Bug 152883

Summary: Multiple Mozilla vulnerabilities
Product: [Retired] Fedora Legacy
Component: mozilla
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1316
Whiteboard: 1, LEGACY, rh73, rh90, 2
Reporter: rob <rob.myers>
Assignee: Fedora Legacy Bugs <bugs>
CC: botsch, deisenst, jpdalbec, marc.deslauriers, michal, mschout, pekkas
Doc Type: Bug Fix
Last Closed: 2005-05-18 20:50:45 UTC

Description David Lawrence 2005-03-30 23:30:53 UTC
see also:
https://rhn.redhat.com/errata/RHSA-2005-038.html



------- Additional Comments From deisenst 2005-01-13 18:22:20 ----

Hey Rob - do you think we can tack this on to the end of Bug 2214 instead of
creating a new Bugzilla entry?        -David



------- Additional Comments From deisenst 2005-01-13 21:15:18 ----

I suggested previously that we tack this bug onto bug 2214, but it might make
more sense to keep this bug and forward 2214 to here.  I think we can do
something with this bug with the sources from RHEL, plus a couple of the
bugs mentioned in 2214.

For example, we can't do anything about these right now, because there are
no upstream patches available:
  * Bug 2214#0 or 
  * Bug 2214#4 (CAN-2004-1156) 
  * or the second half of Bug 2214#5 (CAN-2004-1200) 

But we likely *can* do something about

  * Bug 2214#3 (by grabbing code from Mozilla's bugzilla #272381,
    Ref:  https://bugzilla.mozilla.org/show_bug.cgi?id=272381), and

  * the first half of Bug 2214#5 (CAN-2004-0909) (by grabbing code from
    Mozilla's bugzilla #253942,
    Ref:  https://bugzilla.mozilla.org/show_bug.cgi?id=253942).

Thoughts?

(ps:  Hope you all don't mind my adding your names to the CC: list, since
you're already on the list for bug 2214.)




------- Additional Comments From rob.myers.edu 2005-01-14 02:14:44 ----

oops.  i didn't notice 2214 when i created this one.  we could move the info
there and mark this one as a duplicate if you want.  anyone have a preference?

i guess it doesn't matter where we track it as long as the bugs get fixed.  



------- Additional Comments From pekkas 2005-01-14 03:03:07 ----

The fewer bug #'s, the better.



------- Additional Comments From michal 2005-01-24 10:43:35 ----

Source rpm for mozilla-1.4.3-2.1.5, as given in RHSA-2005-038 for RHEL2.1,
recompiles on RH7.3 without any changes (beyond a release string and a changelog
entry in the spec).  Yes, you would need a matching galeon but galeon-1.2.13-5.2.1
from 2004-Sep-29 is still fine.



------- Additional Comments From pekkas 2005-02-26 21:06:25 ----

The key question at this point is -- do we want to create an interim mozilla
update by re-spinning the RHEL packages from January 12 or so? (our last version
is from October -- this only includes the fix for the NNTP issue).

My hunch is that we don't.  If not, we're probably going to have to wait (quite)
a while.  There's a growing pile of Mozilla CAN numbers at least... (there were
a couple of earlier ones listed in the bug #2214).  At least most of these are
already tracked by RHEL, so we'll probably want to follow their lead unless we'd
want to update to 1.7.5..

CAN-2004-1380  Firefox before 1.0 and Mozilla before 1.7.5 allows inactive
(background) tabs to launch dialog boxes, which can allow remote attackers to
spoof the dialog boxes from web sites in other windows and facilitate phishing
attacks, aka the "Dialog Box Spoofing Vulnerability."  

CAN-2004-1381  Firefox before 1.0 and Mozilla before 1.7.5 allow inactive
(background) tabs to focus on input being entered in the active tab, as
originally reported using form fields, which allows remote attackers to steal
sensitive data that is intended for other sites, which could facilitate phishing
attacks.  

CAN-2004-1449  Mozilla before 1.7, Firefox before 0.9, and Thunderbird before
0.7 allows remote attackers to determine the location of files on a user's hard
drive by obscuring a file upload control and tricking the user into dragging
text into that control.  

CAN-2004-1450  Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows
remote attackers to read arbitrary files in known locations.  

CAN-2004-1451  Mozilla before 1.6 does not display the entire URL in the status
bar when a link contains %00, which could allow remote attackers to trick users
into clicking on unknown or untrusted sites and facilitate phishing attacks.  

CAN-2004-1613  Mozilla allows remote attackers to cause a denial of service
(application crash from null dereference or infinite loop) via a web page that
contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a
null character and some trailing characters, as demonstrated by mangleme.  

CAN-2004-1614  Mozilla allows remote attackers to cause a denial of service
(application crash from invalid memory access) via an "unusual combination of
visual elements," including several large MARQUEE tags with large height
parameters, as demonstrated by mangleme.  

CAN-2004-1639  Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913
allows remote attackers to cause a denial of service (application crash or
memory consumption) via a large binary file with a .html extension.  
[????]

CAN-2005-0141  Firefox before 1.0 and Mozilla before 1.7.5 allow remote
attackers to load local files via links "with a custom getter and toString
method" that are middle-clicked by the user to be opened in a new tab.  

CAN-2005-0142  [Mozilla 1.7 before 1.7.5]

CAN-2005-0143  Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock
icon when an insecure page loads a binary file from a trusted site, which could
facilitate phishing attacks.  

CAN-2005-0144  Firefox before 1.0 and Mozilla before 1.7.5 display the secure
site lock icon when a view-source: URL references a secure SSL site while an
insecure page is being loaded, which could facilitate phishing attacks.  

CAN-2005-0146  Firefox before 1.0 and Mozilla before 1.7.5 allow remote
attackers to obtain sensitive data from the clipboard via Javascript that
generates a middle-click event on systems for which a middle-click performs a
paste operation.  

CAN-2005-0147  Firefox before 1.0 and Mozilla before 1.7.5, when configured to
use a proxy, respond to 407 proxy auth requests from arbitrary servers, which
allows remote attackers to steal NTLM or SPNEGO credentials.  

CAN-2005-0149  [Mozilla 1.7 through 1.7.3]

CAN-2005-0215  Mozilla 1.6 and possibly other versions allows remote attackers
to cause a denial of service (application crash) via a XBM (X BitMap) file with
a large (1) height or (2) width value.  

CAN-2005-0233  The International Domain Name (IDN) support in Firefox 1.0,
Camino .8.5, and Mozilla 1.6 allows remote attackers to spoof domain names using
punycode encoded domain names that are decoded in URLs and SSL certificates in a
way that uses homograph characters from other character sets, which facilitates
phishing attacks.  




------- Additional Comments From pekkas 2005-03-01 06:01:57 ----

*** Bug 2214 has been marked as a duplicate of this bug. ***



------- Additional Comments From dwb7.edu 2005-03-04 06:43:46 ----

I would vote on just respinning the RHEL 2.1 packages for rh7.3. They compile
and run just fine. We were actually looking at doing this for vulnerabilities
last October. But, I think someone then backported the packages, so that was not
necessary. 

I'm rebuilding the rhel2.1 packages for us, here. And, I can post them if folk
would like (altho, some more CANs have just come out, so, I would expect more
packages from redhat, soon).

Mozilla, like the kernel, may be a constant moving target.



------- Additional Comments From pekkas 2005-03-04 08:13:26 ----

Sure.. but RHEL's current update only covers _one_ issue, with NNTP urls.  There
are many more on the way.  They already pushed out a firefox update for RHEL4;
I'd guess we could expect a new Mozilla update within a week or two.  That
update could be much more extensive than one rebuilt now.



------- Additional Comments From marcdeslauriers 2005-03-05 10:34:24 ----

CAN-2005-0255:
 Daniel de Wildt discovered a memory handling flaw in Mozilla string classes
that could overwrite memory at a fixed location if reallocation fails during
string growth. This could theoretically lead to arbitrary code execution.
Creating the exact conditions for exploitation--including running out of memory
at just the right moment--is unlikely.

http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true
http://www.mozilla.org/security/announce/mfsa2005-18.html



------- Additional Comments From jpdalbec 2005-03-11 03:53:21 ----

05.10.25 CVE: CAN-2005-0584
Platform: Cross Platform
Title: Mozilla Suite/Firefox HTTP Authentication Dialogs Tab Focus
Description: Mozilla Suite and Mozilla Firefox are affected by a
vulnerability that may result in the loss of authentication
credentials. Firefox versions 1.0.1 and earlier and Mozilla Suite
versions 1.7.6 and earlier are known to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-24.html 



------- Additional Comments From deisenst 2005-03-11 18:22:51 ----

FYI- On March 4th, Red Hat issued RHSA-2005:277-10 (for RHEL 4):
<http://rhn.redhat.com/errata/RHSA-2005-277.html>, also
<http://www.redhat.com/archives/enterprise-watch-list/2005-March/msg00007.html>.

It presents mozilla-1.7.3-19.EL4.src.rpm.
------------------------------------------------

"Critical: mozilla security update
CVEs (cve.mitre.org):  	CAN-2005-0255

"Details:

"Updated mozilla packages that fix a buffer overflow issue are now available.

"This update has been rated as having critical security impact by the Red
Hat Security Response Team. ...

"A bug was found in the Mozilla string handling functions. If a malicious
website is able to exhaust a system's memory, it becomes possible to
execute arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0255 to this issue.

"Please note that other security issues have been found that affect Mozilla.
These other issues have a lower severity, and are therefore planned to be
released as additional security updates in the future.

"Users of Mozilla should upgrade to these updated packages, which contain a
backported patch and are not vulnerable to these issues."

Red Hat Bugzilla:
150124 - CAN-2005-0255 Memory overwrite in string library
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150124>.



------- Additional Comments From jpdalbec 2005-03-18 05:15:07 ----

05.11.12 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Status Bar Spoofing
Description: Mozilla is vulnerable to a URI spoofing weakness due to a
"Save Link As.." function working with nested anchor tags in a table
tag. Mozilla versions 1.7.x are vulnerable.
Ref: http://secunia.com/advisories/14568/ 



------- Additional Comments From marcdeslauriers 2005-03-23 13:23:38 ----

Red Hat's new updated mozilla we can use:

https://rhn.redhat.com/errata/RHSA-2005-323.html




------- Bug moved to this database by dkl 2005-03-30 18:30 -------

This bug previously known as bug 2380 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2380
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 Marc Deslauriers 2005-03-31 01:49:52 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are new mozilla, galeon and epiphany packages to QA:

Changelog 7.3:
* Wed Mar 23 2005 Marc Deslauriers <marcdeslauriers>
37:1.4.4-0.73.1.legacy
- - Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- - Fix missing icons in desktop files

* Fri Mar 18 2005 Christopher Aillon <caillon> 37:1.4.4-1.2.3
- - Rebuild to fix lock icon not working

Changelog 9:
* Thu Mar 24 2005 Marc Deslauriers <marcdeslauriers>
37:1.4.4-0.90.1.legacy
- - Update to security release 1.4.4 based on RHEL3 update 37:1.4.4-1.3.5
- - Fix for fireflash issue (CAN-2005-0232)
- - Fix for GIF overflow issue

* Sun Oct 03 2004 Marc Deslauriers <marcdeslauriers>
37:1.4.3-0.9.1.legacy
- - Added backported security fixes from mozilla 1.7.3

Changelog fc1:
* Wed Mar 23 2005 Marc Deslauriers <marcdeslauriers>
37:1.4.4-1.fc1.1.legacy
- - Rebuilt as Fedora Legacy update for Fedora Core 1
- - Changed useragent vendor tag to Fedora

* Fri Mar 18 2005 Christopher Aillon <caillon> 37:1.4.4-1.3.5
- - Rebuild to fix lock icon not working


7.3:
7b48ada2d2e579bcd1ba95ccb44212b54e4c843c  mozilla-1.4.4-0.73.1.legacy.i386.rpm
6816cfeecc3a6eb97336514004e498dc4be5f385  mozilla-1.4.4-0.73.1.legacy.src.rpm
60b60db43d7ea40d029245a41231536208c7593d  mozilla-chat-1.4.4-0.73.1.legacy.i386.rpm
5797fd94739a736ee205592b1ac780bd93df8920  mozilla-devel-1.4.4-0.73.1.legacy.i386.rpm
6b704a5577f6a11a7e793f3eef7a6faf7dcb7961  mozilla-dom-inspector-1.4.4-0.73.1.legacy.i386.rpm
eaba6043edd3ec7d9f69b3bda87473d26ea0b20b  mozilla-js-debugger-1.4.4-0.73.1.legacy.i386.rpm
645c6971452e18abf0dcad98e1d09544a62479ae  mozilla-mail-1.4.4-0.73.1.legacy.i386.rpm
4e508f7629a113f292acb0ee18bfe74b05cf4383  mozilla-nspr-1.4.4-0.73.1.legacy.i386.rpm
21caca91914365d6a531980a03db1477557c12fc  mozilla-nspr-devel-1.4.4-0.73.1.legacy.i386.rpm
3c4db702961b595b7b047b9f96e388ab3ae10049  mozilla-nss-1.4.4-0.73.1.legacy.i386.rpm
f77656fcfd49c2826f5019a9b49f92e50c0215ee  mozilla-nss-devel-1.4.4-0.73.1.legacy.i386.rpm
588edf2a52874ea1fccc06e2dd41e91d2e8fdb5c  galeon-1.2.13-0.7.2.legacy.i386.rpm
86388a0658e18291cf6a59c2e5ef67247f994d81  galeon-1.2.13-0.7.2.legacy.src.rpm

9:
93260feba0e5fdb7a444cd762cb473d210dcd4a8  mozilla-1.4.4-0.90.1.legacy.i386.rpm
a243d01772bf7def88471705f2cc1c58c6d20c2e  mozilla-1.4.4-0.90.1.legacy.src.rpm
3de0c40456c314dc021c9a951f735e7a80ab64ac  mozilla-chat-1.4.4-0.90.1.legacy.i386.rpm
f67c216fecc8dd65a9718ab2bbe0fb9d14dc8bb4  mozilla-devel-1.4.4-0.90.1.legacy.i386.rpm
767bb0e9aecb98871be367c02c18818dd9c21cc2  mozilla-dom-inspector-1.4.4-0.90.1.legacy.i386.rpm
f972f59053f17baf7bb658f6266d050c463e56d4  mozilla-js-debugger-1.4.4-0.90.1.legacy.i386.rpm
4eb9ab7dbe979a48358d005eec4934e12058f984  mozilla-mail-1.4.4-0.90.1.legacy.i386.rpm
2f767c5c9a25033b17f82eae164bc3aa4541a157  mozilla-nspr-1.4.4-0.90.1.legacy.i386.rpm
c753102ca29403036e7ccc449121055e4b893c27  mozilla-nspr-devel-1.4.4-0.90.1.legacy.i386.rpm
d455e5d2a73a4a39e11d181e8fa2b4eaebdb33fe  mozilla-nss-1.4.4-0.90.1.legacy.i386.rpm
af00c138f6a4eef08cb9f98aee8d4aabcc1aa969  mozilla-nss-devel-1.4.4-0.90.1.legacy.i386.rpm
9d475ecb0d0192b60412448c7b9aaeb563f91db2  galeon-1.2.13-0.9.3.legacy.i386.rpm
225f6f50356f10748b6b82cf0c9103810a959e0e  galeon-1.2.13-0.9.3.legacy.src.rpm

1:
fbf4b577547ae68a3c01a3be8d4af6f0828c90cc  mozilla-1.4.4-1.fc1.1.legacy.i386.rpm
5646f0f389348c15dfd219ad167ca8970ae96f2a  mozilla-1.4.4-1.fc1.1.legacy.src.rpm
fc36694f288512bfef88e38c4b5c0021c3fc435a  mozilla-chat-1.4.4-1.fc1.1.legacy.i386.rpm
d5cfd910c36cba717b399262d56ec620ce3b82ed  mozilla-devel-1.4.4-1.fc1.1.legacy.i386.rpm
da88d2a2941573b7257a494d338c96fd4bc49642  mozilla-dom-inspector-1.4.4-1.fc1.1.legacy.i386.rpm
6b7f0f43884e3fc76138e5e40cf6594b9ac0219c  mozilla-js-debugger-1.4.4-1.fc1.1.legacy.i386.rpm
696131eb5047aad057cdd10c1dd8cdf95a56cf03  mozilla-mail-1.4.4-1.fc1.1.legacy.i386.rpm
056b579a19678c5cc4a7cc285929daf6a49ed6b2  mozilla-nspr-1.4.4-1.fc1.1.legacy.i386.rpm
0413ab531a48aeed1bc9531dba13ff9d166a205f  mozilla-nspr-devel-1.4.4-1.fc1.1.legacy.i386.rpm
4491207ea507edbb027a16bc39b657a9952a015d  mozilla-nss-1.4.4-1.fc1.1.legacy.i386.rpm
2d351abcaea5df03bdbed723143ef6842e06e607  mozilla-nss-devel-1.4.4-1.fc1.1.legacy.i386.rpm
459b4f8dcea8ecf11e181c2f7b06ef95b3e3c5dc  epiphany-1.0.4-2.5.legacy.i386.rpm
9261a3f6aab392be4fb84940ea9f82676fd43395  epiphany-1.0.4-2.5.legacy.src.rpm

Source Packages (binaries are in same directory):
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.13-0.7.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.4.4-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.13-0.9.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.4.4-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.4-2.5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.4.4-1.fc1.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCS1bKLMAs/0C4zNoRAlx0AJ9nv7zpGltfyBQsUT0oohdnu6APHwCggZfd
sWXVX8//1yVbQc2Wo9p2lI4=
=R2ji
-----END PGP SIGNATURE-----


Comment 2 John Dalbec 2005-04-25 19:09:42 UTC
05.16.29 CVE: CAN-2005-0752
Platform: Cross Platform
Title: Mozilla Code Execution, Cross-Site Scripting and Policy Bypass
Vulnerabilities
Description: Multiple vulnerabilities have been reported in Mozilla
Suite, which can be exploited by attackers to conduct cross-site
scripting attacks, bypass certain security restrictions, and
compromise a user's system. Please check the link below for details on
all the issues.
Ref: http://www.mozilla.org/security/announce/mfsa2005-35.html 
http://www.mozilla.org/security/announce/mfsa2005-36.html  
http://www.mozilla.org/security/announce/mfsa2005-37.html 
http://www.mozilla.org/security/announce/mfsa2005-38.html 
http://www.mozilla.org/security/announce/mfsa2005-40.html 
http://www.mozilla.org/security/announce/mfsa2005-41.html 

05.16.33 CVE: CAN-2005-1156, CAN-2005-1157
Platform: Cross Platform
Title: Mozilla Firefox Search Plug-In Remote Script Code Execution
Vulnerability
Description: Mozilla Suite and Firefox are reported to be vulnerable
to a remote script code execution issue due to failure of the
application to provide secure access validation prior to implementing
search plug-ins. Mozilla Browser 1.7.6 and earlier as well as Firefox
1.0.2 and earlier are reported to be vulnerable.
Ref: http://www.securityfocus.com/bid/13211 

05.16.34 CVE: CAN-2005-1155
Platform: Cross Platform
Title: Mozilla Favicon Link Tag Remote Script Code Execution
Description: Mozilla Suite and Mozilla Firefox are vulnerable to a
remote script code execution. The application will execute arbitrary
javascript with a "<LINK rel="icon">" tag due to failing to deny
remote unauthorized access to trusted local interfaces. Firefox
versions 1.0.3 and Mozilla Suite versions 1.7.7 are not vulnerable.
Ref: http://www.mikx.de/firelinking/ 

05.16.38 CVE: CAN-2005-1153
Platform: Cross Platform
Title: Mozilla Suite/Firefox Blocked Pop-Up Window Remote Script Code
Execution
Description: Mozilla Suite is affected by a remote script code
execution vulnerability. Mozilla Browser versions 1.7.6 and earlier,
Firefox versions 1.0.2 and earlier and Netscape versions 7.2 and
earlier are known to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-35.html 

05.16.39 CVE: CAN-2005-1154
Platform: Cross Platform
Title: Mozilla Suite And Firefox Global Scope Pollution Cross-Site
Scripting
Description: A remote cross-site scripting vulnerability affects
Mozilla Suite and Mozilla Firefox. An attacker may exploit this issue
to execute arbitrary script code in the context of a page that is
currently being viewed. This may facilitate the theft of cookie based
authentication credentials as well as other attacks.
Ref: http://www.mozilla.org/security/announce/mfsa2005-36.html 

05.16.41 CVE: CAN-2005-1160
Platform: Cross Platform
Title: Mozilla Suite DOM Code Execution
Description: Both the Mozilla Suite and Firefox are vulnerable to a code
execution issue due to the application neglecting to properly verify
Document Object Model property values. Firefox version 1.0.3 and
Mozilla Suite version 1.7.7 are not vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-41.html 

Comment 3 Marc Deslauriers 2005-05-01 05:49:00 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated mozilla packages to QA for rh73, rh9, fc1 and fc2:

rh7.3 Changelog:
* Thu Apr 28 2005 Marc Deslauriers <marcdeslauriers>
37:1.7.7-0.73.1.legacy
- - Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- - Fix missing icons in desktop files

* Fri Apr 15 2005 Christopher Aillon <caillon> 37:1.7.7-1.1.2.1
- - Update to upstream 1.7.7 security release

rh9 Changelog:
* Fri Apr 29 2005 Marc Deslauriers <marcdeslauriers>
37:1.7.7-0.90.1.legacy
- - Rebuilt as a Fedora Legacy update for Red Hat Linux 9
- - Disabled desktop-file-utils
- - Disabled gtk2
- - Added missing BuildRequires
- - Force build with gcc296 to remain compatible with plugins
- - Added xft font preferences and patch back in
- - Removed mozilla-compose.desktop

* Wed Apr 27 2005 Christopher Aillon <caillon> 37:1.7.7-1.1.3.4
- - Fix issues with segfaulting on s390x

fc1 Changelog:
* Sat Apr 30 2005 Marc Deslauriers <marcdeslauriers>
37:1.7.7-1.1.1.legacy
- - Rebuilt as Fedora Legacy update for Fedora Core 1
- - Changed useragent vendor tag to Fedora
- - Removed Network category from mozilla.desktop

* Wed Apr 27 2005 Christopher Aillon <caillon> 37:1.7.7-1.1.3.4
- - Fix issues with segfaulting on s390x

fc2 Changelog:
* Sat Apr 30 2005 Marc Deslauriers <marcdeslauriers>
37:1.7.7-1.2.1.legacy
- - Rebuilt as a Fedora Legacy update to Fedora Core 2
- - Reverted to desktop-file-utils 0.4
- - Removed desktop-update-database
- - Disabled pango support

* Sat Apr 16 2005 Christopher Aillon <caillon> 37:1.7.7-1.3.1
- - Update to 1.7.7
- - Add nspr-config 64 bit patch from rstrode
- - Fix for some more cursor issues in textareas (149991, 150002, 152089)
- - Spec file cleanup

7.3:
70a22a90d8099b703b13893c3ce75f4b79c90ec6  mozilla-1.7.7-0.73.1.legacy.src.rpm
a8039d5a24af23ad294f3e028e9c349886f20d31  galeon-1.2.14-0.73.1.legacy.src.rpm

9:
52d5a72cf69854e8ed44656f16f5eab377ba1649  mozilla-1.7.7-0.90.1.src.rpm
ba5c286326ac87dd7e24501fb7017c8778eab73c  galeon-1.2.14-0.90.1.legacy.src.rpm

fc1:
1b823514d94c4ea6e7ae2c06ac59a26c003d60a6  mozilla-1.7.7-1.1.1.legacy.src.rpm
57bcb48d4907dba0ef0d3c22b17eac5e4320abc3  epiphany-1.0.8-1.fc1.1.legacy.src.rpm

fc2:
03320b935a35d0b408540403fd0ca672ff70c86a  mozilla-1.7.7-1.2.1.legacy.src.rpm
2493d87b7ddaa86f5d288233b3878d36946ef91d  epiphany-1.2.10-0.2.2.legacy.src.rpm
edcc763e24cd6dd58fc205e0e33aacf4a67fda4c  devhelp-0.9.1-0.2.6.legacy.src.rpm

7.3:
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.7-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.1.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/

9:
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.7-0.90.1.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.1.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.7-1.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.1.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.7-1.2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.6.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/2/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCdG1GLMAs/0C4zNoRArSNAKC00XVQjDBC6Pwtj3VtuqY7lz9PqwCgsWAa
Symaged0iwMrG0YODtiYGKg=
=OVhg
-----END PGP SIGNATURE-----


Comment 4 Pekka Savola 2005-05-01 15:20:59 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:

Issues noted:
 - mozilla-source-1.7.7.tar.bz2 in FC1 package has wrong SHA1 checksum, it
   appears that this file has been corrupted. OK if replaced with
   checksum c660db518add97ed54e30a901c1e4e60dbafab3a; otherwise source
   integrity OK.

 - Spec file changes are major, and something is probably going to break. 
   But regardless of this, I think this is the only way to go forward -- make
   the packages as uniform with RHEL as possible, because we don't have
   resources to do otherwise. OK.  "If it's good enough for RHEL, it should
   be good enough for us."

 - Changes and patches are mainly OK.  Two issues:

  * in previous version of RHL9 and in RHEL3 there is
    mozilla-compose.desktop, but it's removed from here.  This has been done on
    purpose but I can't see why? 

  * I couldn't figure out how to verify the mozilla-1.7.7 patch in epiphany
    1.0.8.  How was it created/where does it come from?  Would updating to
    epiphany 1.2.10 be feasible?

 - Naming has one forgotten legacy tag and non-incremental numbering (if we
   want to care about FC<->RHEL or RHL<->RHEL updates; I don't know if that's
   the case):

RHL73 mozilla-1.7.7-0.73.1.legacy.src.rpm
RHL9  mozilla-1.7.7-0.90.1.src.rpm        <== note, missing ".legacy" !!
FC1   mozilla-1.7.7-1.1.1.legacy.src.rpm
RHEL2 mozilla-1.7.7-1.1.2.1.src.rpm
RHEL3 mozilla-1.7.7-1.1.3.4.src.rpm
FC2   mozilla-1.7.7-1.2.1.legacy.src.rpm
FC3   mozilla-1.7.7-1.3.1.src.rpm

All in all, I'd give +PUBLISH for all the mozilla, galeon and devhelp
packages (provided that FC1 mozilla .tar.bz2 file is changed to match the
abovementioned checksum), but I'd have to understand the epiphany patch more
to give publishing it a go..

70a22a90d8099b703b13893c3ce75f4b79c90ec6  mozilla-1.7.7-0.73.1.legacy.src.rpm
52d5a72cf69854e8ed44656f16f5eab377ba1649  mozilla-1.7.7-0.90.1.src.rpm
1b823514d94c4ea6e7ae2c06ac59a26c003d60a6  mozilla-1.7.7-1.1.1.legacy.src.rpm
03320b935a35d0b408540403fd0ca672ff70c86a  mozilla-1.7.7-1.2.1.legacy.src.rpm
57bcb48d4907dba0ef0d3c22b17eac5e4320abc3  epiphany-1.0.8-1.fc1.1.legacy.src.rpm
2493d87b7ddaa86f5d288233b3878d36946ef91d  epiphany-1.2.10-0.2.2.legacy.src.rpm
edcc763e24cd6dd58fc205e0e33aacf4a67fda4c  devhelp-0.9.1-0.2.6.legacy.src.rpm
a8039d5a24af23ad294f3e028e9c349886f20d31  galeon-1.2.14-0.73.1.legacy.src.rpm
ba5c286326ac87dd7e24501fb7017c8778eab73c  galeon-1.2.14-0.90.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCdPObGHbTkzxSL7QRAghXAJ9MVH9HXBd9J9AYanvqKoB7PaumpwCgq4ot
fV+/bOduL8mpbRKfZ1DS4eI=
=I1p6
-----END PGP SIGNATURE-----

Comment 5 Marc Deslauriers 2005-05-01 16:05:21 UTC
Could your download have been corrupted? I re-downloaded the src rpm from the
ftp site where I put it and the sha1sum of the mozilla tarball is
c660db518add97ed54e30a901c1e4e60dbafab3a. Could you double-check please?

mozilla-compose.desktop was removed as the mozilla tarball itself had a "compose
mail" desktop file in it. The icon to create a new mail was appearing twice in
the menus.

I made the epiphany 1.0.8 patch. It was made by looking at the mozilla API,
galeon source code, and newer epiphany source code. AFAICT, no other distro has
made a patch for epiphany to make it compatible with mozilla-1.7.7, so there's
no way to verify it besides trying to use epiphany. I quickly tested epiphany
after making the patch, and it looks ok...but someone who actually uses epiphany
will have to check it out thoroughly as I may have screwed something up. (This
can be done once it's built for updates-testing though)

Whoops...we'll add the missing legacy tag to the packages when we build them in
mach. We usually don't look at the Fedora-RHEL upgrade path as even RH doesn't
respect it most of the time. So the actual releases would be:

RHL73 mozilla-1.7.7-0.73.1.legacy.src.rpm
RHL9  mozilla-1.7.7-0.90.1.src.rpm        <== note, missing ".legacy" !!
FC1   mozilla-1.7.7-1.1.1.legacy.src.rpm
FC2   mozilla-1.7.7-1.2.1.legacy.src.rpm
FC3   mozilla-1.7.7-1.3.1.src.rpm



Comment 6 Pekka Savola 2005-05-01 17:43:09 UTC
You're correct; my download must have been bad because it verifies OK now.

I wonder about mozilla-compose, because I don't understand why RHEL3 ships it
then; maybe they have double icons then, but that's not our problem so it's OK.

I'd really like to find alternative solutions to the epiphany issue.  From a
quick look, epiphany 1.0.x was designed for gnome 2.4 while epiphany 1.2.x was
for gnome 2.6, but I haven't tested; would it be possible to rebuild newer
epiphany for FC1?

Packages like epiphany are certainly going to cause a lot of maintenance
headaches unless we have a better way of dealing with the issues. 
(Unfortunately this is a more generic issue, because we don't have RHEL versions
to use as guidance for FC1/FC2..)

That said, if there is no other option, I can give a PUBLISH for all RHL73,
RHL9, FC1, and FC2, but I'd really want to avoid having to write our own patches
(and hope they work).

Comment 7 Marc Deslauriers 2005-05-01 18:31:20 UTC
I removed mozilla-compose because there was an error in the spec file. They
removed the icon and the source file, but they forgot to remove it from the list
of files that is under the conditional include when you don't use
desktop-file-utils (which is the case with rh9).

I tried rebuilding epiphany 1.2.x, but it uses a bunch of stuff from Gnome 2.6.
Unfortunately, the easiest solution was to hack epiphany 1.0.x. FC1 looks to be
the only distro that uses epiphany 1.0.x and an updated mozilla, so we can't
rely on anyone else to help with this.

I don't see any other option...unless someone comes up with something (besides
drop epiphany altogether...)



Comment 8 Pekka Savola 2005-05-01 18:35:36 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, let's hope folks will give epiphany an extra try at VERIFY.

+PUBLISH RHL73,RHL9,FC1,FC2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD4DBQFCdSFMGHbTkzxSL7QRAuEzAJ0QiLgA+aLxz1rMN9FlOGVcPE3ZfQCYs53W
3aP27V1Pw5OHOkg41U3SSQ==
=hvC9
-----END PGP SIGNATURE-----


Comment 9 Marc Deslauriers 2005-05-06 02:09:58 UTC
Packages were pushed to updates-testing.

Comment 10 Pekka Savola 2005-05-06 16:03:46 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA on RHL9:
 
I upgraded mozilla, -mail, -nspr, and -nss; all the basic things appear
to be working OK.  The GPG signature is also good.
 
+VERIFY RHL9
 
 
 
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCe5UYGHbTkzxSL7QRAuMTAKC0beoJ5LgG/ljlMVlPj7dUpQ5L2wCgkmCT
U2JvWEnsZSbB7ptnfC0/+Gc=
=wHnx
-----END PGP SIGNATURE-----


Comment 11 David Curry 2005-05-08 05:52:39 UTC
I haven't figured out how to sign one of these reports with a pgp signature
(that I have created), so that signature is not presented here.

All Mozilla test updates for FC2 were downloaded, signatures checked, and
installed on my system without any problems.  Composer was opened and closed. 
Mail and Browser have been used for two days with no apparent problems. 
(Neither plugins nor Java are installed.) A mix of more than 40 retail outlet,
opensource, and Commercial computer support provider sites were visited without
observing any behaviors that differed from the previous version of Mozilla
installed on this FC2 system.

FC2 + verify

Comment 12 Pekka Savola 2005-05-08 06:09:52 UTC
The wiki is down, unfortunately; it would have told you to sign using 'gpg
--clearsign'.  Please also send a "self-introduction" on the list if you
haven't already.  There are a couple of examples of this in the list archives.

Comment 13 mschout 2005-05-10 20:54:13 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

7.3 Verify:

sha1:

signatures:
mozilla-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-chat-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-dom-inspector-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-js-debugger-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-mail-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nspr-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nspr-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nss-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
mozilla-nss-devel-1.7.7-0.73.2.legacy.i386.rpm: md5 gpg OK
galeon-1.2.14-0.73.2.legacy.i386.rpm: md5 gpg OK

"yum update mozilla\* galeon" completes without errors or warnings.

Mozilla appears to be functioning normally.  I opened it up and used it to look
at several sites to test.

+VERIFY RHL7.3


Comment 14 mschout 2005-05-11 03:31:12 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FC1 verify

sha1:

signatures:
mozilla-1.7.7-1.1.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (d1bbf4e9d78b295b96385e983dabf2db5f869e1f)
    MD5 digest: OK (42f884a800b87773b0e8502cd9363c2b)
    V3 DSA signature: OK, key ID 731002fa
mozilla-mail-1.7.7-1.1.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (eae34a99527f5317bcbf68b0caa7cb7110ee64cf)
    MD5 digest: OK (0fff34c271173859d1e9a101cf36065c)
    V3 DSA signature: OK, key ID 731002fa
mozilla-nspr-1.7.7-1.1.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (d0af7b1972a82c707c7ca1371d0ee1009780edc0)
    MD5 digest: OK (862ab8a90ad75c647308a3f4a766053f)
    V3 DSA signature: OK, key ID 731002fa
mozilla-nss-1.7.7-1.1.2.legacy.i386.rpm:
    Header V3 DSA signature: OK, key ID 731002fa
    Header SHA1 digest: OK (5bb9d19ce62c040397b9ebefb9d25a9084f04faa)
    MD5 digest: OK (e7bcab3724ee92b10d85de3a4542e577)
    V3 DSA signature: OK, key ID 731002fa

packages install without any errors or warnings.

opened mozilla, browsed a few sites.  Everything seems normal.

Opened mozilla -mail, read some messages in my IMAP account, verified that I
can send and delete messages.  Everything seems fine.

+VERIFY FC1

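The QA comments above check each downloaded package against a posted "sha1  filename" manifest before installing it. The following is an added example (not code from this bug or from Fedora Legacy) of that check as a script: it parses a manifest in either layout the comments use (hash and filename on one line, or the filename wrapped onto the next line), compares against `sha1sum`, and fails if any file is missing or altered. Signature checking with `rpm --checksig` is a separate step and is not shown here.

```shell
#!/bin/sh
# Added example: verify downloaded packages against a "sha1  file" manifest
# in the layouts seen in the verification comments above.

# normalize_manifest MANIFEST: print one "sha1 filename" pair per line,
# joining a bare hash line with the filename on the line that follows it.
normalize_manifest() {
  pending=""
  while read -r first rest; do
    [ -z "$first" ] && continue               # skip blank lines
    if [ -n "$rest" ]; then                   # "hash  file" on one line
      printf '%s %s\n' "$first" "$rest"; pending=""
    elif [ -n "$pending" ]; then              # filename wrapped from previous line
      printf '%s %s\n' "$pending" "$first"; pending=""
    else                                      # bare hash; filename follows
      pending="$first"
    fi
  done < "$1"
}

# verify_manifest MANIFEST DIR: compare the sha1sum of each listed file in
# DIR with the manifest. Prints a verdict per file; returns 1 on any failure.
verify_manifest() {
  tmp=$(mktemp) || return 2
  normalize_manifest "$1" > "$tmp"
  fail=0
  while read -r sum file; do
    path="$2/$file"
    if [ ! -f "$path" ]; then
      echo "MISSING $file"; fail=1; continue
    fi
    actual=$(sha1sum "$path" | cut -d' ' -f1)
    if [ "$actual" = "$sum" ]; then
      echo "OK      $file"
    else
      echo "BAD     $file (expected $sum, got $actual)"; fail=1
    fi
  done < "$tmp"
  rm -f "$tmp"
  return $fail
}
```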

Comment 15 Michal Jaegermann 2005-05-17 02:51:45 UTC
There are three vulnerabilities fixed by the 1.7.8 mozilla release.  Namely

MFSA 2005-44  Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

The first two are marked on 
http://www.mozilla.org/projects/security/known-vulnerabilities.html
as "critical" and the third "high".

It does not look like a big step-up from 1.7.7, with the note that the
source rpm for mozilla-1.7.8-1.3.1 from FC3 has more spec cleanups
than its predecessor.

To enable pango there one needs pango >= 1.5, and this is not satisfied
below FC3, so it should not be enabled.

Comment 16 Marc Deslauriers 2005-05-18 20:50:45 UTC
These packages were officially released.

Please open a new bug for the new issues.