| 2023-07-05 17:35:05 |
Jeremy Bícha |
bug |
|
|
added bug |
| 2023-07-06 11:19:33 |
Jeremy Bícha |
cve linked |
|
2023-37202 |
|
| 2023-07-06 11:19:55 |
Jeremy Bícha |
description |
Impact
------
mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used by gjs to power GNOME Shell and some GNOME apps.
There are new Firefox 102 ESR releases monthly until the end of August.
https://whattrainisitnow.com/calendar/
Security Impact
---------------
I looked through
https://github.com/mozilla/gecko-dev/commits/esr102/js
and searched for referenced bug numbers in
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/
and found two CVEs
CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-37211
Test Case
---------
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
Additionally, mozjs102 has build tests. mozjs102 does not have autopkgtests of its own but it triggers the gjs autopkgtests.
Security Sponsoring
-------------------
sudo apt install git-buildpackage
mkdir tarballs; cd ../tarballs
pull-lp-source mozjs102 mantic
# That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while.
cd ..
gbp clone https://salsa.debian.org/gnome-team/mozjs
cd mozjs
git checkout ubuntu/102/lunar
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
git checkout ubuntu/102/kinetic
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
Initial Testing Done
--------------------
I built the package locally.
I installed the library package on Ubuntu 23.04 and successfully completed the Test Case.
Other Info
----------
It is believed that the only thing using mozjs102 in Ubuntu 22.04 LTS is actually cjs in Linux Mint 21.2 (in Beta testing). It has been proposed to switch Ubuntu's gjs to use it there also but that is currently on hold (benefit/risk analysis). See LP: #1993214 |
Impact
------
mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used by gjs to power GNOME Shell and some GNOME apps.
There are new Firefox 102 ESR releases monthly until the end of August.
https://whattrainisitnow.com/calendar/
Security Impact
---------------
I looked through
https://github.com/mozilla/gecko-dev/commits/esr102/js
and searched for referenced bug numbers in
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/
and found two CVEs
CVE-2023-37202: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-37211: Memory safety bugs
Test Case
---------
https://wiki.ubuntu.com/DesktopTeam/TestPlans/gjs
Additionally, mozjs102 has build tests. mozjs102 does not have autopkgtests of its own but it triggers the gjs autopkgtests.
Security Sponsoring
-------------------
sudo apt install git-buildpackage
mkdir tarballs; cd ../tarballs
pull-lp-source mozjs102 mantic
# That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while.
cd ..
gbp clone https://salsa.debian.org/gnome-team/mozjs
cd mozjs
git checkout ubuntu/102/lunar
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
git checkout ubuntu/102/kinetic
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder="debuild --no-lintian -S -nc" --git-tarball-dir=../tarballs
Initial Testing Done
--------------------
I built the package locally.
I installed the library package on Ubuntu 23.04 and successfully completed the Test Case.
Other Info
----------
It is believed that the only thing using mozjs102 in Ubuntu 22.04 LTS is actually cjs in Linux Mint 21.2 (in Beta testing). It has been proposed to switch Ubuntu's gjs to use it there also but that is currently on hold (benefit/risk analysis). See LP: #1993214 |
|
| 2023-07-06 11:19:59 |
Jeremy Bícha |
cve linked |
|
2023-37211 |
|
| 2023-07-06 11:20:45 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Jammy |
|
| 2023-07-06 11:20:45 |
Jeremy Bícha |
bug task added |
|
mozjs102 (Ubuntu Jammy) |
|
| 2023-07-06 11:20:45 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Kinetic |
|
| 2023-07-06 11:20:45 |
Jeremy Bícha |
bug task added |
|
mozjs102 (Ubuntu Kinetic) |
|
| 2023-07-06 11:20:45 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Lunar |
|
| 2023-07-06 11:20:45 |
Jeremy Bícha |
bug task added |
|
mozjs102 (Ubuntu Lunar) |
|
| 2023-07-06 11:20:49 |
Jeremy Bícha |
mozjs102 (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2023-07-06 11:20:51 |
Jeremy Bícha |
mozjs102 (Ubuntu Kinetic): status |
New |
Confirmed |
|
| 2023-07-06 11:20:53 |
Jeremy Bícha |
mozjs102 (Ubuntu Lunar): status |
New |
Confirmed |
|
| 2023-07-06 11:21:05 |
Jeremy Bícha |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2023-07-07 10:05:39 |
Launchpad Janitor |
mozjs102 (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2023-07-07 11:00:52 |
Marc Deslauriers |
mozjs102 (Ubuntu Jammy): status |
Confirmed |
In Progress |
|
| 2023-07-07 11:00:54 |
Marc Deslauriers |
mozjs102 (Ubuntu Kinetic): status |
Confirmed |
In Progress |
|
| 2023-07-07 11:00:56 |
Marc Deslauriers |
mozjs102 (Ubuntu Lunar): status |
Confirmed |
In Progress |
|
| 2023-07-07 11:00:58 |
Marc Deslauriers |
mozjs102 (Ubuntu Jammy): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2023-07-07 11:01:01 |
Marc Deslauriers |
mozjs102 (Ubuntu Kinetic): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2023-07-07 11:01:03 |
Marc Deslauriers |
mozjs102 (Ubuntu Lunar): assignee |
|
Marc Deslauriers (mdeslaur) |
|
| 2023-07-13 12:16:31 |
Launchpad Janitor |
mozjs102 (Ubuntu Lunar): status |
In Progress |
Fix Released |
|
| 2023-07-13 12:16:34 |
Launchpad Janitor |
mozjs102 (Ubuntu Kinetic): status |
In Progress |
Fix Released |
|
| 2023-07-13 12:16:38 |
Launchpad Janitor |
mozjs102 (Ubuntu Jammy): status |
In Progress |
Fix Released |
|
