| Summary: | <www-client/mozilla-firefox-3.0.6, <mail-client/mozilla-thunderbird-2.0.0.21, <www-client/seamonkey-1.1.5 memory corruption (CVE-2009-{0352,0353,0354,0355,0356,0357,0358,2535}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | basic, gengor |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.mozilla.org/security/known-vulnerabilities/firefox30.html | | |
| Whiteboard: | A2 [glsa] | | |
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | | | |
| Bug Blocks: | 223363, 255234, 256131 | | |

Description
Stefan Behte (RETIRED)
2009-02-04 09:52:24 UTC
Firefox 3.0.6 is available, please provide an ebuild, also because of 255687, 255234 and 256131.

*** Bug 257630 has been marked as a duplicate of this bug. ***

www-client/mozilla-firefox-3.0.6: Arches: alpha arm amd64 hppa ia64 ppc ppc64 x86

www-client/mozilla-firefox-bin-3.0.6: Arches: amd64 x86

net-libs/xulrunner-1.9.0.6: Arches: alpha arm amd64 hppa ia64 ppc ppc64 x86

This also needs =dev-libs/nss-3.12.2 stable. I don't see a seamonkey release planned, and thunderbird will come out in March. Proceed as you wish.

CVE-2009-0352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0352): Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function.

CVE-2009-0353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0353): Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine.

CVE-2009-0354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0354): Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function.

CVE-2009-0355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0355): components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element.

CVE-2009-0356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0356): Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582.

CVE-2009-0357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0357): Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.

CVE-2009-0358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0358): Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.

Is there a reason arch teams aren't cc'ed? It's a week now...

http://bugs.gentoo.org/show_activity.cgi?id=257577 The mozilla herd was cc'ed from the beginning.

Carsten: I didn't add them, because I'm very short on time currently and didn't look. And why did I read herd? I'm confused. Anyways, what is this place?! :D

Formal request to arches:
Arches, please test and mark stable:
=www-client/mozilla-firefox-3.0.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

I didn't imply anything, Craig. ;) There's always the chance there's a reason not stated in the bug report. I consider it to be the package maintainer's responsibility to cc the arch teams anyways. It's a (hopefully) maintained package having to go through the security process, not the other way around, after all.

(In reply to comment #8)
> Arches, please test and mark stable:
> =www-client/mozilla-firefox-3.0.6
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

And also the ebuilds stated in comment three.

Stable for HPPA.

ppc64 and ppc done

Good morning!

(In reply to comment #12)
> Good morning!
>

While I personally like such ironic comments, the (lack of) man power remains the same. Getting your hands dirty makes the difference.

amd64/x86 stable

alpha/arm/ia64 stable

Arches, please test and mark stable:
=www-client/seamonkey-1.1.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

And =www-client/seamonkey-bin-1.1.16
Target keywords : "amd64 x86"

amd64 done

alpha/arm/ia64/sparc/x86 stable

nirbheek, can you say something about the status of xulrunner-bin? We need to dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable shortly.

Stable for HPPA.

ppc and ppc64 done

(In reply to comment #20)
> nirbheek, can you say something about the status of xulrunner-bin? We need to
> dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable
> shortly.

ping, nirbheek / mozilla herd?

(In reply to comment #23)
> (In reply to comment #20)
> > nirbheek, can you say something about the status of xulrunner-bin? We need to
> > dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable
> > shortly.
>
> ping, nirbheek / mozilla herd?
>

Bad nirbheek.
We can't remove xulrunner-bin-1.8* because it contains libgtkembedmoz, which xul-1.9 doesn't have. The only user of xulrunner-bin AFAIK is acroread, so ask the maintainers :)

Still, that would be a short-lived package :P

CVE-2009-2535 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2535): Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and Thunderbird allow remote attackers to cause a denial of service (memory consumption and application crash) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692.

Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.

GLSA with other mozilla bugs.

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).