Let's do a 0-day bump... but we shall be a bit helpful too: it seems that the following patches from firefox-7.0-patches-0.5 tarball were applied upstream: 5005 5006 5007 5008 5009 5011 5014 5017 5018; while problem of patch 5012 was solved in a different way. After filtering out those, old ebuild works...well, at least it seems so for the moment.
*** Bug 390031 has been marked as a duplicate of this bug. ***
I would be glad to test some experimental ebuilds of firefox 8 to help. Or anything else that could help.
Renaming the thunderbird-bin-6.0 ebuild to 8.0 works for me.
(In reply to comment #2) > I would be glad to test some experimental ebuilds of firefox 8 to help. Or > anything else that could help. fx-8 is in the mozilla overlay at the moment, soon as I finish the tb changes I will move it to the tree.
*** Bug 390095 has been marked as a duplicate of this bug. ***
Is TB 8.0 still 'in progress'? I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged) plugins 'timezone definitions' and the 'provider for google calendar' are too old and incompatible with TB 8.0. Lightning is also not the newest version, but appears to work.
*** Bug 390099 has been marked as a duplicate of this bug. ***
(In reply to comment #6) > Is TB 8.0 still 'in progress'? > I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged) > plugins 'timezone definitions' and the 'provider for google calendar' are too > old and incompatible with TB 8.0. Lightning is also not the newest version, but > appears to work. version is all the same, it was just a version.txt bump not to worried about, what I am concerned about is how the profile is breaking the extensions, a clean profile will show ya exactly what I mean.
(In reply to comment #8) > (In reply to comment #6) > > Is TB 8.0 still 'in progress'? > > I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged) > > plugins 'timezone definitions' and the 'provider for google calendar' are too > > old and incompatible with TB 8.0. Lightning is also not the newest version, but > > appears to work. > > version is all the same, it was just a version.txt bump not to worried about, > what I am concerned about is how the profile is breaking the extensions, a > clean profile will show ya exactly what I mean. Thanks for the answer, ok then. I can not reproduce the breakage here (on x86_64, if you need further info, please ask): 1) Created a fresh profile with ProfileManager. 2) Created a bogus account. 3) Tried to enable bundled extensions (Lightning works as expected). 4) Installed a random extension from AddOn-Manager (works as expected). Maybe I am missing something, if so, just take your time fixing it. Thanks a lot for your work! (my next answer might be a bit delayed due to high workload in real life)
(In reply to comment #9) > (In reply to comment #8) > > (In reply to comment #6) > > > Is TB 8.0 still 'in progress'? > > > I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged) > > > plugins 'timezone definitions' and the 'provider for google calendar' are too > > > old and incompatible with TB 8.0. Lightning is also not the newest version, but > > > appears to work. > > > > version is all the same, it was just a version.txt bump not to worried about, > > what I am concerned about is how the profile is breaking the extensions, a > > clean profile will show ya exactly what I mean. > Thanks for the answer, ok then. > I can not reproduce the breakage here (on x86_64, if you need further info, > please ask): > 1) Created a fresh profile with ProfileManager. > 2) Created a bogus account. > 3) Tried to enable bundled extensions (Lightning works as expected). > 4) Installed a random extension from AddOn-Manager (works as expected). > Maybe I am missing something, if so, just take your time fixing it. > Thanks a lot for your work! > (my next answer might be a bit delayed due to high workload in real life) I was refering to google calender and timezone definitions being broken. I have double and triple checked and everything is working as it should be with a fresh profile, the problem is first launch with 8.0 will cause extensions.sqlite to fail to update properly. This is what is causing reports of the plugin being disabled. I have gone ahead and commited both fx/tb-8.0 source build to tree for further testing.
*** Bug 390243 has been marked as a duplicate of this bug. ***
Renaming the firefox-bin-7.0.1 ebuild to 8.0 works for me on x86
*** Bug 390485 has been marked as a duplicate of this bug. ***
*** Bug 390487 has been marked as a duplicate of this bug. ***
*** Bug 390707 has been marked as a duplicate of this bug. ***
*** Bug 390705 has been marked as a duplicate of this bug. ***
Feel free to bring the archs in, I believe we have resolved all major issues.
CVE-2011-3655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3655): Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform access control without checking for use of the NoWaiverWrapper wrapper, which allows remote attackers to gain privileges via a crafted web site. CVE-2011-3654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3654): The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. CVE-2011-3653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3653): Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do not properly interact with the GPU memory behavior of a certain driver for Intel integrated GPUs, which allows remote attackers to bypass the Same Origin Policy and read image data via vectors related to WebGL textures. CVE-2011-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3652): The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. CVE-2011-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3651): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2011-3650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3650): Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. CVE-2011-3649 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3649): Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: this issue exists because of a CVE-2011-2986 regression. CVE-2011-3648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3648): Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding.
(In reply to comment #17) > Feel free to bring the archs in, I believe we have resolved all major issues. Thanks Jory and mozilla team. As you know there is a problem for other arches, so many of those have not still at least ~ keyword, and there are also pending stablereq for 3.x series. So since ppc has keyword, can we call also it here?
Arches, please test and mark stable: =www-client/firefox-8.0 =www-client/firefox-bin-8.0 =mail-client/thunderbird-8.0-r1 =mail-client/thunderbird-bin-8.0 Target keywords : "amd64 x86" In the meantime we "wrangle" and edit whiteboard of various old firefox security bugs.
amd64 ok
amd64: =www-client/firefox-8.0 pass
amd64: =www-client/firefox-bin-8.0 pass as well
amd64 =mail-client/thunderbird-8.0-r1 blocker ** when adding USE="debug" * ERROR: mail-client/thunderbird-8.0-r1 failed (compile phase): * make enigmail failed * * Call stack: * ebuild.sh, line 56: Called src_compile * environment, line 6317: Called die * The specific snippet of code: * emake -C /mailnews/extensions/enigmail || die make enigmail failed; * * If you need support, post the output of 'emerge --info =mail-client/thunderbird-8.0-r1', * the complete build log and the output of 'emerge -pqv =mail-client/thunderbird-8.0-r1'. * The complete build log is located at '/var/tmp/portage/portage/mail-client/thunderbird-8.0-r1/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/portage/mail-client/thunderbird-8.0-r1/temp/environment'. * S: '/var/tmp/portage/portage/mail-client/thunderbird-8.0-r1/work/comm-release' * * The following package has failed to build or install: When attempting to emerge enigmail separately I get: [ebuild N ] x11-plugins/enigmail-1.1.2-r2 [blocks B ] x11-plugins/enigmail ("x11-plugins/enigmail" is blocking mail-client/thunderbird-8.0-r1)
Ditto Elijah =www-client/firefox-bin-8.0 amd64 ok
=www-client/firefox-bin-8.0 amd64 ok
Please ignore comment 26 as it should be =www-client/firefox-8.0 amd64 ok
www-client/firefox-8.0 mail-client/thunderbird-bin-8.0 Ok from user point of view on my machine (I have these keyworded), thunderbird-8.0 did build on my machine, but I did not do usual AT QA checks [yet].
+ 29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> firefox-8.0.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo, + Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho" + Pružina in security bug #389923. + 29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> firefox-bin-8.0.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo, + Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho" + Pružina in security bug #389923. + 29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> thunderbird-8.0-r1.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo, + Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho" + Pružina in security bug #389923. + 29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> thunderbird-bin-8.0.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo, + Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho" + Pružina in security bug #389923.
x86 stable
re-add if needed.
Added to existing GLSA request.
Too old for GLSA, closing as fixed
