FS#3205 - Firefox Update Desperately Needed
Details
Please update the Firefox package in [current]. 1.0.7 came
out today, and it has been far too long since the last
update (1.0.4). That makes us more than two months and three
versions behind on a major package.
A list of the MANY security issues (not including other fixes) Archlinux's Firefox package has (taken from http://www.mozilla.org/products/firefox/releases/1.0.7.html and http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox):
- Fix for a potential buffer overflow vulnerability when loading a hostname with all soft-hyphens
- Fix to prevent URLs passed from external programs from being parsed by the shell (Linux only)
- Code execution through shared function objects
- XHTML node spoofing
- Javascript prompt origin spoofing
- Standalone applications can run arbitrary code through the browser
- The return of frame-injection spoofing
- Possibly exploitable crash in InstallVersion.compareTo()
- Script injection from Firefox sidebar panel using data:
- Same-origin violation with InstallTrigger callback
- Code execution via "Set as Wallpaper" (doesn't really apply to Linux)
- XBL scripts ran even when Javascript disabled
- Content-generated event vulnerabilities

I run nightly builds myself, but it is a pressing concern of mine that we keep packages secure when there are readily available fixes that require a very small amount of effort to implement. This has been expressed a few times on the forums, with the latest thread being http://bbs.archlinux.org/viewtopic.php?t=15311
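The one Linux-only item in the list above ("URLs passed from external programs being parsed by the shell") is a general class of bug, not specific to Firefox: a launcher builds a command string containing an untrusted URL and hands it to a shell, so any shell metacharacter in the URL becomes a command. The script below is an added illustration written for this page, not Firefox's code or its actual fix; the "browser" is a stand-in printf, the URL is a constructed sample, and the function names are made up. It shows the vulnerable pattern beside the hardened one so the difference in behaviour can be observed directly.

```shell
#!/bin/sh
# Added example (hypothetical code, not from Firefox or Arch): why a URL must be
# passed to a helper program as one argv element, never interpolated into a
# command line that a shell re-parses.

# Constructed sample URL carrying a shell metacharacter. Real URLs can legally
# contain ; & | ` $ ( ) and friends, so filtering is not a substitute for
# correct argument passing.
URL='http://example.com/index.html;echo INJECTED'

# Vulnerable pattern: the URL is pasted into a string that `sh -c` parses.
# Everything after ';' runs as a separate command. printf stands in for the
# external browser that would actually be launched.
unsafe_open() {
    sh -c "printf '%s\n' $1"
}

# Hardened pattern: the URL is a single quoted argument of the helper, so the
# shell treats it purely as data. The helper receives exactly what was passed.
safe_open() {
    printf '%s\n' "$1"
}

# Returns 0 when the helper saw the URL intact (one line, equal to the input),
# 1 when it was split or altered by shell parsing.
url_arrived_intact() {
    [ "$("$1" "$2")" = "$2" ]
}

# Stand-alone demo: show what the "browser" receives under each pattern.
echo "unsafe_open sees:"
unsafe_open "$URL"
echo "safe_open sees:"
safe_open "$URL"
```

Run it and the unsafe variant prints two lines, the second being the output of the injected `echo`, while the safe variant prints the URL unchanged. The same rule applies to any language: build an argv array and call exec directly; never go through `system()` or `sh -c` with untrusted input.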
Edit: still no source available.
Apparently they didn't flag some of the files for 1.0.7 properly, so until that happens it's not even available via CVS, much less a source tarball.
We'll just have to wait, it seems :-)
I want to note that I realize my report seemed quite pushy, though that was not my intention. I filed this bug mainly so everyone is properly aware of the security issues and can take the appropriate precautions to prevent them from being exploited. I have yet to hear about any cases of these bugs being exploited, but it's better to know about it and be safe than to magically bork your system and wonder what happened. Also, I understand everyone is quite busy with GCC4 and libtool-slay as well.
"Apparently around 26,750 files were tagged and 450 missed. I'm not sure why but it looks like the tag process exited abruptly. This should be fixed now."
Hopefully that fixes the source not available issue.