| Summary: | Firefox 52.7.3 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, marja11, sysadmin-bugs, tarazed25, tmb, wrw105 |
| Version: | 6 | Keywords: | advisory, has_procedure, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK mga6-32-ok | ||
| Source RPM: | nspr, firefox | CVE: | |
| Status comment: | |||
| Bug Depends on: | 22788 | ||
| Bug Blocks: | 22904 | ||
|
Description
David Walser
2018-03-15 15:04:11 CET
David Walser
2018-03-15 15:04:33 CET
Whiteboard:
(none) =>
MGA5TOO Assigning to all packagers collectively, since there is no registered maintainer for firefox nor for nspr (nor for nss) (In reply to David Walser from comment #0) > RedHat has issued an advisory today (March 15): > https://access.redhat.com/errata/RHSA-2018:0527 > > nspr also needs to be updated to 4.19. > > nss (in Cauldron *only*) also needs to be updated to 3.36: > https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3. > 36_release_notes > > No rootcerts update is needed for this update. I don't see nss or nspr were updated in Cauldron, changing version for this report, even if FF is already on version 59.0 there. Version:
6 =>
Cauldron
Marja Van Waes
2018-03-15 18:23:24 CET
Summary:
Firefox 52.7 =>
Firefox 52.7, nspr and (only for cauldron) nss The main crux of the bug is for Firefox, which isn't on the 52.x branch in Cauldron. We'll deal with it all together though. I'd have started on it already if I had access to SVN. Summary:
Firefox 52.7, nspr and (only for cauldron) nss =>
Firefox 52.7 (In reply to David Walser from comment #2) > The main crux of the bug is for Firefox, which isn't on the 52.x branch in > Cauldron. We'll deal with it all together though. I'd have started on it > already if I had access to SVN. Do you still not have access? :-( :-( :-( Please send your id_rsa.pub to tmb or attach it to a bug report, that you assign to sysadmin team while CC'ing tmb CC:
(none) =>
tmb Thanks. I had e-mailed tmb this morning. He just replied that it has been added and it works now :D nspr updates built: libnspr4-4.19-1.mga5 libnspr-devel-4.19-1.mga5 libnspr4-4.19-1.mga6 libnspr-devel-4.19-1.mga6 nss update also built for Cauldron. Firefox failed to build, and it's not apparent from the build logs why. It could be that the build system blew up: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20180315190450.luigiwalser.duvel.12432/log/firefox-52.7.0-1.mga5/build.0.20180315191734.log http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20180315190337.luigiwalser.duvel.12264/log/firefox-52.7.0-1.mga6/build.0.20180315190635.log RedHat didn't have to make any special adjustments to make 52.7.0 build. Status comment:
(none) =>
Update checked into SVN, Firefox failed to build The builds seem to be failing with: virtual memory exhausted: Operation not permitted /home/iurt/rpmbuild/BUILD/firefox-52.7.0esr/config/rules.mk:951: recipe for target 'UnifiedBindings21.o' failed after the last g++ command which is trying to build firefox-52.7.0esr/objdir/media/webrtc/trunk/webrtc/modules/modules_neteq/Unified_cpp_webrtc_modules0.cpp
katnatek
2018-03-16 01:36:59 CET
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=20617 (In reply to David Walser from comment #6) > The builds seem to be failing with: > Don't know if help, but maybe you can check https://forums.gentoo.org/viewtopic-p-7907754.html?sid=5de1fdc938300c197bf436f902476dcd#7907754 and https://www.linuxquestions.org/questions/linux-from-scratch-13/firefox-error-compilling-4175562649/ Doesn't look like any of that is directly relevant, but it does sound like the build system may be running out of memory, as was the case in that last link. See Also:
https://bugs.mageia.org/show_bug.cgi?id=20617 =>
(none) Same error while trying to build 52.7.1, which apparently only fixes an issue with firefox-it: https://www.mozilla.org/en-US/firefox/52.7.1/releasenotes/ Firefox 52.7.2 has been released today (March 16): https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/ It includes additional fixes for libvorbis (and libtremor on ARM): https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ The libtremor fix required adding an additional patch (Mageia 6 only): http://openwall.com/lists/oss-security/2018/03/16/3 That's all checked into SVN. We'll need to update the system libvorbis as well, which I've built: libvorbis0-1.3.5-1.3.mga5 libvorbis-devel-1.3.5-1.3.mga5 libvorbisenc2-1.3.5-1.3.mga5 libvorbisfile3-1.3.5-1.3.mga5 libvorbis0-1.3.5-2.3.mga6 libvorbis-devel-1.3.5-2.3.mga6 libvorbisenc2-1.3.5-2.3.mga6 libvorbisfile3-1.3.5-2.3.mga6 from SRPMS: libvorbis-1.3.5-1.3.mga5.src.rpm libvorbis-1.3.5-2.3.mga6.src.rpm Summary:
Firefox 52.7 =>
Firefox 52.7.2 (and libvorbis new security issue CVE-2018-5146) Moving libvorbis to Bug 22788. Source RPM:
nspr, firefox, libvorbis-1.3.5-3.mga7.src.rpm =>
nspr, firefox
David Walser
2018-03-17 04:35:03 CET
Depends on:
(none) =>
22788 (In reply to David Walser from comment #10) > Firefox 52.7.2 has been released today (March 16): > https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/ > > It includes additional fixes for libvorbis (and libtremor on ARM): > https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/ > > The libtremor fix required adding an additional patch (Mageia 6 only): > http://openwall.com/lists/oss-security/2018/03/16/3 > > That's all checked into SVN. > Now really assigning to all packagers collectively. Atm, firefox-52.7.1-1.mga6 is still in the "builds in progress:" list for arm. Assignee:
bugsquad =>
pkg-bugs I've also checked a rediffed patch for sqlite3's CVE-2018-8740 (Bug 22792) in to Mageia 5 SVN for the firefox package, as it builds with the bundled sqlite3 (Mageia 6 uses the system sqlite3). Status comment:
Update checked into SVN, Firefox-52.7.1 and 52.7.0 failed to build =>
Update checked into SVN, Firefox failed to build RedHat has issued an advisory for Firefox 52.7.2 today (March 19): https://access.redhat.com/errata/RHSA-2018:0549 Firefox 52.7.3 has been released today (March 26): https://www.mozilla.org/en-US/firefox/52.7.3/releasenotes/ It fixes one additional issue: https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/ It has been checked into SVN. Summary:
Firefox 52.7.2 =>
Firefox 52.7.3 firefox-52.7.3-2.mga6 in now built on i586, x86_64 build is still in progress... The needed fixes from Cauldron firefox was: --- firefox.spec 2018-04-13 11:24:02.702645518 +0300 +++ firefox.spec.new 2018-04-13 10:59:26.432716546 +0300 @@ -293,6 +302,14 @@ # See also https://fedoraproject.org/wiki/Changes/Harden_All_Packages MOZ_OPT_FLAGS="$MOZ_OPT_FLAGS -Wformat-security -Wformat -Werror=format-security" MOZ_OPT_FLAGS="$MOZ_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now" +%ifnarch x86_64 +MOZ_OPT_FLAGS=$(echo "$MOZ_OPT_FLAGS" | %{__sed} -e 's/-g/-g1/') +# If MOZ_DEBUG_FLAGS is empty, firefox's build will default it to "-g" which +# overrides the -g1 from line above and breaks building on s390 +# (OOM when linking, rhbz#1238225) +export MOZ_DEBUG_FLAGS=" " +%endif + %ifarch %{arm} MOZ_LINK_FLAGS="-Wl,--no-keep-memory -Wl,--reduce-memory-overheads" %endif @@ -310,7 +327,9 @@ %ifarch %{ix86} x86_64 ppc ppc64 ppc64le aarch64 [ -z "$RPM_BUILD_NCPUS" ] && \ RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`" -MOZ_SMP_FLAGS=-j$RPM_BUILD_NCPUS +[ "$RPM_BUILD_NCPUS" -ge 2 ] && MOZ_SMP_FLAGS=-j2 +[ "$RPM_BUILD_NCPUS" -ge 4 ] && MOZ_SMP_FLAGS=-j4 +[ "$RPM_BUILD_NCPUS" -ge 8 ] && MOZ_SMP_FLAGS=-j8 %endif make -f client.mk build STRIP="/bin/true" MOZ_MAKE_FLAGS="$MOZ_SMP_FLAGS" MOZ_SERVICES_SYNC="1" Maybe you got lucky, because even with those changes it failed to build with the same error in Mageia 5: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20180413142204.luigiwalser.duvel.25073/log/firefox-52.7.3-2.mga5/build.0.20180413142311.log Yeah well, I tried limiting it more, but it fails in other places... And its not memory problems as such on the build nodes as ecosse has 32GB and rabbit 48GB of ram ... It just is something in the build process triggering g++ to try and allocate more than 2GB process, and it fails... Maybe it exposes a bug in gcc, maybe not... But I dont see any point in wasting time on debugging it on mga5 anymore, so lets clone the bug then for mga5 if someone cares, and get the mga6 update out...
David Walser
2018-04-14 02:20:25 CEST
Blocks:
(none) =>
22904 SRPMS: nspr-4.19-1.mga6.src.rpm firefox-52.7.3-2.mga6.src.rpm firefox-l10n-52.7.3-1.mga6.src.rpm Advisory: ======================== Updated firefox packages fix security vulnerabilities: Memory safety bugs fixed in Firefox ESR 52.7 (CVE-2018-5125). Buffer overflow manipulating SVG animatedPathSegList (CVE-2018-5127). Out-of-bounds write with malformed IPC messages (CVE-2018-5129). Mismatched RTP payload type can trigger memory corruption (CVE-2018-5130). Fetch API improperly returns cached copies of no-store/no-cache resources (CVE-2018-5131). Integer overflow during Unicode conversion (CVE-2018-5144). Memory safety bugs fixed in Firefox ESR 52.7 (CVE-2018-5145). A use-after-free vulnerability can occur in the compositor during certain graphics operations when a raw pointer is used instead of a reference counted one. This results in a potentially exploitable crash (CVE-2018-5148). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5125 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5127 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5129 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5130 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5131 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5145 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5148 https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/ https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/ https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/ https://access.redhat.com/errata/RHSA-2018:0527 Status comment:
Update checked into SVN, Firefox failed to build =>
(none) Tested mga6-64 general browsing, Acid3, jetstream, video play tested, all OK CC:
(none) =>
wrw105
Bill Wilkinson
2018-04-14 04:58:54 CEST
Whiteboard:
mga4-64-ok has_procedure =>
mga6-64-ok has_procedure
David Walser
2018-04-14 05:00:23 CEST
Keywords:
(none) =>
has_procedure Mageia 6, x86_64 Working fine here. General browsing, examination of local directories and viewing PDF. Checking localhost informed me that hiawatha might be running. It was; stopped hiawatha, started apache and re-launched firefox. Watched a Youtube NASA video in theatre mode. $ sudo localhost:631 launched the CUPS management interface in a separate window. $ php -S localhost:8000 -t /home/lcl/dev/php Addressing localhost:8000/sample.php displayed the string encoded in sample.php. CC:
(none) =>
tarazed25 mageia 6, 32-bit $ uname -a Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux The following 5 packages are going to be installed: - firefox-52.7.3-2.mga6.i586 - firefox-en_GB-52.7.3-1.mga6.noarch - firefox-en_US-52.7.3-1.mga6.noarch - firefox-en_ZA-52.7.3-1.mga6.noarch - libnspr4-4.19-1.mga6.i586 121KB of additional disk space will be used. 52MB of packages will be retrieved. Is it ok to continue? --- started firefox checked version 52.7.3 (32-bit) -Bookmarks are intact -Able to connect to my preferred sites and pull up pdf and ppt documents without an issues working as designed. Whiteboard:
MGA6-64-OK =>
MGA6-64-OK mga6-32-ok Looking good here on both arches, 64-bit Plasma 5.12.2, and 32-bit Xfce. Using it to make this comment. CC:
(none) =>
andrewsfarm Testing ok here, including with the latest flash update. Advisory committed to svn. Validating the update. Keywords:
(none) =>
advisory, validated_update An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0202.html Status:
NEW =>
RESOLVED |