ffox 1.5.0.2/1.0.8 CVE-Ids, MFSAs and Bugzilla bugs

Alexander Sack asac at debian.org
Sat Apr 15 09:34:48 UTC 2006 

On Fri, Apr 14, 2006 at 09:21:27PM +0200, Mike Hommey wrote:
> On Fri, Apr 14, 2006 at 11:41:06AM +0200, Alexander Sack <asac at debian.org> wrote:
> > 
> > Hi,
> > 
> > here a list of CVE-IDs, MFSAs and bugs for todays firefox release ... 
> > so you can properly document your upload in unstable.
> > 
> > Debian bugs are not listed. Please sort them into this list and
> > communicate your findings. Thanks!
> (...)
> 
> Do you know in which part of the code the "browser only" fixes apply ?
> Are they gecko bugs or browser/ (as in source tree subdirectory) only ?
> That is, do they also affect xulrunner ?


I can't tell for sure. I have no idea which components are included by
xulrunner and which are not.

Here what lsdiff yields for patches I have for those 'browsers only'
advisories. Note that my patchset might still be missing a patch here and
there. I will finalize those after requesting clarification from
mozilla group on several issues.

====

CVE-2006-1741 mfsa2006-09, 296514, 316589, 311024, 311619, 311892

lsdiff 200609_mfsa2006-09.patch
a/caps/src/nsScriptSecurityManager.cpp
a/js/src/jsfun.c

 ... xulrunner affected!?

====

CVE-2006-1740 mfsa2006-12, 271194

lsdiff 200612_mfsa2006-12.patch
a/js/src/js.msg
a/js/src/jsregexp.c
a/layout/xul/base/src/grid/nsGrid.cpp
a/layout/xul/base/src/grid/nsGridLayout2.cpp
a/layout/xul/base/src/grid/nsGridLayout2.h
a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
a/xpinstall/src/nsJSInstallTriggerGlobal.cpp

  .. xulrunner affected!?

====

mfsa2006-13; CVE-2006-1736; 293527;

mozilla/xpfe/communicator/resources/content/nsContextMenu.js
mozilla/browser/base/content/browser.js
mozilla/mail/base/content/nsContextMenu.js

 -> so indeed not browser only ... xulrunner not affected?


====

mfsa2006-23, CVE-2006-1729, M325947, M328566

a/content/html/content/src/nsHTMLInputElement.cpp
a/editor/composer/src/nsEditingSession.cpp
a/layout/html/base/src/nsTextFrame.cpp

 ... xulrunner affected ??

====

mfsa2006-29 ... 1.0.1 branch not affected, so I don't have any
detailed information. But looking at advisory text it sounds like 
it is indeed a bug not applicable to xulrunner ... but I might be wrong.


Anyway, as soon as I have finished this preparation round I will
request clarification from mozilla devs about several things. I will
add those xulrunner questions to my list.


 - Alexander

-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack            | : :' :      The  universal
 asac at jwsdot.com           | `. `'      Operating System
 http://www.asoftsite.org  |   `-    http://www.debian.org

More information about the pkg-mozilla-maintainers mailing list