ffox 1.5.0.2/1.0.8 CVE-Ids, MFSAs and Bugzilla bugs
Alexander Sack
asac at debian.org
Sat Apr 15 09:34:48 UTC 2006
On Fri, Apr 14, 2006 at 09:21:27PM +0200, Mike Hommey wrote:
> On Fri, Apr 14, 2006 at 11:41:06AM +0200, Alexander Sack <asac at debian.org> wrote:
> >
> > Hi,
> >
> > here is a list of CVE-IDs, MFSAs and bugs for today's firefox release ...
> > so you can properly document your upload in unstable.
> >
> > Debian bugs are not listed. Please sort them into this list and
> > communicate your findings. Thanks!
> (...)
>
> Do you know in which part of the code the "browser only" fixes apply ?
> Are they gecko bugs or browser/ (as in source tree subdirectory) only ?
> That is, do they also affect xulrunner ?
I can't tell for sure. I have no idea which components are included by
xulrunner and which are not.
Here is what lsdiff yields for patches I have for those 'browsers only'
advisories. Note that my patchset might still be missing a patch here and
there. I will finalize those after requesting clarification from
the mozilla group on several issues.
====
CVE-2006-1741 mfsa2006-09, 296514, 316589, 311024, 311619, 311892
lsdiff 200609_mfsa2006-09.patch
a/caps/src/nsScriptSecurityManager.cpp
a/js/src/jsfun.c
... xulrunner affected!?
====
CVE-2006-1740 mfsa2006-12, 271194
lsdiff 200612_mfsa2006-12.patch
a/js/src/js.msg
a/js/src/jsregexp.c
a/layout/xul/base/src/grid/nsGrid.cpp
a/layout/xul/base/src/grid/nsGridLayout2.cpp
a/layout/xul/base/src/grid/nsGridLayout2.h
a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
a/xpinstall/src/nsJSInstallTriggerGlobal.cpp
.. xulrunner affected!?
====
mfsa2006-13; CVE-2006-1736; 293527;
mozilla/xpfe/communicator/resources/content/nsContextMenu.js
mozilla/browser/base/content/browser.js
mozilla/mail/base/content/nsContextMenu.js
-> so indeed not browser only ... xulrunner not affected?
====
mfsa2006-23, CVE-2006-1729, M325947, M328566
a/content/html/content/src/nsHTMLInputElement.cpp
a/editor/composer/src/nsEditingSession.cpp
a/layout/html/base/src/nsTextFrame.cpp
... xulrunner affected ??
====
mfsa2006-29 ... 1.0.1 branch not affected, so I don't have any
detailed information. But looking at advisory text it sounds like
it is indeed a bug not applicable to xulrunner ... but I might be wrong.
Anyway, as soon as I have finished this preparation round I will
request clarification from mozilla devs about several things. I will
add those xulrunner questions to my list.
- Alexander
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
asac at jwsdot.com | `. `' Operating System
http://www.asoftsite.org | `- http://www.debian.org
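Added example, not part of the original message: a small triage helper that takes lsdiff-style file listings like the ones above and groups the touched files by top-level source directory, to show which patches stay inside application directories and which reach other code. The set of application directories is an assumption made for this example (browser/ is the directory named in the thread; mail/ and xpfe/ are taken from the mfsa2006-13 listing), and the function names are hypothetical.

```python
from collections import defaultdict

# Assumption: top-level directories treated as application front-end code.
# browser/ is named in the thread; mail/ and xpfe/ are included here only
# because they appear next to it in the mfsa2006-13 listing.
APP_DIRS = {"browser", "mail", "xpfe"}

# Constructed sample input: file lists copied from the message above.
MFSA_2006_09 = """\
a/caps/src/nsScriptSecurityManager.cpp
a/js/src/jsfun.c
"""
MFSA_2006_13 = """\
mozilla/xpfe/communicator/resources/content/nsContextMenu.js
mozilla/browser/base/content/browser.js
mozilla/mail/base/content/nsContextMenu.js
"""


def top_level_dir(path):
    """Drop a leading a/ or b/ (diff prefix) and mozilla/, return the first directory."""
    parts = path.strip().split("/")
    if parts[0] in ("a", "b"):
        parts = parts[1:]
    if parts and parts[0] == "mozilla":
        parts = parts[1:]
    return parts[0] if parts else ""


def classify(listing):
    """Group listed paths by top-level directory and split app vs. other dirs."""
    groups = defaultdict(list)
    for line in listing.splitlines():
        if "/" in line:  # skip blank lines and anything that is not a path
            groups[top_level_dir(line)].append(line.strip())
    other = sorted(d for d in groups if d not in APP_DIRS)
    return {
        "app_dirs": sorted(d for d in groups if d in APP_DIRS),
        "other_dirs": other,
        # Files outside the application directories may be shared code,
        # so that patch needs a manual check against xulrunner.
        "check_xulrunner": bool(other),
    }


if __name__ == "__main__":
    for name, listing in (("mfsa2006-09", MFSA_2006_09), ("mfsa2006-13", MFSA_2006_13)):
        print(name, classify(listing))
```

A result with check_xulrunner set only says the patch touches files outside the assumed application directories; whether xulrunner actually ships that code still has to be confirmed against its build.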