ffox 1.5.0.2/1.0.8 CVE-Ids, MFSAs and Bugzilla bugs

Mike Hommey mh at glandium.org
Sat Apr 15 10:02:41 UTC 2006


On Sat, Apr 15, 2006 at 11:34:48AM +0200, Alexander Sack <asac at debian.org> wrote:
> On Fri, Apr 14, 2006 at 09:21:27PM +0200, Mike Hommey wrote:
> > On Fri, Apr 14, 2006 at 11:41:06AM +0200, Alexander Sack <asac at debian.org> wrote:
> > > 
> > > Hi,
> > > 
> > > here is a list of CVE-IDs, MFSAs and bugs for today's firefox release ...
> > > so you can properly document your upload in unstable.
> > > 
> > > Debian bugs are not listed. Please sort them into this list and
> > > communicate your findings. Thanks!
> > (...)
> > 
> > Do you know in which part of the code the "browser only" fixes apply?
> > Are they gecko bugs or browser/ (as in source tree subdirectory) only?
> > That is, do they also affect xulrunner?
> 
> 
> I can't tell for sure. I have no idea which components are included by
> xulrunner and which are not.
> 
> Here is what lsdiff yields for patches I have for those 'browsers only'
> advisories. Note that my patchset might still be missing a patch here and
> there. I will finalize those after requesting clarification from
> mozilla group on several issues.
> 
> ====
> 
> CVE-2006-1741 mfsa2006-09, 296514, 316589, 311024, 311619, 311892
> 
> lsdiff 200609_mfsa2006-09.patch
> a/caps/src/nsScriptSecurityManager.cpp
> a/js/src/jsfun.c
> 
>  ... xulrunner affected!?

yes

> ====
> 
> CVE-2006-1740 mfsa2006-12, 271194
> 
> lsdiff 200612_mfsa2006-12.patch
> a/js/src/js.msg
> a/js/src/jsregexp.c
> a/layout/xul/base/src/grid/nsGrid.cpp
> a/layout/xul/base/src/grid/nsGridLayout2.cpp
> a/layout/xul/base/src/grid/nsGridLayout2.h
> a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
> a/xpinstall/src/nsJSInstallTriggerGlobal.cpp
> 
>   .. xulrunner affected!?

yes

> ====
> 
> mfsa2006-13; CVE-2006-1736; 293527;
> 
> mozilla/xpfe/communicator/resources/content/nsContextMenu.js
> mozilla/browser/base/content/browser.js
> mozilla/mail/base/content/nsContextMenu.js
> 
>  -> so indeed not browser only ... xulrunner not affected?

not affected

> ====
> 
> mfsa2006-23, CVE-2006-1729, M325947, M328566
> 
> a/content/html/content/src/nsHTMLInputElement.cpp
> a/editor/composer/src/nsEditingSession.cpp
> a/layout/html/base/src/nsTextFrame.cpp
> 
>  ... xulrunner affected ??

yes

> ====
> 
> mfsa2006-29 ... 1.0.1 branch not affected, so I don't have any
> detailed information. But looking at advisory text it sounds like 
> it is indeed a bug not applicable to xulrunner ... but I might be wrong.

Without more information I can't tell ;)

> Anyway, as soon as I have finished this preparation round I will
> request clarification from mozilla devs about several things. I will
> add those xulrunner questions to my list.

Thanks

Mike
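
Added example, not part of the original thread: a first-pass triage of `lsdiff` output that reports whether a patch touches only application front-end directories or also code outside them. The prefix list is an assumption taken from the paths this thread judged "not affected" (browser/, mail/, xpfe/communicator/); treating everything else as shared code is likewise an assumption, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: classify a patch by the source-tree prefixes it touches.
# APP_ONLY holds the front-end prefixes seen in this thread (assumption:
# any path outside them is shared code that xulrunner may also build).
APP_ONLY='browser/ mail/ xpfe/communicator/'

# classify_paths: reads one path per line on stdin (e.g. from lsdiff) and
# prints "shared" if any path lies outside APP_ONLY, "app-only" if every
# path is inside it, or "empty" if no paths were given.
classify_paths() {
    awk -v prefixes="$APP_ONLY" '
        BEGIN { n = split(prefixes, p, " ") }
        {
            path = $0
            sub(/^[ \t]+/, "", path)
            sub(/[ \t\r]+$/, "", path)
            if (path == "") next
            sub(/^[ab]\//, "", path)      # strip the diff a/ or b/ prefix
            sub(/^mozilla\//, "", path)   # strip the tree root if present
            seen++
            hit = 0
            for (i = 1; i <= n; i++)
                if (index(path, p[i]) == 1) hit = 1
            if (!hit) shared++
        }
        END {
            if (!seen) print "empty"
            else if (shared) print "shared"
            else print "app-only"
        }'
}

# Usage against a real patch: lsdiff 200609_mfsa2006-09.patch | classify_paths
# Demo with two file lists quoted in the thread above.
printf 'mfsa2006-09: '
printf '%s\n' a/caps/src/nsScriptSecurityManager.cpp a/js/src/jsfun.c | classify_paths
printf 'mfsa2006-13: '
printf '%s\n' mozilla/browser/base/content/browser.js \
    mozilla/mail/base/content/nsContextMenu.js | classify_paths
```

A "shared" verdict only flags the patch for a closer look; whether xulrunner actually ships the touched component still has to be confirmed against its build.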



More information about the pkg-mozilla-maintainers mailing list