MFSA 2010-08 : WOFF heap corruption due to integer overflow

Affects firefox-3.6 and anything else with xulrunner-1.9.2; does not affect firefox-3.5.x

Since this vulnerability has been known for over a month[1], the exploit code has been released, and it has resulted in the German government officially recommending against Firefox use[2], it would be nice to see mozilla-firefox-3.6.2 and xulrunner-1.9.2.2 in the tree soon. At the moment, they aren't even in the mozilla overlay...

[1] http://secunia.com/advisories/38608/
[2] http://news.bbc.co.uk/2/hi/technology/8580716.stm
This might also require a bump for www-client/icecat ?
I just bumped firefox & xulrunner (not firefox-bin or icecat)
(In reply to comment #2)
> I just bumped firefox & xulrunner (not firefox-bin or icecat)

Why does the xulrunner thing bundle entire dev-libs/nss now? Bug 311167
CVE-2010-0164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0164): Use-after-free vulnerability in the imgContainer::InternalAddFrameHelper function in src/imgContainer.cpp in libpr0n in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a multipart/x-mixed-replace animation in which the frames have different bits-per-pixel (bpp) values.
CVE-2010-0165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0165): The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors involving certain indirect calls to the JavaScript eval function.

CVE-2010-0167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167): The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp.

CVE-2010-0168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0168): The nsDocument::MaybePreLoadImage function in content/base/src/nsDocument.cpp in the image-preloading implementation in Mozilla Firefox 3.6 before 3.6.2 does not apply scheme restrictions and policy restrictions to the image's URL, which might allow remote attackers to cause a denial of service (application crash or hang) or hijack the functionality of the browser's add-ons via a crafted SRC attribute of an IMG element, as demonstrated by remote command execution through an ssh: URL in a configuration that supports gnome-vfs with a nonstandard network.gnomevfs.supported-protocols setting.

CVE-2010-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169): The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching.

CVE-2010-0170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0170): Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected window.location protection mechanism, which might allow remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via vectors that are specific to each affected plugin.
CVE-2010-0171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171): Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736.
CVE-2010-0172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0172): toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the asynchronous Authorization Prompt implementation in Mozilla Firefox 3.6 before 3.6.2 does not properly handle concurrent authorization requests from multiple web sites, which might allow remote web servers to spoof an authorization dialog and capture credentials by demanding HTTP authentication in opportunistic circumstances.
CVE-2010-1028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1028): Integer overflow in the decompression functionality in the Web Open Fonts Format (WOFF) decoder in Mozilla Firefox 3.6 before 3.6.2 and 3.7 before 3.7 alpha 3 allows remote attackers to execute arbitrary code via a crafted WOFF file that triggers a buffer overflow, as demonstrated by the vd_ff module in VulnDisco 9.0.
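The WOFF bug above (CVE-2010-1028) is the classic "length arithmetic wraps, bounds check passes, decompression overruns the buffer" pattern. The following is an added illustration of that bug class and its fix, not code from Mozilla, from the WOFF decoder, or from anyone in this bug. It assumes the WOFF 1.0 table directory entry layout (20 bytes, big-endian: tag, offset, compLength, origLength, origChecksum); the function names, the sample entries and the decoded-size budget are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed WOFF 1.0 table directory entry layout, 20 bytes, big-endian:
 * tag[4] | offset | compLength | origLength | origChecksum */
#define WOFF_DIR_ENTRY_SIZE 20u

typedef struct {
    uint32_t offset;       /* start of the (possibly compressed) table data */
    uint32_t comp_length;  /* bytes stored in the file */
    uint32_t orig_length;  /* bytes after decompression */
} woff_dir_entry;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

void woff_parse_entry(const uint8_t *raw, woff_dir_entry *e)
{
    e->offset      = be32(raw + 4);
    e->comp_length = be32(raw + 8);
    e->orig_length = be32(raw + 12);
}

/* Bug pattern: the bounds check is done in 32-bit arithmetic, so a hostile
 * offset/compLength pair can wrap to a small value and pass. */
bool woff_entry_in_file_naive(const uint8_t *raw, uint32_t file_size)
{
    woff_dir_entry e;
    woff_parse_entry(raw, &e);
    uint32_t end = e.offset + e.comp_length;  /* may wrap around */
    return end <= file_size;
}

/* Hardened check: widen before adding, require compLength <= origLength
 * (a compressed table may not be larger than its original), and cap the
 * decoded size with a caller-supplied budget before any buffer is sized. */
bool woff_entry_ok(const uint8_t *raw, uint32_t file_size, uint32_t max_decoded)
{
    woff_dir_entry e;
    woff_parse_entry(raw, &e);
    if ((uint64_t)e.offset + (uint64_t)e.comp_length > (uint64_t)file_size)
        return false;
    if (e.comp_length > e.orig_length)
        return false;
    if (e.orig_length > max_decoded)
        return false;
    return true;
}

/* Sum of origLength over n directory entries, or -1 if the 32-bit total
 * would wrap. A wrapped total is exactly the undersized allocation that a
 * later decompression step then overruns. */
int64_t woff_total_decoded(const uint8_t *dir, size_t n)
{
    uint64_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        sum += be32(dir + i * WOFF_DIR_ENTRY_SIZE + 12);
        if (sum > UINT32_MAX)
            return -1;
    }
    return (int64_t)sum;
}

/* Constructed sample: offset 0xFFFFFFF0, compLength 0x20, origLength 0x40.
 * 0xFFFFFFF0 + 0x20 wraps to 0x10 in 32-bit arithmetic. */
static const uint8_t wrapping_entry[WOFF_DIR_ENTRY_SIZE] = {
    'g','l','y','f', 0xFF,0xFF,0xFF,0xF0, 0x00,0x00,0x00,0x20,
    0x00,0x00,0x00,0x40, 0x00,0x00,0x00,0x00
};

/* Constructed sample: offset 100, compLength 32, origLength 64. */
static const uint8_t sane_entry[WOFF_DIR_ENTRY_SIZE] = {
    'h','e','a','d', 0x00,0x00,0x00,0x64, 0x00,0x00,0x00,0x20,
    0x00,0x00,0x00,0x40, 0x00,0x00,0x00,0x00
};

/* Constructed two-entry directory whose origLength values sum past 2^32. */
static const uint8_t huge_dir[2 * WOFF_DIR_ENTRY_SIZE] = {
    'c','m','a','p', 0,0,0,0, 0,0,0,0, 0xFF,0xFF,0xFF,0xFF, 0,0,0,0,
    'h','e','a','d', 0,0,0,0, 0,0,0,0, 0x00,0x00,0x00,0x01, 0,0,0,0
};

int main(void)
{
    printf("naive check accepts wrapping entry:    %d\n",
           woff_entry_in_file_naive(wrapping_entry, 4096));
    printf("hardened check accepts wrapping entry: %d\n",
           woff_entry_ok(wrapping_entry, 4096, 1u << 20));
    printf("total decoded size of huge_dir:        %lld\n",
           (long long)woff_total_decoded(huge_dir, 2));
    return 0;
}
```

The naive check accepts the wrapping entry against a 4 KiB file because the 32-bit sum comes out as 0x10; the hardened version rejects it, and also refuses a directory whose decoded sizes cannot fit a 32-bit allocation. The same three checks (widen before adding, validate the relation between compressed and original length, bound the decoded size) apply to any container format that carries its own length fields.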
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Vote: YES. Added to pending GLSA request.
CVE-2010-0648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0648): Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a redirect's target URL, for the session of a specific user of a web site, by placing the site's URL in the HREF attribute of a stylesheet LINK element, and then reading the document.styleSheets[0].href property value, related to an IFRAME element.
Can't this bug be closed since these package versions are no longer in the Portage tree?
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).