Re: Security update of firefox-esr for Wheezy

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: Raphael Hertzog <hertzog@debian.org>, Mike Hommey <mh@glandium.org>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Security update of firefox-esr for Wheezy
From: Guido Günther <agx@sigxcpu.org>
Date: Fri, 30 Sep 2016 12:21:41 +0200
Message-id: <[🔎] 20160930102141.zvtn7gulqclvqnun@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@sigxcpu.org>, Emilio Pozuelo Monfort <pochu@debian.org>, Raphael Hertzog <hertzog@debian.org>, Mike Hommey <mh@glandium.org>, Debian LTS <debian-lts@lists.debian.org>
In-reply-to: <[🔎] a3da515a-c642-4abe-d7a8-f1258a700cd5@debian.org>
References: <20160804175028.GA4692@bogon.m.sigxcpu.org> <20160804210229.nzrxjuwmzqpwaskq@glandium.org> <9e42f70e-8b89-9053-95aa-d2bccaefd186@debian.org> <20160807105024.GA7538@bogon.m.sigxcpu.org> <20160807201709.GB25889@home.ouaza.com> <d56bd132-f268-3c53-97ef-61f587ab8ebd@debian.org> <20160808082013.GA3220@home.ouaza.com> <[🔎] dff175c3-267a-a4ce-232b-9f949201625e@debian.org> <[🔎] 20160902063920.pxmsnxxvwxpxgxry@bogon.m.sigxcpu.org> <[🔎] a3da515a-c642-4abe-d7a8-f1258a700cd5@debian.org>

Hi Emilio,
On Sat, Sep 03, 2016 at 12:12:55PM +0200, Emilio Pozuelo Monfort wrote:
> On 02/09/16 08:39, Guido Günther wrote:
> > On Fri, Sep 02, 2016 at 01:26:05AM +0200, Emilio Pozuelo Monfort wrote:
> >> On 08/08/16 10:20, Raphael Hertzog wrote:
> >>> On Mon, 08 Aug 2016, Emilio Pozuelo Monfort wrote:
> >>>>> Shall we mark gcc-4.8 as unsupported in wheezy, explaining that its only
> >>>>> purpose is to enable build of other packages?
> >>>>
> >>>> That would make sense.
> >>>>
> >>>> I'll see if I can take a look at this.
> >>>
> >>> The problematic part is likely libstdc++. I would expect the new gcc to
> >>> assume that you have the corresponding libstdc++.
> >>>
> >>> Mike once told that Firefox has special code to avoid the increased
> >>> dependency but that might not be the case of other packages that we might
> >>> want to build with a newer gcc.
> >>
> >> I had a look at this. Matthias pointed me to gcc-mozilla from Ubuntu, which is
> >> GCC 4.8.4 shipped in one package. I built that for Wheezy, then built
> >> firefox_49.0~b1-1 using that. I had to disable PIE, but other than that it built
> >> fine and seems to work well. So I think we could go this route.
> >>
> >> For GCC at least we need to drop the gfdl bits, and we may want to update to
> >> 4.8.5, but in general it seems to work well. I was hitting a build failure that
> >> I could workaround by using an interactive shell. No idea if it's a pbuilder
> >> problem or what. That would need a little investigation.
> >>
> >> For Firefox, I didn't look much at the PIE issue. I just saw that it fails on a
> >> simple configure test when enabled, at the linker stage. With pie disabled,
> >> everything went well.
> > 
> > That sounds great. Did you put the packages somewhere? I don't think we'll
> > run into any extra issues with Icedove but it might be worth checking
> > this out before the current ESR versions go EOL.
> 
> Packages are at https://people.debian.org/~pochu/lts/gcc/
> 
> gcc-mozilla is the one from [1], but putting it here for convenience (you can't
> dget from launchpad). Let me know if it works for you or if you have any issues.

I checked with current icedove and it builds a well when disabling
PIE. So with your proposed changed (disabling gfdl, updating to the
latest 4.8 version) we should be good. Are you going to look into this?

Cheers,
 -- Guido

Reply to:

References:
- Re: Security update of firefox-esr for Wheezy
  - From: Emilio Pozuelo Monfort <pochu@debian.org>
- Re: Security update of firefox-esr for Wheezy
  - From: Guido Günther <agx@sigxcpu.org>
- Re: Security update of firefox-esr for Wheezy
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: wheezy update for libav
Next by Date: Re: Bug#839226: [PATCH] cups : SSL is vulnerable to POODLE
Previous by thread: Re: Security update of firefox-esr for Wheezy
Next by thread: qemu: CVE-2016-7116
Index(es):
- Date
- Thread