Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 262704 (CVE-2009-1044)

Summary: <www-client/mozilla-firefox-3.0.8: Multiple vulnerabilities (CVE-2009-{1044,1169})
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://developer.mozilla.org/devnews/index.php/2009/03/27/firefox-308-security-release-now-available/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-16 20:02:57 UTC 
From milw0rm:

Mozilla Firefox 3.0.7 OnbeforeUnLoad DesignMode Dereference Crash
(see URL for PoC code)
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-16 20:07:33 UTC 
Exploit crashed non-bin Fx 3.0.7 here on amd64.

Mozilla people, I'm sure you know the upstream bugzie better than I do, maybe you find an upstream bug or feel like opening one. ;)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-28 10:26:32 UTC 
CVE-2009-1044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1044):
  Unspecified vulnerability in Mozilla Firefox 3.0.7 on Windows 7
  allows remote attackers to execute arbitrary code via unknown vectors
  triggered by clicking on a link, as demonstrated by Nils during a
  PWN2OWN competition at CanSecWest 2009.

CVE-2009-1169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1169):
  The txMozillaXSLTProcessor::TransformToDoc function in Mozilla
  Firefox 3.0.7 and earlier allows remote attackers to cause a denial
  of service (crash) via an XML file with a crafted XSLT transform.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2009-03-28 17:01:22 UTC 
Arches, please test and mark stable:
=net-libs/xulrunner-1.9.0.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 x86"
=www-client/mozilla-firefox-3.0.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 x86"
=www-client/mozilla-firefox-bin-3.0.8
Target keywords : "amd64 x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-29 14:37:03 UTC 
Stable for HPPA.
Comment 5 nixnut (RETIRED) gentoo-dev 2009-03-29 17:04:29 UTC 
ppc stable
Comment 6 Richard Freeman gentoo-dev 2009-03-29 17:21:28 UTC 
=net-libs/xulrunner-1.9.0.8
=www-client/mozilla-firefox-3.0.8

stable on amd64 (-bin still remains)
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-03-29 22:47:39 UTC 
ppc64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-03-30 15:12:28 UTC 
alpha/arm/ia64/x86 stable, sparc has nothing to do here
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 08:11:47 UTC 
ping, amd64
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2009-04-02 14:26:44 UTC 
rich0 made is amd64 stable 3 days ago.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-04-02 14:31:23 UTC 
(In reply to comment #10)
> rich0 made is amd64 stable 3 days ago.
> 

not mozilla-firefox-bin
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2009-04-02 14:38:06 UTC 
-bin done
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 15:06:16 UTC 
Alright, already handled in glsamaker.
Comment 14 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-05-01 21:03:46 UTC 
All done?
Comment 15 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:22:35 UTC 
Nothing for mozilla team to do here, none of the affected versions are in-tree anymore.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:13 UTC 
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).