Bug 24258

Hi Thierry, any chance you can help rediff the patch in Firefox 60.5?

CC: (none) => thierry.vignaud

uh? which patch?

(In reply to Thierry Vignaud from comment #2)
> uh? which patch?

The one that failed, build-jit-atomic-always-lucky.patch

(In reply to Thierry Vignaud from comment #2)
> uh? which patch?

The one that failed, build-jit-atomic-always-lucky.patch

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some more committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => ghibomgx, mageia, marja11, mrambo

RedHat has issued an advisory for this today (January 30):
https://access.redhat.com/errata/RHSA-2019:0219

ALl patches seems to apply cleanly

(In reply to Thierry Vignaud from comment #7)
> ALl patches seems to apply cleanly

Yeah, Nicolas Salguero just fixed it this morning.

Nicolas, thanks for your help.  Do be careful to make sure firefox builds first before pushing l10n.

CC: (none) => nicolas.salguero

Firefox is building now.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Use-after-free parsing HTML5 stream (CVE-2018-18500).

Memory safety bugs fixed in Firefox 65 and Firefox ESR 60.5 (CVE-2018-18501).

Privilege escalation through IPC channel messages (CVE-2018-18505).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18505
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36.7_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2019-02/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2019:0219

Assignee: pkg-bugs => qa-bugs

On real hardware, Intel Core2Duo, 8GB RAM, Intel graphics, wired Internet, 64-bit Plasma install.

The following 4 packages are going to be installed:

- firefox-60.5.0-1.mga6.x86_64
- firefox-en_US-60.5.0-1.mga6.noarch
- lib64nss3-3.36.7-1.mga6.x86_64
- nss-3.36.7-1.mga6.x86_64

Packages installed cleanly. Started Firefox and visited several sites, including some known to give either Flash or my ad blocker a workout. Everything looks good on this hardware.

CC: (none) => andrewsfarm

64 bit OK so far, though not thorough testing.
Real hardware, Plasma, Nvidia proprietary, Swedish.
Using all in updates updates_testing.
It picked up all hundred tabs i had before closing the former version.
Have been using it for an hour browsing incl video on svtplay.se.

CC: (none) => fri

on mga6-64 plasma

packages installed cleanly:
- firefox-60.5.0-1.mga6.x86_64
- firefox-en_GB-60.5.0-1.mga6.noarch
- lib64nss3-3.36.7-1.mga6.x86_64
- nss-3.36.7-1.mga6.x86_64

no regressions observed 
looks OK for mga6-64 on this system:

Machine:   Device: desktop System: Dell product: Precision Tower 3620
           Mobo: Dell model: 09WH54 v: A00 UEFI [Legacy]: Dell v: 2.7.3 date: 01/31/2018
CPU:       Quad core Intel Core i7-6700 (-HT-MCP-)
Graphics:  Card: Intel HD Graphics 530
           Display Server: Mageia X.org 119.5 drivers: v4l,intel 
           Resolution: 1920x1080@60.00hz
           GLX Renderer: Mesa DRI Intel HD Graphics 530 (Skylake GT2) 
           GLX Version: 3.0 Mesa 17.3.9
Network:   Card: Intel Ethernet Connection (2) I219-LM driver: e1000e

I got a single crash with it (firefox closed when there were 8-10 tabs opened) but can't reproduce anymore.

In case you are interested I upgraded the spec file, with the following changes:

- rediffed and upgraded and enabled the firefox-kde.patch and mozilla-kde.patch (patch1011 and 1012).
- correct minimal version number for nss
- build more verbosely
- add conditional flag for building with bundled/system nss
- add proper requires|provides_exclude for conditional system_nss flag

I attach here the diff of the spec file and the new patchset. The kde extra patches works; I saw they were recently disabled probably because they weren't applying anymore.

Created attachment 10716 [details]
diff for firefox.spec file

Created attachment 10717 [details]
rediffed firefox-kde.patch

Created attachment 10718 [details]
rediffed mozilla-kde.patch

On mga6-32  plasma  in a vbox VM

packages installed cleanly:
- firefox-60.5.0-1.mga6.i586
- firefox-en_GB-60.5.0-1.mga6.noarch
- libnss3-3.36.7-1.mga6.i586
- nss-3.36.7-1.mga6.i586

No regressions noted

looks OK for mga6-32 in a vbox VM

CC: (none) => jim

on mga6-64 plasma in a vbox VM

packages installed cleanly:
- firefox-60.5.0-1.mga6.x86_64
- firefox-en_GB-60.5.0-1.mga6.noarch
- lib64nss3-3.36.7-1.mga6.x86_64
- nss-3.36.7-1.mga6.x86_64

No regressions noted

looks OK for mga6-64 in a vbox VM

Looks good as is, but holding off on OKs and validation until someone lets us know what you want to do with the proposed patches from Comment 13.

(In reply to Thomas Andrews from comment #19)
> Looks good as is, but holding off on OKs and validation until someone lets
> us know what you want to do with the proposed patches from Comment 13.

Don't worry about that stuff.  I added the KDE patches in SVN and we'll have them for 60.6.  Go ahead and validate it.

M6 x64 real hardware, Radeon video.
No problems encountered.

(In reply to David Walser from comment #20)
> (In reply to Thomas Andrews from comment #19)
> > Looks good as is, but holding off on OKs and validation until someone lets
> > us know what you want to do with the proposed patches from Comment 13.
> Don't worry about that stuff.  I added the KDE patches in SVN and we'll have
> them for 60.6.  Go ahead and validate it.
OK.
Advisory from comments 9 & 0.

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0060.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

The nss 3.36.7 update in this bug also fixed CVE-2018-18508.