also an implicit compiler barrier.
-+  typedef void (*KernelMemoryBarrierFunc)();
-+  ((KernelMemoryBarrierFunc)0xffff0fa0)();
-+#error MemoryBarrier() is not implemented on this platform.
-+#endif
-+}
- 
-+// An ARM toolchain would only define one of these depending on which
-+// variant of the target architecture is being used. This tests against
-+// any known ARMv6 or ARMv7 variant, where it is possible to directly
-+// use ldrex/strex instructions to implement fast atomic operations.
-+#if defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
-+    defined(__ARM_ARCH_7R__) || defined(__ARM_ARCH_7M__) || \
-+    defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__) || \
-+    defined(__ARM_ARCH_6K__) || defined(__ARM_ARCH_6Z__) || \
-+    defined(__ARM_ARCH_6ZK__) || defined(__ARM_ARCH_6T2__)
- 
- inline Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr,
-                                          Atomic32 old_value,
-                                          Atomic32 new_value) {
--  Atomic32 prev_value = *ptr;
-+  Atomic32 prev_value;
-+  int reloop;
-   do {
--    if (!pLinuxKernelCmpxchg(old_value, new_value,
--                             const_cast<Atomic32*>(ptr))) {
--      return old_value;
--    }
--    prev_value = *ptr;
--  } while (prev_value == old_value);
-+    // The following is equivalent to:
-+    //
-+    //   prev_value = LDREX(ptr)
-+    //   reloop = 0
-+    //   if (prev_value != old_value)
-+    //      reloop = STREX(ptr, new_value)
-+    __asm__ __volatile__("    ldrex %0, [%3]\n"
-+                         "    mov %1, #0\n"
-+                         "    cmp %0, %4\n"
-+#ifdef __thumb2__
-+                         "    it eq\n"
-+#endif
-+                         "    strexeq %1, %5, [%3]\n"
-+                         : "=&r"(prev_value), "=&r"(reloop), "+m"(*ptr)
-+                         : "r"(ptr), "r"(old_value), "r"(new_value)
-+                         : "cc", "memory");
-+  } while (reloop != 0);
-   return prev_value;
- }
- 
-+inline Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr,
-+                                       Atomic32 old_value,
-+                                       Atomic32 new_value) {
-+  Atomic32 result = NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-+  MemoryBarrier();
-+  return result;
-+}
-+
-+inline Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr,
-+                                       Atomic32 old_value,
-+                                       Atomic32 new_value) {
-+  MemoryBarrier();
-+  return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-+}
-+
-+inline Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr,
-+                                          Atomic32 increment) {
-+  Atomic32 value;
-+  int reloop;
-+  do {
-+    // Equivalent to:
-+    //
-+    //  value = LDREX(ptr)
-+    //  value += increment
-+    //  reloop = STREX(ptr, value)
-+    //
-+    __asm__ __volatile__("    ldrex %0, [%3]\n"
-+                         "    add %0, %0, %4\n"
-+                         "    strex %1, %0, [%3]\n"
-+                         : "=&r"(value), "=&r"(reloop), "+m"(*ptr)
-+                         : "r"(ptr), "r"(increment)
-+                         : "cc", "memory");
-+  } while (reloop);
-+  return value;
-+}
-+
-+inline Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr,
-+                                        Atomic32 increment) {
-+  // TODO(digit): Investigate if it's possible to implement this with
-+  // a single MemoryBarrier() operation between the LDREX and STREX.
-+  // See http://crbug.com/246514
-+  MemoryBarrier();
-+  Atomic32 result = NoBarrier_AtomicIncrement(ptr, increment);
-+  MemoryBarrier();
-+  return result;
-+}
-+
- inline Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr,
-                                          Atomic32 new_value) {
-   Atomic32 old_value;
-+  int reloop;
-   do {
-+    // old_value = LDREX(ptr)
-+    // reloop = STREX(ptr, new_value)
-+    __asm__ __volatile__("   ldrex %0, [%3]\n"
-+                         "   strex %1, %4, [%3]\n"
-+                         : "=&r"(old_value), "=&r"(reloop), "+m"(*ptr)
-+                         : "r"(ptr), "r"(new_value)
-+                         : "cc", "memory");
-+  } while (reloop != 0);
-+  return old_value;
-+}
-+
-+// This tests against any known ARMv5 variant.
-+#elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__) || \
-+      defined(__ARM_ARCH_5TE__) || defined(__ARM_ARCH_5TEJ__)
-+
-+// The kernel also provides a helper function to perform an atomic
-+// compare-and-swap operation at the hard-wired address 0xffff0fc0.
-+// On ARMv5, this is implemented by a special code path that the kernel
-+// detects and treats specially when thread pre-emption happens.
-+// On ARMv6 and higher, it uses LDREX/STREX instructions instead.
-+//
-+// Note that this always perform a full memory barrier, there is no
-+// need to add calls MemoryBarrier() before or after it. It also
-+// returns 0 on success, and 1 on exit.
-+//
-+// Available and reliable since Linux 2.6.24. Both Android and ChromeOS
-+// use newer kernel revisions, so this should not be a concern.
-+namespace {
-+
-+inline int LinuxKernelCmpxchg(Atomic32 old_value,
-+                              Atomic32 new_value,
-+                              volatile Atomic32* ptr) {
-+  typedef int (*KernelCmpxchgFunc)(Atomic32, Atomic32, volatile Atomic32*);
-+  return ((KernelCmpxchgFunc)0xffff0fc0)(old_value, new_value, ptr);
-+}
-+
-+}  // namespace
-+
-+inline Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr,
-+                                         Atomic32 old_value,
-+                                         Atomic32 new_value) {
-+  Atomic32 prev_value;
-+  for (;;) {
-+    prev_value = *ptr;
-+    if (prev_value != old_value)
-+      return prev_value;
-+    if (!LinuxKernelCmpxchg(old_value, new_value, ptr))
-+      return old_value;
-+  }
-+}
-+
-+inline Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr,
-+                                         Atomic32 new_value) {
-+  Atomic32 old_value;
-+  do {
-     old_value = *ptr;
--  } while (pLinuxKernelCmpxchg(old_value, new_value,
--                               const_cast<Atomic32*>(ptr)));
-+  } while (LinuxKernelCmpxchg(old_value, new_value, ptr));
-   return old_value;
- }
- 
-@@ -63,36 +237,57 @@
-     // Atomic exchange the old value with an incremented one.
-     Atomic32 old_value = *ptr;
-     Atomic32 new_value = old_value + increment;
--    if (pLinuxKernelCmpxchg(old_value, new_value,
--                            const_cast<Atomic32*>(ptr)) == 0) {
-+    if (!LinuxKernelCmpxchg(old_value, new_value, ptr)) {
-       // The exchange took place as expected.
-       return new_value;
-     }
-     // Otherwise, *ptr changed mid-loop and we need to retry.
-   }
--
- }
- 
- inline Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr,
-                                        Atomic32 old_value,
-                                        Atomic32 new_value) {
--  return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-+  Atomic32 prev_value;
-+  for (;;) {
-+    prev_value = *ptr;
-+    if (prev_value != old_value) {
-+      // Always ensure acquire semantics.
-+      MemoryBarrier();
-+      return prev_value;
-+    }
-+    if (!LinuxKernelCmpxchg(old_value, new_value, ptr))
-+      return old_value;
-+  }
- }
- 
- inline Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr,
-                                        Atomic32 old_value,
-                                        Atomic32 new_value) {
--  return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-+  // This could be implemented as:
-+  //    MemoryBarrier();
-+  //    return NoBarrier_CompareAndSwap();
-+  //
-+  // But would use 3 barriers per succesful CAS. To save performance,
-+  // use Acquire_CompareAndSwap(). Its implementation guarantees that:
-+  // - A succesful swap uses only 2 barriers (in the kernel helper).
-+  // - An early return due to (prev_value != old_value) performs
-+  //   a memory barrier with no store, which is equivalent to the
-+  //   generic implementation above.
-+  return Acquire_CompareAndSwap(ptr, old_value, new_value);
- }
- 
-+#else
-+#  error "Your CPU's ARM architecture is not supported yet"
-+#endif
-+
-+// NOTE: Atomicity of the following load and store operations is only
-+// guaranteed in case of 32-bit alignement of |ptr| values.
-+
- inline void NoBarrier_Store(volatile Atomic32* ptr, Atomic32 value) {
-   *ptr = value;
- }
- 
--inline void MemoryBarrier() {
--  pLinuxKernelMemoryBarrier();
--}
--
- inline void Acquire_Store(volatile Atomic32* ptr, Atomic32 value) {
-   *ptr = value;
-   MemoryBarrier();
-@@ -103,9 +298,7 @@
-   *ptr = value;
- }
- 
--inline Atomic32 NoBarrier_Load(volatile const Atomic32* ptr) {
--  return *ptr;
--}
-+inline Atomic32 NoBarrier_Load(volatile const Atomic32* ptr) { return *ptr; }
- 
- inline Atomic32 Acquire_Load(volatile const Atomic32* ptr) {
-   Atomic32 value = *ptr;
-@@ -118,7 +311,6 @@
-   return *ptr;
- }
- 
--} // namespace base::subtle
--} // namespace base
-+} }  // namespace base::subtle
- 
- #endif  // BASE_ATOMICOPS_INTERNALS_ARM_GCC_H_
diff --git a/community/firefox-esr/fix-seccomp-bpf.patch b/community/firefox-esr/fix-seccomp-bpf.patch
index ee6d666400..c44d9ea48e 100644
--- a/community/firefox-esr/fix-seccomp-bpf.patch
+++ b/community/firefox-esr/fix-seccomp-bpf.patch
@@ -1,6 +1,7 @@
-diff -ru firefox-62.0.3.orig/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc firefox-62.0.3/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
---- firefox-62.0.3.orig/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc	2018-12-14 08:53:46.083976137 +0000
-+++ firefox-62.0.3/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc	2018-12-14 08:51:22.084596411 +0000
+diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
+index 003708d2c..79488795d 100644
+--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
++++ b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
 @@ -25,6 +25,11 @@
  #include "sandbox/linux/system_headers/linux_seccomp.h"
  #include "sandbox/linux/system_headers/linux_signal.h"
@@ -13,14 +14,15 @@ diff -ru firefox-62.0.3.orig/security/sandbox/chromium/sandbox/linux/seccomp-bpf
  namespace {
  
  struct arch_sigsys {
-diff -ru firefox-62.0.3.orig/security/sandbox/linux/SandboxFilter.cpp firefox-62.0.3/security/sandbox/linux/SandboxFilter.cpp
---- firefox-62.0.3.orig/security/sandbox/linux/SandboxFilter.cpp	2018-10-01 18:35:28.000000000 +0000
-+++ firefox-62.0.3/security/sandbox/linux/SandboxFilter.cpp	2018-12-14 08:57:50.645264590 +0000
-@@ -1005,6 +1005,7 @@
-         // ffmpeg, and anything else that calls isatty(), will be told
-         // that nothing is a typewriter:
-         .ElseIf(request == TCGETS, Error(ENOTTY))
-+        .ElseIf(request == TIOCGWINSZ, Error(ENOTTY))
-         // Allow anything that isn't a tty ioctl, for now; bug 1302711
-         // will cover changing this to a default-deny policy.
-         .ElseIf(shifted_type != kTtyIoctls, Allow())
+diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
+index 0f59f2a87..5c07dbb31 100644
+--- a/security/sandbox/linux/SandboxFilter.cpp
++++ b/security/sandbox/linux/SandboxFilter.cpp
+@@ -989,6 +989,7 @@ class ContentSandboxPolicy : public SandboxPolicyCommon {
+             // ffmpeg, and anything else that calls isatty(), will be told
+             // that nothing is a typewriter:
+             .ElseIf(request == TCGETS, Error(ENOTTY))
++            .ElseIf(request == TIOCGWINSZ, Error(ENOTTY))
+             // Allow anything that isn't a tty ioctl, for now; bug 1302711
+             // will cover changing this to a default-deny policy.
+             .ElseIf(shifted_type != kTtyIoctls, Allow())
diff --git a/community/firefox-esr/fix-toolkit.patch b/community/firefox-esr/fix-toolkit.patch
index 58fe5a3a9a..6cd48dde8b 100644
--- a/community/firefox-esr/fix-toolkit.patch
+++ b/community/firefox-esr/fix-toolkit.patch
@@ -1,8 +1,7 @@
-diff --git a/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc b/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc
-index 4222ce3..4d40c6a 100644
---- a/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc
-+++ b/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc
-@@ -45,6 +45,7 @@
+diff -upr /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc
+--- /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc	2019-02-11 18:55:48.607258656 +0100
++++ firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/common/linux/dump_symbols.cc	2019-02-11 20:57:51.386533134 +0100
+@@ -46,6 +46,7 @@
  #include <sys/mman.h>
  #include <sys/stat.h>
  #include <unistd.h>
@@ -10,10 +9,9 @@ index 4222ce3..4d40c6a 100644
  
  #include <iostream>
  #include <set>
-diff --git a/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc b/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc
-index 6019fc7..5953e32 100644
---- a/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc
-+++ b/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc
+diff -upr /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc
+--- /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc	2019-02-11 18:55:48.610591990 +0100
++++ firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.cc	2019-02-11 20:57:51.386533134 +0100
 @@ -41,6 +41,10 @@
  
  #include "common/using_std_string.h"
@@ -25,10 +23,9 @@ index 6019fc7..5953e32 100644
  using std::vector;
  
  namespace google_breakpad {
-diff --git a/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h b/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h
-index 98ee2dd..d57aa68 100644
---- a/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h
-+++ b/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h
+diff -upr /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h
+--- /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h	2019-02-11 18:55:48.610591990 +0100
++++ firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/common/stabs_reader.h	2019-02-11 20:57:51.389866466 +0100
 @@ -55,7 +55,7 @@
  
  #ifdef HAVE_MACH_O_NLIST_H
@@ -38,11 +35,10 @@ index 98ee2dd..d57aa68 100644
  #include <a.out.h>
  #endif
  
-diff --git a/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h b/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h
-index 93fdad7..f34e5e0 100644
---- a/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h
-+++ b/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h
-@@ -1134,6 +1134,12 @@ struct kernel_statfs {
+diff -upr /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h
+--- /tmp/firefox-60.5.0.orig/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h	2019-02-11 18:55:48.647258669 +0100
++++ firefox-60.5.0/toolkit/crashreporter/google-breakpad/src/third_party/lss/linux_syscall_support.h	2019-02-11 19:01:23.614038547 +0100
+@@ -1210,6 +1210,12 @@ struct kernel_statfs {
  #ifndef __NR_fallocate
  #define __NR_fallocate          285
  #endif
@@ -55,32 +51,30 @@ index 93fdad7..f34e5e0 100644
  /* End of x86-64 definitions                                                 */
  #elif defined(__mips__)
  #if _MIPS_SIM == _MIPS_SIM_ABI32
-diff --git a/toolkit/mozapps/update/common/updatedefines.h b/toolkit/mozapps/update/common/updatedefines.h
-index 026e7ed..0801f14 100644
---- a/toolkit/mozapps/update/common/updatedefines.h
-+++ b/toolkit/mozapps/update/common/updatedefines.h
-@@ -117,7 +117,7 @@ static inline int mywcsprintf(WCHAR* dest, size_t count, const WCHAR* fmt, ...)
+diff -upr /tmp/firefox-60.5.0.orig/toolkit/mozapps/update/common/updatedefines.h firefox-60.5.0/toolkit/mozapps/update/common/updatedefines.h
+--- /tmp/firefox-60.5.0.orig/toolkit/mozapps/update/common/updatedefines.h	2019-02-11 18:55:49.287258893 +0100
++++ firefox-60.5.0/toolkit/mozapps/update/common/updatedefines.h	2019-02-11 20:58:30.753178073 +0100
+@@ -100,7 +100,7 @@ static inline int mywcsprintf(WCHAR* des
  
  #ifdef SOLARIS
- # include <sys/stat.h>
+ #include <sys/stat.h>
 -#else
 +#elif !defined(__linux__) || defined(__GLIBC__)
- # include <fts.h>
+ #include <fts.h>
  #endif
- # include <dirent.h>
-diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
-index 257ccb4..01314e4 100644
---- a/toolkit/mozapps/update/updater/updater.cpp
-+++ b/toolkit/mozapps/update/updater/updater.cpp
-@@ -3737,6 +3737,7 @@ int add_dir_entries(const NS_tchar *dirpath, ActionList *list)
- int add_dir_entries(const NS_tchar *dirpath, ActionList *list)
- {
+ #include <dirent.h>
+diff -upr /tmp/firefox-60.5.0.orig/toolkit/mozapps/update/updater/updater.cpp firefox-60.5.0/toolkit/mozapps/update/updater/updater.cpp
+--- /tmp/firefox-60.5.0.orig/toolkit/mozapps/update/updater/updater.cpp	2019-02-11 18:55:49.283925558 +0100
++++ firefox-60.5.0/toolkit/mozapps/update/updater/updater.cpp	2019-02-11 20:57:57.303196520 +0100
+@@ -3733,6 +3733,7 @@ int add_dir_entries(const NS_tchar *dirp
+ 
+ int add_dir_entries(const NS_tchar *dirpath, ActionList *list) {
    int rv = OK;
 +#if !defined(__linux__) || defined(__GLIBC__)
    FTS *ftsdir;
    FTSENT *ftsdirEntry;
-   NS_tchar searchpath[MAXPATHLEN];
-@@ -3840,6 +3841,7 @@ int add_dir_entries(const NS_tchar *dirpath, ActionList *list)
+   mozilla::UniquePtr<NS_tchar[]> searchpath(get_full_path(dirpath));
+@@ -3833,6 +3834,7 @@ int add_dir_entries(const NS_tchar *dirp
    }
  
    fts_close(ftsdir);
diff --git a/community/firefox-esr/fix-tools.patch b/community/firefox-esr/fix-tools.patch
index 84f7fa9cb8..fdb08845d9 100644
--- a/community/firefox-esr/fix-tools.patch
+++ b/community/firefox-esr/fix-tools.patch
@@ -1,22 +1,38 @@
---- a/tools/profiler/core/platform.h
-+++ b/tools/profiler/core/platform.h
+diff -upr /tmp/firefox-60.5.0.orig/tools/profiler/core/platform-linux-android.cpp firefox-60.5.0/tools/profiler/core/platform-linux-android.cpp
+--- /tmp/firefox-60.5.0.orig/tools/profiler/core/platform-linux-android.cpp	2019-02-11 18:55:48.543925300 +0100
++++ firefox-60.5.0/tools/profiler/core/platform-linux-android.cpp	2019-02-12 10:00:02.735569929 +0100
+@@ -497,8 +497,10 @@ static void PlatformInit(PSLockRef aLock
+ ucontext_t sSyncUContext;
+ 
+ void Registers::SyncPopulate() {
++#if defined(__GLIBC__)
+   if (!getcontext(&sSyncUContext)) {
+     PopulateRegsFromContext(*this, &sSyncUContext);
+   }
++#endif
+ }
+ #endif
+diff -upr /tmp/firefox-60.5.0.orig/tools/profiler/core/platform.h firefox-60.5.0/tools/profiler/core/platform.h
+--- /tmp/firefox-60.5.0.orig/tools/profiler/core/platform.h	2019-02-11 18:55:48.540591965 +0100
++++ firefox-60.5.0/tools/profiler/core/platform.h	2019-02-12 10:00:02.735569929 +0100
 @@ -29,6 +29,8 @@
  #ifndef TOOLS_PLATFORM_H_
  #define TOOLS_PLATFORM_H_
-
+ 
 +#include <sys/types.h>
 +
  #include <stdint.h>
  #include <math.h>
  #include "MainThreadUtils.h"
---- a/tools/profiler/lul/LulElf.cpp
-+++ b/tools/profiler/lul/LulElf.cpp
-@@ -579,10 +579,10 @@
+diff -upr /tmp/firefox-60.5.0.orig/tools/profiler/lul/LulElf.cpp firefox-60.5.0/tools/profiler/lul/LulElf.cpp
+--- /tmp/firefox-60.5.0.orig/tools/profiler/lul/LulElf.cpp	2019-02-11 18:55:48.547258635 +0100
++++ firefox-60.5.0/tools/profiler/lul/LulElf.cpp	2019-02-12 10:00:59.802296448 +0100
+@@ -459,10 +459,10 @@ string FormatIdentifier(unsigned char id
  // Return the non-directory portion of FILENAME: the portion after the
  // last slash, or the whole filename if there are no slashes.
- string BaseFileName(const string &filename) {
+ string BaseFileName(const string& filename) {
 -  // Lots of copies!  basename's behavior is less than ideal.
--  char *c_filename = strdup(filename.c_str());
+-  char* c_filename = strdup(filename.c_str());
 -  string base = basename(c_filename);
 -  free(c_filename);
 +  // basename's behavior is less than ideal so avoid it
@@ -25,18 +41,4 @@
 +  string base = p ? p+1 : c_filename;
    return base;
  }
-
---- a/tools/profiler/core/platform-linux-android.cpp.orig
-+++ b/tools/profiler/core/platform-linux-android.cpp
-@@ -534,9 +534,11 @@
- void
- Registers::SyncPopulate()
- {
-+#if defined(__GLIBC__)
-   if (!getcontext(&sSyncUContext)) {
-     PopulateRegsFromContext(*this, &sSyncUContext);
-   }
-+#endif
- }
- #endif