LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (https://www.linuxquestions.org/questions/slackware-14/)
-   -   Slackware 13 and the recent Firefox vulnerability (https://www.linuxquestions.org/questions/slackware-14/slackware-13-and-the-recent-firefox-vulnerability-797658/)

Maestro485 03-24-2010 07:03 PM

Slackware 13 and the recent Firefox vulnerability
 
As you might have heard, a recent critical vulnerability was discovered in Firefox 3.6.

Any word on a Slackware patch coming soon?

I'd prefer to use a Slackware package rather than the actual Mozilla release, but I also don't like browsing the web with a remote code execution bug in my browser.

Or is Slackware unaffected by this? Please correct me if I'm wrong.

Thanks,
Matt

onebuck 03-24-2010 08:01 PM

Hi,

There is a security fix for Slackware 12.2 but that was for FF 3.05.

Quote:

Here are the details from the Slackware 12.2 ChangeLog:
+--------------------------+
Sat Mar 6 18:57:32 UTC 2010
patches/packages/mozilla-firefox-3.0.18-i686-1.tgz: Upgraded.
Upgraded to firefox-3.0.18.
This fixes some security issues.
For more information, see:
http://www.mozilla.org/security/know...firefox30.html
(* Security fix *)
+--------------------------+


You can look at http://www.mozilla.org/security/know...firefox36.html

I'm not aware of a FF security fix for 13 or -current.
:hattip:

EDIT: I don't see a 'remote code execution bug' at http://www.mozilla.org/security/know...firefox36.html

EDIT2: WOFF heap corruption due to integer overflow is the bug the OP is speaking of.

GazL 03-24-2010 08:12 PM

It's this one Gary:

http://www.mozilla.org/security/anno...sa2010-08.html

And yes, it's quite nasty and has been out there for about a month.

The bug is in the parser for downloadable fonts, so I believe that going into about:config and changing gfx.downloadable_fonts.enable to false will help mitigate the risk until the team have had time to put a new package together.

I downloaded the sources and built my own 3.6.2 package yesterday as I didn't want to wait.
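
The about:config change GazL suggests can also be pinned in a profile's user.js, which Firefox reads on every startup, so the setting survives until you deliberately remove it. The helper below is an added example written for this thread, not code from the thread or from Mozilla; the profile path you pass is an assumption (typically ~/.mozilla/firefox/<profile>/user.js), and Firefox must be restarted for the line to take effect.

```shell
#!/bin/sh
# Added example (not from the thread): persist the interim workaround
# gfx.downloadable_fonts.enable = false in a Firefox profile's user.js.
# The user.js path is an assumption supplied by the caller.

PREF='gfx.downloadable_fonts.enable'

# disable_downloadable_fonts USERJS
# Appends user_pref("gfx.downloadable_fonts.enable", false); to USERJS unless
# it is already there, replacing any earlier setting of the same pref so the
# file never carries two contradictory lines.
disable_downloadable_fonts() {
    userjs=$1
    if grep -q "user_pref(\"$PREF\", false);" "$userjs" 2>/dev/null; then
        return 0   # already mitigated, nothing to do
    fi
    if [ -f "$userjs" ]; then
        # grep -v exits 1 when nothing is left to print; that is fine here
        grep -v "user_pref(\"$PREF\"" "$userjs" > "$userjs.tmp" || true
        mv "$userjs.tmp" "$userjs"
    fi
    printf 'user_pref("%s", false);\n' "$PREF" >> "$userjs"
}

# downloadable_fonts_state USERJS
# Prints "disabled", "enabled" or "default" (pref not pinned in user.js;
# Firefox 3.6 ships with downloadable fonts enabled).
downloadable_fonts_state() {
    if grep -q "user_pref(\"$PREF\", false);" "$1" 2>/dev/null; then
        echo disabled
    elif grep -q "user_pref(\"$PREF\", true);" "$1" 2>/dev/null; then
        echo enabled
    else
        echo default
    fi
}

# Usage (path is an assumption): disable_downloadable_fonts ~/.mozilla/firefox/xxxxxxxx.default/user.js
```

Once the patched package is installed, delete the user_pref line from user.js (or set it to true) to get web fonts back; a value in user.js overrides anything later changed in about:config.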

onebuck 03-24-2010 08:19 PM

Hi,

Thanks!

I wasn't aware of it. I just looked at the changelogs but did not notice a problem.

Again thanks for the link, heads up and temporary fix.

:hattip:

Maestro485 03-24-2010 08:32 PM

Thanks a lot for the suggestions! Hopefully they can get a patch out soon.

MannyNix 03-24-2010 11:09 PM

Quote:

Originally Posted by GazL (Post 3911122)
I downloaded the sources and built my own 3.6.2 package yesterday as I didn't want to wait.

This type of freedom and simplicity is why I like Slackware so much.

slowpoke 03-25-2010 12:14 AM

Where would I find a Slackbuild for FireFox?

astrogeek 03-25-2010 12:21 AM

Quote:

Originally Posted by slowpoke (Post 3911306)
Where would I find a Slackbuild for FireFox?

source/xap/mozilla-firefox/mozilla-firefox.SlackBuild

slowpoke 03-25-2010 12:27 AM

Thanks!

MannyNix 03-25-2010 12:34 AM

Quote:

Originally Posted by slowpoke (Post 3911306)
Where would I find a Slackbuild for FireFox?

On almost any Slackware mirror on the /source/xap/mozilla-firefox/ dir

Depending on your Slackware version, here's a starting point

(Your mileage may vary; I'm running -current and it runs great, but it's up to you to make sure it will work with the version you're running. You should have at least a minimal understanding of the way a Slackbuild works. SBo is a different project (no support for this particular unofficial customization), but their How-To may help getting started using slackbuilds.)
Good luck!

slowpoke 03-25-2010 08:56 AM

Found it.
Thanks!

mutexe 03-31-2010 06:39 AM

Sorry to hijack thread, but:
Code:

ARCH=${ARCH:-i686}

Does this mean the slackbuild won't work on my 32-bit machine? Could I just change the numbers? Also, do slackbuilds effectively do the compiling and installing for you? I wanna have a go at compiling something, just a bit nervous.

Once again sorry for the hijack, but I am trying to get FF 3.6.2 and this seems like a very relevant thread.

Cheers,
Tom

brianL 03-31-2010 06:44 AM

It should work. What processor have you got? Post the results of uname -a.

mutexe 03-31-2010 06:57 AM

Super fast reply. Cheers, I'll post the output when I get home from work tonight!

Thanks again,
Tom

Lufbery 03-31-2010 11:49 AM

Hi all,

While it is possible (and frankly easy) to roll my own updated Firefox using a new source file and the SlackBuild script in the sources, it would be nice to have an official update.

Has anyone had any word?

Regards,

GrapefruiTgirl 03-31-2010 11:56 AM

I haven't, no, but I haven't checked Slackpkg update yet for today (I assume you have checked something like this, or your last post would be different :p). Maybe something could be gleaned from lurking in the IRC channel? I'm not big on IRC so I for one will wait patiently.

Sasha

Lufbery 03-31-2010 11:58 AM

Quote:

Originally Posted by GrapefruiTgirl (Post 3919334)
Maybe something could be gleaned from lurking in the IRC channel? I'm not big on IRC so I for one will wait patiently.

Sasha

Yeah, lurking on IRC may be the way to go. I'm mostly just curious as security updates tend to come out pretty quickly most of the time.

Regards,

GrapefruiTgirl 03-31-2010 12:00 PM

Quote:

Originally Posted by mutexe (Post 3919008)
Sorry to hijack thread, but:
Code:

ARCH=${ARCH:-i686}

Does this mean the slackbuild won't work on my 32-bit machine?

Last I checked, the average Slackbuild takes into account i486, i686, or x86_64 depending on your $ARCH setting; if no preconfigured $ARCH on your system (i.e. you haven't defined it) it should default to i486 which is for 32bit generic builds.

And, the Slackbuild will do everything *except* install the finished package.

It will terminate with something like:

Code:

Package /some/output/path/blah-version-arch-123.tgz created.

after which you just do:
Code:

installpkg /some/output/path/blah-version-arch-123.tgz

Sasha
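
The two points above (how the ARCH default in a SlackBuild is chosen, and that the script stops at a package file you then hand to installpkg) are illustrated by the added POSIX sh example below. It is written for this thread and is not the Slackware SlackBuild or any part of pkgtools; the function names are this example's own, and the i?86-to-i486 mapping mirrors the common SlackBuild convention GrapefruiTgirl describes, which is an assumption about scripts you have not read.

```shell
#!/bin/sh
# Added example (not from the thread or from Slackware's own scripts): how an
# "ARCH=${ARCH:-...}" line resolves, and a sanity check that the package a
# SlackBuild produced matches the machine you are about to installpkg it on.

# slackbuild_arch MACHINE [PRESET]
# An ARCH set by the caller wins (the ${ARCH:-default} idiom); otherwise the
# value is derived from the machine type (what uname -m prints), with 32-bit
# x86 collapsed to the generic i486 build. Assumed convention, see lead-in.
slackbuild_arch() {
    machine=$1
    preset=$2
    case ${preset:-auto} in
        auto)
            case $machine in
                i?86) echo i486 ;;
                arm*) echo arm ;;
                *)    echo "$machine" ;;
            esac ;;
        *) echo "$preset" ;;
    esac
}

# pkg_field FILENAME FIELD
# Slackware package files are named name-version-arch-build.tgz (or .txz).
# The name may itself contain dashes, so the last three fields are peeled
# off from the right and whatever remains is the name.
pkg_field() {
    base=${1##*/}          # strip any directory part
    base=${base%.t?z}      # strip .tgz / .txz
    build=${base##*-};   rest=${base%-*}
    arch=${rest##*-};    rest=${rest%-*}
    version=${rest##*-}; name=${rest%-*}
    case $2 in
        name)    echo "$name" ;;
        version) echo "$version" ;;
        arch)    echo "$arch" ;;
        build)   echo "$build" ;;
    esac
}

# pkg_runs_on FILENAME MACHINE
# Returns 0 when the package's arch field is usable on MACHINE: noarch runs
# anywhere, i486/i586/i686 packages run on any 32-bit x86 machine, everything
# else must match exactly. Catches installing an x86_64 build on a 32-bit box.
pkg_runs_on() {
    pkgarch=$(pkg_field "$1" arch)
    case $pkgarch in
        noarch) return 0 ;;
        i?86)   case $2 in i?86) return 0 ;; *) return 1 ;; esac ;;
        *)      [ "$pkgarch" = "$2" ] ;;
    esac
}

# Example flow (paths are illustrative): after the SlackBuild reports
# "Package /tmp/mozilla-firefox-3.6.2-i686-1.tgz created." you would run
#   pkg_runs_on /tmp/mozilla-firefox-3.6.2-i686-1.tgz "$(uname -m)" \
#       && installpkg /tmp/mozilla-firefox-3.6.2-i686-1.tgz
```

So for mutexe's question: on a 32-bit machine uname -m prints something like i686, the ARCH line's default applies unless ARCH is already exported in the environment, and the resulting package name tells you which arch was actually baked in before you install it.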

GazL 03-31-2010 02:47 PM

Quote:

Originally Posted by Lufbery (Post 3919329)
Hi all,

While it is possible (and frankly easy) to roll my own updated Firefox using a new source file and the SlackBuild script in the sources, it would be nice to have an official update.

Has anyone had any word?

The changelog hasn't moved since the 16th. I must admit I'm a little surprised that a bug fix as important as this one hasn't been fixed yet, but I guess this is just one of the drawbacks of running a distro that relies on just one man. Maybe Pat's taking a few weeks off or something.

Alien Bob 03-31-2010 03:13 PM

Quote:

Originally Posted by GazL (Post 3919515)
The changelog hasn't moved since the 16th. I must admit I'm a little surprised that a bug fix as important as this one hasn't been fixed yet, but I guess this is just one of the drawbacks of running a distro that relies on just one man. Maybe Pat's taking a few weeks off or something.

Check the ChangeLog.txt in a few minutes, Firefox update will be in there as well as some other niceties.

Eric

brianL 03-31-2010 03:49 PM

Not yet...patience :)

damgar 03-31-2010 03:55 PM

The number of hits on the changelog's server is probably preventing update at this point!

Alien Bob 03-31-2010 04:02 PM

The sync out to the mirrors is not yet complete, it will take a while to become visible I guess.

Eric

brianL 03-31-2010 05:16 PM

OK now. ChangeLogs changed. Your patience has been rewarded. :)

brianL 03-31-2010 05:18 PM

Spoke too soon. Not on mirrors yet. :redface:

damgar 03-31-2010 06:00 PM

Update on my mirror is complete!

brianL 03-31-2010 06:12 PM

And mine (tds).

gegechris99 04-01-2010 03:08 AM

Hello,

Am I the only one? When I check the Changelog for -current 32-bit on the Slackware site, there is no mention of any change since 16th March.

ftp://ftp.osuosl.org/pub/slackware/s.../ChangeLog.txt

GazL 04-01-2010 03:21 AM

Says 31st March here. Try force refreshing the page. (shift-refresh or ctrl-F5 in firefox)

gegechris99 04-01-2010 03:54 AM

Strange, I emptied my cache in Firefox and also force refresh and still no update from "official" slackware changelog.

However I can see the updated changelogs on some random mirrors:

ftp://ftp.slackware.org.uk/slackware.../ChangeLog.txt
ftp://ftp.slackware.pl/pub/slackware.../ChangeLog.txt
ftp://sunsite.icm.edu.pl/pub/Linux/s.../ChangeLog.txt

I also came upon mirrors in the process of being updated (at time of writing this post) or for which mirroring was aborted (extra/ is updated on 31st March but other files/directories are not).

ftp://mirrors.blueyonder.co.uk/sites/ftp.slackware.com

ftp://mirror.switch.ch/mirror/slackw...kware-current/

Maybe it's just that mirroring takes some time. But I'm still wondering why I can't see the "official" updated Changelog file.

GazL 04-01-2010 04:39 AM

Most ISPs implement a transparent web-proxy/cache these days and they can sometimes deliver out of date information. The osuosl one has definitely been updated, so if it's still delivering the old one to you even after you've cleared your browser cache, then it's probably your ISPs fault. Alternatively, osuosl could be using some sort of round-robin cluster and not all nodes have been updated yet.

gegechris99 04-01-2010 04:55 AM

Thanks GazL for the explanation.

I will check tonight when I'm back home if my usual mirror is updated and if not I'll switch to one where I can see the update.

Lufbery 04-01-2010 07:03 PM

I'm all up-to-date again! :D

damgar 04-01-2010 07:43 PM

<deleted for use in new thread as it seems more appropriate.>

Lufbery 04-01-2010 09:10 PM

I wondered if, once Firefox was updated, Seamonkey would need an update too. Well, tonight I got a notice that Seamonkey has an update available:

http://www.mozilla.org/security/know...amonkey20.html

Version 2.04 is now available.

catkin 04-02-2010 12:06 PM

Quote:

Originally Posted by Alien Bob (Post 3919543)
Check the ChangeLog.txt in a few minutes, Firefox update will be in there as well as some other niceties.

After upgrading 13.0 today, Firefox is at 3.6.2 but Mozilla Firefox 3.6 Release Notes say "Firefox 3.6.3 fixes a critical security issue ... bug 555109" so we are not in the clear yet. Bug 555109 is not visible even after logging in to Mozilla's Bugzilla so it's not possible to assess the risk or consider workarounds.

BrZ 04-02-2010 01:48 PM

The source for 3.6.3 was released today...

Lufbery 04-04-2010 08:55 PM

Well, darn. So now we start waiting for Firefox 3.6.3 . . .

For those that celebrate it, I hope everyone had a very nice Easter holiday. I certainly did not expect a lot of development/packaging to happen this weekend. :)

brianL 04-05-2010 07:09 AM

Updated to FF 3.6.3 (and the rest) from tds mirror now.

catkin 04-05-2010 07:12 AM

Quote:

Originally Posted by brianL (Post 3924737)
Updated to FF 3.6.3 (and the rest) from tds mirror now.

tds mirror?

brianL 04-05-2010 07:16 AM

This one, in the US:
http://slackware.mirrors.tds.net/pub/slackware/

I used to use a UK mirror, but they were always 2 days behind with updates.

GazL 04-05-2010 09:07 AM

I use mirrorservice.org which is uk based. They sync daily.

brianL 04-05-2010 09:21 AM

That was the one I used to use. Strange, they always seemed to be 2 to 3 days behind some of the other mirrors. Maybe things have improved.

GazL 04-05-2010 09:29 AM

Time zone can be a factor. If Pat posts updates early morning US time then they might be too late for the daily sync and not turn up till the following day. I've never had to wait more than 1 day though.

My ISP virginmedia have their own mirror, but I've found that one highly unreliable.

brianL 04-05-2010 09:35 AM

I might give mirrorservice another try for the next updates.

GazL 04-05-2010 11:57 AM

Quote:

Originally Posted by brianL (Post 3924878)
I might give mirrorservice another try for the next updates.

If it stops working then I'm going to blame you! ;)

brianL 04-05-2010 11:59 AM

I'm used to getting blame for everything, so that's OK. :)
