all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: Mark H Weaver <mhw@netris.org>
To: Mike Gerwitz <mtg@gnu.org>
Cc: guix-devel@gnu.org
Subject: Re: Unpatched security flaws in GNU IceCat 38
Date: Thu, 04 Aug 2016 03:29:59 -0400	[thread overview]
Message-ID: <87h9b1yoso.fsf@netris.org> (raw)
In-Reply-To: <87wpjxdwdb.fsf@gnu.org> (Mike Gerwitz's message of "Wed, 03 Aug 2016 23:52:00 -0400")

Hi Mike,

Mike Gerwitz <mtg@gnu.org> writes:

> On Wed, Aug 03, 2016 at 23:06:17 -0400, Mark H Weaver wrote:
>> I'm sorry to report that GNU IceCat 38 can no longer be safely used, due
>> to critical security flaws that are believed to allow remote code
>> execution.  I was unable to backport upstream fixes from 45.3 to 38.
>>
>> Until IceCat 45.3 is available, I recommend that you use Epiphany.
>
> Could you elaborate?  I assume you're referencing this:
>
>   https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr45.2

Drop the "#firefoxesr45.2" to see the fixes in 45.3 as well:

  https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Upstream IceCat 38 is surely vulnerable to many of the flaws listed as
fixed in ESR 45.2 and 45.3.  The patched version of IceCat in GNU Guix
does not include fixes from 45.3, but includes my "best effort" attempt
to backport the most important fixes from ESR 45.2:

  http://git.savannah.gnu.org/cgit/guix.git/commit/?id=98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa

Although I felt sufficiently satisfied with the results to continue
using IceCat before the 45.3 fixes were announced, I must stress that I
am *not* familiar with the Mozilla code, and do not consider myself
competent to reliably backport these fixes across 7 major versions of
Firefox.  (Also note that my backported fixes do *not* include critical
fixes to the bundled copies of cairo and libvpx in IceCat, because in
Guix we delete those bundled copies.)

More specifically, I ran into difficulties attempting to backport the
following changesets from the upstream mozilla-esr45 mercurial repo:

[Critical] memory safety bugs (CVE-2016-2836):

  changeset:   312137:3a0deb9801ab
  user:        Jon Coppeard <jcoppeard@mozilla.com>
  Date:        Wed Jun 29 10:04:25 2016 +0100
  summary:     Bug 822081 - Allow barriers to fire while tracing the heap r=terrence a=abillings a=ritu

  changeset:   312162:1188098e26d5
  user:        Seth Fowler <mark.seth.fowler@gmail.com>
  Date:        Tue Jun 21 17:56:24 2016 -0700
  summary:     Bug 1249578 (Part 1) - Verify that the size in the BIH header matches the ICO directory entry instead of fixing it. r=njn a=abillings, a=sylvestre

[Critical] WebRTC - Use After Free in socket thread (CVE-2016-5258):

  changeset:   312151:cc258670af8f
  user:        Nils Ohlmeier [:drno] <drno@ohlmeier.org>
  Date:        Wed Jul 13 15:49:47 2016 -0700
  summary:     Bug 1279146 - Clean up streams on shutdown. r=bwc, a=lizzard

[Critical] Yet another Use After Free in CanonicalizeXPCOMParticipant
(CVE-2016-5259):

  changeset:   312145:380c05fc7d7f
  user:        Andrea Marchesini <amarchesini@mozilla.com>
  Date:        Wed Jul 06 08:36:54 2016 +0200
  summary:     Bug 1282992 - Improve sync event loop shutdown in workers, r=khuey a=ritu

[High] Favicon request doesn't timeout, or close when related window is
closed (CVE-2016-2830):

  (mozilla bug 1255270; unable to find associated changeset)

[High] Heap-buffer-overflow in nsBidi::BracketData::AddOpening
(CVE-2016-2838):

  changeset:   312120:5ffdebd7418e
  user:        Jonathan Kew <jkew@mozilla.com>
  Date:        Wed Jun 15 22:04:48 2016 +0100
  summary:     Bug 1279814 - Update mIsoRunLast index when handling PDI. r=xidorn, a=sylvestre

[High] stack-buffer-overflow in mozilla::gfx::BasePoint4d
(CVE-2016-5252):

  changeset:   312123:910b8f21e777
  user:        Carsten "Tomcat" Book <cbook@mozilla.com>
  Date:        Thu Jun 23 12:41:04 2016 +0200
  summary:     Bug 1268854 - Break out of loop if no intersecting points on positive side of clipping plane. r=kip, a=sylvestre

[High] Type confusion in nsDisplayList::HitTest (CVE-2016-5263):

  (mozilla bug 1276897; unable to find associated changeset)

[Moderate] Heap-use-after-free in nsXULPopupManager::KeyDown
(CVE-2016-5254):

  (mozilla bug 1266963; unable to find associated changeset)

[Moderate] XSS out of iframe sandbox, iframe disabled
javascript. marquee (CVE-2016-5262):

  (mozilla bug 1277475; unable to find associated changeset)

[Moderate] Same origin policy bypass in local document/Universal xss
(CVE-2016-5265):

  changeset:   312157:3e8a4fa8cb04
  user:        Christoph Kerschbaumer <ckerschb@christophkerschbaumer.com>
  Date:        Wed Jun 22 17:15:06 2016 +0200
  summary:     Bug 1278013 - Remove SEC_FORCE_INHERIT_PRINCIPAL from loadinfo within baseChannel::Redirect. r=bz, a=sylvestre

> Are you going to be publishing an announcement about this?  Sorry if I
> missed it; gnu.org/s/icecat doesn't mention anything.

I do not have access to modify gnu.org/s/icecat.  I raised an alarm on
the Gnuzilla development list at the time, but so far there has been no
developer response.

  http://lists.gnu.org/archive/html/bug-gnuzilla/2016-06/msg00005.html

      Mark

  reply	other threads:[~2016-08-04  7:30 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-04  3:06 Unpatched security flaws in GNU IceCat 38 Mark H Weaver
2016-08-04  3:52 ` Mike Gerwitz
2016-08-04  7:29   ` Mark H Weaver [this message]
2016-08-04  8:27     ` Andreas Enge
2016-08-04  7:16 ` Danny Milosavljevic
2016-08-04  9:18 ` Ricardo Wurmus
2016-08-04 12:43   ` ng0
2016-10-12  5:42 ` GNU IceCat 45 beta now available in Guix Mark H Weaver
2016-10-12  9:14   ` Ludovic Courtès
2016-10-12 12:19   ` Adonay Felipe Nogueira
2016-10-12 14:32   ` Leo Famulari

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87h9b1yoso.fsf@netris.org \
    --to=mhw@netris.org \
    --cc=guix-devel@gnu.org \
    --cc=mtg@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.