!25 fix CVE-2020-fix CVE-2020-15664 CVE-2020-15665 CVE-2020-15666 CVE-2020-15667 CVE-2020-15668 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678

From: @wangxiao65
Reviewed-by: @small_leek
Signed-off-by: @small_leek

CVE-2020-15664.patch

@@ -0,0 +1,34 @@
+# HG changeset patch
+# User Kris Maglione <maglione.k@gmail.com>
+# Date 1597420945 0
+#      Fri Aug 14 16:02:25 2020 +0000
+# Node ID 1edd9346c110b011ed87e50eb3d417202ea445fb
+# Parent  f69f80e5659f11977e7f1bd48386ea22e921dd52
+Bug 1658214: Only construct JS-implemented objects if inner window is current. r=bholley
+
+Differential Revision: https://phabricator.services.mozilla.com/D86614
+
+diff -r f69f80e5659f -r 1edd9346c110 dom/bindings/BindingUtils.cpp
+--- a/dom/bindings/BindingUtils.cpp	Fri Aug 14 15:57:45 2020 +0000
++++ b/dom/bindings/BindingUtils.cpp	Fri Aug 14 16:02:25 2020 +0000
+@@ -2547,6 +2547,12 @@
+   {
+     AutoNoJSAPI nojsapi;
+ 
++    nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(aGlobal);
++    if (!window->IsCurrentInnerWindow()) {
++      aRv.ThrowInvalidStateError("Window no longer active");
++      return;
++    }
++
+     // Get the XPCOM component containing the JS implementation.
+     nsresult rv;
+     nsCOMPtr<nsISupports> implISupports = do_CreateInstance(aContractId, &rv);
+@@ -2561,7 +2567,6 @@
+     // and our global is a window.
+     nsCOMPtr<nsIDOMGlobalPropertyInitializer> gpi =
+         do_QueryInterface(implISupports);
+-    nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(aGlobal);
+     if (gpi) {
+       JS::Rooted<JS::Value> initReturn(RootingCx());
+       rv = gpi->Init(window, &initReturn);

CVE-2020-15665.patch

@@ -0,0 +1,137 @@
+# HG changeset patch
+# User Gijs Kruitbosch <gijskruitbosch@gmail.com>
+# Date 1594843114 0
+#      Wed Jul 15 19:58:34 2020 +0000
+# Node ID 8079eea73df334803da5b07322b19d32aa8ed9e3
+# Parent  8dee8cb525a2c7cff36a89be107eb50628619201
+Bug 1651636 - reset the address bar when beforeunload prompts close, r=mak
+
+Differential Revision: https://phabricator.services.mozilla.com/D83213
+
+diff -r 8dee8cb525a2 -r 8079eea73df3 browser/actors/PromptParent.jsm
+--- a/browser/actors/PromptParent.jsm	Wed Jul 15 19:45:37 2020 +0000
++++ b/browser/actors/PromptParent.jsm	Wed Jul 15 19:58:34 2020 +0000
+@@ -169,7 +169,10 @@
+ 
+       this.unregisterPrompt(id);
+ 
+-      PromptUtils.fireDialogEvent(window, "DOMModalDialogClosed", browser);
++      PromptUtils.fireDialogEvent(window, "DOMModalDialogClosed", browser, {
++        wasPermitUnload: args.inPermitUnload,
++        areLeaving: args.ok,
++      });
+       resolver(args);
+       browser.maybeLeaveModalState();
+     };
+diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/tabbrowser.js
+--- a/browser/base/content/tabbrowser.js	Wed Jul 15 19:45:37 2020 +0000
++++ b/browser/base/content/tabbrowser.js	Wed Jul 15 19:58:34 2020 +0000
+@@ -5418,6 +5418,26 @@
+         true
+       );
+ 
++      // When cancelling beforeunload tabmodal dialogs, reset the URL bar to
++      // avoid spoofing risks.
++      this.addEventListener(
++        "DOMModalDialogClosed",
++        event => {
++          if (
++            !event.detail?.wasPermitUnload ||
++            event.detail.areLeaving ||
++            event.target.nodeName != "browser"
++          ) {
++            return;
++          }
++          event.target.userTypedValue = null;
++          if (event.target == this.selectedBrowser) {
++            gURLBar.setURI();
++          }
++        },
++        true
++      );
++
+       let onTabCrashed = event => {
+         if (!event.isTrusted || !event.isTopFrame) {
+           return;
+diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/test/tabPrompts/browser.ini
+--- a/browser/base/content/test/tabPrompts/browser.ini	Wed Jul 15 19:45:37 2020 +0000
++++ b/browser/base/content/test/tabPrompts/browser.ini	Wed Jul 15 19:58:34 2020 +0000
+@@ -1,3 +1,5 @@
++[browser_beforeunload_urlbar.js]
++support-files = file_beforeunload_stop.html
+ [browser_closeTabSpecificPanels.js]
+ skip-if = (verify && debug && (os == 'linux')) || (fission && os == 'linux' && bits == 64 && os_version == '18.04') # Bug 1548664
+ [browser_multiplePrompts.js]
+diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/test/tabPrompts/browser_beforeunload_urlbar.js
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ b/browser/base/content/test/tabPrompts/browser_beforeunload_urlbar.js	Wed Jul 15 19:58:34 2020 +0000
+@@ -0,0 +1,57 @@
++/* Any copyright is dedicated to the Public Domain.
++   http://creativecommons.org/publicdomain/zero/1.0/ */
++
++"use strict";
++
++const TEST_ROOT = getRootDirectory(gTestPath).replace(
++  "chrome://mochitests/content",
++  "http://example.com"
++);
++
++add_task(async function test_beforeunload_stay_clears_urlbar() {
++  await SpecialPowers.pushPrefEnv({
++    set: [["dom.require_user_interaction_for_beforeunload", false]],
++  });
++  const TEST_URL = TEST_ROOT + "file_beforeunload_stop.html";
++  await BrowserTestUtils.withNewTab(TEST_URL, async function(browser) {
++    gURLBar.focus();
++    const inputValue = "http://example.org/?q=typed";
++    gURLBar.inputField.value = inputValue.slice(0, -1);
++    EventUtils.sendString(inputValue.slice(-1));
++
++    let promptOpenedPromise = TestUtils.topicObserved("tabmodal-dialog-loaded");
++    EventUtils.synthesizeKey("VK_RETURN");
++    await promptOpenedPromise;
++    let promptElement = browser.parentNode.querySelector("tabmodalprompt");
++
++    // Click the cancel button
++    promptElement.querySelector(".tabmodalprompt-button1").click();
++
++    await TestUtils.waitForCondition(
++      () => promptElement.parentNode == null,
++      "tabprompt should be removed"
++    );
++    // Can't just compare directly with TEST_URL because the URL may be trimmed.
++    // Just need it to not be the example.org thing we typed in.
++    ok(
++      gURLBar.value.endsWith("_stop.html"),
++      "Url bar should be reset to point to the stop html file"
++    );
++    ok(
++      gURLBar.value.includes("example.com"),
++      "Url bar should be reset to example.com"
++    );
++    // Check the lock/identity icons are back:
++    is(
++      gURLBar.textbox.getAttribute("pageproxystate"),
++      "valid",
++      "Should be in valid pageproxy state."
++    );
++
++    // Now we need to get rid of the handler to avoid the prompt coming up when trying to close the
++    // tab when we exit `withNewTab`. :-)
++    await SpecialPowers.spawn(browser, [], function() {
++      content.window.onbeforeunload = null;
++    });
++  });
++});
+diff -r 8dee8cb525a2 -r 8079eea73df3 browser/base/content/test/tabPrompts/file_beforeunload_stop.html
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ b/browser/base/content/test/tabPrompts/file_beforeunload_stop.html	Wed Jul 15 19:58:34 2020 +0000
+@@ -0,0 +1,8 @@
++<body>
++  <p>I will ask not to be closed.</p>
++  <script>
++    window.onbeforeunload = function() {
++      return "true";
++    };
++  </script>
++</body>

CVE-2020-15666.patch

@@ -0,0 +1,113 @@
+# HG changeset patch
+# User Sebastian Streich <sstreich@mozilla.com>
+# Date 1594901018 0
+#      Thu Jul 16 12:03:38 2020 +0000
+# Node ID b8f37ab6318150a94022625b0500efce2c456947
+# Parent  7e7affa995d31d0325c26d7a9994971e7682f3a0
+Bug 1450853 - Use Generic Error for 3rdparty MediaElement r=ckerschb,smaug
+
+***
+Add test
+
+Differential Revision: https://phabricator.services.mozilla.com/D80080
+
+diff -r 7e7affa995d3 -r b8f37ab63181 dom/html/HTMLMediaElement.cpp
+--- a/dom/html/HTMLMediaElement.cpp	Thu Jul 16 12:23:08 2020 +0000
++++ b/dom/html/HTMLMediaElement.cpp	Thu Jul 16 12:03:38 2020 +0000
+@@ -2354,7 +2354,24 @@
+   if (mDecoder) {
+     ShutdownDecoder();
+   }
+-  mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails);
++
++  bool isThirdPartyLoad = false;
++  nsresult rv = NS_ERROR_NOT_AVAILABLE;
++  if (mSrcAttrTriggeringPrincipal) {
++    rv = mSrcAttrTriggeringPrincipal->IsThirdPartyURI(mLoadingSrc,
++                                                      &isThirdPartyLoad);
++  }
++
++  if (NS_SUCCEEDED(rv) && isThirdPartyLoad) {
++    // aErrorDetails can include sensitive details like MimeType or HTTP Status
++    // Code. In case we're loading a 3rd party resource we should not leak this
++    // and pass a Generic Error Message
++    mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED,
++                         NS_LITERAL_CSTRING("Failed to open media"));
++  } else {
++    mErrorSink->SetError(MEDIA_ERR_SRC_NOT_SUPPORTED, aErrorDetails);
++  }
++
+   RemoveMediaTracks();
+   ChangeDelayLoadStatus(false);
+   UpdateAudioChannelPlayingState();
+diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/mochitest.ini
+--- a/dom/security/test/general/mochitest.ini	Thu Jul 16 12:23:08 2020 +0000
++++ b/dom/security/test/general/mochitest.ini	Thu Jul 16 12:03:38 2020 +0000
+@@ -63,3 +63,4 @@
+ [test_sec_fetch_websocket.html]
+ skip-if = toolkit == 'android' # no websocket support Bug 982828
+ support-files = file_sec_fetch_websocket_wsh.py
++[test_bug1450853.html]
+\ No newline at end of file
+diff -r 7e7affa995d3 -r b8f37ab63181 dom/security/test/general/test_bug1450853.html
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ b/dom/security/test/general/test_bug1450853.html	Thu Jul 16 12:03:38 2020 +0000
+@@ -0,0 +1,58 @@
++<!DOCTYPE html>
++<html>
++<!--
++https://bugzilla.mozilla.org/show_bug.cgi?id=1450853
++-->
++<head>
++<meta charset="utf-8">
++<title>Test for Cross-origin resouce status leak via MediaError</title>
++<script src="/tests/SimpleTest/SimpleTest.js"></script>
++<script src="/tests/SimpleTest/ChromeTask.js"></script>
++<link rel="stylesheet" type="text/css" href="chrome://mochikit/content/tests/SimpleTest/test.css"/>
++
++<audio autoplay id="audio"></audio>
++
++<script type="application/javascript">
++
++/** Test for Bug 1450853 **/
++CONST_GENERIC_ERROR_MESSAGE = "Failed to open media";
++
++add_task(function() {
++  return new Promise((resolve) => {
++      let audioElement = document.getElementById("audio");
++
++      audioElement.onerror = function() {
++      let err = this.error;    
++      let message = err.message;
++      info(`Got Audio Error -> ${message}`);
++      ok(message.includes("404"), "Same-Origin Error Message may contain status data");
++      resolve();
++    };
++  audioElement.src = "/media/test.mp3";
++  });
++});
++
++add_task(function() {
++  return new Promise((resolve) => {
++      let audioElement = document.getElementById("audio");
++
++      audioElement.onerror = function() {
++      let err = this.error;    
++      let message = err.message;
++      
++      info(`Got Audio Error -> ${message}`);
++      is(message,CONST_GENERIC_ERROR_MESSAGE, "Cross-Origin Error Message is only Generic");
++      resolve();
++    };
++  audioElement.src = "https://example.com/media/test.mp3";
++  });
++});
++
++</script>
++</head>
++
++<body>
++    <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1450853">Mozilla Bug 1450853</a>
++    <iframe width="0" height="0"></iframe>
++  </body>
++</html>

CVE-2020-15667.patch

@@ -0,0 +1,22 @@
+# HG changeset patch
+# User Molly Howell <mhowell@mozilla.com>
+# Date 1595024754 0
+#      Fri Jul 17 22:25:54 2020 +0000
+# Node ID b79b6cc78248eea7fda10bfb76aa273c19c9fa65
+# Parent  0c0f777161a9499dd149853ff62d356f75d16c2a
+Bug 1653371 - Don't used a signed type for a length parameter. r=bytesized
+
+Differential Revision: https://phabricator.services.mozilla.com/D84031
+
+diff -r 0c0f777161a9 -r b79b6cc78248 modules/libmar/src/mar_read.c
+--- a/modules/libmar/src/mar_read.c	Sat Jul 18 02:57:28 2020 +0300
++++ b/modules/libmar/src/mar_read.c	Fri Jul 17 22:25:54 2020 +0000
+@@ -26,7 +26,7 @@
+   return CityHash64(name, strlen(name)) % TABLESIZE;
+ }
+ 
+-static int mar_insert_item(MarFile* mar, const char* name, int namelen,
++static int mar_insert_item(MarFile* mar, const char* name, uint32_t namelen,
+                            uint32_t offset, uint32_t length, uint32_t flags) {
+   MarItem *item, *root;
+   uint32_t hash;

CVE-2020-15668.patch

@@ -0,0 +1,38 @@
+# HG changeset patch
+# User Kevin Jacobs <kjacobs@mozilla.com>
+# Date 1594335948 0
+#      Thu Jul 09 23:05:48 2020 +0000
+# Node ID 06be9b59deb034f3ec6ab93c55e3ba4039f690cd
+# Parent  93092fe1e43c69a0b7e7b2960b4b55524ba30db0
+Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
+2020-07-09  J.C. Jones  <jjones@mozilla.com>
+
+        * lib/softoken/pkcs11.c:
+        Bug 1651520 - slotLock race in NSC_GetTokenInfo r=kjacobs
+
+        Basically, NSC_GetTokenInfo doesn't lock slot->slotLock before
+        accessing slot after obtaining it, even though slotLock is defined
+        as its lock. [0]
+
+        [0] https://searchfox.org/nss/rev/a412e70e55218aaf670f1f10322fa734d8
+        a9fbde/lib/softoken/pkcs11i.h#320-321
+        [58c2abd7404e] [tip]
+
+diff -r 93092fe1e43c -r 06be9b59deb0 security/nss/lib/softoken/pkcs11.c
+--- a/security/nss/lib/softoken/pkcs11.c	Thu Jul 09 23:16:09 2020 +0000
++++ b/security/nss/lib/softoken/pkcs11.c	Thu Jul 09 23:05:48 2020 +0000
+@@ -3661,10 +3661,12 @@
+     PORT_Memcpy(pInfo->model, "NSS 3           ", 16);
+     PORT_Memcpy(pInfo->serialNumber, "0000000000000000", 16);
+     PORT_Memcpy(pInfo->utcTime, "0000000000000000", 16);
+-    pInfo->ulMaxSessionCount = 0; /* arbitrarily large */
++    pInfo->ulMaxSessionCount = 0;   /* arbitrarily large */
++    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
++    PZ_Lock(slot->slotLock);        /* Protect sessionCount / rwSessioncount */
+     pInfo->ulSessionCount = slot->sessionCount;
+-    pInfo->ulMaxRwSessionCount = 0; /* arbitarily large */
+     pInfo->ulRwSessionCount = slot->rwSessionCount;
++    PZ_Unlock(slot->slotLock); /* Unlock before sftk_getKeyDB */
+     pInfo->firmwareVersion.major = 0;
+     pInfo->firmwareVersion.minor = 0;
+     PORT_Memcpy(pInfo->label, slot->tokDescription, sizeof(pInfo->label));

CVE-2020-15676.patch

@@ -0,0 +1,23 @@
+# HG changeset patch
+# User Kagami Sascha Rosylight <krosylight@mozilla.com>
+# Date 1599489912 0
+#      Mon Sep 07 14:45:12 2020 +0000
+# Node ID 67c242c00ce3e796dafb7e98bbbf025e29cc1c67
+# Parent  749fda4e5eb11918833fa57e25adc77e4ed1db95
+Bug 1646140 - Fire SVG onload only when scripting is enabled r=hsivonen
+
+Differential Revision: https://phabricator.services.mozilla.com/D89218
+
+diff -r 749fda4e5eb1 -r 67c242c00ce3 parser/html/nsHtml5TreeBuilderCppSupplement.h
+--- a/parser/html/nsHtml5TreeBuilderCppSupplement.h	Mon Sep 07 13:35:31 2020 +0000
++++ b/parser/html/nsHtml5TreeBuilderCppSupplement.h	Mon Sep 07 14:45:12 2020 +0000
+@@ -1072,6 +1072,9 @@
+   }
+   if (aNamespace == kNameSpaceID_SVG) {
+     if (aName == nsGkAtoms::svg) {
++      if (!scriptingEnabled || mPreventScriptExecution) {
++        return;
++      }
+       if (mBuilder) {
+         nsHtml5TreeOperation::SvgLoad(static_cast<nsIContent*>(aElement));
+         return;

CVE-2020-15677.patch

@@ -0,0 +1,30 @@
+# HG changeset patch
+# User Gijs Kruitbosch <gijskruitbosch@gmail.com>
+# Date 1597251031 0
+#      Wed Aug 12 16:50:31 2020 +0000
+# Node ID 082de8244278d76f9d6d216a7fd5da772b5152d3
+# Parent  cc6db3162f6e3e9cdb85749054b52074b78c1643
+Bug 1641487, r=jaws
+
+Differential Revision: https://phabricator.services.mozilla.com/D86761
+
+diff -r cc6db3162f6e -r 082de8244278 browser/components/downloads/DownloadsViewUI.jsm
+--- a/browser/components/downloads/DownloadsViewUI.jsm	Wed Aug 12 14:52:18 2020 +0000
++++ b/browser/components/downloads/DownloadsViewUI.jsm	Wed Aug 12 16:50:31 2020 +0000
+@@ -342,15 +342,7 @@
+    *        Downloads View. Type is either l10n object or string literal.
+    */
+   showStatusWithDetails(stateLabel, hoverStatus) {
+-    let referrer =
+-      this.download.source.referrerInfo &&
+-      this.download.source.referrerInfo.originalReferrer
+-        ? this.download.source.referrerInfo.originalReferrer.spec
+-        : null;
+-
+-    let [displayHost] = DownloadUtils.getURIHost(
+-      referrer || this.download.source.url
+-    );
++    let [displayHost] = DownloadUtils.getURIHost(this.download.source.url);
+     let [displayDate] = DownloadUtils.getReadableDates(
+       new Date(this.download.endTime)
+     );

CVE-2020-15678.patch

@@ -0,0 +1,48 @@
+# HG changeset patch
+# User Botond Ballo <botond@mozilla.com>
+# Date 1598039821 0
+#      Fri Aug 21 19:57:01 2020 +0000
+# Node ID 5718234b1f27780b0d98ca4e6f1a22e1b012205a
+# Parent  b6b562c539e326715fda1dcd020c1095a9520e93
+Bug 1660211 - Respect iterator invalidation rules in ComputeClippedCompositionBounds(). r=kats
+
+Differential Revision: https://phabricator.services.mozilla.com/D87893
+
+diff -r b6b562c539e3 -r 5718234b1f27 gfx/layers/apz/src/APZCTreeManager.cpp
+--- a/gfx/layers/apz/src/APZCTreeManager.cpp	Fri Aug 21 20:42:59 2020 +0000
++++ b/gfx/layers/apz/src/APZCTreeManager.cpp	Fri Aug 21 19:57:01 2020 +0000
+@@ -899,14 +899,13 @@
+ ParentLayerRect APZCTreeManager::ComputeClippedCompositionBounds(
+     const MutexAutoLock& aProofOfMapLock, ClippedCompositionBoundsMap& aDestMap,
+     ScrollableLayerGuid aGuid) {
+-  auto insertResult = aDestMap.insert(std::make_pair(aGuid, ParentLayerRect()));
+-  if (!insertResult.second) {
++  if (auto iter = aDestMap.find(aGuid); iter != aDestMap.end()) {
+     // We already computed it for this one, early-exit. This might happen
+     // because on a later iteration of mApzcMap we might encounter an ancestor
+     // of an APZC that we processed on an earlier iteration. In this case we
+     // would have computed the ancestor's clipped composition bounds when
+     // recursing up on the earlier iteration.
+-    return insertResult.first->second;
++    return iter->second;
+   }
+ 
+   ParentLayerRect bounds = mApzcMap[aGuid].apzc->GetCompositionBounds();
+@@ -916,7 +915,7 @@
+     // Recursion base case, where the APZC with guid `aGuid` has no parent.
+     // In this case, we don't need to clip `bounds` any further and can just
+     // early exit.
+-    insertResult.first->second = bounds;
++    aDestMap.emplace(aGuid, bounds);
+     return bounds;
+   }
+ 
+@@ -950,7 +949,7 @@
+                                PixelCastJustification::MovingDownToChildren));
+ 
+   // Done!
+-  insertResult.first->second = bounds;
++  aDestMap.emplace(aGuid, bounds);
+   return bounds;
+ }
+ 

firefox.spec

@@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             3
+Release:             4
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -145,6 +145,14 @@ Patch589:            mozilla-1656436.patch
 Patch600:            pgo.patch
 Patch601:            mozilla-1516081.patch
 Patch602:            mozilla-1516803.patch
+Patch603:            CVE-2020-15664.patch
+Patch604:            CVE-2020-15665.patch
+Patch605:            CVE-2020-15666.patch
+Patch606:            CVE-2020-15667.patch
+Patch607:            CVE-2020-15668.patch
+Patch608:            CVE-2020-15676.patch
+Patch609:            CVE-2020-15677.patch
+Patch610:            CVE-2020-15678.patch
 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
 BuildRequires:       nss-static >= %{nss_version}
@@ -281,6 +289,14 @@ tar -xf %{SOURCE3}
 %patch589 -p1 -b .mozilla-1656436
 %patch600 -p1 -b .pgo
 %patch602 -p1 -b .1516803
+%patch603 -p1
+%patch604 -p1
+%patch605 -p1
+%patch606 -p1
+%patch607 -p1
+%patch608 -p1
+%patch609 -p1
+%patch610 -p1
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
 echo "ac_add_options --enable-default-toolkit=cairo-gtk3-wayland" >> .mozconfig
@@ -722,6 +738,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Wed Dec 16 2020 wangxiao <wangxiao65@huawei.com> - 79.0-4
+- Fix CVE-2020-15664 CVE-2020-15665 CVE-2020-15666 CVE-2020-15667
+  CVE-2020-15668 CVE-2020-15676 CVE-2020-15677 CVE-2020-15678
 
 * Thu Nov 28 2020 Jeffery.Gao <gaojianxing@huawei.com> - 79.0-3
 - Fix firefox downgrade error