Bug 277752 (CVE-2009-2477) - <=www-client/mozilla-firefox-3.5 Multiple vulnerabilities (CVE-2009-{2477,2478,2479})
Status: RESOLVED FIXED
Alias: CVE-2009-2477
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.milw0rm.com/exploits/9137
Whiteboard: A2 [glsa]
Reported: 2009-07-14 07:24 UTC by Stefan Behte (RETIRED)
Modified: 2013-01-08 01:03 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-07-14 07:24:04 UTC
Well, someone released a firefox 3.5 exploit.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-14 13:57:05 UTC
Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=503286

This is presumably the fix: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f223409207c0
Comment 2 Jory A. Pratt gentoo-dev 2009-07-14 14:14:07 UTC
(In reply to comment #1)
> Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=503286
> 
> This is presumably the fix:
> http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f223409207c0
> 

This is actually gonna all be against xulrunner. Mozilla team, refer to upstream bug report; both patches are available for 1.9.0.x and 1.9.1. Once patched, this bug will be fixed in stable and soon to be ~testing.
Comment 3 Jory A. Pratt gentoo-dev 2009-07-14 14:28:06 UTC
Nirbheek, if you would roll a 1.9.1-r1 xulrunner, vulnerability is patched in the overlay, there are other fixes that can be moved to the tree at same time if you would please.

If you do not have time to backport the 1.9.0.x fix let me know and I will handle it as well.
Comment 4 Jory A. Pratt gentoo-dev 2009-07-14 14:31:38 UTC
I also failed to make note that all -bin's are affected, xulrunner and firefox.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-14 22:13:32 UTC
http://www.kb.cert.org/vuls/id/443060
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-15 18:47:47 UTC
Also the "unicode stack overflow": http://www.packetstormsecurity.com/0907-exploits/firefox35unicode-overflow.txt
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-15 19:21:54 UTC
CVE-2009-2477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2477):
  The Just-in-time (JIT) JavaScript compiler in Mozilla Firefox 3.5
  allows remote attackers to execute arbitrary code via a crafted
  document containing P and FONT elements.

Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-16 16:24:36 UTC
CVE-2009-2478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2478):
  Mozilla Firefox 3.5 allows remote attackers to cause a denial of
  service (NULL pointer dereference and application crash) via
  unspecified vectors, related to a "flash bug."

CVE-2009-2479 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2479):
  Stack-based buffer overflow in Mozilla Firefox 3.5 allows remote
  attackers to cause a denial of service (application crash) or
  possibly have unspecified other impact via a long Unicode string
  argument to the write method.

Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-17 08:22:45 UTC
3.5.1 got released, please bump.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2009-07-17 08:38:26 UTC
Does any of the vulnerabilities in this bug affect Firefox 3.0 / Xulrunner 1.9.0 ?
Comment 11 Jory A. Pratt gentoo-dev 2009-07-17 12:40:07 UTC
(In reply to comment #10)
> Does any of the vulnerabilities in this bug affect Firefox 3.0 / Xulrunner
> 1.9.0 ?
> 

Yup.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2009-07-17 13:49:53 UTC
Can you please elaborate? All CVE entries are worded such that only Firefox 3.5 is affected, all related upstream bug reports, advisories or original research only claim Firefox 3.5 vulnerable. Which of the vulnerabilities affects Firefox 3.0 and why?
Comment 13 Hanno Böck gentoo-dev 2009-07-19 11:06:07 UTC
According to heise, CVE-2009-2479 also affects 3.5.1.

http://www.heise.de/newsticker/Buffer-Overflow-in-Firefox-3-5-1--/meldung/142201
Comment 14 Jory A. Pratt gentoo-dev 2009-07-19 14:47:54 UTC
(In reply to comment #13)
> According to heise, CVE-2009-2479 also affects 3.5.1.
> 
> http://www.heise.de/newsticker/Buffer-Overflow-in-Firefox-3-5-1--/meldung/142201
> 

This is correct. Upstream is working on the issue; as soon as the patch is released I will get it added to overlay.
Comment 15 Jory A. Pratt gentoo-dev 2009-07-21 00:40:23 UTC
(In reply to comment #12)
> Can you please elaborate? All CVE entries are worded such that only Firefox 3.5
> is affected, all related upstream bug reports, advisories or original research
> only claim Firefox 3.5 vulnerable. Which of the vulnerabilities affects Firefox
> 3.0 and why?
> 

Unicode bug is affecting <=3.5 firefox/xulrunner. All other security issues are resolved. The unicode bug is a DoS of the browser; none of the code has been found to cause an exploitable security flaw, only flaw is a crashed browser. This is still being tracked down upstream but is no longer a security issue but rather an annoyance.
Comment 16 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:00 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-29 20:59:38 UTC
Looks like the only remaining issue here was CVE-2009-2477, which only affected 3.5 (gone from tree)
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:19 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).