[asac@debian.org: Re: ffox 1.5.0.2/1.0.8 CVE-Ids, MFSAs and Bugzilla bugs]

Alexander Sack asac at debian.org
Sat Apr 15 17:11:57 UTC 2006 

Hi,

OK, you can get it (read below) from my people.debian.org account:

    http://people.debian.org/~asac/aviary1.0.8a.tar.gz

attached you find a patch that is needed to get InstallTrigger code
changes apply cleanly. Just apply it before anything else.

...

----- Forwarded message from Alexander Sack <asac at debian.org> -----

From: Alexander Sack <asac at debian.org>
To: Eric Dorland <eric at debian.org>
Cc: Debian Mozilla Maintainers <pkg-mozilla-maintainers at lists.alioth.debian.org>,
	Debian Security Team <team at security.debian.org>
Subject: Re: ffox 1.5.0.2/1.0.8 CVE-Ids, MFSAs and Bugzilla bugs

On Fri, Apr 14, 2006 at 04:52:41PM -0400, Eric Dorland wrote:
> 
> Thanks for creating this list. Are you working on backporting the
> security fixes to the sarge mozilla-firefox package? Should we
> coordinate and split up the work? 


Yes, I am extracting them from cvs. Attached you find a tarball
containing all checkins already documented to some extent. 
Those in top level folder are directly linked with a mfsa. It should 
be pretty easy for you to figure which mfsa and cve-id they belong 
to by searching for bug numbers in the advisory list sent to this list.

Patches/Checkins in __nomfsa/ *need attention*! Those bugs are
security related, but I couldn't find a security announcement
associated.

We should start to run test builds now. Not all patches will apply
cleanly. Please report your problems and we can figure them
out - hopefully :). Anyway, please take care that you keep the sorting 
by name of the patch files when applying them. If you apply main
patches AND those in __nomfsa, copy them to one directory first. If 
you have issues applying hunks please resolve them manually and sent 
back cleaned patches.

For test builds we should assume that checkins in __nomfsa are indeed
security checkins. So please apply them anyway. I will try to sort 
this mess out with upstream asap.


----- End forwarded message -----

 - Alexander

-- 
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 asac at debian.org            | `. `'      Operating System
 http://www.asoftsite.org/  |   `-    http://www.debian.org/
-------------- next part --------------
Index: mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp
diff -u mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp:1.35.6.4.2.5 mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp:1.35.6.4.2.6
--- mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp:1.35.6.4.2.5	Wed Jul  6 01:29:00 2005
+++ mozilla/xpinstall/src/nsJSInstallTriggerGlobal.cpp	Mon Sep 12 23:27:19 2005
@@ -206,9 +206,7 @@
 InstallTriggerGlobalUpdateEnabled(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
   nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)
-    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, argv);
-  if (!nativeThis)
-    return JS_FALSE;
+    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, 0);
 
   *rval = JSVAL_FALSE;
 
@@ -235,9 +233,7 @@
 InstallTriggerGlobalInstall(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 { 
   nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)
-    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, argv);
-  if (!nativeThis)
-    return JS_FALSE;
+    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, 0);
 
   *rval = JSVAL_FALSE;
 
@@ -412,9 +408,7 @@
 InstallTriggerGlobalInstallChrome(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
   nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)
-    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, argv);
-  if (!nativeThis)
-    return JS_FALSE;
+    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, 0);
 
   uint32       chromeType = NOT_CHROME;
   nsAutoString sourceURL;
@@ -505,9 +499,7 @@
 InstallTriggerGlobalStartSoftwareUpdate(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
   nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)
-    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, argv);
-  if (!nativeThis)
-    return JS_FALSE;
+    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, 0);
 
   PRBool       nativeRet;
   PRInt32      flags = 0;
@@ -595,9 +587,7 @@
 InstallTriggerGlobalCompareVersion(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
   nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)
-    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, argv);
-  if (!nativeThis)
-    return JS_FALSE;
+    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, 0);
 
   nsAutoString regname;
   nsAutoString version;
@@ -698,9 +688,7 @@
 InstallTriggerGlobalGetVersion(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval)
 {
   nsIDOMInstallTriggerGlobal *nativeThis = (nsIDOMInstallTriggerGlobal*)
-    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, argv);
-  if (!nativeThis)
-    return JS_FALSE;
+    JS_GetInstancePrivate(cx, obj, &InstallTriggerGlobalClass, 0);
 
   nsAutoString regname;
   nsAutoString version;

More information about the pkg-mozilla-maintainers mailing list