Mozilla has issued an advisory on August 6:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

The issue is fixed in versions 38.1.1 and 39.0.3. This issue is reportedly being exploited in the wild.

I'll assign this to Thierry for Cauldron, and I can take care of stable.

There's also a new rootcerts (checked into SVN) and it looks like nss 3.19.3 is supposed to be coming soon, so I'll take care of that when it lands.
Whiteboard: (none) => MGA5TOO, MGA4TOO
Thierry, I've fixed the typo I made in the Cauldron firefox-l10n SPEC when I added the an language and checked in the update to 39.0.3 for that package in SVN. Please be careful with how you check in new sources. Do not use mgarepo sync -c, it makes a total mess out of SVN. When you updated to 39.0 it made like 90 SVN commits instead of what should have been one. Just use mgarepo sync -d to download the new source and then mgarepo ci to commit the updated SPEC and sha1.lst in one commit. I also fixed the xpidir and put a comment in there to change it back when we switch back to ESR.
It looks like the NSS 3.19.3 update will just be about the rootcerts update, so I'm not sure why they haven't finalized it yet. The release notes are here: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
Updates are now checked into SVN for Mageia 4, Mageia 5, and Cauldron. Will start pushing the stable release builds soon.
ff-40 will be released in 4 days so we can as well wait for it for Cauldron
Of course, if the patch is already ready in the cauldron branch, let's go
(In reply to Thierry Vignaud from comment #4)
> ff-40 will be released in 4 days so we can as well wait for it for Cauldron

Yeah, I thought the timing was a bit odd, since I thought I remembered that the next Mozilla releases would be out August 12th. I guess you're saying the 11th, either way, 4 or 5 days away. I guess it's a serious enough issue that they really wanted to get this out now, since it's being actively exploited.

(In reply to Thierry Vignaud from comment #5)
> Of course, if the patch is already ready in the cauldron branch, let's go

OK :o)
(In reply to David Walser from comment #6)
No problem with that :-)

(In reply to David Walser from comment #1)
Yep, I could have searched for the origin of the bug, I just went the faster

> Do not use mgarepo sync -c, it makes a total mess out of SVN

Humm I never use "mgarepo sync -c" though... Just "mgarepo sync"

What I do is: as the handling of files that are updated but keep the same name doesn't work well with mgarepo sync, I:
1) wipe the SOURCES/sha1.lst content,
2) remove all the xpi,
3) download the new ones,
4) then run "mgarepo sync"

really sg like:
(echo "new release">log; mgarepo sync && svn ci -m "$(<log)" && mgarepo submit</dev/null)

About "mgarepo sync -d", I never looked at that one.
I guess I should use "mgarepo sync -d" & "mgarepo ci" (especially if Colin ever does the switch to git :-)
(echo "new release">log; mgarepo sync -d && mgarepo ci -F log && mgarepo submit</dev/null)
or:
(mgarepo sync -d && mgarepo ci -m "new release" && mgarepo submit</dev/null)
Which reminds me, please put the actual version number in the log instead of "new release" which makes it impossible to find things in SVN history.

But thanks for the clarification. I'm actually confused though. The process you outlined there won't commit each xpi file in a separate commit. The process you outlined is actually perfectly fine. If you look at "mgarepo log firefox-l10n" or here:
http://svnweb.mageia.org/packages/cauldron/firefox-l10n/current/SOURCES/sha1.lst?view=log

you see the large number of separate commits, silently uploading each xpi file one at a time. The only thing I know of that does this is mgarepo sync -c, which looks *exactly* like that when it operates.

In fact, mgarepo sync -d by itself is fine for downloading and uploading source files when the name changes (usually because the version is in the name), but if the names don't change, as with the xpi files, you actually do need to clear them out of sha1.lst and delete them before you run mgarepo sync -d, just as you correctly stated.

So it should be almost as you described at first:
0) edit SPEC file to update the version
1) echo -n "" > SOURCES/sha1.lst
2) rm -f SOURCES/*.xpi
3) mgarepo sync -d
4) mgarepo ci -m 'new version 38.1.1'
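Added example, not part of the thread or of mgarepo: the case both comments above describe (an .xpi whose content changes while its name stays the same) leaves SOURCES/sha1.lst disagreeing with the files on disk. The function below reports such entries before a commit; it assumes sha1.lst holds sha1sum-style lines ("<digest>  <filename>"), and the name stale_sources is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of mgarepo).
# Assumption: SOURCES/sha1.lst holds sha1sum-style lines,
# "<40-hex-digest>  <filename>", with names relative to SOURCES/.

# stale_sources PKGDIR
# Prints one line per problem found:
#   STALE <file>     recorded digest differs from the file on disk
#   MISSING <file>   listed in sha1.lst but not present in SOURCES/
#   UNLISTED <file>  .xpi present in SOURCES/ but not recorded
# Returns 0 when list and directory agree, 1 otherwise.
stale_sources() {
    pkgdir=$1
    list="$pkgdir/SOURCES/sha1.lst"
    status=0
    [ -f "$list" ] || { echo "NOLIST $list"; return 1; }

    # Pass 1: every recorded entry must match the file's current digest.
    while read -r digest name || [ -n "$digest" ]; do
        [ -n "$digest" ] || continue
        src="$pkgdir/SOURCES/$name"
        if [ ! -f "$src" ]; then
            echo "MISSING $name"; status=1
            continue
        fi
        actual=$(sha1sum < "$src" | cut -d' ' -f1)
        if [ "$actual" != "$digest" ]; then
            echo "STALE $name"; status=1
        fi
    done < "$list"

    # Pass 2: every langpack on disk must be recorded (exact name match).
    for src in "$pkgdir"/SOURCES/*.xpi; do
        [ -f "$src" ] || continue
        name=${src##*/}
        if ! awk -v n="$name" '$2 == n { f = 1 } END { exit !f }' "$list"; then
            echo "UNLISTED $name"; status=1
        fi
    done
    return $status
}
```

Run as `stale_sources .` from the package checkout; any STALE line means the file was replaced without clearing its old entry from sha1.lst.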
Thierry, the build in Cauldron failed:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150807135859.luigiwalser.valstar.29013/log/firefox-39.0.3-1.mga6/build.0.20150807140003.log

It ends with:
+ /usr/lib/rpm/brp-python-hardlink
Processing files: firefox-39.0.3-1.mga6.i586
error: Empty %files file /home/iurt/rpmbuild/BUILD/mozilla-release/firefox.lang

which I think means that %find_lang %{name} didn't find anything (though I don't know that the build should fail because of that). Maybe an RPM bug?
(In reply to David Walser from comment #9)
> Thierry, the build in Cauldron failed:
> http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150807135859.luigiwalser.valstar.29013/log/firefox-39.0.3-1.mga6/build.0.20150807140003.log
>
> It ends with:
> + /usr/lib/rpm/brp-python-hardlink
> Processing files: firefox-39.0.3-1.mga6.i586
> error: Empty %files file /home/iurt/rpmbuild/BUILD/mozilla-release/firefox.lang
>
> which I think means that %find_lang %{name} didn't find anything (though I
> don't know that the build should fail because of that). Maybe an RPM bug?

Or maybe the %find_lang call isn't needed.
Updated packages uploaded for Mageia 4 and Mageia 5. Cauldron fix pending.

Note that this is urgent because this issue is being exploited in the wild.

Also note that this fixes the missing Norwegian langpacks from the 38.1 update.

Advisory:
========================

Updated firefox packages fix security vulnerability:

Security researcher Cody Crews reported on a way to violate the same origin policy and inject script into a non-privileged part of the built-in PDF Viewer in Firefox. This would allow an attacker to read and steal sensitive local files on the victim's computer (CVE-2015-4495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
========================

Updated packages in core/updates_testing:
========================
firefox-38.1.1-1.mga4 firefox-devel-38.1.1-1.mga4 firefox-af-38.1.1-1.mga4 firefox-an-38.1.1-1.mga4 firefox-ar-38.1.1-1.mga4 firefox-as-38.1.1-1.mga4 firefox-ast-38.1.1-1.mga4 firefox-az-38.1.1-1.mga4 firefox-be-38.1.1-1.mga4 firefox-bg-38.1.1-1.mga4 firefox-bn_IN-38.1.1-1.mga4 firefox-bn_BD-38.1.1-1.mga4 firefox-br-38.1.1-1.mga4 firefox-bs-38.1.1-1.mga4 firefox-ca-38.1.1-1.mga4 firefox-cs-38.1.1-1.mga4 firefox-cy-38.1.1-1.mga4 firefox-da-38.1.1-1.mga4 firefox-de-38.1.1-1.mga4 firefox-el-38.1.1-1.mga4 firefox-en_GB-38.1.1-1.mga4 firefox-en_US-38.1.1-1.mga4 firefox-en_ZA-38.1.1-1.mga4 firefox-eo-38.1.1-1.mga4 firefox-es_AR-38.1.1-1.mga4 firefox-es_CL-38.1.1-1.mga4 firefox-es_ES-38.1.1-1.mga4 firefox-es_MX-38.1.1-1.mga4 firefox-et-38.1.1-1.mga4 firefox-eu-38.1.1-1.mga4 firefox-fa-38.1.1-1.mga4 firefox-ff-38.1.1-1.mga4 firefox-fi-38.1.1-1.mga4 firefox-fr-38.1.1-1.mga4 firefox-fy_NL-38.1.1-1.mga4 firefox-ga_IE-38.1.1-1.mga4 firefox-gd-38.1.1-1.mga4 firefox-gl-38.1.1-1.mga4 firefox-gu_IN-38.1.1-1.mga4 firefox-he-38.1.1-1.mga4 firefox-hi_IN-38.1.1-1.mga4 firefox-hr-38.1.1-1.mga4
firefox-hsb-38.1.1-1.mga4 firefox-hu-38.1.1-1.mga4 firefox-hy_AM-38.1.1-1.mga4 firefox-id-38.1.1-1.mga4 firefox-is-38.1.1-1.mga4 firefox-it-38.1.1-1.mga4 firefox-ja-38.1.1-1.mga4 firefox-kk-38.1.1-1.mga4 firefox-km-38.1.1-1.mga4 firefox-kn-38.1.1-1.mga4 firefox-ko-38.1.1-1.mga4 firefox-lij-38.1.1-1.mga4 firefox-lt-38.1.1-1.mga4 firefox-lv-38.1.1-1.mga4 firefox-mai-38.1.1-1.mga4 firefox-mk-38.1.1-1.mga4 firefox-ml-38.1.1-1.mga4 firefox-mr-38.1.1-1.mga4 firefox-ms-38.1.1-1.mga4 firefox-nb_NO-38.1.1-1.mga4 firefox-nl-38.1.1-1.mga4 firefox-nn_NO-38.1.1-1.mga4 firefox-or-38.1.1-1.mga4 firefox-pa_IN-38.1.1-1.mga4 firefox-pl-38.1.1-1.mga4 firefox-pt_BR-38.1.1-1.mga4 firefox-pt_PT-38.1.1-1.mga4 firefox-ro-38.1.1-1.mga4 firefox-ru-38.1.1-1.mga4 firefox-si-38.1.1-1.mga4 firefox-sk-38.1.1-1.mga4 firefox-sl-38.1.1-1.mga4 firefox-sq-38.1.1-1.mga4 firefox-sr-38.1.1-1.mga4 firefox-sv_SE-38.1.1-1.mga4 firefox-ta-38.1.1-1.mga4 firefox-te-38.1.1-1.mga4 firefox-th-38.1.1-1.mga4 firefox-tr-38.1.1-1.mga4 firefox-uk-38.1.1-1.mga4 firefox-uz-38.1.1-1.mga4 firefox-vi-38.1.1-1.mga4 firefox-xh-38.1.1-1.mga4 firefox-zh_CN-38.1.1-1.mga4 firefox-zh_TW-38.1.1-1.mga4 firefox-38.1.1-1.mga5 firefox-devel-38.1.1-1.mga5 firefox-af-38.1.1-1.mga5 firefox-an-38.1.1-1.mga5 firefox-ar-38.1.1-1.mga5 firefox-as-38.1.1-1.mga5 firefox-ast-38.1.1-1.mga5 firefox-az-38.1.1-1.mga5 firefox-be-38.1.1-1.mga5 firefox-bg-38.1.1-1.mga5 firefox-bn_IN-38.1.1-1.mga5 firefox-bn_BD-38.1.1-1.mga5 firefox-br-38.1.1-1.mga5 firefox-bs-38.1.1-1.mga5 firefox-ca-38.1.1-1.mga5 firefox-cs-38.1.1-1.mga5 firefox-cy-38.1.1-1.mga5 firefox-da-38.1.1-1.mga5 firefox-de-38.1.1-1.mga5 firefox-el-38.1.1-1.mga5 firefox-en_GB-38.1.1-1.mga5 firefox-en_US-38.1.1-1.mga5 firefox-en_ZA-38.1.1-1.mga5 firefox-eo-38.1.1-1.mga5 firefox-es_AR-38.1.1-1.mga5 firefox-es_CL-38.1.1-1.mga5 firefox-es_ES-38.1.1-1.mga5 firefox-es_MX-38.1.1-1.mga5 firefox-et-38.1.1-1.mga5 firefox-eu-38.1.1-1.mga5 firefox-fa-38.1.1-1.mga5 firefox-ff-38.1.1-1.mga5 
firefox-fi-38.1.1-1.mga5 firefox-fr-38.1.1-1.mga5 firefox-fy_NL-38.1.1-1.mga5 firefox-ga_IE-38.1.1-1.mga5 firefox-gd-38.1.1-1.mga5 firefox-gl-38.1.1-1.mga5 firefox-gu_IN-38.1.1-1.mga5 firefox-he-38.1.1-1.mga5 firefox-hi_IN-38.1.1-1.mga5 firefox-hr-38.1.1-1.mga5 firefox-hsb-38.1.1-1.mga5 firefox-hu-38.1.1-1.mga5 firefox-hy_AM-38.1.1-1.mga5 firefox-id-38.1.1-1.mga5 firefox-is-38.1.1-1.mga5 firefox-it-38.1.1-1.mga5 firefox-ja-38.1.1-1.mga5 firefox-kk-38.1.1-1.mga5 firefox-km-38.1.1-1.mga5 firefox-kn-38.1.1-1.mga5 firefox-ko-38.1.1-1.mga5 firefox-lij-38.1.1-1.mga5 firefox-lt-38.1.1-1.mga5 firefox-lv-38.1.1-1.mga5 firefox-mai-38.1.1-1.mga5 firefox-mk-38.1.1-1.mga5 firefox-ml-38.1.1-1.mga5 firefox-mr-38.1.1-1.mga5 firefox-ms-38.1.1-1.mga5 firefox-nb_NO-38.1.1-1.mga5 firefox-nl-38.1.1-1.mga5 firefox-nn_NO-38.1.1-1.mga5 firefox-or-38.1.1-1.mga5 firefox-pa_IN-38.1.1-1.mga5 firefox-pl-38.1.1-1.mga5 firefox-pt_BR-38.1.1-1.mga5 firefox-pt_PT-38.1.1-1.mga5 firefox-ro-38.1.1-1.mga5 firefox-ru-38.1.1-1.mga5 firefox-si-38.1.1-1.mga5 firefox-sk-38.1.1-1.mga5 firefox-sl-38.1.1-1.mga5 firefox-sq-38.1.1-1.mga5 firefox-sr-38.1.1-1.mga5 firefox-sv_SE-38.1.1-1.mga5 firefox-ta-38.1.1-1.mga5 firefox-te-38.1.1-1.mga5 firefox-th-38.1.1-1.mga5 firefox-tr-38.1.1-1.mga5 firefox-uk-38.1.1-1.mga5 firefox-uz-38.1.1-1.mga5 firefox-vi-38.1.1-1.mga5 firefox-xh-38.1.1-1.mga5 firefox-zh_CN-38.1.1-1.mga5 firefox-zh_TW-38.1.1-1.mga5 from SRPMS: firefox-38.1.1-1.mga4.src.rpm firefox-l10n-38.1.1-1.mga4.src.rpm firefox-38.1.1-1.mga5.src.rpm firefox-l10n-38.1.1-1.mga5.src.rpm
CC: (none) => thierry.vignaud
Version: Cauldron => 5
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Thierry, the qemu build in Cauldron also failed for the same reason:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150807142538.luigiwalser.valstar.13521/log/qemu-2.1.3-4.mga6/build.0.20150807142603.log

Processing files: qemu-2.1.3-4.mga6.x86_64
error: Empty %files file /home/iurt/rpmbuild/BUILD/qemu-2.1.3/qemu.lang

There's definitely an issue with RPM or find_lang in Cauldron.
Tested and working fine. Missing firefox-en_GB-38.1.1-1.mga5 from the mirror I used, assuming that's related to the aforementioned find_lang issue
CC: (none) => smorgan
Advisory uploaded. Will test mga4 32 when they land on my mirror.
Whiteboard: MGA4TOO => MGA4TOO advisory
en_GB present mga4
en_GB is not available on this mirror for mga5
Tested pdf viewer with a testcase from one of the references on Mozilla's announcement. Doesn't test the vulnerability AFAICT but the builtin pdf viewer.
https://bug1179262.bmoattachments.org/attachment.cgi?id=8628302

Tested flash at dailymotion, html5 at youtube, spellcheck here, javascript at sunspider:
http://www.webkit.org/perf/sunspider/sunspider.html

All else appears normal.
Whiteboard: MGA4TOO advisory => MGA4TOO advisory has_procedure mga4-32-ok
Sorry, typo in previous comment. en_GB is NOW present on the mirror (mga5).
Everything's working fine on Mageia 4 and Mageia 5 i586.
Whiteboard: MGA4TOO advisory has_procedure mga4-32-ok => MGA4TOO advisory has_procedure mga4-32-ok mga5-32-ok
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0305.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/653867/
Testing Mageia 5 x64

Although the update had already been pushed, I tried the useful links from Claire's Comment 17. In fact the second one:
http://www.webkit.org/perf/sunspider/sunspider.html
recommends instead:
http://browserbench.org/JetStream/

BTAIM I ran both, also the first PDF 3 x view URL, and looked at the BBC site. Seems OK.
CC: (none) => lewyssmith
Whiteboard: MGA4TOO advisory has_procedure mga4-32-ok mga5-32-ok => MGA4TOO advisory has_procedure mga4-32-ok mga5-32-ok MGA4-64-OK