Bug 6611

Summary: eclipse-swt is built with old xulrunner, exposing it to security issues
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, shlomif, stormi-mageia, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard: MGA1TOO, has_procedure, mga2-32-OK, mga1-32-OK, mga1-64-OK, mga2-64-OK
Source RPM: eclipse-3.6.2-12.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-06-28 19:00:02 CEST 
The SWT component for building the Browser widget against xulrunner will not build with current versions of xulrunner and probably does not still work.

Maybe Eclipse 3.7.x from Mageia 2 could be built for Mageia 1?
David Walser 2012-06-28 19:00:30 CEST

Assignee: bugsquad => dmorganec

Comment 1 D Morgan 2012-07-04 08:03:51 CEST 
we do not build eclipse against xulrunner anymore.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 2 David Walser 2012-07-04 14:55:08 CEST 
We haven't pushed any updates for it.

rpm -qp --requires /home/linux/mageia/distrib/1/i586/media/core/release/eclipse-swt-3.6.2-12.mga1.i586.rpm # includes:

xulrunner
libxpcom.so  
libxul.so

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 3 D Morgan 2012-07-04 22:31:22 CEST 
I though this had been pushed with firefox. Anyway they are on updates_testing for mga 1 and 2

Assignee: dmorganec => bugsquad

Comment 4 David Walser 2012-07-04 22:59:17 CEST 
Right.  Doesn't this just break the Browser widget?  I guess it's a tough call between disabling functionality or leaving something mildly vulnerable (assuming you don't want to update Eclipse to a newer version).

Perhaps worthy of a discussion on mageia-dev?

CC: (none) => dmorganec

Comment 5 D Morgan 2012-07-04 23:29:54 CEST 
this have been discussed with fedora eclipse maintainer. This is the best solution and btw this is done the same way on all our releases of mga.
Comment 6 David Walser 2012-07-05 00:09:13 CEST 
Fair enough.  Thanks D Morgan.  Assigning to QA then.

Advisory
========

The xulrunner library, which is used by the eclipse-swt package to provide
the functionality of the Browser widget in applications using the SWT
user interface library (including Eclipse itself), has been found to have
numerous security vulnerabilities (see our previous advisories for Firefox
for more information on these).

Eclipse has now been built without support for xulrunner, so that users of
Eclipse and other SWT programs will not be exposed to these security
vulnerabilities.  The SWT Browser widget will no longer be functional in
any applications that use it.  Users that require SWT Browser widget
functionality will need to use an Eclipse distribution from upstream.

Packages in core/updates_testing:
eclipse-jdt-3.6.2-12.1.mga1
eclipse-pde-3.6.2-12.1.mga1
eclipse-platform-3.6.2-12.1.mga1
eclipse-rcp-3.6.2-12.1.mga1
eclipse-swt-3.6.2-12.1.mga1
eclipse-equinox-osgi-3.7.1-3.1.mga2
eclipse-jdt-3.7.1-3.1.mga2
eclipse-pde-3.7.1-3.1.mga2
eclipse-platform-3.7.1-3.1.mga2
eclipse-rcp-3.7.1-3.1.mga2
eclipse-swt-3.7.1-3.1.mga2

from SRPMS:
eclipse-3.6.2-12.1.mga1.src.rpm
eclipse-3.7.1-3.1.mga2.src.rpm

Version: 1 => 2
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => MGA1TOO

David Walser 2012-07-05 00:10:03 CEST

Summary: eclipse-swt in Mageia 1 may need to be updated to work with current xulrunner => eclipse-swt is built with old xulrunner, exposing it to security issues

Comment 7 Dave Hodgins 2012-07-05 05:33:00 CEST 
Are the various ant packages in Core Updates Testing part of this update?

I'm testing on Mageia 2 i586.

CC: (none) => davidwhodgins

Comment 8 Dave Hodgins 2012-07-05 05:39:37 CEST 
Some errors during installation ...

    71/73: eclipse-platform      #################################################################################
warning: %post(eclipse-platform-1:3.7.1-3.1.mga2.i586) scriptlet failed, exit status 1
    72/73: eclipse-jdt           #################################################################################
warning: %post(eclipse-jdt-1:3.7.1-3.1.mga2.i586) scriptlet failed, exit status 1
    73/73: eclipse-pde           #################################################################################
warning: %post(eclipse-pde-1:3.7.1-3.1.mga2.i586) scriptlet failed, exit status 1

They all have ...
postinstall scriptlet (using /bin/sh):
eclipse-reconciler.sh > /dev/null
Comment 9 Dave Hodgins 2012-07-05 05:51:05 CEST 
Testing complete on Mageia 2 i586.

Just testing that eclipse is working.

After installing eclipse, went through the tutorial to create and run a java
HelloWorld project.

I'll leave it for D Morgan to decide whether or not to fix the scriplet errors.

Whiteboard: MGA1TOO => MGA1TOO, mga2-32-OK

Comment 10 D Morgan 2012-07-05 07:35:38 CEST 
yes let see what is broken
Comment 11 D Morgan 2012-07-05 08:11:46 CEST 
please test eclipse-3.7.1-3.3.mga2
Comment 12 David Walser 2012-07-05 13:27:19 CEST 
ant is part of the Bug 6331 update.  Updating advisory for new package version.

Advisory
========

The xulrunner library, which is used by the eclipse-swt package to provide
the functionality of the Browser widget in applications using the SWT
user interface library (including Eclipse itself), has been found to have
numerous security vulnerabilities (see our previous advisories for Firefox
for more information on these).

Eclipse has now been built without support for xulrunner, so that users of
Eclipse and other SWT programs will not be exposed to these security
vulnerabilities.  The SWT Browser widget will no longer be functional in
any applications that use it.  Users that require SWT Browser widget
functionality will need to use an Eclipse distribution from upstream.

Packages in core/updates_testing:
eclipse-jdt-3.6.2-12.1.mga1
eclipse-pde-3.6.2-12.1.mga1
eclipse-platform-3.6.2-12.1.mga1
eclipse-rcp-3.6.2-12.1.mga1
eclipse-swt-3.6.2-12.1.mga1
eclipse-equinox-osgi-3.7.1-3.3.mga2
eclipse-jdt-3.7.1-3.3.mga2
eclipse-pde-3.7.1-3.3.mga2
eclipse-platform-3.7.1-3.3.mga2
eclipse-rcp-3.7.1-3.3.mga2
eclipse-swt-3.7.1-3.3.mga2

from SRPMS:
eclipse-3.6.2-12.1.mga1.src.rpm
eclipse-3.7.1-3.3.mga2.src.rpm
Comment 13 Samuel Verschelde 2012-07-23 21:24:48 CEST 
Testing complete on Mageia 1 32 bits. I followed and completed the Hello World tutorial.

CC: (none) => stormi
Whiteboard: MGA1TOO, mga2-32-OK => MGA1TOO, mga2-32-OK, mga1-32-OK

Comment 14 Samuel Verschelde 2012-07-23 23:53:49 CEST 
Testing complete on Mageia 1 64 bits.

Whiteboard: MGA1TOO, mga2-32-OK, mga1-32-OK => MGA1TOO, mga2-32-OK, mga1-32-OK, mga1-64-OK

Comment 15 Samuel Verschelde 2012-07-28 17:03:58 CEST 
Testing still needed on Mageia 2 64 bits.

Procedure:
- urpmi eclipse
- start eclipse, then follow the "Hello world" tutorial which is included in eclipse.

Whiteboard: MGA1TOO, mga2-32-OK, mga1-32-OK, mga1-64-OK => MGA1TOO, has_procedure, mga2-32-OK, mga1-32-OK, mga1-64-OK

Comment 16 Shlomi Fish 2012-07-28 19:25:57 CEST 
(In reply to comment #15)
> Testing still needed on Mageia 2 64 bits.
> 
> Procedure:
> - urpmi eclipse
> - start eclipse, then follow the "Hello world" tutorial which is included in
> eclipse.

Done. Works fine.

Regards,

-- Shlomi Fish

CC: (none) => shlomif
Whiteboard: MGA1TOO, has_procedure, mga2-32-OK, mga1-32-OK, mga1-64-OK => MGA1TOO, has_procedure, mga2-32-OK, mga1-32-OK, mga1-64-OK, mga2-64-OK

Comment 17 Samuel Verschelde 2012-07-28 20:07:40 CEST 
Thanks Shlomi.

Update validated. No linking required.

See comment #12 for advisory and packages.
Comment 18 Samuel Verschelde 2012-07-28 20:08:05 CEST 
update validated, see previous comment and comment #12

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 19 Thomas Backlund 2012-07-29 22:29:47 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0183

Status: REOPENED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED