Bug 214816 - mozilla-firefox <2.0.0.13, mozilla-thunderbird <2.0.0.14, seamonkey <1.1.9, xulrunner <1.8.1.13 Multiple vulnerabilites (CVE-2007-4879, CVE-2008-{1233,1234,1235,1236,1237,1238,1240,1241})
Bug#: 214816 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.13
Summary: mozilla-firefox <2.0.0.13, mozilla-thunderbird <2.0.0.14, seamonkey <1.1.9, xulrunner <1.8.1.13 Multiple vulnerabilites (CVE-2007-4879, CVE-2008-{1233,1234,1235,1236,1237,1238,1240,1241})
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2008-03-26 01:51 0000
Description:   Opened: 2008-03-26 01:51 0000 
Firefox 2.0.0.13 is out, security fixes as usual.

------- Comment #1 From Michael Schachtebeck 2008-03-26 09:36:30 0000 ------- 
2.0.0.13 fixes (among others) 2 critical vulnerabilities, see
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.13.

------- Comment #2 From Raúl Porcel 2008-03-26 13:54:30 0000 ------- 
=www-client/mozilla-firefox[-bin]-2.0.0.13
=net-libs/xulrunner-1.8.1.13
=www-client/seamonkey[-bin]-1.1.9

in the tree

------- Comment #3 From Robert Buchholz 2008-03-26 20:49:56 0000 ------- 
Arches, please test and mark stable:
=www-client/mozilla-firefox-2.0.0.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

=www-client/mozilla-firefox-bin-2.0.0.13
Target keywords : "amd64 release x86"

=www-client/seamonkey-1.1.9
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

=www-client/seamonkey-bin-1.1.9
Target keywords : "amd64 release x86"

=net-libs/xulrunner-1.8.1.13
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

------- Comment #4 From Robert Buchholz 2008-03-26 20:51:53 0000 ------- 
Raul, please note that as long as it's not p.masked, xulrunner-bin also needs
to be upgraded.

------- Comment #5 From Markus Meier 2008-03-27 00:03:23 0000 ------- 
amd64/x86 stable

------- Comment #6 From Robert Buchholz 2008-03-27 02:12:05 0000 ------- 
(In reply to comment #4)
> Raul, please note that as long as it's not p.masked, xulrunner-bin also needs
> to be upgraded.

*xulrunner-bin-1.8.1.13 (26 Mar 2008)

  26 Mar 2008; Raúl Porcel <armin76@gentoo.org>
  xulrunner-bin-1.8.1.12.ebuild, +xulrunner-bin-1.8.1.13.ebuild:
  Version bump

------- Comment #7 From Raúl Porcel 2008-03-27 12:26:22 0000 ------- 
alpha/ia64/sparc stable

------- Comment #8 From Brent Baude 2008-03-27 16:42:07 0000 ------- 
ppc and ppc64 done

------- Comment #9 From Robert Buchholz 2008-03-27 20:46:18 0000 ------- 
Description:
CVE-2008-1233 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1233):
  Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird
  before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to
  execute arbitrary code via "XPCNativeWrapper pollution."

CVE-2008-1234 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1234):
  Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0.0.13,
  Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote
  attackers to inject arbitrary web script or HTML via event handlers, aka
  "Universal XSS using event handlers."

CVE-2008-1235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1235):
  Unspecified vulnerability in Mozilla Firefox before 2.0.0.13, Thunderbird
  before 2.0.0.13, and SeaMonkey before 1.1.9 allows remote attackers to
  execute arbitrary code via unknown vectors that cause JavaaScript to execute
  with the wrong principal, aka "Privilege escalation via incorrect
principals."

CVE-2008-1236 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1236):
  Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13,
  Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote
  attackers to cause a denial of service (crash) and possibly execute arbitrary
  code via unknown vectors related to the layout engine.

CVE-2008-1237 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1237):
  Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.13,
  Thunderbird before 2.0.0.13, and SeaMonkey before 1.1.9 allow remote
  attackers to cause a denial of service (crash) and possibly execute arbitrary
  code via unknown vectors related to the JavaScript engine.

CVE-2008-1238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1238):
  Mozilla Firefox before 2.0.0.13 and SeaMonkey before 1.1.9, when generating
  the HTTP Referer header, does not list the entire URL when it contains Basic
  Authentication credentials without a username, which makes it easier for
  remote attackers to bypass application protection mechanisms that rely on
  Referer headers, such as with some Cross-Site Request Forgery (CSRF)
  mechanisms.

CVE-2008-1241 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1241):
  GUI overlay vulnerability in Mozilla Firefox before 2.0.0.13 and SeaMonkey
  before 1.1.9 allows remote attackers to spoof form elements and redirect user
  inputs via a borderless XUL pop-up window from a background tab.

------- Comment #10 From Jeroen Roovers 2008-03-28 05:03:21 0000 ------- 
Marked stable for HPPA:
  =www-client/mozilla-firefox-2.0.0.13
  =net-libs/xulrunner-1.8.1.13
  =www-client/seamonkey-1.1.9

None of these passes the Acid3 test, btw. ;-)

------- Comment #11 From Peter Volkov 2008-03-28 08:09:28 0000 ------- 
Fixed in release snapshot.

------- Comment #12 From Robert Buchholz 2008-03-29 19:48:52 0000 ------- 
GLSA is filed, waiting for Thunderbird :-/

------- Comment #13 From Vlastimil Babka (Caster) 2008-05-01 23:07:25 0000 ------- 
*** Bug 219983 has been marked as a duplicate of this bug. ***

------- Comment #14 From Robert Buchholz 2008-05-02 09:36:13 0000 ------- 
As pointed out in the duplicate (see comment 13), Thunderbird 2.0.0.14 has been
released.

------- Comment #15 From Raúl Porcel 2008-05-02 14:28:43 0000 ------- 
mail-client/mozilla-thunderbird[-bin]-2.0.0.14 in the tree

------- Comment #16 From Tobias Heinlein 2008-05-03 10:47:10 0000 ------- 
Arches, please test and mark stable:
=mozilla-thunderbird-2.0.0.14
Target keywords: "alpha amd64 ia64 ppc ppc64 release sparc x86"

=mozilla-thunderbird-bin-2.0.0.14
Target keywords: "amd64 release x86"

------- Comment #17 From Hanno Boeck 2008-05-03 23:30:21 0000 ------- 
CC-in archs for thunderbird stabilization.

------- Comment #18 From Markus Meier 2008-05-04 13:30:12 0000 ------- 
amd64/x86 stable

------- Comment #19 From Raúl Porcel 2008-05-04 13:44:16 0000 ------- 
alpha/ia64/sparc stable

------- Comment #20 From Markus Rothe 2008-05-05 11:48:50 0000 ------- 
ppc64 stable

------- Comment #21 From Brent Baude 2008-05-05 14:08:11 0000 ------- 
ppc done

------- Comment #22 From Robert Buchholz 2008-05-20 21:20:14 0000 ------- 
GLSA 200805-18, sorry for the delay