Re: [suse-security-announce] SUSE Security Announcement: Mozilla Firefox, Thunderbird, Seamonkey (SUSE-SA:2006:054)
Hi Marcus On Fri, Sep 22, 2006 at 03:02:16PM +0200, Marcus Meissner wrote:
x86 Platform: SUSE LINUX 9.3: ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c
is there some debugging enabled in this browser version? Many messages written to stdout/stderr. There were none when using MozillaFirefox-1.5.0.6-1.4. -- Stefan Tichy ( s.list at pi4tel dot de )
On Sunday 24 September 2006 11:41, Stefan Tichy wrote:
Hi Marcus
On Fri, Sep 22, 2006 at 03:02:16PM +0200, Marcus Meissner wrote:
x86 Platform: SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c
is there some debugging enabled in this browser version?
Many messages written to stdout/stderr. There were none when using MozillaFirefox-1.5.0.6-1.4.
I second this assessment. First launch following this update on 10.1 didn't appear on my desktop. Had to kill it manually. Second launch from a shell generated a profuse number of feedback sprinkled with errors... Carl
On Sun, Sep 24, 2006 at 11:44:44AM -0400, Carl Hartung wrote:
On Sunday 24 September 2006 11:41, Stefan Tichy wrote:
Hi Marcus
On Fri, Sep 22, 2006 at 03:02:16PM +0200, Marcus Meissner wrote:
x86 Platform: SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c
is there some debugging enabled in this browser version?
Many messages written to stdout/stderr. There were none when using MozillaFirefox-1.5.0.6-1.4.
I second this assessment. First launch following this update on 10.1 didn't appear on my desktop. Had to kill it manually. Second launch from a shell generated a profuse number of feedback sprinkled with errors...
We apparently left in debug information, which will be corrected with the next security update (knowing Mozilla in around 4 - 5 weeks). This should (must) however not harm regular functioning of the browser. Ciao, Marcus
On Sunday, 24 September 2006 19:16, Marcus Meissner wrote:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c
is there some debugging enabled in this browser version?
I second this assessment. First launch following this update on 10.1 didn't appear on my desktop. Had to kill it manually. Second launch from a shell generated a profuse number of feedback sprinkled with errors...
We apparently left in debug information, which will be corrected with the next security update (knowing Mozilla in around 4 - 5 weeks).
This should (must) however not harm regular functioning of the browser.
does the error message "no space left on device" ring any bell for you guys? Why are you so intent on filling our (the users) harddisks with debug output? There's zmd in 10.1 which easily produces a logfile of at least 30 megabytes only by starting, and now this. bye, MH -- gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
On Sunday 24 September 2006 09:16, Marcus Meissner wrote:
I second this assessment. First launch following this update on 10.1 didn't appear on my desktop. Had to kill it manually. Second launch from a shell generated a profuse number of feedback sprinkled with errors...
We apparently left in debug information, which will be corrected with the next security update (knowing Mozilla in around 4 - 5 weeks).
This should (must) however not harm regular functioning of the browser.
Ciao, Marcus
Why do you need 4 or 5 weeks to update YOUR error, and why does it depend on what Mozilla does? -- _____________________________________ John Andersen
Hi John. Well if you can't wait that long, try doing the following:
1. Uninstall the RPM version of Firefox.
2. Go to the Firefox website and download the latest version: firefox-1.5.0.7.tar.gz
http://www.mozilla.com/firefox/all.html
Unpack the firefox-1.5.0.7.tar.gz file.
to install it firefox, just run ./firefox, in the firefox directory tar created when you unpacked it.
If you run Firefox as the user that installed it, you can activate Firefox's automatic update feature. This appears under Help->Check for updates. If you are running Firefox as another person that did not install it, eg installed by root, and you are running as a normal user, this 'Help->Check for updates' feature will not be visible.
I prefer the automatic update feature of Firefox. This gets the updates 'in the background' as soon as they are released on the mozilla site. If you look under 'Edit->Preferences->Advanced-Update' you can set the automatic updates for Firefox from there.
You can create an icon in the menu editor, and for the command, just put,
'path/to/tar/unpacked/firefox/firefox'
Regards
Keith
On Sun, 24 Sep 2006, John Andersen wrote:
...
Why do you need 4 or 5 weeks to update YOUR error, and why does it depend on what Mozilla does?
-- _____________________________________ John Andersen
------------------------------------------------------------ http://www.karsites.net http://www.raised-from-the-dead.org.uk This email address is challenge-response protected with http://www.tmda.net ------------------------------------------------------------
You could even install the tar.gz version alongside the rpm version, just to make sure you're happy with the tar.gz version, then remove the rpm version later.
Keith
On Sun, 24 Sep 2006, Keith Roberts wrote:
To: suse-security@suse.com From: Keith Roberts <keith@karsites.net> Subject: Re: [suse-security] Re: [suse-security-announce] SUSE Security Announcement: Mozilla Firefox, Thunderbird, Seamonkey (SUSE-SA:2006:054)
Hi John. Well if you can't wait that long, try doing the following:
1. Uninstall the RPM version of Firefox.
2. Go to the Firefox website and download the latest version: firefox-1.5.0.7.tar.gz
http://www.mozilla.com/firefox/all.html
Unpack the firefox-1.5.0.7.tar.gz file.
to install it firefox, just run ./firefox, in the firefox directory tar created when you unpacked it.
If you run Firefox as the user that installed it, you can activate Firefox's automatic update feature. This appears under Help->Check for updates. If you are running Firefox as another person that did not install it, eg installed by root, and you are running as a normal user, this 'Help->Check for updates' feature will not be visible.
I prefer the automatic update feature of Firefox. This gets the updates 'in the background' as soon as they are released on the mozilla site. If you look under 'Edit->Preferences->Advanced-Update' you can set the automatic updates for Firefox from there.
You can create an icon in the menu editor, and for the command, just put,
'path/to/tar/unpacked/firefox/firefox'
Regards
Keith
On Sun, 24 Sep 2006, John Andersen wrote:
...
Why do you need 4 or 5 weeks to update YOUR error, and why does it depend on what Mozilla does?
-- _____________________________________ John Andersen
------------------------------------------------------------ http://www.karsites.net http://www.raised-from-the-dead.org.uk
This email address is challenge-response protected with http://www.tmda.net ------------------------------------------------------------
On Sunday 24 September 2006 14:28, Keith Roberts wrote:
I prefer the automatic update feature of Firefox. This gets the updates 'in the background' as soon as they are released on the mozilla site. If you look under 'Edit->Preferences->Advanced-Update' you can set the automatic updates for Firefox from there.
Hmmmm, that has all the appeal of a camel's nose under the tent flap. Seriously... Let's take this to the logical extreme and have every package perform its own upgrades. Just how soon will it be before someone exploits that, and "out-windows" Microsoft? I'm not expressing any particular distrust of the firefox group, just the idea in general. -- _____________________________________ John Andersen
John Andersen wrote:
On Sunday 24 September 2006 14:28, Keith Roberts wrote:
I prefer the automatic update feature of Firefox. This gets the updates 'in the background' as soon as they are released on the mozilla site. If you look under 'Edit->Preferences->Advanced-Update' you can set the automatic updates for Firefox from there.
Hmmmm, that has all the appeal of a camel's nose under the tent flap.
Seriously... Let's take this to the logical extreme and have every package perform its own upgrades. Just how soon will it be before someone exploits that, and "out-windows" Microsoft?
I'm not expressing any particular distrust of the firefox group, just the idea in general.
especially since this only works if you run firefox as root (or any other user with write permissions to the installation directory). Seems that this guy does. bad idea. bye, MH -- Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the personal data transmitted, as well as passing it on to third parties, is expressly prohibited!
On Sun, Sep 24, 2006 at 01:09:56PM -0800, John Andersen wrote:
On Sunday 24 September 2006 09:16, Marcus Meissner wrote:
I second this assessment. First launch following this update on 10.1 didn't appear on my desktop. Had to kill it manually. Second launch from a shell generated a profuse number of feedback sprinkled with errors...
We apparently left in debug information, which will be corrected with the next security update (knowing Mozilla in around 4 - 5 weeks).
This should (must) however not harm regular functioning of the browser.
Ciao, Marcus
Why do you need 4 or 5 weeks to update YOUR error, and why does it depend on what Mozilla does?
Actually I see what I can do. Ciao, Marcus
The Monday 2006-09-25 at 06:26 +0200, Marcus Meissner wrote:
Why do you need 4 or 5 weeks to update YOUR error, and why does it depend on what Mozilla does?
Actually I see what I can do.
Ciao, Marcus
But... but the output text is only seen if you open Mozilla from inside a terminal, isn't it? I don't find that a problem: when I open Mozilla in such a way is because I want to see the messages. Or is it dumped to some file instead?
There are a few programs that act in such a way. For instance, Nautilus is continuously dumping messages. See:
(gedit:23328): GLib-GObject-WARNING **: value "134896816" of type `gint' is invalid or out of range for property `sort-type' of type `gint'
** Message: don't know how to handle video/x-xvid, framerate=(fraction)25/1, width=(int)624, height=(int)352
** Message: don't know how to handle audio/mpeg, mpegversion=(int)1, layer=(int)3, rate=(int)48000, channels=(int)2, codec_data=(buffer)010002000000830101000000
** Message: don't know how to handle video/x-xvid, framerate=(fraction)25/1, width=(int)624, height=(int)352
I have perhaps hundreds of them, even if I try to redirect to /dev/null, because they come on the error file thing.
-- Cheers, Carlos E. R.
On Sep 25, Carlos E. R. <robin.listas@telefonica.net> wrote:
But... but the output text is only seen if you open Mozilla from inside a terminal, isn't it? I don't find that a problem: when I open Mozilla in such a way is because I want to see the messages. Or is it dumped to some file instead?
You find all those messages in ~/.xsession-errors
I have perhaps hundreds of them, even if I try to redirect to /dev/null, because they come on the error file thing.
use &>/dev/null to redirect all channels there.
Markus
--
__________________      /"\
Markus Gaugusch         \ /    ASCII Ribbon Campaign
markus(at)gaugusch.at    X     Against HTML Mail
                        / \
The Monday 2006-09-25 at 13:24 +0200, Markus Gaugusch wrote:
But... but the output text is only seen if you open Mozilla from inside a terminal, isn't it? I don't find that a problem: when I open Mozilla in such a way is because I want to see the messages. Or is it dumped to some file instead?
You find all those messages in ~/.xsession-errors
Ah, right, I forgot. I have 21 megs there at the moment.
I have perhaps hundreds of them, even if I try to redirect to /dev/null, because they come on the error file thing.
use &>/dev/null to redirect all channels there.
I always forget that...
-- Cheers, Carlos E. R.
Carlos, On Monday 25 September 2006 05:21, Carlos E. R. wrote:
...
I have perhaps hundreds of them, even if I try to redirect to /dev/null, because they come on the error file thing.
use &>/dev/null to redirect all channels there.
I always forget that...
And keep in mind that BASH and ZSH have a different redirection syntax than csh / tcsh. The one Markus gave is for BASH and ZSH.
Furthermore, order matters, so this:
% OutAndErrCommand >outFile 2>&1
redirects the standard output to outFile and then merges standard error onto that stream so the standard output and standard error both go to outFile.
On the other hand, this:
% OutAndErrCommand 2>&1 >outFile
is no different than this:
% OutAndErrCommand >outFile
because merging err onto the standard output descriptor before standard output is redirected to a file has no effect.
-- Cheers, Carlos E. R.
Randall Schulz
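The redirection orders discussed in the message above, as an added example that is not part of the original thread; `noisy`, `probe` and the file names are constructed for illustration. It points the caller's stdout and stderr at separate files so the destination of each stream is visible; at an interactive prompt both would be the terminal.

```sh
#!/bin/sh
# Added example: where stdout and stderr land for each redirection order.
# noisy, probe and all file names are constructed for this illustration.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Stand-in for a chatty program: one line on stdout, one on stderr.
noisy() {
    echo "page loaded"
    echo "debug: trace message" >&2
}

# Line count of a file, without the padding some wc versions add.
lines() { wc -l <"$1" | tr -d ' '; }

# probe ORDER: run noisy with the given redirection order and report how many
# lines reached outFile, the caller's stdout and the caller's stderr.
probe() {
    out="$workdir/outFile"; so="$workdir/stdout"; se="$workdir/stderr"
    : >"$out"
    {
        case $1 in
            # fd 1 -> outFile, then fd 2 becomes a copy of fd 1: both in outFile.
            # (bash/zsh "&>outFile" is shorthand for this form.)
            file-then-dup) noisy >"$out" 2>&1 ;;
            # fd 2 becomes a copy of fd 1 as it is now (the caller's stdout),
            # then only fd 1 moves to outFile: stderr is not captured.
            dup-then-file) noisy 2>&1 >"$out" ;;
            # fd 2 untouched: stderr stays on the caller's stderr.
            stdout-only)   noisy >"$out" ;;
        esac
    } >"$so" 2>"$se"
    echo "outFile=$(lines "$out") stdout=$(lines "$so") stderr=$(lines "$se")"
}

for order in file-then-dup dup-then-file stdout-only; do
    printf '%-14s %s\n' "$order" "$(probe "$order")"
done
```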
The Monday 2006-09-25 at 05:44 -0700, Randall R Schulz wrote:
And keep in mind that BASH and ZSH have a different redirection syntax than csh / tcsh. The one Markus gave is for BASH and ZSH.
No problem, I only use bash.
Furthermore, order matters, so this:
% OutAndErrCommand >outFile 2>&1
redirects the standard output to outFile and then merges standard error onto that stream so the standard output and standard error both go to outFile.
I'll save this mail for the next time I forget. I'm aware of the possibilities, but I can't remember them when I need those redirections, nor do I remember a man page that explains them.
-- Cheers, Carlos E. R.
Marcus Meissner wrote:
On Sun, Sep 24, 2006 at 11:44:44AM -0400, Carl Hartung wrote:
On Sunday 24 September 2006 11:41, Stefan Tichy wrote:
Hi Marcus
On Fri, Sep 22, 2006 at 03:02:16PM +0200, Marcus Meissner wrote:
x86 Platform: SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c is there some debugging enabled in this browser version?
This should (must) however not harm regular functioning of the browser.
Ciao, Marcus
There is a more serious problem with the update on amd64. firefox fails while loading the shared library libaoss.so, strace shows a bus error. One user couldn't start firefox while others just could not start external programs like acroread. Easy workaround is to disable the LD_PRELOAD of libaoss.so in the script /usr/bin/firefox, but I haven't checked yet what this does to sound output. Holger.
On Mon, Sep 25, 2006 at 07:10:55PM +0200, Holger Hellmuth wrote:
Marcus Meissner wrote:
On Sun, Sep 24, 2006 at 11:44:44AM -0400, Carl Hartung wrote:
On Sunday 24 September 2006 11:41, Stefan Tichy wrote:
Hi Marcus
On Fri, Sep 22, 2006 at 03:02:16PM +0200, Marcus Meissner wrote:
x86 Platform: SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c is there some debugging enabled in this browser version?
This should (must) however not harm regular functioning of the browser.
Ciao, Marcus
There is a more serious problem with the update on amd64. firefox fails while loading the shared library libaoss.so, strace shows a bus error. One user couldn't start firefox while others just could not start external programs like acroread.
Easy workaround is to disable the LD_PRELOAD of libaoss.so in the script /usr/bin/firefox, but I haven't checked yet what this does to sound output.
Which distribution? Ciao, Marcus
Marcus Meissner wrote:
There is a more serious problem with the update on amd64. firefox fails while loading the shared library libaoss.so, strace shows a bus error. One user couldn't start firefox while others just could not start external programs like acroread.
Easy workaround is to disable the LD_PRELOAD of libaoss.so in the script /usr/bin/firefox, but I haven't checked yet what this does to sound output.
Which distribution?
It seems only on 9.3 and amd64 (checked on two machines), one machine with 10.0 and x86 didn't have the problem. Couldn't check on the others because they don't have the (weekly) update yet and I don't want to haste it ;-). Holger.
On Mon, Sep 25, 2006 at 07:49:44PM +0200, Holger Hellmuth wrote:
Marcus Meissner wrote:
There is a more serious problem with the update on amd64. firefox fails while loading the shared library libaoss.so, strace shows a bus error. One user couldn't start firefox while others just could not start external programs like acroread.
Easy workaround is to disable the LD_PRELOAD of libaoss.so in the script /usr/bin/firefox, but I haven't checked yet what this does to sound output.
Which distribution?
It seems only on 9.3 and amd64 (checked on two machines), one machine with 10.0 and x86 didn't have the problem. Couldn't check on the others because they don't have the (weekly) update yet and I don't want to haste it ;-).
I tried 9.3-x86_64 and it worked fine on my machine :/ Ciao, Marcus
Marcus Meissner wrote on 24.09.2006 19:16:
On Sun, Sep 24, 2006 at 11:44:44AM -0400, Carl Hartung wrote:
On Sunday 24 September 2006 11:41, Stefan Tichy wrote:
Hi Marcus
On Fri, Sep 22, 2006 at 03:02:16PM +0200, Marcus Meissner wrote:
x86 Platform: SUSE LINUX 9.3:
ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/MozillaFirefox-1.5.0.7-1.1.i586.rpm 746a56a6aa9402287d7c0f054989689c is there some debugging enabled in this browser version?
Many messages written to stdout/stderr. There were none when using MozillaFirefox-1.5.0.6-1.4. I second this assessment. First launch following this update on 10.1 didn't appear on my desktop. Had to kill it manually. Second launch from a shell generated a profuse number of feedback sprinkled with errors...
We apparently left in debug information, which will be corrected with the next security update (knowing Mozilla in around 4 - 5 weeks).
This should (must) however not harm regular functioning of the browser.
Ciao, Marcus
Marcus, maybe the debugging causes Firefox to beep now and then - when loading a page, when AdBlock plus is trying to hide a non-wanted picture and so on? With 10.1/i586, I had to disable HTML Validator, it just does not work - with 10.0/x86_64 it still runs. Cheers Werner -- Werner Flamme, Abt. WKDV UFZ Umweltforschungszentrum Leipzig-Halle GmbH, Permoserstr. 15 - 04318 Leipzig Tel.: (0341) 235-3921 - Fax (0341) 235-453921 http://www.ufz.de - eMail: werner.flamme@ufz.de
participants (11)
- Carl Hartung
- Carlos E. R.
- Holger Hellmuth
- John Andersen
- Keith Roberts
- Marcus Meissner
- Markus Gaugusch
- Mathias Homann
- Randall R Schulz
- Stefan Tichy
- Werner Flamme