Bug 311021

Summary: ( >=www-client/firefox-3.6 <www-client/firefox-3.6.2 ), firefox-bin-3.6-r1, ( >=net-libs/xulrunner-1.9.2 <net-libs/xulrunner-1.9.2.2 ) multiple vulnerabilities (CVE-2010-{0164,0165,0166,0167,0168,0169,0170,0171,0172,0648,1028})
Product: Gentoo Security
Reporter: Alexandre Rostovtsev (RETIRED) <tetromino>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: aidanamarks, jaak, nik, notordoktor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2010-03-23 23:12:21 UTC
MFSA 2010-08 : WOFF heap corruption due to integer overflow

Affects firefox-3.6 and anything else with xulrunner-1.9.2; does not affect firefox-3.5.x

Since this vulnerability has been known for over a month[1], the exploit code has been released, and it has resulted in the German government officially recommending against Firefox use[2], it would be nice to see mozilla-firefox-3.6.2 and xulrunner-1.9.2.2 in the tree soon.

At the moment, they aren't even in the mozilla overlay...

[1] http://secunia.com/advisories/38608/
[2] http://news.bbc.co.uk/2/hi/technology/8580716.stm
Comment 1 Jaak Ristioja 2010-03-24 06:06:05 UTC
This might also require a bump for www-client/icecat?
Comment 2 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-03-24 12:53:23 UTC
I just bumped firefox & xulrunner (not firefox-bin or icecat)
Comment 3 Doktor Notor 2010-03-24 19:54:17 UTC
(In reply to comment #2)
> I just bumped firefox & xulrunner (not firefox-bin or icecat)

Why does the xulrunner thing bundle the entire dev-libs/nss now? Bug 311167
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-01 16:57:58 UTC
CVE-2010-0164 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0164):
  Use-after-free vulnerability in the
  imgContainer::InternalAddFrameHelper function in src/imgContainer.cpp
  in libpr0n in Mozilla Firefox 3.6 before 3.6.2 allows remote
  attackers to cause a denial of service (heap memory corruption and
  application crash) or possibly execute arbitrary code via a
  multipart/x-mixed-replace animation in which the frames have
  different bits-per-pixel (bpp) values.

Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-01 16:59:59 UTC
CVE-2010-0165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0165):
  The TraceRecorder::traverseScopeChain function in js/src/jstracer.cpp
  in the browser engine in Mozilla Firefox 3.6 before 3.6.2 allows
  remote attackers to cause a denial of service (memory corruption and
  application crash) and possibly execute arbitrary code via vectors
  involving certain indirect calls to the JavaScript eval function.

CVE-2010-0167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167):
  The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x
  before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and
  SeaMonkey before 2.0.3 allows remote attackers to cause a denial of
  service (memory corruption and application crash) and possibly
  execute arbitrary code via vectors related to (1)
  layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in
  modules/plugin/base/src/nsNPAPIPlugin.cpp.

Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-01 17:06:01 UTC
CVE-2010-0168 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0168):
  The nsDocument::MaybePreLoadImage function in
  content/base/src/nsDocument.cpp in the image-preloading
  implementation in Mozilla Firefox 3.6 before 3.6.2 does not apply
  scheme restrictions and policy restrictions to the image's URL, which
  might allow remote attackers to cause a denial of service
  (application crash or hang) or hijack the functionality of the
  browser's add-ons via a crafted SRC attribute of an IMG element, as
  demonstrated by remote command execution through an ssh: URL in a
  configuration that supports gnome-vfs with a nonstandard
  network.gnomevfs.supported-protocols setting.

CVE-2010-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169):
  The CSSLoaderImpl::DoSheetComplete function in
  layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18,
  3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2;
  and SeaMonkey before 2.0.3 changes the case of certain strings in a
  stylesheet before adding this stylesheet to the XUL cache, which
  might allow remote attackers to modify the browser's font and other
  CSS attributes, and potentially disrupt rendering of a web page, by
  forcing the browser to perform this erroneous stylesheet caching.

CVE-2010-0170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0170):
  Mozilla Firefox 3.6 before 3.6.2 does not offer plugins the expected
  window.location protection mechanism, which might allow remote
  attackers to bypass the Same Origin Policy and conduct cross-site
  scripting (XSS) attacks via vectors that are specific to each
  affected plugin.

CVE-2010-0171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171):
  Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x
  before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3
  allow remote attackers to perform cross-origin keystroke capture, and
  possibly conduct cross-site scripting (XSS) attacks, by using the
  addEventListener and setTimeout functions in conjunction with a
  wrapped object.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2007-3736.

Comment 7 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-01 17:09:13 UTC
CVE-2010-0172 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0172):
  toolkit/components/passwordmgr/src/nsLoginManagerPrompter.js in the
  asynchronous Authorization Prompt implementation in Mozilla Firefox
  3.6 before 3.6.2 does not properly handle concurrent authorization
  requests from multiple web sites, which might allow remote web
  servers to spoof an authorization dialog and capture credentials by
  demanding HTTP authentication in opportunistic circumstances.

Comment 8 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-04-01 17:10:06 UTC
CVE-2010-1028 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1028):
  Integer overflow in the decompression functionality in the Web Open
  Fonts Format (WOFF) decoder in Mozilla Firefox 3.6 before 3.6.2 and
  3.7 before 3.7 alpha 3 allows remote attackers to execute arbitrary
  code via a crafted WOFF file that triggers a buffer overflow, as
  demonstrated by the vd_ff module in VulnDisco 9.0.

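The defect class behind CVE-2010-1028 (an undersized buffer caused by an integer overflow in the WOFF decoder), shown in an added C illustration that is not Mozilla's WOFF code: a 32-bit size derived from attacker-controlled origLength fields wraps, beside a checked version that rejects such a table directory. The struct, function names and the crafted directory values are assumptions made for this example; the field names and the compLength <= origLength rule follow the WOFF 1.0 format.

```c
#include <stdint.h>

/* WOFF 1.0 table directory entry (20 bytes on disk). Field names follow the
 * WOFF spec; the struct itself is an assumption for this illustration. */
typedef struct {
    uint32_t tag;
    uint32_t offset;        /* offset of the (compressed) table in the file */
    uint32_t comp_length;   /* compressed size stored in the file */
    uint32_t orig_length;   /* decompressed size the decoder must allocate */
    uint32_t orig_checksum;
} woff_dir_entry;

/* Vulnerable pattern: sum untrusted origLength fields in 32-bit arithmetic.
 * Two entries whose padded sizes add up past 2^32 wrap to a small total, so
 * malloc() would receive a tiny size while decompression later writes
 * orig_length bytes per table into it: a heap buffer overflow. */
static uint32_t naive_sfnt_size(const woff_dir_entry *dir, uint16_t num_tables)
{
    uint32_t total = 12u + 16u * num_tables;        /* sfnt header + records */
    for (uint16_t i = 0; i < num_tables; i++)
        total += (dir[i].orig_length + 3u) & ~3u;   /* pad to 4; can wrap */
    return total;
}

/* Hardened version: accumulate in 64 bits, refuse any value that would wrap
 * in 32 bits, refuse a table whose compressed size exceeds its original size
 * (forbidden by the spec), and require the sum to match the header's
 * totalSfntSize field. Returns 1 and stores the size in *out, or 0 to reject. */
static int checked_sfnt_size(const woff_dir_entry *dir, uint16_t num_tables,
                             uint32_t total_sfnt_size, uint32_t *out)
{
    uint64_t total = 12u + 16u * (uint64_t)num_tables;
    for (uint16_t i = 0; i < num_tables; i++) {
        if (dir[i].comp_length > dir[i].orig_length)
            return 0;
        total += ((uint64_t)dir[i].orig_length + 3u) & ~(uint64_t)3u;
        if (total > UINT32_MAX)                     /* would wrap in 32 bits */
            return 0;
    }
    if (total != total_sfnt_size)                   /* header must agree */
        return 0;
    *out = (uint32_t)total;
    return 1;
}

/* Constructed sample directory (not from any real font): the padded
 * origLength values sum to just past 2^32. */
static const woff_dir_entry crafted_dir[2] = {
    { 0x676C7966u, 44u, 16u, 0xFFFFFFF0u, 0u },   /* 'glyf' */
    { 0x68656164u, 60u, 16u, 0x00000020u, 0u },   /* 'head' */
};

/* Naive sizing wraps to 60 bytes; the checked sizing rejects the directory. */
uint32_t crafted_naive_size(void) { return naive_sfnt_size(crafted_dir, 2); }
int crafted_checked_ok(void) { uint32_t n; return checked_sfnt_size(crafted_dir, 2, 60u, &n); }
```
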
Comment 9 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:38 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:06:27 UTC
Vote: YES. Added to pending GLSA request.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:40:11 UTC
CVE-2010-0648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0648):
  Mozilla Firefox, possibly before 3.6, allows remote attackers to discover a
  redirect's target URL, for the session of a specific user of a web site, by
  placing the site's URL in the HREF attribute of a stylesheet LINK element,
  and then reading the document.styleSheets[0].href property value, related to
  an IFRAME element.
Comment 12 David 2012-11-28 03:37:13 UTC
Can't this bug be closed since these package versions are no longer in the Portage tree?
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:45 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).