mozilla security patches and prebuilt package

Alexander Sack asac at debian.org
Tue Sep 27 15:11:00 UTC 2005


Hi,

attached the mozilla patchset for the 1.7.10-1.7.12 transition sorted by
single issues.

I introduced a mfsa2005-56a.debian for regression issues not
documented in a mfsa. 

Everything else is similar to the patches I sent for firefox. The
structure has been changed a bit. Now all patches reside inside the 
same directory tree. Excluded patches are now in a subfolder __reason
(e.g. __nosec).

You can get a prebuilt mozilla package from
http://people.debian.org/~asac/security/. The package version is
1.7.8-1sarge3.

I attached the changes file, so maybe you can push i386 without
rebuilding it.

BTW, I did a test run and verified that:
  + mozilla-enigmail works (as a binary extension in the archive)
  + galeon, kazehakase work
  + locale packages are still valid and apply without any problem.

-- 
 GPG messages preferred. |  .''`.  ** Debian GNU/Linux **
 Alexander Sack          | : :' :      The  universal
 asac at debian.org         | `. `'      Operating System
 http://www.jwsdot.com/  |   `-    http://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mozilla_1.7.10-1.7.12-2.tar.gz
Type: application/octet-stream
Size: 23266 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20050927/196b27c1/mozilla_1.7.10-1.7.12-2.tar-0001.obj
-------------- next part --------------
Format: 1.7
Date: Tue, 27 Sep 2005 13:00:00 +0100
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.8-1sarge3
Distribution: stable-security
Urgency: critical
Maintainer: Takuo KITAME <kitame at debian.org>
Changed-By: Alexander Sack <asac at debian.org>
Description: 
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4   - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3    - Network Security Service Libraries - runtime
 mozilla    - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 mozilla-dom-inspector - A tool for inspecting the DOM of pages in Mozilla.
 mozilla-js-debugger - JavaScript debugger for use with Mozilla
 mozilla-mailnews - The Mozilla Internet application suite - mail and news support
 mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 321427 327366 329778
Changes: 
 mozilla (2:1.7.8-1sarge3) stable-security; urgency=critical
 .
   * MFSA-2005-56a.debian: Regressions introduced by mozilla 1.7.9.
     Summary: Regressions introduced by mozilla 1.7.9 bugfix. There was no
 	     advisory for it (debian/patches/001_mfsa_2005-56a.patch)
     Closes: 321427
     Bugzilla: 294307 301917 300749
     Issues addressed:
       + Regressions introduced by mozilla 1.7.9 bugfix.
   * MFSA-2005-57: IDN heap overrun
     Summary: Tom Ferris reported a Firefox crash when processing a domain
 	     name consisting solely of soft-hyphen characters.
 	     (debian/patches/001_mfsa-2005-57.patch)
     Closes: 327366
     CVE-Ids: CAN-2005-2871
     Bugzilla: 307259 308281
     Issues addressed:
       + CAN-2005-2871 - IDN heap overrun
   * MFSA-2005-58: Accumulated vendor advisory for multiple vulnerabilities
     Summary: Fixes for multiple vulnerabilities with an overall severity
 	     of "critical" have been released in Mozilla Firefox 1.0.7 and
 	     the Mozilla Suite 1.7.12 (debian/patches/001_mfsa-2005-58.patch)
     Closes: 329778
     CVE-Ids: CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
 	     CAN-2005-2705 CAN-2005-2706 CAN-2005-2707
     Bugzilla: 300936 296134 297078 302263 299518 303213 304754 306261
 	      306804 291178 300853 301180 302100
     Issues addressed:
       + CAN-2005-2701 - Heap overrun in XBM image processing
       + CAN-2005-2702 - Crash on "zero-width non-joiner" sequence
       + CAN-2005-2703 - XMLHttpRequest header spoofing
       + CAN-2005-2704 - Object spoofing using XBL <implements>
       + CAN-2005-2705 - JavaScript integer overflow
       + CAN-2005-2706 - Privilege escalation using about: scheme
       + CAN-2005-2707 - Chrome window spoofing
       + Regression fixes
   * MFSA-2005-59: Command-line handling on Linux allows shell execution
     Summary: URLs passed to Linux versions of Firefox on the command-line
 	     are not correctly protected against interpretation by the
 	     shell. As a result a malicious URL can result in the execution
 	     of shell commands with the privileges of the user. If Firefox
 	     is set as the default handler for web URLs then opening a URL
 	     in another program (for example, links in a mail or chat
 	     client) can result in shell command execution.
 	     (debian/patches/001_mfsa-2005-59.patch)
     Closes: -
     CVE-Ids: CAN-2005-2968
     Bugzilla: 307185
     Issues addressed:
       + CAN-2005-2968 - Command-line handling on Linux allows shell execution
Files: 
 8bcf5da1d244d5793c6848126887cb6e 1123 web optional mozilla_1.7.8-1sarge3.dsc
 c6a4dc4aa262b71eb3e2f927ccba5be0 410904 web optional mozilla_1.7.8-1sarge3.diff.gz
 e00305ced1db4728dc26cbde13f0c875 1032 web optional mozilla_1.7.8-1sarge3_i386.deb
 d781aa4f05704110d987cd24ff60787b 10323428 web optional mozilla-browser_1.7.8-1sarge3_i386.deb
 60af02162969c248eea0960220b8c494 3591928 devel optional mozilla-dev_1.7.8-1sarge3_i386.deb
 4a576d88be7edd2557b00e0f27b475ca 1816024 mail optional mozilla-mailnews_1.7.8-1sarge3_i386.deb
 cac6b890d307df1f55f64c5ffa6aa0ec 158350 net optional mozilla-chatzilla_1.7.8-1sarge3_i386.deb
 4a5c07772c5ae39ae8567f50ddd87510 192474 web optional mozilla-psm_1.7.8-1sarge3_i386.deb
 1aac8406b1c144c534bcb59cbf2915e5 116678 web optional mozilla-dom-inspector_1.7.8-1sarge3_i386.deb
 b5b7c32fba5f1e20f7e9180888a36c86 204160 devel optional mozilla-js-debugger_1.7.8-1sarge3_i386.deb
 d0b31286d891952b68f8f96244264933 403498 misc optional mozilla-calendar_1.7.8-1sarge3_i386.deb
 371c4a5c674351727d2dafe5981ed459 131660 libs optional libnspr4_1.7.8-1sarge3_i386.deb
 3a338ed93f9999e56e8de24750380951 170348 libdevel optional libnspr-dev_1.7.8-1sarge3_i386.deb
 9a48b94605f82038226bdfae108437ad 656500 libs optional libnss3_1.7.8-1sarge3_i386.deb
 8d536c4dc957e4448d1ca923ff7504e1 187124 libdevel optional libnss-dev_1.7.8-1sarge3_i386.deb

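The MFSA-2005-59 entry above describes URLs being re-interpreted by the shell when a browser is launched from the command line (for example by a mail or chat client). As an added example, not code from the Debian mozilla package or from Mozilla, the POSIX sh wrapper below shows the safe hand-off: the URL reaches the browser as one literal argv element and is never re-parsed, with a conservative allowlist check in front. BROWSER_BIN, the `example.test` URLs and the permitted character set are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Debian mozilla package or from Mozilla.
# Hardened URL hand-off for a browser wrapper script, the kind of script
# MFSA-2005-59 concerns: the URL must reach the browser as a single, literal
# argv element and must never be re-parsed by a shell (no eval, no sh -c
# "$cmd $url", no string splicing). BROWSER_BIN is an assumed name.
: "${BROWSER_BIN:=mozilla}"

# Return 0 only for a conservative URL: a web scheme and a character set
# drawn from RFC 3986 that excludes whitespace, quotes, backticks, $ ( ) ; | < >.
# The allowlist is defence in depth; the real fix is the argv hand-off below.
url_is_safe() {
    case "$1" in
        http://*|https://*|ftp://*) ;;
        *) return 1 ;;                      # file:, javascript:, empty, etc.
    esac
    # Delete every permitted character; anything left over means refusal.
    leftover=$(printf '%s' "$1" | tr -d 'A-Za-z0-9._~:/?#@%+=&-')
    [ -z "$leftover" ]
}

# Hand the URL to the browser. Quoting "$1" keeps it one argument; the
# shell never treats its contents as syntax, which is what went wrong
# in the vulnerable wrappers.
open_url() {
    if ! url_is_safe "$1"; then
        printf 'refusing suspicious URL\n' >&2
        return 2
    fi
    "$BROWSER_BIN" "$1"
}

# Stand-in browser for testing: reports how many argv elements it received.
argv_count() { printf '%s\n' "$#"; }

# Usage: BROWSER_BIN=/path/to/browser sh wrapper.sh 'http://example.test/'
if [ "$#" -eq 1 ]; then
    open_url "$1"
fi
```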