Description of problem: Several critical security vulnerabilities have been found in seamonkey 2.14.x which is the upstream of iceape 2.14.1. They have been fixed in version 2.15. This update also fixes the problem of opus HTML5 audio not playing. It was caused by enabling gstreamer for h.264 playback which also took over ogg playing, including opus. The update switches back to the mozilla ogg player and following basic security policy it uses packaged ogg, vorbis, theora, and opus libraries instead of the versions bundled with mozilla source code. Since opus was not available at the time when Mageia 2 was released it needs to be added. I do not expect any real problems for a new package even if it is a library. It may also be used by firefox 17esr. Updated packages are ready for testing. Source RPMs: iceape-2.15-1.mga2.src.rpm opus-1.0.2-1.mga2.src.rpm Binary RPMs for mga2: iceape-2.15-1.mga2.i586.rpm libopus0-1.0.2-1.mga2.i586.rpm libopus-devel-1.0.2-1.mga2.i586.rpm iceape-2.15-1.mga2.x86_64.rpm lib64opus0-1.0.2-1.mga2.x86_64.rpm lib64opus-devel-1.0.2-1.mga2.x86_64.rpm Proposed Advisory: Updated iceape packages fix security issues: Nemory safety problems and crashes that affect Firefox ESR 10, Firefox ESR 17, and Firefox 17. (CVE-2013-0769, MFSA 2013-01) Nemory safety problems and crashes that affect Firefox ESR 17 and Firefox 17. (CVE-2013-0749, MFSA 2013-01) Nmemory safety problems and crashes that affect Firefox 17. (CVE-2013-0770, MFSA 2013-01) Global-buffer-overflow in CharDistributionAnalysis::HandleOneChar. (CVE-2013-0760, MFSA 2013-02) Heap-use-after-free in imgRequest::OnStopFrame. (CVE-2013-0762, MFSA 2013-02) Heap-use-after-free in ~nsHTMLEditRules. (CVE-2013-0766, MFSA 2013-02) Out of bounds read in nsSVGPathElement::GetPathLengthScale. (CVE-2013-0767, MFSA 2013-02) Heap-use-after-free in mozilla::TrackUnionStream::EndTrack. (CVE-2013-0761, MFSA 2013-02) Heap-use-after-free in Mesa, triggerable by resizing a WebGL canvas. (CVE-2013-0763, MFSA 2013-02) Heap-buffer-overflow in gfxTextRun::ShrinkToLigatureBoundaries. (CVE-2013-0771, MFSA 2013-02) Heap-based buffer overflow in the nsWindow::OnExposeEvent function in Mozilla Firefox before 17.0, Firefox ESR 10.x before 10.0.11, Thunderbird before 17.0, Thunderbird ESR 10.x before 10.0.11, and SeaMonkey before 2.14 allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2012-5829) Stack buffer overflow with canvas. (CVE-2013-0768, MFSA 2013-03) URL spoofing with credentials info of URL & 204. (CVE-2013-0759, MFSA 2013-04) Heap-use-after-free in TableBackgroundPainter::TableBackgroundData::Destroy. (CVE-2013-0744, MFSA 2013-05) Touch events are shared across iframes (CVE-2013-0751, MFSA 2013-06) Crash [@ nsSOCKSSocketInfo::ConnectToProxy(PRFileDesc*) ] clicking "Download the rest of the message" (CVE-2013-0764, MFSA 2013-07) The AutoWrapperChanger class fails to keep some javascript objects alive during garbage collection. This can lead to an exploitable crash allowing for arbitrary code execution. (CVE-2013-0745, MFSA 2013-08) In com cases, jsval-returning quickstubs fail to wrap their return values, causing a compartment mismatch. This mismatch can cause garbage collection to occur incorrectly and lead to a potentially exploitable crash. (CVE-2013-0746, MFSA 2013-09) Events in the plugin handler can be manipulated by web content to bypass same-origin policy (SOP) restrictions. This can allow for clickjacking on malicious web pages. (CVE-2013-0747, MFSA 2013-10) Using the toString function of XBL objects can lead to inappropriate information leakage by revealing the address space layout instead of just the ID of the object. This layout information could potentially be used to bypass ASLR and other security protections. (CVE-2013-0748, MFSA 2013-11) An integer overflow is possible when calculating the length for a Javascript string concatenation, which is then used for memory allocation. This results in a buffer overflow, leading to a potentially exploitable memory corruption. (CVE-2013-0750, MFSA 2013-12) When using an XBL file containing multiple XML bindings with SVG content, a memory corruption can occur. In concern with remote XUL, this can lead to an exploitable crash. (CVE-2013-0752, MFSA 2013-13) It is possible to change the prototype of an object and bypass Chrome Object Wrappers (COW) to gain access to chrome privileged functions. This could allow for arbitrary code execution. (CVE-2013-0757, MFSA 2013-14) It is possible to open a chrome privileged web page through plugin objects through interaction with SVG elements. This could allow for arbitrary code execution. (CVE-2013-0758, MFSA 2013-15) By the exposing of serializeToStream to web content, a use-after-free may occur in XMLSerializer. This can lead to arbitrary code execution when exploited. (CVE-2013-0753, MFSA 2013-16) A use-after-free was reported within the ListenerManager when garbage collection is forced after data in listener objects have been allocated in some circumstances. This can lead to arbitrary code execution. (CVE-2013-0754, MFSA 2013-17) Using the domDoc pointer within Vibrate library, memory may be used after being freed. This can lead to arbitrary code execution when exploited. (CVE-2013-0755, MFSA 2013-18) A garbage collection flaw in Javascript Proxy objects can lead to a use-after-free leading to arbitrary code execution. (CVE-2013-0756, MFSA 2013-19) TURKTRUST, a certificate authority in Mozilla\u2019s root program, has mis-issued two intermediate certificates to customers. The issue was not specific to Firefox but there was evidence that one of the certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking the trust for these specific mis-issued certificates. (CVE-2013-0743, MFSA 2013-20) This update also fixes HTML5 opus audio playback. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5829 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0744 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0745 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0749 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0750 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0751 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0752 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0753 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0754 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0755 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0756 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0757 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0758 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0759 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0760 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0760 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0761 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0762 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0763 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0764 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0766 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0767 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0769 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0770 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0771 http://www.mozilla.org/security/announce/2013/mfsa2013-01.html http://www.mozilla.org/security/announce/2013/mfsa2013-02.html http://www.mozilla.org/security/announce/2013/mfsa2013-03.html http://www.mozilla.org/security/announce/2013/mfsa2013-04.html http://www.mozilla.org/security/announce/2013/mfsa2013-05.html http://www.mozilla.org/security/announce/2013/mfsa2013-06.html http://www.mozilla.org/security/announce/2013/mfsa2013-07.html http://www.mozilla.org/security/announce/2013/mfsa2013-08.html http://www.mozilla.org/security/announce/2013/mfsa2013-09.html http://www.mozilla.org/security/announce/2013/mfsa2013-10.html http://www.mozilla.org/security/announce/2013/mfsa2013-11.html http://www.mozilla.org/security/announce/2013/mfsa2013-12.html http://www.mozilla.org/security/announce/2013/mfsa2013-13.html http://www.mozilla.org/security/announce/2013/mfsa2013-14.html http://www.mozilla.org/security/announce/2013/mfsa2013-15.html http://www.mozilla.org/security/announce/2013/mfsa2013-16.html http://www.mozilla.org/security/announce/2013/mfsa2013-17.html http://www.mozilla.org/security/announce/2013/mfsa2013-18.html http://www.mozilla.org/security/announce/2013/mfsa2013-19.html http://www.mozilla.org/security/announce/2013/mfsa2013-20.html
I was unable to find test cases for the security updates upstream through mozilla bugzilla. Testing the opus codec on http://people.xiph.org/~giles/2012/opus/ was successful. Operation on several web sites including flash showed no problems. Mail and chat work as expected. Iceape is showing icedtea-web 1.3.1 plugin in plugin manager, but java testers (e.g. http://www.javatester.org/version.html ) are showing java as disabled. x86_64.
CC: (none) => wrw105
Just double checked after an iceape restart - the plugin wasn't originally enabled, but reenabling it and restarting again showed java working, reporting 1.6.0_24. x86_64 working well.
Well done Bill. You just need to set the whiteboard keyword.
Whiteboard: (none) => MGA2-64-OK
MGA2 32 bits Updating from an everyday used iceape 2.14.1-1 to 2.15-1 Everything went fine : the mail, news and chatzilla configurations are preserved The mail folders are OK the previously installed plugins and extensions for the web browser are verified and working the opus codec is OK and tested no problem for java ( it was already installed and enabled) The bundled lightning module (version 2.0b1) and timezone calendar module are proposed to get activated (they were not for previous version of iceape) and work (though the lightning is not yet well localized, and has not yet a working link to a french page ) There's only a cosmetic problem about the global language which is reverted to english (the bundled language packs allow to choose again your native language but you must know where to configure this ... and know enough English to read the menus....) : strangely, these last preferences are lost in prefs.js user_pref("general.useragent.locale", "fr") user_pref("intl.accept_languages", "fr,fr-fr,en-us,en") become user_pref("general.useragent.locale", "en") user_pref("intl.accept_languages", "en-us,en") Many Thanks to Christiaan I would say it's OK for MGA32 bits (unless the little language problem prevents to validate it)
CC: (none) => philippedidier
To Christiaan Sorry : I did a mistake and a wrong diagnostic about language preferences and user interface language... Tried again with backuped profiles uninstall iceape 2.15-1 recover the last previous backup profile install last iceape 2.14.1-1 Everything OK : user interface language is french, prefered browser language is French, language spelling is French with iceape 2.14.1-1 Update to iceape 2.15-1 User interface language is now English and can't be modified . (/menu/edit/preference/appearance : => no other choice than English) nevertheless the prefered browser language selected is always French, the language spelling selected is French. but don't work :-( the prefs.js file is not modified at all. There's only one way to correct this : disable and enable again the French language pack ( /menu/tools/add-on manager) and then everything is corrected (/menu/edit/preference/appearance : => french is selected without anything to do) quit and start again iceape and the user interface is right... doing this we get a modification in prefs.js : it is now user_pref("extensions.bootstrappedAddons", "{\"langpack-fr@seamonkey.mozilla.org\":{\"version\":\"2.15\",\"type\":\"locale\",\"descriptor\":\"/usr/lib/iceape-2.15/extensions/langpack-fr@seamonkey.mozilla.org\"}}"); and it was user_pref("extensions.bootstrappedAddons", "{\"langpack-fr@seamonkey.mozilla.org\":{\"version\":\"2.14\",\"type\":\"locale\",\"descriptor\":\"/usr/lib/iceape-2.14/extensions/langpack-fr@seamonkey.mozilla.org\"}}"); To summarize : the bundled langpack has a hard address in user's profile : prefs.js (/usr/lib/iceape-2.14/extensions/langpack-*) and when we update iceape from 2.14 to 2.15 this address is not automatically modified and there is no link to /usr/lib/iceape-2.15/extensions/langpack-*) (there's no problem with the extensions added in the user profile directory, such as flashgot, adblock ... : their address remain identical) I don't know how it could be automatically modified in each user profile ! The update needs an advice about this for non English users : After having updated, you need to disable and reenable your langpack in /menu/tools/add-on manager besides this little problem (with this simple workaround) the update is OK ! Philippe
Post scriptum Beware of the fact that depending on which news browser you use to follow gmane.linux.mageia.bugs you may have a wrong display of the extract of prefs.js that I provided : the folder name : langpack-fr@seamonkey.mozilla.org\ may become wrongly displayed as a mail address (!!!???) : langpack-fr-fXE7c0Za+ZTWuHeTmpe1rYaCUm+kVXi4@public.gmane.org\ it is correctly displayed when using firefox to read : https://bugs.mageia.org/show_bug.cgi?id=8673 Philippe
Post post scriptum :) Definitely unable to correctly display this in a news browser :-( The post scriptum is even worse to read !!!! just can say that I never wanted to write any mail address but only a folder name including an arobase : (@) langpack-frarobaseseamonkey.mozilla.org
Thanks Bill and Philippe Validating Advisory & srpms in comment 0 Could sysadmin please push from core/updates_testing to core/updates Thanks!
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA2-64-OK => MGA2-64-OK mga2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0008
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED