** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-37202

** Description changed:

  Impact
  ------
  mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used 
by gjs to power GNOME Shell and some GNOME apps.
  
  There are new Firefox 102 ESR releases monthly until the end of August.
  https://whattrainisitnow.com/calendar/
  
  Security Impact
  ---------------
  I looked through
  https://github.com/mozilla/gecko-dev/commits/esr102/js
  and searched for referenced bug numbers in
  https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/
  and found two CVEs
  CVE-2023-37202: Potential use-after-free from compartment mismatch in 
SpiderMonkey
- CVE-2023-37211
+ CVE-2023-37211: Memory safety bugs
  
  Test Case
  ---------
  https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
  
  Additionally, mozjs102 has build tests. mozjs102 does not have
  autopkgtests of its own but it triggers the gjs autopkgtests.
  
  Security Sponsoring
  -------------------
  sudo apt install git-buildpackage
  
  mkdir tarballs; cd ../tarballs
  pull-lp-source mozjs102 mantic
  # That avoids needing to recreate the original tarball from pristine-tar 
which takes a while. Also, running lintian takes a while.
  cd ..
  gbp clone https://salsa.debian.org/gnome-team/mozjs
  cd mozjs
  git checkout ubuntu/102/lunar
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" 
--git-tarball-dir=../tarballs
  
  git checkout ubuntu/102/kinetic
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" 
--git-tarball-dir=../tarballs
  
  git checkout ubuntu/102/jammy
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" 
--git-tarball-dir=../tarballs
  
  Initial Testing Done
  --------------------
  I built the package locally.
  I installed the library package on Ubuntu 23.04 and successfully completed 
the Test Case.
  
  Other Info
  ----------
  It is believed that the only thing using mozjs102 in Ubuntu 22.04 LTS is 
actually cjs in Linux Mint 21.2 (in Beta testing). It has been proposed to 
switch Ubuntu's gjs to use it there also but that is currently on hold 
(benefit/risk analysis). See LP: #1993214

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-37211

** Also affects: mozjs102 (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: mozjs102 (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Also affects: mozjs102 (Ubuntu Lunar)
   Importance: Undecided
       Status: New

** Changed in: mozjs102 (Ubuntu Jammy)
       Status: New => Confirmed

** Changed in: mozjs102 (Ubuntu Kinetic)
       Status: New => Confirmed

** Changed in: mozjs102 (Ubuntu Lunar)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to mozjs102 in Ubuntu.
https://bugs.launchpad.net/bugs/2026197

Title:
  Update mozjs102 to 102.13.0

Status in mozjs102 package in Ubuntu:
  Fix Committed
Status in mozjs102 source package in Jammy:
  Confirmed
Status in mozjs102 source package in Kinetic:
  Confirmed
Status in mozjs102 source package in Lunar:
  Confirmed

Bug description:
  Impact
  ------
  mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used
  by gjs to power GNOME Shell and some GNOME apps.

  There are new Firefox 102 ESR releases monthly until the end of August.
  https://whattrainisitnow.com/calendar/

  Security Impact
  ---------------
  I looked through
  https://github.com/mozilla/gecko-dev/commits/esr102/js
  and searched for referenced bug numbers in
  https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/
  and found two CVEs
  CVE-2023-37202: Potential use-after-free from compartment mismatch in
  SpiderMonkey
  CVE-2023-37211: Memory safety bugs

  Test Case
  ---------
  https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

  Additionally, mozjs102 has build tests. mozjs102 does not have
  autopkgtests of its own but it triggers the gjs autopkgtests.

  Security Sponsoring
  -------------------
  sudo apt install git-buildpackage

  mkdir tarballs; cd tarballs
  pull-lp-source mozjs102 mantic
  # That avoids needing to recreate the original tarball from pristine-tar
  # which takes a while. Also, running lintian takes a while.
  cd ..
  gbp clone https://salsa.debian.org/gnome-team/mozjs
  cd mozjs
  git checkout ubuntu/102/lunar
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs

  git checkout ubuntu/102/kinetic
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs

  git checkout ubuntu/102/jammy
  gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs

  Initial Testing Done
  --------------------
  I built the package locally.
  I installed the library package on Ubuntu 23.04 and successfully completed
  the Test Case.

  Other Info
  ----------
  It is believed that the only thing using mozjs102 in Ubuntu 22.04 LTS is
  actually cjs in Linux Mint 21.2 (in Beta testing). It has been proposed to
  switch Ubuntu's gjs to use it there also but that is currently on hold
  (benefit/risk analysis). See LP: #1993214
