Bug 196480 - www-client/mozilla-firefox (-bin) < 2.0.0.8, www-client/seamonkey (-bin) < 1.1.6 Multiple issues (CVE-2007-{1095,2292,4841,5334,5335,5337,5338,5339,5340})
Bug#: 196480 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/27311/
Summary: www-client/mozilla-firefox (-bin) < 2.0.0.8, www-client/seamonkey (-bin) < 1.1.6 Multiple issues (CVE-2007-{1095,2292,4841,5334,5335,5337,5338,5339,5340})
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2007-10-20 02:13 0000
Description:   Opened: 2007-10-20 02:13 0000 
Secunia:
  Some vulnerabilities and a weakness have been reported in Mozilla
  Firefox, which can be exploited by malicious people to disclose
  sensitive information, conduct phishing attacks, manipulate certain
  data, and potentially compromise a user's system.

Fixed in Firefox >= 2.0.0.8

Identical vulnerabilities in SeaMonkey < 1.1.5

------- Comment #1 From Robert Buchholz 2007-10-20 02:18:02 0000 ------- 
Mozilla, please advise.

seamonkey-1.1.5 is missing from the tree. Is it in the making already? Is
anything holding back stabilization of any of these?

------- Comment #2 From Robert Buchholz 2007-10-20 14:35:17 0000 ------- 
Mozilla, does this also affect XULRunner?

------- Comment #3 From Raúl Porcel 2007-10-20 14:43:39 0000 ------- 
Yes, and seamonkey is already in the tree

------- Comment #4 From Robert Buchholz 2007-10-20 23:35:41 0000 ------- 
Thanks, Raúl. Arches, please test and mark stable.

net-libs/xulrunner-1.8.1.8:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

www-client/mozilla-firefox-2.0.0.8:
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

www-client/mozilla-firefox-bin-2.0.0.8:
Target keywords : "amd64 x86"

www-client/seamonkey-1.1.5.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 x86"

www-client/seamonkey-bin-1.1.5:
Target keywords : "amd64 x86"

------- Comment #5 From Carsten Lohrke 2007-10-21 14:13:05 0000 ------- 
How about adding app-arch/unzip as build time dependency to fix bug 194977
before this version goes stable?

------- Comment #6 From Raúl Porcel 2007-10-21 14:21:34 0000 ------- 
(In reply to comment #5)
> How about adding app-arch/unzip as build time dependency to fix bug 194977
> before this version goes stable?
> 

unzip is a dep inside the mozextension eclass

------- Comment #7 From Markus Meier 2007-10-21 14:23:35 0000 ------- 
x86 stable

------- Comment #8 From GNUtoo@no-log.org 2007-10-21 15:19:30 0000 ------- 
(In reply to comment #7)
> x86 stable
> 

what about making a GLSA in order to inform people about this issue?

------- Comment #9 From Robert Buchholz 2007-10-21 15:35:47 0000 ------- 
(In reply to comment #8)
> what about making a GLSA in order to inform people about this issue?

We're handling this with a high priority, a GLSA is usually the last step of
this process. So stay tuned.

------- Comment #10 From Carsten Lohrke 2007-10-21 20:37:47 0000 ------- 
(In reply to comment #6)
> unzip is a dep inside the mozextension eclass


Uh - sorry...

------- Comment #11 From Raúl Porcel 2007-10-22 14:20:47 0000 ------- 
alpha/ia64/sparc stable

------- Comment #12 From Tobias Scherbaum 2007-10-22 16:54:24 0000 ------- 
ppc stable

------- Comment #13 From Markus Rothe 2007-10-23 17:32:46 0000 ------- 
ppc64 stable

------- Comment #14 From Christoph Mende 2007-10-23 20:47:59 0000 ------- 
amd64 stable

------- Comment #15 From Jeroen Roovers 2007-10-24 05:34:37 0000 ------- 
Stable for HPPA.

------- Comment #16 From Robert Buchholz 2007-10-24 22:27:53 0000 ------- 
GLSA request filed.

------- Comment #17 From Robert Buchholz 2007-11-03 12:32:29 0000 ------- 
Firefox 2.0.0.8 introduced some regressions that were fixed in the recent
2.0.0.9 upgrade:
http://developer.mozilla.org/devnews/index.php/2007/10/22/firefox-2008-update-to-be-updated/

Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.9.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

www-client/mozilla-firefox-bin-2.0.0.9:
Target keywords : "amd64 x86"

net-libs/xulrunner-1.8.1.9:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Seamonkey will follow later.

------- Comment #18 From Jurek Bartuszek 2007-11-03 14:19:25 0000 ------- 
x86 stable

------- Comment #19 From Raúl Porcel 2007-11-03 15:56:01 0000 ------- 
alpha/ia64/sparc stable

------- Comment #20 From Markus Rothe 2007-11-03 21:43:16 0000 ------- 
ppc64 stable

------- Comment #21 From Peter Weller 2007-11-04 20:50:02 0000 ------- 
www-client/mozilla-firefox-bin-2.0.0.9 stable on amd64, still waiting on
xulrunner

------- Comment #22 From Roeland Douma 2007-11-05 14:15:06 0000 ------- 
AMD64:
I just compiled www-client/mozilla-firefox-2.0.0.9.
Compiles clean.
No collision

Browsing the web with so well it seems to work ;)

I think we are safe to let the firefox users have a nice time compiling the new
version ;)

emerge --info:
Portage 2.1.3.16 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.2,
glibc-2.6.1-r0, 2.6.22-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r8 x86_64 AMD Turion(tm) 64 Mobile Technology MT-28
Timestamp of tree: Mon, 05 Nov 2007 02:20:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c
/etc/udev/rules.d"
CXXFLAGS="-march=k8 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distcc distlocks metadata-transfer multilib-strict
sandbox sfperms strict test unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo
ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo
ftp://mirror.scarlet-internet.nl/pub/gentoo http://gentoo.tiscali.nl/
ftp://gentoo.tiscali.nl/pub/mirror/gentoo/ "
LINGUAS="en"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://godfather/gentoo-portage"
USE="X acpi alsa amd64 bash-completion bitmap-fonts bzip2 cli cracklib crypt
cups dbus dri fontconfig fortran gdbm gif hal highlight history hybrid-auth
iconv isdnlog jpeg jpeg2k latex midi mmx mudflap ncurses nls nowebdav nptl
nptlonly nsplugin ogg opengl openmp oss pcre perl png pppd python qt3 readline
reflection session spl sse sse2 ssl tcpd test tiff truetype truetype-fonts
type1-fonts unicode vim-syntax vorbis xml xorg xv" ALSA_CARDS="ali5451 als4000
atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968
fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx
via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop
empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi
null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard
mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780
lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU"
VIDEO_CARDS="sis"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #23 From Tobias Scherbaum 2007-11-05 18:00:55 0000 ------- 
ppc stable

------- Comment #24 From Jeroen Roovers 2007-11-06 14:56:15 0000 ------- 
Stable for HPPA.

------- Comment #25 From Pierre-Yves Rofes 2007-11-06 19:38:29 0000 ------- 
<armin76> need to readd alpha amd64 hppa ia64 ppc ppc64 and x86 for
seamonkey-1.1.6 :)
<armin76> amd64 and x86 for seamonkey-bin

------- Comment #26 From Raúl Porcel 2007-11-06 20:21:28 0000 ------- 
alpha/ia64/x86 stable

------- Comment #27 From Tobias Scherbaum 2007-11-07 18:38:51 0000 ------- 
seamonkey stable for ppc.

------- Comment #28 From Markus Rothe 2007-11-07 21:09:45 0000 ------- 
ppc64 stable

------- Comment #29 From Jeroen Roovers 2007-11-08 16:09:07 0000 ------- 
Stable for HPPA:
   www-client/seamonkey-1.1.6

------- Comment #30 From Samuli Suominen 2007-11-12 16:57:30 0000 ------- 
amd64 stable for www-client/mozilla-firefox-2.0.0.9

------- Comment #31 From Samuli Suominen 2007-11-12 18:56:00 0000 ------- 
(In reply to comment #30)
> amd64 stable for www-client/mozilla-firefox-2.0.0.9 
> 

xulrunner/seamonkey/seamonkey-bin stable

amd64 done, removing CC

------- Comment #32 From Pierre-Yves Rofes 2007-11-12 21:24:43 0000 ------- 
GLSA 200711-14