Description of problem: A new vulnerability, deemed "critical", showed up identified as CAN-2005-2871. See, for example, https://rhn.redhat.com/errata/RHSA-2005-769.html. One more additional patch, named firefox-307259-branch.patch in mozilla-1.7.10-1.1.3.2.src.rpm, is needed to close that hole. This patch applies in a straightforward manner to current legacy updates based on 1.7.10. The same patch is also used in mozilla-1.7.10-1.3.2.src.rpm from FC3 updates, and mozilla recompiles after adding it without any issues (at least on an RH7.3 installation). Resulting binaries work or you are not reading that. :-)
Another way to temporarily step around the issue is to follow an advisory from Mozilla and set 'network.enableIDN' to false on the 'about:config' screen of unpatched browsers. The same can be done, separately, both for mozilla and galeon (and more precisely - the patch affects libraries which are used by galeon too so there is no galeon specific change and it is not clear to me what is required by epiphany).
Version-Release number of selected component (if applicable): mozilla-1.7.10-0.<distro_tag>
The SANS @RISK digest says:
05.37.18 CVE: CAN-2005-2871
Platform: Cross Platform
Title: Mozilla/Netscape/Firefox Browsers Domain Name Remote Buffer Overflow
Description: Mozilla, Netscape and Firefox are Web browsers that are based on the Gecko engine. They are reported prone to a remote buffer overflow vulnerability caused when an affected browser handles a malformed URI containing a domain name consisting of "-" characters. Firefox versions 1.0.6 and 1.5 Beta 1 are vulnerable to this issue. Mozilla version 1.7.11, Netscape versions 8.0.3.3 and 7.2 are affected as well.
Ref: http://www.securityfocus.com/bid/14784
(1) CRITICAL: Gecko based browsers IDN URI Domain Name Buffer Overflow
Affected:
FireFox 1.0.6 and prior
FireFox 1.5 Beta 1 (Deer Park Alpha 2)
Netscape 7.x and 8.x
Mozilla Suite 1.7.11 and prior
Description: International Domain Names (IDN) are domain names, or web addresses, represented by local language characters, utilizing non-ASCII characters. Browsers like FireFox, Netscape, i.e. Gecko (web browser layout engine) based browsers are vulnerable to a heap based buffer overflow when parsing certain IDN encoded URI's. An attacker could entice a user to view an HTML document with a malformed hyperlink, containing a long string of ONLY Unicode "soft hyphens" (U+00AD or hex AD) as the domain name in the URI and thus cause a DoS or execute arbitrary code on the affected system.
Status: Mozilla Foundation has issued a patch and also has a quick fix by manually configuring the browser to disable IDN.
Council Site Actions: The reporting council sites using the affected software plan to distribute the patch during their next regularly scheduled system update process or remove Netscape 7.x from their desktops since they recently implemented an ActiveX filtering solution and no longer need an alternate browser on their desktop.
References:
Discovered by Tom Ferris http://www.security-protocols.com/advisory/sp-x17-advisory.txt
SecurityFocus BID http://www.securityfocus.com/bid/14784
Fix for IDN Buffer Overflow https://addons.mozilla.org/messages/307259.html
CERT Advisory http://www.kb.cert.org/vuls/id/573857
Secunia Advisories http://secunia.com/advisories/16764 http://secunia.com/advisories/16766
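Both descriptions above come down to one property that a proxy filter or a scanner of saved pages can test: a link whose domain name is made up entirely of U+00AD or "-" characters. The following Python is an added example, not code from the digest, from Mozilla or from this bug report; the function names and the sample page are constructed for illustration, and it also covers the entity-encoded and percent-encoded spellings of the soft hyphen.

```python
"""Flag links whose host consists only of soft hyphens (U+00AD) or "-" characters."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# The two characters the advisories above name as making up the whole domain name.
SUSPECT_CHARS = frozenset("\u00ad-")


class LinkCollector(HTMLParser):
    """Collect href/src values; the parser decodes &shy; and &#173; in attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)


def host_of(url):
    """Return the host of url with percent-escapes decoded, or None if it has none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:  # netloc the standard library refuses to parse
        return None
    return unquote(host) if host else None


def is_suspect(host):
    """True when host is non-empty and every character is U+00AD or '-'."""
    return bool(host) and all(ch in SUSPECT_CHARS for ch in host)


def scan_html(html):
    """Return (url, host length) for each link whose host is suspect."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for url in collector.urls:
        host = host_of(url)
        if is_suspect(host):
            findings.append((url, len(host)))
    return findings


# Constructed sample page (hypothetical links, short host strings): one benign
# link, three spellings of a hyphen-only host, and one ordinary hyphenated name.
SAMPLE_HTML = "".join([
    '<a href="https://www.mozilla.org/security/">advisory</a>',
    '<a href="https://' + "&shy;" * 8 + '/">entity-encoded</a>',
    '<a href="https://' + "%C2%AD" * 8 + '/x">percent-encoded</a>',
    '<a href="https://-----/">ASCII hyphens</a>',
    '<a href="https://my-site.example/">ordinary hyphenated name</a>',
])

if __name__ == "__main__":
    for url, length in scan_html(SAMPLE_HTML):
        print(f"suspect host ({length} chars): {url!r}")
```

A hit is a reason to inspect the page, not proof of an attack; the host length is reported because the advisory describes a long string as the trigger.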
FWIW, here are mozilla SRPM and RPMs for RHL9. I just took the latest mozilla version we shipped and upgraded to 1.7.12. Available at http://staff.csc.fi/psavola/fl/
05.38.16 CVE: CAN-2005-2968
Platform: Cross Platform
Title: Mozilla Browser/Firefox Command Execution
Description: Mozilla Browser/Firefox is vulnerable to an arbitrary command execution issue due to a startup shell script supplied with the application that does not employ sanitization of user-supplied data passed through a URL. Mozilla Firefox version 1.0.6 and Mozilla Browser version 1.7.x are reported to be vulnerable.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=307185 http://www.mozilla.org/products/firefox/releases/1.0.7.html
(2) HIGH: FireFox, Mozilla and Thunderbird Remote Command Injection
Affected: On UNIX platforms:
Mozilla Firefox 1.0.6 and prior
Mozilla Suite 1.7.11 and prior
Thunderbird 1.0.6 and prior
Description: This vulnerability in Mozilla/FireFox browsers and Thunderbird email client can be exploited to execute arbitrary commands on UNIX systems. The problem occurs when a URL containing "backtick" is passed as an argument to Mozilla, Firefox or Thunderbird. For instance, issuing a command "firefox http://local\`ls`\" will result in the execution of the 'ls' command. Systems using Mozilla/Firefox as default browsers and Thunderbird as default email client are at a higher risk as visiting a malicious webpage may result in the execution of attacker specified commands.
Status: Updates have been released to address this issue for Mozilla and Firefox.
Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. Most reported that no action was necessary. A few sites have advised the users to upgrade to the latest version. One site plans to distribute patches during their next regularly scheduled system update process.
References:
Mozilla Bugzilla Entry https://bugzilla.mozilla.org/show_bug.cgi?id=307185
Secunia Advisory (discovered by Peter Zelezny) http://secunia.com/advisories/16869
SecurityFocus BID http://www.securityfocus.com/bid/14888
There is an advisory for RHEL, entitled "Critical: mozilla security update" https://rhn.redhat.com/errata/RHSA-2005-789.html mozilla-1.7.12 is used as a base for those updates.
The issue mentioned in comment 3 AFAICT does not affect RHL mozilla, as the packages ship with RHL's own mozilla script. I'll check the diffs between RHEL's mozilla update and the one I built.
Yeah, my mozilla package (above) seems to be sufficient.. There are obviously tons of other packages to fix [all the other OS versions, and packages depending on mozilla :-(]. I don't have build systems for those, but if anyone wants to push them out, I'm more than willing to do PUBLISH QA.
I ended up doing on RH7.3 roughly the same as Pekka in comment #2; but I did a cross between the just-released mozilla-1.7.12-1.3.1 from FC3 updates and older Legacy packages. That, in particular, means that patches 103, 104, 105 and 107 from FC3 sources were applied too. Resulting binaries do work just fine.
I believe all of these are fixed in 1.7.12, but FYI:
05.39.17 CVE: CAN-2005-2704
Platform: Cross Platform
Title: Mozilla Browser/Firefox DOM Objects Spoofing Vulnerability
Description: Mozilla and Firefox are prone to a DOM object spoofing issue that is exposed through an XBL control that uses <implement> for an internal interface. A remote attacker could potentially exploit this issue to gain elevated privileges. Please refer the link below for a list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/14921/info
______________________________________________________________________
05.39.18 CVE: CAN-2005-2703
Platform: Cross Platform
Title: Mozilla Browser/Firefox XMLHttp Header Spoofing
Description: Mozilla and Firefox browsers are vulnerable to XMLHttp header spoofing due to insufficient sanitization of user-supplied input to the headers of the XMLHttpRequest. Firefox versions 1.0.6, Mozilla Suite versions 1.7.11 and earlier are reported to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________
05.39.19 CVE: Not Available
Platform: Cross Platform
Title: Multiple Browser Proxy Auto-Config Script Handling Remote Denial of Service
Description: Multiple browsers are affected by a remote denial of service vulnerability due to a design error in the browser processing a proxy auto-config (PAC) script containing an "eval()" statement. Firefox versions 1.0.6 and earlier, Netscape Browser versions 8.0.3.3, and Mozilla versions 1.7.11 and earlier are affected by this issue.
Ref: http://www.securityfocus.com/bid/14924
______________________________________________________________________
05.39.20 CVE: CAN-2005-0215
Platform: Cross Platform
Title: Mozilla Browser/ Firefox XBM Image Processing Heap Overflow
Description: Mozilla and Firefox web browsers are vulnerable to a heap overflow issue when processing malformed XBM images with a space character as the terminator. Firefox versions 1.0.6 and Mozilla versions 1.7.11 and earlier are vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________
05.39.21 CVE: CAN-2005-2705
Platform: Cross Platform
Title: Mozilla Browser/Firefox Unspecified JavaScript Engine Integer Overflow
Description: Mozilla and Firefox are affected by an unspecified integer overflow vulnerability in their JavaScript engine due to insufficient boundary checking prior to copying user-supplied data into sensitive process buffers. Netscape versions 7.2, Netscape Browser versions 8.0.3.3, Mozilla Firefox versions 1.0.6 and earlier are affected.
Ref: http://www.securityfocus.com/bid/14917
______________________________________________________________________
05.39.22 CVE: CAN-2005-2702
Platform: Cross Platform
Title: Mozilla Browser/Firefox Zero-Width Non-Joiner Stack Corruption
Description: Mozilla and Firefox are prone to a stack corruption vulnerability. This issue occurs when Unicode sequences are used with zero-width non-joiner characters. Successful exploitation could result in arbitrary code execution in the security context of the user running the browser.
Ref: http://www.securityfocus.com/bid/14918/references
______________________________________________________________________
05.39.23 CVE: CAN-2005-2707
Platform: Cross Platform
Title: Mozilla Browser/Firefox Chrome Window Spoofing
Description: Mozilla and Firefox browsers are prone to a window spoofing vulnerability. An error in the creation of windows can be exploited by opening a window from a reference to a closed window to create a blank "chrome" canvas. The resulting window is missing certain security mechanisms designed to protect against phishing attacks, such as the address bar and the status bar. Mozilla Firefox versions 1.0.6 and earlier and Mozilla Browser versions 1.7.11 and earlier are affected.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html
______________________________________________________________________
05.39.24 CVE: CAN-2005-2706
Platform: Cross Platform
Title: Mozilla Browser/Firefox Chrome Page Loading Restriction Bypass
Description: Mozilla Browser/Firefox are prone to a potential arbitrary code execution weakness. This issue allows an attacker to bypass restrictions associated with loading privileged "chrome" pages.
Ref: http://www.securityfocus.com/bid/14920
(1) HIGH: Mozilla, Firefox, Netscape Browsers Multiple Vulnerabilities
Affected:
Firefox versions 1.0.6 and prior
Mozilla versions 1.7.11 and prior
Netscape version 8.x
Description: Mozilla, Firefox and Netscape browsers contain the following vulnerabilities that can be exploited by a malicious webpage to compromise a user's system.
(a) The function that processes XBM (X-Bitmap) images contains a heap-based overflow that can be triggered by an XBM image ending with a "space" character rather than the end tag. According to the discoverer, the flaw can be exploited to execute arbitrary code.
(b) Unicode processing of certain sequences leads to a stack-based overflow that can be exploited to execute arbitrary code.
(c) The JavaScript Engine contains an integer overflow that can be exploited to execute arbitrary code.
(d) The unprivileged "about:" page can load a privileged "chrome:" page under certain conditions. This flaw combined with another cross-zone flaw could result in the execution of arbitrary code.
The Mozilla bugzilla contains technical details required to leverage these flaws.
Status: Mozilla Foundation has released version 1.0.7 for Firefox and 1.7.12 for Mozilla browsers. In addition to the above mentioned high severity bugs, the newer versions also fix certain spoofing bugs. No updates are available for Netscape.
Council Site Actions: Most of the council sites responded that they do not officially support these browsers however they are in use at their sites. Most of these sites feel their users are clue-full enough to keep up-to-date with the patches or they have notified the known users. One of the reporting council sites updated most of their systems earlier this week and will rely on the remaining systems to be updated by the users. Another council site has posted the updated versions on its software mirror.
References:
Mozilla Advisory http://www.mozilla.org/security/announce/mfsa2005-58.html
SecurityFocus BIDs
http://www.securityfocus.com/bid/14916
http://www.securityfocus.com/bid/14917
http://www.securityfocus.com/bid/14918
http://www.securityfocus.com/bid/14920
http://www.securityfocus.com/bid/14919
http://www.securityfocus.com/bid/14923
http://www.securityfocus.com/bid/14921
Created attachment 119574
Mozilla bug cross-reference table
This issue has so many doggone different bugs, my eyes were crossing trying to figure them all out. So I created this handy-dandy little table with all relevant information on each of the security issues, presented in the same order that they were introduced in this bug report. Has hyperlinks everywhere for more info, and links to all .src.rpm packages Red Hat produced. Hope this helps.
Thanks for putting all the info down in a concise form. We'd now just need work on the packages.. which seems to be the hard part for all the distros :-/
You're welcome. Speaking of working on packages, has anyone noticed when building Mozilla that it comes up with a lot of compiler warnings? (No errors, though?) Also, after building, do you find that the source tree with all the .o, .a and .so files takes up like 1.3 gigs of disk space?
Michal, regarding Comment #7: Why don't you post your RH7.3 .src.rpm package so we can do QA on it? Thanks!
Since RH9's and RH7.3's galeon depends on Mozilla, will those .src.rpm's also need to be submitted for QA? It looks like Marc submitted these for source QA last time:
7.3:
7.3/mozilla-1.7.10-0.73.1.legacy.src.rpm
7.3/galeon-1.2.14-0.73.4.legacy.src.rpm
9:
9/mozilla-1.7.10-0.90.1.legacy.src.rpm
9/galeon-1.2.14-0.90.4.legacy.src.rpm
fc1:
1/mozilla-1.7.10-1.1.1.legacy.src.rpm
1/epiphany-1.0.8-1.fc1.4.legacy.src.rpm
fc2:
2/mozilla-1.7.10-1.2.1.legacy.src.rpm
2/devhelp-0.9.1-0.2.8.legacy.src.rpm
2/epiphany-1.2.10-0.2.5.legacy.src.rpm
I hope to have FC1 .src.rpm packages for QA within a day or two... Will do mozilla and epiphany packages for your QA'ing pleasure. :-)
I couldn't find 7.3/galeon-1.2.14-0.73.4.legacy.src.rpm.. for some reason, it wasn't in the updates directory.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 FYI, I've also recompiled mozilla .src.rpm for RHL73, as well as galeon for both RHL73 and RHL9 as well, at: http://staff.csc.fi/psavola/fl/ I can do the rest [for FC1 and FC2] if folks want as well EXCEPT for epiphany .src.rpm's because the patch may need adjusting to fit, I fear. d06ceeb8db688c3a5f2699a2be0ac2a06fc8b39f galeon-1.2.14-0.73.4.legacy.src.rpm 87fa74b6765d1caa3d2a968208b2645c2688653a galeon-1.2.14-0.90.5.legacy.src.rpm d1a266f9df4aeb8b1965664975af8f275fa0804c mozilla-1.7.12-0.73.1.legacy.src.rpm e891a035896b5550e92af244fb1c8e27ed7d969b mozilla-1.7.12-0.90.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDQ7ThGHbTkzxSL7QRAkTyAJkBa6BlYXFJ73jCZQh1HZHnD40m0gCgpFLI W6j6DYa37BH0GjO8WbLscrY= =m4hk -----END PGP SIGNATURE-----
galeon-1.2.14-0.73.4.legacy.src.rpm can be found: http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.src.rpm It was mis-filed.
In comment #11 David Eisenstein wrote:
> Michal, regarding Comment #7: Why don't you post your RH7.3 .src.rpm package
> so we can do QA on it? Thanks!
I cannot guarantee that a system on which I compiled that had only "standard 7.3" libraries, although binaries definitely do work for me somewhere else too. Packages are also not signed. If that is really desired I can make those packages available but only in a few days. I will note that in a comment then.
(In reply to comment #12 by Pekka)
> <snip>
> I can do the rest [for FC1 and FC2] if folks want as well EXCEPT for epiphany
> .src.rpm's because the patch may need adjusting to fit, I fear.
I already have a FC1 mozilla .src.rpm and have built the .i386.rpm's. I can do epiphany also for FC1. Am just taking a little time to check that everything is okay with the new packages (I would like to install and run it at least a few hours, perhaps check a few vulnerabilities) before submitting the .src.rpm's here for QA. If you want to create FC2 .src.rpm(s), that would be cool! Thanks, Pekka! :)
In Comment #14 Michal Jaegermann wrote:
> In comment #11 David Eisenstein wrote:
> > Michal, regarding Comment #7: Why don't you post your RH7.3 .src.rpm
> > package so we can do QA on it? Thanks!
> I cannot guarantee that a system on which I compiled that had only
> "standard 7.3" libraries although binaries definitely do work for me
> somewhere else too. Packages are also not signed. If that is really
> desired I can make those packages available but only in few days. I
> will note that in a comment then.
My understanding is that at this stage of QA, only the .src.rpm's need be made available for QA. One can also make the binary rpm's available as well, as a convenience for people who want to download & try them pre-updates-testing, but it's not strictly necessary. Since Pekka has already stepped up to propose 7.3 .src.rpm's, I guess what will be needed more is QA on the packages he submitted. Would you be willing to do that in a few days instead, at least on the RH7.3 .src.rpm's? That would be great help!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OK, here are packages for FC2; epiphany patch update was done with pure luck, so I hope it works (I didn't even test recompilation, I hope someone else will).. At: http://staff.csc.fi/psavola/fl/ d09afc781a7244ecc8a04303cca84a2c21e7bdb0 devhelp-0.9.1-0.2.9.legacy.src.rpm 4bb39a9ec03dbe0f625a8d0c70265d234d82ba45 epiphany-1.2.10-0.2.6.legacy.src.rpm b8370aa81f86996536a30b04c77b875db69bb6b6 mozilla-1.7.12-1.2.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDRNHjGHbTkzxSL7QRAifnAJ9mxHYmG1fwf0W4vSKMueC3GWRSSACfdDbV uGcL+/m+gF+45I3te0wzOUs= =nkok -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1) QA for RH9 mozilla: e891a035896b5550e92af244fb1c8e27ed7d969b mozilla-1.7.12-0.90.1.legacy.src.rpm * tarball mozilla-1.7.12-source.tar.bz2 has a good pgp signature from upstream mozilla downloading site. * No changes to patches from mozilla-1.7.10-0.90.1.legacy.src.rpm. * mozilla.spec changes very minimal. 2) QA for RH9 galeon: 87fa74b6765d1caa3d2a968208b2645c2688653a galeon-1.2.14-0.90.5.legacy.src.rpm * tarball galeon-1.2.14.tar.gz same as in 1.2.4-0.90.4.legacy * Patches are the same * galeon.spec changes minimal * RHEL2.1 distro uses same version & has same patches and very similar spec-file. PUBLISH++ RH9 mozilla, galeon -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFDSPwYxou1V/j9XZwRAvThAJ0TPZ9+A5WIWgmOlOUymxpPtTPU4ACfd3J5 JslkIGS3xLRcHvSc8N/i1T0= =8F4O -----END PGP SIGNATURE-----
Here are mozilla, epiphany packages for FC1 to QA. Download from http://fedoralegacy.org/contrib/mozilla/
Apologies that it took so long. ftp://ftp.harddata.com/pub/Legacy_srpms/mozilla-1.7.12-0.73.1.legacy.src.rpm ftp://ftp.harddata.com/pub/Legacy_srpms/galeon-1.2.14-0.73.5.legacy.src.rpm are at this moment packages I am using on RH7.3. In 'pub/Legacy_srpms/i386' one can find recompiled i386 binaries. Not signed in any way.
FYI, in the FC1 mozilla .src.rpm submitted for QA in comment 19, I took the mozilla-1.7.12-source.tar.bz2 tarball from the RHEL 3 .src.rpm. It is not exactly the same as the mozilla-1.7.12-source.tar.bz2 published at mozilla's download site. But I assume if it's good enough for RHEL 3, it certainly is good enough for our needs! :-) The RHEL 3 .src.rpm from which I extracted the source tarball is at: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mozilla-1.7.12-1.1.3.2.src.rpm or any of its fine mirrors. Also, the epiphany-1.0.8 I built works *mostly* on my machine. However, there is a segfault very shortly after clicking on the dialog box that pops up when clicking on a link that the browser doesn't know how to handle, that prompts to <Open>, <Cancel> or <Save to Disk>. (The segfault happens after choosing a file to save it to after clicking the <Save to Disk> button.) I suspect that the underlying Mozilla API changed in some recent version of Mozilla. I haven't gotten far yet with the onerous process of trying to run epiphany in the gdb debugger with Mozilla and epiphany debug packages installed. (I'm needing to upgrade my computer's memory, because I think Mozilla's symbol tables in gdb eat up all the core.) This bug may well have existed in the epiphany-1.0.8 that shipped with our release of Mozilla-1.7.10 in August. I haven't tried downgrading to that version to test that theory, however. Have been in touch with Christopher Aillon of RedHat for his take on the matter, and his suggestion was to touch base with the Epiphany developers through irc.gimp.org on channel #epiphany. (Chris, I hope you don't mind if I add you to the cc on this issue.) In the meantime, the workaround I use is if I click on a link the browser doesn't know how to handle, upon restart of the epiphany browser, I right-click and select "Save to disk" from the right-click menu. That works without killing epiphany. If anyone has any ideas or further insight on this matter, I'm game.
The epiphany 1.0.8 problem could have come from the ugly patch I added to make it work with Mozilla 1.7.x a while ago. Could you test an earlier legacy release to see if it has been broken for a long time?
Yeah, if it was broken before, I think the only thing we could (reasonably) do is try upgrading epiphany..
We can't upgrade epiphany. Newer versions have newer library requirements. We could just fix the patch I made. :)
Marc, did you ask me in comment 22 if I would test a previous FL release of mozilla to see if the same epiphany bug in FC1 exists in a previous version? I can do that, and could report on whether or not epiphany segfaults in the same way on a previous version of Mozilla, but I am not sure how that would help? Let me know if you really need me to do this, because it is a pain for me to downgrade Mozilla as I only have one computer available to me with one installation of Fedora, which I use all the time, using Mozilla.
This bug ticket ought to be completed and put to bed soon, since it has been open for so long and it has some issues deemed critical, if I recall correctly. I don't want to be responsible for holding up completion of this bug ticket.
Suggestion: If we cannot resolve the FC1 epiphany issue within, say, a couple of more weeks, my inclination is to let it slide with a statement that "this is a known bug" and/or with a statement that we (of necessity) are having to decommit support for epiphany for FC1, as fixing this old version of epiphany would be too time-consuming when we have many other pressing issues to tend to, suggesting that users use Mozilla instead....
In the meantime, to progress, we still need:
* publish QA for RH7.3 (submitted in comment 12)
* publish QA for FC2 (submitted in comment 17)
* publish QA for FC1 (submitted in comment 19 -- along with our decision what to do/to not do with Epiphany for FC1).
Michal, would you be willing to do publish QA the RH7.3 submission, especially since you have your own sources to compare it to?
We shouldn't hold this up because of epiphany. If someone uses it enough to care, they should open a separate bug and I'll handle it there.
OK.. I can't do publishes except for FC1 so here goes.. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for FC1 w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - patches OK +PUBLISH FC1 b28552deea9601f08b79f982045a8aa956853be7 mozilla-1.7.12-1.1.1.legacy.src.rpm cdf38ab812243ade2efb419b8253f18a5d738fb3 epiphany-1.0.8-1.fc1.5.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDd3y5GHbTkzxSL7QRAu1YAJ4+KMtF6X1nDKlcZT+fIRFuxv5kwgCgsv/I zLitjfndd6VZhvUf+7E8LO8= =iEaH -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1) QA for RH7.3 mozilla: d1a266f9df4aeb8b1965664975af8f275fa0804c mozilla-1.7.12-0.73.1.legacy.src.rpm * tarball mozilla-1.7.12-source.tar.bz2 has a good pgp signature from upstream mozilla downloading site. * No changes to patches from mozilla-1.7.10-0.73.1.legacy.src.rpm. * mozilla.spec changes very minimal. 2) QA for RH7.3 galeon: d06ceeb8db688c3a5f2699a2be0ac2a06fc8b39f galeon-1.2.14-0.73.4.legacy.src.rpm * This source tarball should have been named galeon-1.2.14-0.73.5, but this can be taken care of at build time. * tarball galeon-1.2.14.tar.gz same as in (the original) galeon-1.2.14-0.73.4.legacy.src.rpm * Patches are the same * galeon.spec changes minimal; however, the rpm-build-compare output shows a couple of lines missing from the original 1.2.14-0.73.4.legacy published on Jul 27th. %changelog - -* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers> 1.2.14-0.73.4.legacy - -- Rebuild against mozilla 1.7.10 +* Wed Oct 5 2005 Pekka Savola <pekkas> 1.2.14-0.73.4.legacy +- Rebuild against mozilla 1.7.12 This is understandable since you couldn't find the original, and, again, this can be taken care of at build time. * RHEL2.1 distro uses same version & has same patches and very similar spec-file. PUBLISH++ RH7.3 mozilla, galeon -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFDhsztxou1V/j9XZwRAmChAKCIVQjQQZsGHwSX9wr5IykBFHTisQCgoJfW vBrlosnA6fRbo1XCFNiAcv8= =RezI -----END PGP SIGNATURE-----
Thanks!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1) QA for FC2 devhelp: d09afc781a7244ecc8a04303cca84a2c21e7bdb0 devhelp-0.9.1-0.2.9.legacy.src.rpm * all files the same as in the previous version * spec-files changes minimal 2) QA for FC2 mozilla: b8370aa81f86996536a30b04c77b875db69bb6b6 mozilla-1.7.12-1.2.1.legacy.src.rpm * tarball mozilla-1.7.12-source.tar.bz2 has a good pgp signature from upstream mozilla downloading site. Source integrity good. * No changes to patches from mozilla-1.7.10-0.73.1.legacy.src.rpm. * mozilla.spec changes very minimal. 3) QA for FC2 epiphany: * Uses same source files and patches, except for one patch to bump the version of mozilla this epiphany is to depend on. * The epiphany-1.2.10-moz1712.patch looks reasonable. * spec-file changes minimal. PUBLISH++ FC2 devhelp, mozilla, epiphany -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFDhtK2xou1V/j9XZwRAkLaAJ9DC+CSRoZLtD58eXgSq+tIrUMSoQCfWHhf K5g77pqcCFp7013w674j0zs= =6idT -----END PGP SIGNATURE-----
Great!
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The QA for FC2 epiphany above should have had my calculated sha1sum for the package. 4bb39a9ec03dbe0f625a8d0c70265d234d82ba45 epiphany-1.2.10-0.2.6.legacy.src.rpm PUBLISH++ FC2 epiphany -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQFDhtw4xou1V/j9XZwRAlJpAKCUZwE/eJxlEFS+N9PEMwoFDhR2EACgiI2k vzimX0mA/CuEmYEYPqDksLU= =dTbk -----END PGP SIGNATURE-----
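The QA messages in this thread pair SHA-1 sums with package names inside a clearsigned block. The Python below is an added example, not from any commenter and not Fedora Legacy tooling: it reads digest/name pairs from the signed region only, undoes dash-escaping, and compares each listed file in a directory. It does not verify the OpenPGP signature itself (that remains a job for gpg), and the file names, contents and message are constructed.

```python
"""Check package files against the SHA-1 list inside a clearsigned message."""
import hashlib
import re
import tempfile
from pathlib import Path

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
ENTRY = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")  # "<sha1>  <file name>"


def signed_text(message):
    """Return the cleartext lines covered by the signature, dash-escaping undone.

    Raises ValueError if either armor marker is absent.
    """
    lines = message.splitlines()
    start = lines.index(BEGIN_MSG) + 1
    end = lines.index(BEGIN_SIG)
    # Armor headers such as "Hash: SHA1" run up to the first empty line.
    while start < end and lines[start].strip():
        start += 1
    body = lines[start + 1:end]
    # Lines that began with "-" were sent as "- -..."; strip the escape prefix.
    return [ln[2:] if ln.startswith("- ") else ln for ln in body]


def manifest(message):
    """Map file name -> expected SHA-1, using signed lines only."""
    entries = {}
    for line in signed_text(message):
        match = ENTRY.match(line.strip())
        if match:
            entries[match.group(2)] = match.group(1)
    return entries


def sha1_of(path):
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check(message, directory):
    """Return {name: 'ok' | 'MISMATCH' | 'missing'} for every listed file."""
    results = {}
    for name, expected in manifest(message).items():
        path = Path(directory) / Path(name).name  # stay inside directory
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha1_of(path) == expected else "MISMATCH"
    return results


def demo():
    """Run check() on constructed files and a constructed message."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "example-1.0-1.legacy.src.rpm")
        bad = Path(tmp, "example-devel-1.0-1.legacy.src.rpm")
        good.write_bytes(b"package payload A")
        bad.write_bytes(b"package payload B")
        message = "\n".join([
            BEGIN_MSG, "Hash: SHA1", "",
            "Packages for QA:",
            f"{sha1_of(good)}  {good.name}",
            f"{sha1_of(bad)}  {bad.name}",
            f"{'0' * 40}  example-doc-1.0-1.legacy.src.rpm",
            "- -* dash-escaped changelog line",
            BEGIN_SIG, "(signature data omitted)", "-----END PGP SIGNATURE-----",
            # Text after the signature is not covered by it and must be ignored.
            f"{'f' * 40}  appended-after-signature.src.rpm",
        ])
        bad.write_bytes(b"payload changed after signing")
        return signed_text(message), check(message, tmp)


if __name__ == "__main__":
    for name, status in demo()[1].items():
        print(f"{status:8}  {name}")
```

Run `gpg --verify` on the message first; the digest comparison only means something once the signature on the list has been checked.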
Packages were pushed to updates-testing
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for RHL9. Signatures OK. Basic browsing seems to work fine. Java applets also continue to work fine. +VERIFY RHL9 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFDl9u3GHbTkzxSL7QRAmVbAJ9QnPi0wA1dZnwdRmDe7EKnIOgBJACdF43+ LLqzZgWxp1nfoSGpqwi3/8A= =3pUK -----END PGP SIGNATURE----- Timeout in 4 weeks.
Timeout over.
Packages were released to updates.