Bug 22776 - Firefox 52.7.3
Summary: Firefox 52.7.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK mga6-32-ok
Keywords: advisory, has_procedure, validated_update
Depends on: 22788
Blocks: 22904
  Show dependency treegraph
 
Reported: 2018-03-15 15:04 CET by David Walser
Modified: 2018-04-15 15:34 CEST (History)
8 users (show)

See Also:
Source RPM: nspr, firefox
CVE:
Status comment:


Attachments

Description David Walser 2018-03-15 15:04:11 CET
RedHat has issued an advisory today (March 15):
https://access.redhat.com/errata/RHSA-2018:0527

nspr also needs to be updated to 4.19.

nss (in Cauldron *only*) also needs to be updated to 3.36:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.36_release_notes

No rootcerts update is needed for this update.
David Walser 2018-03-15 15:04:33 CET

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2018-03-15 18:22:46 CET Comment hidden (obsolete)

Version: 6 => Cauldron
Whiteboard: MGA5TOO => MGA5TOO, MGA6TOO
CC: (none) => marja11
Source RPM: nspr, firefox => nspr, firefox, nss

Marja Van Waes 2018-03-15 18:23:24 CET

Summary: Firefox 52.7 => Firefox 52.7, nspr and (only for cauldron) nss

Comment 2 David Walser 2018-03-15 18:28:02 CET Comment hidden (obsolete)

Summary: Firefox 52.7, nspr and (only for cauldron) nss => Firefox 52.7
Version: Cauldron => 6
Whiteboard: MGA5TOO, MGA6TOO => MGA5TOO

Comment 3 Marja Van Waes 2018-03-15 18:41:40 CET Comment hidden (off-topic)

CC: (none) => tmb

Comment 4 David Walser 2018-03-15 18:47:55 CET Comment hidden (off-topic)
Comment 5 David Walser 2018-03-15 20:39:53 CET
nspr updates built:
libnspr4-4.19-1.mga5
libnspr-devel-4.19-1.mga5
libnspr4-4.19-1.mga6
libnspr-devel-4.19-1.mga6

nss update also built for Cauldron.

Firefox failed to build, and it's not apparent from the build logs why.  It could be that the build system blew up:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20180315190450.luigiwalser.duvel.12432/log/firefox-52.7.0-1.mga5/build.0.20180315191734.log
http://pkgsubmit.mageia.org/uploads/failure/6/core/updates_testing/20180315190337.luigiwalser.duvel.12264/log/firefox-52.7.0-1.mga6/build.0.20180315190635.log

RedHat didn't have to make any special adjustments to make 52.7.0 build.

Status comment: (none) => Update checked into SVN, Firefox failed to build

Comment 6 David Walser 2018-03-15 22:57:03 CET
The builds seem to be failing with:

virtual memory exhausted: Operation not permitted
/home/iurt/rpmbuild/BUILD/firefox-52.7.0esr/config/rules.mk:951: recipe for target 'UnifiedBindings21.o' failed

after the last g++ command which is trying to build firefox-52.7.0esr/objdir/media/webrtc/trunk/webrtc/modules/modules_neteq/Unified_cpp_webrtc_modules0.cpp
katnatek 2018-03-16 01:36:59 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=20617

Comment 7 katnatek 2018-03-16 01:57:40 CET
(In reply to David Walser from comment #6)
> The builds seem to be failing with:
> 
Don't know if help, but maybe you can check

https://forums.gentoo.org/viewtopic-p-7907754.html?sid=5de1fdc938300c197bf436f902476dcd#7907754

and 

https://www.linuxquestions.org/questions/linux-from-scratch-13/firefox-error-compilling-4175562649/
Comment 8 David Walser 2018-03-16 02:10:04 CET
Doesn't look like any of that is directly relevant, but it does sound like the build system may be running out of memory, as was the case in that last link.

See Also: https://bugs.mageia.org/show_bug.cgi?id=20617 => (none)

Comment 9 David Walser 2018-03-16 15:33:47 CET
Same error while trying to build 52.7.1, which apparently only fixes an issue with firefox-it:
https://www.mozilla.org/en-US/firefox/52.7.1/releasenotes/
Comment 10 David Walser 2018-03-16 18:50:55 CET
Firefox 52.7.2 has been released today (March 16):
https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/

It includes additional fixes for libvorbis (and libtremor on ARM):
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

The libtremor fix required adding an additional patch (Mageia 6 only):
http://openwall.com/lists/oss-security/2018/03/16/3

That's all checked into SVN.

We'll need to update the system libvorbis as well, which I've built:
libvorbis0-1.3.5-1.3.mga5
libvorbis-devel-1.3.5-1.3.mga5
libvorbisenc2-1.3.5-1.3.mga5
libvorbisfile3-1.3.5-1.3.mga5
libvorbis0-1.3.5-2.3.mga6
libvorbis-devel-1.3.5-2.3.mga6
libvorbisenc2-1.3.5-2.3.mga6
libvorbisfile3-1.3.5-2.3.mga6

from SRPMS:
libvorbis-1.3.5-1.3.mga5.src.rpm
libvorbis-1.3.5-2.3.mga6.src.rpm

Summary: Firefox 52.7 => Firefox 52.7.2 (and libvorbis new security issue CVE-2018-5146)
Source RPM: nspr, firefox, nss => nspr, firefox, libvorbis-1.3.5-3.mga7.src.rpm

Comment 11 David Walser 2018-03-17 04:34:59 CET
Moving libvorbis to Bug 22788.

Source RPM: nspr, firefox, libvorbis-1.3.5-3.mga7.src.rpm => nspr, firefox
Summary: Firefox 52.7.2 (and libvorbis new security issue CVE-2018-5146) => Firefox 52.7.2

David Walser 2018-03-17 04:35:03 CET

Depends on: (none) => 22788

Comment 12 Marja Van Waes 2018-03-17 10:35:08 CET
(In reply to David Walser from comment #10)
> Firefox 52.7.2 has been released today (March 16):
> https://www.mozilla.org/en-US/firefox/52.7.2/releasenotes/
> 
> It includes additional fixes for libvorbis (and libtremor on ARM):
> https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/
> 
> The libtremor fix required adding an additional patch (Mageia 6 only):
> http://openwall.com/lists/oss-security/2018/03/16/3
> 
> That's all checked into SVN.
> 

Now really assigning to all packagers collectively.

Atm, firefox-52.7.1-1.mga6 is still in the "builds in progress:" list for arm.

Assignee: bugsquad => pkg-bugs
Status comment: Update checked into SVN, Firefox failed to build => Update checked into SVN, Firefox-52.7.1 and 52.7.0 failed to build

Comment 13 David Walser 2018-03-17 17:36:24 CET
I've also checked a rediffed patch for sqlite3's CVE-2018-8740 (Bug 22792) in to Mageia 5 SVN for the firefox package, as it builds with the bundled sqlite3 (Mageia 6 uses the system sqlite3).

Status comment: Update checked into SVN, Firefox-52.7.1 and 52.7.0 failed to build => Update checked into SVN, Firefox failed to build
Assignee: pkg-bugs => sysadmin-bugs

Comment 14 David Walser 2018-03-19 12:55:33 CET
RedHat has issued an advisory for Firefox 52.7.2 today (March 19):
https://access.redhat.com/errata/RHSA-2018:0549
Comment 15 David Walser 2018-03-27 03:59:43 CEST
Firefox 52.7.3 has been released today (March 26):
https://www.mozilla.org/en-US/firefox/52.7.3/releasenotes/

It fixes one additional issue:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/

It has been checked into SVN.

Summary: Firefox 52.7.2 => Firefox 52.7.3

Comment 16 Thomas Backlund 2018-04-13 10:34:17 CEST

firefox-52.7.3-2.mga6 in now built on i586, x86_64 build is still in progress...

The needed fixes from Cauldron firefox was:

--- firefox.spec        2018-04-13 11:24:02.702645518 +0300
+++ firefox.spec.new    2018-04-13 10:59:26.432716546 +0300
@@ -293,6 +302,14 @@
 # See also https://fedoraproject.org/wiki/Changes/Harden_All_Packages
 MOZ_OPT_FLAGS="$MOZ_OPT_FLAGS -Wformat-security -Wformat -Werror=format-security"
 MOZ_OPT_FLAGS="$MOZ_OPT_FLAGS -fPIC -Wl,-z,relro -Wl,-z,now"
+%ifnarch x86_64
+MOZ_OPT_FLAGS=$(echo "$MOZ_OPT_FLAGS" | %{__sed} -e 's/-g/-g1/')
+# If MOZ_DEBUG_FLAGS is empty, firefox's build will default it to "-g" which
+# overrides the -g1 from line above and breaks building on s390
+# (OOM when linking, rhbz#1238225)
+export MOZ_DEBUG_FLAGS=" "
+%endif
+
 %ifarch %{arm}
 MOZ_LINK_FLAGS="-Wl,--no-keep-memory -Wl,--reduce-memory-overheads"
 %endif
@@ -310,7 +327,9 @@
 %ifarch %{ix86} x86_64 ppc ppc64 ppc64le aarch64
 [ -z "$RPM_BUILD_NCPUS" ] && \
      RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"
-MOZ_SMP_FLAGS=-j$RPM_BUILD_NCPUS
+[ "$RPM_BUILD_NCPUS" -ge 2 ] && MOZ_SMP_FLAGS=-j2
+[ "$RPM_BUILD_NCPUS" -ge 4 ] && MOZ_SMP_FLAGS=-j4
+[ "$RPM_BUILD_NCPUS" -ge 8 ] && MOZ_SMP_FLAGS=-j8
 %endif

 make -f client.mk build STRIP="/bin/true" MOZ_MAKE_FLAGS="$MOZ_SMP_FLAGS" MOZ_SERVICES_SYNC="1"
Comment 17 David Walser 2018-04-13 16:57:57 CEST
Maybe you got lucky, because even with those changes it failed to build with the same error in Mageia 5:
http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20180413142204.luigiwalser.duvel.25073/log/firefox-52.7.3-2.mga5/build.0.20180413142311.log
Comment 18 Thomas Backlund 2018-04-13 19:50:11 CEST
Yeah well, I tried limiting it more, but it fails in other places...

And its not memory problems as such on the build nodes as ecosse has 32GB and rabbit 48GB of ram ... It just is something in the build process triggering g++ to try and allocate more than 2GB process, and it fails...

Maybe it exposes a bug in gcc, maybe not... 
But I dont see any point in wasting time on debugging it on mga5 anymore, so lets clone the bug then for mga5 if someone cares, and get the mga6 update out...
David Walser 2018-04-14 02:20:25 CEST

Blocks: (none) => 22904

Comment 19 David Walser 2018-04-14 02:32:49 CEST
SRPMS:
nspr-4.19-1.mga6.src.rpm
firefox-52.7.3-2.mga6.src.rpm
firefox-l10n-52.7.3-1.mga6.src.rpm

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Memory safety bugs fixed in Firefox ESR 52.7 (CVE-2018-5125).

Buffer overflow manipulating SVG animatedPathSegList (CVE-2018-5127).

Out-of-bounds write with malformed IPC messages (CVE-2018-5129).

Mismatched RTP payload type can trigger memory corruption (CVE-2018-5130).

Fetch API improperly returns cached copies of no-store/no-cache resources
(CVE-2018-5131).

Integer overflow during Unicode conversion (CVE-2018-5144).

Memory safety bugs fixed in Firefox ESR 52.7 (CVE-2018-5145).

A use-after-free vulnerability can occur in the compositor during certain
graphics operations when a raw pointer is used instead of a reference counted
one. This results in a potentially exploitable crash (CVE-2018-5148).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5125
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5127
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5129
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5144
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5148
https://www.mozilla.org/en-US/security/advisories/mfsa2018-07/
https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/
https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:0527

Status comment: Update checked into SVN, Firefox failed to build => (none)
Assignee: sysadmin-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)

Comment 20 Bill Wilkinson 2018-04-14 04:55:49 CEST
Tested mga6-64

general browsing, Acid3, jetstream, video play tested, all OK

CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure

Bill Wilkinson 2018-04-14 04:58:54 CEST

Whiteboard: mga4-64-ok has_procedure => mga6-64-ok has_procedure

David Walser 2018-04-14 05:00:23 CEST

Keywords: (none) => has_procedure
Whiteboard: mga6-64-ok has_procedure => MGA6-64-OK

Comment 21 Len Lawrence 2018-04-14 09:35:44 CEST
Mageia 6, x86_64

Working fine here.
General browsing, examination of local directories and viewing PDF.
Checking localhost informed me that hiawatha might be running.  It was; stopped hiawatha, started apache and re-launched firefox.
Watched a Youtube NASA video in theatre mode.
$ sudo localhost:631
launched the CUPS management interface in a separate window.
$ php -S localhost:8000 -t /home/lcl/dev/php
Addressing localhost:8000/sample.php displayed the string encoded in sample.php.

CC: (none) => tarazed25

Comment 22 Brian Rockwell 2018-04-14 21:44:09 CEST
mageia 6, 32-bit

$ uname -a
Linux localhost 4.14.30-desktop-3.mga6 #1 SMP Sun Mar 25 23:26:07 UTC 2018 i686 i686 i686 GNU/Linux


The following 5 packages are going to be installed:

- firefox-52.7.3-2.mga6.i586
- firefox-en_GB-52.7.3-1.mga6.noarch
- firefox-en_US-52.7.3-1.mga6.noarch
- firefox-en_ZA-52.7.3-1.mga6.noarch
- libnspr4-4.19-1.mga6.i586

121KB of additional disk space will be used.

52MB of packages will be retrieved.

Is it ok to continue?


---

started firefox

checked version

52.7.3 (32-bit)

-Bookmarks are intact
-Able to connect to my preferred sites and pull up pdf and ppt documents without an issues


working as designed.

Whiteboard: MGA6-64-OK => MGA6-64-OK mga6-32-ok
CC: (none) => brtians1

Comment 23 Thomas Andrews 2018-04-15 02:14:37 CEST
Looking good here on both arches, 64-bit Plasma 5.12.2, and 32-bit Xfce. Using it to make this comment.

CC: (none) => andrewsfarm

Comment 24 Dave Hodgins 2018-04-15 02:53:18 CEST
Testing ok here, including with the latest flash update.
Advisory committed to svn.
Validating the update.

Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 25 Mageia Robot 2018-04-15 15:34:39 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0202.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.