Summary: | <www-client/firefox{,-bin}-3.6.15, <mail-client/thunderbird{,-bin}-3.1.9, <www-client/seamonkey{,-bin}-2.0.12, <www-client/icecat-3.6.15, <net-libs/xulrunner-1.9.2.15: Multiple Vulnerabilities... (CVE-2010-1585,CVE-2011-{0051,0053,0054,0055,0056,0057}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | alecm_88, bart, dark.knight.ita, fcolloret |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.mozilla.org/security/announce/ | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2011-03-02 06:38:10 UTC
*** Bug 357119 has been marked as a duplicate of this bug. ***

*** This bug has been marked as a duplicate of bug 357117 ***

err dup'd wrong bug.

*** Bug 357117 has been marked as a duplicate of this bug. ***

*** Bug 357263 has been marked as a duplicate of this bug. ***

We will not proceed with this version, a new release is being rolled that will be out Friday, there are too many issues with this release to land it in the tree.

*** Bug 357551 has been marked as a duplicate of this bug. ***

thunderbird{-bin}-3.1.9, xulrunner-1.9.2.15, firefox{-bin}-3.6.15, seamonkey{-bin}-2.0.12, and icecat-3.6.15 are all in the tree, feel free to bring archs in to stabilize.

Arches, please test and mark stable:

=mail-client/thunderbird-3.1.9
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-bin-3.1.9
Target keywords : "amd64 x86"

=www-client/firefox-3.6.15
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.15
Target keywords : "amd64 x86"

=www-client/seamonkey-2.0.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/seamonkey-bin-2.0.12
Target keywords : "amd64 x86"

=net-libs/xulrunner-1.9.2.15
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/icecat-3.6.15
Target keywords : "amd64 ppc ppc64 x86"

When I open all programs I see:

$PROGRAM could not install this item because "install.rdf" (provided by the item) is not well-formed or does not exist. Please contact the author about this problem.

but they run. Can this warning be dangerous?

Tested on SPARC, both firefox-3.6.15 and xulrunner-1.9.2.15 still exhibit crashes, cannot stabilise at all. I know I've been told that someone needs to debug the program on SPARC, but the fact that the same software works on x86 and PPC makes me wonder if there's some kind of miscompilation going on within GCC.

amd64 done

The original summary for this bug was longer than 255 characters, and so it was truncated when Bugzilla was upgraded. The original summary was:

<www-client/firefox{,-bin}-3.6.15, <mail-client/thunderbird{,-bin}-3.1.9, <www-client/seamonkey{,-bin}-2.0.12, <www-client/icecat-3.6.15, <net-libs/xulrunner-1.9.2.15: Multiple Vulnerabilities (CVE-2010-1585, CVE-2011-{0051,0053,0054,0055,0056,0057,0058,0059,0061,0062})

Stable for HPPA.

ppc/ppc64 stable

x86 done. Thanks fellows.

arm stable

alpha/ia64/sparc done, sparc will pass on xulrunner and firefox since it sigbuses (so does 3.6.13)

Thank you, everyone. Added to existing GLSA request.

Nothing for mozilla team here. Remove mozilla from cc, if needed add us back.

CVE-2010-1585 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1585): The nsIScriptableUnescapeHTML.parseFragment method in the ParanoidFragmentSink protection mechanism in Mozilla Firefox before 3.5.17 and 3.6.x before 3.6.14, Thunderbird before 3.1.8, and SeaMonkey before 2.0.12 does not properly sanitize HTML in a chrome document, which makes it easier for remote attackers to execute arbitrary JavaScript with chrome privileges via a javascript: URI in input to an extension, as demonstrated by a javascript:alert sequence in (1) the HREF attribute of an A element or (2) the ACTION attribute of a FORM element.

This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).