please revbump seamonkey to version 1.0.1 . The following patches from the seamonkey-1.0-patches-0.4.tar.bz2 file can be dropped: ./patch/065_firefox-1.5-nsStackFrameUnix.patch.bz2 ./patch/066_firefox-1.5-nsStackFrameUnix.patch.bz2
Mozilla team, please provide new ebuilds, thank you. Fixed in SeaMonkey 1.0.1 MFSA 2006-29 Spoofing with translucent windows MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented MFSA 2006-26 Mail Multiple Information Disclosure MFSA 2006-25 Privilege escalation through Print Preview MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest MFSA 2006-23 File stealing by changing input type MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
(In reply to comment #1) > Mozilla team, please provide new ebuilds, thank you. > > Fixed in SeaMonkey 1.0.1 > MFSA 2006-29 Spoofing with translucent windows > MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented > MFSA 2006-26 Mail Multiple Information Disclosure > MFSA 2006-25 Privilege escalation through Print Preview > MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest > MFSA 2006-23 File stealing by changing input type > MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability Ebuild will be avaliable when I have time to work on it. As package is masked as of right now there is no rush we have 45 days. > MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2) >
Another fix: http://groups.google.com/group/mozilla.dev.planning/msg/06f5306d65d64b54 http://groups.google.com/group/mozilla.dev.apps.seamonkey/msg/c6079691432512a7 (seamonkey 1.0.2 with Gecko 1.8.0.4)
Created attachment 86039 [details] seamonkey-1.0.1.ebuild
Created attachment 86040 [details, diff] seamonkey-1.0-r1--1.0.1_ebuild.diff
Created attachment 86041 [details, diff] CVE-2006-1993.diff This patch fixes http://bugs.gentoo.org/show_bug.cgi?id=131138 which also affects seamonkey-1.0.1. The patch can be found at https://bugzilla.mozilla.org/show_bug.cgi?id=334515#c31 (direct link: https://bugzilla.mozilla.org/attachment.cgi?id=219958&action=view )
WFM
Moz team: time to patch it :)
Was already masked, now the maskline states there are unsolved security problems with it. Setting to enhancements so that it gets out of main scope, until such time it is resolved.
Created attachment 87136 [details] seamonkey-1.0.2.ebuild The upcoming seamonkey 1.0.2 http://weblogs.mozillazine.org/seamonkey-qa/archives/2006/05/smoketests_for_upcoming_seamon.html
Created attachment 87137 [details, diff] 005_mozilla-firefox-1.1a2-ia64.patch 005_mozilla-firefox-1.1a2-ia64.patch minus the mozilla/js/src/fdlibm/fdlibm.h part, as it is already included in seamonkey-1.0.2.
Created attachment 87139 [details] seamonkey-1.0.1-1.0.2.diff.bz2 diff seamonkey from 1.0.1 to 1.0.2 : checkout start: Sat May 20 14:09:05 CEST 2006
Comment on attachment 87136 [details] seamonkey-1.0.2.ebuild correct MIME Type
Created attachment 87140 [details] seamonkey-1.0.2.ebuild (propper access to DISTDIR)
Update is in the tree, still p.mask so noone needs to worry about marking stable.
Jory, you forgot to add the CVE-2003-1993 patch. So seamonkey is still vulnerable against http://www.securident.com/vuln/ffdos.htm Poly-C
whoops, I meant CVE-2006-1993 patch, not CVE-2003-1993
Curious if 1.0.2 of 2006-05-20 11:49 PST ebuild is safe against vulnerabilities...
*** Bug 135285 has been marked as a duplicate of this bug. ***
Hmm... Perhaps I'm not seeing the big picture here, but the last ebuild here goes through a lot of hoops to patch the 1.0.1 tarball from upstream (see the 'MY_PV="1.0.1"' in the last ebuild here - attachment 87140 [details]), while the bug in Comment #19 marked as a "duplicate" is focused on the new, no-patch-needed tarball released today - http://ftp.mozilla.org/pub/mozilla.org/seamonkey/releases/1.0.2/seamonkey-1.0.2.en-US.linux-i686.tar.gz . Why was the other bug marked as a duplicate, and this "Resolved:Fixed", when it really seems that this bug is just no longer relevant because of the supported solution which Upstream is providing?
Ah, apparently the duplicate bug's solution is the same as this bugs, patching the 1.0.1 release with custom patchsets. Apologies. (In reply to comment #20) > Hmm... Perhaps I'm not seeing the big picture here, but the last ebuild here > goes through a lot of hoops to patch the 1.0.1 tarball from upstream (see the > 'MY_PV="1.0.1"' in the last ebuild here - attachment 87140 [details] [edit]), while the bug in > Comment #19 marked as a "duplicate" is focused on the new, no-patch-needed > tarball released today - > http://ftp.mozilla.org/pub/mozilla.org/seamonkey/releases/1.0.2/seamonkey-1.0.2.en-US.linux-i686.tar.gz > . > > Why was the other bug marked as a duplicate, and this "Resolved:Fixed", when it > really seems that this bug is just no longer relevant because of the supported > solution which Upstream is providing? >
Jesse, I marked it as a dupe when I saw version 1.0.2 in both bug reports. Also seamonkey is still masked so security wise we're not going to force an upgrade. If you want your initial report to be handled as a normal non-security bug (Gentoo Linux bugzilla product rather than Gentoo Linux) handled by package maintainers you're free to reopen.
