| Summary: | <=www-client/mozilla-firefox{,-bin}-3.0.10, <=www-client/seamonkey{,-bin}-1.1.16, <=mail-client/mozilla-thunderbird{,-bin}-2.0.0.21 Multiple vulnerabilities (CVE-2009-{1392,1828,1832,1833,1834,1835,1836,1837,1838,1839,1840,1841,2043,2044,2061,2065,2210}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Stefan Behte (RETIRED) <craig> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | anders, basic, rogerx.oss |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | B1 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Stefan Behte (RETIRED)
2009-06-12 20:56:19 UTC
CVE-2009-1832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1832): Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors involving "double frame construction." CVE-2009-1833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1833): The JavaScript engine in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) js_LeaveSharpObject, (2) ParseXMLSource, and (3) a certain assertion in jsinterp.c; and other vectors. CVE-2009-1834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1834): Visual truncation vulnerability in netwerk/dns/src/nsIDNService.cpp in Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 allows remote attackers to spoof the location bar via an IDN with invalid Unicode characters that are displayed as whitespace, as demonstrated by the \u115A through \u115E characters. CVE-2009-1835 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1835): Mozilla Firefox before 3.0.11 and SeaMonkey before 1.1.17 associate local documents with external domain names located after the file:// substring in a URL, which allows user-assisted remote attackers to read arbitrary cookies via a crafted HTML document, as demonstrated by a URL with file://example.com/C:/ at the beginning. CVE-2009-1836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1836): Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 use the HTTP Host header to determine the context of a document provided in a non-200 CONNECT response from a proxy server, which allows man-in-the-middle attackers to execute arbitrary web script by modifying this CONNECT response, aka an "SSL tampering" attack. CVE-2009-1837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1837): Race condition in the NPObjWrapper_NewResolve function in modules/plugin/base/src/nsJSNPRuntime.cpp in xul.dll in Mozilla Firefox 3 before 3.0.11 might allow remote attackers to execute arbitrary code via a page transition during Java applet loading, related to a use-after-free vulnerability for memory associated with a destroyed Java object. CVE-2009-1838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1838): The garbage-collection implementation in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 sets an element's owner document to null in unspecified circumstances, which allows remote attackers to execute arbitrary JavaScript with chrome privileges via a crafted event handler, related to an incorrect context for this event handler. CVE-2009-1839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1839): Mozilla Firefox 3 before 3.0.11 associates an incorrect principal with a file: URL loaded through the location bar, which allows user-assisted remote attackers to bypass intended access restrictions and read files via a crafted HTML document, aka a "file-URL-to-file-URL scripting" attack. CVE-2009-1840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1840): Mozilla Firefox before 3.0.11, Thunderbird, and SeaMonkey do not check content policy before loading a script file into a XUL document, which allows remote attackers to bypass intended access restrictions via a crafted HTML document, as demonstrated by a "web bug" in an e-mail message, or web script or an advertisement in a web page. CVE-2009-1841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1841): js/src/xpconnect/src/xpcwrappedjsclass.cpp in Mozilla Firefox before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to execute arbitrary web script with the privileges of a chrome object, as demonstrated by the browser sidebar and the FeedWriter. CVE-2009-2043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2043): nsViewManager.cpp in Mozilla Firefox 3.0.2 through 3.0.10 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to interaction with TinyMCE. CVE-2009-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2044): Mozilla Firefox 3.0.10 and earlier on Linux allows remote attackers to cause a denial of service (application crash) via a URI for a large GIF image in the BACKGROUND attribute of a BODY element. Please bump Firefox to 3.0.11, Thunderbird 2.0.0.22 and SeaMonkey 1.1.17 are not yet available. =www-client/mozilla-firefox-3.0.11 =www-client/mozilla-firefox-bin-3.0.11 =net-libs/xulrunner-1.9.0.11 in the tree Thunderbird should be out on 18 jun and seamonkey probably around the same date, or before. The distfiles arrent on the mirrors yet. is this a bug, or just the dist mirrors that sync slower than the rsync mirrors? (In reply to comment #4) > The distfiles arrent on the mirrors yet. is this a bug, or just the dist > mirrors that sync slower than the rsync mirrors? rsync 30 min, distfiles 4hours. But releases.mozilla.org is a geoip resolver, so no worries. CVE-2009-1392 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1392): The browser engine in Mozilla Firefox 3 before 3.0.11, Thunderbird before 2.0.0.22, and SeaMonkey before 1.1.17 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to (1) nsEventStateManager::GetContentState and nsNativeTheme::CheckBooleanAttr; (2) UnhookTextRunFromFrames and ClearAllTextRunReferences; (3) nsTextFrame::ClearTextRun; (4) IsPercentageAware; (5) PL_DHashTableFinish; (6) nsListBoxBodyFrame::GetNextItemBox; (7) AtomTableClearEntry, related to the atom table, DOM mutation events, and Unicode surrogates; (8) nsHTMLEditor::HideResizers; and (9) nsWindow::SetCursor, related to changing the cursor; and other vectors. Arches, please test and mark stable: =www-client/mozilla-firefox-3.0.11 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" (In reply to comment #3) > =www-client/mozilla-firefox-3.0.11 > =www-client/mozilla-firefox-bin-3.0.11 > =net-libs/xulrunner-1.9.0.11 > in the tree I am sure those are the candidates for stabilisation.... With all USE flags disabled: package www-client/mozilla-firefox-3.0.11 NOT merged * * Detected file collision(s): * * /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js * /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js * * Searching all installed packages for file collisions... * * Press Ctrl-C to Stop * * net-libs/xulrunner-1.9.0.11 * /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js * /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js * (In reply to comment #9) > With all USE flags disabled: > > package www-client/mozilla-firefox-3.0.11 NOT merged > * > * Detected file collision(s): > * > * /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js > * /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js > * > * Searching all installed packages for file collisions... > * > * Press Ctrl-C to Stop > * > * net-libs/xulrunner-1.9.0.11 > * /usr/lib/mozilla-firefox/defaults/autoconfig/platform.js > * /usr/lib/mozilla-firefox/defaults/autoconfig/prefcalls.js > * > Not a regression , please go ahead xulrunner and firefox stable for HPPA. Please readd us when seamonkey is due. :) x86 stable alpha/arm/ia64/sparc stable CVE-2009-2061 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2061): Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site. ppc64 done ppc done CVE-2009-2065 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2065): Mozilla Firefox 3.0.10, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying an http page to include an https iframe that references a script file on an http site, related to "HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages." www-client/seamonkey{,-bin}-1.1.17 has been released.
http://www.seamonkey-project.org/releases/seamonkey1.1.17/changelog
=mail-client/mozilla-thunderbird-2.0.0.22 (requires =x11-plugins/enigmail-0.95.6-r5) =mail-client/mozilla-thunderbird-bin-2.0.0.22 =www-client/seamonkey-1.1.17 =www-client/seamonkey-bin-1.1.17 Have fun Arches, please test and mark stable: =mail-client/mozilla-thunderbird-2.0.0.22 Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86" Arches, please test and mark stable: =www-client/seamonkey-1.1.17 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86" Arches, please test and mark stable: =mail-client/mozilla-thunderbird-bin-2.0.0.22 =www-client/seamonkey-bin-1.1.17 Target keywords : "amd64 x86" The mirror is unable to fetch mozilla-thunderbird-2.0.0.22-patches-0.1.tar.bz2 as shown in the failure report: http://dev.gentoo.org/~zmedico/infra/distfiles/failure.xml Stable for HPPA: www-client/seamonkey-1.1.17 (In reply to comment #23) > The mirror is unable to fetch mozilla-thunderbird-2.0.0.22-patches-0.1.tar.bz2 > as shown in the failure report: > http://dev.gentoo.org/~zmedico/infra/distfiles/failure.xml It has been fixed some minutes ago already. x86 stable > =www-client/mozilla-firefox-3.0.11
> =net-libs/xulrunner-1.9.0.11
amd64 stable for these
waiting until patches are mirrored before stabilizing thunderbird
(In reply to comment #27) > waiting until patches are mirrored before stabilizing thunderbird > There's no patches to be mirrored. Sync your tree and you shouldn't have any issue ppc64 done ppc done =mail-client/mozilla-thunderbird-2.0.0.22 =x11-plugins/enigmail-0.95.7-r5 amd64 stable amd64 stable CVE-2009-2210 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2210): Mozilla Thunderbird before 2.0.0.22 and SeaMonkey before 1.1.17 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a multipart/alternative e-mail message containing a text/enhanced part that triggers access to an incorrect object type. alpha/arm/ia64/sparc stable amd64 is missing www-client/mozilla-firefox-bin-3.0.11 amd64 stable, all arches done. Added to pending glsa draft. Just returned to =www-client/seamonkey-1.1.18 and find it's much faster & more robust then Firefox. Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore. This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle). |
