Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379549 (CVE-2011-0084) - www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin}, net-libs/xulrunner, <www-client/icecat-3.6.16-r3: Multiple Vulnerabilities (CVE-2011-{0084,2378,2980,2981,2982,2983,2984,2985,2986,2987,2988,2989,2990,2991,2992,2993})
Summary: www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonk...
Status: RESOLVED FIXED
Alias: CVE-2011-0084
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal enhancement with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa]
Keywords:
: 379605 379613 379619 380157 381423 (view as bug list)
Depends on: 380913 381191
Blocks: CVE-2011-0083 375197
  Show dependency tree
 
Reported: 2011-08-17 09:35 UTC by Bibär.ch
Modified: 2013-01-08 01:04 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Bibär.ch 2011-08-17 09:35:42 UTC
Hi all

Mozilla has released V6.0.
It would be realy cool if Gentoo had it in the portage tree.

Regards

Steps to reproduce:
1. open http://mozilla.com/

Happens: allways
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 17:54:59 UTC
Looks like we have fixed ebuilds for firefox 3.6.20, xulrunner 1.9.2.20 and seamonkey 2.3.

Please create ebuilds for:

firefox-bin
seamonkey
seamonkey-bin
thunderbird
thunderbird-bin

Thank you.
Comment 3 Pacho Ramos gentoo-dev 2011-08-17 19:23:46 UTC
*** Bug 379613 has been marked as a duplicate of this bug. ***
Comment 4 Agostino Sarubbo gentoo-dev 2011-08-17 20:12:20 UTC
*** Bug 379605 has been marked as a duplicate of this bug. ***
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-17 20:53:19 UTC
+*firefox-bin-3.6.20 (17 Aug 2011)
+
+  17 Aug 2011; Lars Wendler <polynomial-c@gentoo.org>
+  +firefox-bin-3.6.20.ebuild:
+  Security bump.
+

+*icecat-3.6.16-r3 (17 Aug 2011)
+
+  17 Aug 2011; Lars Wendler <polynomial-c@gentoo.org> +icecat-3.6.16-r3.ebuild:
+  Security bump.
+

Please note that =icecat-3.6.16-r3 has the same fixes as firefox-3.6.20


(In reply to comment #2)
> Looks like we have fixed ebuilds for firefox 3.6.20, xulrunner 1.9.2.20 and
> seamonkey 2.3.
> 
> Please create ebuilds for:
> 
> firefox-bin
> seamonkey
> seamonkey-bin
> thunderbird
> thunderbird-bin
> 
> Thank you.

Tim, dunno why you listed seamonkey in that list of needed ebuilds as there's already seamonkey-2.3-r1 (which should be preferred over -r0 as it contains enigmail-1.3). There won't be any more seamonkey-2.0.x version so we don't have any other choice than stabilizing seamonkey-2.3-r1.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2011-08-17 21:00:00 UTC
(In reply to comment #5)
> +*firefox-bin-3.6.20 (17 Aug 2011)
> +*icecat-3.6.16-r3 (17 Aug 2011)
> 
> Please note that =icecat-3.6.16-r3 has the same fixes as firefox-3.6.20
> 

Great, thank you.

> 
> Tim, dunno why you listed seamonkey in that list of needed ebuilds as there's
> already seamonkey-2.3-r1 (which should be preferred over -r0 as it contains
> enigmail-1.3). There won't be any more seamonkey-2.0.x version so we don't have
> any other choice than stabilizing seamonkey-2.3-r1.

My mistake, sorry about that. Will there be a new seamonkey-bin?
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-17 21:11:44 UTC
(In reply to comment #6)
> 
> My mistake, sorry about that. Will there be a new seamonkey-bin?

I won't do such a big bump (2.0.x -> 2.3). I was never really interested in maintaining seamonkeay-bin and only did minor 2.0.x -> 2.0.x+1 version bumps when no other mozilla herd member was doing it on time.
IIRC Anarchy found some volunteer for seamonkey-bin but I never heard from him after his introduction.
Comment 8 Agostino Sarubbo gentoo-dev 2011-08-17 22:48:49 UTC
*** Bug 379619 has been marked as a duplicate of this bug. ***
Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-22 07:00:04 UTC
*** Bug 380157 has been marked as a duplicate of this bug. ***
Comment 10 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-22 07:24:16 UTC
seamonkey upstream has released version 2.3.1. This will be the stable candidate for this bug. Arches should keep in mind that in order to get seamonkey-2.3.1 stable you also have to stabilize dev-libs/nss-3.12.10 and dev-libs/nspr-4.8.8
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-08-22 14:23:38 UTC
(In reply to comment #10)
> seamonkey upstream has released version 2.3.1. This will be the stable
> candidate for this bug. Arches should keep in mind that in order to get
> seamonkey-2.3.1 stable you also have to stabilize dev-libs/nss-3.12.10 and
> dev-libs/nspr-4.8.8

Ok, thanks, Lars.

@mozilla, thanks for the updated firefox-bin ebuild. I think we're only waiting on thunderbird{,-bin}-3.1.12. Will there be 3.1.12 ebuild?
Comment 12 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-28 10:20:02 UTC
+*thunderbird-3.1.12 (28 Aug 2011)
+
+  28 Aug 2011; Lars Wendler <polynomial-c@gentoo.org>
+  +thunderbird-3.1.12.ebuild:
+  Security bump.
+

+*thunderbird-bin-3.1.12 (28 Aug 2011)
+
+  28 Aug 2011; Lars Wendler <polynomial-c@gentoo.org>
+  +thunderbird-bin-3.1.12.ebuild:
+  Security bump.
+

Sorry for the long delay. I don't really feel responsible for thunderbird as I don't use it on any of my machines...
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-08-28 14:54:08 UTC
Thanks, Lars.

Arches, please test and mark stable:
=www-client/firefox-3.6.20
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.20
Target keywords : "amd64 x86"

=www-client/icecat-3.6.16-r3
Target keywords : "amd64 ppc ppc64 x86"

=mail-client/thunderbird-3.1.12
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-bin-3.1.12
Target keywords : "amd64 x86"

=www-client/seamonkey-2.3.1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/nss-3.12.10
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/nspr-4.8.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=net-libs/xulrunner-1.9.2.20
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

nss and nspr have already been requested in bug 380913.
Comment 14 Agostino Sarubbo gentoo-dev 2011-08-28 17:40:01 UTC
amd64. all works with default USE.

nss and nspr confirmed in bug 380913
Comment 15 Markos Chandras (RETIRED) gentoo-dev 2011-08-29 21:36:19 UTC
amd64 done. Thanks Agostino
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-31 15:45:31 UTC
firefox/xulrunner are stable for HPPA, but bug #381191 prevents compiling seamonkey, probably for other non-x86/-amd64 arches as well.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2011-09-01 13:47:45 UTC
*** Bug 381423 has been marked as a duplicate of this bug. ***
Comment 18 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-03 08:20:27 UTC
ppc done, ppc64 done except seamonkey
Comment 19 Jory A. Pratt gentoo-dev 2011-09-03 19:21:47 UTC
(In reply to comment #18)
> ppc done, ppc64 done except seamonkey

seamonkey will need to be patched for ipc support.
Comment 20 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-04 00:47:19 UTC
x86 stable
Comment 21 Markus Meier gentoo-dev 2011-09-04 10:20:25 UTC
arm stable, except seamonkey
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2011-09-11 11:05:47 UTC
alpha/ia64 stable for xulrunner+firefox, alpha/ia64/sparc stable for thunderbird, and seamonkey skipped
Comment 23 Agostino Sarubbo gentoo-dev 2011-10-27 16:15:44 UTC
Arches, we continue nss stabilization in bug 388045. Thanks
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2011-10-31 00:40:00 UTC
HPPA keywording dropped.
Comment 25 Jory A. Pratt gentoo-dev 2011-12-12 17:05:00 UTC
re-add if needed.
Comment 26 Mark Loeser (RETIRED) gentoo-dev 2011-12-26 23:02:22 UTC
dropped keywords on seamonkey for ppc64
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:27:17 UTC
CVE-2011-2991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2991):
  The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before
  2.3, Thunderbird before 6, and possibly other products does not properly
  implement JavaScript, which allows remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unspecified vectors.

CVE-2011-2990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2990):
  The implementation of Content Security Policy (CSP) violation reports in
  Mozilla Firefox 4.x through 5, SeaMonkey 2.x before 2.3, and possibly other
  products does not remove proxy-authorization credentials from the listed
  request headers, which allows attackers to obtain sensitive information by
  reading a report, related to incorrect host resolution that occurs with
  certain redirects.

CVE-2011-2989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2989):
  The browser engine in Mozilla Firefox 4.x through 5, SeaMonkey 2.x before
  2.3, Thunderbird before 6, and possibly other products does not properly
  implement WebGL, which allows remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unspecified vectors.

CVE-2011-2988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2988):
  Buffer overflow in an unspecified string class in the WebGL shader
  implementation in Mozilla Firefox 4.x through 5, Thunderbird before 6,
  SeaMonkey 2.x before 2.3, and possibly other products allows remote
  attackers to execute arbitrary code or cause a denial of service
  (application crash) via a long source-code block for a shader.

CVE-2011-2987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2987):
  Heap-based buffer overflow in Almost Native Graphics Layer Engine (ANGLE),
  as used in the WebGL implementation in Mozilla Firefox 4.x through 5,
  Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products
  might allow remote attackers to execute arbitrary code via unspecified
  vectors.

CVE-2011-2986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2986):
  Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before
  2.3, and possibly other products, when the Direct2D (aka D2D) API is used on
  Windows, allows remote attackers to bypass the Same Origin Policy, and
  obtain sensitive image data from a different domain, by inserting this data
  into a canvas.

CVE-2011-2985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2985):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and
  possibly other products allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

CVE-2011-2984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2984):
  Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12,
  and possibly other products does not properly handle the dropping of a tab
  element, which allows remote attackers to execute arbitrary JavaScript code
  with chrome privileges by establishing a content area and registering for
  drop events.

CVE-2011-2983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2983):
  Mozilla Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12,
  SeaMonkey 1.x and 2.x, and possibly other products does not properly handle
  the RegExp.input property, which allows remote attackers to bypass the Same
  Origin Policy and read data from a different domain via a crafted web site,
  possibly related to a use-after-free.

CVE-2011-2982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2982):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 3.6.20, Thunderbird 2.x and 3.x before 3.1.12, SeaMonkey 1.x
  and 2.x, and possibly other products allow remote attackers to cause a
  denial of service (memory corruption and application crash) or possibly
  execute arbitrary code via unknown vectors.

CVE-2011-2981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2981):
  The event-management implementation in Mozilla Firefox before 3.6.20,
  SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products
  does not properly select the context for script to run in, which allows
  remote attackers to bypass the Same Origin Policy or execute arbitrary
  JavaScript code with chrome privileges via a crafted web site.

CVE-2011-2980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2980):
  Untrusted search path vulnerability in the ThinkPadSensor::Startup function
  in Mozilla Firefox before 3.6.20, Thunderbird 3.x before 3.1.12, allows
  local users to gain privileges by leveraging write access in an unspecified
  directory to place a Trojan horse DLL that is loaded into the running
  Firefox process.

CVE-2011-2378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2378):
  The appendChild function in Mozilla Firefox before 3.6.20, Thunderbird 3.x
  before 3.1.12, SeaMonkey 2.x, and possibly other products does not properly
  handle DOM objects, which allows remote attackers to execute arbitrary code
  via unspecified vectors that lead to dereferencing of a "dangling pointer."

CVE-2011-2373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2373):
  Use-after-free vulnerability in Mozilla Firefox before 3.6.18 and 4.x
  through 4.0.1, Thunderbird before 3.1.11, and SeaMonkey through 2.0.14, when
  JavaScript is disabled, allows remote attackers to execute arbitrary code
  via a crafted XUL document.

CVE-2011-2370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2370):
  Mozilla Firefox before 5.0 does not properly enforce the whitelist for the
  xpinstall functionality, which allows remote attackers to trigger an
  installation dialog for a (1) add-on or (2) theme via unspecified vectors.

CVE-2011-2369 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2369):
  Cross-site scripting (XSS) vulnerability in Mozilla Firefox 4.x through
  4.0.1 allows remote attackers to inject arbitrary web script or HTML via an
  SVG element containing an HTML-encoded entity.

CVE-2011-1712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1712):
  The txXPathNodeUtils::getXSLTId function in txMozillaXPathTreeWalker.cpp and
  txStandaloneXPathTreeWalker.cpp in Mozilla Firefox before 3.5.19, 3.6.x
  before 3.6.17, and 4.x before 4.0.1, and SeaMonkey before 2.0.14, allows
  remote attackers to obtain potentially sensitive information about heap
  memory addresses via an XML document containing a call to the XSLT
  generate-id XPath function.

CVE-2011-0084 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0084):
  The SVGTextElement.getCharNumAtPosition function in Mozilla Firefox before
  3.6.20, and 4.x through 5; Thunderbird 3.x before 3.1.12 and other versions
  before 6; SeaMonkey 2.x before 2.3; and possibly other products does not
  properly handle SVG text, which allows remote attackers to execute arbitrary
  code via unspecified vectors that lead to a "dangling pointer."

CVE-2011-0082 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0082):
  The X.509 certificate validation functionality in Mozilla Firefox 4.0.x
  through 4.0.1 does not properly implement single-session security
  exceptions, which might make it easier for user-assisted remote attackers to
  spoof an SSL server via an untrusted certificate that triggers potentially
  unwanted local caching of documents from that server.

CVE-2010-5074 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-5074):
  The layout engine in Mozilla Firefox before 4.0, Thunderbird before 3.3, and
  SeaMonkey before 2.1 executes different code for visited and unvisited links
  during the processing of Cascading Style Sheets (CSS) token sequences, which
  makes it easier for remote attackers to obtain sensitive information about
  visited web pages via a timing attack.

CVE-2010-4508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4508):
  The WebSockets implementation in Mozilla Firefox 4 through 4.0 Beta 7 does
  not properly perform proxy upgrade negotiation, which has unspecified impact
  and remote attack vectors, related to an "inherent problem" with the
  WebSocket specification.

CVE-2002-2437 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-2437):
  The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird
  before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of
  values contained in the object returned by the getComputedStyle method,
  which allows remote attackers to obtain sensitive information about visited
  web pages by calling this method.

CVE-2002-2436 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-2436):
  The Cascading Style Sheets (CSS) implementation in Mozilla Firefox before
  4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly
  handle the :visited pseudo-class, which allows remote attackers to obtain
  sensitive information about visited web pages via a crafted HTML document, a
  related issue to CVE-2010-2264.
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:46:59 UTC
CVE-2011-2993 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2993):
  The implementation of digital signatures for JAR files in Mozilla Firefox
  4.x through 5, SeaMonkey 2.x before 2.3, and possibly other products does
  not prevent calls from unsigned JavaScript code to signed code, which allows
  remote attackers to bypass the Same Origin Policy and gain privileges via a
  crafted web site, a different vulnerability than CVE-2008-2801.

CVE-2011-2992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2992):
  The Ogg reader in the browser engine in Mozilla Firefox 4.x through 5,
  SeaMonkey 2.x before 2.3, Thunderbird before 6, and possibly other products
  allows remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unspecified
  vectors.
Comment 29 Agostino Sarubbo gentoo-dev 2013-01-03 20:41:52 UTC
apart arm, we have firefox-10.0.11 stable on all arches which have stable keywords, so the arch teams here have anything to do? if no, please unCC them.
Comment 30 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:54 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).