Opened 12 years ago

Closed 12 years ago

#694 closed defect (wontfix)

xulrunner: security update

Reported by: sascha_silbe Owned by: sascha_silbe
Priority: Urgent Milestone: Unspecified
Component: sugar-jhbuild Version: Git as of bugdate
Severity: Critical Keywords:
Cc: Distribution/OS: Unspecified
Bug Status: Assigned

Description

xulrunner 1.9.0.7 has security issues that are already fixed in the distros, but 1.9.0.8 has not been released yet, so we need to pull the patches from e.g. Debian and apply on our own.

Change History (3)

comment:1 in reply to: ↑ description Changed 12 years ago by tomeu

Replying to sascha_silbe:

xulrunner 1.9.0.7 has security issues that are already fixed in the distros, but 1.9.0.8 has not been released yet, so we need to pull the patches from e.g. Debian and apply on our own.

Should we move to 1.9.1 now that most distros are using it? The closer jhbuild is to the current development versions of distros, the easier will be to catch integration issues in jhbuild, where it's easier to fix them.

Also, do we need to worry about security in jhbuild? Given that it is a development tool.

comment:2 Changed 12 years ago by sascha_silbe

Should we move to 1.9.1 now that most distros are using it?

I'm unsure about that. We'd lose support for Ubuntu intrepid (which still has support at least up to 2010.04) and Fedora 10 (don't know anything about Fedora support periods) - or at least would require people trying to get Sugar 0.86 running on those distros to backport latest xulrunner. Debian lenny (just released!) already isn't good enough due to dependency on gio.
OTOH, given that xulrunner is supported rather shortly upstream, depending on old versions might not be a good idea either.

Also, do we need to worry about security in jhbuild? Given that it is a development tool.

Especially in that case. Think of what happens if a developer machine gets taken over (we still have no Rainbow in place that would prevent that)!

comment:3 Changed 12 years ago by sascha_silbe

  • Resolution set to wontfix
  • Status changed from new to closed

I won't fix this one and instead wait for 1.9.0.8. Debian doesn't include any patches for it, but instead modified the source directly (500kB uncompressed diff for all changes). Mozilla didn't point to any official patch or even a SVN/whatever revision where the fix got applied, so getting it from there would mean scanning all recent changes to the repository (if it's public at all, haven't checked).
If somebody else has a patch I'll apply it, but I don't have the time for further research.
+2 for kicking xulrunner as soon as we get the chance (webkit?). 2 weeks now and no fixed version available, even though it's a high-profile exploit (winning entry on a public cracking contest).
