Bug#: 84074
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Thierry Carrez (RETIRED) <koon@gentoo.org>

Description:   Opened: 2005-03-04 04:41 0000
Those will be fixed in upcoming Mozilla 1.7.6 release:

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing (Gentoo bug 81113)
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files (Gentoo bug 81011)
MFSA 2005-27 Plugins can be used to load privileged content (CAN-2005-0527) (Gentoo bug 81307)
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab (Gentoo bug 81307)
MFSA 2005-25 Image drag and drop executable spoofing (Gentoo bug 81307)
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-18 Memory overwrite in string library (CAN-2005-0255)
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing (CAN-2004-1156) (Gentoo bug 73870)

------- Comment #1 From Thierry Carrez (RETIRED) 2005-03-22 00:38:56 0000 -------
Fixed in 1.7.6:
MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
MFSA 2005-27 Plugins can be used to load privileged content
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
MFSA 2005-25 Image drag and drop executable spoofing
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing

Mozilla team, please bump

------- Comment #2 From Thierry Carrez (RETIRED) 2005-03-23 06:23:41 0000 -------
net-www/mozilla bumped to 1.7.6 thanks to brad, mozilla-bin still needed.
CC-ing seemant so that he keeps us posted in case mozilla changes category.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-03-23 06:26:52 0000 -------
Arches: please test and mark mozilla-1.7.6 stable...

------- Comment #4 From Brad Laue (RETIRED) 2005-03-23 06:32:33 0000 -------
mozilla-bin updated and bumped to stable.

------- Comment #5 From Brad Laue (RETIRED) 2005-03-23 06:32:56 0000 -------
Err, on x86. 

------- Comment #6 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-23 11:22:47 0000 -------
The new ebuild fails for me (ppc, USE includes ldap) on libldap50.so:

======= making ./libldap50.so
ld -shared -Wl,-soname -Wl,libldap50.so    -o libldap50.so ./abandon.o ./add.o ./bind.o ./cache.o ./charray.o ./charset.o ./compare.o ./compat.o ./control.o ./countvalues.o ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o ./free.o ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o ./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o ./message.o ./modify.o ./open.o ./os-ip.o ./proxyauthctrl.o ./psearch.o ./referral.o ./regex.o ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o ./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o ./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o  -L/var/tmp/portage/mozilla-1.7.6/work/mozilla/dist/lib -llber50
ld: unrecognized option '-Wl,-soname'
ld: use the --help option for usage information
gmake[5]: *** [libldap50.so] Error 1
gmake[5]: *** Waiting for unfinished jobs....

------- Comment #7 From Serge 2005-03-23 13:36:49 0000 -------
The new ebuild fails for me (x86, USE="nptl -kde -qt cdr tcltk -ipv6" with
ldap installed) on libldap50.so:

======= making ./libldap50.so
ld -shared -Wl,-soname -Wl,libldap50.so    -o libldap50.so ./abandon.o ./add.o
./bind.o ./cache.o ./charray.o ./charset.o ./compare.o ./compat.o ./control.o
./countvalues.o ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o
./free.o ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o
./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o ./message.o
./modify.o ./open.o ./os-ip.o ./proxyauthctrl.o ./psearch.o ./referral.o
./regex.o ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o
./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o
./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o 
-L/var/tmp/portage/mozilla-1.7.6/work/mozilla/dist/lib -llber50
ld: unrecognized option '-Wl,-soname'
ld: use the --help option for usage information
gmake[5]: *** [libldap50.so] Error 1
gmake[5]: *** Waiting for unfinished jobs....

------- Comment #8 From Aron Griffis (RETIRED) 2005-03-23 14:41:54 0000 -------
Ok, I fixed the ldap issue, I believe.  Please update and test

------- Comment #9 From Jason Wever (RETIRED) 2005-03-23 20:33:48 0000 -------
SPARCtastic

------- Comment #10 From Thierry Carrez (RETIRED) 2005-03-24 01:37:13 0000 -------
Arches, please test and mark stable:

mozilla-1.7.6-r1: alpha amd64 hppa ia64 ppc

------- Comment #11 From Michael Hanselmann (hansmi) (RETIRED) 2005-03-24 11:44:39 0000 -------
Stable on ppc.

------- Comment #12 From Thierry Carrez (RETIRED) 2005-03-25 00:41:38 0000 -------
alpha and ia64 are done

------- Comment #13 From Serge 2005-03-25 03:46:34 0000 -------
on x86 the libldap50.so error is corrected
Thanks.

------- Comment #14 From Simon Stelling (RETIRED) 2005-03-25 03:52:27 0000 -------
all stable on amd64

------- Comment #15 From Thierry Carrez (RETIRED) 2005-03-25 05:01:26 0000 -------
GLSA 200503-30
hppa should mark stable to benefit from GLSA

------- Comment #16 From René Nussbaumer 2005-06-26 06:29:44 0000 -------
ebuild no longer in portage
