Update mozjs102 to 102.11.0
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| mozjs102 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
| Kinetic |
Fix Released
|
Undecided
|
Unassigned | ||
| Lunar |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
Impact
------
mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used by gjs to power GNOME Shell and some GNOME apps.
There are new Firefox 102 ESR releases monthly until the end of August.
https:/
This bug tracks updating Ubuntu 23.04 from 102.10.0 to 102.11.0,
Ubuntu 22.10 from 102.3.0 to 102.11.0,
and backporting this package to Ubuntu 22.04 LTS.
Security Impact
---------------
I looked through
https:/
and searched for referenced bug numbers in
https:/
and found two CVEs for Ubuntu 23.04
Ubuntu 22.10 wasn't updated recently, so I listed 7 more CVEs there from previous Mozilla Advisories.
Also, note that there are 4 more CVEs from 102.6.0-
Test Case
---------
https:/
Security Sponsoring
-------------------
sudo apt install git-buildpackage
mkdir ../tarballs; cd ../tarballs
pull-lp-source mozjs102 mantic
# That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while.
cd ..
gbp clone https:/
cd mozjs
git checkout ubuntu/102/lunar
gbp buildpackage --git-builder=
git checkout ubuntu/102/kinetic
gbp buildpackage --git-builder=
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder=
Initial Testing Done
-------
I built the package locally.
I installed the library package on Ubuntu 23.04 and successfully completed the Test Case.
Other Info
----------
I think it would be helpful to also push this update to Ubuntu 22.04 LTS even though we don't have any packages there using mozjs102 yet, since it is still a goal to update gjs there to use mozjs102. See LP: #1993214
It needs to go into `main` for Ubuntu 22.04 LTS but I think this will happen automatically since there is already a version in jammy-proposed in main.
| Changed in mozjs102 (Ubuntu): | |
| status: | New → Incomplete |
| description: | updated |
| Changed in mozjs102 (Ubuntu): | |
| importance: | Wishlist → Undecided |
| Changed in mozjs102 (Ubuntu Jammy): | |
| status: | New → Incomplete |
| Changed in mozjs102 (Ubuntu Kinetic): | |
| status: | New → Incomplete |
| Changed in mozjs102 (Ubuntu Lunar): | |
| status: | New → Incomplete |
| description: | updated |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in mozjs102 (Ubuntu): | |
| status: | Incomplete → Fix Released |
| description: | updated |
| description: | updated |
| Changed in mozjs102 (Ubuntu Jammy): | |
| status: | Incomplete → Confirmed |
| Changed in mozjs102 (Ubuntu Kinetic): | |
| status: | Incomplete → Confirmed |
| Changed in mozjs102 (Ubuntu Lunar): | |
| status: | Incomplete → Confirmed |
| information type: | Public → Public Security |
| description: | updated |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in mozjs102 (Ubuntu Lunar): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in mozjs102 (Ubuntu Jammy): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in mozjs102 (Ubuntu Kinetic): | |
| status: | Confirmed → Fix Released |
This bug was fixed in the package mozjs102 - 102.11.0-1
---------------
mozjs102 (102.11.0-1) unstable; urgency=high
* New upstream release (LP: #2018905)
- CVE-2023-32205: Browser prompts could have been obscured by popups
- CVE-2023-32206: Crash in RLBox Expat driver
- CVE-2023-32207: Potential permissions request bypass via clickjacking
- CVE-2023-32211: Content process crash due to invalid wasm code
- CVE-2023-32212: Potential spoof due to obscured address bar
- CVE-2023-32213: Potential memory corruption in FileReader:
- CVE-2023-32214: Potential DoS via exposed protocol handlers
- CVE-2023-32215: Memory safety bugs
-- Jeremy Bícha <email address hidden> Mon, 08 May 2023 11:59:12 -0400