| Summary: | [Update Request]Update firefox and thunderbird package to fix CVE-2013-0787 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Funda Wang <fundawang> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | dmorganec, oe, sysadmin-bugs, wrw105 |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.mozilla.org/security/announce/2013/mfsa2013-29.html | ||
| Whiteboard: | has_procedure mga2-32-ok mga2-64-ok | ||
| Source RPM: | firefox-17.0.4-1.mga2, firefox-l10n-17.0.4-1.mga2, thunderbird-17.0.4-1.mga2, thunderbird-l10n-17.0.4-1.mga2 | CVE: | |
| Status comment: | |||
Description
Funda Wang
2013-03-12 06:41:26 CET
The upstream bug is public now and has a PoC: https://bugzilla.mozilla.org/show_bug.cgi?id=848644

FF 17.0.4 is already in updates_testing for mga2

CC: (none) => oe

Can we have the list of rpms? A reason for not having an update of nss? (like always)
claire robinson
2013-03-12 13:20:41 CET
Whiteboard: (none) => feedback

This is the only change:
[oden@localhost BUILD]$ cat firefox-17.0.4esr.diff
--- firefox-17.0.3esr/editor/libeditor/base/nsEditor.cpp 2013-02-15 21:59:12.000000000 +0100
+++ firefox-17.0.4esr/editor/libeditor/base/nsEditor.cpp 2013-03-07 19:17:39.000000000 +0100
@@ -4027,9 +4027,9 @@ nsEditor::IsPreformatted(nsIDOMNode *aNo
content = content->GetParent();
}
if (content && content->IsElement()) {
- elementStyle = nsComputedDOMStyle::GetStyleContextForElement(content->AsElement(),
- nullptr,
- ps);
+ elementStyle = nsComputedDOMStyle::GetStyleContextForElementNoFlush(content->AsElement(),
+ nullptr,
+ ps);
}
if (!elementStyle)
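Review bot: the switch to GetStyleContextForElementNoFlush inside the "if (content && content->IsElement())" block of nsEditor::IsPreformatted carries no comment explaining why a flush must be avoided at this call site, so a later cleanup could swap the flushing variant back in without noticing. Suggest a short comment above the assignment stating that this path must not trigger a style flush. It is also worth confirming that the "if (!elementStyle)" fallback just below, and the callers of IsPreformatted, behave correctly when the returned style context reflects unflushed state.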
Oden are you saying it's not necessary to update nss and nspr for this update?

firefox-17.0.4-1.mga2.src.rpm firefox-l10n-17.0.4-1.mga2.src.rpm thunderbird-17.0.4-1.mga2.src.rpm thunderbird-l10n-17.0.4-1.mga2.src.rpm firefox-17.0.4-1.mga2.i586.rpm firefox-17.0.4-1.mga2.x86_64.rpm firefox-af-17.0.4-1.mga2.noarch.rpm firefox-ar-17.0.4-1.mga2.noarch.rpm firefox-ast-17.0.4-1.mga2.noarch.rpm firefox-be-17.0.4-1.mga2.noarch.rpm firefox-bg-17.0.4-1.mga2.noarch.rpm firefox-bn_BD-17.0.4-1.mga2.noarch.rpm firefox-bn_IN-17.0.4-1.mga2.noarch.rpm firefox-br-17.0.4-1.mga2.noarch.rpm firefox-bs-17.0.4-1.mga2.noarch.rpm firefox-ca-17.0.4-1.mga2.noarch.rpm firefox-cs-17.0.4-1.mga2.noarch.rpm firefox-cy-17.0.4-1.mga2.noarch.rpm firefox-da-17.0.4-1.mga2.noarch.rpm firefox-de-17.0.4-1.mga2.noarch.rpm firefox-devel-17.0.4-1.mga2.i586.rpm firefox-devel-17.0.4-1.mga2.x86_64.rpm firefox-el-17.0.4-1.mga2.noarch.rpm firefox-en_GB-17.0.4-1.mga2.noarch.rpm firefox-en_ZA-17.0.4-1.mga2.noarch.rpm firefox-eo-17.0.4-1.mga2.noarch.rpm firefox-es_AR-17.0.4-1.mga2.noarch.rpm firefox-es_CL-17.0.4-1.mga2.noarch.rpm firefox-es_ES-17.0.4-1.mga2.noarch.rpm firefox-es_MX-17.0.4-1.mga2.noarch.rpm firefox-et-17.0.4-1.mga2.noarch.rpm firefox-eu-17.0.4-1.mga2.noarch.rpm firefox-fa-17.0.4-1.mga2.noarch.rpm firefox-fi-17.0.4-1.mga2.noarch.rpm firefox-fr-17.0.4-1.mga2.noarch.rpm firefox-fy-17.0.4-1.mga2.noarch.rpm firefox-ga_IE-17.0.4-1.mga2.noarch.rpm firefox-gd-17.0.4-1.mga2.noarch.rpm firefox-gl-17.0.4-1.mga2.noarch.rpm firefox-gu_IN-17.0.4-1.mga2.noarch.rpm firefox-he-17.0.4-1.mga2.noarch.rpm firefox-hi-17.0.4-1.mga2.noarch.rpm firefox-hr-17.0.4-1.mga2.noarch.rpm firefox-hu-17.0.4-1.mga2.noarch.rpm firefox-hy-17.0.4-1.mga2.noarch.rpm firefox-id-17.0.4-1.mga2.noarch.rpm firefox-is-17.0.4-1.mga2.noarch.rpm firefox-it-17.0.4-1.mga2.noarch.rpm firefox-ja-17.0.4-1.mga2.noarch.rpm firefox-kk-17.0.4-1.mga2.noarch.rpm firefox-kn-17.0.4-1.mga2.noarch.rpm firefox-ko-17.0.4-1.mga2.noarch.rpm
firefox-ku-17.0.4-1.mga2.noarch.rpm firefox-lg-17.0.4-1.mga2.noarch.rpm firefox-lt-17.0.4-1.mga2.noarch.rpm firefox-lv-17.0.4-1.mga2.noarch.rpm firefox-mai-17.0.4-1.mga2.noarch.rpm firefox-mk-17.0.4-1.mga2.noarch.rpm firefox-ml-17.0.4-1.mga2.noarch.rpm firefox-mr-17.0.4-1.mga2.noarch.rpm firefox-nb_NO-17.0.4-1.mga2.noarch.rpm firefox-nl-17.0.4-1.mga2.noarch.rpm firefox-nn_NO-17.0.4-1.mga2.noarch.rpm firefox-nso-17.0.4-1.mga2.noarch.rpm firefox-or-17.0.4-1.mga2.noarch.rpm firefox-pa_IN-17.0.4-1.mga2.noarch.rpm firefox-pl-17.0.4-1.mga2.noarch.rpm firefox-pt_BR-17.0.4-1.mga2.noarch.rpm firefox-pt_PT-17.0.4-1.mga2.noarch.rpm firefox-ro-17.0.4-1.mga2.noarch.rpm firefox-ru-17.0.4-1.mga2.noarch.rpm firefox-si-17.0.4-1.mga2.noarch.rpm firefox-sk-17.0.4-1.mga2.noarch.rpm firefox-sl-17.0.4-1.mga2.noarch.rpm firefox-sq-17.0.4-1.mga2.noarch.rpm firefox-sr-17.0.4-1.mga2.noarch.rpm firefox-sv_SE-17.0.4-1.mga2.noarch.rpm firefox-ta-17.0.4-1.mga2.noarch.rpm firefox-ta_LK-17.0.4-1.mga2.noarch.rpm firefox-te-17.0.4-1.mga2.noarch.rpm firefox-th-17.0.4-1.mga2.noarch.rpm firefox-tr-17.0.4-1.mga2.noarch.rpm firefox-uk-17.0.4-1.mga2.noarch.rpm firefox-vi-17.0.4-1.mga2.noarch.rpm firefox-zh_CN-17.0.4-1.mga2.noarch.rpm firefox-zh_TW-17.0.4-1.mga2.noarch.rpm firefox-zu-17.0.4-1.mga2.noarch.rpm nsinstall-17.0.4-1.mga2.i586.rpm nsinstall-17.0.4-1.mga2.x86_64.rpm thunderbird-17.0.4-1.mga2.i586.rpm thunderbird-17.0.4-1.mga2.x86_64.rpm thunderbird-ar-17.0.4-1.mga2.noarch.rpm thunderbird-ast-17.0.4-1.mga2.noarch.rpm thunderbird-be-17.0.4-1.mga2.noarch.rpm thunderbird-bg-17.0.4-1.mga2.noarch.rpm thunderbird-bn_BD-17.0.4-1.mga2.noarch.rpm thunderbird-br-17.0.4-1.mga2.noarch.rpm thunderbird-ca-17.0.4-1.mga2.noarch.rpm thunderbird-cs-17.0.4-1.mga2.noarch.rpm thunderbird-da-17.0.4-1.mga2.noarch.rpm thunderbird-de-17.0.4-1.mga2.noarch.rpm thunderbird-el-17.0.4-1.mga2.noarch.rpm thunderbird-en_GB-17.0.4-1.mga2.noarch.rpm thunderbird-enigmail-17.0.4-1.mga2.i586.rpm 
thunderbird-enigmail-17.0.4-1.mga2.x86_64.rpm thunderbird-es_AR-17.0.4-1.mga2.noarch.rpm thunderbird-es_ES-17.0.4-1.mga2.noarch.rpm thunderbird-et-17.0.4-1.mga2.noarch.rpm thunderbird-eu-17.0.4-1.mga2.noarch.rpm thunderbird-fi-17.0.4-1.mga2.noarch.rpm thunderbird-fr-17.0.4-1.mga2.noarch.rpm thunderbird-fy-17.0.4-1.mga2.noarch.rpm thunderbird-ga-17.0.4-1.mga2.noarch.rpm thunderbird-gd-17.0.4-1.mga2.noarch.rpm thunderbird-gl-17.0.4-1.mga2.noarch.rpm thunderbird-he-17.0.4-1.mga2.noarch.rpm thunderbird-hu-17.0.4-1.mga2.noarch.rpm thunderbird-id-17.0.4-1.mga2.noarch.rpm thunderbird-is-17.0.4-1.mga2.noarch.rpm thunderbird-it-17.0.4-1.mga2.noarch.rpm thunderbird-ja-17.0.4-1.mga2.noarch.rpm thunderbird-ko-17.0.4-1.mga2.noarch.rpm thunderbird-lt-17.0.4-1.mga2.noarch.rpm thunderbird-nb_NO-17.0.4-1.mga2.noarch.rpm thunderbird-nl-17.0.4-1.mga2.noarch.rpm thunderbird-nn_NO-17.0.4-1.mga2.noarch.rpm thunderbird-pa_IN-17.0.4-1.mga2.noarch.rpm thunderbird-pl-17.0.4-1.mga2.noarch.rpm thunderbird-pt_BR-17.0.4-1.mga2.noarch.rpm thunderbird-pt_PT-17.0.4-1.mga2.noarch.rpm thunderbird-ro-17.0.4-1.mga2.noarch.rpm thunderbird-ru-17.0.4-1.mga2.noarch.rpm thunderbird-si-17.0.4-1.mga2.noarch.rpm thunderbird-sk-17.0.4-1.mga2.noarch.rpm thunderbird-sl-17.0.4-1.mga2.noarch.rpm thunderbird-sq-17.0.4-1.mga2.noarch.rpm thunderbird-sv_SE-17.0.4-1.mga2.noarch.rpm thunderbird-ta_LK-17.0.4-1.mga2.noarch.rpm thunderbird-tr-17.0.4-1.mga2.noarch.rpm thunderbird-uk-17.0.4-1.mga2.noarch.rpm thunderbird-vi-17.0.4-1.mga2.noarch.rpm thunderbird-zh_CN-17.0.4-1.mga2.noarch.rpm thunderbird-zh_TW-17.0.4-1.mga2.noarch.rpm

(In reply to claire robinson from comment #4)
> Oden are you saying it's not necessary to update nss and nspr for this
> update?

This does not affect NSPR/NSS.
PoC is still private but some help with testing here: https://bugzilla.mozilla.org/show_bug.cgi?id=848644#c46

There's a test case in https://bugzilla.mozilla.org/show_bug.cgi?id=848644#c68 and info to reproduce in https://bugzilla.mozilla.org/show_bug.cgi?id=848644#c58 but haven't been able to reproduce. Digging more....

CC: (none) => wrw105

No crash from that one (PoC that doesn't depend on browser UI) here either. I think the working one is the one which is still private. There is very little information elsewhere, which is to be expected.

Just testing for regressions, also using the live demo at etherpad.org and selecting text then ctrl-b to make it bold, check it doesn't open the bookmarks sidebar.

Flash, java and spellcheck & general browsing etc ok in firefox
Imap, pop3, nntp, spelling & enigmail etc ok thunderbird

Testing complete mga2 32

Whiteboard: (none) => has_procedure mga2-32-ok

testing MGa2-64

bolding in etherpad online doesn't open bookmarks sidebar
Java, javascript, general browsing, flash, OK in firefox
IMAP, SMTP spelling OK in thunderbird

validating

Please see advisory in comment 0 and package list in comment 5.

Can someone in the sysadmin group please move from core/updates_testing to core/updates?

Thanks

Keywords: (none) => validated_update
Bill Wilkinson
2013-03-12 16:01:39 CET
CC: (none) => sysadmin-bugs

Just to be clear, *before* each FF/TB update is built, we should check to see if updates for rootcerts, nspr, or nss are available. At least nspr and nss usually are. The reason they weren't in this case is that this is an out-of-band update (I think that's the right term), basically done apart from their regular schedule and not including any of the other fixes they have in the current ESR tree. It was just an emergency update to fix one vulnerability found at a hacking conference that got a lot of publicity.

update pushed : https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0093

Status: NEW => RESOLVED