Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 639854 (CVE-2017-7843, CVE-2017-7844, MFSA2017-27) - <www-client/firefox{,-bin}-{52.5.2,57.0.1}: Multiple vulnerabilities
Summary: <www-client/firefox{,-bin}-{52.5.2,57.0.1}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-7843, CVE-2017-7844, MFSA2017-27
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B4 [glsa+ cve glsa+ blocked]
Keywords:
: 640486 (view as bug list)
Depends on: CVE-2018-5091, MFSA-2018-03
Blocks:
  Show dependency tree
 
Reported: 2017-12-04 22:18 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2018-02-20 00:59 UTC (History)
2 users (show)

See Also:
Package list:
=www-client/firefox-52.5.2 =www-client/firefox-bin-52.5.2 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-12-04 22:18:29 UTC
From ${URL}:
Security vulnerabilities fixed in Firefox 57.0.1

#CVE-2017-7843: Web worker in Private Browsing mode can write IndexedDB data

Reporter
    Konark
Impact
    high

Description

When Private Browsing mode is used, it is possible for a web worker to write persistent data to IndexedDB and fingerprint a user uniquely. IndexedDB should not be available in Private Browsing mode and this stored data will persist across multiple private browsing mode sessions because it is not cleared when exiting.


CVE-2017-7844: Visited history information leak through SVG image

Reporter
    Daniel Jackson
Impact
    high

Description

A combination of an external SVG image referenced on a page and the coloring of anchor links stored within this image can be used to determine which pages a user has in their history. This can allow a malicious website to query user history.
Note: This issue only affects Firefox 57. Earlier releases are not affected.

##
The note of not affecting earlier versions seems related to the 2nd issue only in the advisory, so we might have vulnerability in stable version as well.
Comment 1 Jory A. Pratt gentoo-dev 2017-12-05 03:18:15 UTC
ebuilds are in the tree.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 20:11:21 UTC
*** Bug 640486 has been marked as a duplicate of this bug. ***
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-12-10 20:12:56 UTC
@Maintainers CVE-2017-7843 affects firefox 52 too. Please bump 52.5.2 which is fixed if we are going to keep it in tree.

Thank you
Comment 4 Jory A. Pratt gentoo-dev 2017-12-11 04:12:22 UTC
(In reply to Christopher Díaz Riveros from comment #3)
> @Maintainers CVE-2017-7843 affects firefox 52 too. Please bump 52.5.2 which
> is fixed if we are going to keep it in tree.
> 
> Thank you

ebuilds are in tree.
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-12 18:49:33 UTC
@ Arches,

please test and mark stable: =www-client/firefox-52.5.2
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-12 19:19:02 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-12-14 20:27:43 UTC
amd64 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 18:31:46 UTC
Superseded by bug 645510.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2018-02-20 00:59:15 UTC
This issue was resolved and addressed in
 GLSA 201802-03 at https://security.gentoo.org/glsa/201802-03
by GLSA coordinator Thomas Deutschmann (whissi).