[jammy] Update gjs to 1.74 using mozjs102
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gjs (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Incomplete
|
Undecided
|
Unassigned |
Bug Description
Impact
------
GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs). Firefox 92 ESR has reached end of life; therefore, we should switch to the 102 ESR series for security updates for the next year.
This requires updating gjs from 1.72 to 1.74 from GNOME 43, as packaged in Ubuntu 22.10.
This will be done as a Security Update.
Updating mozjs in stable Ubuntu releases was recommended when Ubuntu first switched back to GNOME, but this is the first time it's been done.
Security Impact
---------------
I looked through
https:/
and searched for referenced bug numbers in
https:/
for Firefox ESR releases since Ubuntu's 91.10
and found one CVE. Also, there's the vague Mozilla Bug 1771084 (no CVE issued) mentioned at
https:/
Uploaded Packages
-----------------
We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being careful to publish it in main, not universe.
And we'll update gjs.
No other packages need to be updated for this change.
mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are generally not possible), but nothing else in Ubuntu uses it.
Test Case
---------
https:/
Security Sponsoring
-------------------
sudo apt install git-buildpackage
gbp clone https:/
cd gjs
git checkout ubuntu/jammy
gbp buildpackage --git-builder=
Initial Testing Done
-------
I built the packages in my PPA.
I installed the packages on Ubuntu 22.04 LTS and successfully completed the Test Case.
CVE References
summary: |
- Update gjs to 1.74 using mozjs102 102.3 + [jammy] Update gjs to 1.74 using mozjs102 102.3 |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in mozjs102 (Ubuntu): | |
status: | New → Confirmed |
Changed in gjs (Ubuntu): | |
status: | New → Confirmed |
description: | updated |
Changed in mozjs102 (Ubuntu): | |
status: | Confirmed → Fix Released |
Changed in gjs (Ubuntu): | |
status: | Confirmed → Fix Released |
no longer affects: | mozjs102 (Ubuntu) |
no longer affects: | mozjs102 (Ubuntu Jammy) |
no longer affects: | mozjs102 (Ubuntu Kinetic) |
summary: |
- [jammy] Update gjs to 1.74 using mozjs102 102.3 + [jammy] Update gjs to 1.74 using mozjs102 |
description: | updated |
Looks like a few more CVEs have been published between 102.3 in karmic and 102.5 in lunar:
102.4 CVE-2022-42928 bug 1791520
102.5 CVE-2022-45406 bug 1791975
102.5 CVE-2022-45409 bug 1796901
Perhaps we should move to 102.5?
I have to admit, bumping to a new major release of mozjs sounds risky. What are the plans to test all the arbitrary gnome-shell plugins that could be installed in user environments? How well does gnome-shell handle a plugin that could crash on startup if there is an incompatibility with a newer mozjs version?