Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 297532 - <www-client/{icecat,mozilla-firefox,mozilla-firefox-bin}-3.5.6: Multiple vulnerabilities (CVE-2009-{3388,3389,3979,3982,3983,3984,3985,3986,3987})
Summary: <www-client/{icecat,mozilla-firefox,mozilla-firefox-bin}-3.5.6: Multiple vuln...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/known...
Whiteboard: B2 [glsa]
Keywords:
: 297395 (view as bug list)
Depends on: 297658 300145
Blocks:
  Show dependency tree
 
Reported: 2009-12-19 15:48 UTC by Gordon Pettey
Modified: 2013-01-08 01:03 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gordon Pettey 2009-12-19 15:48:52 UTC
Firefox 3.5.6 released December 16 2009, with 7 security fixes.

http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.6

Reproducible: Always

Steps to Reproduce:
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2009-12-19 17:31:39 UTC
3.5.6 in main tree.
Archies please proceed:

=net-libs/xulrunner-1.9.1.6
=www-client/mozilla-firefox-3.5.6
Comment 2 Jory A. Pratt gentoo-dev 2009-12-19 18:10:09 UTC
Icecat will be updated in a bit.
Comment 3 Torsten Kaiser 2009-12-20 09:59:17 UTC
Bug 297395 seems to be duplicate of this bug.

The security bugs are also in www-client/seamonkey-2.0 and fixed in seamonkey-2.0.1
Comment 4 Brent Baude (RETIRED) gentoo-dev 2009-12-20 14:42:37 UTC
ppc64 done. Had to drag sqlite with this bug too.  Please add us back on if you need seamonkey or else done.
Comment 5 Petteri Räty (RETIRED) gentoo-dev 2009-12-20 14:48:47 UTC
(In reply to comment #4)
> ppc64 done. Had to drag sqlite with this bug too.  Please add us back on if you
> need seamonkey or else done.
> 

Added a dependency bug for sqlite Go with 3.6.20-r1
Comment 6 Malte Starostik 2009-12-21 17:48:21 UTC
*** Bug 297395 has been marked as a duplicate of this bug. ***
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-22 16:00:20 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-22 21:26:32 UTC
Stable for PPC.
Comment 9 Pacho Ramos gentoo-dev 2009-12-23 18:32:49 UTC
(In reply to comment #1)
> 3.5.6 in main tree.
> Archies please proceed:
> 
> =net-libs/xulrunner-1.9.1.6
> =www-client/mozilla-firefox-3.5.6
> 

Both stable on amd64, if you want also icecat, readd us

Regards
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-27 22:21:59 UTC
amd64, you forgot mozilla-firefox-bin and you should do icecat in my eyes....or can you stand being less cool than x86 which has icecat stable?
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-27 22:49:08 UTC
x86 stable
Comment 12 Pacho Ramos gentoo-dev 2009-12-27 23:48:28 UTC
If I don't misremember, when I marked firefox and xulrunner stable on amd64, firefox-bin was still missing from main tree and, about icecat, I didn't stable it since there were no stable version and HPPA and PPC teams didn't stable it also

I will look at them tomorrow if possible
Comment 13 Jory A. Pratt gentoo-dev 2009-12-28 00:45:22 UTC
(In reply to comment #12)
> If I don't misremember, when I marked firefox and xulrunner stable on amd64,
> firefox-bin was still missing from main tree and, about icecat, I didn't stable
> it since there were no stable version and HPPA and PPC teams didn't stable it
> also
> 
> I will look at them tomorrow if possible
> 

There is no need to rush icecat to stable. Any arch that has stable keywords will need to, all others can ignore icecat. There are other bugs mozilla herd has to work out in icecat.
Comment 14 Pacho Ramos gentoo-dev 2009-12-28 18:48:52 UTC
remaining ones stable on amd64
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2010-01-02 18:31:51 UTC
alpha/arm/ia64/sparc stable
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 15:59:08 UTC
CVE-2009-3388 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3388):
  liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before
  2.0.1 might allow context-dependent attackers to cause a denial of
  service (application crash) or execute arbitrary code via unspecified
  vectors, related to "memory safety issues."

Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:02:25 UTC
CVE-2009-3389 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3389):
  Integer overflow in libtheora in Xiph.Org Theora before 1.1, as used
  in Mozilla Firefox 3.5 before 3.5.6 and SeaMonkey before 2.0.1,
  allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via a video with large
  dimensions.

Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:04:54 UTC
CVE-2009-3979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3979):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1,
  and Thunderbird allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:44:45 UTC
CVE-2009-3982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3982):
  Multiple unspecified vulnerabilities in the JavaScript engine in
  Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and
  Thunderbird allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

CVE-2009-3983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3983):
  Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
  before 2.0.1, allows remote attackers to send authenticated requests
  to arbitrary applications by replaying the NTLM credentials of a
  browser user.

Comment 20 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:46:45 UTC
CVE-2009-3984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3984):
  Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
  before 2.0.1, allows remote attackers to spoof an SSL indicator for
  an http URL or a file URL by setting document.location to an https
  URL corresponding to a site that responds with a No Content (aka 204)
  status code and an empty body.

Comment 21 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:47:41 UTC
CVE-2009-3985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3985):
  Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
  before 2.0.1, allows remote attackers to associate spoofed content
  with an invalid URL by setting document.location to this URL, and
  then writing arbitrary web script or HTML to the associated blank
  document, a related issue to CVE-2009-2654.

Comment 22 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:48:28 UTC
CVE-2009-3986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3986):
  Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey
  before 2.0.1, allows remote attackers to execute arbitrary JavaScript
  with chrome privileges by leveraging a reference to a chrome window
  from a content window, related to the window.opener property.

Comment 23 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:49:09 UTC
CVE-2009-3987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3987):
  The GeckoActiveXObject function in Mozilla Firefox before 3.0.16 and
  3.5.x before 3.5.6, and SeaMonkey before 2.0.1, generates different
  exception messages depending on whether the referenced COM object is
  listed in the registry, which allows remote attackers to obtain
  potentially sensitive information about installed software by making
  multiple calls that specify the ProgID values of different COM
  objects.

Comment 24 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:30 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 25 David 2012-11-28 03:37:43 UTC
Can't this bug be closed since these package versions are no longer in the Portage tree?
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:39 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).