Your message dated Sat, 06 Jan 2007 21:17:21 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#405062: fixed in xulrunner 1.8.0.9-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libnspr4-0d
Version: 1.8.0.8-1
Severity: grave
Tags: security


A vulnerability has been found in libnspr. From [1] :

"NSPR logging is controlled with a couple of environment variables, 
one to enable it, and a second to control the name of the log file.
This appears to all work in "optimized" (non-debug) builds.  

So, if any setuid root program is linked with NSPR, any user can clobber
any file on the system (any root writable file) by setting NSPR's 
environment variables to log to that file, and then running a setuid root
program linked with NSPR."


I couldn't find any setuid binary in Debian that links against libnspr, but
there is "camel-lock-helper-1.2" in evolution-data-server, which is setgid mail.
AFAICS the above argument also works with setgid binaries. So this might allow
overwriting other people's mail if evolution-data-server is installed.

The fix in [1] seems to only fix the setuid case.


I am not sure whether this bug should be RC. Feel free to downgrade if you don't
think so.


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=351470


--- End Message ---
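The clobber described in the report above, and the set-id check a fix needs, modelled as an added example. This is not NSPR's code and not from the bug report: EXAMPLE_LOG_FILE, the chooser functions and demo_clobber are this example's own names, the 15-byte "victim" file is constructed for the demonstration, and gid 8 is assumed to be Debian's mail group. It shows the reporter's point that a uid-only check lets a setgid helper through, beside a check that covers both cases.

```c
/* Added example (not NSPR's code and not from the bug report): a minimal model
 * of environment-driven log-file selection, in the vulnerable form the report
 * describes and in a hardened form that covers both setuid and setgid.
 * LOG_FILE_ENV, the chooser functions and demo_clobber are this example's own
 * names; gid 8 is assumed to be Debian's mail group. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __GLIBC__
#include <sys/auxv.h>
#endif

#define LOG_FILE_ENV "EXAMPLE_LOG_FILE" /* stand-in for the NSPR log-file variable */

/* The check the reporter attributes to the first upstream fix: real vs.
 * effective uid only.  A setgid helper (uid unchanged) passes it. */
int is_setuid_only(uid_t ruid, uid_t euid)
{
    return ruid != euid;
}

/* Full condition: privilege was gained if either the user or the group id
 * differs between real and effective. */
int is_set_id(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* For the current process; on glibc also honour AT_SECURE, which the kernel
 * sets for every set-id or capability-granting exec. */
int running_set_id(void)
{
#ifdef __GLIBC__
    if (getauxval(AT_SECURE) != 0) return 1;
#endif
    return is_set_id(getuid(), geteuid(), getgid(), getegid());
}

/* Vulnerable: honours the environment unconditionally, so a set-id binary
 * truncates whatever file the caller named. */
const char *choose_log_file_unsafe(const char *env_value, int set_id)
{
    (void)set_id;
    return env_value;
}

/* Hardened: ignore the caller's environment when set-id (NULL = use stderr). */
const char *choose_log_file_safe(const char *env_value, int set_id)
{
    return set_id ? NULL : env_value;
}

/* Open the chosen destination; fopen(..., "w") truncates, which is the
 * "clobber" in the report. */
FILE *open_log(const char *(*chooser)(const char *, int), int set_id)
{
    const char *path = chooser(getenv(LOG_FILE_ENV), set_id);
    if (path == NULL || *path == '\0') return stderr;
    FILE *fp = fopen(path, "w");
    return fp ? fp : stderr;
}

/* Constructed scenario: a 15-byte "victim" file, the attacker's variable
 * pointing at it, and a process whose set-id status is `set_id`.  Returns the
 * victim's size afterwards (15 = intact, 0 = clobbered), -1 on setup failure. */
long demo_clobber(const char *(*chooser)(const char *, int), int set_id)
{
    char victim[] = "/tmp/log-clobber-demo-XXXXXX";
    int fd = mkstemp(victim);
    if (fd < 0) return -1;
    if (write(fd, "important mail\n", 15) != 15) { close(fd); unlink(victim); return -1; }
    close(fd);
    setenv(LOG_FILE_ENV, victim, 1);

    FILE *fp = open_log(chooser, set_id);
    if (fp != stderr) fclose(fp);

    struct stat st;
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(victim);
    unsetenv(LOG_FILE_ENV);
    return size;
}

int main(void)
{
    /* setgid-mail helper: uid 1000 -> 1000, gid 1000 -> 8 */
    int helper = is_set_id(1000, 1000, 1000, 8);
    printf("setuid-only check sees privilege: %d\n", is_setuid_only(1000, 1000));
    printf("uid+gid check sees privilege:     %d\n", helper);
    printf("victim size, unsafe chooser: %ld\n", demo_clobber(choose_log_file_unsafe, helper));
    printf("victim size, safe chooser:   %ld\n", demo_clobber(choose_log_file_safe, helper));
    printf("this process is set-id: %d\n", running_set_id());
    return 0;
}
```

Build with cc and run it unprivileged: for the setgid-mail helper the uid-only check reports no privilege while the uid+gid check does, and with the unsafe chooser the victim file ends up 0 bytes. A library doing this for real should prefer the kernel's own verdict (getauxval(AT_SECURE) on glibc, issetugid() on the BSDs) over id comparisons, since AT_SECURE is also set when file capabilities, not a set-id bit, granted the privilege.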
--- Begin Message ---
Source: xulrunner
Source-Version: 1.8.0.9-1

We believe that the bug you reported is fixed in the latest version of
xulrunner, which is due to be installed in the Debian FTP archive:

libmozillainterfaces-java_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libmozillainterfaces-java_1.8.0.9-1_all.deb
libmozjs-dev_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libmozjs-dev_1.8.0.9-1_all.deb
libmozjs0d-dbg_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libmozjs0d-dbg_1.8.0.9-1_i386.deb
libmozjs0d_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libmozjs0d_1.8.0.9-1_i386.deb
libnspr4-0d-dbg_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.9-1_i386.deb
libnspr4-0d_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libnspr4-0d_1.8.0.9-1_i386.deb
libnspr4-dev_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libnspr4-dev_1.8.0.9-1_all.deb
libnss3-0d-dbg_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libnss3-0d-dbg_1.8.0.9-1_i386.deb
libnss3-0d_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libnss3-0d_1.8.0.9-1_i386.deb
libnss3-dev_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libnss3-dev_1.8.0.9-1_all.deb
libnss3-tools_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libnss3-tools_1.8.0.9-1_i386.deb
libsmjs-dev_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libsmjs-dev_1.8.0.9-1_all.deb
libsmjs1_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libsmjs1_1.8.0.9-1_all.deb
libxul-common_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libxul-common_1.8.0.9-1_all.deb
libxul-dev_1.8.0.9-1_all.deb
  to pool/main/x/xulrunner/libxul-dev_1.8.0.9-1_all.deb
libxul0d-dbg_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libxul0d-dbg_1.8.0.9-1_i386.deb
libxul0d_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/libxul0d_1.8.0.9-1_i386.deb
python-xpcom_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/python-xpcom_1.8.0.9-1_i386.deb
spidermonkey-bin_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/spidermonkey-bin_1.8.0.9-1_i386.deb
xulrunner-gnome-support_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/xulrunner-gnome-support_1.8.0.9-1_i386.deb
xulrunner_1.8.0.9-1.diff.gz
  to pool/main/x/xulrunner/xulrunner_1.8.0.9-1.diff.gz
xulrunner_1.8.0.9-1.dsc
  to pool/main/x/xulrunner/xulrunner_1.8.0.9-1.dsc
xulrunner_1.8.0.9-1_i386.deb
  to pool/main/x/xulrunner/xulrunner_1.8.0.9-1_i386.deb
xulrunner_1.8.0.9.orig.tar.gz
  to pool/main/x/xulrunner/xulrunner_1.8.0.9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <[EMAIL PROTECTED]> (supplier of updated xulrunner package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  6 Jan 2007 17:51:16 +0100
Source: xulrunner
Binary: libmozjs0d-dbg libnspr4-0d-dbg libxul0d-dbg xulrunner libnspr4-dev 
libxul0d libnss3-tools xulrunner-gnome-support libnspr4-0d libsmjs-dev 
libnss3-0d libmozjs0d libmozjs-dev python-xpcom libnss3-0d-dbg libxul-common 
libmozillainterfaces-java spidermonkey-bin libnss3-dev libxul-dev libsmjs1
Architecture: source all i386
Version: 1.8.0.9-1
Distribution: unstable
Urgency: low
Maintainer: Mike Hommey <[EMAIL PROTECTED]>
Changed-By: Mike Hommey <[EMAIL PROTECTED]>
Description: 
 libmozillainterfaces-java - XPCOM bindings for Java
 libmozjs-dev - Development files for the Mozilla SpiderMonkey JavaScript library
 libmozjs0d - The Mozilla SpiderMonkey JavaScript library
 libmozjs0d-dbg - Development files for the Mozilla SpiderMonkey JavaScript library
 libnspr4-0d - NetScape Portable Runtime Library
 libnspr4-0d-dbg - Development files for the NetScape Portable Runtime library
 libnspr4-dev - Development files for the NetScape Portable Runtime library
 libnss3-0d - Network Security Service libraries
 libnss3-0d-dbg - Development files for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
 libsmjs-dev - Migration package for the Mozilla SpiderMonkey JavaScript library
 libsmjs1   - Migration package for the Mozilla SpiderMonkey JavaScript library
 libxul-common - Gecko engine library - common files
 libxul-dev - Development files for the Gecko engine library
 libxul0d   - Gecko engine library
 libxul0d-dbg - Development files for the Gecko engine library
 python-xpcom - XPCOM bindings for Python
 spidermonkey-bin - The SpiderMonkey Interpreter
 xulrunner  - XUL + XPCOM application runner
 xulrunner-gnome-support - Support for Gnome in xulrunner applications
Closes: 368779 388475 393422 393440 401784 402011 402846 405062 405681
Changes: 
 xulrunner (1.8.0.9-1) unstable; urgency=low
 .
   * New upstream release (taken from upstream CVS)
   * Fixes mfsa-2006-{68-73} also known as
     CVE-2006-6497, CVE-2006-6498, CVE-2006-6499, CVE-2006-6500,
     CVE-2006-6501, CVE-2006-6502, CVE-2006-6503, CVE-2006-6504.
   * Removed non-free and sourceless binaries from source package
     with the script from the gnuzilla project, with 2 additional removals of
     IETF files. Closes: #393422.
     You can find this modified script for reference in debian/remove.nonfree.
     Note this script also removes useless CVS files.
   * debian/patches/80_uname.dpatch: Fix OS_TARGET so that it is correctly set
     to Linux for things that expect this value instead of linux-gnu (such as
     the extensions manager)
   * debian/libxul0d.links: Added a link for libgtkembedmoz in
     /usr/lib/xulrunner. Closes: #393440.
   * debian/patches/15_passwdmgr.dpatch: Adapted to changes in upstream. Thanks
     to Andreas Metzler.
   * debian/patches/35_crash_focus.dpatch: Removed: applied upstream.
   * debian/patches/15_nspr_setuid.dpatch: Patches from bz#351470 and bz#365703
     to fix privilege escalation issues with setuid/setgid programs linked
     against libnspr, and some other boundary issues. Closes: #405062.
   * debian/patches/18_m68k_xpcom.dpatch: Apply changes provided by Roman
     Zippel to fix FTBFS of third party software on m68k. Closes: #402011.
     Renamed as 68_m68k_xpcom.dpatch, since it needs to be sent upstream.
   * debian/libnss3-dev.links: Add nss.pc symlink to xulrunner-nss.pc.
     Closes: #402846.
   * debian/patches/38_kbsd.dpatch, debian/patches/38_mips64_build.dpatch,
     debian/patches/80_uname.dpatch, debian/patches/18_kbsd_nspr.dpatch:
     Applied patch from Petr Salinger to build on GNU/kFreeBSD.
     Closes: #388475.
   * debian/patches/00list: Updated accordingly.
   * debian/patches/99_configure.dpatch: Updated with autoconf.
   * debian/patches/81_soname.dpatch: Updated to fit changes to Linux2.6.mk in
     38_kbsd.dpatch.
   * debian/patches/65_native_uconv.dpatch:
     - Reworked so that UTF-16 is used internally instead of UCS-2, and
       improved to better handle corner cases.
     - Allow claimed iso-8859-1 actually encoded as windows-1252 to be
       converted flawlessly. Closes: #368779, #401784, #405681
Files: 
 8d2388bd09ab360532f26e7c4ba74f50 1300 devel optional xulrunner_1.8.0.9-1.dsc
 1866e5faa2eea56c5704651c59a0cf03 40709226 devel optional xulrunner_1.8.0.9.orig.tar.gz
 659d5f9f005187397ec2d174ca168f10 138170 devel optional xulrunner_1.8.0.9-1.diff.gz
 cf7da656f680e6aa5e6570efc4e581a2 204666 libdevel optional libnspr4-dev_1.8.0.9-1_all.deb
 3132afabedd055830f8a01332944436d 171702 libdevel optional libmozjs-dev_1.8.0.9-1_all.deb
 1762d612437994c1ef19de67a59ff6e9 33360 libs optional libsmjs1_1.8.0.9-1_all.deb
 68d3d2d61b84ab77753408e59f34aac0 33394 libdevel optional libsmjs-dev_1.8.0.9-1_all.deb
 4bca81aee02f21d29dfc9c01813955b8 1045330 libs optional libxul-common_1.8.0.9-1_all.deb
 8ddb3b7c6ced5eb02bab27c67d429692 2622804 libdevel optional libxul-dev_1.8.0.9-1_all.deb
 6f0b8bf371c837199be22f3b44988f0b 218862 libdevel optional libnss3-dev_1.8.0.9-1_all.deb
 7058d1c830cfe466c89f2e31a8eb9e7a 1021302 libdevel extra libmozillainterfaces-java_1.8.0.9-1_all.deb
 bf8e79bdda997a3e978a8306386fdeeb 263290 devel optional xulrunner_1.8.0.9-1_i386.deb
 eaf75c85b40f3d156da0bc2c982c2ee4 60362 devel optional xulrunner-gnome-support_1.8.0.9-1_i386.deb
 535f0502d2c7e048d1b5ae713418f7fb 136222 libs optional libnspr4-0d_1.8.0.9-1_i386.deb
 d32095f845659361f0e4a7a155a10f4a 291364 libdevel extra libnspr4-0d-dbg_1.8.0.9-1_i386.deb
 a0016c3cac4cc7b64c7ae13c871686c1 332962 libs optional libmozjs0d_1.8.0.9-1_i386.deb
 2ef49a92d0e50819e500ab8d4814e863 706290 libdevel extra libmozjs0d-dbg_1.8.0.9-1_i386.deb
 21f887c34b7c49afab8724fb8b909c7b 48326 interpreters optional spidermonkey-bin_1.8.0.9-1_i386.deb
 48a46ed4b9c971e6065ce518f2a7b221 5345044 libs optional libxul0d_1.8.0.9-1_i386.deb
 d526cc1fbb90d46a1469f54feb485738 44267086 libdevel extra libxul0d-dbg_1.8.0.9-1_i386.deb
 7126117e684a26fb4abe2bbf9e8f834d 695194 libs optional libnss3-0d_1.8.0.9-1_i386.deb
 cb29d72083139084bc0e528eb66b6c3c 698732 admin optional libnss3-tools_1.8.0.9-1_i386.deb
 49a9ef477cb2549ea991dc536e0fee8c 2941440 libdevel extra libnss3-0d-dbg_1.8.0.9-1_i386.deb
 bd70f3faff8130ff1e1336c54097a840 115004 python extra python-xpcom_1.8.0.9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFoAe23kvaLFT9KlgRAiyUAJ9qBXHj50zpxnaDtrCYatiSC+UwNgCeNrIK
X0oLvxAm/hO2XCesW9ngmHE=
=1pYS
-----END PGP SIGNATURE-----


--- End Message ---