Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 404437

Summary: <www-client/firefox-bin-10.0.2 , <mail-client/thunderbird-bin-10.0.2 , <www-client/seamonkey-bin-2.7.2 : libpng integer overflow (CVE-2011-3026)
Product: Gentoo Security Reporter: KinG-InFeT <king.infet>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: ainsaar, pacho
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3026
See Also: http://bugs.gentoo.org/show_bug.cgi?id=404197
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
QA Notices none

Description KinG-InFeT 2012-02-18 18:49:14 UTC
https://www.mozilla.org/security/announce/2012/mfsa2012-11.html

Fixed in: Firefox 10.0.2
  Firefox ESR 10.0.2
  Firefox 3.6.27
  Thunderbird 10.0.2
  Thunderbird ESR 10.0.2
  Thunderbird 3.1.19
  SeaMonkey 2.7.2

i use firefox-bin-10.0.2 x86 stable

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-02-18 21:39:35 UTC
Mozilla, is this bug valid for Gentoo, or do we always use the system libpng? We have bug 404197 for libpng itself. Thanks.
Comment 2 Jory A. Pratt gentoo-dev 2012-02-20 05:59:35 UTC
-bin packages are only effected, we use system png in source builds.
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-21 05:43:21 UTC
All the relevant -bin packages are in the tree. Should we work on getting them stabilised and turn this into a STABLEREQ bug?
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-02-21 05:47:36 UTC
(In reply to comment #3)
> All the relevant -bin packages are in the tree. Should we work on getting them
> stabilised and turn this into a STABLEREQ bug?

Yep, thank you.

Arches, please test and mark stable:
=www-client/firefox-bin-10.0.2
Target keywords : "amd64 x86"

=mail-client/thunderbird-bin-10.0.2
Target keywords : "amd64 x86"

=www-client/seamonkey-bin-2.7.2
Target keywords : "amd64 x86"
Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-21 07:11:17 UTC
Created attachment 302671 [details]
QA Notices
Comment 6 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-21 07:13:51 UTC
amd64:

Attached above are the QA notices for all three packages. Can those be fixed on the fly ?

Other than that, packages pass.
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-21 07:18:17 UTC
x86 stable
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-21 07:19:39 UTC
(In reply to comment #6)
> amd64:
> 
> Attached above are the QA notices for all three packages. Can those be fixed on
> the fly ?
> 
> Other than that, packages pass.

Since they're built by Mozilla and not any Gentoo team, AFAIK, they can't be fixed.
Comment 9 Pacho Ramos gentoo-dev 2012-02-21 11:45:01 UTC
(In reply to comment #8)
> (In reply to comment #6)
> > amd64:
> > 
> > Attached above are the QA notices for all three packages. Can those be fixed on
> > the fly ?
> > 
> > Other than that, packages pass.
> 
> Since they're built by Mozilla and not any Gentoo team, AFAIK, they can't be
> fixed.

You should be able to skip that warning setting QA_FLAGS_IGNORED variable (as I can read in "man 5 ebuild")
Comment 10 Agostino Sarubbo gentoo-dev 2012-02-21 11:49:04 UTC
those QA warnings should be 'hidden' in mozilla-bin ebuild with QA_DT_HASH
Comment 11 Maurizio Camisaschi (amd64 AT) 2012-02-21 11:55:50 UTC
amd64 ok
Comment 12 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-22 02:01:22 UTC
QA warnings fixed.
Comment 13 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-22 04:05:49 UTC
amd64: pass
Comment 14 Lars Wendler (Polynomial-C) gentoo-dev 2012-02-22 09:48:15 UTC
amd64 stable
Comment 15 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-22 09:56:20 UTC
old (vulnerable) versions removed from the tree
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2012-02-22 15:41:46 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 17 David 2012-11-28 03:36:29 UTC
Can't this bug be closed since these package versions are no longer in the Portage tree?
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:14 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).