Bug 365323 (CVE-2011-0065)

Summary:	<net-libs/xulrunner-1.9.2.17, <www-client/firefox{,-bin}-3.6.17, <mail-client/thunderbird{,-bin}-3.1.10, <www-client/seamonkey{,-bin}-2.0.14: multiple vulnerabilities (CVE-2011-{00{65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81},1202})
Product:	Gentoo Security	Reporter:	Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	alexanderyt
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://www.mozilla.org/security/known-vulnerabilities/firefox36.html#firefox3.6.17
Whiteboard:	A2 [glsa]
Package list:		Runtime testing required:	---

Description Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2011-04-29 16:19:13 UTC

MFSA 2011-18 XSLT generate-id() function heap address leak
MFSA 2011-17 WebGLES vulnerabilities
MFSA 2011-16 Directory traversal in resource: protocol
MFSA 2011-15 Escalation of privilege through Java Embedding Plugin
MFSA 2011-14 Information stealing via form history
MFSA 2011-13 Multiple dangling pointer vulnerabilities
MFSA 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)


Although not listed in the summary, ~net-libs/xulrunner-2.0 and ~www-client/firefox-4.0 are affected as well.

Comment 1 Tim Sammut (RETIRED) gentoo-dev

2011-04-29 16:55:45 UTC

Thanks for the bug, and for getting ebuilds committed so quickly. Are we ready to call arches? We can always readd them when icecat is ready.

Just to facilitate searching, here is the list of CVEs as we normally list them.
CVE-2011-{0065,0066,0067,0068,0069,0070,0071,0072,0073,0074,0075,0076,0077,0078,0079,0080,0081,1202}

Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2011-04-29 19:04:05 UTC

(In reply to comment #1)
> Thanks for the bug, and for getting ebuilds committed so quickly. Are we ready
> to call arches? We can always readd them when icecat is ready.

I have no objections against letting arches do their work now. Looking at the severity some of these bugs have I think the faster the better :)


> Just to facilitate searching, here is the list of CVEs as we normally list
> them.
> CVE-2011-{0065,0066,0067,0068,0069,0070,0071,0072,0073,0074,0075,0076,0077,0078,0079,0080,0081,1202}

Heh, I tried to make up the summary like this but the input field didn't allow a summary being that long ;)

Comment 3 Tim Sammut (RETIRED) gentoo-dev

2011-04-29 19:22:06 UTC

Great, thanks.

Arches, please test and mark stable:
=www-client/firefox-3.6.17
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.17
Target keywords : "amd64 x86"

=www-client/seamonkey-2.0.14
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/seamonkey-bin-2.0.14
Target keywords : "amd64 x86"

=mail-client/thunderbird-3.1.10
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-bin-3.1.10
Target keywords : "amd64 x86"

=net-libs/xulrunner-1.9.2.17
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Comment 4 Markos Chandras (RETIRED) gentoo-dev

2011-04-30 18:47:17 UTC

amd64 done

Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-05-01 12:06:33 UTC

ppc/ppc64 stable

Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-05-01 16:54:07 UTC

x86 stable

Comment 7 Jeroen Roovers (RETIRED) gentoo-dev

2011-05-02 15:39:09 UTC

Stable for HPPA.

Comment 8 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2011-05-03 09:28:16 UTC

+*icecat-3.6.16-r1 (03 May 2011)
+
+  03 May 2011; Lars Wendler <polynomial-c@gentoo.org> +icecat-3.6.16-r1.ebuild:
+  Security bump. This revision contains the same fixes firefox-3.6.17 has.
+

I cannot add "<www-client/icecat-3.6.16-r1" to the summary as it only allows a limited number of chars.

It seems like icecat upstream won't release a 3.6.17 version so I created a patch containing the changes between firefox-3.6.16 and -3.6.17 and applied that to icecat-3.6.16. 
I gonna write an email to icecat upstream requesting a 3.6.17 version once I return home from work today. In case they do such a release I will add the real 3.6.17 version to the tree with the same mix of stable/unstable KEYWORDS 3.6.16-r1 has at that point.


So arches please test and mark stable in addition to the packages listed in the summary:

=www-client/icecat-3.6.16-r1
Target keywords: amd64 ppc ppc64 x86

And sorry for readding exactly those four arches which already did their job here :)

Comment 9 Agostino Sarubbo gentoo-dev

2011-05-03 13:13:26 UTC

icecat works.

Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev

2011-05-04 17:48:03 UTC

icecat-3.6.16-r1 x86 stable

Comment 11 Markos Chandras (RETIRED) gentoo-dev

2011-05-04 20:22:53 UTC

amd64 done. Thanks Agostino

Comment 12 Raúl Porcel (RETIRED) gentoo-dev

2011-05-07 18:26:08 UTC

alpha/arm/ia64/sparc stable, i haven't done xulrunner/firefox .17 because it sigbuses, like always...

Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev

2011-05-14 08:14:01 UTC

ppc/ppc64 stable, last arch done

Comment 14 Tim Sammut (RETIRED) gentoo-dev

2011-05-14 14:57:49 UTC

Thanks, everyone. Added to existing GLSA request.

Comment 15 Alex Buell 2011-06-03 20:58:32 UTC

(In reply to comment #12)
> alpha/arm/ia64/sparc stable, i haven't done xulrunner/firefox .17 because it
> sigbuses, like always...

Not always, I've found that if I remove the sparc specific kludge from the ebuild it works for me, but you have to catch the browser before it loads the page and all will be well.

Comment 16 Jory A. Pratt gentoo-dev

2011-12-12 17:03:10 UTC

re-add if needed later.

Comment 17 GLSAMaker/CVETool Bot gentoo-dev

2013-01-08 01:04:50 UTC

This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).