issues with mozilla

Michal Jaegermann michal at harddata.com
Sat Mar 20 19:08:49 UTC 2004


On March 18th RHSA-2004:112-01 advisory showed up about multiple
security vulnerabilities in Mozilla.  New release fixes the following:

CAN-2003-0564     ASN.1 troubles with S/MIME
CAN-2003-0594     cookie mishandling with a possibility of execution
                  of malicious code on a browsing machine
CAN-2004-0191     cross-site scripting issues

More details about these bugs can be found on http://cve.mitre.org/.

As for fixes I found some patch for the last problem trawling through
bugzilla.mozilla.org but the other two were fixed by switching to a
version of Mozilla with these bugs fixed and
mozilla-1.4.2-0.9.0.src.rpm does not include _any_ explicit patches.
I tried to look around if somewhere else there is something I could
adapt to mozilla-1.0.2-2.7.3 but I drew a blank.  One would have
to be intimately familiar with mozilla sources to risk backporting
security fixes to older versions and a time expenditure for something
of that sort would likely be enormous without any guarantees that
things are indeed correct.  Look at this source size.

Instead I decided that recompiling mozilla-1.4.2 will be more
productive.  I modified mozilla.spec for the latter to be similar to
what was used with mozilla-1.0.2-2.7.3 and it worked on the first
try. :-)  As galeon is tied up to a mozilla (libraries) I did the
same thing with the latter.  So far things seem to work just fine.

I attach diffs, minus '%changelog' entries, for spec files used to
recompile RH9 updates on RH7.3.  There is no bugzilla entry for
now (but if somebody feels like doing that... :-)

Despite a general policy of not changing versions this seems
to me a correct thing to do here.  Comments?

  Michal
-------------- next part --------------
--- SPECS/mozilla.spec~	Mon Mar  8 12:45:27 2004
+++ SPECS/mozilla.spec	Fri Mar 19 17:14:12 2004
@@ -2,13 +2,14 @@
 %define desktop_file_utils_version 0.2.93
 
 %define _unpackaged_files_terminate_build 0
-%define toolkit_options --disable-freetype2 --enable-xft
+# %define toolkit_options --disable-freetype2 --enable-xft
+%define toolkit_options --disable-freetype2 --enable-old-abi-compat-wrappers
 %define builddir %{_builddir}/mozilla
 
 Name:        mozilla
 Summary:     Web browser and mail reader
 Version:     1.4.2
-Release:     0.9.0
+Release:     0.7x.legacy
 Epoch:       37
 License:     MPL/NPL/GPL/LGPL
 Source0:     mozilla-source-1.4.2.tar.bz2
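Review bot: the commented-out line `# %define toolkit_options --disable-freetype2 --enable-xft` is still expanded by rpm, because macros are processed in comments too; here it is harmless only because the next line redefines `toolkit_options`, but it should be written as `#%%define ...` (or dropped) so a later reordering cannot silently re-enable `--enable-xft`. The Release change to `0.7x.legacy` keeps `Epoch: 37`, so the RH9 `0.9.0` build still sorts newer than this one, which is what an upgrade path from RH7.3 wants; worth stating that intent in the %changelog that was left out of the post.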
@@ -54,7 +55,7 @@ Buildroot:   %{_tmppath}/%{name}-root
 Prefix:      /usr
 Group:       Applications/Internet
 Provides:    webclient
-BuildPrereq: libpng-devel, libjpeg-devel, zlib-devel, zip, perl, indexhtml, libIDL-devel, glib2-devel, gtk2-devel, autoconf213
+BuildPrereq: libpng-devel, libjpeg-devel, zlib-devel, zip, perl, indexhtml, ORBit-devel, glib2-devel, gtk2-devel, autoconf
 Prereq:      fileutils perl
 Prereq:      /usr/bin/killall
 Requires:    mozilla-nspr = %{epoch}:%{version}-%{release}
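Review bot: replacing `autoconf213` with an unversioned `autoconf` loses the version pin that the original BuildPrereq encoded; if the build host happens to have a newer autoconf installed as `autoconf`, the 2.13-era configure.in in this source will fail or misbehave. Suggest keeping a version constraint, e.g. `autoconf < 2.50` or `autoconf = 2.13`, on the `BuildPrereq:` line. The `libIDL-devel` to `ORBit-devel` swap matches the RH7.3 package naming the rest of the spec assumes, but a note saying so would help whoever rebuilds this later.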
@@ -247,7 +248,7 @@ if test "x$CPUS" = "x" -o "x$CPUS" = "x0
 fi
 
 %ifarch i386
-CC=gcc296 CXX=g++296 \
+CC=gcc CXX=g++ \
 CFLAGS=-g CXXFLAGS=-g XCFLAGS=-g \
 %endif
 BUILD_OFFICIAL=1 MOZILLA_OFFICIAL=1 \
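Review bot: dropping `CC=gcc296 CXX=g++296` in favour of `CC=gcc CXX=g++` only affects the `%ifarch i386` branch, and the spec now no longer records which compiler the binaries are expected to come from; since the result must stay ABI compatible with the galeon build in the second patch and with the `--enable-old-abi-compat-wrappers` option added above, suggest adding a `BuildPrereq:` on `gcc-c++` (with the version the RH7.3 build relies on) or at least documenting the expected compiler in %changelog so the two packages are always rebuilt with the same toolchain.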
-------------- next part --------------
--- SPECS/galeon.spec~	Tue Mar  9 09:49:28 2004
+++ SPECS/galeon.spec	Sat Mar 20 11:17:07 2004
@@ -1,7 +1,7 @@
 # Note that this is NOT a relocatable package
 # DON'T FORGET TO UPDATE THE MOZILLA DEPENDENCY
 %define ver      1.2.13
-%define rel 0.9.0
+%define rel 0.7x.legacy
 %define prefix   /usr
 %define sysconfdir	/etc
 %define moz_required 1.4.2
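Review bot: `%define rel 0.7x.legacy` mirrors the mozilla.spec release, and `moz_required` stays at 1.4.2, which is consistent with the rebuilt mozilla package; but because `moz_required` carries only the version, the resulting galeon package will also accept the RH9 mozilla-1.4.2-0.9.0 build it was not compiled against. Given the comment just above about updating the mozilla dependency, consider tightening the requirement to include the epoch and release of the legacy build this galeon was linked against.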
@@ -63,8 +63,8 @@ Galeon was written to do just one thing 
 #autoconf
 
 export DONT_BUILD_NAUTILUS_VIEW=1
-export CC=gcc296
-export CXX=g++296
+# export CC=gcc296
+# export CXX=g++296
 
 # if you set the DONT_BUILD_NAUTILUS_VIEW environment variable to something 
 # else than "" the view won't be built. Otherwise, it will e built if 
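Review bot: commenting out `export CC=gcc296` and `export CXX=g++296` leaves CC and CXX unset in this spec, so the compiler used depends on whatever the build environment exports, whereas mozilla.spec in the same post sets `CC=gcc CXX=g++` explicitly; for reproducibility and to keep galeon built with the same compiler as the mozilla libraries it links against, suggest `export CC=gcc` / `export CXX=g++` here instead of plain comments.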


More information about the fedora-legacy-list mailing list