Bug 33864 - mozjs78 new security issue CVE-2024-50602
Summary: mozjs78 new security issue CVE-2024-50602
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-12-18 16:13 CET by Nicolas Salguero
Modified: 2024-12-21 21:17 CET

See Also:
Source RPM: mozjs78-78.15.0-7.1.mga9.src.rpm
CVE: CVE-2024-50602
Status comment:


Description Nicolas Salguero 2024-12-18 16:13:30 CET
openSUSE has issued an advisory on December 17:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/X3V7QAWJ6AWA3YEKX4DEGJFLTQ6ASRC3/

For Cauldron, mozjs78 should be dropped.
Nicolas Salguero 2024-12-18 16:14:06 CET

CVE: (none) => CVE-2024-50602
Status comment: (none) => Patch available from openSUSE
Source RPM: (none) => mozjs78-78.15.0-7.1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-12-18 21:10:11 CET
Puzzled. Following links leads to [lib]expat.
 https://www.suse.com/security/cve/CVE-2024-50602.html
Upstream information
CVE-2024-50602 at MITRE
Description
An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
but I cannot see the patch in question. SUSE have pushed updates.

 https://nvd.nist.gov/vuln/detail/CVE-2024-50602 similar
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50602 similar
 https://github.com/libexpat/libexpat/pull/915 looks close to a fix
 
Assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-12-19 14:53:18 CET
mozjs78 dropped from Cauldron.



Suggested advisory:
========================

The updated packages fix a security vulnerability:

An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser. (CVE-2024-50602)

References:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/X3V7QAWJ6AWA3YEKX4DEGJFLTQ6ASRC3/
========================

Updated packages in core/updates_testing:
========================
lib(64)mozjs78-78.15.0-7.2.mga9
lib(64)mozjs78-devel-78.15.0-7.2.mga9

from SRPM:
mozjs78-78.15.0-7.2.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Status comment: Patch available from openSUSE => (none)
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9

Comment 3 David GEIGER 2024-12-20 06:51:52 CET
(In reply to Nicolas Salguero from comment #2)
> mozjs78 dropped from Cauldron.


Or not!!

You should remove explicitly all sub-pkgs from mozjs78-78.15.0-8.mga10.src.rpm 

libmozjs78 < 78.15.0-9
lib64mozjs78 < 78.15.0-9
libmozjs78-devel < 78.15.0-9
lib64mozjs78-devel < 78.15.0-9

CC: (none) => geiger.david68210

Comment 4 Nicolas Salguero 2024-12-20 09:28:41 CET
(In reply to David GEIGER from comment #3)
> (In reply to Nicolas Salguero from comment #2)
> > mozjs78 dropped from Cauldron.
> 
> 
> Or not!!
> 
> You should remove explicitly all sub-pkgs from
> mozjs78-78.15.0-8.mga10.src.rpm 
> 
> libmozjs78 < 78.15.0-9
> lib64mozjs78 < 78.15.0-9
> libmozjs78-devel < 78.15.0-9
> lib64mozjs78-devel < 78.15.0-9

Indeed, sorry!

task-obsolete-10-73.mga10 fixes that issue.
katnatek 2024-12-20 21:10:49 CET

Keywords: (none) => advisory

Comment 5 katnatek 2024-12-20 21:34:53 CET
Does this also fix https://bugs.mageia.org/show_bug.cgi?id=33691?
Comment 6 Nicolas Salguero 2024-12-20 21:46:58 CET
(In reply to katnatek from comment #5)
> Does this also fix https://bugs.mageia.org/show_bug.cgi?id=33691?

No, it does not. I am unsure we can fix it. Firefox, Thunderbird and mozjs have been using an embedded expat for many versions.
Comment 7 Thomas Andrews 2024-12-20 23:39:52 CET
MGA9-64 Plasma in VirtualBox. This is not an easy one. From bug 33630:

$ urpmq --whatrequires lib64mozjs78
couchdb
lib64cjs0
lib64mozjs78
lib64mozjs78-devel

In its last two updates, bug 30342 and bug 29548, QA attempted to test couchdb, but eventually validated based on a clean update over the existing version. Not particularly satisfactory, so I looked further:

$ urpmq --whatrequires-recursive lib64mozjs78
cinnamon
cinnamon-devel-doc
cjs
couchdb
lib64cjs-devel
lib64cjs-gir1.0
lib64cjs0
lib64mozjs78
lib64mozjs78-devel
nemo-preview
task-cinnamon
task-cinnamon-devel
task-cinnamon-minimal

This might be more promising. I installed task-cinnamon-minimal, which did indeed draw in lib64cjs-gir1.0, lib64cjs0, and lib64mozjs78 - among many others. I rebooted, and there were two new choices for login, cinnamon and cinnamon(software rendering). I tried cinnamon first.

I've never used cinnamon before, but I played around for a bit, and nothing bad happened, so I guess it's OK. So then I tried the same with the software rendering login, and nothing bad happened there, either.

I'm calling that good enough to validate for MGA9. 

On another note, just to be sure it wasn't forgotten, you did address the potential dependencies when you dropped mozjs78 in Cauldron, right? In that MGA9 guest, attempting to remove lib64mozjs78 would have forced the removal of cinnamon, as well.

CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update

Comment 8 Mageia Robot 2024-12-21 21:17:44 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0396.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
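
The version checks discussed in comments 2 and 3, as an added example that is not part of the bug report or of any Mageia tooling: a simplified Python version of RPM's version comparison, used to test whether an installed package predates the fixed build and whether a Cauldron build falls under the `< 78.15.0-9` bound. The function names are hypothetical, the `~` and `^` version operators are not handled, and the 7.1 binary package name is a constructed sample derived from the Source RPM version.

```python
import re

FIXED_EVR = "78.15.0-7.2.mga9"   # update candidate listed in comment 2
OBSOLETES_BOUND = "78.15.0-9"    # "< 78.15.0-9" bound listed in comment 3

def rpmvercmp(a: str, b: str) -> int:
    """Simplified RPM segment comparison; '~' and '^' are not handled."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:                      # a numeric segment beats an alphabetic one
            return 1 if xd else -1
        kx, ky = (int(x), int(y)) if xd else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr: str):
    """Split '[epoch:]version[-release]'; a missing epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def needs_update(nvr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when an installed name-version-release predates the fixed build."""
    _name, version, release = nvr.rsplit("-", 2)
    return evr_cmp(f"{version}-{release}", fixed_evr) < 0

def is_obsoleted(evr: str, bound: str = OBSOLETES_BOUND) -> bool:
    """True when evr satisfies an 'Obsoletes: pkg < bound' dependency."""
    return evr_cmp(evr, bound) < 0

if __name__ == "__main__":
    # Constructed sample: binary package names at releases 7.1 and 7.2.
    for nvr in ("lib64mozjs78-78.15.0-7.1.mga9", "lib64mozjs78-devel-78.15.0-7.2.mga9"):
        print(nvr, "needs update" if needs_update(nvr) else "is fixed")
    print("8.mga10 obsoleted:", is_obsoleted("78.15.0-8.mga10"))
```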
