bug-gnuzilla

Re: [Bug-gnuzilla] IceCat 31.8.0-gnu2 release


From: Mark H Weaver
Subject: Re: [Bug-gnuzilla] IceCat 31.8.0-gnu2 release
Date: Sat, 22 Aug 2015 20:08:59 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Rubén Rodríguez <address@hidden> writes:

> == Changes since v31.8.0 ==
>
>  * Applied patch for CVE-2015-4473 CVE-2015-4482 CVE-2015-4488
> CVE-2015-4489 CVE-2015-4491 CVE-2015-4492 CVE-2015-4495 from Guix

As the author of the backported patches from GNU Guix included in this
release, I feel compelled to warn users that I was not able to backport
all of the patches from Mozilla's ESR 38 branch.  Specifically, the
following vulnerabilities might not be addressed by 31.8.0-gnu2:

* Miscellaneous memory safety hazards
  Impact: Critical (CVE-2015-4473)
  (only partially addressed in 31.8.0-gnu2)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-79/

* Buffer overflows in bundled libvpx when decoding WebM video
  Impact: Critical (CVE-2015-4485, CVE-2015-4486)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-89/

* Overflow issues in libstagefright
  Impact: Critical, but only affects Android
  (CVE-2015-4479, CVE-2015-4480, CVE-2015-4493)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-83/

* Vulnerabilities found through code inspection
  Impact: High (CVE-2015-4487)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-90/

* Redefinition of non-configurable JavaScript object properties
  Impact: High (CVE-2015-4478)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-82/

* Out-of-bounds read with malformed MP3 file
  Impact: High (CVE-2015-4475)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-80/

* Arbitrary file overwriting through Mozilla Maintenance Service
  with hard links
  Impact: High, but only affects Windows systems (CVE-2015-4481)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-84/

* Crash when using shared memory in JavaScript
  Impact: Moderate (CVE-2015-4484)
  https://www.mozilla.org/en-US/security/advisories/mfsa2015-87/

Therefore, we still have an urgent need for GNU IceCat 38.2.

      Mark


