
Bug 218065

Summary: www-client/mozilla-firefox < www-client/seamonkey<1.1.9-r1 Crash in JavaScript garbage collector (CVE-2008-1380)
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Severity: normal CC: mozilla, polynomial-c
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 230567    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2008-04-17 08:47:59 UTC
Cite advisory from
"Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past."
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2008-04-17 12:25:29 UTC

In the tree

seamonkey-1.1.10 is not released yet, and neither is thunderbird
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-04-18 00:06:37 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

Target keywords : "amd64 release x86"

Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-18 03:04:18 UTC
Both stable for HPPA. Probably need to stay on board for seamonkey (if not please tell).
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-04-18 10:59:01 UTC
alpha/ia64/sparc/x86 stable
Comment 5 Markus Meier gentoo-dev 2008-04-19 13:51:28 UTC
amd64 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2008-04-19 15:42:00 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-21 16:13:46 UTC
No seamonkey-1.1.10 yet?
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-22 16:12:59 UTC
ppc stable, ready for glsa.
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-04-23 20:25:26 UTC
Fixed in release snapshot.
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2008-05-17 11:49:01 UTC
According to this blog entry, Seamonkey upstream has decided not to release 1.1.10 anytime soon:

Raul has committed the patch to fix this vulnerability in www-client/seamonkey-1.1.9-r1. There are no updates to www-client/seamonkey-bin due to the nature of being upstream builds.
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2008-05-17 11:49:29 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-05-17 19:11:04 UTC
alpha/ia64/sparc stable
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-18 08:26:18 UTC
x86 stable
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2008-05-18 14:29:48 UTC
ppc64 stable
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2008-05-18 15:34:25 UTC
amd64 stable
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-18 15:56:40 UTC
Stable for HPPA.
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-20 16:32:50 UTC
ppc stable
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 21:22:10 UTC
GLSA 200805-18, but we will have to leave this open until it is fixed for seamonkey-bin.
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-05-21 09:36:58 UTC
Fixed in release snapshot.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2008-07-30 19:53:46 UTC
Fixed via bug 230567
Comment 21 Robert Buchholz (RETIRED) gentoo-dev 2008-08-06 00:43:23 UTC
GLSA 200808-03