Bug 574968 - <www-client/seamonkey-2.40: arbitrary code execution in bundled graphite library (CVE-2016-{1521,1522,1523,1526})
Summary: <www-client/seamonkey-2.40: arbitrary code execution in bundled graphite libr...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve blocked]
Keywords:
Depends on: 604500
Blocks: CVE-2016-1521, CVE-2016-1522, CVE-2016-1523, CVE-2016-1526
Reported: 2016-02-17 14:49 UTC by Chí-Thanh Christopher Nguyễn
Modified: 2017-01-13 15:03 UTC

See Also:
Package list:
Runtime testing required: ---


Description Chí-Thanh Christopher Nguyễn gentoo-dev 2016-02-17 14:49:18 UTC
It appears that www-client/seamonkey-2.38 bundles graphite 1.2.4, which is vulnerable to CVE-2016-1523 and others.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-02-17 15:08:35 UTC
2.39 is also affected so no stable candidate.

I'm going to check seamonkey-2.40_pre4
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-06 13:21:21 UTC
commit 9a303064ac8267030c490c5a6efaac6a93756e9a
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sun Mar 6 14:18:03 2016

    www-client/seamonkey: Bump to version 2.40_pre4 (with additional graphite2 fix)

    Package-Manager: portage-2.2.27
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Unfortunately seamonkey upstream seems to have severe problems with their release process, so I decided to go with their latest release candidate and added the graphite2 fix on top.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-06-21 09:55:43 UTC
@maintainer(s), is this ready for stable?
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 12:31:31 UTC
@arches, please stabilize:

=www-client/seamonkey-2.40

New GLSA request filed.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 12:32:57 UTC
CVE-2016-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1526):
  The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2
  1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, incorrectly validates a size value, which allows remote attackers to
  obtain sensitive information or cause a denial of service (out-of-bounds
  read and application crash) via a crafted Graphite smart font.

CVE-2016-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1523):
  The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite
  2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, mishandles a return value, which allows remote attackers to cause a
  denial of service (missing initialization, NULL pointer dereference, and
  application crash) via a crafted Graphite smart font.

CVE-2016-1522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1522):
  Code.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox
  before 43.0 and Firefox ESR 38.x before 38.6.1, does not consider recursive
  load calls during a size check, which allows remote attackers to cause a
  denial of service (heap-based buffer overflow) or possibly execute arbitrary
  code via a crafted Graphite smart font.

CVE-2016-1521 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1521):
  The directrun function in directmachine.cpp in Libgraphite in Graphite 2
  1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before
  38.6.1, does not validate a certain skip operation, which allows remote
  attackers to execute arbitrary code, obtain sensitive information, or cause
  a denial of service (out-of-bounds read and application crash) via a crafted
  Graphite smart font.
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-30 14:04:14 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-30 14:04:40 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-07-01 06:19:38 UTC
Shall we include seamonkey-bin?
Comment 10 Aaron Bauman (RETIRED) gentoo-dev 2016-07-16 13:35:08 UTC
@maintainer(s), what is the situation with -bin ?  How would you like to proceed?
Comment 11 Ian Stakenvicius (RETIRED) gentoo-dev 2016-07-17 02:02:08 UTC
seamonkey-bin-2.40 can go stable any time, but it's vulnerable to everything that Firefox-43-45.1 is vulnerable to.

I just bumped an unofficial 2.44 release, if that can be evaluated as ok enough for arch teams then I'm ok for it to go stable so these others can be dropped.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 09:08:45 UTC
(In reply to Ian Stakenvicius from comment #11)
> seamonkey-bin-2.40 can go stable any time, but it's vulnerable to everything
> that Firefox-43-45.1 is vulnerable to.
> 
> I just bumped an unofficial 2.44 release, if that can be evaluated as ok
> enough for arch teams then I'm ok for it to go stable so these others can be
> dropped.

Ok, we will hold off then.
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2016-10-21 06:45:15 UTC
Any updates on -bin here?  2.44_pre20160608 seems to be the latest version without this vulnerability.
Comment 14 Ian Stakenvicius (RETIRED) gentoo-dev 2016-10-21 15:22:29 UTC
(In reply to Aaron Bauman from comment #13)
> Any updates on -bin here?  2.44_pre20160608 seems to be the latest version
> without this vulnerability.

Upstream still hasn't done an official release, and the unofficial release builder ran into issues a while back; I'll check to see if they're back up and running again.

For the most vulnerability-free seamonkey experience, it would likely be best to use the www-client/seamonkey-2.42.x series as I'm using the latest released ESR tarballs (45.x currently) for their source code (again, no releases upstream so we have to get creative with the source tarballs too).
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-21 17:22:30 UTC
Upstream is preparing 2.46 release. See https://archive.mozilla.org/pub/seamonkey/candidates/2.46-candidates/
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-11-25 02:42:41 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #15)
> Upstream is preparing 2.46 release. See
> https://archive.mozilla.org/pub/seamonkey/candidates/2.46-candidates/

Can -bin be bumped yet to at least 2.40?
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-01-13 15:03:06 UTC
This issue was resolved and addressed in
 GLSA 201701-35 at https://security.gentoo.org/glsa/201701-35
by GLSA coordinator Aaron Bauman (b-man).
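A way to check which installed versions fall under this bug's affected atom (`<www-client/seamonkey-2.40`), as an added example that is not part of this bug, of the GLSA, or of Portage: a self-contained, simplified Gentoo version comparison covering the version forms that appear in the thread (2.38, 2.40_pre4, 2.40, 2.44_pre20160608, -rN revisions). It is a subset of the PMS rules; Portage's own `portage.versions.vercmp` is the reference implementation, and `AFFECTED_ATOM` is taken from the bug title.

```python
import re

# Simplified Gentoo version ordering, constructed for this bug. Handles numeric
# components, one _alpha/_beta/_pre/_rc/_p suffix and a -rN revision; letter
# suffixes and leading-zero components (full PMS rules) are not handled.
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?:_(?P<suf>alpha|beta|pre|rc|p)(?P<sufnum>\d*))?"
    r"(?:-r(?P<rev>\d+))?$"
)
# Operator-prefixed atom such as "<www-client/seamonkey-2.40". Package names may
# contain hyphens (seamonkey-bin), so the name is matched lazily up to the
# "-<digit>" that starts the version.
ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=|~)?(?P<cat>[\w+-]+)/(?P<pn>[\w+-]+?)-(?P<ver>\d.*)$"
)

def parse_version(v: str) -> tuple:
    """Turn a version string into a tuple that sorts in Gentoo order."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m["nums"].split("."))  # 2.40 > 2.9 numerically
    return (nums, SUFFIX_RANK[m["suf"] or ""], int(m["sufnum"] or 0), int(m["rev"] or 0))

def compare_versions(a: str, b: str) -> int:
    """Negative if a < b, zero if equal, positive if a > b (like vercmp)."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)

def atom_matches(atom: str, cpv: str) -> bool:
    """True when an installed category/package-version satisfies the atom."""
    a, c = ATOM_RE.match(atom), ATOM_RE.match(cpv)
    if not (a and c) or (a["cat"], a["pn"]) != (c["cat"], c["pn"]):
        return False                      # a different package never matches
    if a["op"] == "~":                    # same version, any revision
        return parse_version(c["ver"])[:3] == parse_version(a["ver"])[:3]
    cmp = compare_versions(c["ver"], a["ver"])
    return {"<": cmp < 0, "<=": cmp <= 0, "=": cmp == 0,
            ">=": cmp >= 0, ">": cmp > 0}[a["op"] or "="]

AFFECTED_ATOM = "<www-client/seamonkey-2.40"   # the atom from this bug's title

def affected_by_bug(installed_cpv: str) -> bool:
    """Does the installed seamonkey fall in the range this bug covers?"""
    return atom_matches(AFFECTED_ATOM, installed_cpv)
```

Note that the atom only covers www-client/seamonkey; seamonkey-bin is a different package and, as comment 11 says, has its own exposure that this check does not model.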