Well, someone released a Firefox 3.5 exploit.
Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=503286
This is presumably the fix: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f223409207c0
(In reply to comment #1)
> Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=503286
>
> This is presumably the fix:
> http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f223409207c0
>
This is actually all gonna be against xulrunner. Mozilla team, refer to the upstream bug report; both patches are available for 1.9.0.x and 1.9.1. Once patched, this bug will be fixed in stable and soon in ~testing.
Nirbheek, if you would roll a 1.9.1-r1 xulrunner: the vulnerability is patched in the overlay, and there are other fixes that can be moved to the tree at the same time, if you would please. If you do not have time to backport the 1.9.0.x fix, let me know and I will handle it as well.
I also failed to note that all -bin's are affected, xulrunner and firefox.
http://www.kb.cert.org/vuls/id/443060
Also the "unicode stack overflow": http://www.packetstormsecurity.com/0907-exploits/firefox35unicode-overflow.txt
CVE-2009-2477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2477): The Just-in-time (JIT) JavaScript compiler in Mozilla Firefox 3.5 allows remote attackers to execute arbitrary code via a crafted document containing P and FONT elements.
CVE-2009-2478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2478): Mozilla Firefox 3.5 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via unspecified vectors, related to a "flash bug."
CVE-2009-2479 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2479): Stack-based buffer overflow in Mozilla Firefox 3.5 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long Unicode string argument to the write method.
3.5.1 got released, please bump.
Do any of the vulnerabilities in this bug affect Firefox 3.0 / Xulrunner 1.9.0?
(In reply to comment #10)
> Do any of the vulnerabilities in this bug affect Firefox 3.0 / Xulrunner
> 1.9.0?
>
Yup.
Can you please elaborate? All CVE entries are worded such that only Firefox 3.5 is affected; all related upstream bug reports, advisories and original research only claim Firefox 3.5 vulnerable. Which of the vulnerabilities affects Firefox 3.0, and why?
According to heise, CVE-2009-2479 also affects 3.5.1.
http://www.heise.de/newsticker/Buffer-Overflow-in-Firefox-3-5-1--/meldung/142201
(In reply to comment #13)
> According to heise, CVE-2009-2479 also affects 3.5.1.
>
> http://www.heise.de/newsticker/Buffer-Overflow-in-Firefox-3-5-1--/meldung/142201
>
This is correct. Upstream is working on the issue; as soon as the patch is released I will get it added to the overlay.
(In reply to comment #12)
> Can you please elaborate? All CVE entries are worded such that only Firefox 3.5
> is affected; all related upstream bug reports, advisories and original research
> only claim Firefox 3.5 vulnerable. Which of the vulnerabilities affects Firefox
> 3.0, and why?
>
The Unicode bug is affecting <=3.5 firefox/xulrunner. All other security issues are resolved. The Unicode bug is a DoS of the browser; none of the code has been found to cause an exploitable security flaw, the only flaw is a crashed browser. This is still being tracked down upstream but is no longer a security issue, rather an annoyance.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Looks like the only remaining issue here was CVE-2009-2477, which only affected 3.5 (gone from tree).
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).