Bug 196480 - www-client/mozilla-firefox (-bin) < 2.0.0.8, www-client/seamonkey (-bin) < 1.1.6 Multiple issues (CVE-2007-{1095,2292,4841,5334,5335,5337,5338,5339,5340})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27311/
Whiteboard: A2 [glsa]
Keywords:
Depends on: 196808
Blocks:
Reported: 2007-10-20 02:13 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-03 07:00 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-10-20 02:13:30 UTC
Secunia:
  Some vulnerabilities and a weakness have been reported in Mozilla
  Firefox, which can be exploited by malicious people to disclose
  sensitive information, conduct phishing attacks, manipulate certain
  data, and potentially compromise a user's system.

Fixed in Firefox >= 2.0.0.8

Identical vulnerabilities in SeaMonkey < 1.1.5
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-10-20 02:18:02 UTC
Mozilla, please advise.

seamonkey-1.1.5 is missing from the tree. Is it in the making already? Is anything holding back stabilization of any of these?
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-10-20 14:35:17 UTC
Mozilla, does this also affect XULRunner?
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2007-10-20 14:43:39 UTC
Yes, and seamonkey is already in the tree
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-10-20 23:35:41 UTC
Thanks, Raúl. Arches, please test and mark stable.

net-libs/xulrunner-1.8.1.8:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

www-client/mozilla-firefox-2.0.0.8:
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

www-client/mozilla-firefox-bin-2.0.0.8:
Target keywords : "amd64 x86"

www-client/seamonkey-1.1.5:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 x86"

www-client/seamonkey-bin-1.1.5:
Target keywords : "amd64 x86"
Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2007-10-21 14:13:05 UTC
How about adding app-arch/unzip as build time dependency to fix bug 194977 before this version goes stable?
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2007-10-21 14:21:34 UTC
(In reply to comment #5)
> How about adding app-arch/unzip as build time dependency to fix bug 194977
> before this version goes stable?
> 

unzip is a dep inside the mozextension eclass
Comment 7 Markus Meier gentoo-dev 2007-10-21 14:23:35 UTC
x86 stable
Comment 8 GNUtoo 2007-10-21 15:19:30 UTC
(In reply to comment #7)
> x86 stable
> 

What about making a GLSA in order to inform people about this issue?
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-10-21 15:35:47 UTC
(In reply to comment #8)
> what about making a GLSA in order to inform people about this issue?

We're handling this with a high priority; a GLSA is usually the last step of this process. So stay tuned.
Comment 10 Carsten Lohrke (RETIRED) gentoo-dev 2007-10-21 20:37:47 UTC
(In reply to comment #6)
> unzip is a dep inside the mozextension eclass


Uh - sorry...

Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-10-22 14:20:47 UTC
alpha/ia64/sparc stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-10-22 16:54:24 UTC
ppc stable
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2007-10-23 17:32:46 UTC
ppc64 stable
Comment 14 Christoph Mende (RETIRED) gentoo-dev 2007-10-23 20:47:59 UTC
amd64 stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2007-10-24 05:34:37 UTC
Stable for HPPA.
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-10-24 22:27:53 UTC
GLSA request filed.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 12:32:29 UTC
Firefox 2.0.0.8 introduced some regressions that were fixed in the recent 2.0.0.9 upgrade:
http://developer.mozilla.org/devnews/index.php/2007/10/22/firefox-2008-update-to-be-updated/

Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.9.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

www-client/mozilla-firefox-bin-2.0.0.9:
Target keywords : "amd64 x86"

net-libs/xulrunner-1.8.1.9:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Seamonkey will follow later.
Comment 18 Jurek Bartuszek (RETIRED) gentoo-dev 2007-11-03 14:19:25 UTC
x86 stable
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2007-11-03 15:56:01 UTC
alpha/ia64/sparc stable
Comment 20 Markus Rothe (RETIRED) gentoo-dev 2007-11-03 21:43:16 UTC
ppc64 stable
Comment 21 Peter Weller (RETIRED) gentoo-dev 2007-11-04 20:50:02 UTC
www-client/mozilla-firefox-bin-2.0.0.9 stable on amd64, still waiting on xulrunner
Comment 22 Roeland Douma 2007-11-05 14:15:06 UTC
AMD64:
I just compiled www-client/mozilla-firefox-2.0.0.9.
Compiles clean.
No collision

Browsing the web with so well it seems to work ;)

I think we are safe to let the firefox users have a nice time compiling the new version ;)

emerge --info:
Portage 2.1.3.16 (default-linux/amd64/2007.0/no-multilib, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r8 x86_64 AMD Turion(tm) 64 Mobile Technology MT-28
Timestamp of tree: Mon, 05 Nov 2007 02:20:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=k8 -msse3 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test unmerge-orphans userfetch userpriv"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo ftp://mirror.scarlet-internet.nl/pub/gentoo http://gentoo.tiscali.nl/ ftp://gentoo.tiscali.nl/pub/mirror/gentoo/ "
LINGUAS="en"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://godfather/gentoo-portage"
USE="X acpi alsa amd64 bash-completion bitmap-fonts bzip2 cli cracklib crypt cups dbus dri fontconfig fortran gdbm gif hal highlight history hybrid-auth iconv isdnlog jpeg jpeg2k latex midi mmx mudflap ncurses nls nowebdav nptl nptlonly nsplugin ogg opengl openmp oss pcre perl png pppd python qt3 readline reflection session spl sse sse2 ssl tcpd test tiff truetype truetype-fonts type1-fonts unicode vim-syntax vorbis xml xorg xv" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="sis"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-05 18:00:55 UTC
ppc stable
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-06 14:56:15 UTC
Stable for HPPA.
Comment 25 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-06 19:38:29 UTC
<armin76> need to readd alpha amd64 hppa ia64 ppc ppc64 and x86 for seamonkey-1.1.6 :)
<armin76> amd64 and x86 for seamonkey-bin
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2007-11-06 20:21:28 UTC
alpha/ia64/x86 stable
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-07 18:38:51 UTC
seamonkey stable for ppc.
Comment 28 Markus Rothe (RETIRED) gentoo-dev 2007-11-07 21:09:45 UTC
ppc64 stable
Comment 29 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-08 16:09:07 UTC
Stable for HPPA:
   www-client/seamonkey-1.1.6
Comment 30 Samuli Suominen (RETIRED) gentoo-dev 2007-11-12 16:57:30 UTC
amd64 stable for www-client/mozilla-firefox-2.0.0.9 
Comment 31 Samuli Suominen (RETIRED) gentoo-dev 2007-11-12 18:56:00 UTC
(In reply to comment #30)
> amd64 stable for www-client/mozilla-firefox-2.0.0.9 
> 

xulrunner/seamonkey/seamonkey-bin stable

amd64 done, removing CC
Comment 32 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-12 21:24:43 UTC
GLSA 200711-14