Chain of mozjs-related updates that might be worth doing in Fedora 44

Hello,

I use Fedora 44 with Cinnamon DE and I’ve noticed the following.

The current version of Cinnamon in Fedora 44 is 6.6.7 and the latest version is 6.6.8. The only difference between those patch level releases is resolving the following compatibility issue:

CJS in Fedora 44 is still 128.1 but in rawhide it was upgraded to 140.0 about two months ago:

CJS is JavaScript Bindings for Cinnamon, like GJS is JavaScript Bindings for GNOME.

Both CJS and GJS use the mozjs* package as a dependency, but of different upstream versions:

  • CJS → still mozjs128 version 128.11.0-9.fc44
  • GJS → already mozjs140 version 140.6.0-4.fc44

As far as I know, mozjs140 itself is basically the JS engine taken from the Firefox 140.x ESR release. And according to Directory Listing: /pub/firefox/releases/ the latest release of Firefox 140.x ESR is 140.11.0, released on May 18 this year (two weeks ago).

As you probably remember, Mozilla resolved many security vulnerabilities and stability issues in Firefox in the last two months, and they probably backported most of those fixes to Firefox 140.x ESR.

The following is the list of such fixes in Firefox 140 ESR after 140.6:

With all this in mind I think it would be a good idea to do the following chain of patch level updates in Fedora 44:

  • mozjs140 from 140.6.0 to 140.11.0
  • GJS to use the new version of the mozjs140 dependency
  • CJS from 128.1 to 140.0 with the new version of the mozjs140 dependency instead of older mozjs128
  • Maybe a few other packages that depend on mozjs
  • Cinnamon from 6.6.7 to 6.6.8 with new versions of CJS and mozjs dependencies

What are the chances that this will be done in Fedora 44?

P.S. While I’ve made a few minor fixes to some Fedora packages, this task seems too large to tackle on my own.
P.P.S. For some unknown reason the f44 and cinnamon tags are unavailable here, only the gnome one, so I tagged this with gnome only.

I probably won’t unless the CVEs directly affect CJS.

The real-world risk is somewhat reduced for both because mozjs in this context is only meant to run trusted JavaScript — like GNOME Shell extensions or Cinnamon applets — not untrusted web content. Many Firefox CVEs involve browser-specific attack vectors (navigating to malicious URLs, cross-origin iframes, web APIs) that simply don’t apply when there’s no web renderer involved.

My focus has switched to rawhide and to addressing integration and bug fixes upstream.

Note: My copr targets 6.7.x-unstable (git releases)

AI has inflated the bugfix rate.

How can this be checked? The corresponding bug reports in Mozilla’s Bugzilla aren’t publicly viewable. However, there are numerous CVEs related to the JavaScript engine, each specifying the type of issue. For example, there are many “use-after-free” CVEs and several other types of CVEs related to JavaScript.

I have updated mozjs128 to the latest version.

https://bodhi.fedoraproject.org/updates/FEDORA-2026-ef3d9a07c8

It’s hard to imagine how a Firefox CVE would be relevant to cjs. In Firefox, you run untrusted JavaScript that has highly limited permissions; if it’s able to gain code execution or even just leak info from other websites, that’s a major vulnerability. Whereas in cjs, you let the JavaScript execute whatever code it wants. It doesn’t really matter if there are security issues that would allow the script to compromise the interpreter, because the script can already do whatever it wants regardless.

Thank you very much!

IMHO Firefox CVEs could still be relevant to cjs from the stability point of view. I just thought that if mozjs140 is already in Fedora 44 and already in use by conceptually similar gjs, it would be safe to switch cjs from mozjs128 to mozjs140 as well and to upgrade the mozjs140 itself to its latest version. Especially if Cinnamon upstream already supports this officially in their latest 6.6.8 patch level update.

I don’t consider switching from girepository-1.0 to version 2.0 an acceptable change for a stable Fedora release.