
Bug 251322 (CVE-2008-5500)

Summary: Mozilla Firefox, Thunderbird, Seamonkey, Xulrunner: ".19" fixes (CVE-2008-{5500,5501,5502,5503,5504,5505,5506,5507,5508,5510,5511,5512,5513},CVE-2009-2535)
Product: Gentoo Security
Reporter: stupendoussteve
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: basic, Manfred.Knick
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://developer.mozilla.org/devnews/index.php/2008/12/16/firefox-305-and-20019-security-updates-now-available-for-download/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 251307    
Bug Blocks:    

Description stupendoussteve 2008-12-17 16:03:14 UTC
Numerous security vulnerabilities have been fixed in the just-released Firefox 3.0.5, Firefox 2.0.0.19 and SeaMonkey 1.1.14. Thunderbird has not been modified at this time:

MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-63 User tracking via XUL persist attribute
MFSA 2008-62 Additional XSS attack vectors in feed preview
MFSA 2008-61 Information stealing via loadBindingDocument
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)

Ref: http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.5
http://www.mozilla.org/security/known-vulnerabilities/firefox20.html#firefox2.0.0.19

As an aside, this was also in the announcement: Mozilla is not planning any further security & stability updates for Firefox 2, and recommends that you upgrade to Firefox 3 as soon as possible. It’s free, and your settings and bookmarks will be preserved.

Reproducible: Always
Comment 1 stupendoussteve 2008-12-17 16:14:14 UTC
Multiple MFSAs reference an issue being fixed in Thunderbird 2.0.0.19, so I would also expect to see a new version forthcoming.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-12-18 16:34:00 UTC
CVE-2008-5500 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5500):
  The layout engine in Mozilla Firefox 3.x before 3.0.5 and 2.x before
  2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before
  1.1.14 allows remote attackers to cause a denial of service (crash)
  and possibly trigger memory corruption via vectors related to (1) a
  reachable assertion or (2) an integer overflow.

CVE-2008-5501 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5501):
  The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird
  2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote
  attackers to cause a denial of service via vectors that trigger an
  assertion failure.

CVE-2008-5502 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5502):
  The layout engine in Mozilla Firefox 3.x before 3.0.5, Thunderbird
  2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote
  attackers to cause a denial of service (crash) via vectors that
  trigger memory corruption, related to the GetXMLEntity and
  FastAppendChar functions.

CVE-2008-5503 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5503):
  The loadBindingDocument function in Mozilla Firefox 2.x before
  2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before
  1.1.14 does not perform any security checks related to the
  same-domain policy, which allows remote attackers to read or access
  data from other domains via crafted XBL bindings.

CVE-2008-5504 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5504):
  Mozilla Firefox 2.x before 2.0.0.19 allows remote attackers to run
  arbitrary JavaScript with chrome privileges via vectors related to
  the feed preview, a different vulnerability than CVE-2008-3836.

CVE-2008-5505 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5505):
  Mozilla Firefox 3.x before 3.0.5 allows remote attackers to bypass
  intended privacy restrictions by using the persist attribute in an
  XUL element to create and access data entities that are similar to
  cookies.

CVE-2008-5506 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5506):
  Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird
  2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote
  attackers to bypass the same origin policy by causing the browser to
  issue an XMLHttpRequest to an attacker-controlled resource that uses
  a 302 redirect to a resource in a different domain, then reading
  content from the response, aka "response disclosure."

CVE-2008-5507 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5507):
  Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird
  2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote
  attackers to bypass the same origin policy and access portions of
  data from another domain via a JavaScript URL that redirects to the
  target resource, which generates an error if the target data does not
  have JavaScript syntax, which can be accessed using the
  window.onerror DOM API.

CVE-2008-5508 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5508):
  Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird
  2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 does not
  properly parse URLs with leading whitespace or control characters,
  which might allow remote attackers to misrepresent URLs and simplify
  phishing attacks.

CVE-2008-5510 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5510):
  The CSS parser in Mozilla Firefox 3.x before 3.0.5 and 2.x before
  2.0.0.19, Thunderbird 2.x before 2.0.0.19, and SeaMonkey 1.x before
  1.1.14 ignores the '\0' escaped null character, which might allow
  remote attackers to bypass protection mechanisms such as sanitization
  routines.

CVE-2008-5511 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5511):
  Mozilla Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19, Thunderbird
  2.x before 2.0.0.19, and SeaMonkey 1.x before 1.1.14 allows remote
  attackers to bypass the same origin policy and conduct cross-site
  scripting (XSS) attacks via an XBL binding to an "unloaded document."

CVE-2008-5512 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5512):
  Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before
  3.0.5 and 2.x before 2.0.0.19, Thunderbird 2.x before 2.0.0.19, and
  SeaMonkey 1.x before 1.1.14 allow remote attackers to run arbitrary
  JavaScript with chrome privileges via unknown vectors in which "page
  content can pollute XPCNativeWrappers."

CVE-2008-5513 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5513):
  Unspecified vulnerability in the session-restore feature in Mozilla
  Firefox 3.x before 3.0.5 and 2.x before 2.0.0.19 allows remote
  attackers to bypass the same origin policy, inject content into
  documents associated with other domains, and conduct cross-site
  scripting (XSS) attacks via unknown vectors related to restoration of
  SessionStore data.

Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2008-12-18 18:16:26 UTC
www-client/mozilla-firefox-2.0.0.19:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
www-client/mozilla-firefox-bin-2.0.0.19:
Arches: amd64 x86

www-client/seamonkey-1.1.14:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
www-client/seamonkey-bin-1.1.14:
Arches: amd64 x86

net-libs/xulrunner-1.8.1.19:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
net-libs/xulrunner-bin-1.8.1.19:
Arches: amd64 x86

All in the tree; Thunderbird will be out on 5th January.
Comment 4 Brent Baude (RETIRED) gentoo-dev 2008-12-19 15:53:12 UTC
Hey Raul, I have committed keywords for those ebuilds on ppc64. How do you want to handle tbird? I'm thinking I drop the ppc64 and you add us back in when you commit the tbird ebuild. Fair enough?
Comment 5 Jeroen Roovers gentoo-dev 2008-12-20 17:43:01 UTC
Stable for HPPA.
Comment 6 Markus Meier gentoo-dev 2008-12-20 21:17:34 UTC
amd64/x86 stable
Comment 7 Frank Schmitt 2008-12-21 09:53:41 UTC
firefox-2.0.0.20 was released a few days after 2.0.0.19
Comment 8 szmytson 2008-12-21 15:16:38 UTC
(In reply to comment #7)
> firefox-2.0.0.20 was released a few days after 2.0.0.19
> 

From firefox 2.0.0.20 release notes:

"Firefox 2.0.0.20 includes an additional security fix over Firefox 2.0.0.19 for users of the Windows platform.(...)"
Comment 9 Brent Baude (RETIRED) gentoo-dev 2008-12-21 17:35:30 UTC
ppc done
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-12-22 15:38:20 UTC
alpha/arm/ia64/sparc stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2008-12-31 15:31:55 UTC
Hi, please do:
=mail-client/mozilla-thunderbird-2.0.0.19
Arches: alpha amd64 ia64 ppc ppc64 sparc x86
=x11-plugins/enigmail-0.95.7-r3
Arches: alpha amd64 ia64 ppc ppc64 sparc x86
=mail-client/mozilla-thunderbird-bin-2.0.0.19
Arches: amd64 x86

Thanks
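
A version check against the fixed releases named in this bug, as an added example (not part of the original bug report or of Gentoo's tooling). The lookup table, function names and sample atoms are constructed here, and only plain dotted versions are parsed.

```python
import re

# (branch prefix, first fixed version) per package, taken from the CVE text
# and the stabilisation requests in this bug. Constructed lookup table.
FIXED = {
    "www-client/mozilla-firefox": [((2,), (2, 0, 0, 19)), ((3,), (3, 0, 5))],
    "www-client/seamonkey": [((1,), (1, 1, 14))],
    "net-libs/xulrunner": [((1, 8), (1, 8, 1, 19))],
    "mail-client/mozilla-thunderbird": [((2,), (2, 0, 0, 19))],
}

# category/name-version[-rN], with the optional leading "=" used in comment 11.
# Simplification: numeric dotted versions only (no _p/_rc suffixes).
ATOM_RE = re.compile(
    r"^=?(?P<cat>[\w+.-]+)/(?P<name>[\w+.-]+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r\d+)?$"
)

def parse_atom(atom):
    """Return (category/name with any -bin suffix dropped, version tuple)."""
    m = ATOM_RE.match(atom.strip())
    if m is None:
        raise ValueError(f"unsupported atom: {atom!r}")
    name = m["name"][:-4] if m["name"].endswith("-bin") else m["name"]
    return f"{m['cat']}/{name}", tuple(int(p) for p in m["ver"].split("."))

def status(atom):
    """'vulnerable', 'fixed', or 'not covered' (package or branch not in this bug)."""
    pkg, ver = parse_atom(atom)
    for branch, fixed in FIXED.get(pkg, []):
        if ver[:len(branch)] == branch:
            return "vulnerable" if ver < fixed else "fixed"
    return "not covered"

def audit(atoms):
    """Return the atoms that still need upgrading."""
    return [a for a in atoms if status(a) == "vulnerable"]

if __name__ == "__main__":
    # Constructed sample of installed packages.
    installed = [
        "www-client/mozilla-firefox-2.0.0.18",
        "www-client/seamonkey-bin-1.1.14",
        "mail-client/mozilla-thunderbird-2.0.0.18",
        "net-libs/xulrunner-1.9.1.4",
    ]
    for atom in installed:
        print(f"{atom}: {status(atom)}")
```
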
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-01-01 17:06:12 UTC
alpha/ia64/sparc/x86 stable :P
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-01 20:23:22 UTC
amd64 stable
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-02 21:22:11 UTC
ppc stable
Comment 15 Brent Baude (RETIRED) gentoo-dev 2009-01-05 13:32:12 UTC
ppc64 done
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2009-01-05 15:32:10 UTC
GLSA together with .18 and .17 fixes.
Comment 17 Manfred Knick 2009-10-31 09:58:35 UTC
(In reply to comment #13)

> amd64 stable
 
Today's upgrade demanded xulrunner-1.9.1.4.
That's what I get afterwards:

$ firefox
Could not find compatible GRE between version 1.9.1.3 and 1.9.1.3.  <-- ".3" ?


[I--] [ ~] net-libs/xulrunner-1.9.1.4 (1.9)

[I--] [ ~] www-client/mozilla-firefox-3.5.4 (0)
Comment 18 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-10-31 10:03:19 UTC
(In reply to comment #17)
> (In reply to comment #13)
> 
> > amd64 stable
> 
> Today's upgrade demanded xulrunner-1.9.1.4.
> That's what I get afterwards:
> 

This is the wrong bug for this. See bug 280393

> $ firefox
> Could not find compatible GRE between version 1.9.1.3 and 1.9.1.3.  <-- ".3" ?
> 

You need to rebuild firefox with the new version of xulrunner
Comment 19 Manfred Knick 2009-10-31 10:11:37 UTC
(In reply to comment #18)

> This is the wrong bug for this. See bug 280393

Sorry - too many tabs open while searching - picked the wrong one ;(

> You need to rebuild firefox with the new version of xulrunner

Thanks!

Do you see a possibility to demand this being done as a Post-condition
after upgrading GRE = xulrunner ?
Comment 20 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-29 13:49:47 UTC
CVE-2009-2535 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2535):
  Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and
  Thunderbird allow remote attackers to cause a denial of service
  (memory consumption and application crash) via a large integer value
  for the length property of a Select object, a related issue to
  CVE-2009-1692.

Comment 21 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:35:49 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:02:52 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).