GNU bug report logs - #39766 Security-Problems, probably known
Report forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Mon, 24 Feb 2020 15:28:02 GMT)
Acknowledgement sent to Arne Wichmann <aw <at> old-forest.org>: New bug report received and forwarded. Copy sent to bug-gnuzilla <at> gnu.org. (Mon, 24 Feb 2020 15:28:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
Good day to you!
I see here some security problems referenced for Firefox, which are
probably applicable to Icecat, too:
CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
FallibleStoreElement
CVE-2019-17017 - Type Confusion in XPCVariant.cpp
More less critical ones are referenced, too.
Are there plans to address these?
cu
AW
--
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw <at> saar.de)
Information forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Mon, 24 Feb 2020 18:15:02 GMT)
Message #8 received at submit <at> debbugs.gnu.org:
Hello,
I was also really wondering about this as the current version of IceCat
is a version of Firefox that was affected.
On 24-02-2020 12:09, Arne Wichmann wrote:
> Good day to you!
>
> I see here some security problems referenced for Firefox, which are
> probably applicable to Icecat, too:
>
> CVE-2019-17026 - IonMonkey type confusion with StoreElementHole and
> FallibleStoreElement
> CVE-2019-17017 - Type Confusion in XPCVariant.cpp
>
> More less critical ones are referenced, too.
>
> Are there plans to address these?
>
> cu
>
> AW
>
Information forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Tue, 10 Mar 2020 14:29:01 GMT)
Message #11 received at submit <at> debbugs.gnu.org:
Hello,
It seems no one has replied to this. I think IceCat should no longer be
recommended to users until this issue is resolved especially since
IceCat is advertised as a browser with "Privacy protection features".
Suffice to say such protection features are no good if the browser
itself is vulnerable to the types of vulnerabilities as alluded to before.
I understand that there aren't sufficient developers to maintain IceCat
but that does not mean the GNU website should offer the browser without
at least clearly addressing its potential vulnerabilities on the
appropriate webpages.
As of now, users might download, install and subsequently use IceCat
with the understanding that they have downloaded a browser with enhanced
privacy protection features while not being aware that it is potentially
susceptible to recently discovered vulnerabilities.
This is precisely the sort of situation that free software, and free and
open information should prevent.
I hope we can resolve this quickly.
Kind regards,
Corne
On 2/24/20 7:05 PM, info <at> dantalion.nl wrote:
> Hello,
>
> I was also really wondering about this as the current version of IceCat
> is a version of Firefox that was affected.
Information forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Tue, 10 Mar 2020 17:28:01 GMT)
Message #14 received at 39766 <at> debbugs.gnu.org:
Current binary release is 60.7.0 which is vulnerable and that is the
problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=M;O=D
On 3/10/20 6:24 PM, Antonio Trande wrote:
> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
> release on 68 branch is the 68.6.0. So, what's the problem?
Information forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Tue, 10 Mar 2020 17:28:02 GMT)
Message #17 received at 39766 <at> debbugs.gnu.org:
These issues have been fixed with Firefox ESR 68.4.1; current IceCat
release on 68 branch is the 68.6.0. So, what's the problem?
On 10/03/20 10:29, info <at> dantalion.nl wrote:
> Hello,
>
> It seems no one has replied to this. I think IceCat should no longer be
> recommended to users until this issue is resolved especially since
> IceCat is advertised as a browser with "Privacy protection features".
> Suffice to say such protection features are no good if the browser
> itself is vulnerable to the types of vulnerabilities as alluded to before.
>
> I understand that there aren't sufficient developers to maintain IceCat
> but that does not mean the GNU website should offer the browser without
> at least clearly addressing its potential vulnerabilities on the
> appropriate webpages.
>
> As of now, users might download, install and subsequently use IceCat
> with the understanding that they have downloaded a browser with enhanced
> privacy protection features while not being aware that it is potentially
> susceptible to recently discovered vulnerabilities.
>
> This is precisely the sort of situation that free software, and free and
> open information should prevent.
>
> I hope we can resolve this quickly.
>
> Kind regards,
> Corne
--
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x7B30EE04E576AA84
GPG key server: https://keys.openpgp.org/
Information forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Tue, 10 Mar 2020 18:04:02 GMT)
Message #20 received at 39766 <at> debbugs.gnu.org:
@Mark,
do you know why the binary releases are not spread?
On 10/03/20 18:31, info <at> dantalion.nl wrote:
> Current binary release is 60.7.0 which is vulnerable and that is the
> problem, see: https://ftp.gnu.org/gnu/gnuzilla/?C=M;O=D
--
---
Antonio Trande
Fedora Project
mailto 'sagitter at fedoraproject dot org'
GPG key: 0x7B30EE04E576AA84
GPG key server: https://keys.openpgp.org/
Information forwarded to bug-gnuzilla <at> gnu.org: bug#39766; Package gnuzilla. (Wed, 11 Mar 2020 21:08:01 GMT)
Message #23 received at 39766 <at> debbugs.gnu.org:
Good day!
begin quotation from Antonio Trande (in <68eba345-dd0b-39a7-bb7e-190d6265a159 <at> fedoraproject.org>):
> These issues have been fixed with Firefox ESR 68.4.1; current IceCat
> release on 68 branch is the 68.6.0. So, what's the problem?
So, first a success report - I was able to compile Icecat using the version
from the 68 branch. And it seems to work.
Second: what are the reasons why this is not yet merged back into master
and released? Can I possibly help with that?
cu
AW
--
[...] If you don't want to be restricted, don't agree to it. If you are
coerced, comply as much as you must to protect yourself, just don't support
it. Noone can free you but yourself. (crag, on Debian Planet)
Arne Wichmann (aw <at> saar.de)
This bug report was last modified 5 years and 96 days ago.