Bugzilla Bug 141842

new version

http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox1.5.0.5
vulnerabilities fixed:

MFSA 2006-56  chrome: scheme loading remote content
MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
MFSA 2006-53 UniversalBrowserRead privilege escalation
MFSA 2006-52 PAC privilege escalation using Function.prototype.call
MFSA 2006-51 Privilege escalation using named-functions and redefined "new
Object()"
MFSA 2006-50 JavaScript engine vulnerabilities
MFSA 2006-48 JavaScript new Function race condition
MFSA 2006-47 Native DOM methods can be hijacked across domains
MFSA 2006-46 Memory corruption with simultaneous events
MFSA 2006-45 Javascript navigator Object Vulnerability
MFSA 2006-44 Code execution through deleted frame reference

A USE flag for spatial navigation would be appreciated.

http://www.mozilla.org/access/keyboard/snav/

Judging from the bugs security might want to grab this one...

The other products have been updates too, of course.

Mozilla, would you please provide new ebuilds for firefox/thunderbird-1.5.0.5
and seamonkey-1.0.3, respectively?

(and bear with me should I mess this one up, not comfortable with this yet .-)

I don't want to be rude, but is the Mozilla Team highly short-staffed? This
seems a long response time for an incremental update which fixes 'Highly
Critical' security issues, according to Secunia.

You might want to hurry up with this one. Someone just posted working exploit
code for one of the security holes:

http://browserfun.blogspot.com/2006/07/mobb-28-mozilla-navigator-object.html

seems to be a new trend to make PoCs for gentoo systems ... not sure if i like
or hate that

Seamonkey-1.0.3 is in cvs now. Thunderbird and firefox should follow soon.

Thunderbird and firefox bumped in cvs as well.

Don't forget:
www-client/mozilla-firefox-bin
mail-client/mozilla-thunderbird-bin

-bin packages bumped.

Calling arches with a plea to make this urgent. Thank you!

To recap, this a collection of

www-client/seamonkey
www-client/mozilla-firefox
www-client/mozilla-firefox-bin
mail-client/mozilla-thunderbird
mail-client/mozilla-thunderbird-bin

As discussed in Bug 142064 (which probably should me merged with this one), the
language packs for firefox-1.5.0.5 found on gentoo mirrors only contain the
output of wget downloading the language packs, *not* the actual language packs
:) Building the new firefox with something in LINGUAS thus won't work.

*** Bug 142064 has been marked as a duplicate of this bug. ***

Sorry guys (about the xpi screwup) - it's fixed in cvs now.

ppc stable

x86

www-client/mozilla-firefox: emerged cleanly with lingua ES
www-client/seamonkey: emerged cleanly (not tried crypt)
mail-client/mozilla-thunderbird: emerged cleanly (not tried crypt)

Later I'll test the bin versions. I tried to emerge the bin versions
(--pretend) without removing the nobin ones and I didn't get any block. Should
not this be disallowed?

Info Regression:
Windows MediaPlayer plugin stopped working on specific website with FF 1.5.0.5
(mms)
(FF/SM)
http://groups.google.com/group/mozilla.dev.apps.seamonkey/browse_thread/thread/ab95c20c9f1239fc/90bc682fdadfd209#90bc682fdadfd209
https://bugzilla.mozilla.org/show_bug.cgi?id=346167
There will be Version FF 1.5.0.6 and SM 1.0.4 next week.

So my computer has its Firefox weeks...only compiling one app 24/7!

After some hours :) I am able to write this entry with the Firefox to be
stabled.

1) emerges fine so far 
dodoc: LEGAL does not exist

2) passes collision test
3) works fine so far (have not tested streaming) with some sites with a lot of
scripting...

Thunderbird and Seamonkey, plus the two bin versions will follow...

Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.17-gentoo-r4 i686)
=================================================================
System uname: 2.6.17-gentoo-r4 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash
/etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa arts artworkextra asf audiofile avi
bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo
cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus
dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss
encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran
ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn
imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k ldap leim
libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng
mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nptl
nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf pdflib perl plotutils pmu
png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline
reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib
tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb
vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib
elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de
userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS

You wanted Thunderbird, you will get it...

1) emerges fine
2) passes collision test
3) fetched email, sent email, encrypted email, decrypted email, only POP/SMTP

seamonkey is hit by bug #139704 on my system...I will test some USE flag
combinations, but that will take some time. USE="mozcalendar" has no effect up
to now.

firefox-bin

1) emerges fine so far, but lib-compat as dependency is upset by its
emerge...it states that it should not be used.
2) passes collision test
3) works (currently are writing this report with it)

thunderbird-bin

1) emerges fine (though lib-compat complains again)
2) passes collision test
3) works fine

I've got my O2 building firefox-1.5.0.5 as I type this.  I'll let you all know
how it goes.  This said, it's only recently that Firefox gained a ~mips
keyword, so it may be some time before we can reasonably mark any release
stable.

A heads-up... this release (1.5.0.5) seems to have broken handling of mms://
and rm:// streams with external plugins, which may affect plugins such as
Mozplugger & MPlayer that provide a Windows Media Player implementation on
Linux.

There's a patch already applied upstream that fixes this, and I've put this
patch into the set for 1.5.0.5, but it's not presently in the ebuilds yet. 
Apparently, 1.5.0.6 is due out in the next fortnight or so to fix this (and
probably other) issue, so I'm at two minds whether to push this fix now, or
whether to wait and see.

The updated patchset is already in distfiles-local on woodpecker, and I'll
update the ebuild appropriately if the issue arises. :-)

seamonkey builds without USE="crypt" perfectly fine, so I add the corresponding
bug as a dependency.  Also an old bug marked as WORKSFORME for version 1.0.1
(so maintainers have more data) is added, this problem seems to persist since
long and should be no blocker for this security stabilisation.

1.0.3 passes collision test and works fine for me, tested web, mail, IRC and
composer

Galeon 2.0.1-r2 (unstable) emerged fine on seamonkey.

firefox and thunderbird are stable on SPARC.  seamonkey 1.0.3 is unfortunately
still quite crash happy.

>>> checking firefox-en-GB-1.5.0.5.xpi
!!! Digest verification failed:
!!! /usr/portage/distfiles/firefox-en-GB-1.5.0.5.xpi
!!! Reason: Failed on MD5 verification
!!! Got: 9477ebb359db57e77ca75422dc50dc65
!!! Expected: 6ef752816f72918a8b3fec432c4f7dbb

I tried the file from a couple of mirrors, including distfiles.gentoo.org.

firefox and thunderbird are marked stable on amd64
seamonkey, firefox-bin and thunderbird-bin remain

It fails on spanish translation on AMD64, too:
--------
>>> Emerging (1 of 3) www-client/mozilla-firefox-1.5.0.5 to /
>>> checking ebuild checksums ;-)
>>> checking auxfile checksums ;-)
>>> checking miscfile checksums ;-)
>>> checking firefox-1.5.0.5-source.tar.bz2 ;-)
>>> checking mozilla-firefox-1.5.0.5-patches-0.1.tar.bz2 ;-)
>>> checking firefox-es-ES-1.5.0.5.xpi
!!! Digest verification failed:
!!! /usr/portage/distfiles/firefox-es-ES-1.5.0.5.xpi
!!! Reason: Failed on MD5 verification
!!! Got: 65b06d6db94fe449c51d47fb80a79274
!!! Expected: ed94386b270ab386f5b845084de1199
---------------------

(In reply to comment #26)
> The updated patchset is already in distfiles-local on woodpecker, and I'll
> update the ebuild appropriately if the issue arises. :-)

Please update the ebuild, as there's no way we can wait up to 14 days with
regards to the release.  Thanks...

stable on hppa

x86

I tested today thunderbird and seamonkey with the crypt flag enabled without
any problem. I send an encrypted mail with both.

I am not able to reproduce Bug 135646 nor Bug 139704

BTW and again, shouldn't the bin version be blocked but the normal ones and the
same in the other way?

(In reply to comment #34)
> BTW and again, shouldn't the bin version be blocked but the normal ones and the
> same in the other way?

Why?  They can both be installed on the same system quite safely.  It's not
like they provide the same files, as the source-based versions install to /usr
and the bin install to /opt...

seamonkey-1.0.3 stable on alpha. firefox and thunderbird remain in
default-linux/alpha/package.mask, see Bug #128777 and Bug #131359.

firefox and thunderbird are all done on x86, I've not gotten to seamonkey yet
though I'll try to get to it tonight.

So far we whats seems to be left is

firefox:         arm i64 x86
firefox-bin:     x86
thunderbird:     i64 (sparc) x86  (sparc said ready, not seeing it yet)
thunderbird-bin: x86
seamonkey:       alpha amd64 x86

The vulnerability shows about half of the bugs not affecting the 1.0 branch of
ff/tb; the other half has no mention about that (mfsa2006-50/51/52/53/55/56),
which makes me wonder whether we should mask 1.0.x out this time (unfortunately
leaving Alpha with only Seamonkey). Rest of SecTeam, comments?

I'm also a little irritated - my understandig was we switched from mozilla to
seamonkey (anarchy's last work, as it seems) because of sec problems with
mozilla, but it's still there. Are we still building gnome against the
vulnerable mozilla, then?

As a last note, I seem to remember a (short) glorious time when new firefox
builds would not overwrite my searchplugins that I painstakingly have to put
there again and again now ... could we bring those golden days back sometime?

After failing to compile seamonkey twice with USE="crypt", I successfully build
it without it.  After that I could not reproduce the error anymore....I hate
that.  So, _everything_ works for me now.

(In reply to comment #38)
> So far we whats seems to be left is
> 
> firefox:         arm i64 x86
> firefox-bin:     x86
> thunderbird:     i64 (sparc) x86  (sparc said ready, not seeing it yet)
> thunderbird-bin: x86
> seamonkey:       alpha amd64 x86
> 
> The vulnerability shows about half of the bugs not affecting the 1.0 branch of
> ff/tb; the other half has no mention about that (mfsa2006-50/51/52/53/55/56),
> which makes me wonder whether we should mask 1.0.x out this time (unfortunately
> leaving Alpha with only Seamonkey). Rest of SecTeam, comments?
> 
> I'm also a little irritated - my understandig was we switched from mozilla to
> seamonkey (anarchy's last work, as it seems) because of sec problems with
> mozilla, but it's still there. Are we still building gnome against the
> vulnerable mozilla, then?
> 

Don't forget that seamonkey fails pretty quickly on sparc; Please review Bug
137198 and especially Comments 4, 22 on that bug, as well as the accompanying
strace of the failure.  Note also Weeve's Comment #28 on this bug.

Thus, on sparc at least, seamonkey in its current state cannot be a mozilla
replacement.

> As a last note, I seem to remember a (short) glorious time when new firefox
> builds would not overwrite my searchplugins that I painstakingly have to put
> there again and again now ... could we bring those golden days back sometime?
> 

(In reply to comment #38)
> So far we whats seems to be left is
> seamonkey:       alpha amd64 x86

Alpha has 1.0.3 stable. See comment #36. Is their more we have to do?

> which makes me wonder whether we should mask 1.0.x out this time
> (unfortunately leaving Alpha with only Seamonkey).

alpha already has only Seamonkey. We've had firefox masked in
default-linux/alpha/package.mask since June 5th. Don't let us hold you up from
removing 1.0.x.

Unfortunately I obviously lag behind with packages.g.o

New grid of 'open' things from what I see:

seamonkey:       amd64 x86
firefox:         arm i64
thunderbird:     ia64 [sparc]

sparc said ready on tb, still not seeing it yet
ia64: your opinion about masking 1.0 branch? That would leave you without
seamonkey and an (IMHO) vulnerable mozilla only.

Starting to look good ...

Seamonkey complete on x86.  Thanks to the x86 AT's for testing.

Forgive me guys, for being so penetrant, but given the assumed number of
installed mozilla packages we feel this is a little pressing.

We still need some feedback from amd64 [seamonkey], ia64 [ff, tb] and arm [ff].

Sparc, your thunderbird still does not show up as stable on p.g.o for me, can
you recheck?

Thanks for your patience bearing with me!

seamonkey-1.0.3 on amd64 compiles fine and seems to be working ok...

emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4,
2.6.17-suspend2-r3-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 unknown
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer
multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv
usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds
emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6
isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl
pam pcre pdflib perl png pppd python qt qt3 qt4 quicktime readline reflection
sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb
userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard
input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU
video_cards_dummy"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

thanks, amd64 is done here

seamonkey, tb-bin and ff-bin are ready for GLSA
thunderbird is still missing sparc keyword

thunderbird sparc stable.

Ready for GLSA.

New versions for Firefox (1.5.0.6) and Seamonkey(1.0.4) have been released
today. :-)

(In reply to comment #26)
> Apparently, 1.5.0.6 is due out in the next fortnight or so to fix this (and

I've been watching this bug and I find it kind of comical that this was ALMOST
pushed out before the new version came out.. 1.5.0.6 is out now. See:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/releases/1.5.0.6/

Just FYI and keep up the good work! =)

1.5.0.6 / 1.0.4 do not fix security related bugs, though, just the regression
mentioned in #20.

seamonkey done in GLSA 200608-02 

firefox done as GLSA 200608-03

and TB as GLSA 200608-04

Thanks everyone for enduring the pain.

Does not affect current (2008.0) release. Removing release.