Bug 433383 (CVE-2012-1956)

Summary: <mail-client/thunderbird{,-bin}-10.0.7, <www-client/firefox{,-bin}-10.0.7, <www-client/seamonkey{,-bin}-2.12.1: Multiple vulnerabilities (CVE-2012-{1956,1970,1971,1972,1973,1974,1975,1976,3956,3957,3958,3959,3960,3961,3962,3963,3964,3965,3966,3967,...})
Product: Gentoo Security
Component: Vulnerabilities
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Assignee: Gentoo Security <security>
CC: klaus.kusche, mozilla
Status: RESOLVED FIXED
Severity: major
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 434100, 437780
Bug Blocks: 427224

Description GLSAMaker/CVETool Bot gentoo-dev 2012-08-29 23:57:36 UTC
CVE-2012-3963 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3963):
  Use-after-free vulnerability in the js::gc::MapAllocToTraceKind function in
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allows remote attackers to execute arbitrary code via unspecified vectors.

CVE-2012-3962 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3962):
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  do not properly iterate through the characters in a text run, which allows
  remote attackers to execute arbitrary code via a crafted document.

CVE-2012-3961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3961):
  Use-after-free vulnerability in the RangeData implementation in Mozilla
  Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before
  15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows
  remote attackers to execute arbitrary code or cause a denial of service
  (heap memory corruption) via unspecified vectors.

CVE-2012-3960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3960):
  Use-after-free vulnerability in the mozSpellChecker::SetCurrentDictionary
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-3959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3959):
  Use-after-free vulnerability in the nsRangeUpdater::SelAdjDeleteNode
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-3958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3958):
  Use-after-free vulnerability in the nsHTMLEditRules::DeleteNonTableElements
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-3957 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3957):
  Heap-based buffer overflow in the nsBlockFrame::MarkLineDirty function in
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allows remote attackers to execute arbitrary code via unspecified vectors.

CVE-2012-3956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3956):
  Use-after-free vulnerability in the MediaStreamGraphThreadRunnable::Run
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-1976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1976):
  Use-after-free vulnerability in the nsHTMLSelectElement::SubmitNamesValues
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-1975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1975):
  Use-after-free vulnerability in the PresShell::CompleteMove function in
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allows remote attackers to execute arbitrary code or cause a denial of
  service (heap memory corruption) via unspecified vectors.

CVE-2012-1974 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1974):
  Use-after-free vulnerability in the gfxTextRun::CanBreakLineBefore function
  in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allows remote attackers to execute arbitrary code or cause a denial of
  service (heap memory corruption) via unspecified vectors.

CVE-2012-1973 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1973):
  Use-after-free vulnerability in the nsObjectLoadingContent::LoadObject
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-1972 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1972):
  Use-after-free vulnerability in the nsHTMLEditor::CollapseAdjacentTextNodes
  function in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7,
  Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-1971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1971):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12
  allow remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via vectors related to
  garbage collection after certain MethodJIT execution, and unknown other
  vectors.

CVE-2012-1970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1970):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before
  15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allow
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2012-1956 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1956):
  Mozilla Firefox before 15.0, Thunderbird before 15.0, and SeaMonkey before
  2.12 do not prevent use of the Object.defineProperty method to shadow the
  location object (aka window.location), which makes it easier for remote
  attackers to conduct cross-site scripting (XSS) attacks via vectors
  involving a plugin.
Comment 1 Sean Amoss gentoo-dev Security 2012-08-31 11:34:55 UTC
*** Bug 433525 has been marked as a duplicate of this bug. ***
Comment 2 Jory A. Pratt gentoo-dev 2012-09-03 15:01:44 UTC
Feel free to bring in teams, everything is in the tree, we are looking to stabilize seamonkey{-bin}-2.12, firefox/thunderbird{-bin}-10.0.7, you will also need to stabilize nss-3.13.6 along with nspr-4.9.2.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-09-03 23:02:28 UTC
CVE-2012-3980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3980):
  The web console in Mozilla Firefox before 15.0, Firefox ESR 10.x before
  10.0.7, Thunderbird before 15.0, and Thunderbird ESR 10.x before 10.0.7
  allows user-assisted remote attackers to execute arbitrary JavaScript code
  with chrome privileges via a crafted web site that injects this code and
  triggers an eval operation.

CVE-2012-3978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3978):
  The nsLocation::CheckURL function in Mozilla Firefox before 15.0, Firefox
  ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before
  10.0.7, and SeaMonkey before 2.12 does not properly follow the security
  model of the location object, which allows remote attackers to bypass
  intended content-loading restrictions or possibly have unspecified other
  impact via vectors involving chrome code.

CVE-2012-3976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3976):
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, and SeaMonkey
  before 2.12 do not properly handle onLocationChange events during navigation
  between different https sites, which allows remote attackers to spoof the
  X.509 certificate information in the address bar via a crafted web page.

CVE-2012-3975 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3975):
  The DOMParser component in Mozilla Firefox before 15.0, Thunderbird before
  15.0, and SeaMonkey before 2.12 loads subresources during parsing of
  text/html data within an extension, which allows remote attackers to obtain
  sensitive information by providing crafted data to privileged extension
  code.

CVE-2012-3973 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3973):
  The debugger in the developer-tools subsystem in Mozilla Firefox before
  15.0, when remote debugging is disabled, does not properly restrict access
  to the remote-debugging service, which allows remote attackers to execute
  arbitrary code by leveraging the presence of the HTTPMonitor extension and
  connecting to that service through the HTTPMonitor port.

CVE-2012-3972 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3972):
  The format-number functionality in the XSLT implementation in Mozilla
  Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before
  15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows
  remote attackers to obtain sensitive information via unspecified vectors
  that trigger a heap-based buffer over-read.

CVE-2012-3971 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3971):
  Summer Institute of Linguistics (SIL) Graphite 2, as used in Mozilla Firefox
  before 15.0, Thunderbird before 15.0, and SeaMonkey before 2.12, allows
  remote attackers to execute arbitrary code or cause a denial of service
  (memory corruption) via vectors related to the (1) Silf::readClassMap and
  (2) Pass::readPass functions.

CVE-2012-3970 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3970):
  Use-after-free vulnerability in the nsTArray_base::Length function in
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allows remote attackers to execute arbitrary code or cause a denial of
  service (heap memory corruption) via vectors involving movement of a
  requiredFeatures attribute from one SVG document to another.

CVE-2012-3969 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3969):
  Integer overflow in the nsSVGFEMorphologyElement::Filter function in Mozilla
  Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before
  15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows
  remote attackers to execute arbitrary code via a crafted SVG filter that
  triggers an incorrect sum calculation, leading to a heap-based buffer
  overflow.

CVE-2012-3968 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3968):
  Use-after-free vulnerability in the WebGL implementation in Mozilla Firefox
  before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0,
  Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote
  attackers to execute arbitrary code via vectors related to deletion of a
  fragment shader by its accessor.

CVE-2012-3967 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3967):
  The WebGL implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x
  before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7,
  and SeaMonkey before 2.12 on Linux, when a large number of sampler uniforms
  are used, does not properly interact with Mesa drivers, which allows remote
  attackers to execute arbitrary code or cause a denial of service (stack
  memory corruption) via a crafted web site.

CVE-2012-3966 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3966):
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allow remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via a negative height value in a BMP image
  within a .ICO file, related to (1) improper handling of the transparency
  bitmask by the nsICODecoder component and (2) improper processing of the
  alpha channel by the nsBMPDecoder component.

CVE-2012-3965 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3965):
  Mozilla Firefox before 15.0 does not properly restrict navigation to the
  about:newtab page, which allows remote attackers to execute arbitrary
  JavaScript code with chrome privileges via a crafted web site that triggers
  creation of a new tab and then a new window.

CVE-2012-3964 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3964):
  Use-after-free vulnerability in the gfxTextRun::GetUserData function in
  Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird
  before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12
  allows remote attackers to execute arbitrary code or cause a denial of
  service (heap memory corruption) via unspecified vectors.
Comment 4 Sean Amoss gentoo-dev Security 2012-09-03 23:07:09 UTC
(In reply to comment #2)
> Feel free to bring in teams, everything is in the tree, we are looking to
> stabilize seamonkey{-bin}-2.12, firefox/thunderbird{-bin}-10.0.7, you will
> also need to stabilize nss-3.13.6 along with nspr-4.9.2.

Great, thank you.

Arches, please test and mark stable:

=www-client/firefox-10.0.7
Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"

=www-client/firefox-bin-10.0.7
Target keywords : "amd64 x86"

=dev-libs/nspr-4.9.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=dev-libs/nss-3.13.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-10.0.7
Target keywords : "amd64 ppc ppc64 x86"

=mail-client/thunderbird-bin-10.0.7
Target keywords : "amd64 x86"

=www-client/seamonkey-2.12
Target keywords : "amd64 arm ppc ppc64 x86"

=www-client/seamonkey-bin-2.12
Target keywords : "amd64 x86"
Comment 5 Jeroen Roovers gentoo-dev 2012-09-04 17:50:33 UTC
Stable for HPPA.
Comment 6 Agostino Sarubbo gentoo-dev 2012-09-08 12:34:46 UTC
amd64 stable
Comment 7 Lars Wendler (Polynomial-C) gentoo-dev 2012-09-10 07:58:15 UTC
I've bumped www-client/seamonkey-2.12 to 2.12.1 as it has a privacy-relevant fix which slipped into the ff-15.0/sm-2.12 release as a regression.
I bumped the version straight to stable for amd64 (the only arch that already stabled 2.12) and removed the 2.12 version.
Comment 8 Andreas Schürch gentoo-dev 2012-09-15 12:28:16 UTC
x86 done, but I've seen a little minor regression in seamonkey! 
It fails with USE="custom-cflags -gstreamer".
Comment 9 Sean Amoss gentoo-dev Security 2012-10-21 17:31:11 UTC
Remaining arches will continue in bug 437780.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:42 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).