Bug 22283 - Multiple security updates in iceape 2.49.1
Summary: Multiple security updates in iceape 2.49.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-29 11:13 CET by Christiaan Welvaart
Modified: 2018-01-02 12:49 CET (History)

See Also:
Source RPM: iceape-2.48-1.mga6.src.rpm
CVE:
Status comment:

Description Christiaan Welvaart 2017-12-29 11:13:00 CET
Iceape's upstream released seamonkey 2.49.1 which fixes several security issues. It is based on firefox's 52 branch so all Firefox 52ESR security fixes can be applied to this iceape version as well.
Christiaan Welvaart 2017-12-29 11:13:42 CET

CC: (none) => cjw
Whiteboard: (none) => MGA5TOO
Status: NEW => ASSIGNED

Comment 1 Christiaan Welvaart 2017-12-29 11:19:28 CET
Updated packages are available for testing:

MGA5
SRPM:
iceape-2.49.1-2.mga5.src.rpm
RPMS:
iceape-2.49.1-2.mga5.i586.rpm
iceape-2.49.1-2.mga5.x86_64

MGA6
SRPM:
iceape-2.49.1-2.mga6.src.rpm
RPMS:
iceape-2.49.1-2.mga6.i586.rpm
iceape-2.49.1-2.mga6.x86_64
iceape-2.49.1-2.mga6.armv5tl.rpm
iceape-2.49.1-2.mga6.armv7hl.rpm


Proposed advisory:

Updated iceape packages include security fixes from upstream Seamonkey and Firefox:

Multiple flaws were found in the way Iceape 2.48 processes various types of web content, where loading a web page containing malicious content could cause Iceape to crash, execute arbitrary code, or disclose sensitive information. (CVE-2016-10196,CVE-2017-5398,CVE-2017-5399,CVE-2017-5400,CVE-2017-5401,CVE-2017-5402,CVE-2017-5403,CVE-2017-5404,CVE-2017-5405,CVE-2017-5406,CVE-2017-5407,CVE-2017-5409,CVE-2017-5410,CVE-2017-5411,CVE-2017-5408,CVE-2017-5412,CVE-2017-5413,CVE-2017-5414,CVE-2017-5415,CVE-2017-5416,CVE-2017-5417,CVE-2017-5425,CVE-2017-5426,CVE-2017-5427,CVE-2017-5418,CVE-2017-5419,CVE-2017-5420,CVE-2017-5421,CVE-2017-5422,CVE-2017-5429,CVE-2017-5430,CVE-2017-5432,CVE-2017-5433,CVE-2017-5434,CVE-2017-5435,CVE-2017-5436,CVE-2017-5438,CVE-2017-5439,CVE-2017-5440,CVE-2017-5441,CVE-2017-5442,CVE-2017-5443,CVE-2017-5444,CVE-2017-5445,CVE-2017-5446,CVE-2017-5447,CVE-2017-5448,CVE-2017-5449,CVE-2017-5451,CVE-2017-5454,CVE-2017-5455,CVE-2017-5456,CVE-2017-5459,CVE-2017-5460,CVE-2017-5461,CVE-2017-5462,CVE-2017-5464,CVE-2017-5465,CVE-2017-5466,CVE-2017-5467,CVE-2017-5469,CVE-2017-5470,CVE-2017-5472,CVE-2017-7749,CVE-2017-7750,CVE-2017-7751,CVE-2017-7752,CVE-2017-7753,CVE-2017-7754,CVE-2017-7755,CVE-2017-7756,CVE-2017-7757,CVE-2017-7758,CVE-2017-7760,CVE-2017-7761,CVE-2017-7763,CVE-2017-7764,CVE-2017-7765,CVE-2017-7766,CVE-2017-7767,CVE-2017-7768,CVE-2017-7778,CVE-2017-7779,CVE-2017-7782,CVE-2017-7784,CVE-2017-7785,CVE-2017-7786,CVE-2017-7787,CVE-2017-7791,CVE-2017-7792,CVE-2017-7793,CVE-2017-7798,CVE-2017-7800,CVE-2017-7801,CVE-2017-7802,CVE-2017-7803,CVE-2017-7804,CVE-2017-7805,CVE-2017-7807,CVE-2017-7809,CVE-2017-7810,CVE-2017-7814,CVE-2017-7818,CVE-2017-7819,CVE-2017-7823,CVE-2017-7824,CVE-2017-7825,CVE-2017-7826,CVE-2017-7828,CVE-2017-7830,CVE-2017-7843,CVE-2017-7845)

References:

https://www.mozilla.org/en-US/security/advisories/mfsa2017-05/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-12/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-19/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-22/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-25/
https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/

Assignee: cjw => qa-bugs

Comment 2 Herman Viaene 2017-12-29 17:28:48 CET
MGA5-32 on Dell Latitude D600 Xfce
No installation issues
At first start iceape imported my Thunderbird settings, but no bookmarks from Firefox. I could send an e-mail from iceape and browse the Mageia pages. OK for me

Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
CC: (none) => herman.viaene

Comment 3 Lewis Smith 2017-12-29 22:16:35 CET
Testing M5 x64

Installed issued version, started browser 'Navigator' which immediately & correctly complained about needing to be updated. Which I did from Updates Testing.

AFTER update to: iceape-2.49.1-2.mga5

This thing is a shambles. It is supposed to offer:
This package contains the web browser ("navigator"),
a WYSIWYG HTML editor ("composer"), and also:
"mail": an e-mail client, news reader, and address book
"irc": the chatzilla IRC client

There is only one binary 'iceape'; but menu items for the following applications:

- IceApe Address Book
This works. Common closure problem noted below.

- IceApe News
Brings up the e-mail program [mail], which works: I configured an e-mail account, and sent & received msgs on it. Common closure problem, below.

No sign of a separate 'news reader' application. Perhaps this e-mail component does that.

- IceApe Navigator
The browser, which works: I am using it. I have tried all sorts of normal usage, including video with sound, all OK. Also configuring it. It is the target of the common closure problem.

- ChatZilla
*Does not exist* [irc]. Brings up the browser [navigator].

- IceApe Composer
Brings up an HTML editor which works. Common closure problem.

The application closure problem
-------------------------------
What I describe I have only tried with the browser running, which I could not close because this report is being done with it... The Address Book, E-mail and Composer programs do not close properly:
- Ctrl/Q
- File -> Quit
*both* divert to the browser, and pop up a dialogue asking about saving the open tabs before ending it.
OTOH
- Window close button 'X'
- Alt/F4
both *do* work.

This needs some work before an OK. Hence the feedback request.

Keywords: (none) => advisory, feedback
CC: (none) => lewyssmith

Comment 4 Lewis Smith 2017-12-30 11:39:12 CET
I see that the e-mail program *is* for news feeds also.

I have just tested *without* the browser Navigator running, under KDE as previously (but not stated):
- Address book
- E-mail/News
- Composer
and all 3 *did* behave=end properly for Ctrl/Q and File->Quit.

Hope this helps. Do you want bugs for that problem; and the lack of 'chat'?

Comment 5 Christiaan Welvaart 2017-12-30 13:14:44 CET
Thanks for testing!

About chatzilla, I noticed it disappeared and removed it from the package description in cauldron (forgot about mga6&mga5). The thing you're complaining about is the desktop entry, which is more important than a package description. I'll remove this obsolete desktop entry (in cauldron at least).

iceape/seamonkey is one big application: the browser, mail&news, and HTML editor windows are not separate applications/processes. The different desktop entries can be confusing but this is a way to advertise the different features of iceape.

Specifically, CTRL-Q/File->Quit quits the whole iceape application, so the behavior you describe is correct.

Note that this is a (security) update - problems that already existed in the previous version (or specifically the original version in the stable mageia release) can be ignored.

Comment 6 Lewis Smith 2017-12-31 15:14:49 CET
Thank you Christiaan for your explanations.
I see that the curious sub-application closure problem was always there, so we can ignore.

> The thing you're complaining about is the desktop entry, which is more
> important than a package description. I'll remove this obsolete desktop
> entry (in cauldron at least).
It is certainly wrong to see:
- in the package description: "irc": the chatzilla IRC client
- in the menus, entries for the 'chat' client
which no longer exists.
If it would be easy to re-make these packages without these redundant references, please do so (needs a sub-version bump). If you feel it is not worth it, please say so here, and we will pass the packages as-are.
Trivial though this is, to a new M6 user (or existing user with the IRC client) it would matter - and warrant bugs.

> About chatzilla, I noticed it disappeared
If it is so that the previous version of iceape *had* the IRC client (I can revert & see), its disappearance also needs mentioning in the Advisory. Do you agree?

Comment 7 David Walser 2017-12-31 22:18:20 CET
Christiaan has removed the references to Chatzilla in the package.

iceape-2.49.1-3.mga5
iceape-2.49.1-3.mga6

from SRPMS:
iceape-2.49.1-3.mga5.src.rpm
iceape-2.49.1-3.mga6.src.rpm

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO
Keywords: advisory, feedback => (none)

Dave Hodgins 2018-01-01 08:37:39 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Thomas Andrews 2018-01-01 21:10:00 CET
Installed iceape 2.48.x into 64-bit Mageia 5, and worked on setting it up. Thunderbird settings were imported automatically, and Firefox bookmarks imported.

I had to go back in time nearly 15 years for this one. Iceape/SeaMonkey works much like the old Netscape suite, before Mozilla split it off into Firefox and Thunderbird. A few points:

Herman, Iceape can import bookmarks from Firefox, but it isn't automatic. You have to export them from Firefox as an HTML file, then import them from Iceape.

Lewis, "News" is what became Thunderbird. It is both an email client and a newsgroup client. I haven't run into the window closure problem you mention, but then as yet I have not used it very much. Chatzilla is still available as a browser extension, but it is a "legacy" extension, so as with Firefox, even if it works now it probably won't after the next iceape update.

After updating to version 2.49.1-3, the first window I opened was the browser, and that took me directly to the release notes. Lots of information there, including a notice that Chatzilla is no longer included. I looked at some web pages, read some newsgroup messages, attempted unsuccessfully to find an ad blocker extension that would work, and left.

This app appears to be working as designed. Giving it the OK for MGA5-64

Whiteboard: MGA5TOO => MGA5TOO MGA5-64-OK
CC: (none) => andrewsfarm

Comment 9 Thomas Andrews 2018-01-01 21:46:27 CET
The Mageia 64-bit version acts the same. Giving it the OK, too.

Whiteboard: MGA5TOO MGA5-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK

Comment 10 Herman Viaene 2018-01-02 11:03:20 CET
Installed new version, surfed and checked and sent mail. OK to me.

Whiteboard: MGA5TOO MGA5-64-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-64-OK MGA5-32-OK

Comment 11 Lewis Smith 2018-01-02 12:04:39 CET
(In reply to David Walser from comment #7)
> Christiaan has removed the references to Chatzilla in the package.
Thank you for that. And sorry for so much noise about it.

Last look at : iceape-2.49.1-3.mga6
The 'chatzilla' menu entry has indeed gone. Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2018-01-02 12:49:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0018.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
