Use final Firefox 38 ESR tarball to build mozjs38
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| mozjs38 (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
Bug Description
Impact
------
SpiderMonkey (or mozjs) is Firefox's JavaScript engine. It is not well-supported by Mozilla. Generally, someone at Mozilla makes only one tarball release per Firefox ESR. For 38, this was done around 38.2. Fedora and Arch Linux build their mozjs38 using the final Firefox ESR tarball (38.8) which has 7 more months of high-priority bugfixes included.
https:/
A quick review of the git log showed that there are multiple high-priority security fixes in this update.
Test Case
---------
Install the update.
Reboot
Log into GNOME Shell. Does it seem to work ok?
Regression Potential
-------
The gjs maintainer has so far only tested with the original release tarball, but the risk is mitigated by being used by Fedora. Mozilla does tend to be cautious about updating its ESR branch.
Other Info
----------
The Firefox tarball is very slow and difficult to work with since it has so many files. It was too big for the new debian/copyright Files-Excluded repack ( https:/
With the repack, I lost the INSTALL, LICENSE and README files which are not included in the Firefox tarball since I didn't know how to use the repack script to inject a copy of those files. It did not seem important enough to use a quilt patch to restore them since they aren't shipped in the resulting binary packages.
js/src/
Here's a visual diff of the new tarball:
https:/
And here's a git log (the original mozjs38 tarball is from mid-September 2015)
https:/
mozjs38 is only packaged in Ubuntu 17.04 "zesty"
More Justification
------------------
https:/
And change the version number from 38.3.0, 38.4.0 up to 38.8.0. The only change not "Various security fixes" is 38.5.0's https:/
The Release Notes link to https:/
Many of those vulnerabilities don't affect the SpiderMonkey JavaScript engine though.
Testing Done
------------
I have tested that this package builds and that GNOME Shell runs with the built package.
Sponsoring
----------
I pushed my work to a temporary git repo because I think it should be fairly easy to sponsor from there:
https:/
There is a mozjs38 SRU accepted April 18 that enables build tests. It would be nice if that could either be released into -updates first or that update rolled into this update.
| description: | updated |
| Changed in mozjs38 (Ubuntu): | |
| status: | New → Confirmed |
| tags: | added: zesty |
| description: | updated |
| description: | updated |
| description: | updated |
| Changed in mozjs38 (Ubuntu): | |
| importance: | Undecided → High |
| description: | updated |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in mozjs38 (Ubuntu): | |
| status: | Confirmed → Fix Released |
| Changed in mozjs38 (Ubuntu): | |
| status: | Fix Released → Confirmed |
| Tyler Hicks (tyhicks) wrote | #2 |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in mozjs38 (Ubuntu): | |
| status: | Confirmed → Fix Released |
This bug was fixed in the package mozjs38 - 38.8.0~
---------------
mozjs38 (38.8.0~
* SECURITY UPDATE: Build from final Firefox 38 ESR tarball to fix
numerous security vulnerabilities (LP: #1683103)
- Use debian/repack* scripts to drop the extra files not shipped
in the mozjs release tarballs.
- CVE-2015-4513, CVE-2016-1930, CVE-2016-1952,
CVE-
* Update package description
* Use gnome-pkg-tools (for sponsorship by Debian GNOME)
-- Jeremy Bicha <email address hidden> Sun, 16 Apr 2017 14:45:59 -0400