Update mozjs102 to 102.15.1
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mozjs102 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Lunar |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Impact
------
mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used by gjs to power GNOME Shell and some GNOME apps.
102.15.1 is the final Firefox 102 ESR release as the 102 ESR series reaches End of Life next week.
https:/
Security Impact
---------------
I looked through
https:/
and searched for referenced bug numbers in
https:/
and found only one CVE
CVE-2023-4046: Incorrect value used during WASM compilation
In fact, this was the only commit since 102.13.0 which is already in stable Ubuntu.
Test Case
---------
https:/
Additionally, mozjs102 has build tests. mozjs102 does not have autopkgtests of its own but it triggers the gjs autopkgtests.
Security Sponsoring
-------------------
sudo apt install git-buildpackage
mkdir tarballs; cd ../tarballs
pull-lp-source mozjs102 mantic
# That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while.
cd ..
gbp clone https:/
cd mozjs
git checkout ubuntu/102/lunar
gbp buildpackage --git-builder=
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder=
Initial Testing Done
-------
I built the package locally.
I installed the library package on Ubuntu 23.04 and successfully completed the Test Case.
Other Info
----------
It is believed that the only thing using mozjs102 in Ubuntu 22.04 LTS is actually cjs in Linux Mint 21.2 It was proposed to switch Ubuntu's gjs to use it there also but that is currently on hold (benefit/risk analysis). See LP: #1993214
Ubuntu 23.10 is likely to switch to mozjs115 for gjs (and keep mozjs102 for cjs).
CVE References
Changed in mozjs102 (Ubuntu Jammy): | |
status: | New → Confirmed |
Changed in mozjs102 (Ubuntu Lunar): | |
status: | New → Confirmed |
information type: | Public → Public Security |
This bug was fixed in the package mozjs102 - 102.15. 1-0ubuntu0. 23.04.1
--------------- 1-0ubuntu0. 23.04.1) lunar-security; urgency=medium
mozjs102 (102.15.
* New upstream release (LP: #2036634)
- CVE-2023-4046: Incorrect value used during WASM compilation
-- Jeremy Bícha <email address hidden> Tue, 19 Sep 2023 15:50:00 -0400