On Sun, 01 Oct 2017 at 23:36:52 +0200, Michael Biebl wrote:
> >> The remaining problem seems to be a big-endian issue (mips, s390x,
> >> hppa, powerpc, sparc64). ppc64 fails in a slightly different
> >> manner, might just be it's failing earlier for a different reason
> >> but would also suffer from this bug.

Here is some work-in-progress on this:
https://anonscm.debian.org/git/users/smcv/mozjs52.git

I've made it regenerate the data file on both endiannesses in the hope
that this will make us more likely to catch errors. The generated file
on little-endian is not the same as the pregenerated one :-(

This is only build-tested on x86_64 at this point, not runtime-tested.

I'm a little concerned that when mips(el) are dropped from Debian in
favour of mips64el (which I believe is the mips porters' long term
plan?), s390x will be the only big-endian release architecture, which
doesn't seem particularly sustainable - few DDs understand that
architecture, and given its category of hardware, probably none will
ever own one.

> > [17:18:15] <mbiebl> a local js engine does not have the same attach vector
> > as a browser
> > [17:18:52] <bunk> So passing untrusted contents to mozjs will be a CVE in
> > GNOME?

GNOME applications that want a web engine capable of interpreting normal
HTML/CSS/JS from the Internet use WebKit, not mozjs52.

The major user of mozjs52 is gjs. Passing untrusted JavaScript to gjs
would definitely be CVE-worthy, regardless of mozjs' code quality,
because gjs has full user privileges and can call arbitrary
GObject-Introspection APIs: passing untrusted JavaScript to it would be
equivalent to passing untrusted Python, Perl, Ruby or shell script to
their respective interpreters. gjs is used by GNOME Shell (and its
extensions), GNOME Sushi and Polari, which are all trusted apps that
happen to be partially or entirely written in JS: JS as programming
language, rather than JS as web content.

polkit (PolicyKit) in experimental currently uses mozjs 1.8.5, but
should eventually move to mozjs52. Again, this is entirely trusted: the
ability to install polkit rules is equivalent to the ability to install
sudoers.d fragments, and it would already be a serious security
vulnerability if a non-root-equivalent user could edit or install those
rules.

libproxy has a plugin to interpret PAC (proxy auto-config) using mozjs,
currently mozjs 1.8.5. This is at a security boundary, so it might well
be relying on mozjs to be able to interpret untrusted JS safely; but
mozjs52 presumably can't be any worse than mozjs 1.8.5 in that respect?

gxine, mediatomb and oolite also use mozjs 1.8.5 and should probably
move to a newer version eventually. I don't know what they use it for,
but again, mozjs52 surely can't be any worse than mozjs 1.8.5...

    smcv