[jammy] Update gjs to 1.74 using mozjs102

Bug #1993214 reported by Jeremy Bícha
This bug affects 2 people
Affects        Status         Importance   Assigned to   Milestone
gjs (Ubuntu)   Fix Released   Undecided    Unassigned
Jammy          Incomplete     Undecided    Unassigned

Bug Description

Impact
------
GNOME Shell uses the SpiderMonkey JavaScript engine from Firefox ESR (mozjs). Firefox 92 ESR has reached end of life; therefore, we should switch to the 102 ESR series for security updates for the next year.

This requires updating gjs from 1.72 to 1.74 from GNOME 43, as packaged in Ubuntu 22.10.

This will be done as a Security Update.

Updating mozjs in stable Ubuntu releases was recommended when Ubuntu first switched back to GNOME, but this is the first time it's been done.

Security Impact
---------------
I looked through
https://github.com/mozilla/gecko-dev/commits/esr102/js
and searched for referenced bug numbers in
https://www.mozilla.org/en-US/security/advisories/
for Firefox ESR releases since Ubuntu's 91.10 and found one CVE.

Also, there's the vague Mozilla Bug 1771084 (no CVE issued) mentioned at

https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/

Uploaded Packages
-----------------
We will introduce mozjs102, a new source package for Ubuntu 22.04 LTS, being careful to publish it in main, not universe.
And we'll update gjs.
No other packages need to be updated for this change.
mozjs91 will remain in Ubuntu 22.04 LTS (source package removals are generally not possible), but nothing else in Ubuntu uses it.

Test Case
---------
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

Security Sponsoring
-------------------
sudo apt install git-buildpackage
gbp clone https://salsa.debian.org/gnome-team/gjs
cd gjs
git checkout ubuntu/jammy
gbp buildpackage --git-builder="debuild -S -nc"

Initial Testing Done
--------------------
I built the packages in my PPA.
I installed the packages on Ubuntu 22.04 LTS and successfully completed the Test Case.

Jeremy Bícha (jbicha)
summary: - Update gjs to 1.74 using mozjs102 102.3
+ [jammy] Update gjs to 1.74 using mozjs102 102.3
description: updated
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Changed in mozjs102 (Ubuntu):
status: New → Confirmed
Changed in gjs (Ubuntu):
status: New → Confirmed
Jeremy Bícha (jbicha)
description: updated
Marc Deslauriers (mdeslaur) wrote : Re: [jammy] Update gjs to 1.74 using mozjs102 102.3

Looks like a few more CVEs have been published between 102.3 in karmic and 102.5 in lunar:

102.4 CVE-2022-42928 bug 1791520
102.5 CVE-2022-45406 bug 1791975
102.5 CVE-2022-45409 bug 1796901

Perhaps we should move to 102.5?

I have to admit, bumping to a new major release of mozjs sounds risky. What are the plans to test all the arbitrary gnome-shell plugins that could be installed in user environments? How well does gnome-shell handle a plugin that could crash on startup if there is an incompatibility with a newer mozjs version?

Jeremy Bícha (jbicha) wrote :

Marc, 102.6 was officially released today, so I've gone ahead and updated my jammy mozjs branch for it. I added the CVEs you mentioned and found one more from 102.4. I don't see any new ones for 102.6.

I've also created a ubuntu/102/kinetic branch for mozjs102 for kinetic. Since it doesn't have the gjs major update issue, I believe it could be pushed sooner than jammy.

For Jammy, I think the general plan is for this update to be built in security-proposed and then published/copied to jammy-proposed for wider testing before being pushed to jammy-security.

My understanding is that the Ubuntu Desktop and Ubuntu SRU teams have come to an agreement that we will test all the gnome-shell extensions that are available in the official Ubuntu repositories (for 22.04 LTS and later). Extensions installed outside of the official Ubuntu repositories are unsupported, just like anything that is user-installed outside of Ubuntu. However, we aren't aware of any likely breakage for any GNOME Shell extensions caused by this proposed update.

There is no formal API for GNOME Shell extensions, which allows extensions to have tremendous power, but it's easily possible for an extension to break GNOME Shell so that it's not possible for GNOME Shell to run correctly or even start.

Marc Deslauriers (mdeslaur) wrote :

mozjs102 and gjs packages have been uploaded for jammy, and mozjs102 for kinetic, into the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once they are finished building, they can be pocket-copied by an archive admin into the -proposed pocket for more testing.

Thanks!

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Jeremy, or anyone else affected,

Accepted mozjs102 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mozjs102/102.6.0-0ubuntu0.22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in mozjs102 (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-jammy
Steve Langasek (vorlon) wrote :

Hello Jeremy, or anyone else affected,

Accepted gjs into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/gjs/1.74.0-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in gjs (Ubuntu Jammy):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Jeremy, or anyone else affected,

Accepted mozjs102 into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/mozjs102/102.6.0-0ubuntu0.22.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in mozjs102 (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed-kinetic
Jeremy Bícha (jbicha)
Changed in mozjs102 (Ubuntu):
status: Confirmed → Fix Released
Changed in gjs (Ubuntu):
status: Confirmed → Fix Released
Jeremy Bícha (jbicha) wrote : Re: [jammy] Update gjs to 1.74 using mozjs102 102.3

I installed gjs 1.74.0-0ubuntu1 (which pulled in libmozjs-102-0) on Ubuntu 22.04 LTS and successfully completed Test Case 1 and Test Case 2 from https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

I installed libmozjs-102-0 102.6.0-0ubuntu0.22.10.1 on Ubuntu 22.10 and successfully completed Test Case 1 and Test Case 2 from https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs

tags: added: verification-done verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-jammy verification-needed-kinetic
Daniel van Vugt (vanvugt) wrote :

I think bug 1994010 should be fixed before this proceeds. It's the top gnome-shell crash on kinetic by a long way and looks likely to spread to jammy if gjs and mozjs get upgraded. And of course, jammy is where the most users are.

https://errors.ubuntu.com/?release=Ubuntu%2022.10&package=gnome-shell&period=week

I mentioned this on Mattermost a week ago but it seems nobody saw the message.

tags: added: verification-needed verification-needed-jammy
removed: verification-done verification-done-jammy
Łukasz Zemczak (sil2100) wrote :

Apparently since we switched to mozjs102, the jammy image builds FTBFS because mozjs102 is in universe. I see it's in main for all the other series so after a few checks I'll promote it to main in jammy.

Marc Deslauriers (mdeslaur) wrote :

The image builds are pulling in -proposed?

Łukasz Zemczak (sil2100) wrote :

@mdeslaur yes, basically all stable-series daily builds always build with -proposed enabled. The reason for that is that we want people to be able to test proposed updates in images in case it's needed for validation. We always enable -proposed for those as one of the steps *after* we release an LTS version. Devel series dailies however always build with -proposed *disabled*.

Anyway, please give me a sign when this update is good to go. Can I safely release kinetic at least? Should this go to -security?

Marc Deslauriers (mdeslaur) wrote :

We are not going to release these yet, we are blocked on comment #8.

Andreas Hasenack (ahasenack) wrote :

Given comment #12, I'm adding a block-proposed tag to this bug. Is this something we could use to improve the test plan of this package by any chance? Since it seems to have introduced crashes on kinetic.

tags: added: block-proposed-jammy
tags: added: block-proposed-kinetic
Jeremy Bícha (jbicha) wrote :

I am dropping block-proposed-kinetic because Kinetic already has the increased crash rate.

tags: removed: block-proposed-kinetic
Steve Langasek (vorlon) wrote : Proposed package removed from archive

The version of gjs in the proposed pocket of Jammy that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

tags: removed: verification-needed-jammy
Changed in gjs (Ubuntu Jammy):
status: Fix Committed → Confirmed
tags: removed: verification-needed
Steve Langasek (vorlon) wrote : Re: [jammy] Update gjs to 1.74 using mozjs102 102.3

This appears to be covered by the GNOME SRU exception. However, the bug description does not reference this exception, and also does not follow the template at <https://wiki.ubuntu.com/StableReleaseUpdates#SRU_Bug_Template>. Please update accordingly.

Changed in gjs (Ubuntu Jammy):
status: Confirmed → Incomplete
Daniel van Vugt (vanvugt) wrote :

Per comment #8, I think this should still be blocked on bug 1994010 or else we risk jammy getting flooded with that crash like kinetic still is: https://errors.ubuntu.com/?release=Ubuntu%2022.10&package=gnome-shell&period=week

Jeremy Bícha (jbicha)
no longer affects: mozjs102 (Ubuntu)
no longer affects: mozjs102 (Ubuntu Jammy)
no longer affects: mozjs102 (Ubuntu Kinetic)
summary: - [jammy] Update gjs to 1.74 using mozjs102 102.3
+ [jammy] Update gjs to 1.74 using mozjs102
description: updated
Marco Trevisan (Treviño) (3v1n0) wrote :

Removing `block-proposed-jammy` given that there's no 1.74 in jammy proposed and otherwise we'd block the landing of 1.72.4-0ubuntu0.22.04.1

tags: removed: block-proposed-jammy
This report contains Public Security information  
Everyone can see this security related information.
