* Ludwig Nussel
Wolfgang Rosenauer wrote:
Am 15.01.2014 22:03, schrieb Guido Berhoerster:
* Wolfgang Rosenauer
[2014-01-15 11:51]: I've just created a submitrequest to Factory for the source package mozjs24 (Mozilla JS engine version 24).
This is basically an update for mozjs17 and not a real new package. mozjs17 has to stay though until all consumers have been changed to use mozjs24. mozjs17 is unmaintained from a security perspective so depending projects should look into migrating to use mozjs24 instead.
What does that mean for 13.1, will you backport security fixes for its and subsequently Evergreen's lifetime? Just wondering because there is this steaming pile called PolicyKit which currently depends on libmozjs-17 and only supports either 17.0 or 18.5...
Security fixes will be backported on a best effort base I'd say because there are not many choices.
Security fixes in the Javascript engine are not much of relevance for policykit anyways as policykit only executes Javascript code that the admin provides.
While the js code comes from trusted sources (package or admin) polkit passes bunch of input from the system, some of which user-controllable (e.g. pkexec commandline), to the js engine, so if that can be used to trigger a bug in mozjs (e.g. memory corruption) which affects the evaluation or returned results it could potentially be exploited to bypass access restrictions. -- Guido Berhoerster -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org