LinuxQuestions.org


Maestro485 03-24-2010 07:03 PM

Slackware 13 and the recent Firefox vulnerability
 
As you might have heard, a recent critical vulnerability was discovered in Firefox 3.6.

Any word on a Slackware patch coming soon?

I'd prefer to use a Slackware package rather than the actual Mozilla release, but I also don't like browsing the web with a remote code execution bug in my browser.

Or is Slackware unaffected by this? Please correct me if I'm wrong.

Thanks,
Matt

onebuck 03-24-2010 08:01 PM

Hi,

There is a security fix for Slackware 12.2 but that was for FF 3.05.

Quote:

Here are the details from the Slackware 12.2 ChangeLog:
+--------------------------+
Sat Mar 6 18:57:32 UTC 2010
patches/packages/mozilla-firefox-3.0.18-i686-1.tgz: Upgraded.
Upgraded to firefox-3.0.18.
This fixes some security issues.
For more information, see:
http://www.mozilla.org/security/know...firefox30.html
(* Security fix *)
+--------------------------+


You can look at: http://www.mozilla.org/security/know...firefox36.html

I'm not aware of a FF security fix for 13 or -current.

EDIT: I don't see a 'remote code execution bug' at http://www.mozilla.org/security/know...firefox36.html

EDIT2: WOFF heap corruption due to integer overflow is the bug the OP is speaking of.

GazL 03-24-2010 08:12 PM

It's this one Gary:

http://www.mozilla.org/security/anno...sa2010-08.html

And yes, it's quite nasty and has been out there for about a month.

The bug is in the parser for downloadable fonts, so I believe that going into about:config and changing gfx.downloadable_fonts.enable to false will help mitigate the risk until the team have had time to put a new package together.

I downloaded the sources and built my own 3.6.2 package yesterday as I didn't want to wait.
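
An added example, not written by anyone in this thread: a POSIX shell script that reports, for each Firefox profile, whether the downloadable-fonts preference mentioned in the post above is switched off and, with `fix`, sets it through `user.js`. Assumptions: profiles live under `~/.mozilla/firefox`, the function names are made up for this example, and the preference is spelled `gfx.downloadable_fonts.enabled` (set `PREF` to whatever about:config shows on your build).

```shell
#!/bin/sh
# Added example. Assumed: pref spelling and profile root; override via PREF / argument.
PREF="${PREF:-gfx.downloadable_fonts.enabled}"
PREF_RE=$(printf '%s' "$PREF" | sed 's/\./\\./g')   # escape dots for sed

# A directory counts as a profile if it holds prefs.js or user.js.
is_profile() { [ -f "$1/prefs.js" ] || [ -f "$1/user.js" ]; }

# Print true/false as set in FILE, or "unset". The last assignment wins.
pref_state() {
    [ -f "$1" ] || { echo unset; return 0; }
    v=$(sed -n "s/^[[:space:]]*user_pref(\"$PREF_RE\",[[:space:]]*\([a-z]*\));.*/\1/p" "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Effective value for a profile: user.js is applied at startup and overrides prefs.js.
profile_state() {
    s=$(pref_state "$1/user.js")
    [ "$s" = unset ] && s=$(pref_state "$1/prefs.js")
    echo "$s"
}

# Append the mitigation to user.js unless the profile already has it.
mitigate() {
    is_profile "$1" || return 0
    [ "$(profile_state "$1")" = false ] && return 0
    printf '\nuser_pref("%s", false);\n' "$PREF" >> "$1/user.js"
}

# One line per profile: "<state> <dir>"; "unset" means the browser default applies.
audit() {
    for d in "$1"/*/; do
        is_profile "$d" || continue
        echo "$(profile_state "$d") ${d%/}"
    done
}

# Usage: sh fontpref.sh audit|fix [profiles-root]; restart Firefox after "fix".
root="${2:-$HOME/.mozilla/firefox}"
case "${1:-}" in
    audit) audit "$root" ;;
    fix)   for d in "$root"/*/; do mitigate "$d"; done; audit "$root" ;;
esac
```

Any profile that `audit` lists as `true` or `unset` still has the font parser reachable from web content until the preference is set or the browser is upgraded.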

onebuck 03-24-2010 08:19 PM

Hi,

Thanks!

I wasn't aware of it. I just looked at the changelogs but did not notice a problem.

Again thanks for the link, heads up and temporary fix.


Maestro485 03-24-2010 08:32 PM

Thanks a lot for the suggestions! Hopefully they can get a patch out soon.

MannyNix 03-24-2010 11:09 PM

Quote:

Originally Posted by GazL (Post 3911122)
I downloaded the sources and built my own 3.6.2 package yesterday as I didn't want to wait.

This type of freedom and simplicity is why I like Slackware so much.

slowpoke 03-25-2010 12:14 AM

Where would I find a Slackbuild for FireFox?

astrogeek 03-25-2010 12:21 AM

Quote:

Originally Posted by slowpoke (Post 3911306)
Where would I find a Slackbuild for FireFox?

source/xap/mozilla-firefox/mozilla-firefox.SlackBuild

slowpoke 03-25-2010 12:27 AM

Thanks!

MannyNix 03-25-2010 12:34 AM

Quote:

Originally Posted by slowpoke (Post 3911306)
Where would I find a Slackbuild for FireFox?

On almost any Slackware mirror on the /source/xap/mozilla-firefox/ dir

Depending on your Slackware version, here's a starting point

(Your mileage may vary, I'm running -current and it runs great, but it's up to you to make sure it will work with the version you're running. You should have at least a minimal understanding of the way a Slackbuild works. Sbo is a different project (No support for this particular unofficial customization) but their How-To may help getting started using slackbuilds.)
Good luck!

slowpoke 03-25-2010 08:56 AM

Found it.
Thanks!

mutexe 03-31-2010 06:39 AM

Sorry to hijack thread, but:
Code:

ARCH=${ARCH:-i686}
Does this mean the slackbuild won't work on my 32 bit machine? Could I just change the numbers? Also, do slackbuilds effectively do the compiling and installing for you? I wanna have a go at compiling something, just a bit nervous.

Once again sorry for the hijack, but I am trying to get FF 3.6.2 and this seems like a very relevant thread.

Cheers,
Tom

brianL 03-31-2010 06:44 AM

It should work. What processor have you got? Post the results of uname -a.

mutexe 03-31-2010 06:57 AM

Super fast reply. Cheers, I'll post output when I get home from work tonight!

Thanks again,
Tom

Lufbery 03-31-2010 11:49 AM

Hi all,

While it is possible (and frankly easy) to roll my own updated Firefox using a new source file and the SlackBuild script in the sources, it would be nice to have an official update.

Has anyone had any word?

Regards,


All times are GMT -5.