SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
A flaw was discovered in Firefox that permits the violation of same origin policy and injection of script into a non-privileged part
of the built-in PDF viewer. This allows an attacker to read and steal sensitive local files on a victim's computer. (CVE-2015-4495)
Mozilla has received numerous reports of active exploitation in the wild.
Recommendation: Slackware users should upgrade to Firefox 39.0.3, asap.
Note: Slackware 14.1 ships FF ESR 31 which has EOL'd in favor of FF ESR 38. Slackware 14.1 users who wish to remain on the
ESR track should upgrade to ESR 38.1.1 to address this flaw. Alternatively, they can use ruario's script (see earlier posts for
instructions) to install Mozilla's build of 39.0.3.
I've just built and upgraded to 38.1.1esr. Be aware that there are changes in how this firefox handles profiles. I highly recommend backing up the .mozilla folder before starting the newly installed firefox. I've already needed the back up for restoring some of my preferences.
Regarding the Firefox flaw (CVE-2015-4495) I report above, Mozilla published a blog entry that briefly describes one exploit found in
the wild that uses this vulnerability to steal files from Windows and Linux systems and uploads them to what appears to be a machine
in Ukraine.
They recommend changing passwords/keys in certain files targeted by that particular exploit. I would err on the side of caution and
expand the recommendation to include all password/keys accessible by the Firefox process.
Distribution: Slackware64-current with "True Multilib" and KDE4Town.
Posts: 9,097
Rep:
Quote:
Originally Posted by mancha
Update
Regarding the Firefox flaw (CVE-2015-4495) I report above, Mozilla published a blog entry that briefly describes one exploit found in
the wild that uses this vulnerability to steal files from Windows and Linux systems and uploads them to what appears to be a machine
in Ukraine.
They recommend changing passwords/keys in certain files targeted by that particular exploit. I would err on the side of caution and
expand the recommendation to include all password/keys accessible by the Firefox process.
--mancha
Mancha,
Where does that leave users of SeaMonkey, which hasn't been updated since March?
Thanks.
it blocks process access to the user's config directories for gpg, kwallet, gnome keyring, and a few other things. You can add your own directories to block, and although it uses a blacklist system, it works. Firejail tutorial for Firefox here.
it blocks process access to the user's config directories for gpg, kwallet, gnome keyring, and a few other things. You can add your own directories to block, and although it uses a blacklist system, it works. Firejail tutorial for Firefox here.
drgibbon, thanks for the heads-up about firejail! It is most useful in this day and age where every application and its cousin has to have some kind of access to the Internet.
EDIT: the version in the SlackBuild is a bit old, but substituting the newer version (0.9.28) in the script, it builds without errors.
POST EDIT: running a simple instance of
Code:
firejail firefox
right now. I need to read up more about and utilize firejail's options, but initial impression is that it doesn't break anything yet and I hardly notice it there. Thanks for the pointer to this, drgibbon.
LAST EDIT: I noticed that if you try to start firefox jailed by firejail and you already have an instance of firefox running unjailed, firejail will close and the new firefox is attaching (this is a guess) to the existing firefox process. If you ensure that the first firefox is firejail'd, then it seems that new firefox windows get immediated jailed (another guess, will try to debug to be sure). The dev for firejail seems to be very active and very responsive, so I am encouraged about this.
For some reason that didn't work for me, I had to explicitly load the Firefox profile from the command line as above. I tested it by adding:
Code:
blacklist {HOME}/documents
to /etc/firejail/firefox.profile and it was only when supplying the profile to the firejail call that access to ~/documents was denied (by Ctrl-O and browsing to ~/documents in Firefox), but YMMV.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.