Fixed in Firefox 1.0.8
MFSA 2006-25 Privilege escalation through Print Preview
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
MFSA 2006-23 File stealing by changing input type
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
MFSA 2006-19 Cross-site scripting using .valueOf.call()
MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
MFSA 2006-17 cross-site scripting through window.controllers
MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
MFSA 2006-14 Privilege escalation via XBL.method.eval
MFSA 2006-13 Downloading executables with "Save Image As..."
MFSA 2006-12 Secure-site spoof (requires security warning dialog)
MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
MFSA 2006-10 JavaScript garbage-collection hazard audit
MFSA 2006-09 Cross-site JavaScript injection using event handlers
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-03 Long document title causes startup denial of Service
MFSA 2006-01 JavaScript garbage-collection hazards
mozilla team, please provide updated ebuilds
maybe it's time to mark 1.5 stable and discard old 1.0.x series
Firefox 1.5.0.2 and Seamonkey 1.0.1 fix several issues as well. Is the classic Mozilla still supported upstream, security-wise? Otherwise it should be masked/removed from the tree.
If I remember correctly, they said they will support Mozilla 1.7 for all security problems that are found. Maybe it will be released some days later... maybe it's not affected (I doubt it); it should be checked and asked.
hi, it's CVE-2006-1724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724
are concerned:
www-client/mozilla-firefox[-bin] <1.5.0.2 and <1.0.8
mail-client/mozilla-thunderbird[-bin] <1.5.0.2 and <1.0.8
www-client/mozilla[-bin] <1.7.13
www-client/seamonkey (masked) <1.0.1
status/severity: A2/major (or maybe B2/normal)
> it's CVE-2006-1724
sorry, it's all entries from CVE-2006-1724 until CVE-2006-1736 and 1739 to 1742. CVE-2006-1737 and 1738 are not public yet.
(In reply to comment #2)
> maybe it's time to mark 1.5 stable and discard old 1.0.x series
No it's not. Security updates are a bad time to rush stability tests.
*** Bug 121363 has been marked as a duplicate of this bug. ***
The mozilla suite cannot be removed from the tree until seamonkey is ported in as a dep instead of mozilla itself. I will get 1.0.8 in the tree a little later tonight; first 1.5.0.2, which should be tested by all archs and stabilized if that is possible, IMHO.
As most are aware, I am the only active mozilla dev we have at the moment. I will provide the ebuild for 1.0.8 as soon as possible. I first have to redo the entire patch tarball, as most patches have been applied upstream. Those who can, please stabilize 1.5.0.2. I am working with upstream on the sparc issue, which is the only known arch with problems at this time, other than alpha, which has mixed output at this time.
Jory: good luck, Jim
Alright, 1.5.0.2 source and binary are in the tree. If at all possible, mark 1.5.0.2 source and binary stable. If for some reason you're uncomfortable, please mark 1.0.8 binary stable for x86 and amd64 only; as soon as I am done with 1.0.8 source, those who need or wish to continue to hold back the 1.5.x branch can mark 1.0.8 stable. It will be in the tree within the next 3 hours (1.0.8 source). Will add the rest of the archs when 1.0.8 source is in the tree.
I'm using mozilla-firefox-1.5.0.2 [-debug +gnome +ipv6 +java -mozdevelop -xinerama -xprint] almost since it has been committed to the tree on x86. Everything seems to work fine so far ...
Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python: 2.3.5-r2, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css ctype cups curl dba dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastbuild ffmpeg firefox flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer
gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad memlimit mhash mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png posix pppd python quicktime readline real ruby sdl session simplexml slang soap sockets speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xsl xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
1.0.8 is in the tree, reminder to mark 1.5.0.2 stable if possible. Any questions find me on irc and I will reply as soon as possible.
Firefox-1.5.0.2 and nss-3.11-r1 stable by nixnut
SPARC'd 1.0.8 (1.5.x series is still crash-happy on SPARC).
1.0.8 is stable on x86. We'll look at 1.5.x sometime in the near future.
I tested this on alpha. When I first started firefox I got the following warnings...
tcort@topcat ~ $ firefox
No running windows found
Extension System Warning: Failed to set up default extensions files probably because you do not have write privileges to this location. While you can run Firefox like this, it is recommended that you run it at least once with privileges that allow it to generate these initial files to improve start performance. Running from a disk image on MacOS X is not recommended.*** nsExtensionManager::_disableObsoleteExtensions - failure, catching exception so finalize window can close
*** loading the extensions datasource
Extension System Warning: Failed to set up default extensions files probably because you do not have write privileges to this location. While you can run Firefox like this, it is recommended that you run it at least once with privileges that allow it to generate these initial files to improve start performance. Running from a disk image on MacOS X is not recommended.Extension System Warning: Failed to set up default extensions files probably because you do not have write privileges to this location. While you can run Firefox like this, it is recommended that you run it at least once with privileges that allow it to generate these initial files to improve start performance. Running from a disk image on MacOS X is not recommended.*** loading the extensions datasource
The above message kept repeating itself until I killed firefox-bin. I then re-ran it as root. It worked, but I got the following warnings...
topcat ~ # firefox
No running windows found
*** nsExtensionManager::_disableObsoleteExtensions - failure, catching exception so finalize window can close
*** loading the extensions datasource
*** loading the extensions datasource
After running it as root I tried it again with a regular user and it worked, but I got the following warnings...
tcort@topcat ~ $ firefox
No running windows found
*** loading the extensions datasource
*** ExtensionManager:_updateManifests: no access privileges to application directory, skipping.
*** loading the extensions datasource
*** ExtensionManager:_updateManifests: no access privileges to application directory, skipping.
Besides that, everything works. I've been surfing for a while, checking gmail, etc without any problems. I had 1.5.0.2 on this box previously for testing, but before running firefox 1.0.8 I did do an "rm -rf ~/.mozilla".
www-client/mozilla-firefox-1.0.8 USE="gnome ipv6 truetype -debug -mozcalendar -mozdevelop -moznoxft -mozsvg -xinerama -xprint"
topcat ~ # emerge --info
Portage 2.1_pre7-r5 (default-linux/alpha/no-nptl/2.4, gcc-3.4.6, glibc-2.3.6-r3, 2.4.32 alpha)
=================================================================
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python: 2.3.5, 2.4.2-r1
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r2
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.4.26-r1
ACCEPT_KEYWORDS="alpha ~alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.mirrored.ca/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/java-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alpha X aac aalib aim alsa apache2 artworkextra async audacious audiofile bash-completion berkdb binfilter bitmap-fonts bittorrent bl bonjour c++ cairo calendar cdinstall cdparanoia cdr cdrom chroot cli config_wizard cracklib crypt cscope csv ctype cups curl curlwrappers cvs cvsgraph dba dhcp dillo dri editor eds elf encode epiphany escreen esd ethereal expat extraicons extras fastbuild ffmpeg fftw figlet firefox flac force-cgi-redirect ftp gd gdb gdbm gif glep gnome gnutls gpm grammar gsl gstreamer gtalk gtk gtk2 gtkspell gvim gzip html icq id3 imlib ipv6 jabber javascript jpeg justify ladspa lame libg++ libsexy libwww lite lj logrotate lua mad mapeditor md5sum memlimit mikmod motif moznoirc moznomail moznoroaming mozsha1 mp3 mpeg mpeg2 mplayer msn msnextras music ncurses net nethack nls offensive ogg oggvorbis opengl openssh openssl oscar oss pam pcre pdflib perl png posix python quicktime quotes readline recode reiserfs scp screen sdl session sftp simplexml skins sndfile soap sockets sounds sox speech spell spl ssl subversion symlink syslog tcpd threads tokenizer truetype truetype-fonts type1-fonts userlocales vcd videos vim vim-with-x vorbis wma wma123 xml xml2 xmlreader xmms xsl xv xvid yahoo zip zlib elibc_glibc kernel_linux userland_GNU"
Unset: ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
Hi,
seamonkey-1.0.1 builds and works fine on ~x86. I had to drop two patches from seamonkey-1.0-patches-0.4.tar.bz2 which are
065_firefox-1.5-nsStackFrameUnix.patch.bz2
066_firefox-1.5-nsStackFrameUnix.patch.bz2
all other patches applied without any errors.
@ Jory: I have created an ebuild for seamonkey-1.0.1. You can find it here: http://polynomial-c.homelinux.net/pub/gentoo/portage/www-client/seamonkey/
Cheers
Poly-C
Okay, I was about to work on this for HPPA but guess what, all the HPPA specific patches were removed from the mozilla-firefox ebuild. That makes a non working firefox since january on hppa... Anarchy, please fix your breakage until I do anything.
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
>
> Anarchy, please fix your breakage until I do anything.
>
Patches might have been dropped from the 1.5 branch, but the 1.0.8 bump is based off of az work. Do NOT cc me on a bug report related to mozilla; I am already emailed via alias.
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
>
> Anarchy, please fix your breakage until I do anything.
>
I have done a bit of digging: the hppa patch has already been applied upstream in the 1.5.x branch. If it compiles and runs stable, mark it stable. I will check the 1.0.8 branch tomorrow after I get home from work, but I imagine it has been applied as well.
Stable on AMD64
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
>
> Anarchy, please fix your breakage until I do anything.
>
The patch has already been applied upstream for 1.0.8 for hppa as well. I would suggest ya test before you open mouth and insert foot!!
x86, hppa, ia64: please test and mark 1.5.0.2 stable or explain why you can't
x86: don't forget the -bin version
1.5.x isn't needed for this bug. We've already marked 1.0.8 stable. Removing x86.
(In reply to comment #18) The problems I was having were due to downgrading from 1.5.0.2. After fixing the permissions firefox-1.0.8 works fine for me. It works well for ferdy too. alpha stable.
x86 was already done, sorry for the noise
Waiting on hppa for GLSA release.
Stable on hppa. Sorry Anarchy for this misunderstanding.
Ready for GLSA
GLSA 200604-12
I was searching through the bug database to see if I could find any explanation for why firefox 1.5 hasn't been marked stable on x86 so long after its release, and this bug and bug 121363 were the only ones I could find. So along the lines of bug 121363 comment 23, I'll just make a note of my experience w/ 1.5: I have been using firefox 1.5.0.1 on my system for about two weeks with no problems (emerge'd on Apr 6). It seems very stable. Let me know if you need more info about my system, or if there is somewhere else that this information should be reported other than this bug.