#1012275 firefox: new upstream version fixes possible RCE security holes

Package: firefox
Source: firefox
Description: Mozilla Firefox web browser
Submitter: Christoph Anton Mitterer
Date: 2022-06-10 00:39:08 UTC
Severity: serious
Tags:
Blocked By: #1012197 rust-cbindgen: Please package version 0.23.0 (wishlist, about 4 years ago)

#1012275#5
Date: 2022-06-02 17:29:54 UTC
Hi.

Would be good to see 101 packaged ASAP, as it fixes numerous issues,
including some which are apparently thought to allow remote code
execution.


Cheers,
Chris.

#1012275#18
Date: 2022-06-03 18:48:16 UTC
close 1012275 101.0-1
thanks

#1012275#21
Date: 2022-06-04 12:42:02 UTC
 ❦  3 June 2022 20:48 +02, Salvatore Bonaccorso:

Unfortunately, Firefox is not buildable due to depending on a version of
Cargo not available in unstable.

#1012275#26
Date: 2022-06-05 21:46:25 UTC
Shouldn't that be reopened then?

I wouldn't be surprised if quite a number of people use the non-ESR FF,
probably also DDs/DMs.

And because of Rust deps, it seems to happen more often now that
security-critical upgrades cannot enter unstable. (And yes, I'm well
aware that unstable has no official security support, but still.)


Cheers,
Chris.

#1012275#31
Date: 2022-06-06 13:43:29 UTC
reopen 1012275
tags 1012275 patch


Hi,

On Sun, 05 Jun 2022 23:46:25 +0200 Christoph Anton Mitterer <calestyo@scientia.org> wrote:

I am not sure though why the packaging requires a newer cargo version
than available from unstable and not just a newer rustc version; I
tried lowering the required version (see patch below) and it builds
just fine for me.


Cheers,
Julian


Patch:

diff -upNr a/debian/control b/debian/control
--- a/debian/control	2022-05-31 23:07:37.000000000 +0200
+++ b/debian/control	2022-06-06 13:50:48.239713566 +0200
@@ -28,7 +28,7 @@ Build-Depends: autotools-dev,
                yasm,
                nasm (>= 2.14) [amd64 i386],
                rustc (>= 1.59),
-               cargo (>= 0.60),
+               cargo (>= 0.57),
                llvm-dev,
                libclang-dev,
                clang,
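Review bot: the lowered bound `cargo (>= 0.57)` now sits directly under an unchanged `rustc (>= 1.59)`, so the two toolchain bounds no longer belong to the same upstream release (cargo 0.57 is the crate version shipped with the Rust 1.56 toolchain, while rustc stays at 1.59). Please state in the changelog which cargo and rustc versions the successful test build actually used, and either lower or keep both bounds consistently; also note that debian/control is generated from debian/control.in, so this hunk should be the regenerated output of the control.in change rather than a hand edit.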
diff -upNr a/debian/control.in b/debian/control.in
--- a/debian/control.in	2022-05-31 23:04:04.000000000 +0200
+++ b/debian/control.in	2022-06-06 13:51:17.093109680 +0200
@@ -51,9 +51,9 @@ Build-Depends: autotools-dev,
                rustc (>= 1.59),
 %endif
 %if DIST == bullseye || DIST == buster || DIST == stretch
-               cargo-mozilla (>= 0.60),
+               cargo-mozilla (>= 0.57),
 %else
-               cargo (>= 0.60),
+               cargo (>= 0.57),
 %endif
 %if DIST == stretch
                gcc-mozilla (>= 7.1),
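Review bot: the `cargo-mozilla (>= 0.57)` line relaxes the bound on the bullseye/buster/stretch branch as well, which the reported build failure in unstable does not require. Unless cargo-mozilla in those distributions is also older than 0.60, keep that branch at `cargo-mozilla (>= 0.60)` and lower only the `%else` branch, so the backport requirement is not weakened as a side effect of an unstable fix.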
diff -upNr a/debian/patches/debian-hacks/Lower-cargo-version.patch b/debian/patches/debian-hacks/Lower-cargo-version.patch
--- a/debian/patches/debian-hacks/Lower-cargo-version.patch	1970-01-01 01:00:00.000000000 +0100
+++ b/debian/patches/debian-hacks/Lower-cargo-version.patch	2022-06-06 14:13:11.030629556 +0200
@@ -0,0 +1,13 @@
+diff --git a/python/mozboot/mozboot/util.py b/python/mozboot/mozboot/util.py
+index 86720993d0..fdbf48f3ed 100644
+--- a/python/mozboot/mozboot/util.py
++++ b/python/mozboot/mozboot/util.py
+@@ -23,7 +23,7 @@ if sys.version_info < (3,):
+ else:
+     from urllib.request import urlopen
+
+-MINIMUM_RUST_VERSION = "1.59.0"
++MINIMUM_RUST_VERSION = "1.56.0"
+
+
+ def get_tools_dir(srcdir=False):
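Review bot: the new patch file carries no DEP-3 header (Description, Author, Forwarded or Origin), so a later maintainer cannot tell why upstream's `MINIMUM_RUST_VERSION` is lowered from "1.59.0" to "1.56.0" or whether upstream was asked; please add one. The file name says "Lower-cargo-version" but the content lowers the Rust minimum, and "1.56.0" is below the `rustc (>= 1.59)` that debian/control keeps, so the in-tree check and the package build dependencies now disagree. Either lower both to the same generation or, if only the cargo requirement is the problem in unstable, say so in the header and name the file after what it actually changes.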
diff -upNr a/debian/patches/series b/debian/patches/series
--- a/debian/patches/series	2022-05-31 22:51:42.000000000 +0200
+++ b/debian/patches/series	2022-06-06 14:13:27.027350785 +0200
@@ -17,3 +17,4 @@ debian-hacks/Avoid-using-vmrs-vmsr-on-ar
 debian-hacks/Use-build-id-as-langpack-version-for-reproducibility.patch
 debian-hacks/Allow-to-build-with-older-versions-of-nodejs-10.patch
 debian-hacks/Fix-math_private.h-for-i386-FTBFS.patch
+debian-hacks/Lower-cargo-version.patch

#1012275#42
Date: 2022-06-09 11:59:36 UTC
Could someone then possibly rebuild this with Julian’s patch, ASAP?

Over a week with a likely remote code exploit hole in the browser of
any Debian (non-ESR) FF user seems not so ideal.

Thanks,
Chris.

#1012275#47
Date: 2022-06-09 20:09:48 UTC
There's a 101.0.1 on the way.

#1012275#52
Date: 2022-06-09 21:35:12 UTC
I assume you mean "being built for Debian"?

Anyway... thanks for taking care. :-)

Cheers,
Chris.