198965 2007-11-12 19:54 0000 www-client/mozilla-firefox < 2.0.0.11 Multiple vulnerabilities (CVE-2007-{5947,5959,5960}) 2008-03-06 09:49:53 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27605/ A2 [glsa] P2 major --- 1 mailingdotlist@gmail.com security@gentoo.org basic@mozdev.org mozilla@gentoo.org mailingdotlist@gmail.com 2007-11-12 19:54:30 0000 Description: A security issue has been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks. The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt). Solution: Do not follow untrusted "jar:" links or browse untrusted websites. Provided and/or discovered by: Reported by Jesse Ruderman in a Bugzilla entry. Independently discovered by pdp. Original Advisory: Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=369814 GNUCITIZEN: http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues Other References: US-CERT VU#715737: http://www.kb.cert.org/vuls/id/715737 Reproducible: Always rbu@gentoo.org 2007-11-27 01:47:03 0000 CVE-2007-5959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5959): Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger memory corruption. CVE-2007-5960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960): Mozilla Firefox before 2.0.0.10 and SeaMonkey 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent. Fixed in Firefox 2.0.0.10 MFSA 2007-39 Referer-spoofing via window.location race condition MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10) MFSA 2007-37 jar: URI scheme XSS hazard Mozilla herd, please advise. armin76@gentoo.org 2007-11-27 15:01:56 0000 2.0.0.10 contains a big regression: https://bugzilla.mozilla.org/show_bug.cgi?id=405584 I'm working on it rbu@gentoo.org 2007-11-29 21:24:35 0000 The 2.0.0.10 ebuild already contains a fix for the regression mentioned by Raul. Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10. Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86" Fixes for -bin and seamonkey will follow. jer@gentoo.org 2007-11-30 11:00:57 0000 Stable for HPPA. maekke@gentoo.org 2007-11-30 11:08:01 0000 x86 stable corsair@gentoo.org 2007-11-30 16:57:22 0000 ppc64 stable beandog@gentoo.org 2007-11-30 21:29:32 0000 (In reply to comment #3) > Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10. amd64 stable dertobi123@gentoo.org 2007-11-30 22:31:33 0000 ppc stable sebastian_ml@gmx.net 2007-12-01 12:05:01 0000 Hi all, FF 2.0.0.11 is out: http://www.mozilla.com/en-US/products/firefox/2.0.0.11/releasenotes/ Regards Sebastian gentoo@ttuttle.net 2007-12-03 16:38:58 0000 Compiles, merges, and works on amd64. emerge --info: Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r9 x86_64) ================================================================= System uname: 2.6.22-gentoo-r9 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz Timestamp of tree: Mon, 03 Dec 2007 16:00:04 +0000 app-shells/bash: 3.2_p17 dev-java/java-config: 1.3.7, 2.0.33-r1 dev-lang/python: 2.4.4-r6, 2.5.1-r4 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona" DISTDIR="/usr/portage/distfiles" FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.cites.uiuc.edu/pub/gentoo/" LINGUAS="en" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dri flac fortran gdbm gif gpm iconv ipv6 isdnlog jpeg midi mmx mp3 mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline reflection session spl sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vorbis xorg xv zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="i810 vesa vga" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY armin76@gentoo.org 2007-12-03 21:00:09 0000 Security please stabilize 2.0.0.11 instead, since it corrects a very important bug rbu already knows. -bin and not-bin should be in the tree soon. rbu@gentoo.org 2007-12-04 00:53:01 0000 Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.11. Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86" Already stabled : "alpha ia64 sparc x86" Missing keywords: "amd64 arm hppa mips ppc ppc64" Arches, please test and mark stable www-client/mozilla-firefox-bin-2.0.0.11. Target keywords : "amd64 x86" cla@gentoo.org 2007-12-04 02:11:38 0000 -bin stable on x86, someone else please test sources ;) armin76@gentoo.org 2007-12-04 10:53:44 0000 alpha/ia64/sparc/x86 stable armin76@gentoo.org 2007-12-04 14:46:45 0000 Please do =net-libs/xulrunner-1.8.1.11 as well, the distfile is in dev.g.o:/space/distfiles-local corsair@gentoo.org 2007-12-04 17:57:19 0000 ppc64 stable dertobi123@gentoo.org 2007-12-04 19:22:19 0000 ppc stable jer@gentoo.org 2007-12-05 00:57:54 0000 Stable for HPPA. welp@gentoo.org 2007-12-06 22:50:22 0000 Done mozilla-firefox{-bin} for amd64, xulrunner to follow in the morning (GMT) welp@gentoo.org 2007-12-07 07:09:45 0000 Ok, amd64's all done. jer@gentoo.org 2007-12-08 17:12:50 0000 Readding HPPA as xulrunner isn't done yet. jer@gentoo.org 2007-12-12 16:29:07 0000 =net-libs/xulrunner-1.8.1.11 stable for HPPA. py@gentoo.org 2007-12-12 16:48:55 0000 glsa time, we'll merge it with the seamonkey draft since it's the same CVE (bug #200909) armin76@gentoo.org 2007-12-18 14:35:16 0000 mips done rbu@gentoo.org 2007-12-29 16:13:30 0000 GLSA 200712-20, thanks everyone. pva@gentoo.org 2008-03-06 09:49:53 0000 Does not affect current (2008.0) release. Removing release.