Bug#: 165555
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Executioner <keith@email.arizona.edu>

Description:   Opened: 2007-02-06 03:01 0000
There is an interesting vulnerability in the default behavior of Firefox
built-in popup blocker. This vulnerability, coupled with an additional trick,
allows the attacker to read arbitrary user-accessible files on the system, and
thus steal some fairly sensitive information.

Reproducible: Didn't try




http://www.securiteam.com/securitynews/5JP051FKKE.html

------- Comment #1 From Raphael Marichez 2007-02-10 22:09:38 0000 -------
Thanks. AFAIK, there is no upstream fixed version yet.

------- Comment #2 From Raphael Marichez 2007-02-23 15:49:48 0000 -------
*** Bug 166945 has been marked as a duplicate of this bug. ***

------- Comment #3 From Raphael Marichez 2007-02-23 20:06:35 0000 -------
http://www.mozilla.org/security/announce/

As usual, the CVE and vulnerable packages on the mozilla site are not exact and
a little work must be done to sort the vulns.

The following packages have just been released and fix the vulnerabilities:

Firefox 2.0.0.2
Firefox 1.5.0.10
SeaMonkey 1.0.8
Thunderbird 1.5.0.10
NSS 3.11.5

CVE-2006-6077 mfsa2007-02 FF SM
CVE-2007-0008 mfsa2007-06 (FF SM TB) NSS
CVE-2007-0009 mfsa2007-06 (FF SM TB) NSS
CVE-2007-0775 mfsa2007-01 FF SM TB
CVE-2007-0776 mfsa2007-01 FF SM TB
CVE-2007-0777 mfsa2007-01 FF SM TB
CVE-2007-0778 mfsa2007-03 FF SM
CVE-2007-0779 mfsa2007-04 FF SM
CVE-2007-0780 mfsa2007-05 FF SM
CVE-2007-0800 mfsa2007-05 FF SM
CVE-2007-0801 mfsa2007-05 FF SM
CVE-2007-0981 mfsa2007-07 FF SM
CVE-2007-0995 mfsa2007-02 FF SM

You can note that CVE-2007-0801 is not covered by the mozilla announcement
whereas it is fixed in mfsa2007-05 according to its text. Similarly,
mfsa2007-06.html doesn't mention Thunderbird as vulnerable whereas it is.

I don't know if CVE-2007-1004 has been fixed, that's unclear.

The most severe vulns belong to NSS, SVG processing in FF2.0, and potential
memory corruption in javascript.

------- Comment #4 From Raúl Porcel 2007-02-24 00:22:58 0000 -------
www-client/mozillafirefox[-bin]-{1.5.0.10,2.0.0.2} in the tree.

------- Comment #5 From Raphael Marichez 2007-02-24 08:57:01 0000 -------
Thanks Raul.

Hi, arches, please could you test and mark stable if appropriate :

www-client/mozilla-firefox-1.5.0.10 for all arches except Alpha;
www-client/mozilla-firefox-2.0.0.2 for all arches except Mips;

www-client/mozilla-firefox-bin-1.5.0.10 for amd64 and x86
www-client/mozilla-firefox-bin-2.0.0.2 for amd64 and x86

thanks

------- Comment #6 From Markus Rothe 2007-02-24 11:12:07 0000 -------
ppc64 stable

------- Comment #7 From Raúl Porcel 2007-02-24 11:19:41 0000 -------
x86 stable

------- Comment #8 From Christoph Mende 2007-02-25 17:08:12 0000 -------
tested:
mozilla-firefox-1.5.0.10
mozilla-firefox-2.0.0.2
mozilla-firefox-bin-1.5.0.10
mozilla-firefox-bin-2.0.0.2

everything emerges fine and works

Portage 2.1.2-r9 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.20-ck1 x86_64)
=================================================================
System uname: 2.6.20-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 25 Feb 2007 12:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig builysyspkg ccache distlocks metadata-transfer
parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/
ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 audiofile berkdb bitmap-fonts branding bzip2
cairo cdinstall cdr cli cracklib crypt cups dbus divx dri dvd dvdr dvdread eds
emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal
iconv imagemagick ipod jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg
ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd
quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd
tiff truetype truetype-fonts type1-fonts unicode v4l v4l2 vim-with-x vorbis wmp
xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw
asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa
lfloat linear meter mulaw multi null plug rate route share shm softvol"
ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS

------- Comment #9 From Jeroen Roovers 2007-02-26 15:37:43 0000 -------
(In reply to comment #5)
> www-client/mozilla-firefox-1.5.0.10 for all arches except Alpha;
> www-client/mozilla-firefox-2.0.0.2 for all arches except Mips;

Stable for HPPA.

------- Comment #10 From Jason Wever (RETIRED) 2007-02-27 02:32:22 0000 -------
Stable on SPARC

------- Comment #11 From Simon Stelling (RETIRED) 2007-02-27 12:45:20 0000 -------
amd64 stable, thanks Christoph

------- Comment #12 From Simon Stelling (RETIRED) 2007-02-27 12:46:28 0000 -------
Hum, still have to do seamonkey{,-bin} on amd64.

------- Comment #13 From Raphael Marichez 2007-02-27 13:45:02 0000 -------
update of the vulnerability list:

http://www.mozilla.org/security/announce/2007/mfsa2007-08.html
CVE-2007-1092 affects FF and SM.
(memory corruption)

------- Comment #14 From Raphael Marichez 2007-02-27 13:48:37 0000 -------
(In reply to comment #12)
> Hum, still have to do seamonkey{,-bin} on amd64.
> 

Well, I don't know if seamonkey-1.1 is affected or not. It's rather old (>1
month ago) but it is not referenced in the MFSA.

CVE entries are still closed, only FF is released, we have no news for
seamonkey-1.0.8 and TB-1.5.0.10 and 2.0.0.2, ... but some other distributions
have issued updates for seamonkey and thunderbird, I don't know how!

------- Comment #15 From Dawid Stawiarski 2007-02-28 12:47:09 0000 -------
SeaMonkey 1.0.8 and 1.1.1 have been released...
(http://www.mozilla.org/projects/seamonkey/releases/)

------- Comment #16 From Tobias Scherbaum 2007-02-28 19:45:35 0000 -------
ppc stable

------- Comment #17 From Raphael Marichez 2007-02-28 20:26:01 0000 -------
Hi again arches, 

seamonkey[-bin] has just been put into portage.

-1.0.8 and -1.1.1 fix all the known vulnerabilities.

Please could you test and mark stable if appropriate:

seamonkey-1.1.1 in preference (1.0.8 otherwise)
seamonkey-bin-1.1.1 (there is no 1.0.8 in the tree) for AMD64+X86


and we're still waiting for alpha on mozilla-firefox, but don't worry since the
GLSA is not ready yet :)

------- Comment #18 From Raúl Porcel 2007-02-28 21:16:50 0000 -------
seamonkey[-bin] x86 stable

------- Comment #19 From Christoph Mende 2007-02-28 21:22:17 0000 -------
seamonkey{,-bin} emerge and work fine on amd64

Portage 2.1.2-r9 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.20-ck1 x86_64)
=================================================================
System uname: 2.6.20-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 28 Feb 2007 20:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks
metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/
ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 audiofile berkdb bitmap-fonts branding bzip2
cairo cdinstall cdr cli cracklib crypt cups dbus divx dri dvd dvdr dvdread eds
emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal
iconv imagemagick ipod jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg
ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd
quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd
test tiff truetype truetype-fonts type1-fonts unicode v4l v4l2 vim-with-x
vorbis wmp xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS

------- Comment #20 From Jose Luis Rivero (yoswink) 2007-02-28 23:13:35 0000 -------
mozilla-firefox-2.0.0.2 is stable on alpha.

Working on seamonkey now.

------- Comment #21 From Dawid Stawiarski 2007-03-01 10:11:40 0000 -------
could you please bump Enigmail as well? "11/01/2007 Enigmail v0.94.2 has been
released. A crash bug that could affect security has been fixed."

------- Comment #22 From Simon Stelling (RETIRED) 2007-03-01 12:46:43 0000 -------
amd64 stable

------- Comment #23 From Raphael Marichez 2007-03-01 15:25:41 0000 -------
(In reply to comment #21)
> could you please bump Enigmail as well? "11/01/2007 Enigmail v0.94.2 has been
> released. A crash bug that could affect security has been fixed."
> 

Already bumped 2 weeks ago, see bug 166932. (and it is not the right place)

Since it's a client-side DoS, without any further information, we won't handle
it as a security issue. Feel free to reopen bug 166932 if you can bring a clue of
code injection or so.

------- Comment #24 From Dawid Stawiarski 2007-03-01 22:38:19 0000 -------
Well, I see enigmail 0.94.2 is in portage, but SeaMonkey's 1.1.1 ebuild still
uses 0.94.1 (with USE="crypt").

------- Comment #25 From Jeroen Roovers 2007-03-02 04:50:24 0000 -------
Stable for HPPA:
   =www-client/mozilla-firefox-1.5.0.10
   =www-client/mozilla-firefox-2.0.0.2
   =www-client/seamonkey-1.1.1 (killerfox)

Anything else?

------- Comment #26 From Christian Faulhammer 2007-03-02 22:33:02 0000 -------
Readding amd64, sparc and x86, as ebuild is ready and Falco busy torturing new
recruits.

mozilla-thunderbird[-bin]-15.0.10 needs to go stable, too.

------- Comment #27 From Raúl Porcel 2007-03-02 22:40:09 0000 -------
x86 stable!

See you when nss is released...

------- Comment #28 From Tobias Scherbaum 2007-03-03 12:43:31 0000 -------
seamonkey also ppc stable

------- Comment #29 From Steve Dibb 2007-03-03 15:59:23 0000 -------
(In reply to comment #26)
> Readding amd64, sparc and x86, as ebuild is ready and Falco busy torturing new
> recruits.
> 
> mozilla-thunderbird[-bin]-15.0.10 needs to go stable, too.
> 

amd64 done

------- Comment #30 From Jose Luis Rivero (yoswink) 2007-03-03 18:47:43 0000 -------
seamonkey-1.1.1 stable on alpha. 

working on thunderbird

------- Comment #31 From Raphael Marichez 2007-03-04 00:30:58 0000 -------
Firefox -> GLSA 200703-04

------- Comment #32 From Jeroen Roovers 2007-03-04 01:26:51 0000 -------
Wake me up for NSS.

------- Comment #33 From Jose Luis Rivero (yoswink) 2007-03-05 21:00:22 0000 -------
thunderbird stable on alpha.

See you in the next round.

------- Comment #34 From Gustavo Zacarias (RETIRED) 2007-03-06 13:55:14 0000 -------
thunderbird sparc stable.

------- Comment #35 From Raúl Porcel 2007-03-07 21:37:52 0000 -------
Hello again arches.

Please stabilize =dev-libs/nss-3.11.5. Please note that YOU NEED to stabilize
=dev-libs/nspr-4.6.5-r1 first -> bug 169751

And this will be the last one :)

Thanks!

x86 stable

------- Comment #36 From Markus Rothe 2007-03-08 08:14:23 0000 -------
ppc64 stable (nss-3.11.5)

------- Comment #37 From Gustavo Zacarias (RETIRED) 2007-03-08 14:07:47 0000 -------
sparc stable.

------- Comment #38 From Tobias Scherbaum 2007-03-08 17:38:14 0000 -------
ppc stable

------- Comment #39 From Steve Dibb 2007-03-08 22:16:12 0000 -------
(In reply to comment #35)
> Hello again arches.
> 
> Please stabilize =dev-libs/nss-3.11.5. Please note that YOU NEED to stabilize
> =dev-libs/nspr-4.6.5-r1 first -> bug 169751
> 
> And this will be the last one :)
> 
> Thanks!

amd64 stable

------- Comment #40 From Dawid Stawiarski 2007-03-08 22:48:26 0000 -------
"06/03/2007 Important Security fix for Enigmail. A security bug detected by
Core Security Technologies has been fixed in Enigmail v0.94.3."
Maybe now it's time to update SeaMonkey's ebuild, and bump EMVER to "0.94.3"?

------- Comment #41 From Jeroen Roovers 2007-03-09 02:28:15 0000 -------
=dev-libs/nss-3.11.5 stable for HPPA.

------- Comment #42 From Raúl Porcel 2007-03-09 11:52:35 0000 -------
(In reply to comment #40)
> "06/03/2007 Important Security fix for Enigmail. A security bug detected by
> Core Security Technologies has been fixed in Enigmail v0.94.3."
> Maybe now it's time to update SeaMonkey's ebuild, and bump EMVER to "0.94.3"?

Our security team is working on that.

And SeaMonkey will not get another version of Enigmail unless Enigmail standalone
has the same keywords as SeaMonkey.

Anyway, this bug is not related to that security issue.

------- Comment #43 From Raphael Marichez 2007-03-10 16:37:42 0000 -------
SeaMonkey -> GLSA 200703-08, thanks everybody

------- Comment #44 From Bryan Østergaard (RETIRED) 2007-03-11 01:01:00 0000 -------
Alpha + IA64 all done.

------- Comment #45 From Raphael Marichez 2007-03-13 23:18:15 0000 -------
CCing back Alpha for stabilizing NSS-3.11.5, thanks.

Seamonkey and NSS GLSA in the draft pool.

------- Comment #46 From Raúl Porcel 2007-03-14 11:43:31 0000 -------
(In reply to comment #45)
> CCing back Alpha for stabilizing NSS-3.11.5, thanks.
> 
> Seamonkey and NSS GLSA in the draft pool.
> 

Alpha and IA64 were stable, but I put it back to ~arch by mistake. Fixed now :)

------- Comment #47 From Raphael Marichez 2007-03-18 22:03:25 0000 -------
thunderbird -> GLSA 200701-18

------- Comment #48 From Raúl Porcel 2007-03-21 18:46:04 0000 -------
ppc, you need to stabilize mozilla-thunderbird-1.5.0.10.

Thanks.

------- Comment #49 From Tobias Scherbaum 2007-03-23 16:15:17 0000 -------
(In reply to comment #48)
> ppc, you need to stabilize mozilla-thunderbird-1.5.0.10.
> 
> Thanks.
> 

ppc stable

------- Comment #50 From Sune Kloppenborg Jeppesen 2007-03-25 07:50:54 0000 -------
GLSA 200703-22
