Warning: signed add-ons crash Pale Moon


Unread post by Moonchild » 2015-04-25, 08:38

Warning: Mozilla has started pushing out signed add-ons through addons.mozilla.org that will crash Pale Moon when you attempt to install them.

Research so far indicates that this is caused by corrupt extension archives, most likely caused by Mozilla's server-side signing procedure introducing errors in the JAR archives that extensions are packed in. These corrupted archive packages will trigger a crash in Pale Moon (and older Firefox versions alike), which are sensitive to this type of signed archive corruption. Manually signed extension packages have always been just fine, so as far as we can tell it is Mozilla's server-side signing procedure that introduces the error.

We are working on halting these updates server-side for the time being, but until someone can reconfigure our add-ons server to temporarily halt these updates, it may result in the current crashes.
UPDATE: We have now successfully halted the automatic faulty updates being served through our add-ons server, so the steps below have become optional (although still required if you are using an older version of Pale Moon).

Once again, to be clear: This is a direct result of a problem in Firefox extension packages as served by Mozilla. It is not caused by a Pale Moon update or otherwise an error in the browser (just being a little less robust when encountering corrupted signed installation files).

What to do if you experience sudden crashes:
  1. Go to Add-Ons (add-on manager) in the menu (or press Ctrl+Shift+A)
  2. Click the gear at the top
  3. Uncheck "Update add-ons automatically"
This will prevent the browser from checking for updates and pulling down extension packages that may crash your browser.

Re: Warning: signed add-ons crash Pale Moon

Unread post by Moonchild » 2015-04-25, 13:58

An update to this announcement:

We have completely analyzed the problem and it is two-fold:
  1. Mozilla's server-side signing produces a manifest file that has an improper file ending, which is what is causing the immediate crash. A point release of Pale Moon will be built and released as soon as possible to prevent the crashes seen upon installing an extension with this kind of signature problem. Expect 25.3.2 very soon.
  2. Mozilla's server-side signing, additionally, creates signature files that are empty and do not list the files to check. This means that even though the extensions have checksums in the metadata that has been added, they are not actually tied to the included Mozilla certificate and will not be checked for authenticity at all, even in current Firefox versions. This, first assumed to be the root cause of the crash, likely does not affect the crashes seen, but obviously will not provide any authenticity check of the signed files inside the extension either (since the files are not checked against Mozilla's certificate).
Both of these problems are a direct result of the incorrect server-side signing of extensions that started yesterday. A bug has been opened to address this at Mozilla, bug #1158467, and as a stopgap measure we have temporarily stopped the checks for extension updates to addons.mozilla.org.

Versions affected:
Pale Moon for desktop (all current versions on all operating systems)
Pale Moon for Android (all versions)

What happens next?
  • We are working on releasing a point release of Pale Moon on all platforms to stop the crash from occurring on bogus data.
  • Once this point release is published, it and any future versions of Pale Moon will resume checking and updating extensions as normal. No action is required to make this happen, unless you manually switched update checking off.
  • Older versions of the browser (25.3.1 and older) will remain blocked from updating extensions this way (because they are still prone to crashing) until such time as Mozilla fixes their signatures in their Firefox extensions.
Please note that this server-side signing is being done retroactively - and you may not be able to currently get new installations of extensions that are not signed (even older versions are being put through the signing process). This also affects all Firefox versions prior to Australis -- they will crash.
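A structural pre-install check for the two defects described in the second post, as an added example that is not part of the original posts and is not Pale Moon or Mozilla code. It assumes that "improper file ending" means the manifest's last line has no line terminator (the post does not say), and the function names, sample archive and placeholder digests are constructed; it inspects the archive layout only and does not verify any signature.

```python
import io
import zipfile

def parse_names(text):
    """Name: values from a JAR manifest or .sf file (continuation lines joined)."""
    names, current = set(), None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n") + [""]:
        if line.startswith(" ") and current is not None:
            current += line[1:]          # continuation of a wrapped Name: value
            continue
        if current is not None:
            names.add(current)
        current = line[6:] if line.startswith("Name: ") else None
    return names

def audit_xpi(data):
    """Structural findings for a signed XPI/JAR given as bytes (no crypto check)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = {n: zf.read(n) for n in zf.namelist() if not n.endswith("/")}
    meta = {n.lower(): n for n in entries if n.lower().startswith("meta-inf/")}
    sfs = [n for low, n in meta.items() if low.endswith(".sf")]
    if "meta-inf/manifest.mf" not in meta or not sfs:
        return ["archive is not signed (manifest or .sf file missing)"]
    findings = []
    raw = entries[meta["meta-inf/manifest.mf"]]
    # Assumption: "improper file ending" = last line has no line terminator.
    if not raw.endswith((b"\n", b"\r")):
        findings.append("manifest does not end with a line terminator")
    mf_names = parse_names(raw.decode("utf-8", "replace"))
    for n in sorted(set(entries) - set(meta.values()) - mf_names):
        findings.append(f"not listed in manifest: {n}")
    for sf in sfs:
        sf_names = parse_names(entries[sf].decode("utf-8", "replace"))
        if not sf_names:
            findings.append(f"{sf} lists no files")
        else:
            findings += [f"{sf} omits: {n}" for n in sorted(mf_names - sf_names)]
    return findings

def build_sample(manifest, sf):
    """Constructed test archive; digest values are placeholders, not real hashes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("META-INF/manifest.mf", manifest)
        zf.writestr("META-INF/mozilla.sf", sf)
    return buf.getvalue()

ENTRY = "Name: install.rdf\nSHA1-Digest: PLACEHOLDER\n\n"  # constructed section
```
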