Bug 220607

Summary:	www/libxul: Update to 52.2.0, Multiple (23) security (CVE) vulnerabilities
Product:	Ports & Packages	Reporter:	Andrew Marks <amracks>
Component:	Individual Port(s)	Assignee:	freebsd-gecko (Nobody) <gecko>
Status:	Closed Overcome By Events
Severity:	Affects Many People	CC:	jkim, ports-secteam, rene
Priority:	---	Keywords:	security
Version:	Latest	Flags:	bugzilla: maintainer-feedback? (gecko)
Hardware:	Any
OS:	Any
See Also:	https://bugzilla.mozilla.org/show_bug.cgi?id=1221724

Description Andrew Marks 2017-07-10 17:56:54 UTC

I've been told these are all applicable, but have not yet done any independent research.

CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
CVE-2017-7749: Use-after-free during docshell reloading
CVE-2017-7750: Use-after-free with track elements
CVE-2017-7751: Use-after-free with content viewer listeners
CVE-2017-7752: Use-after-free with IME input
CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
CVE-2017-7757: Use-after-free in IndexedDB
CVE-2017-7778: Vulnerabilities in the Graphite 2 library
CVE-2017-7758: Out-of-bounds read in Opus encoder
CVE-2017-7759: Android intent URLs can cause navigation to local file system
CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
CVE-2017-7762: Addressbar spoofing in Reader mode
CVE-2017-7763: Mac fonts render some unicode characters as spaces
CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
CVE-2017-7765: Mark of the Web bypass when saving executable files
CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
CVE-2017-5471: Memory safety bugs fixed in Firefox 54
CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2

Comment 1 Jan Beich freebsd_committer

2017-07-10 18:07:39 UTC

The port cannot be updated, see
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220607

Comment 2 Jan Beich freebsd_committer

2017-07-10 18:07:54 UTC

https://bugzilla.mozilla.org/show_bug.cgi?id=1221724

Comment 3 Andrew Marks 2017-07-11 15:13:49 UTC

The only thing I use that requires www/libxul is java/icedtea-web.

I'm trying to figure out if its actually needed by icedtea-web because its not listed explicitly as a dependency in the Makefile, but that is a separate issue.

What course of action is there to address these vulnerabilities? remove www/libxul from ports?

Comment 4 Jung-uk Kim freebsd_committer

2017-07-11 19:40:10 UTC

(In reply to Andrew Marks from comment #3)
It IS actually needed for building NPAPI plugins.  I guess the only way to work around this problem is adding a slave port only to install *.h and *.pc files.

Comment 5 Andrew Marks 2017-07-12 02:37:11 UTC

(In reply to Jung-uk Kim from comment #4)

My problems are solved for now thanks to:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220648

I can remove www/libxul after building java/icedtea-web, which was the only thing I needed www/libxul for.

Comment 6 Jan Beich freebsd_committer

2017-11-19 03:09:51 UTC

Maybe someone can check how many vulnerabilities (since 45.9) are fixed by
https://github.com/classilla/tenfourfox

Comment 7 commit-hook freebsd_committer

2017-11-22 06:26:16 UTC

A commit references this bug:

Author: jbeich
Date: Wed Nov 22 06:25:47 UTC 2017
New revision: 454674
URL: https://svnweb.freebsd.org/changeset/ports/454674

Log:
  www/libxul: expire after ESR59 but before 2018Q3

  Non-Flash plugins aren't supported past FF52 and Gnash doesn't work in FF57.
  XUL consumers (e.g., Conkeror) may still be able to use "firefox -app".

  PR:		220607

Changes:
  head/www/libxul/Makefile

Comment 8 Rene Ladan freebsd_committer

2018-06-22 22:36:02 UTC

Expired port removed.