Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 329279 - <net-libs/xulrunner-1.9.2.8 <www-client/firefox{,-bin}-3.6.8 <www-client/seamonkey{,-bin}-2.0.6 <www-client/icecat-3.6.8 <mail-client/thunderbird{,-bin}-3.1.1: Multiple vulnerabilities
Summary: <net-libs/xulrunner-1.9.2.8 <www-client/firefox{,-bin}-3.6.8 <www-client/seam...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-07-21 13:48 UTC by Lars Wendler (Polynomial-C) (RETIRED)
Modified: 2013-01-08 01:04 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-21 13:48:41 UTC
And another bunch of mozilla packages which fix new found security flaws.

Target keywords for thunderbird-bin/firefox-bin/seamonkey-bin are:
  amd64 x86

Target keywords for xulrunner/mozilla-firefox/seamonkey are:
  alpha amd64 arm hppa ia64 ppc ppc64 sparc x86


List of vulnerabilities concerning xulrunner/firefox and descendants:
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.7

As of this writing seamonkey still had no list about fixed vulnerabilites but I will deliver those in addition.

www-client/icecat is lagging behind (as usual). As soon as they catch up with mozilla I will notify you in this bug.

Thunderbird is affected as well. Anarchy wants to do some cleanups in the ebuild before it will be added to this bug.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-21 13:50:58 UTC
Ignore target keywords for thunderbird-bin until Anarchy did the bump. Classical cut'n'paste error from me :-/
Comment 2 Jacob Godserv 2010-07-21 15:45:28 UTC
My, you guys are fast. :)
Comment 3 Jory A. Pratt gentoo-dev 2010-07-21 22:22:07 UTC
http://www.seamonkey-project.org/news#2010-07-20

list of seamonkey vuln.
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-21 22:47:03 UTC
x86 is stable for 

net-libs/xulrunner-1.9.2.7
www-client/mozilla-firefox-3.6.7
www-client/firefox-bin-3.6.7
www-client/seamonkey-2.0.6
www-client/seamonkey-bin-2.0.6

we will stay here for thunderbird and icecat.
Comment 5 Jory A. Pratt gentoo-dev 2010-07-22 01:16:29 UTC
thunderbird-3.1.1. and thunderbird-bin-3.1.1 are in the tree make sure you mark enigmail-1.1.2-r1 as the same time please.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-22 07:55:55 UTC
Target keywords for icecat are:
  amd64 ppc ppc64 x86

Target keywords for thunderbird-bin are:
  amd64 x86

Target keywords for thunderbird are:
  alpha amd64 arm ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux

Target keywords for enigmail are:
  alpha amd64 arm ia64 ppc ppc64 sparc x86 ~x86-fbsd


List of vulnerabilities concerning thunderbird:
http://www.mozilla.org/security/known-vulnerabilities/thunderbird31#thunderbird3.1.1

List of vulnerabilities concerning seamonkey:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey20.html#seamonkey2.0.6
Comment 7 Thomas Kahle (RETIRED) gentoo-dev 2010-07-23 07:13:20 UTC
I archtested thunderbird-bin-3.1.1, thunderbird-3.1.1, enigmail-1.1.2-r1 on x86. No issues.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-23 10:38:57 UTC
Icecat yields:

Could not find compatible GRE between version 1.9.2.7 and 1.9.2.7.

Remerge did not help. Firefox reports 1.9.2.7 fine.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-23 12:35:02 UTC
Thanks Thomas for testing, so apart from  icecat, x86 stabled all packages.
Comment 10 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-23 12:48:35 UTC
+*xulrunner-1.9.2.7-r1 (23 Jul 2010)
+
+  23 Jul 2010; Lars Wendler <polynomial-c@gentoo.org>
+  -xulrunner-1.9.2.7.ebuild, +xulrunner-1.9.2.7-r1.ebuild:
+  Increased revision to fix GRE issues caused by bug #329529 and requested
+  in bug #329563.
+

fauli please test icecat with -r1. I left the keywords from -r0 intact so no need to stabilize -r1 again.
Comment 11 Amit Prakash Ambasta 2010-07-23 14:43:48 UTC
on emerge ff-3.6.7 and xulrunner-3.6.7
Could not find compatible GRE between version 1.9.2.7 and 1.9.2.7.


emerge --info

Portage 2.2_rc67 (default/linux/x86/10.0/desktop, gcc-4.4.4, glibc-2.11.2-r0, 2.6.33-gentoo-r1 i686)
=================================================================
System uname: Linux-2.6.33-gentoo-r1-i686-Intel-R-_Core-TM-2_Duo_CPU_T7250_@_2.00GHz-with-gentoo-2.0.1
Timestamp of tree: Fri, 23 Jul 2010 04:30:12 +0000
ccache version 2.4 [disabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    2.2
sys-devel/autoconf:  2.13, 2.65-r1
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1 skype-eula Q3AEULA AdobeFlash-10.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=core2 -mtune=core2 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-march=core2 -mtune=core2 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/data/tmp/"
FEATURES="assume-digests collision-protect distlocks fixpackages news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://distro.ibiblio.org/pub/linux/distributions/gentoo/ http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/ http://gentoo.mirrors.pair.com/ http://www.gtlib.gatech.edu/pub/gentoo http://gentoo.llarian.net/ http://gentoo.j-schmitz.net/mirror/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US"
MAKEOPTS="-j3"
PKGDIR="/data/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/data/temp/"
PORTDIR="/data/portage/"
PORTDIR_OVERLAY="/usr/local/portage/layman/desktop-effects /usr/local/portage/layman/x11 /usr/local/portage/layman/gnome /usr/local/portage/layman/mozilla /usr/local/portage/layman/qting-edge /usr/local/portage/layman/kde /usr/local/portage/layman/enlightenment /usr/local/portage/custom /usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa berkdb bluetooth branding bzip2 cairo cdr cjk cli consolekit cracklib crypt cxx dbus dri dts dvd dvdr emboss encode exif fam flac fortran gdbm gif gpm gtk hal iconv ipv6 jpeg lcms libnotify lm_sensors mad mikmod mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pango pcre pdf perl png policykit ppds pppd pulseaudio python qt3support qt4 readline reflection sdl session spell spl ssl startup-notification svg sysfs tcpd tiff truetype unicode usb vorbis wifi x264 x86 xcb xml xorg xulrunner xv xvid xvmc zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US" LIRC_DEVICES="irman usb_uirt_raw" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-23 14:45:51 UTC
(In reply to comment #11)
> on emerge ff-3.6.7 and xulrunner-3.6.7
> Could not find compatible GRE between version 1.9.2.7 and 1.9.2.7.

 Emerge xulrunner 1.9.2.7-r1 (resync before) and Firefox again.  See above comments.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-23 15:03:18 UTC
x86 finally done.  Bye.
Comment 14 Peter Weilbacher 2010-07-24 10:55:31 UTC
Firefox 3.6.8 is already out, fixing another critical vulnerability:
http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.8
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-24 11:59:03 UTC
Readding x86 for xulrunner-1.9.2.8/firefox{,-bin}-3.6.8 stabilization.

@ ppc team: Please stabilize this version as well.

This time blame mozilla upstream for the inconveniences ;)

No idea if icecat will release 3.6.8 as well...
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2010-07-25 09:28:50 UTC
stable x86, did I ever mention that I hate compiling XULRunner
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2010-07-25 13:50:38 UTC
Stable for HPPA PPC:
net-libs/xulrunner-1.9.2.8
www-client/mozilla-firefox-3.6.8
www-client/seamonkey-2.0.6

Stable for PPC:
=mail-client/thunderbird-3.1.1
=x11-plugins/enigmail-1.1.2-r1
=www-client/icecat-3.6.7
Comment 18 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-25 15:44:01 UTC
+*icecat-3.6.7-r1 (25 Jul 2010)
+
+  25 Jul 2010; Lars Wendler <polynomial-c@gentoo.org>
+  +files/mozilla-1.9.2.8.diff, -icecat-3.6.7.ebuild,
+  +icecat-3.6.7-r1.ebuild:
+  Added the fixes from firefox-3.6.8 to icecat-3.6.7. It's now technically
+  icecat-3.6.8 which still wasn't released at the time of this change.
+

Please keep on stabilizing icecat.
Comment 19 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-07-25 19:23:26 UTC
Please note that a www-client/mozilla-firefox -> www-client/firefox pkgmove was just done.
Comment 20 Markus Meier gentoo-dev 2010-07-26 19:30:22 UTC
amd64 stable
Comment 21 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-31 23:24:39 UTC
+*icecat-3.6.8 (31 Jul 2010)
+
+  31 Jul 2010; Lars Wendler <polynomial-c@gentoo.org>
+  -files/mozilla-1.9.2.8.diff, -icecat-3.6.7-r1.ebuild,
+  +icecat-3.6.8.ebuild:
+  Version bump to stay in sync with xulrunner. Committed straight to stable
+  as it's identical to 3.6.7-r1 code-wise.
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2010-08-01 16:24:49 UTC
alpha/arm/ia64/sparc stable
Comment 23 Brent Baude (RETIRED) gentoo-dev 2010-08-10 15:56:44 UTC
ppc64 done
Comment 24 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:53 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 25 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:05:59 UTC
Bug added to existing GLSA request.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:34:26 UTC
CVE-2010-2755 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2755):
  layout/generic/nsObjectFrame.cpp in Mozilla Firefox 3.6.7 does not properly
  free memory in the parameter array of a plugin instance, which allows remote
  attackers to cause a denial of service (memory corruption) or possibly
  execute arbitrary code via a crafted HTML document, related to the DATA and
  SRC attributes of an OBJECT element. NOTE: this vulnerability exists because
  of an incorrect fix for CVE-2010-1214.

CVE-2010-2754 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2754):
  dom/base/nsJSEnvironment.cpp in Mozilla Firefox 3.5.x before 3.5.11 and
  3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1,
  and SeaMonkey before 2.0.6 does not properly suppress a script's URL in
  certain circumstances involving a redirect and an error message, which
  allows remote attackers to obtain sensitive information about script
  parameters via a crafted HTML document, related to the window.onerror
  handler.

CVE-2010-2753 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2753):
  Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before
  3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey
  before 2.0.6 allows remote attackers to execute arbitrary code via a large
  selection attribute in a XUL tree element, which triggers a use-after-free.

CVE-2010-2752 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2752):
  Integer overflow in an array class in Mozilla Firefox 3.5.x before 3.5.11
  and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before
  3.1.1, and SeaMonkey before 2.0.6 allows remote attackers to execute
  arbitrary code by placing many Cascading Style Sheets (CSS) values in an
  array, related to references to external font resources and an inconsistency
  between 16-bit and 32-bit integers.

CVE-2010-2751 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2751):
  The nsDocShell::OnRedirectStateChange function in
  docshell/base/nsDocShell.cpp in Mozilla Firefox 3.5.x before 3.5.11 and
  3.6.x before 3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to
  spoof the SSL security status of a document via vectors involving multiple
  requests, a redirect, and the history.back and history.forward JavaScript
  functions.

CVE-2010-1215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1215):
  Mozilla Firefox 3.6.x before 3.6.7 and Thunderbird 3.1.x before 3.1.1 do not
  properly implement access to a content object through a SafeJSObjectWrapper
  (aka SJOW) wrapper, which allows remote attackers to execute arbitrary
  JavaScript code with chrome privileges by leveraging "access to an object
  from the chrome scope."

CVE-2010-1214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1214):
  Integer overflow in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before
  3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute
  arbitrary code via plugin content with many parameter elements.

CVE-2010-1213 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1213):
  The importScripts Web Worker method in Mozilla Firefox 3.5.x before 3.5.11
  and 3.6.x before 3.6.7, Thunderbird 3.0.x before 3.0.6 and 3.1.x before
  3.1.1, and SeaMonkey before 2.0.6 does not verify that content is valid
  JavaScript code, which allows remote attackers to bypass the Same Origin
  Policy and obtain sensitive information via a crafted HTML document.

CVE-2010-1212 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1212):
  js/src/jstracer.cpp in the browser engine in Mozilla Firefox 3.6.x before
  3.6.7 and Thunderbird 3.1.x before 3.1.1 allows remote attackers to cause a
  denial of service (memory corruption and application crash) or possibly
  execute arbitrary code via vectors related to (1) propagation of deep aborts
  in the TraceRecorder::record_JSOP_BINDNAME function, (2) depth handling in
  the TraceRecorder::record_JSOP_GETELEM function, and (3) tracing of
  out-of-range arguments in the TraceRecorder::record_JSOP_ARGSUB function.

CVE-2010-1211 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1211):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird 3.0.x before
  3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 allow remote
  attackers to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-1210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1210):
  intl/uconv/util/nsUnicodeDecodeHelper.cpp in Mozilla Firefox before 3.6.7
  and Thunderbird before 3.1.1 inserts a U+FFFD sequence into text in certain
  circumstances involving undefined positions, which might make it easier for
  remote attackers to conduct cross-site scripting (XSS) attacks via crafted
  8-bit text.

CVE-2010-1209 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1209):
  Use-after-free vulnerability in the NodeIterator implementation in Mozilla
  Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before
  2.0.6, allows remote attackers to execute arbitrary code via a crafted
  NodeFilter that detaches DOM nodes, related to the NodeIterator interface
  and a javascript callback.

CVE-2010-1208 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1208):
  Use-after-free vulnerability in the attribute-cloning functionality in the
  DOM implementation in Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before
  3.6.7, and SeaMonkey before 2.0.6, allows remote attackers to execute
  arbitrary code via vectors related to deletion of an event attribute node
  with a nonzero reference count.

CVE-2010-1207 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1207):
  Mozilla Firefox before 3.6.7 and Thunderbird before 3.1.1 do not properly
  implement read restrictions for CANVAS elements, which allows remote
  attackers to obtain sensitive cross-origin information via vectors involving
  reference retention and node deletion.

CVE-2010-0654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0654):
  Mozilla Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, Thunderbird
  3.0.x before 3.0.6 and 3.1.x before 3.1.1, and SeaMonkey before 2.0.6 permit
  cross-origin loading of CSS stylesheets even when the stylesheet download
  has an incorrect MIME type and the stylesheet document is malformed, which
  allows remote attackers to obtain sensitive information via a crafted
  document.
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:21 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).