* Unpatched security flaws in GNU IceCat 38
From: Mark H Weaver @ 2016-08-04 3:06 UTC
To: guix-devel

I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
to critical security flaws that are believed to allow remote code
execution.  I was unable to backport upstream fixes from 45.3 to 38.

Until IceCat 45.3 is available, I recommend that you use Epiphany.

     Regretfully,
        Mark

* Re: Unpatched security flaws in GNU IceCat 38
From: Mike Gerwitz @ 2016-08-04 3:52 UTC
To: Mark H Weaver; +Cc: guix-devel

Mark:

On Wed, Aug 03, 2016 at 23:06:17 -0400, Mark H Weaver wrote:
> I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
> to critical security flaws that are believed to allow remote code
> execution.  I was unable to backport upstream fixes from 45.3 to 38.
>
> Until IceCat 45.3 is available, I recommend that you use Epiphany.

Could you elaborate?  I assume you're referencing this:

  https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.2

Are you going to be publishing an announcement about this?  Sorry if I
missed it; gnu.org/s/icecat doesn't mention anything.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com | GPG Key ID: 0x8EE30EAB

* Re: Unpatched security flaws in GNU IceCat 38
From: Mark H Weaver @ 2016-08-04 7:29 UTC
To: Mike Gerwitz; +Cc: guix-devel

Hi Mike,

Mike Gerwitz <mtg@gnu.org> writes:

> On Wed, Aug 03, 2016 at 23:06:17 -0400, Mark H Weaver wrote:
>> I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
>> to critical security flaws that are believed to allow remote code
>> execution.  I was unable to backport upstream fixes from 45.3 to 38.
>>
>> Until IceCat 45.3 is available, I recommend that you use Epiphany.
>
> Could you elaborate?  I assume you're referencing this:
>
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.2

Drop the "#firefoxesr45.2" to see the fixes in 45.3 as well:

  https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Upstream IceCat 38 is surely vulnerable to many of the flaws listed as
fixed in ESR 45.2 and 45.3.

The patched version of IceCat in GNU Guix does not include fixes from
45.3, but includes my "best effort" attempt to backport the most
important fixes from ESR 45.2:

  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa

Although I felt sufficiently satisfied with the results to continue
using IceCat before the 45.3 fixes were announced, I must stress that I
am *not* familiar with the Mozilla code, and do not consider myself
competent to reliably backport these fixes across 7 major versions of
Firefox.

(Also note that my backported fixes do *not* include critical fixes to
the bundled copies of cairo and libvpx in IceCat, because in Guix we
delete those bundled copies.)

More specifically, I ran into difficulties attempting to backport the
following changesets from the upstream mozilla-esr45 mercurial repo:

[Critical] memory safety bugs (CVE-2016-2836):

  changeset:   312137:3a0deb9801ab
  user:        Jon Coppeard <jcoppeard@mozilla.com>
  Date:        Wed Jun 29 10:04:25 2016 +0100
  summary:     Bug 822081 - Allow barriers to fire while tracing the heap r=terrence a=abillings a=ritu

  changeset:   312162:1188098e26d5
  user:        Seth Fowler <mark.seth.fowler@gmail.com>
  Date:        Tue Jun 21 17:56:24 2016 -0700
  summary:     Bug 1249578 (Part 1) - Verify that the size in the BIH header matches the ICO directory entry instead of fixing it. r=njn a=abillings, a=sylvestre

[Critical] WebRTC - Use After Free in socket thread (CVE-2016-5258):

  changeset:   312151:cc258670af8f
  user:        Nils Ohlmeier [:drno] <drno@ohlmeier.org>
  Date:        Wed Jul 13 15:49:47 2016 -0700
  summary:     Bug 1279146 - Clean up streams on shutdown. r=bwc, a=lizzard

[Critical] Yet another Use After Free in CanonicalizeXPCOMParticipant (CVE-2016-5259):

  changeset:   312145:380c05fc7d7f
  user:        Andrea Marchesini <amarchesini@mozilla.com>
  Date:        Wed Jul 06 08:36:54 2016 +0200
  summary:     Bug 1282992 - Improve sync event loop shutdown in workers, r=khuey a=ritu

[High] Favicon request doesn't timeout, or close when related window is closed (CVE-2016-2830):

  (mozilla bug 1255270; unable to find associated changeset)

[High] Heap-buffer-overflow in nsBidi::BracketData::AddOpening (CVE-2016-2838):

  changeset:   312120:5ffdebd7418e
  user:        Jonathan Kew <jkew@mozilla.com>
  Date:        Wed Jun 15 22:04:48 2016 +0100
  summary:     Bug 1279814 - Update mIsoRunLast index when handling PDI. r=xidorn, a=sylvestre

[High] stack-buffer-overflow in mozilla::gfx::BasePoint4d (CVE-2016-5252):

  changeset:   312123:910b8f21e777
  user:        Carsten "Tomcat" Book <cbook@mozilla.com>
  Date:        Thu Jun 23 12:41:04 2016 +0200
  summary:     Bug 1268854 - Break out of loop if no intersecting points on positive side of clipping plane. r=kip, a=sylvestre

[High] Type confusion in nsDisplayList::HitTest (CVE-2016-5263):

  (mozilla bug 1276897; unable to find associated changeset)

[Moderate] Heap-use-after-free in nsXULPopupManager::KeyDown (CVE-2016-5254):

  (mozilla bug 1266963; unable to find associated changeset)

[Moderate] XSS out of iframe sandbox, iframe disabled javascript. marquee (CVE-2016-5262):

  (mozilla bug 1277475; unable to find associated changeset)

[Moderate] Same origin policy bypass in local document/Universal xss (CVE-2016-5265):

  changeset:   312157:3e8a4fa8cb04
  user:        Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
  Date:        Wed Jun 22 17:15:06 2016 +0200
  summary:     Bug 1278013 - Remove SEC_FORCE_INHERIT_PRINCIPAL from loadinfo within baseChannel::Redirect. r=bz, a=sylvestre

> Are you going to be publishing an announcement about this?  Sorry if I
> missed it; gnu.org/s/icecat doesn't mention anything.

I do not have access to modify gnu.org/s/icecat.  I raised an alarm on
the Gnuzilla development list at the time, but so far there has been no
developer response.

  http://lists.gnu.org/archive/html/bug-gnuzilla/2016-06/msg00005.html

      Mark

* Re: Unpatched security flaws in GNU IceCat 38
From: Andreas Enge @ 2016-08-04 8:27 UTC
To: Mark H Weaver; +Cc: guix-devel

Hi Mark,

thanks for the information, which is quite worrying. There used to be
icecat versions every seven firefox releases, corresponding to the long
term releases. So icecat 45 should have been out for some while now...

Andreas

* Re: Unpatched security flaws in GNU IceCat 38
From: Danny Milosavljevic @ 2016-08-04 7:16 UTC
To: Mark H Weaver, guix-devel

Hi Mark,

On Wed, 03 Aug 2016 23:06:17 -0400
Mark H Weaver <mhw@netris.org> wrote:

> I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
> to critical security flaws that are believed to allow remote code
> execution.  I was unable to backport upstream fixes from 45.3 to 38.
>
> Until IceCat 45.3 is available, I recommend that you use Epiphany.

Thanks for the heads-up!

However:

$ guix package -i epiphany --keep-failed
[...]
Downloading invm90…-epiphany-3.20.1 (9.3MiB installed)...
 epiphany-3.20.1  734KiB/s 00:04 | 2.6MiB transferred
grafting '/gnu/store/da02rjcnykk7nxq2819paqp6cs7w5caf-libwnck-3.14.1' -> '/gnu/store/bvjs813j4jmpdlm4q6gcjj65lwkfbipy-libwnck-3.14.1'...
ERROR: In procedure char-set-contains?:
Wrong type argument in position 2 (expecting character):
note: keeping build directory `/tmp/guix-build-libwnck-3.14.1.drv-0'
builder for `/gnu/store/1x5zl6wssilbdpmadmxzp14qv7rjapv9-libwnck-3.14.1.drv' failed due to signal 11 (Segmentation fault)
cannot build derivation `/gnu/store/9zihnrz2q6vdkw6kgskdl8pzjwn2kqdz-epiphany-3.20.1.drv': 1 dependencies couldn't be built

* Re: Unpatched security flaws in GNU IceCat 38
From: Ricardo Wurmus @ 2016-08-04 9:18 UTC
To: Mark H Weaver; +Cc: guix-devel

Mark H Weaver <mhw@netris.org> writes:

> I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
> to critical security flaws that are believed to allow remote code
> execution.  I was unable to backport upstream fixes from 45.3 to 38.
>
> Until IceCat 45.3 is available, I recommend that you use Epiphany.

Thanks, Mark, for the heads-up.

Since our package for Conkeror also uses IceCat under the hood I suppose
our version of Conkeror also cannot be safely used at this point.

~~ Ricardo

* Re: Unpatched security flaws in GNU IceCat 38
From: ng0 @ 2016-08-04 12:43 UTC
To: guix-devel

Ricardo Wurmus <ricardo.wurmus@mdc-berlin.de> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
>> to critical security flaws that are believed to allow remote code
>> execution.  I was unable to backport upstream fixes from 45.3 to 38.
>>
>> Until IceCat 45.3 is available, I recommend that you use Epiphany.
>
> Thanks, Mark, for the heads-up.
>
> Since our package for Conkeror also uses IceCat under the hood I suppose
> our version of Conkeror also cannot be safely used at this point.
>
> ~~ Ricardo

This is bad news.

Should we consider the efforts and get torbrowser packaged as I wrote
about in the torbrowser thread, which is now at 45.3.0 with release
torbrowser-6.0.3 to have at least one 45.3x firefox based browser?

-- 
♥Ⓐ ng0
Current Keys: https://we.make.ritual.n0.is/ng0.txt
For non-prism friendly talk find me on http://www.psyced.org

* GNU IceCat 45 beta now available in Guix
From: Mark H Weaver @ 2016-10-12 5:42 UTC
To: guix-devel

Hello Guix,

I'm pleased to announce the availability of GNU IceCat 45.3.0-gnu1-beta
with selected fixes cherry-picked from upstream, including all security
fixes introduced in Firefox ESR 45.4.0, specifically:

  CVE-2016-5250 - Resource Timing API is storing resources sent by the previous page
  CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
  CVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel
  CVE-2016-5270 - Heap-buffer-overflow in nsCaseTransformTextRunFactory::TransformString
  CVE-2016-5272 - Bad cast in nsImageGeometryMixin
  CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState
  CVE-2016-5276 - Heap-use-after-free in mozilla::a11y::DocAccessible::ProcessInvalidationList
  CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick
  CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
  CVE-2016-5280 - Use-after-free in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
  CVE-2016-5281 - use-after-free in DOMSVGLength
  CVE-2016-5284 - Add-on update site certificate pin expiration

      Mark

* Re: GNU IceCat 45 beta now available in Guix
From: Ludovic Courtès @ 2016-10-12 9:14 UTC
To: Mark H Weaver; +Cc: guix-devel

Hi,

Mark H Weaver <mhw@netris.org> writes:

> I'm pleased to announce the availability of GNU IceCat 45.3.0-gnu1-beta
> with selected fixes cherry-picked from upstream, including all security
> fixes introduced in Firefox ESR 45.4.0, specifically:

Great, thanks a lot Mark!

Ludo’.

* Re: GNU IceCat 45 beta now available in Guix
From: Adonay Felipe Nogueira @ 2016-10-12 12:19 UTC
To: guix-devel

Thanks, I have the new version and I plan to test it over time. :)

* Re: GNU IceCat 45 beta now available in Guix
From: Leo Famulari @ 2016-10-12 14:32 UTC
To: Mark H Weaver; +Cc: guix-devel

On Wed, Oct 12, 2016 at 01:42:26AM -0400, Mark H Weaver wrote:
> Hello Guix,
>
> I'm pleased to announce the availability of GNU IceCat 45.3.0-gnu1-beta
> with selected fixes cherry-picked from upstream, including all security
> fixes introduced in Firefox ESR 45.4.0, specifically:
>
> CVE-2016-5250 - Resource Timing API is storing resources sent by
> the previous page
> CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
> CVE-2016-5261 - Integer overflow and memory corruption in WebSocketChannel
> CVE-2016-5270 - Heap-buffer-overflow in
> nsCaseTransformTextRunFactory::TransformString
> CVE-2016-5272 - Bad cast in nsImageGeometryMixin
> CVE-2016-5274 - use-after-free in nsFrameManager::CaptureFrameState
> CVE-2016-5276 - Heap-use-after-free in
> mozilla::a11y::DocAccessible::ProcessInvalidationList
> CVE-2016-5277 - Heap-use-after-free in nsRefreshDriver::Tick
> CVE-2016-5278 - Heap-buffer-overflow in nsBMPEncoder::AddImageFrame
> CVE-2016-5280 - Use-after-free in
> mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
> CVE-2016-5281 - use-after-free in DOMSVGLength
> CVE-2016-5284 - Add-on update site certificate pin expiration

Thanks a lot for your work on this!
