| Summary: | <www-client/firefox-bin-3.5.8, www-client/firefox, <net-libs/xulrunner-1.9.1.8, < www-client/icecat-3.5.7 (CVE-2009-{1571,3988},CVE-2010-{0159,0160,0162,0167,0169,0171}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Jory A. Pratt <anarchy> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | ab4bd, fauli, sebastian_ml |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Jory A. Pratt
Security team: I have added source; if you want to bring the archs in and have them stabilize, that would be appreciated. Thanks, Jory.

Arches, please test and mark stable:
=www-client/mozilla-firefox-3.5.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
=www-client/firefox-bin-3.5.8
Target keywords : "amd64 x86"
=net-libs/xulrunner-1.9.1.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

x86 stable

Please bump icecat to 3.5.7

Stable for HPPA.

Marked firefox and xulrunner ppc/ppc64 stable. Please re-add us when icecat has been bumped. Thanks!

alpha/arm/ia64/sparc stable

Hello all, can we get a bump for amd64 as well please? Regards Sebastian

Hi all, here's a quote from http://www.gentoo.org/security/en/vulnerability-policy.xml:

"Timeframe and escalation procedures
In order to meet the target delay for vulnerability resolution, a number of escalation procedures have been defined. These include:
...
* if testing and marking stable takes too much time (stable+ status), the security team will shout on IRC channels and gentoo-dev list to get more testers. It will either mark the ebuild stable by itself or, in the event this cannot be done due to stability issues, mask it (see security masking approval policy above)"

This is marked as "A3"; according to the link provided above, the target delay is 10 days once ebuilds are available. The ebuilds are available since 2010-02-18, so we're 2 days behind already. Regards Sebastian

amd64 stable.

Sebastian, we're sorry about the delay, but we try to do our best in our free time. We already have a huge backlog and lack manpower. It appears to me that you might be interested in helping the security team. If this is the case, please drop us a mail. :-)

CVE-2009-1571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1571): Use-after-free vulnerability in the HTML parser in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to execute arbitrary code via unspecified method calls that attempt to access freed objects in low-memory situations.

CVE-2009-3988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3988): Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly restrict read access to object properties in showModalDialog, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via crafted dialogArguments values.

CVE-2010-0159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0159): The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the nsBlockFrame::StealFrame function in layout/generic/nsBlockFrame.cpp, and unspecified other vectors.

CVE-2010-0160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0160): The Web Worker functionality in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly handle array data types for posted messages, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors.

CVE-2010-0162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0162): Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x before 3.5.8, and SeaMonkey before 2.0.3, does not properly support the application/octet-stream content type as a protection mechanism against execution of web script in certain circumstances involving SVG and the EMBED element, which allows remote attackers to bypass the Same Origin Policy and conduct cross-site scripting (XSS) attacks via an embedded SVG document.

CVE-2010-0167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167): The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allows remote attackers to cause a denial of service (memory corruption and application crash) and possibly execute arbitrary code via vectors related to (1) layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in modules/plugin/base/src/nsNPAPIPlugin.cpp.

CVE-2010-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169): The CSSLoaderImpl::DoSheetComplete function in layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 changes the case of certain strings in a stylesheet before adding this stylesheet to the XUL cache, which might allow remote attackers to modify the browser's font and other CSS attributes, and potentially disrupt rendering of a web page, by forcing the browser to perform this erroneous stylesheet caching.

CVE-2010-0171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171): Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3 allow remote attackers to perform cross-origin keystroke capture, and possibly conduct cross-site scripting (XSS) attacks, by using the addEventListener and setTimeout functions in conjunction with a wrapped object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2007-3736.

Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.

Added to outstanding GLSA request.

Can't this bug be closed since these package versions are no longer in the Portage tree?

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).