Bug 6611 - eclipse-swt is built with old xulrunner, exposing it to security issues
: eclipse-swt is built with old xulrunner, exposing it to security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
:
: MGA1TOO, has_procedure, mga2-32-OK, m...
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-28 19:00 CEST by David Walser
Modified: 2012-07-29 22:29 CEST (History)
6 users (show)

See Also:
Source RPM: eclipse-3.6.2-12.mga1.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-06-28 19:00:02 CEST
The SWT component for building the Browser widget against xulrunner will not build with current versions of xulrunner and probably does not still work.

Maybe Eclipse 3.7.x from Mageia 2 could be built for Mageia 1?
Comment 1 D Morgan 2012-07-04 08:03:51 CEST
we do not build eclipse against xulrunner anymore.
Comment 2 David Walser 2012-07-04 14:55:08 CEST
We haven't pushed any updates for it.

rpm -qp --requires /home/linux/mageia/distrib/1/i586/media/core/release/eclipse-swt-3.6.2-12.mga1.i586.rpm # includes:

xulrunner
libxpcom.so  
libxul.so
Comment 3 D Morgan 2012-07-04 22:31:22 CEST
I though this had been pushed with firefox. Anyway they are on updates_testing for mga 1 and 2
Comment 4 David Walser 2012-07-04 22:59:17 CEST
Right.  Doesn't this just break the Browser widget?  I guess it's a tough call between disabling functionality or leaving something mildly vulnerable (assuming you don't want to update Eclipse to a newer version).

Perhaps worthy of a discussion on mageia-dev?
Comment 5 D Morgan 2012-07-04 23:29:54 CEST
this have been discussed with fedora eclipse maintainer. This is the best solution and btw this is done the same way on all our releases of mga.
Comment 6 David Walser 2012-07-05 00:09:13 CEST
Fair enough.  Thanks D Morgan.  Assigning to QA then.

Advisory
========

The xulrunner library, which is used by the eclipse-swt package to provide
the functionality of the Browser widget in applications using the SWT
user interface library (including Eclipse itself), has been found to have
numerous security vulnerabilities (see our previous advisories for Firefox
for more information on these).

Eclipse has now been built without support for xulrunner, so that users of
Eclipse and other SWT programs will not be exposed to these security
vulnerabilities.  The SWT Browser widget will no longer be functional in
any applications that use it.  Users that require SWT Browser widget
functionality will need to use an Eclipse distribution from upstream.

Packages in core/updates_testing:
eclipse-jdt-3.6.2-12.1.mga1
eclipse-pde-3.6.2-12.1.mga1
eclipse-platform-3.6.2-12.1.mga1
eclipse-rcp-3.6.2-12.1.mga1
eclipse-swt-3.6.2-12.1.mga1
eclipse-equinox-osgi-3.7.1-3.1.mga2
eclipse-jdt-3.7.1-3.1.mga2
eclipse-pde-3.7.1-3.1.mga2
eclipse-platform-3.7.1-3.1.mga2
eclipse-rcp-3.7.1-3.1.mga2
eclipse-swt-3.7.1-3.1.mga2

from SRPMS:
eclipse-3.6.2-12.1.mga1.src.rpm
eclipse-3.7.1-3.1.mga2.src.rpm
Comment 7 Dave Hodgins 2012-07-05 05:33:00 CEST
Are the various ant packages in Core Updates Testing part of this update?

I'm testing on Mageia 2 i586.
Comment 8 Dave Hodgins 2012-07-05 05:39:37 CEST
Some errors during installation ...

    71/73: eclipse-platform      #################################################################################
warning: %post(eclipse-platform-1:3.7.1-3.1.mga2.i586) scriptlet failed, exit status 1
    72/73: eclipse-jdt           #################################################################################
warning: %post(eclipse-jdt-1:3.7.1-3.1.mga2.i586) scriptlet failed, exit status 1
    73/73: eclipse-pde           #################################################################################
warning: %post(eclipse-pde-1:3.7.1-3.1.mga2.i586) scriptlet failed, exit status 1

They all have ...
postinstall scriptlet (using /bin/sh):
eclipse-reconciler.sh > /dev/null
Comment 9 Dave Hodgins 2012-07-05 05:51:05 CEST
Testing complete on Mageia 2 i586.

Just testing that eclipse is working.

After installing eclipse, went through the tutorial to create and run a java
HelloWorld project.

I'll leave it for D Morgan to decide whether or not to fix the scriplet errors.
Comment 10 D Morgan 2012-07-05 07:35:38 CEST
yes let see what is broken
Comment 11 D Morgan 2012-07-05 08:11:46 CEST
please test eclipse-3.7.1-3.3.mga2
Comment 12 David Walser 2012-07-05 13:27:19 CEST
ant is part of the Bug 6331 update.  Updating advisory for new package version.

Advisory
========

The xulrunner library, which is used by the eclipse-swt package to provide
the functionality of the Browser widget in applications using the SWT
user interface library (including Eclipse itself), has been found to have
numerous security vulnerabilities (see our previous advisories for Firefox
for more information on these).

Eclipse has now been built without support for xulrunner, so that users of
Eclipse and other SWT programs will not be exposed to these security
vulnerabilities.  The SWT Browser widget will no longer be functional in
any applications that use it.  Users that require SWT Browser widget
functionality will need to use an Eclipse distribution from upstream.

Packages in core/updates_testing:
eclipse-jdt-3.6.2-12.1.mga1
eclipse-pde-3.6.2-12.1.mga1
eclipse-platform-3.6.2-12.1.mga1
eclipse-rcp-3.6.2-12.1.mga1
eclipse-swt-3.6.2-12.1.mga1
eclipse-equinox-osgi-3.7.1-3.3.mga2
eclipse-jdt-3.7.1-3.3.mga2
eclipse-pde-3.7.1-3.3.mga2
eclipse-platform-3.7.1-3.3.mga2
eclipse-rcp-3.7.1-3.3.mga2
eclipse-swt-3.7.1-3.3.mga2

from SRPMS:
eclipse-3.6.2-12.1.mga1.src.rpm
eclipse-3.7.1-3.3.mga2.src.rpm
Comment 13 Samuel Verschelde 2012-07-23 21:24:48 CEST
Testing complete on Mageia 1 32 bits. I followed and completed the Hello World tutorial.
Comment 14 Samuel Verschelde 2012-07-23 23:53:49 CEST
Testing complete on Mageia 1 64 bits.
Comment 15 Samuel Verschelde 2012-07-28 17:03:58 CEST
Testing still needed on Mageia 2 64 bits.

Procedure:
- urpmi eclipse
- start eclipse, then follow the "Hello world" tutorial which is included in eclipse.
Comment 16 Shlomi Fish 2012-07-28 19:25:57 CEST
(In reply to comment #15)
> Testing still needed on Mageia 2 64 bits.
> 
> Procedure:
> - urpmi eclipse
> - start eclipse, then follow the "Hello world" tutorial which is included in
> eclipse.

Done. Works fine.

Regards,

-- Shlomi Fish
Comment 17 Samuel Verschelde 2012-07-28 20:07:40 CEST
Thanks Shlomi.

Update validated. No linking required.

See comment #12 for advisory and packages.
Comment 18 Samuel Verschelde 2012-07-28 20:08:05 CEST
update validated, see previous comment and comment #12
Comment 19 Thomas Backlund 2012-07-29 22:29:47 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0183

Note You need to log in before you can comment on or make changes to this bug.