Update mozjs102 to 102.12.0
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mozjs102 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Jammy |
Fix Released
|
Undecided
|
Unassigned | ||
Kinetic |
Fix Released
|
Undecided
|
Unassigned | ||
Lunar |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Impact
------
mozjs102 is the SpiderMonkey JavaScript engine from Firefox ESR. It is used by gjs to power GNOME Shell and some GNOME apps.
There are new Firefox 102 ESR releases monthly until the end of August.
https:/
Security Impact
---------------
I looked through
https:/
and searched for referenced bug numbers in
https:/
and found one CVE, 2023-34416
Test Case
---------
https:/
Additionally, mozjs102 has build tests. mozjs102 does not have autopkgtests of its own but it triggers the gjs autopkgtests.
Security Sponsoring
-------------------
sudo apt install git-buildpackage
mkdir tarballs; cd ../tarballs
pull-lp-source mozjs102 mantic
# That avoids needing to recreate the original tarball from pristine-tar which takes a while. Also, running lintian takes a while.
cd ..
gbp clone https:/
cd mozjs
git checkout ubuntu/102/lunar
gbp buildpackage --git-builder=
git checkout ubuntu/102/kinetic
gbp buildpackage --git-builder=
git checkout ubuntu/102/jammy
gbp buildpackage --git-builder=
Initial Testing Done
-------
I built the package locally.
I installed the library package on Ubuntu 23.04 and successfully completed the Test Case.
Other Info
----------
Ubuntu 22.04 LTS currently has no packages using it yet, but it is still a goal to update gjs there to use mozjs102. See LP: #1993214
Also, it's believed that Linux Mint will switch their cjs packages to use mozjs102 in 2023.
CVE References
description: | updated |
Changed in mozjs102 (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in mozjs102 (Ubuntu Jammy): | |
status: | New → Confirmed |
Changed in mozjs102 (Ubuntu Kinetic): | |
status: | New → Confirmed |
Changed in mozjs102 (Ubuntu Lunar): | |
status: | New → Confirmed |
description: | updated |
description: | updated |
This bug was fixed in the package mozjs102 - 102.12.0-1
---------------
mozjs102 (102.12.0-1) unstable; urgency=high
* New upstream release (LP: #2023047) (Closes: #1037158) upstream/ signing- key.asc per upstream rotation
- CVE-2023-34416: Memory safety bugs
* Update debian/
-- Jeremy Bícha <email address hidden> Tue, 06 Jun 2023 11:20:22 -0400