Backport security fixes from ESR 102.4 to ESR 91.13-based Tor Browser

Resolves #41359 (closed)

Backported all of the patches for the CVEs listed in the issue.

assigned to @richard

requested review from @boklm

This looks good to me.

I created a new branch and cherry-picked the patches, and got the same result as this MR. The only conflict was with 6d5378a6.

However I saw the patch for https://bugzilla.mozilla.org/show_bug.cgi?id=1791598 in the master branch of gecko-dev, but I don't see it in the esr102 branch. Any idea why Mozilla apparently did not backport this patch?

From what I can read from the issue, it seems like they think the issue cannot be hit due to how Firefox uses it, and mitigations from RLBox sandboxing in general mean it's low risk and didn't need ot be backported.

But it's an easy fix and it applies so why not?

changed title from Backport security fixes from ESR 102.4 to ERR 91.13-based Tor Browser to Backport security fixes from ESR 102.4 to ESR 91.13-based Tor Browser

merged

From what I can read from the issue, it seems like they think the issue cannot be hit due to how Firefox uses it, and mitigations from RLBox sandboxing in general.