Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 273918 (CVE-2009-1828) - <=www-client/mozilla-firefox{,-bin}-3.0.10, <=www-client/seamonkey{,-bin}-1.1.16, <=mail-client/mozilla-thunderbird{,-bin}-2.0.0.21 Multiple vulnerabilities (CVE-2009-{1392,1828,1832,1833,1834,1835,1836,1837,1838,1839,1840,1841,2043,2044,2061,2065,2210})
Summary: <=www-client/mozilla-firefox{,-bin}-3.0.10, <=www-client/seamonkey{,-bin}-1.1...
Status: RESOLVED FIXED
Alias: CVE-2009-1828
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-06-12 20:56 UTC by Stefan Behte (RETIRED)
Modified: 2013-01-08 01:03 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-06-12 20:56:19 UTC
CVE-2009-1828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1828):
  Mozilla Firefox 3.0.10 allows remote attackers to cause a denial of
  service (infinite loop, application hang, and memory consumption) via
  a KEYGEN element in conjunction with (1) a META element specifying
  automatic page refresh or (2) a JavaScript onLoad event handler for a
  BODY element.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-13 09:20:12 UTC
CVE-2009-1832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1832):
  Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and
  SeaMonkey before 1.1.17 allow remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via vectors involving "double frame construction."

CVE-2009-1833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1833):
  The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird
  before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers
  to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code via vectors related to (1)
  js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion
  in jsinterp.c; and other vectors.

CVE-2009-1834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1834):
  Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp
  in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows
  remote attackers to spoof the location bar via an IDN with invalid
  Unicode characters that are displayed as whitespace, as demonstrated
  by the \u115A through \u115E characters.

CVE-2009-1835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1835):
  Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate
  local documents with external domain names located after the file://
  substring in a URL, which allows user-assisted remote attackers to
  read arbitrary cookies via a crafted HTML document, as demonstrated
  by a URL with file://example.com/C:/ at the beginning.

CVE-2009-1836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1836):
  Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and
  SeaMonkey before 1.1.17 use the HTTP Host header to determine the
  context of a document provided in a non-200 CONNECT response from a
  proxy server, which allows man-in-the-middle attackers to execute
  arbitrary web script by modifying this CONNECT response, aka an "SSL
  tampering" attack.

CVE-2009-1837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1837):
  Race condition in the NPObjWrapper_NewResolve function in
  modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla
  Firefox 3 before 3.0.11 might allow remote attackers to execute
  arbitrary code via a page transition during Java applet loading,
  related to a use-after-free vulnerability for memory associated with
  a destroyed Java object.

CVE-2009-1838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1838):
  The garbage-collection implementation in Mozilla Firefox before
  3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets
  an element's owner document to null in unspecified circumstances,
  which allows remote attackers to execute arbitrary JavaScript with
  chrome privileges via a crafted event handler, related to an
  incorrect context for this event handler.

CVE-2009-1839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1839):
  Mozilla Firefox 3 before 3.0.11 associates an incorrect principal
  with a file: URL loaded through the location bar, which allows
  user-assisted remote attackers to bypass intended access restrictions
  and read files via a crafted HTML document, aka a
  "file-URL-to-file-URL scripting" attack.

CVE-2009-1840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1840):
  Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not
  check content policy before loading a script file into a XUL
  document, which allows remote attackers to bypass intended access
  restrictions via a crafted HTML document, as demonstrated by a "web
  bug" in an e-mail message, or web script or an advertisement in a web
  page.

CVE-2009-1841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1841):
  js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before
  3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17
  allows remote attackers to execute arbitrary web script with the
  privileges of a chrome object, as demonstrated by the browser sidebar
  and the FeedWriter.

CVE-2009-2043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2043):
  nsViewManager.cpp in Mozilla Firefox 3.0.2 through 3.0.10 allows
  remote attackers to cause a denial of service (NULL pointer
  dereference and application crash) via vectors related to interaction
  with TinyMCE.

CVE-2009-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2044):
  Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers
  to cause a denial of service (application crash) via a URI for a
  large GIF image in the BACKGROUND attribute of a BODY element.

Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-13 09:24:15 UTC
Please bump Firefox to 3.0.11, Thunderbird 2.0.0.22 and SeaMonkey 1.1.17 are not yet available.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2009-06-13 11:12:08 UTC
=www-client/mozilla-firefox-3.0.11
=www-client/mozilla-firefox-bin-3.0.11
=net-libs/xulrunner-1.9.0.11
in the tree

Thunderbird should be out on 18 jun and seamonkey probably around the same date, or before.
Comment 4 Anders Kreinøe 2009-06-13 13:17:35 UTC
The distfiles arrent on the mirrors yet. is this a bug, or just the dist mirrors that sync slower than the rsync mirrors?
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-06-13 13:26:30 UTC
(In reply to comment #4)
> The distfiles arrent on the mirrors yet. is this a bug, or just the dist
> mirrors that sync slower than the rsync mirrors?

rsync 30 min, distfiles 4hours. But releases.mozilla.org is a geoip resolver, so no worries.
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-15 06:19:51 UTC
CVE-2009-1392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1392):
  The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird
  before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers
  to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code via vectors related to (1)
  nsEventStateManager::GetContentState and
  nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and
  ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4)
  IsPercentageAware; (5) PL_DHashTableFinish; (6)
  nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related
  to the atom table, DOM mutation events, and Unicode surrogates; (8)
  nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to
  changing the cursor; and other vectors.

Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-15 08:52:39 UTC
Arches, please test and mark stable:
=www-client/mozilla-firefox-3.0.11
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-15 20:59:49 UTC
(In reply to comment #3)
> =www-client/mozilla-firefox-3.0.11
> =www-client/mozilla-firefox-bin-3.0.11
> =net-libs/xulrunner-1.9.0.11
> in the tree

 I am sure those are the candidates for stabilisation....
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-15 22:03:29 UTC
With all USE flags disabled:

package www-client/mozilla-firefox-3.0.11 NOT merged
 * 
 * Detected file collision(s):
 * 
 *      /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js
 *      /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js
 * 
 * Searching all installed packages for file collisions...
 * 
 * Press Ctrl-C to Stop
 * 
 * net-libs/xulrunner-1.9.0.11
 *      /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js
 *      /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js
 * 
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-06-16 13:17:58 UTC
(In reply to comment #9)
> With all USE flags disabled:
> 
> package www-client/mozilla-firefox-3.0.11 NOT merged
>  * 
>  * Detected file collision(s):
>  * 
>  *      /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js
>  *      /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js
>  * 
>  * Searching all installed packages for file collisions...
>  * 
>  * Press Ctrl-C to Stop
>  * 
>  * net-libs/xulrunner-1.9.0.11
>  *      /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js
>  *      /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js
>  * 
> 

Not a regression , please go ahead
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-16 15:03:11 UTC
xulrunner and firefox stable for HPPA. Please readd us when seamonkey is due. :)
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-16 16:22:55 UTC
x86 stable
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-06-16 18:29:32 UTC
alpha/arm/ia64/sparc stable
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-17 10:18:30 UTC
CVE-2009-2061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2061):
  Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response
  before a successful SSL handshake, which allows man-in-the-middle
  attackers to execute arbitrary web script, in an https site's
  context, by modifying this CONNECT response to specify a 302 redirect
  to an arbitrary https web site.

Comment 15 Brent Baude (RETIRED) gentoo-dev 2009-06-18 01:41:05 UTC
ppc64 done
Comment 16 Brent Baude (RETIRED) gentoo-dev 2009-06-18 01:41:11 UTC
ppc done
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-18 12:38:47 UTC
CVE-2009-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2065):
  Mozilla Firefox 3.0.10, and possibly other versions, detects http
  content in https web pages only when the top-level frame uses https,
  which allows man-in-the-middle attackers to execute arbitrary web
  script, in an https site's context, by modifying an http page to
  include an https iframe that references a script file on an http
  site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages."
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-23 15:38:38 UTC
www-client/seamonkey{,-bin}-1.1.17 has been released.

http://www.seamonkey-project.org/releases/seamonkey1.1.17/changelog
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2009-06-24 15:48:30 UTC
=mail-client/mozilla-thunderbird-2.0.0.22 (requires =x11-plugins/enigmail-0.95.6-r5)
=mail-client/mozilla-thunderbird-bin-2.0.0.22
=www-client/seamonkey-1.1.17
=www-client/seamonkey-bin-1.1.17

Have fun
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 19:24:27 UTC
Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-2.0.0.22
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

Comment 21 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 19:26:36 UTC
Arches, please test and mark stable:
=www-client/seamonkey-1.1.17
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 22 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-24 19:29:42 UTC
Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-bin-2.0.0.22
=www-client/seamonkey-bin-1.1.17
Target keywords : "amd64 x86"


Comment 23 Andrew Roberts 2009-06-25 13:40:06 UTC
The mirror is unable to fetch mozilla-thunderbird-2.0.0.22-patches-0.1.tar.bz2 	as shown in the failure report:
http://dev.gentoo.org/~zmedico/infra/distfiles/failure.xml
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2009-06-25 13:41:12 UTC
Stable for HPPA: www-client/seamonkey-1.1.17
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-25 14:03:40 UTC
(In reply to comment #23)
> The mirror is unable to fetch mozilla-thunderbird-2.0.0.22-patches-0.1.tar.bz2 
> as shown in the failure report:
> http://dev.gentoo.org/~zmedico/infra/distfiles/failure.xml

 It has been fixed some minutes ago already.

Comment 26 Christian Faulhammer (RETIRED) gentoo-dev 2009-06-25 15:41:21 UTC
x86 stable
Comment 27 Richard Freeman gentoo-dev 2009-06-26 00:24:48 UTC
> =www-client/mozilla-firefox-3.0.11
> =net-libs/xulrunner-1.9.0.11

amd64 stable for these

waiting until patches are mirrored before stabilizing thunderbird
Comment 28 Raúl Porcel (RETIRED) gentoo-dev 2009-06-26 12:52:16 UTC
(In reply to comment #27)
> waiting until patches are mirrored before stabilizing thunderbird
> 

There's no patches to be mirrored. Sync your tree and you shouldn't have any issue
Comment 29 Brent Baude (RETIRED) gentoo-dev 2009-06-27 14:15:55 UTC
ppc64 done
Comment 30 Brent Baude (RETIRED) gentoo-dev 2009-06-27 14:16:01 UTC
ppc done
Comment 31 Richard Freeman gentoo-dev 2009-06-27 20:06:02 UTC
=mail-client/mozilla-thunderbird-2.0.0.22
=x11-plugins/enigmail-0.95.7-r5

amd64 stable
Comment 32 Markus Meier gentoo-dev 2009-06-28 11:55:51 UTC
amd64 stable
Comment 33 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-28 21:06:23 UTC
CVE-2009-2210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2210):
  Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow
  remote attackers to cause a denial of service (application crash) or
  possibly execute arbitrary code via a multipart/alternative e-mail
  message containing a text/enhanced part that triggers access to an
  incorrect object type.

Comment 34 Raúl Porcel (RETIRED) gentoo-dev 2009-06-29 18:43:13 UTC
alpha/arm/ia64/sparc stable
Comment 35 Raúl Porcel (RETIRED) gentoo-dev 2009-06-30 15:27:56 UTC
amd64 is missing www-client/mozilla-firefox-bin-3.0.11
Comment 36 Markus Meier gentoo-dev 2009-07-01 20:20:15 UTC
amd64 stable, all arches done.
Comment 37 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-01 22:02:18 UTC
Added to pending glsa draft.
Comment 38 Roger 2009-12-29 19:04:31 UTC
Just returned to =www-client/seamonkey-1.1.18 and find it's much faster & more robust then Firefox.
Comment 39 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:35:56 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 40 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:17 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).