xulrunner 2.0 in rawhide (F15) bundles several system libs

Kevin Kofler kevin.kofler at chello.at
Fri Oct 1 23:01:20 UTC 2010


Gregory Maxwell wrote:
> I yelled pretty loudly when Fedora first packaged libvpx because
> fedora took a _known vulnerable_ version which Mozilla and opera were
> patching around but where the upstream hadn't yet merged the fixes.
> 
> Things are more mature now but there are still somewhat scary fixes
> happening, at least with the platform dependent code:
> https://review.webmproject.org/#change,603
> 
> 
> Mozilla being a vector for the widescale exploitation would be
> terrible for their image— and also terrible for Fedora's, we really
> don't want to create our own version of the debian openssl rng bug.

If libvpx is vulnerable, this MUST be fixed in our system version, otherwise 
ALL THE OTHER SOFTWARE WE SHIP using libvpx can be exploited! Fixing only 
the Mozilla stack does NOT solve the problem. Fixing the system library 
does, for EVERYONE, INCLUDING Firefox.

> There really is a common interest here and the folks on the Mozilla
> side are better informed about the risks.

There is NO common interest. Our interest is to have ONE copy of the library 
(for the ENTIRE distribution) in which to apply security fixes.

> The patches mozilla is carrying are visible as files in the respective
> directories here:
> http://mxr.mozilla.org/mozilla-central/source/media/
> 
> I'd suggest that fedora folks interested in the bundling help by
> making sure that the applicable fixes make it upstream. Even if Fedora
> were to ditch the trademarks you couldn't escape doing this work.

Sure we could. We'd just apply the patches to our libvpx package. That's 
what SRPMs are for.

        Kevin Kofler


