Closed
Bug 1280043
Opened 7 years ago
Closed 7 years ago
Update bzip2 in tree to 1.0.6
Categories: Firefox Build System :: General, defect
Tracking
(firefox47 wontfix, firefox48+ fixed, firefox49+ fixed, firefox-esr38 wontfix, firefox-esr4548+ fixed, firefox50+ fixed)
People
(Reporter: dveditz, Assigned: gps)
Details
(Keywords: csectype-intoverflow, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main48-][adv-esr45.3-] Firefox safe in practice, other gecko apps aren't.)
Attachments (1 file)
Upgrade bzip2 to 1.0.6 (patch, 18.16 KB): glandium: review+; ritu: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr45+
Our in-tree bzip2 library is at the ancient 1.0.4 -- we need to update to the most recent version (from 6 years ago) 1.0.6, which fixes an integer overflow, CVE-2010-0405, and a couple of older DoS bugs.
Comment 1•7 years ago (Reporter)
gps: do you know who owns updating this library? Last time we updated it, it was handled as a "build config" bug.
Flags: needinfo?(gps)
Comment 2•7 years ago (Assignee)
Anybody can likely update bzip2 - hopefully it is just a drop-in replacement given the minor version bump. What's the priority of this? Can it ride the trains or do you want this shipping ASAP?
Flags: needinfo?(gps) → needinfo?(dveditz)
Comment 3•7 years ago
Note that libbz2 is only used by the updater, and only after the mar signature has been validated. From a (really) quick glance at the code, it seems like the bz2 stream is what is signed, so it should be impossible to tamper with it to trigger any libbz2 bugs. Robert, could you confirm the above?
Flags: needinfo?(robert.strong.bugs)
Comment 4•7 years ago
That is correct as long as the mar file is signed and the updater is built with MOZ_VERIFY_MAR_SIGNATURE. Firefox Linux, Mac, and Windows all satisfy these conditions. Not 100% positive about other products but it appears that Thunderbird has it enabled only for Windows and SeaMonkey doesn't have it enabled for any platforms.
Flags: needinfo?(robert.strong.bugs)
Comment 5•7 years ago
Also looks like Windows Thunderbird 64-bit does not have MOZ_VERIFY_MAR_SIGNATURE.
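Comments 3 to 5 rest on ordering: the MAR signature covers the compressed stream itself, so a tampered stream is rejected before libbz2 parses a byte, but only where the updater is built with MOZ_VERIFY_MAR_SIGNATURE. The following added example (not code from this bug or from the Mozilla updater) models both paths in Python; the HMAC key, the build_update/apply_update names and the verify_signature switch are assumptions standing in for the real RSA-signed MAR format.

```python
import bz2
import hashlib
import hmac

# Constructed stand-in for the update signing key. The real MAR format carries
# RSA signatures over the archive; HMAC-SHA256 is used here only to keep the
# example self-contained and offline.
SIGNING_KEY = b"constructed-demo-key"


def sign_stream(compressed: bytes) -> bytes:
    """Sign the compressed bytes themselves, as comment 3 says the MAR signature does."""
    return hmac.new(SIGNING_KEY, compressed, hashlib.sha256).digest()


def build_update(payload: bytes) -> tuple:
    """Producer side: compress first, then sign the compressed stream."""
    compressed = bz2.compress(payload)
    return compressed, sign_stream(compressed)


def apply_update(compressed: bytes, signature: bytes, verify_signature: bool) -> tuple:
    """Consumer side. Returns (libbz2_reached, payload_or_None).

    verify_signature models the MOZ_VERIFY_MAR_SIGNATURE build option from
    comment 4: with it off, untrusted bytes are handed straight to libbz2.
    """
    if verify_signature and not hmac.compare_digest(sign_stream(compressed), signature):
        return False, None  # rejected before the decompressor parses anything
    try:
        return True, bz2.decompress(compressed)
    except (OSError, EOFError, ValueError):
        return True, None  # libbz2 already parsed attacker-controlled input


def corrupt_stream(compressed: bytes) -> bytes:
    """Constructed corruption for the demonstration: flip one byte mid-stream."""
    buf = bytearray(compressed)
    buf[len(buf) // 2] ^= 0xFF
    return bytes(buf)
```

With verification on, the corrupted stream never reaches bz2.decompress; with it off, libbz2 is the first thing to see the bytes, which is the exposure the other Gecko apps carry.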
Comment 6•7 years ago (Reporter)
[Tracking Requested - why for this release]: It looks like Firefox is OK in practice, which is why this is rated "moderate" rather than higher, but we need this on the ESR-45 branch for Thunderbird. It'd be nice to not ride all the trains, since this ought to be simple to drop in and we're still a full old-cycle-size from the next merge date.
status-firefox47: --- → wontfix
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr38: --- → wontfix
status-firefox-esr45: --- → affected
tracking-firefox48: --- → ?
tracking-firefox49: --- → +
tracking-firefox50: --- → +
tracking-firefox-esr45: --- → ?
Flags: needinfo?(dveditz)
Whiteboard: Firefox safe in practice, other gecko apps aren't.
Comment 8•7 years ago (Assignee)
http://www.bzip.org/1.0.6/bzip2-1.0.6.tar.gz was uncompressed to modules/libbz2/src unmodified. Only modified files were committed. Other files from the archive not previously under version control were not added. It's worth noting that bzip.org is not available over https:// and they only publish an MD5 of the source archive. So there is no good way to verify the sources from the vendor. Out of paranoia, I obtained the source archive from Debian (https://packages.debian.org/jessie/bzip2) and verified they matched the vendor-obtained sources.
Attachment #8765077 - Flags: review?(mh+mozilla)
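Comment 8 cross-checks the vendor tarball (plain http, MD5 only) against Debian's copy. As an added example that is not the bug's or Mozilla's own tooling, the following Python compares two source archives member by member, which keeps working when a distribution repacks the archive under a different top-level directory so that whole-file hashes would differ; the archives are constructed in memory and the function names are assumptions.

```python
import hashlib
import io
import tarfile


def member_digests(archive: bytes) -> dict:
    """Map each regular file (top-level directory stripped) to its SHA-256.

    Stripping the first path component lets bzip2-1.0.6/ from the vendor be
    compared with a distro repack that uses a different top directory name.
    """
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            path = member.name.split("/", 1)[1] if "/" in member.name else member.name
            data = tar.extractfile(member).read()
            digests[path] = hashlib.sha256(data).hexdigest()
    return digests


def compare_archives(vendor: bytes, reference: bytes) -> dict:
    """Report files present in only one archive or with differing content."""
    a, b = member_digests(vendor), member_digests(reference)
    return {
        "only_in_vendor": sorted(set(a) - set(b)),
        "only_in_reference": sorted(set(b) - set(a)),
        "content_differs": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def make_archive(topdir: str, files: dict) -> bytes:
    """Build a constructed .tar.gz in memory for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{topdir}/{name}")
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
```

An empty report from compare_archives is the condition comment 8 describes as "matched"; any non-empty list is something to read before the sources go in tree.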
Updated•7 years ago
Attachment #8765077 - Flags: review?(mh+mozilla) → review+
Comment 9•7 years ago (Assignee)
https://hg.mozilla.org/integration/fx-team/rev/0546e2201cab
Comment 10•7 years ago
https://hg.mozilla.org/mozilla-central/rev/0546e2201cab
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Comment 11•7 years ago
Hello GPS, is this something that needs to be included in ESR45.3? This came up on my list of bugs affecting ESR45. Please let me know. Thanks!
Flags: needinfo?(gps)
Comment 12•7 years ago (Assignee)
(In reply to Ritu Kothari (:ritu) from comment #11)
> Hello GPS, is this something that needs to be included in ESR45.3? This came
> up on my list of bugs affecting ESR45. Please let me know. Thanks!

That was the wish of dveditz. I'll get the uplift request started.
Flags: needinfo?(gps)
Comment 13•7 years ago (Assignee)
Comment on attachment 8765077 [details] [diff] [review]
Upgrade bzip2 to 1.0.6

Approval Request Comment
[Feature/regressing bug #]: None
[User impact if declined]: Increased exposure to potential security threat
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: Should be low
[String/UUID change made/needed]: None

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Fix Landed on Version: 50
This patch is a rubber stamp upgrade of bzip2 to the latest released version, which doesn't have disclosed security vulnerabilities. bzip2 is a pretty popular package and this released version is from 2010. Presumably there weren't any critical bugs worth fixing since or they would have released a new version. The new version we're updating to has no API changes, so it should be a drop-in replacement in Gecko. This should be a safe update.
Attachment #8765077 - Flags: approval-mozilla-release?
Attachment #8765077 - Flags: approval-mozilla-esr45?
Attachment #8765077 - Flags: approval-mozilla-beta?
Attachment #8765077 - Flags: approval-mozilla-aurora?
Comment 14•7 years ago (Assignee)
Comment on attachment 8765077 [details] [diff] [review]
Upgrade bzip2 to 1.0.6

Didn't mean to flag release.
Attachment #8765077 - Flags: approval-mozilla-release?
Comment on attachment 8765077 [details] [diff] [review]
Upgrade bzip2 to 1.0.6

This seems like a fairly safe and low impact change, Beta48+, Aurora49+, ESR45+
Attachment #8765077 - Flags: approval-mozilla-b2g37_v2_2r+
Attachment #8765077 - Flags: approval-mozilla-esr45?
Attachment #8765077 - Flags: approval-mozilla-esr45+
Attachment #8765077 - Flags: approval-mozilla-beta?
Attachment #8765077 - Flags: approval-mozilla-beta+
Attachment #8765077 - Flags: approval-mozilla-aurora?
Attachment #8765077 - Flags: approval-mozilla-aurora+
Attachment #8765077 - Flags: approval-mozilla-b2g37_v2_2r+
Updated•7 years ago
Whiteboard: Firefox safe in practice, other gecko apps aren't. → [post-critsmash-triage]Firefox safe in practice, other gecko apps aren't.
Updated•7 years ago
Whiteboard: [post-critsmash-triage]Firefox safe in practice, other gecko apps aren't. → [post-critsmash-triage][adv-main48-][adv-esr45.3-] Firefox safe in practice, other gecko apps aren't.
Comment 19•7 years ago
Minusing for advisories after discussions with Dveditz.
Comment 20•7 years ago
Is this a dup of bug 480372?
Comment 21•7 years ago (Assignee)
(In reply to Tyson Smith [:tsmith] from comment #20)
> Is this a dup of bug 480372?

Yes. I won't mark as a dupe because I don't know what our policy of duping against security bugs is.
Updated•7 years ago (Reporter)
Group: core-security-release
Updated•6 years ago
Product: Core → Firefox Build System