Bug 608180 - www-client/firefox depends on =dev-libs/libevent-2.0*
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Mozilla Gentoo Team
Duplicates: 609550
Blocks: CVE-2016-10195, CVE-2016-10196, CVE-2016-10197
Reported: 2017-02-04 08:41 UTC by Klaus Kusche
Modified: 2017-03-25 08:41 UTC

Attachments
libevent-2.1 support patch (firefox-libevent-2.1.patch, 1.15 KB, patch)
2017-02-04 12:48 UTC, Jory A. Pratt
libevent 2.1 support (0001_fix_esr_libevent-21.patch, 6.78 KB, patch)
2017-02-04 18:33 UTC, Jory A. Pratt

Description Klaus Kusche 2017-02-04 08:41:34 UTC
libevent-2.0.22-r2 was dropped from the tree.
This is the only 2.0 ebuild of libevent which supported libressl,
all other 2.0 ebuilds only support openssl.

However, firefox depends on libevent 2.0 and cannot be built with libevent 2.1.
This means that it is no longer possible to have a system with firefox and libressl, firefox now indirectly forces openssl via libevent.

Please add back 2.0.22-r2 or some other 2.0 version which supports libressl.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-04 09:48:16 UTC
(In reply to Klaus Kusche from comment #0)
> However, firefox depends on libevent 2.0

Conditionally, that is, on USE=system-libevent.

> and cannot be built with libevent 2.1.

> This means that it is no longer possible to have a system with firefox and
> libressl, firefox now indirectly forces openssl via libevent.

You can emerge firefox with USE=-system-libevent.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-04 09:51:08 UTC
(In reply to Jeroen Roovers from comment #1)
> You can emerge firefox with USE=-system-libevent.

But then you might hit bug #535774 as firefox 45.7.0 still uses 2.0.21. Of course they might have patched the vulns out in their bundled copy.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-04 10:04:49 UTC
(In reply to Jeroen Roovers from comment #2)
> But then you might hit bug #535774 as firefox 45.7.0 still uses 2.0.21. Of
> course they might have patched the vulns out in their bundled copy.

firefox-51.0 also still uses libevent-2.0.21. I am not saying that makes Firefox vulnerable, though, as it doesn't seem to use evbuffer_add() at all.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2017-02-04 11:02:51 UTC
2.0.22-r2 is back in the tree now for anyone who must have firefox with USE=system-libevent and libevent with USE=libressl. I'm just not sure for how long.
Comment 5 Jory A. Pratt gentoo-dev 2017-02-04 12:48:13 UTC
Created attachment 462422
libevent-2.1 support patch

If someone on esr branch can test, we will land and update the eclass to support 2.1.
Comment 6 Jory A. Pratt gentoo-dev 2017-02-04 18:33:17 UTC
Created attachment 462454
libevent 2.1 support

Simple solution for those wanting to test the current change who do not want to use the mozilla overlay. Just apply the patch and test with libevent-2.1.8.
Comment 7 Ian Stakenvicius (RETIRED) gentoo-dev 2017-02-04 21:04:12 UTC
(In reply to Jory A. Pratt from comment #5)
> Created attachment 462422
> libevent-2.1 support patch
> 
> If someone on esr branch can test, we will land and update the eclass to
> support 2.1.

firefox-45.7 seems fine, should we test thunderbird also?
Comment 8 Jory A. Pratt gentoo-dev 2017-02-04 22:10:58 UTC
(In reply to Ian Stakenvicius from comment #7)
> (In reply to Jory A. Pratt from comment #5)
> > Created attachment 462422
> > libevent-2.1 support patch
> > 
> > If someone on esr branch can test, we will land and update the eclass to
> > support 2.1.
> 
> firefox-45.7 seems fine, should we test thunderbird also?

I added it to patchset, refer to mozilla overlay for more info.
Comment 9 Jory A. Pratt gentoo-dev 2017-02-05 00:14:59 UTC
We have fixed the latest esr builds of thunderbird and firefox; we also fixed testing for firefox. Thanks for your report.
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2017-03-25 08:41:31 UTC
*** Bug 609550 has been marked as a duplicate of this bug. ***