Bug 168375 - mozilla, galeon, epiphany - CAN-2005-2871 security hole in IDN handling
Summary: mozilla, galeon, epiphany - CAN-2005-2871 security hole in IDN handling
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: mozilla
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: 1,2, rh90, rh73
Depends On:
Blocks:
 
Reported: 2005-09-15 14:53 UTC by Michal Jaegermann
Modified: 2007-04-18 17:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-10 01:17:58 UTC
Embargoed:


Attachments
Mozilla bug cross-reference table (12.46 KB, text/html)
2005-10-04 02:01 UTC, David Eisenstein

Description Michal Jaegermann 2005-09-15 14:53:12 UTC
Description of problem:

A new vulnerability, deemed "critical", showed up identified as CAN-2005-2871.
See, for example, https://rhn.redhat.com/errata/RHSA-2005-769.html.
One more additional patch, named firefox-307259-branch.patch in
mozilla-1.7.10-1.1.3.2.src.rpm, is needed to close that hole.  This patch
applies in a straightforward manner to current legacy updates based on 1.7.10.

The same patch is also used in mozilla-1.7.10-1.3.2.src.rpm from FC3 updates
and mozilla recompiles after adding it without any issues (at least on an RH7.3
installation).  Resulting binaries work or you are not reading that. :-)

Another way to temporarily step around the issue is to follow an advisory from
Mozilla and set 'network.enableIDN' to false on the 'about:config' screen of
unpatched browsers. The same can be done, separately, both for mozilla and
galeon (and more precisely - the patch affects libraries which are used
by galeon too, so there is no galeon-specific change, and it is not clear
to me what is required by epiphany).

Version-Release number of selected component (if applicable):
mozilla-1.7.10-0.<distro_tag>

Comment 1 John Dalbec 2005-09-21 14:33:47 UTC
The SANS @RISK digest says:

05.37.18 CVE: CAN-2005-2871
Platform: Cross Platform
Title: Mozilla/Netscape/Firefox Browsers Domain Name Remote Buffer
Overflow
Description: Mozilla, Netscape and Firefox are Web browsers that are
based on the Gecko engine. They are reported prone to a remote buffer
overflow vulnerability caused when an affected browser handles a
malformed URI containing a domain name consisting of "-" characters.
Firefox versions 1.0.6 and 1.5 Beta 1 are vulnerable to this issue.
Mozilla version 1.7.11, Netscape versions 8.0.3.3 and 7.2 are affected
as well.
Ref: http://www.securityfocus.com/bid/14784

(1) CRITICAL: Gecko based browsers IDN URI Domain Name Buffer Overflow

Affected:
FireFox 1.0.6 and prior
FireFox 1.5 Beta 1(Deer Park Alpha 2)
Netscape 7.x and 8.x
Mozilla Suite 1.7.11 and prior

Description: International Domain Names (IDN) are domain names, or web
addresses, represented by local language characters, utilizing non-ASCII
characters. Browsers like FireFox, Netscape, i.e. Gecko (web browser
layout engine) based browsers are vulnerable to a heap based buffer
overflow when parsing certain IDN encoded URIs. An attacker could
entice a user to view an HTML document with a malformed hyperlink,
containing a long string of ONLY Unicode "soft hyphens" (U+00AD or hex
AD) as the domain name in the URI and thus cause a DoS or execute
arbitrary code on the affected system.

Status: Mozilla Foundation has issued a patch and also has a quick fix
by manually configuring the browser to disable IDN.

Council Site Actions: The reporting council sites using the affected
software plan to distribute the patch during their next regularly
scheduled system update process or remove Netscape 7.x from their
desktops since they recently implemented an ActiveX filtering solution
and no longer need an alternate browser on their desktop.

References:
Discovered by Tom Ferris 
http://www.security-protocols.com/advisory/sp-x17-advisory.txt

SecurityFocus BID
http://www.securityfocus.com/bid/14784

Fix for IDN Buffer Overflow
https://addons.mozilla.org/messages/307259.html

CERT Advisory
http://www.kb.cert.org/vuls/id/573857

Secunia Advisories
http://secunia.com/advisories/16764
http://secunia.com/advisories/16766

Comment 2 Pekka Savola 2005-09-22 11:31:35 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
FWIW, here are mozilla SRPM and RPMs for RHL9.  I just took the latest
mozilla version we shipped and upgraded to 1.7.12.
 
Available at http://staff.csc.fi/psavola/fl/
 
42aad8d3abe35d751944dc0c4bdc7cf29b4bf3aa  mozilla-1.7.12-0.90.1.legacy.i386.rpm
0716783ed2e9c0884111e977197080b2bbc85b38  mozilla-chat-1.7.12-0.90.1.legacy.i386.rpm
c5a41314508370bd87046f62b845222de8c79957 
mozilla-debuginfo-1.7.12-0.90.1.legacy.i386.rpm
856619a7e8f90e032f17a6572bff82e5e30c423a 
mozilla-devel-1.7.12-0.90.1.legacy.i386.rpm
aca288cb2caafc4660d254185dc5003b5ca06a4e 
mozilla-dom-inspector-1.7.12-0.90.1.legacy.i386.rpm
d680dacdb9919f96c16eb084c4825f4ca5be26af 
mozilla-js-debugger-1.7.12-0.90.1.legacy.i386.rpm
a672656db30986cd76be16c00a3457a500b5db1f  mozilla-mail-1.7.12-0.90.1.legacy.i386.rpm
7d37ca754f63a8c188c6900bdd1f5f1c44b4aeaa  mozilla-nspr-1.7.12-0.90.1.legacy.i386.rpm
e3bfb52e6f24f20b5eb676551014a4d6005d9c0e 
mozilla-nspr-devel-1.7.12-0.90.1.legacy.i386.rpm
6d8f3d4c4a5b551b25c8b3ecc43f6de43bfc60bf  mozilla-nss-1.7.12-0.90.1.legacy.i386.rpm
5e06059d327b3ad57b1bc46d152ad84dc06fb4fb 
mozilla-nss-devel-1.7.12-0.90.1.legacy.i386.rpm
e891a035896b5550e92af244fb1c8e27ed7d969b  mozilla-1.7.12-0.90.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDMpZKGHbTkzxSL7QRAh0GAJwMaXgLPmTHrPBfwcA2K8OtCeiXuQCgwTt8
UFPrMvDgtL7d6jIvedFleqI=
=MZcz
-----END PGP SIGNATURE-----
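
The QA in this ticket (comments 18, 27, 28 and 30 below) amounts to taking the SHA-1 sums posted in a clearsigned comment and checking the downloaded .src.rpm files against them. The script below is an added example, not something from the thread or from the Fedora Legacy tooling: it recovers the `<sha1>  <file>` entries from a clearsigned message, including entries that mail wrapping split across two lines as in the list above and in comment 19, and the `- ` dash-escaping that clearsign applies to lines starting with a dash (visible in the changelog diff quoted in comment 28), then feeds them to `sha1sum -c`. The package names, message text and fake signature block in `make_demo` are constructed for the demo; `gpg --verify` of the real message is a separate step that this script does not replace.

```shell
#!/bin/sh
# Added example (not from this ticket or the Fedora Legacy tooling).
# Recovers "<sha1>  <file>" entries from a clearsigned QA message and
# checks them against files on disk with sha1sum -c.

# extract_sums MESSAGE
# Prints one "<sha1>  <file>" line per entry found in the signed body.
# Handles two things seen in this thread: entries wrapped onto two lines
# (hash on one line, file name indented on the next) and clearsign's
# "- " escaping of body lines that begin with a dash.
extract_sums() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----/ { hdr = 1; next }
        hdr && /^[ \t]*$/ { hdr = 0; body = 1; next }   # blank line ends the armor header
        hdr { next }
        /^-----BEGIN PGP SIGNATURE-----/ { body = 0 }
        !body { next }                                   # ignore everything outside the signed body
        { sub(/^- /, "") }                               # undo dash-escaping
        pending != "" && NF == 1 { print pending "  " $1; pending = ""; next }
        { pending = "" }
        NF == 1 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { pending = $1; next }
        NF == 2 && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { print $1 "  " $2 }
    ' "$1"
}

# verify_posted_sums MESSAGE DIR
# Exit status 0 only if every listed file exists in DIR with a matching SHA-1.
# An empty entry list makes sha1sum -c fail, so an unsigned message fails closed.
verify_posted_sums() {
    [ -d "$2" ] || { echo "no such directory: $2" >&2; return 2; }
    extract_sums "$1" | (cd "$2" && sha1sum -c -)
}

# make_demo
# Builds a throwaway directory with three constructed package files and a
# clearsigned-looking message listing them (the signature block is fake text,
# so this exercises the parser, not gpg). Prints the directory path.
make_demo() {
    d=$(mktemp -d)
    printf 'alpha\n' > "$d/mozilla-demo-1.src.rpm"
    printf 'beta\n'  > "$d/galeon-demo-1.src.rpm"
    printf 'gamma\n' > "$d/epiphany-demo-1.src.rpm"
    s1=$(sha1sum "$d/mozilla-demo-1.src.rpm"  | cut -d' ' -f1)
    s2=$(sha1sum "$d/galeon-demo-1.src.rpm"   | cut -d' ' -f1)
    s3=$(sha1sum "$d/epiphany-demo-1.src.rpm" | cut -d' ' -f1)
    {
        printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----'
        printf '%s\n' 'Hash: SHA1'
        printf '\n'
        printf '%s\n' 'FYI, here are the packages (constructed demo message).'
        printf '\n'
        printf '%s  mozilla-demo-1.src.rpm\n' "$s1"
        printf '%s\n' "$s2"                       # wrapped entry: file name on the next line
        printf '\t\tgaleon-demo-1.src.rpm\n'
        printf '%s\n' '- - Rebuilt, see changelog'  # dash-escaped line, not an entry
        printf '%s  epiphany-demo-1.src.rpm\n' "$s3"
        printf '%s\n' '-----BEGIN PGP SIGNATURE-----'
        printf '%s\n' 'Version: demo'
        printf '\n'
        printf '%s\n' 'notarealsignatureblock=='
        printf '%s\n' '-----END PGP SIGNATURE-----'
    } > "$d/posted.txt"
    echo "$d"
}

# demo: verify the constructed set, then tamper with one file and verify again.
demo() {
    d=$(make_demo)
    extract_sums "$d/posted.txt"
    verify_posted_sums "$d/posted.txt" "$d" && echo 'all sums match'
    printf 'x\n' >> "$d/galeon-demo-1.src.rpm"
    verify_posted_sums "$d/posted.txt" "$d" || echo 'tampered file detected'
}

if [ "${1-}" = demo ]; then demo; fi
```

Saved as, say, verify-posted-sums.sh (a name assumed here), `sh verify-posted-sums.sh demo` shows both the matching and the tampered case. Anything outside the signed body (armor headers, the signature block, or a comment that was never clearsigned) is ignored, and an empty result makes `sha1sum -c` exit non-zero, so the check fails closed.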


Comment 3 John Dalbec 2005-09-23 19:29:17 UTC
05.38.16 CVE: CAN-2005-2968
Platform: Cross Platform
Title: Mozilla Browser/Firefox Command Execution
Description: Mozilla Browser/Firefox is vulnerable to an arbitrary
command execution issue due to a startup shell script supplied with
the application that does not employ sanitization of user-supplied
data passed through a URL. Mozilla Firefox version 1.0.6 and Mozilla
Browser version 1.7.x are reported to be vulnerable.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=307185 
http://www.mozilla.org/products/firefox/releases/1.0.7.html    

(2) HIGH: FireFox, Mozilla and Thunderbird Remote Command Injection
Affected:
On UNIX platforms:
Mozilla Firefox 1.0.6 and prior
Mozilla Suite 1.7.11 and prior
Thunderbird 1.0.6 and prior

Description: This vulnerability in Mozilla/FireFox browsers and
Thunderbird email client can be exploited to execute arbitrary commands
on UNIX systems. The problem occurs when a URL containing "backtick" is
passed as an argument to Mozilla, Firefox or Thunderbird. For instance,
issuing a command "firefox http://local\`ls`\" will result in the
execution of the 'ls' command. Systems using Mozilla/Firefox as default
browsers and Thunderbird as default email client are at a higher risk
as visiting a malicious webpage may result in the execution of attacker
specified commands.

Status: Updates have been released to address this issue for Mozilla and Firefox.

Council Site Actions:  The affected software and/or configuration are
not in production or widespread use, or are not officially supported at
any of the council sites. Most reported that no action was necessary. A
few sites have advised the users to upgrade to the latest version. One
site plans to distribute patches during their next regularly scheduled
system update process.

References:
Mozilla Bugzilla Entry
https://bugzilla.mozilla.org/show_bug.cgi?id=307185
Secunia Advisory (discovered by Peter Zelezny)
http://secunia.com/advisories/16869 
SecurityFocus BID
http://www.securityfocus.com/bid/14888 
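
The backtick issue in comment 3 (CAN-2005-2968) comes down to a launcher script that rebuilds its command line from the URL and hands it back to the shell. The script below is an added example and is not the Mozilla or Red Hat launcher script: `launch_unsafe` shows that pattern with `eval`, `launch_safe` passes the URL through as a single quoted argument, and a shell function `fake_browser` stands in for the real binary so that nothing is launched. The sample URL is constructed; the only thing its embedded substitution does is echo a marker.

```shell
#!/bin/sh
# Added example (not the Mozilla or Red Hat launcher script).
# Shows why a URL must never be re-parsed by the shell on its way to the
# browser, and what the hardened form looks like.

# Stand-in for the real browser binary: reports the one argument it received.
fake_browser() {
    printf 'opening [%s]\n' "$1"
}

# Unsafe: the URL is spliced into a string that eval re-parses, so backticks,
# $(...), ';' and '|' inside it are interpreted. This is the defect class
# described in comment 3. Do not use this pattern.
launch_unsafe() {
    cmd="fake_browser $1"
    eval "$cmd"
}

# Safe: the URL stays one quoted argument and is never re-parsed.
launch_safe() {
    fake_browser "$1"
}

# Constructed sample URL with an embedded command substitution.
# If the substitution ever runs it only prints a marker; it touches nothing.
SAMPLE_URL='http://example.invalid/`echo INJECTED`'

# What the browser stand-in receives via each path (printed, and returned
# via stdout so callers can compare).
received_unsafe() { launch_unsafe "$SAMPLE_URL"; }
received_safe()   { launch_safe   "$SAMPLE_URL"; }

if [ "${1-}" = demo ]; then
    echo 'unsafe path:'; received_unsafe
    echo 'safe path:';   received_safe
fi
```

Running both paths on the same input makes the difference visible: the unsafe path hands the browser `http://example.invalid/INJECTED` because the substitution ran, while the safe path hands it the literal string with the backticks intact. The same holds for `$(...)`, `;`, `|` and the other metacharacters, since the argument is never re-parsed.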

Comment 4 Michal Jaegermann 2005-09-23 20:09:26 UTC
There is an advisory for RHEL, entitled "Critical: mozilla security update"
https://rhn.redhat.com/errata/RHSA-2005-789.html

mozilla-1.7.12 is used as a base for those updates.

Comment 5 Pekka Savola 2005-09-24 09:06:13 UTC
The issue mentioned in comment 3 AFAICT does not affect RHL mozilla, as the
packages ship with RHL's own mozilla script.

I'll check the diffs between RHEL's mozilla update and the one I built.

Comment 6 Pekka Savola 2005-09-26 06:07:24 UTC
Yeah, my mozilla package (above) seems to be sufficient..

There are obviously tons of other packages to fix [all the other OS versions,
and packages depending on mozilla :-(].  I don't have build systems for those,
but if anyone wants to push them out, I'm more than willing to do PUBLISH QA.

Comment 7 Michal Jaegermann 2005-09-27 01:27:48 UTC
I ended up doing on RH7.3 roughly the same as Pekka in comment #2; but I did
a cross between the just released mozilla-1.7.12-1.3.1 from FC3 updates and older
Legacy packages.  That, in particular, means that patches 103, 104, 105 and 107
from FC3 sources were applied too.  Resulting binaries do work just fine.


Comment 8 John Dalbec 2005-09-30 13:49:12 UTC
I believe all of these are fixed in 1.7.12, but FYI:

05.39.17 CVE: CAN-2005-2704
Platform: Cross Platform
Title: Mozilla Browser/Firefox DOM Objects Spoofing Vulnerability
Description: Mozilla and Firefox are prone to a DOM object spoofing
issue that is exposed through an XBL control that uses <implement> for
an internal interface. A remote attacker could potentially exploit
this issue to gain elevated privileges. Please refer to the link below
for a list of vulnerable versions.
Ref: http://www.securityfocus.com/bid/14921/info 
______________________________________________________________________

05.39.18 CVE: CAN-2005-2703
Platform: Cross Platform
Title: Mozilla Browser/Firefox XMLHttp Header Spoofing
Description: Mozilla and Firefox browsers are vulnerable to XMLHttp
header spoofing due to insufficient sanitization of user-supplied input
to the headers of the XMLHttpRequest. Firefox versions 1.0.6, Mozilla
Suite versions 1.7.11 and earlier are reported to be vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html 
______________________________________________________________________

05.39.19 CVE: Not Available
Platform: Cross Platform
Title: Multiple Browser Proxy Auto-Config Script Handling Remote
Denial of Service
Description: Multiple browsers are affected by a remote denial of
service vulnerability due to a design error in the browser processing
a proxy auto-config (PAC) script containing an "eval()" statement.
Firefox versions 1.0.6 and earlier, Netscape Browser versions 8.0.3.3,
and Mozilla versions 1.7.11 and earlier are affected by this issue.
Ref: http://www.securityfocus.com/bid/14924 
______________________________________________________________________

05.39.20 CVE: CAN-2005-0215
Platform: Cross Platform
Title: Mozilla Browser/ Firefox XBM Image Processing Heap Overflow
Description: Mozilla and Firefox web browsers are vulnerable to a heap
overflow issue when processing malformed XBM images with a space
character as the terminator. Firefox versions 1.0.6 and Mozilla
versions 1.7.11 and earlier are vulnerable.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html 
______________________________________________________________________

05.39.21 CVE: CAN-2005-2705
Platform: Cross Platform
Title: Mozilla Browser/Firefox Unspecified JavaScript Engine Integer
Overflow
Description: Mozilla and Firefox are affected by an unspecified
integer overflow vulnerability in their JavaScript engine due to
insufficient boundary checking prior to copying user-supplied data
into sensitive process buffers. Netscape versions 7.2, Netscape
Browser versions 8.0.3.3, Mozilla Firefox versions 1.0.6 and earlier
are affected.
Ref: http://www.securityfocus.com/bid/14917 
______________________________________________________________________

05.39.22 CVE: CAN-2005-2702
Platform: Cross Platform
Title: Mozilla Browser/Firefox Zero-Width Non-Joiner Stack Corruption
Description: Mozilla and Firefox are prone to a stack corruption
vulnerability. This issue occurs when Unicode sequences are used with
zero-width non-joiner characters. Successful exploitation could result
in arbitrary code execution in the security context of the user
running the browser.
Ref: http://www.securityfocus.com/bid/14918/references 
______________________________________________________________________

05.39.23 CVE: CAN-2005-2707
Platform: Cross Platform
Title: Mozilla Browser/Firefox Chrome Window Spoofing
Description: Mozilla and Firefox browsers are prone to a window
spoofing vulnerability. An error in the creation of windows can be
exploited by opening a window from a reference to a closed window to
create a blank "chrome" canvas. The resulting window is missing
certain security mechanisms designed to protect against phishing
attacks, such as the address bar and the status bar. Mozilla Firefox
versions 1.0.6 and earlier and Mozilla Browser versions 1.7.11 and
earlier are affected.
Ref: http://www.mozilla.org/security/announce/mfsa2005-58.html 
______________________________________________________________________

05.39.24 CVE: CAN-2005-2706
Platform: Cross Platform
Title: Mozilla Browser/Firefox Chrome Page Loading Restriction Bypass
Description: Mozilla Browser/Firefox are prone to a potential
arbitrary code execution weakness. This issue allows an attacker to
bypass restrictions associated with loading privileged "chrome" pages.
Ref: http://www.securityfocus.com/bid/14920 

(1) HIGH: Mozilla, Firefox, Netscape Browsers Multiple Vulnerabilities
Affected:
Firefox versions 1.0.6 and prior
Mozilla versions 1.7.11 and prior
Netscape version 8.x

Description: Mozilla, Firefox and Netscape browsers contain the
following vulnerabilities that can be exploited by a malicious webpage
to compromise a user's system. (a) The function that processes XBM
(X-Bitmap) images contains a heap-based overflow that can be triggered
by an XBM image ending with a "space" character rather than the end tag.
According to the discoverer, the flaw can be exploited to execute
arbitrary code. (b) Unicode processing of certain sequences leads to a
stack-based overflow that can be exploited to execute arbitrary code.
(c) The JavaScript Engine contains an integer overflow that can be
exploited to execute arbitrary code. (d) The unprivileged "about:" page
can load a privileged "chrome:" page under certain conditions. This flaw
combined with another cross-zone flaw could result in the execution of
arbitrary code. The Mozilla bugzilla contains technical details required
to leverage these flaws.

Status: Mozilla Foundation has released version 1.0.7 for Firefox and
1.7.12 for Mozilla browsers. In addition to the above mentioned high
severity bugs, the newer versions also fix certain spoofing bugs. No
updates are available for Netscape.

Council Site Actions: Most of the council sites responded that they do
not officially support these browsers however they are in use at their
sites. Most of these sites feel their users are clue-full enough to keep
up-to-date with the patches or they have notified the known users.  One
of the reporting council sites updated most of their systems earlier
this week and will rely on the remaining systems to be updated by the
users.  Another council site has posted the updated versions on its
software mirror.

References:
Mozilla Advisory
http://www.mozilla.org/security/announce/mfsa2005-58.html 
SecurityFocus BIDs
http://www.securityfocus.com/bid/14916 
http://www.securityfocus.com/bid/14917  
http://www.securityfocus.com/bid/14918 
http://www.securityfocus.com/bid/14920 
http://www.securityfocus.com/bid/14919 
http://www.securityfocus.com/bid/14923 
http://www.securityfocus.com/bid/14921 

Comment 9 David Eisenstein 2005-10-04 02:01:33 UTC
Created attachment 119574
Mozilla bug cross-reference table

This issue has so many doggone different bugs, my eyes were crossing trying to
figure them all out.  So I created this handy-dandy little table with all
relevant information on each of the security issues, presented in the same order
that they were introduced in this bug report.  Has hyperlinks everywhere for more
info, and links to all .src.rpm packages Red Hat produced.  Hope this helps.

Comment 10 Pekka Savola 2005-10-05 06:12:46 UTC
Thanks for putting all the info down in a concise form.  We'd now just need work
on the packages.. which seems to be the hard part for all the distros :-/

Comment 11 David Eisenstein 2005-10-05 10:33:37 UTC
You're welcome.

Speaking of working on packages, has anyone noticed when building Mozilla that
it comes up with a lot of compiler warnings?  (No errors, though?)  Also, after
building, do you find that the source tree with all the .o, .a and .so files
takes up like 1.3 gigs of disk space?

Michal, regarding Comment #7:  Why don't you post your RH7.3 .src.rpm package
so we can do QA on it?  Thanks!

Since RH9's and RH7.3's galeon depends on Mozilla, will those .src.rpm's also
need to be submitted for QA?  It looks like Marc submitted these for source
QA last time:

7.3:
7.3/mozilla-1.7.10-0.73.1.legacy.src.rpm
7.3/galeon-1.2.14-0.73.4.legacy.src.rpm

9:
  9/mozilla-1.7.10-0.90.1.legacy.src.rpm
  9/galeon-1.2.14-0.90.4.legacy.src.rpm

fc1:
  1/mozilla-1.7.10-1.1.1.legacy.src.rpm
  1/epiphany-1.0.8-1.fc1.4.legacy.src.rpm

fc2:
  2/mozilla-1.7.10-1.2.1.legacy.src.rpm
  2/devhelp-0.9.1-0.2.8.legacy.src.rpm
  2/epiphany-1.2.10-0.2.5.legacy.src.rpm

I hope to have FC1 .src.rpm packages for QA within a day or two...  Will do 
mozilla and epiphany packages for your QA'ing pleasure.  :-)

Comment 12 Pekka Savola 2005-10-05 11:10:22 UTC
I couldn't find 7.3/galeon-1.2.14-0.73.4.legacy.src.rpm.. for some reason, it
wasn't in the updates directory..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
FYI, I've also recompiled mozilla .src.rpm for RHL73, as well as galeon for
both RHL73 and RHL9 as well, at:
 
http://staff.csc.fi/psavola/fl/
 
I can do the rest [for FC1 and FC2] if folks want as well EXCEPT for epiphany
.src.rpm's because the patch may need adjusting to fit, I fear.
 
d06ceeb8db688c3a5f2699a2be0ac2a06fc8b39f  galeon-1.2.14-0.73.4.legacy.src.rpm
87fa74b6765d1caa3d2a968208b2645c2688653a  galeon-1.2.14-0.90.5.legacy.src.rpm
d1a266f9df4aeb8b1965664975af8f275fa0804c  mozilla-1.7.12-0.73.1.legacy.src.rpm
e891a035896b5550e92af244fb1c8e27ed7d969b  mozilla-1.7.12-0.90.1.legacy.src.rpm
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDQ7ThGHbTkzxSL7QRAkTyAJkBa6BlYXFJ73jCZQh1HZHnD40m0gCgpFLI
W6j6DYa37BH0GjO8WbLscrY=
=m4hk
-----END PGP SIGNATURE-----


Comment 13 David Eisenstein 2005-10-05 11:35:58 UTC
galeon-1.2.14-0.73.4.legacy.src.rpm can be found:

http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.4.legacy.src.rpm

It was mis-filed.

Comment 14 Michal Jaegermann 2005-10-05 15:41:34 UTC
In comment #11 David Eisenstein wrote:
> Michal, regarding Comment #7:  Why don't you post your RH7.3 .src.rpm package
> so we can do QA on it?  Thanks!

I cannot guarantee that a system on which I compiled that had only "standard 7.3"
libraries, although binaries definitely do work for me somewhere else too.
Packages are also not signed.   If that is really desired I can make those
packages available, but only in a few days.  I will note that in a comment then.

Comment 15 David Eisenstein 2005-10-06 02:50:32 UTC
(In reply to comment #12 by Pekka)
> <snip>
> I can do the rest [for FC1 and FC2] if folks want as well EXCEPT for epiphany
> .src.rpm's because the patch may need adjusting to fit, I fear.

I already have an FC1 mozilla .src.rpm and have built the .i386.rpm's.  I
can do epiphany also for FC1.  Am just taking a little time to check that
everything is okay with the new packages (I would like to install and run
it at least a few hours, perhaps check a few vulnerabilities) before
submitting the .src.rpm's here for QA.

If you want to create FC2 .src.rpm(s), that would be cool!

Thanks, Pekka!  :)


Comment 16 David Eisenstein 2005-10-06 03:07:57 UTC
In Comment #14 Michal Jaegermann wrote:
> In comment #11 David Eisenstein wrote:
> > Michal, regarding Comment #7:  Why don't you post your RH7.3 .src.rpm
> > package so we can do QA on it?  Thanks!

> I cannot guarantee that a system on which I compiled that had only
> "standard 7.3" libraries, although binaries definitely do work for me
> somewhere else too. Packages are also not signed.  If that is really
> desired I can make those packages available, but only in a few days.  I
> will note that in a comment then.

My understanding is that at this stage of QA, only the .src.rpm's need be
made available for QA.  One can also make the binary rpm's available as well,
as a convenience for people who want to download & try them pre-updates-testing,
but it's not strictly necessary.

Since Pekka has already stepped up to propose 7.3 .src.rpm's, I guess what will
be needed more is QA on the packages he submitted.  Would you be willing to do
that in a few days instead, at least on the RH7.3 .src.rpm's?  That would be
great help!


Comment 17 Pekka Savola 2005-10-06 07:26:04 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
OK, here are packages for FC2; epiphany patch update was done with pure
luck, so I hope it works (I didn't even test recompilation, I hope someone
else will)..
 
At: http://staff.csc.fi/psavola/fl/
 
d09afc781a7244ecc8a04303cca84a2c21e7bdb0  devhelp-0.9.1-0.2.9.legacy.src.rpm
4bb39a9ec03dbe0f625a8d0c70265d234d82ba45  epiphany-1.2.10-0.2.6.legacy.src.rpm
b8370aa81f86996536a30b04c77b875db69bb6b6  mozilla-1.7.12-1.2.1.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDRNHjGHbTkzxSL7QRAifnAJ9mxHYmG1fwf0W4vSKMueC3GWRSSACfdDbV
uGcL+/m+gF+45I3te0wzOUs=
=nkok
-----END PGP SIGNATURE-----


Comment 18 David Eisenstein 2005-10-09 11:21:19 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1)  QA for RH9 mozilla:

e891a035896b5550e92af244fb1c8e27ed7d969b  mozilla-1.7.12-0.90.1.legacy.src.rpm

   *  tarball mozilla-1.7.12-source.tar.bz2 has a good pgp signature from
      upstream mozilla downloading site.
   *  No changes to patches from mozilla-1.7.10-0.90.1.legacy.src.rpm.
   *  mozilla.spec changes very minimal.


2)  QA for RH9 galeon:

87fa74b6765d1caa3d2a968208b2645c2688653a  galeon-1.2.14-0.90.5.legacy.src.rpm

   *  tarball galeon-1.2.14.tar.gz same as in 1.2.4-0.90.4.legacy
   *  Patches are the same
   *  galeon.spec changes minimal
   *  RHEL2.1 distro uses same version & has same patches and very similar
      spec-file.

  PUBLISH++ RH9  mozilla, galeon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDSPwYxou1V/j9XZwRAvThAJ0TPZ9+A5WIWgmOlOUymxpPtTPU4ACfd3J5
JslkIGS3xLRcHvSc8N/i1T0=
=8F4O
-----END PGP SIGNATURE-----


Comment 19 David Eisenstein 2005-10-13 01:07:47 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are mozilla, epiphany packages for FC1 to QA.

Download from http://fedoralegacy.org/contrib/mozilla/

FC1 source rpms:

b28552deea9601f08b79f982045a8aa956853be7  mozilla-1.7.12-1.1.1.legacy.src.rpm
cdf38ab812243ade2efb419b8253f18a5d738fb3  epiphany-1.0.8-1.fc1.5.legacy.src.rpm

FC1 binary rpms:

a955af18305d1373a9718e6ae2c7cf2df89f27ed  mozilla-1.7.12-1.1.1.legacy.i386.rpm
8135739f7519cf8d14eac07199460b4d91e86e02
		mozilla-chat-1.7.12-1.1.1.legacy.i386.rpm
665ad443de1213ceb2ced410b138b822bb242085
		mozilla-devel-1.7.12-1.1.1.legacy.i386.rpm
23907c1fc90f4a24efe295514149f34e74f8bb21
		mozilla-dom-inspector-1.7.12-1.1.1.legacy.i386.rpm
c3f8edd3801393ec06f0129d806afa08166d7ce6
		mozilla-js-debugger-1.7.12-1.1.1.legacy.i386.rpm
b95820e4ba8af9daabbde50ddfbb062454d0599d
		mozilla-mail-1.7.12-1.1.1.legacy.i386.rpm
646789efd7a1700fe631e89956ab983b7eb54fd9
		mozilla-nspr-1.7.12-1.1.1.legacy.i386.rpm
9eab7131fc3a4398266f1592ba6b84f70bfea3a8
		mozilla-nspr-devel-1.7.12-1.1.1.legacy.i386.rpm
8fde4afeb7fa05f43738cf032529969eee7d955b
		mozilla-nss-1.7.12-1.1.1.legacy.i386.rpm
37841810651be7666efc4afdc18a9af36dd3a628
		mozilla-nss-devel-1.7.12-1.1.1.legacy.i386.rpm
b6cc5397d41fd81774045c69ffa96a9634f02107
		epiphany-1.0.8-1.fc1.5.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDTbOkxou1V/j9XZwRAmPHAKDKvKxiBfrvG32wAZybrLbASHYz7gCgnggQ
uvmaYLeRtfmMHjl1rQxTBiY=
=qIuV
-----END PGP SIGNATURE-----


Comment 20 Michal Jaegermann 2005-10-14 03:22:42 UTC
Apologies that it took so long.
ftp://ftp.harddata.com/pub/Legacy_srpms/mozilla-1.7.12-0.73.1.legacy.src.rpm
ftp://ftp.harddata.com/pub/Legacy_srpms/galeon-1.2.14-0.73.5.legacy.src.rpm
are at this moment packages I am using on RH7.3.  In 'pub/Legacy_srpms/i386'
one can find recompiled i386 binaries.  Not signed in any way.


Comment 21 David Eisenstein 2005-10-19 16:10:57 UTC
FYI, in the FC1 mozilla .src.rpm submitted for QA in comment 19, I took the
mozilla-1.7.12-source.tar.bz2 tarball from the RHEL 3 .src.rpm.  It is not
exactly the same as the mozilla-1.7.12-source.tar.bz2 published at mozilla's
download site.  But I assume if it's good enough for RHEL 3, it certainly is
good enough for our needs!  :-)

The RHEL 3 .src.rpm from which I extracted the source tarball is at:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mozilla-1.7.12-1.1.3.2.src.rpm

or any of its fine mirrors.

Also, the epiphany-1.0.8 I built works *mostly* on my machine.  However, there
is a segfault very shortly after clicking on the dialog box that pops up when
clicking on a link that the browser doesn't know how to handle, that prompts to
<Open>, <Cancel> or <Save to Disk>.  (The segfault happens after choosing a 
file to save it to after clicking the <Save to Disk> button.)  

I suspect that the underlying Mozilla API changed in some recent version of
Mozilla.  I haven't gotten far yet with the onerous process of trying to run
epiphany in the gdb debugger with Mozilla and epiphany debug packages installed.
(I'm needing to upgrade my computer's memory, because I think Mozilla's symbol
tables in gdb eat up all the core.)

This bug may well have existed in the epiphany-1.0.8 that shipped with our
release of Mozilla-1.7.10 in August.  I haven't tried downgrading to that
version to test that theory, however.

Have been in touch with Christopher Aillon of RedHat for his take on the matter,
and his suggestion was to touch base with the Epiphany developers through
irc.gimp.org on channel #epiphany.  (Chris, I hope you don't mind if I add you
to the cc on this issue.)

In the meantime, the workaround I use is if I click on a link the browser
doesn't know how to handle, upon restart of the epiphany browser, I right-click
and select "Save to disk" from the right-click menu.  That works without killing
epiphany.

If anyone has any ideas or further insight on this matter, I'm game.

Comment 22 Marc Deslauriers 2005-10-19 22:27:24 UTC
The epiphany 1.0.8 problem could have come from the ugly patch I added to make
it work with Mozilla 1.7.x a while ago. Could you test an earlier legacy release
to see if it has been broken for a long time?

Comment 23 Pekka Savola 2005-10-20 08:05:40 UTC
Yeah, if it was broken before, I think the only thing we could (reasonably) do
is try upgrading epiphany..

Comment 24 Marc Deslauriers 2005-10-21 23:07:25 UTC
We can't upgrade epiphany. Newer versions have newer library requirements.

We could just fix the patch I made. :)

Comment 25 David Eisenstein 2005-11-02 19:48:00 UTC
Marc, did you ask me in comment 22 if I would test a previous FL release of
mozilla to see if the same epiphany bug in FC1 exists in a previous version?

I can do that, and could report on whether or not epiphany segfaults in the
same way on a previous version of Mozilla, but I am not sure how that would
help?  Let me know if you really need me to do this, because it is a pain for
me to downgrade Mozilla as I only have one computer available to me with one
installation of Fedora, which I use all the time, using Mozilla.

This bug ticket ought to be completed and put to bed soon, since it has been
open for so long and it has some issues deemed critical, if I recall correctly.
I don't want to be responsible for holding up completion of this bug ticket.

Suggestion:  If we cannot resolve the FC1 epiphany issue within, say, a couple
of more weeks, my inclination is to let it slide with a statement that "this is
a known bug" and/or with a statement that we (of necessity) are having to
decommit support for epiphany for FC1, as fixing this old version of epiphany
would be too time-consuming when we have many other pressing issues to tend to,
suggesting that users use Mozilla instead....

In the meantime, to progress, we still need:
   * publish QA for RH7.3 (submitted in comment 12)
   * publish QA for FC2   (submitted in comment 17)
   * publish QA for FC1   (submitted in comment 19 -- along with our decision
     what to do/to not do with Epiphany for FC1).

Michal, would you be willing to do publish QA the RH7.3 submission, especially
since you have your own sources to compare it to?

Comment 26 Marc Deslauriers 2005-11-02 23:02:12 UTC
We shouldn't hold this up because of epiphany. If someone uses it enough to
care, they should open a separate bug and I'll handle it there.

Comment 27 Pekka Savola 2005-11-13 17:47:29 UTC
OK.. I can't do publishes except for FC1 so here goes..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for FC1 w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches OK

+PUBLISH FC1

b28552deea9601f08b79f982045a8aa956853be7  mozilla-1.7.12-1.1.1.legacy.src.rpm
cdf38ab812243ade2efb419b8253f18a5d738fb3  epiphany-1.0.8-1.fc1.5.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFDd3y5GHbTkzxSL7QRAu1YAJ4+KMtF6X1nDKlcZT+fIRFuxv5kwgCgsv/I
zLitjfndd6VZhvUf+7E8LO8=
=iEaH
-----END PGP SIGNATURE-----


Comment 28 David Eisenstein 2005-11-25 08:33:54 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1)  QA for RH7.3 mozilla:

d1a266f9df4aeb8b1965664975af8f275fa0804c  mozilla-1.7.12-0.73.1.legacy.src.rpm

   *  tarball mozilla-1.7.12-source.tar.bz2 has a good pgp signature from
      upstream mozilla downloading site.
   *  No changes to patches from mozilla-1.7.10-0.73.1.legacy.src.rpm.
   *  mozilla.spec changes very minimal.


2)  QA for RH7.3 galeon:

d06ceeb8db688c3a5f2699a2be0ac2a06fc8b39f  galeon-1.2.14-0.73.4.legacy.src.rpm

   *  This source tarball should have been named galeon-1.2.14-0.73.5, but this
      can be taken care of at build time.
   *  tarball galeon-1.2.14.tar.gz same as in (the original) 
      galeon-1.2.14-0.73.4.legacy.src.rpm
   *  Patches are the same
   *  galeon.spec changes minimal; however, the rpm-build-compare output shows 
      a couple of lines missing from the original 1.2.14-0.73.4.legacy
      published on Jul 27th.

 %changelog
- -* Wed Jul 27 2005 Marc Deslauriers <marcdeslauriers> 
   1.2.14-0.73.4.legacy
- -- Rebuild against mozilla 1.7.10
+* Wed Oct  5 2005 Pekka Savola <pekkas> 1.2.14-0.73.4.legacy
+- Rebuild against mozilla 1.7.12

      This is understandable since you couldn't find the original, and,
      again, this can be taken care of at build time.

   *  RHEL2.1 distro uses same version & has same patches and very similar
      spec-file.

  PUBLISH++ RH7.3  mozilla, galeon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDhsztxou1V/j9XZwRAmChAKCIVQjQQZsGHwSX9wr5IykBFHTisQCgoJfW
vBrlosnA6fRbo1XCFNiAcv8=
=RezI
-----END PGP SIGNATURE-----


Comment 29 Pekka Savola 2005-11-25 08:43:30 UTC
Thanks!

Comment 30 David Eisenstein 2005-11-25 09:28:55 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

1)  QA for FC2 devhelp:

d09afc781a7244ecc8a04303cca84a2c21e7bdb0  devhelp-0.9.1-0.2.9.legacy.src.rpm

   * all files the same as in the previous version
   * spec-files changes minimal


2)  QA for FC2 mozilla:

b8370aa81f86996536a30b04c77b875db69bb6b6  mozilla-1.7.12-1.2.1.legacy.src.rpm

   *  tarball mozilla-1.7.12-source.tar.bz2 has a good pgp signature from
      upstream mozilla downloading site.  Source integrity good.
   *  No changes to patches from mozilla-1.7.10-0.73.1.legacy.src.rpm.
   *  mozilla.spec changes very minimal.


3)  QA for FC2 epiphany:

   *  Uses same source files and patches, except for one patch to bump the
      version of mozilla this epiphany is to depend on.
   *  The epiphany-1.2.10-moz1712.patch looks reasonable.
   *  spec-file changes minimal.


  PUBLISH++ FC2 devhelp, mozilla, epiphany

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDhtK2xou1V/j9XZwRAkLaAJ9DC+CSRoZLtD58eXgSq+tIrUMSoQCfWHhf
K5g77pqcCFp7013w674j0zs=
=6idT
-----END PGP SIGNATURE-----


Comment 31 Pekka Savola 2005-11-25 09:32:04 UTC
Great!

Comment 32 David Eisenstein 2005-11-25 09:41:52 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The QA for FC2 epiphany above should have had my calculated sha1sum for the
package.  

4bb39a9ec03dbe0f625a8d0c70265d234d82ba45  epiphany-1.2.10-0.2.6.legacy.src.rpm

PUBLISH++ FC2 epiphany

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDhtw4xou1V/j9XZwRAlJpAKCUZwE/eJxlEFS+N9PEMwoFDhR2EACgiI2k
vzimX0mA/CuEmYEYPqDksLU=
=dTbk
-----END PGP SIGNATURE-----


Comment 33 Marc Deslauriers 2005-12-07 04:07:56 UTC
Packages were pushed to updates-testing

Comment 34 Pekka Savola 2005-12-08 07:04:57 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9.  Signatures OK.  Basic browsing seems to work fine.
Java applets also continue to work fine.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDl9u3GHbTkzxSL7QRAmVbAJ9QnPi0wA1dZnwdRmDe7EKnIOgBJACdF43+
LLqzZgWxp1nfoSGpqwi3/8A=
=3pUK
-----END PGP SIGNATURE-----

Timeout in 4 weeks.

Comment 35 Pekka Savola 2006-01-07 08:09:42 UTC
Timeout over.

Comment 36 Marc Deslauriers 2006-01-10 01:17:19 UTC
Packages were released to updates.

