
Bug 63996

Summary: net-www/mozilla*, mail-client/mozilla-thunderbird : new security fixes in latest version
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: amd64, basic, brodigan, gnome, hanno, mozilla, polynomial-c, sekretarz
Priority: Highest
Version: unspecified
Hardware: All
OS: All
URL: http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Whiteboard: A2 [glsa] koon
Package list:
Runtime testing required: ---

Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-14 07:31:36 UTC
Mozilla team, please provide new ebuilds for :

net-www/mozilla
net-www/mozilla-bin
net-www/mozilla-firefox
net-www/mozilla-firefox-bin
mail-client/mozilla-thunderbird
mail-client/mozilla-thunderbird-bin

Gnome team, please check the following ebuilds to see if bumps are needed to make them use the latest Gecko :

net-www/epiphany
net-www/galeon
Comment 2 foser (RETIRED) gentoo-dev 2004-09-14 07:39:32 UTC
CC hanno for galeon
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2004-09-15 01:12:11 UTC
*** Bug 64095 has been marked as a duplicate of this bug. ***
Comment 4 Jason Short 2004-09-15 11:25:53 UTC
ebumped -bin ebuilds, they Just Work(tm)

source ebuilds for firefox and thunderbird require rearrangement of the SRC_URI, someone at mozilla can't decide to call it "source-${PV}" or "${PV}-source"

additionally, firefox and thunderbird compiles die unless configured with --enable-single-profile, which effectively clobbers the ability to run concurrent sessions from different profiles.

have not yet had the occasion to test moz 1.7.3 build for the same problem
Comment 5 Aron Griffis (RETIRED) gentoo-dev 2004-09-15 13:39:01 UTC
In portage now, marked ~arch:

net-www/mozilla-1.7.3
net-www/mozilla-bin-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/mozilla-firefox-bin-1.0_pre
mail-client/mozilla-thunderbird-0.8
mail-client/mozilla-thunderbird-bin-0.8
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2004-09-15 14:06:46 UTC
Arches, please mark stable :

x86,amd64 : mozilla-1.7.3 mozilla-firefox-1.0_pre mozilla-firefox-bin-1.0_pre mozilla-thunderbird
ppc : mozilla-1.7.3 mozilla-firefox-1.0_pre
sparc,alpha,ia64 : mozilla-1.7.3 mozilla-firefox-1.0_pre mozilla-thunderbird
Comment 7 Olivier Crete (RETIRED) gentoo-dev 2004-09-15 15:31:43 UTC
mozilla-bin and mozilla-firefox-bin are there for x86.. (for ppl who want a quick fix)
Comment 8 Jochen Maes (RETIRED) gentoo-dev 2004-09-16 04:57:06 UTC
stable on ppc
Comment 9 Tobias Sager 2004-09-16 06:13:32 UTC
Also see bug 63850.
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-16 06:56:27 UTC
mozilla-1.7.3 sparc stable.
FYI, epiphany-1.2.7-r1 and galeon-1.3.17 work just fine in upgrade and rebuild scenarios.
Also repoman complains about file.size on:
(27K) net-www/mozilla/files/gtk2mozilla_head_patch2
(35K) net-www/mozilla/files/mozilla-1.4-amd64.patch
(25K) net-www/mozilla/files/mozilla-1.7-amd64.patch
Comment 11 foser (RETIRED) gentoo-dev 2004-09-16 07:52:22 UTC
added epiphany-1.2.9-r1 to ~arch with patch to build to & dep on 1.7.3 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 08:20:24 UTC
Updating call for arches to test and mark stable with epiphany. Still needed :

x86 :
net-www/mozilla-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/epiphany-1.2.9-r1

amd64 :
net-www/mozilla-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/mozilla-firefox-bin-1.0_pre
net-www/epiphany-1.2.9-r1

ppc :
net-www/epiphany-1.2.9-r1

sparc :
net-www/mozilla-firefox-1.0_pre
net-www/epiphany-1.2.9-r1

alpha, ia64 :
net-www/mozilla-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/epiphany-1.2.9-r1

There will be a galeon update to test in the near future.
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-16 08:27:19 UTC
mozilla-firefox-1.0_pre sparc stable.
we're looking into some issues with mozilla-thunderbird-0.8 which was keyworded as stable when bumped. more on this later.
Comment 14 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2004-09-16 08:32:10 UTC
Hi,

tested mozilla-1.7.3 for three days now on two x86 machines. Not one single crash of mozilla compiled with these useflags: +crypt -debug -gnome +gtk2 +java -ldap -mozcalendar -mozdevelop +moznocompose +moznoirc +moznomail -moznoxft -mozsvg -mozxmlterm +ssl -xinerama +xprint

Poly
Comment 15 Travis Tilley (RETIRED) gentoo-dev 2004-09-16 12:44:53 UTC
those amd64 patches can be removed if the 1.6 and early 1.7 ebuilds are removed (which they should be)
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-16 12:59:24 UTC
epiphany-1.2.9-r1 sparc stable.
Comment 17 Jochen Maes (RETIRED) gentoo-dev 2004-09-17 01:35:41 UTC
epiphany stable on ppc
Comment 18 Hanno Böck gentoo-dev 2004-09-17 05:28:57 UTC
galeon-1.3.17 doesn't need to be rebuilt with 1.7.3 and builds fine against it, so imho no need to change anything here.
I'll make it dep on >=mozilla-1.7.3 as soon as all archs marked 1.7.3 stable.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2004-09-17 14:07:54 UTC
sparc, ppc: thanks :)

Hanno : does it mean you don't need to update galeon to be protected, you just need to update the other packages ? If you need to rebuild galeon to take advantage of the fix, we'll need a revbump to force the upgrade, if not, we're set.

Stable still needed on :

x86 :
net-www/mozilla-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/epiphany-1.2.9-r1

amd64 :
net-www/epiphany-1.2.9-r1

alpha, ia64 :
net-www/mozilla-1.7.3
net-www/mozilla-firefox-1.0_pre
net-www/epiphany-1.2.9-r1
Comment 20 Olivier Crete (RETIRED) gentoo-dev 2004-09-17 14:17:47 UTC
firefox is there for x86.. testing mozilla now..
Comment 21 Olivier Crete (RETIRED) gentoo-dev 2004-09-17 21:00:22 UTC
mozilla 1.7.3 is there for x86.. but epiphany doesn't work with the realplayer8 plug-in.. is that normal ?
I get
LoadPlugin: failed to initialize shared library /opt/RealPlayer8/rpnp.so [/opt/RealPlayer8/rpnp.so: undefined symbol: __pure_virtual]

(I actually get the same error with firefox-bin...)
Comment 22 Karol Wojtaszek (RETIRED) gentoo-dev 2004-09-18 04:04:18 UTC
I think you shouldn't stabilize firefox-1.0pr, because it still contains many bugs in the UI. You should add 0.9.3-r1 with patches that will fix the vulnerabilities.
Comment 23 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-19 05:42:33 UTC
Alpha done.
Comment 24 foser (RETIRED) gentoo-dev 2004-09-19 05:55:36 UTC
epiphany-1.2.9-r1 x86 done
Comment 25 Olivier Crete (RETIRED) gentoo-dev 2004-09-19 15:00:59 UTC
all done on x86
Comment 26 Luke Macken (RETIRED) gentoo-dev 2004-09-19 22:59:46 UTC
*** Bug 64182 has been marked as a duplicate of this bug. ***
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 00:34:27 UTC
GLSA ready, blocked by amd64 needing to mark epiphany-1.2.9-r1 stable.
Comment 28 Malcolm Lashley (RETIRED) gentoo-dev 2004-09-20 08:49:15 UTC
stable on amd64
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 09:00:25 UTC
GLSA drafted, security, please review
Comment 30 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 13:57:23 UTC
Thx everyone
GLSA 200409-26 is out