Closed Bug 1280043 Opened 5 years ago Closed 5 years ago

Update bzip2 in tree to 1.0.6

Categories

(Firefox Build System :: General, defect)

defect
Not set
normal

Tracking

(firefox47 wontfix, firefox48+ fixed, firefox49+ fixed, firefox-esr38 wontfix, firefox-esr45 48+ fixed, firefox50+ fixed)

RESOLVED FIXED
mozilla50
Tracking Status
firefox47 --- wontfix
firefox48 + fixed
firefox49 + fixed
firefox-esr38 --- wontfix
firefox-esr45 48+ fixed
firefox50 + fixed

People

(Reporter: dveditz, Assigned: gps)

References

Details

(Keywords: csectype-intoverflow, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main48-][adv-esr45.3-] Firefox safe in practice, other gecko apps aren't.)

Attachments

(1 file)

Our in-tree bzip2 library is at the ancient 1.0.4 -- we need to update to the most recent version (from 6 years ago) 1.0.6 which fixes an integer overflow CVE-2010-0405 and a couple of older DOS bugs.
gps: do you know who owns updating this library? Last time we updated it, it was handled as a "build config" bug.
Flags: needinfo?(gps)
Anybody can likely update bzip2 - hopefully it is just a drop-in replacement given the minor version bump.

What's the priority of this? Can it ride the trains or do you want this shipping ASAP?
Flags: needinfo?(gps) → needinfo?(dveditz)
Note that libbz2 is only used by the updater, and only after the mar signature has been validated. From a (really) quick glance at the code, it seems like the bz2 stream is what is signed, so it should be impossible to tamper with it to trigger any libbz2 bugs.

Robert, could you confirm the above?
Flags: needinfo?(robert.strong.bugs)
That is correct as long as the mar file is signed and the updater is built with MOZ_VERIFY_MAR_SIGNATURE. Firefox Linux, Mac, and Windows all satisfy these conditions. Not 100% positive about other products but it appears that Thunderbird has it enabled only for Windows and SeaMonkey doesn't have it enabled for any platforms.
Flags: needinfo?(robert.strong.bugs)
Also looks like Windows Thunderbird 64-bit does not have MOZ_VERIFY_MAR_SIGNATURE.
[Tracking Requested - why for this release]:

It looks like Firefox is OK in practice, which is why this is rated "moderate" rather than higher, but we need this on the ESR-45 branch for Thunderbird. It'd be nice to not ride all the trains since this ought to be simple to drop in and we're still a full old-cycle-size from the next merge date.
Flags: needinfo?(dveditz)
Whiteboard: Firefox safe in practice, other gecko apps aren't.
I'll get this landed.
Assignee: nobody → gps
Status: NEW → ASSIGNED
http://www.bzip.org/1.0.6/bzip2-1.0.6.tar.gz was uncompressed to
modules/libbz2/src unmodified. Only modified files were committed.
Other files from the archive not previously under version control
were not added.

It's worth noting that bzip.org is not available over https://
and they only publish a MD5 of the source archive. So there is
no good way to verify the sources from the vendor. Out of paranoia,
I obtained the source archive from Debian
(https://packages.debian.org/jessie/bzip2) and verified they matched
the vendor-obtained sources.
Attachment #8765077 - Flags: review?(mh+mozilla)
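The two checks the vendoring comment above describes, as an added example that is not code from the bug or from the Mozilla tree: a vendor archive published with only an MD5 over plain HTTP is cross-checked byte-for-byte against an independently obtained copy, and the archive is then classified against the in-tree copy so that only already-vendored files that changed are updated. The in-tree file set, the tarball contents, and the "published" MD5 are constructed for the example.

```python
import hashlib
import io
import tarfile

def cross_check_archive(vendor_bytes: bytes, independent_bytes: bytes,
                        published_md5: str) -> dict:
    """The vendor's MD5 only detects a corrupted download; byte-for-byte
    agreement with a copy from an unrelated source (Debian in the bug) is
    what gives confidence the HTTP-served tarball was not swapped."""
    return {
        "md5_matches_vendor_page":
            hashlib.md5(vendor_bytes).hexdigest() == published_md5.lower(),
        "matches_independent_copy":
            hashlib.sha256(vendor_bytes).digest()
            == hashlib.sha256(independent_bytes).digest(),
    }

def archive_files(archive_bytes: bytes) -> dict:
    """Map each regular file in a tar (top-level dir stripped) to its bytes."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name.split("/", 1)[-1]] = tar.extractfile(member).read()
    return files

def classify_vendor_update(in_tree: dict, archive_bytes: bytes) -> dict:
    """in_tree maps path -> bytes of the vendored copy. 'update': files in
    both that changed; 'skip_new': archive files never under version control
    (left out, as the commit message says); 'dropped_upstream': for review."""
    archive = archive_files(archive_bytes)
    return {
        "update": sorted(p for p in in_tree if p in archive and in_tree[p] != archive[p]),
        "skip_new": sorted(p for p in archive if p not in in_tree),
        "dropped_upstream": sorted(p for p in in_tree if p not in archive),
    }

def build_tar(files: dict, topdir: str) -> bytes:
    """Constructed sample archive (uncompressed tar so the bytes are stable)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: an in-tree copy, a "new release" tarball, and the MD5
# the vendor page would publish for it (hypothetical file names and contents).
SAMPLE_TREE = {"bzlib.c": b"old bzlib\n", "bzlib.h": b"header\n"}
SAMPLE_TAR = build_tar({"bzlib.c": b"new bzlib\n", "bzlib.h": b"header\n",
                        "manual.html": b"<html/>"}, "bzip2-x.y.z")
SAMPLE_MD5 = hashlib.md5(SAMPLE_TAR).hexdigest()
```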
Attachment #8765077 - Flags: review?(mh+mozilla) → review+
https://hg.mozilla.org/mozilla-central/rev/0546e2201cab
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Hello GPS, is this something that needs to be included in ESR45.3? This came up on my list of bugs affecting ESR45. Please let me know. Thanks!
Flags: needinfo?(gps)
(In reply to Ritu Kothari (:ritu) from comment #11)
> Hello GPS, is this something that needs to be included in ESR45.3? This came
> up on my list of bugs affecting ESR45. Please let me know. Thanks!

That was the wish of dveditz. I'll get the uplift request started.
Flags: needinfo?(gps)
Comment on attachment 8765077 [details] [diff] [review]
Upgrade bzip2 to 1.0.6

Approval Request Comment
[Feature/regressing bug #]: None
[User impact if declined]: Increased exposure to potential security threat
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: Should be low
[String/UUID change made/needed]: None

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
Fix Landed on Version: 50

This patch is a rubber stamp upgrade of bzip2 to the latest released version, which doesn't have disclosed security vulnerabilities. bzip2 is a pretty popular package and this released version is from 2010. Presumably there weren't any critical bugs worth fixing since or they would have released a new version. The new version we're updating to has no API changes, so it should be a drop-in replacement in Gecko. This should be a safe update.
Attachment #8765077 - Flags: approval-mozilla-release?
Attachment #8765077 - Flags: approval-mozilla-esr45?
Attachment #8765077 - Flags: approval-mozilla-beta?
Attachment #8765077 - Flags: approval-mozilla-aurora?
Comment on attachment 8765077 [details] [diff] [review]
Upgrade bzip2 to 1.0.6

Didn't mean to flag release.
Attachment #8765077 - Flags: approval-mozilla-release?
Comment on attachment 8765077 [details] [diff] [review]
Upgrade bzip2 to 1.0.6

This seems like a fairly safe and low impact change, Beta48+, Aurora49+, ESR45+
Attachment #8765077 - Flags: approval-mozilla-b2g37_v2_2r+
Attachment #8765077 - Flags: approval-mozilla-esr45?
Attachment #8765077 - Flags: approval-mozilla-esr45+
Attachment #8765077 - Flags: approval-mozilla-beta?
Attachment #8765077 - Flags: approval-mozilla-beta+
Attachment #8765077 - Flags: approval-mozilla-aurora?
Attachment #8765077 - Flags: approval-mozilla-aurora+
Whiteboard: Firefox safe in practice, other gecko apps aren't. → [post-critsmash-triage]Firefox safe in practice, other gecko apps aren't.
Whiteboard: [post-critsmash-triage]Firefox safe in practice, other gecko apps aren't. → [post-critsmash-triage][adv-main48-][adv-esr45.3-] Firefox safe in practice, other gecko apps aren't.
Minusing for advisories after discussions with Dveditz.
Is this a dup of bug 480372?
(In reply to Tyson Smith [:tsmith] from comment #20)
> Is this a dup of bug 480372?

Yes. I won't mark as a dupe because I don't know what our policy of duping against security bugs is.
Group: core-security-release
Duplicate of this bug: 480372
Product: Core → Firefox Build System