Bug 129924 - www-client/mozilla-firefox[-bin] 1.0.8 fixes 16 security holes
Summary: www-client/mozilla-firefox[-bin] 1.0.8 fixes 16 security holes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa] koon
Keywords:
Duplicates: 121363
Depends on:
Blocks:
 
Reported: 2006-04-14 03:41 UTC by ollonois
Modified: 2006-10-15 04:25 UTC

Description ollonois 2006-04-14 03:41:40 UTC
Fixed in Firefox 1.0.8
MFSA 2006-25 Privilege escalation through Print Preview
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
MFSA 2006-23 File stealing by changing input type
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
MFSA 2006-19 Cross-site scripting using .valueOf.call()
MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
MFSA 2006-17 cross-site scripting through window.controllers
MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
MFSA 2006-14 Privilege escalation via XBL.method.eval
MFSA 2006-13 Downloading executables with "Save Image As..."
MFSA 2006-12 Secure-site spoof (requires security warning dialog)
MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
MFSA 2006-10 JavaScript garbage-collection hazard audit
MFSA 2006-09 Cross-site JavaScript injection using event handlers
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-03 Long document title causes startup denial of Service
MFSA 2006-01 JavaScript garbage-collection hazards
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2006-04-14 04:18:35 UTC
mozilla team, please provide updated ebuilds
Comment 2 Patrizio Bassi 2006-04-14 05:04:30 UTC
maybe it's time to mark 1.5 stable and discard old 1.0.x series
Comment 3 Carsten Lohrke (RETIRED) gentoo-dev 2006-04-14 05:08:31 UTC
Firefox 1.5.0.2 and Seamonkey 1.0.1 fix several issues as well. Is the classic Mozilla still supported upstream, security-wise? Otherwise it should be masked/removed from the tree.
Comment 4 Patrizio Bassi 2006-04-14 05:21:05 UTC
If I remember correctly, they said they will support Mozilla 1.7 for all security problems that are found.

Maybe it will be released some days later. Maybe it's not affected (I doubt it); it should be checked and asked.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-14 06:29:53 UTC
hi,

it's CVE-2006-1724
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1724


The following are concerned:
www-client/mozilla-firefox[-bin] <1.5.0.2  and <1.0.8
mail-client/mozilla-thunderbird[-bin] <1.5.0.2 and <1.0.8
www-client/mozilla[-bin] <1.7.13
www-client/seamonkey (masked) <1.0.1 

status/severity: A2/major (or maybe B2/normal)

Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-14 06:39:40 UTC
> it's    CVE-2006-1724

sorry, it's all entries from CVE-2006-1724 until CVE-2006-1736 and 1739 to 1742.

CVE-2006-1737 and 1738 are not public yet.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2006-04-14 08:22:17 UTC
(In reply to comment #2)
> maybe it's time to mark 1.5 stable and discard old 1.0.x series

No, it's not. Security updates are a bad time to rush stability tests.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-04-14 08:24:27 UTC
*** Bug 121363 has been marked as a duplicate of this bug. ***
Comment 9 Jory A. Pratt 2006-04-14 14:14:41 UTC
The mozilla suite cannot be removed from the tree until seamonkey is ported in as a dep instead of mozilla itself. I will get 1.0.8 in the tree a little later tonight; first 1.5.0.2, which should be tested by all archs and stabilized in the cases where that is possible, IMHO.
Comment 10 Jory A. Pratt 2006-04-14 16:40:45 UTC
As most are aware, I am the only active mozilla dev we have at the moment. I will provide the ebuild for 1.0.8 as soon as possible. I have to first redo the entire patch tarball, as most have been applied upstream. Those who can, please stabilize 1.5.0.2. I am working with upstream on the sparc issue, which is the only known arch at this time with problems, other than alpha, which has mixed output at this time.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 06:00:07 UTC
Jory: good luck, Jim
Comment 12 Jory A. Pratt 2006-04-15 08:06:44 UTC
Alright, 1.5.0.2 source and binary are in the tree. If at all possible, mark 1.5.0.2 source and binary stable. If for some reason you're uncomfortable, please mark 1.0.8 binary stable for x86 and amd64 only. As soon as the 1.0.8 source is done, those who need or wish to continue to hold back the 1.5.x branch, mark 1.0.8 stable. It will be in the tree within the next 3 hours (1.0.8 source). Will add the rest of the archs when 1.0.8 source is in the tree.
Comment 13 Matthias Langer 2006-04-15 08:16:17 UTC
I'm using mozilla-firefox-1.5.0.2 [-debug +gnome +ipv6 +java -mozdevelop -xinerama -xprint] almost since it has been committed to the tree on x86. Everything seems to work fine so far ...

Portage 2.0.54 (default-linux/x86/2006.0, gcc-3.4.5, glibc-2.3.5-r3, 2.6.15-gentoo-r5 i686)
=================================================================
System uname: 2.6.15-gentoo-r5 i686 AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.14
dev-lang/python:     2.3.5-r2, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.inode.at/ "
LANG="en_US.utf8"
LC_ALL="en_US.utf8"
LINGUAS="en de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://192.168.0.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aalib alsa apm audiofile avi berkdb bitmap-fonts bonobo bzip2 bzlib cairo cdr cli crypt css ctype cups curl dba dbus divx4linux dri dts dv dvd dvdr dvdread emboss encode evo exif expat fam fame fastbuild ffmpeg firefox flac foomaticdb force-cgi-redirect fortran ftp gd gdbm gif glut gmp gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hal idn imagemagick imlib ipv6 isdnlog java jpeg junit lcms libg++ libwww mad memlimit mhash mikmod mmx mmxext mng motif mp3 mpeg nautilus ncurses nls nptl nsplugin nvidia ogg oggvorbis openal opengl pam pcre pdflib perl plotutils png posix pppd python quicktime readline real ruby sdl session simplexml slang soap sockets speex spell spl sqlite sse ssl subtitles svga tcltk tcpd tetex theora tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd video_cards_nvidia vorbis win32codecs wma xine xml xml2 xmms xsl xv xvid zlib linguas_en linguas_de userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, INSTALL_MASK, LDFLAGS
Comment 14 Jory A. Pratt 2006-04-15 11:13:50 UTC
1.0.8 is in the tree, reminder to mark 1.5.0.2 stable if possible. Any questions find me on irc and I will reply as soon as possible.
Comment 15 Matti Bickel (RETIRED) gentoo-dev 2006-04-15 14:35:02 UTC
Firefox-1.5.0.2 and nss-3.11-r1 stable by nixnut
Comment 16 Jason Wever (RETIRED) gentoo-dev 2006-04-15 14:59:40 UTC
SPARC'd 1.0.8 (1.5.x series is still crash-happy on SPARC).
Comment 17 Mark Loeser (RETIRED) gentoo-dev 2006-04-15 17:09:07 UTC
1.0.8 is stable on x86.  We'll look at 1.5.x sometime in the near future.
Comment 18 Thomas Cort (RETIRED) gentoo-dev 2006-04-16 07:13:35 UTC
I tested this on alpha. When I first started firefox I got the following warnings...


tcort@topcat ~ $ firefox
No running windows found
Extension System Warning: Failed to set up default extensions files probably because you do not have write privileges to this location. While you can run Firefox like this, it is recommended that you run it at least once with privileges that allow it to generate these initial files to improve start performance. Running from a disk image on MacOS X is not recommended.*** nsExtensionManager::_disableObsoleteExtensions - failure, catching exception so finalize window can close
*** loading the extensions datasource
Extension System Warning: Failed to set up default extensions files probably because you do not have write privileges to this location. While you can run Firefox like this, it is recommended that you run it at least once with privileges that allow it to generate these initial files to improve start performance. Running from a disk image on MacOS X is not recommended.Extension System Warning: Failed to set up default extensions files probably because you do not have write privileges to this location. While you can run Firefox like this, it is recommended that you run it at least once with privileges that allow it to generate these initial files to improve start performance. Running from a disk image on MacOS X is not recommended.*** loading the extensions datasource


The above message kept repeating itself until I killed firefox-bin. I then re-ran it as root. It worked, but I got the following warnings...


topcat ~ # firefox
No running windows found
*** nsExtensionManager::_disableObsoleteExtensions - failure, catching exception so finalize window can close
*** loading the extensions datasource
*** loading the extensions datasource


After running it as root I tried it again with a regular user and it worked, but I got the following warnings...


tcort@topcat ~ $ firefox
No running windows found
*** loading the extensions datasource
*** ExtensionManager:_updateManifests: no access privileges to application directory, skipping.
*** loading the extensions datasource
*** ExtensionManager:_updateManifests: no access privileges to application directory, skipping.

Besides that, everything works. I've been surfing for a while, checking gmail, etc without any problems. I had 1.5.0.2 on this box previously for testing, but before running firefox 1.0.8 I did do an "rm -rf ~/.mozilla".

www-client/mozilla-firefox-1.0.8  USE="gnome ipv6 truetype -debug -mozcalendar -mozdevelop -moznoxft -mozsvg -xinerama -xprint"

topcat ~ # emerge --info
Portage 2.1_pre7-r5 (default-linux/alpha/no-nptl/2.4, gcc-3.4.6, glibc-2.3.6-r3, 2.4.32 alpha)
=================================================================
System uname: 2.4.32 alpha EV56
Gentoo Base System version 1.12.0_pre16
dev-lang/python:     2.3.5, 2.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r2
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.4.26-r1
ACCEPT_KEYWORDS="alpha ~alpha"
AUTOCLEAN="yes"
CBUILD="alpha-unknown-linux-gnu"
CFLAGS="-mieee -pipe -O2 -mcpu=ev56"
CHOST="alpha-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/env.d"
CXXFLAGS="-mieee -pipe -O2 -mcpu=ev56"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.mirrored.ca/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/java-experimental"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="alpha X aac aalib aim alsa apache2 artworkextra async audacious audiofile bash-completion berkdb binfilter bitmap-fonts bittorrent bl bonjour c++ cairo calendar cdinstall cdparanoia cdr cdrom chroot cli config_wizard cracklib crypt cscope csv ctype cups curl curlwrappers cvs cvsgraph dba dhcp dillo dri editor eds elf encode epiphany escreen esd ethereal expat extraicons extras fastbuild ffmpeg fftw figlet firefox flac force-cgi-redirect ftp gd gdb gdbm gif glep gnome gnutls gpm grammar gsl gstreamer gtalk gtk gtk2 gtkspell gvim gzip html icq id3 imlib ipv6 jabber javascript jpeg justify ladspa lame libg++ libsexy libwww lite lj logrotate lua mad mapeditor md5sum memlimit mikmod motif moznoirc moznomail moznoroaming mozsha1 mp3 mpeg mpeg2 mplayer msn msnextras music ncurses net nethack nls offensive ogg oggvorbis opengl openssh openssl oscar oss pam pcre pdflib perl png posix python quicktime quotes readline recode reiserfs scp screen sdl session sftp simplexml skins sndfile soap sockets sounds sox speech spell spl ssl subversion symlink syslog tcpd threads tokenizer truetype truetype-fonts type1-fonts userlocales vcd videos vim vim-with-x vorbis wma wma123 xml xml2 xmlreader xmms xsl xv xvid yahoo zip zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 19 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2006-04-16 14:55:41 UTC
Hi,

seamonkey-1.0.1 builds and works fine on ~x86.
I had to drop two patches from seamonkey-1.0-patches-0.4.tar.bz2 which are

065_firefox-1.5-nsStackFrameUnix.patch.bz2
066_firefox-1.5-nsStackFrameUnix.patch.bz2

all other patches applied without any errors.

@ Jory:
I have created an ebuild for seamonkey-1.0.1
You can find it here:
http://polynomial-c.homelinux.net/pub/gentoo/portage/www-client/seamonkey/

Cheers
Poly-C
Comment 20 Guy Martin (RETIRED) gentoo-dev 2006-04-17 09:12:53 UTC
Okay, I was about to work on this for HPPA but guess what, all the HPPA specific patches were removed from the mozilla-firefox ebuild. That makes a non working firefox since january on hppa...

Anarchy, please fix your breakage until I do anything.
Comment 21 Jory A. Pratt 2006-04-18 15:43:47 UTC
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
> 
> Anarchy, please fix your breakage until I do anything.
> 

Patches might have been dropped from the 1.5 branch, but the 1.0.8 bump is based off of az work. Do NOT cc me on a bug report related to mozilla; I am already emailed via alias.
Comment 22 Jory A. Pratt 2006-04-18 19:25:48 UTC
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
> 
> Anarchy, please fix your breakage until I do anything.
> 
I have done a bit of digging: the hppa patch has already been applied upstream in the 1.5.x branch. If it compiles and runs stable, mark it stable. I will check the 1.0.8 branch tomorrow after I get home from work, but I imagine it has been applied as well.
Comment 23 Jory A. Pratt 2006-04-18 19:35:01 UTC
Stable on AMD64
Comment 24 Jory A. Pratt 2006-04-19 14:59:41 UTC
(In reply to comment #20)
> Okay, I was about to work on this for HPPA but guess what, all the HPPA
> specific patches were removed from the mozilla-firefox ebuild. That makes a non
> working firefox since january on hppa...
> 
> Anarchy, please fix your breakage until I do anything.
> 

Patch has already been applied upstream as well for 1.0.8 for hppa. I would suggest ya test before you open mouth and insert foot!!
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2006-04-21 09:53:46 UTC
x86, hppa, ia64: please test and mark 1.5.0.2 stable or explain why you can't
x86: don't forget the -bin version
Comment 26 Chris Gianelloni (RETIRED) gentoo-dev 2006-04-21 11:53:38 UTC
1.5.x isn't needed for this bug.  We've already marked 1.0.8 stable.  Removing x86.
Comment 27 Thomas Cort (RETIRED) gentoo-dev 2006-04-21 12:36:38 UTC
(In reply to comment #18)
The problems I was having were due to downgrading from 1.5.0.2. After fixing the permissions firefox-1.0.8 works fine for me. It works well for ferdy too.

alpha stable.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2006-04-21 13:33:39 UTC
x86 was already done, sorry for the noise
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 03:03:48 UTC
Waiting on hppa for GLSA release.
Comment 30 Guy Martin (RETIRED) gentoo-dev 2006-04-22 10:05:11 UTC
Stable on hppa. Sorry Anarchy for this misunderstanding.
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2006-04-22 10:59:49 UTC
Ready for GLSA
Comment 32 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-23 13:02:26 UTC
GLSA 200604-12
Comment 33 Matt McHenry 2006-04-23 15:00:37 UTC
I was searching through the bug database to see if I could find any explanation for why firefox 1.5 hasn't been marked stable on x86 so long after its release, and this bug and bug 121363 were the only ones I could find.

So along the lines of bug 121363 comment 23, I'll just make a note of my experience w/ 1.5: I have been using firefox 1.5.0.1 on my system for about two weeks with no problems (emerge'd on Apr 6).  It seems very stable.  Let me know if you need more info about my system, or if there is somewhere else that this information should be reported other than this bug.