
Bug 437780 (CVE-2012-3982)

Summary: <mail-client/thunderbird{,-bin}-10.0.9, <www-client/firefox{,-bin}-10.0.9, <www-client/seamonkey{,-bin}-2.13.1: Multiple vulnerabilities (CVE-2012-{3982,3983,3984,3985,3986,3987,3988,3989,3990,3991,3992,3993,3994,3995,4179,4180,4181,4182,4183,4184,...})
Product: Gentoo Security
Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alexander, gentoo, mattemod, mozilla, nathan0n5ire, nikoli, ua_gentoo_bugzilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.mozilla.org/security/announce/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 439960    
Bug Blocks: 433383    

Description Alex Xu (Hello71) 2012-10-10 00:51:26 UTC

    
Comment 1 Rafał Mużyło 2012-10-10 02:09:09 UTC
Patience is strongly advised...

However, a little note regarding mozilla overlay:
unless that's a little autoconf 2.13 quirk, shouldn't the line in the ebuild go:
mozconfig_annotate '' --build="${CBUILD:-${CHOST}}"
?

Also, perhaps it's a change in the eclass not yet in the main tree, but the ebuild started to produce the following QA warnings:
 * QA Notice: Unrecognized configure options:
 * 
 *      configure: WARNING: unrecognized options: --enable-application, --enable-optimize, --with-system-jpeg, --with-system-zlib, --enable-pango, --enable-svg, --enable-system-cairo, --disable-installer, --disable-pedantic, --disable-updater, --disable-strip, --disable-strip-libs, --disable-install-strip, --enable-single-profile, --disable-profilesharing, --disable-profilelocking, --enable-elf-dynstr-gc, --enable-default-toolkit, --enable-official-branding, --enable-ogg, --enable-wave, --enable-dbus, --disable-tests, --disable-debugger-info-modules, --enable-ipc, --enable-libnotify, --enable-startup-notification, --enable-system-sqlite, --with-sqlite-prefix, --disable-necko-wifi, --enable-webm, --with-system-libvpx, --enable-tracejit, --with-system-nspr, --with-nspr-prefix, --with-system-nss, --with-nss-prefix, --with-system-libevent, --enable-system-hunspell, --disable-gnomevfs, --disable-gnomeui, --enable-gio, --disable-crashreporter, --enable-storage, --enable-places, --enable-places_bookmarks, --enable-oji, --enable-mathml, --disable-mochitest, --disable-gconf, --disable-mailnews, --enable-canvas, --enable-safe-browsing, --with-system-png, --enable-system-ffi, --with-default-mozilla-five-home, --enable-gstreamer, --enable-system-sqlite, --enable-methodjit, --enable-tracejit, --enable-extensions
 *      configure: WARNING: unrecognized options: --enable-application, --enable-optimize, --with-system-jpeg, --with-system-zlib, --enable-pango, --enable-svg, --enable-system-cairo, --disable-installer, --disable-pedantic, --disable-updater, --disable-strip, --disable-strip-libs, --disable-install-strip, --enable-single-profile, --disable-profilesharing, --disable-profilelocking, --enable-elf-dynstr-gc, --enable-default-toolkit, --enable-official-branding, --enable-ogg, --enable-wave, --enable-dbus, --disable-tests, --disable-debugger-info-modules, --enable-ipc, --enable-libnotify, --enable-startup-notification, --enable-system-sqlite, --with-sqlite-prefix, --disable-necko-wifi, --enable-webm, --with-system-libvpx, --enable-tracejit, --with-system-nspr, --with-nspr-prefix, --with-system-nss, --with-nss-prefix, --with-system-libevent, --enable-system-hunspell, --disable-gnomevfs, --disable-gnomeui, --enable-gio, --disable-crashreporter, --enable-storage, --enable-places, --enable-places_bookmarks, --enable-oji, --enable-mathml, --disable-mochitest, --disable-gconf, --disable-mailnews, --enable-canvas, --enable-safe-browsing, --with-system-png, --enable-system-ffi, --with-default-mozilla-five-home, --enable-gstreamer, --enable-system-sqlite, --enable-methodjit, --enable-tracejit, --enable-extensions

P.S.: while it won't matter for ~arch (and if stabilization is fast enough, it won't matter much for stable either), but media-libs/libpng dep needs to be bumped to 1.5.11.
Comment 2 Sean Amoss gentoo-dev Security 2012-10-11 14:17:07 UTC
Upstream security announcements are at $URL. 

MFSA to CVE line-up:

MFSA 2012-74	CVE-2012-{3982,3983}
MFSA 2012-75	CVE-2012-{3984,5354}
MFSA 2012-76	CVE-2012-3985
MFSA 2012-77	CVE-2012-3986
MFSA 2012-78	CVE-2012-3987
MFSA 2012-79	CVE-2012-3988
MFSA 2012-80	CVE-2012-3989
MFSA 2012-81	CVE-2012-3991
MFSA 2012-82	CVE-2012-3994
MFSA 2012-83	CVE-2012-{3993,4184}
MFSA 2012-84	CVE-2012-3992
MFSA 2012-85	CVE-2012-{3995,4179,4180,4181,4182,4183}
MFSA 2012-86	CVE-2012-{4185,4186,4187,4188}
MFSA 2012-87	CVE-2012-3990
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-10-11 14:17:58 UTC
CVE-2012-5354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5354):
  Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before
  2.13 do not properly handle navigation away from a web page that has
  multiple menus of SELECT elements active, which allows remote attackers to
  conduct clickjacking attacks via vectors involving an XPI file, the
  window.open method, and the Geolocation API, a different vulnerability than
  CVE-2012-3984.

CVE-2012-4188 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4188):
  Heap-based buffer overflow in the Convolve3x3 function in Mozilla Firefox
  before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0,
  Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote
  attackers to execute arbitrary code via unspecified vectors.

CVE-2012-4187 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4187):
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  do not properly manage a certain insPos variable, which allows remote
  attackers to execute arbitrary code or cause a denial of service (heap
  memory corruption and assertion failure) via unspecified vectors.

CVE-2012-4186 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4186):
  Heap-based buffer overflow in the nsWaveReader::DecodeAudioData function in
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  allows remote attackers to execute arbitrary code via unspecified vectors.

CVE-2012-4185 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4185):
  Buffer overflow in the nsCharTraits::length function in Mozilla Firefox
  before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0,
  Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allows remote
  attackers to execute arbitrary code or cause a denial of service (heap
  memory corruption) via unspecified vectors.

CVE-2012-4184 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4184):
  The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before
  16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird
  ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not prevent access to
  properties of a prototype for a standard class, which allows remote
  attackers to execute arbitrary JavaScript code with chrome privileges via a
  crafted web site.

CVE-2012-4183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4183):
  Use-after-free vulnerability in the DOMSVGTests::GetRequiredFeatures
  function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8,
  Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey
  before 2.13 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-4182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4182):
  Use-after-free vulnerability in the nsTextEditRules::WillInsert function in
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  allows remote attackers to execute arbitrary code or cause a denial of
  service (heap memory corruption) via unspecified vectors.

CVE-2012-4181 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4181):
  Use-after-free vulnerability in the nsSMILAnimationController::DoSample
  function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8,
  Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey
  before 2.13 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-4180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4180):
  Heap-based buffer overflow in the nsHTMLEditor::IsPrevCharInNodeWhitespace
  function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8,
  Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey
  before 2.13 allows remote attackers to execute arbitrary code via
  unspecified vectors.

CVE-2012-4179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4179):
  Use-after-free vulnerability in the nsHTMLCSSUtils::CreateCSSPropertyTxn
  function in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8,
  Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey
  before 2.13 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2012-3995 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3995):
  The IsCSSWordSpacingSpace function in Mozilla Firefox before 16.0, Firefox
  ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before
  10.0.8, and SeaMonkey before 2.13 allows remote attackers to execute
  arbitrary code or cause a denial of service (out-of-bounds read) via
  unspecified vectors.

CVE-2012-3994 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3994):
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  allow remote attackers to conduct cross-site scripting (XSS) attacks via a
  binary plugin that uses Object.defineProperty to shadow the top object, and
  leverages the relationship between top.location and the location property.

CVE-2012-3993 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3993):
  The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before
  16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird
  ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact
  with failures of InstallTrigger methods, which allows remote attackers to
  execute arbitrary JavaScript code with chrome privileges via a crafted web
  site, related to an "XrayWrapper pollution" issue.

CVE-2012-3992 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3992):
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  do not properly manage history data, which allows remote attackers to
  conduct cross-site scripting (XSS) attacks or obtain sensitive POST content
  via vectors involving a location.hash write operation and history navigation
  that triggers the loading of a URL into the history object.

CVE-2012-3991 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3991):
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  do not properly restrict JSAPI access to the GetProperty function, which
  allows remote attackers to bypass the Same Origin Policy and possibly have
  unspecified other impact via a crafted web site.

CVE-2012-3990 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3990):
  Use-after-free vulnerability in the IME State Manager implementation in
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  allows remote attackers to execute arbitrary code via unspecified vectors,
  related to the nsIContent::GetNameSpaceID function.

CVE-2012-3989 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3989):
  Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before
  2.13 do not properly perform a cast of an unspecified variable during use of
  the instanceof operator on a JavaScript object, which allows remote
  attackers to execute arbitrary code or cause a denial of service (assertion
  failure) via a crafted web site.

CVE-2012-3988 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3988):
  Use-after-free vulnerability in Mozilla Firefox before 16.0, Firefox ESR
  10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before
  10.0.8, and SeaMonkey before 2.13 might allow user-assisted remote attackers
  to execute arbitrary code via vectors involving use of mozRequestFullScreen
  to enter full-screen mode, and use of the history.back method for backwards
  history navigation.

CVE-2012-3987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3987):
  Mozilla Firefox before 16.0 on Android assigns chrome privileges to Reader
  Mode pages, which allows user-assisted remote attackers to bypass intended
  access restrictions via a crafted web site.

CVE-2012-3986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3986):
  Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird
  before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13
  do not properly restrict calls to DOMWindowUtils (aka nsDOMWindowUtils)
  methods, which allows remote attackers to bypass intended access
  restrictions via crafted JavaScript code.

CVE-2012-3985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3985):
  Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before
  2.13 do not properly implement the HTML5 Same Origin Policy, which allows
  remote attackers to conduct cross-site scripting (XSS) attacks by leveraging
  initial-origin access after document.domain has been set.

CVE-2012-3984 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3984):
  Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before
  2.13 do not properly handle navigation away from a web page that has a
  SELECT element's menu active, which allows remote attackers to spoof page
  content via vectors involving absolute positioning and scrolling.

CVE-2012-3983 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3983):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13
  allow remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2012-3982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3982):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before
  16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 allow
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown vectors.
Comment 4 Sean Amoss gentoo-dev Security 2012-10-12 19:37:18 UTC
*** Bug 438078 has been marked as a duplicate of this bug. ***
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-10-12 19:38:27 UTC
CVE-2012-4193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4193):
  Mozilla Firefox before 16.0.1, Firefox ESR 10.x before 10.0.9, Thunderbird
  before 16.0.1, Thunderbird ESR 10.x before 10.0.9, and SeaMonkey before
  2.13.1 omit a security check in the defaultValue function during the
  unwrapping of security wrappers, which allows remote attackers to bypass the
  Same Origin Policy and read the properties of a Location object, or execute
  arbitrary JavaScript code, via a crafted web site.

CVE-2012-4192 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4192):
  Mozilla Firefox 16.0, Thunderbird 16.0, and SeaMonkey 2.13 allow remote
  attackers to bypass the Same Origin Policy and read the properties of a
  Location object via a crafted web site, a related issue to CVE-2012-4193.

CVE-2012-4191 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4191):
  The mozilla::net::FailDelayManager::Lookup function in the WebSockets
  implementation in Mozilla Firefox before 16.0.1, Thunderbird before 16.0.1,
  and SeaMonkey before 2.13.1 allows remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unspecified vectors.

CVE-2012-4190 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4190):
  The FT2FontEntry::CreateFontEntry function in FreeType, as used in the
  Android build of Mozilla Firefox before 16.0.1 on CyanogenMod 10, allows
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unspecified
  vectors.
Comment 6 Jeroen Roovers gentoo-dev 2012-10-16 00:52:42 UTC
*** Bug 438528 has been marked as a duplicate of this bug. ***
Comment 7 Matthias Dahl 2012-10-16 09:38:38 UTC
Is there any reason why both Thunderbird and Firefox have not been up'ed to their respective current version which have all known CVEs fixed? (not nagging, just a serious question) IMHO this should really have been done by now.
Comment 8 Jory A. Pratt gentoo-dev 2012-10-16 20:25:23 UTC
(In reply to comment #7)
> Is there any reason why both Thunderbird and Firefox have not been up'ed to
> their respective current version which have all known CVEs fixed? (not
> nagging, just a serious question) IMHO this should really have been done by
> now.

I am currently away from my computer for the next few weeks. Only ESR are marked stable and need to be bumped first and foremost. I am sure someone from the herd will get these bumped just as soon as possible.
Comment 9 Alex Xu (Hello71) 2012-10-18 20:58:44 UTC
Tick, tock...

Even ESR haven't been bumped yet.
Comment 10 Fabian Köster 2012-10-19 08:34:07 UTC
For the impatient ones: Simply renaming the 10.0.7 ebuild to 10.0.9 worked for me.
Comment 11 Matthias Dahl 2012-10-20 13:48:05 UTC
Well... this is kind of worrying that neither firefox nor thunderbird have been bumped yet. Actually that is all there is to it: bumping. The patches apply cleanly and both work just fine and stable. And the vulnerabilities in all prior versions are very worrisome.

[OFF-TOPIC]
If there is a lack of manpower with the mozilla herd, I'd gladly join and help out. I was in the process of becoming a gentoo dev several (!) months back but had to refocus on different things in my life. Since I'm a self-employed computer scientist, my time is somewhat limited but since not too many releases happen and the time required is manageable and I've been using Gentoo for longer than I can remember and know my way around ebuilds and the system, I have no problem taking both quizzes and getting my hands dirty [no more 'ands' :P]. :-)
[/OFF-TOPIC]
Comment 12 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-10-20 15:03:30 UTC
All the -bin Mozilla packages have been bumped. I'm not bumping the source packages because I've never worked on them and I'd rather not test them with my current hardware setup.
Comment 13 Alex Xu (Hello71) 2012-10-20 22:32:48 UTC
Can we at least get the 16.0.1 for source packages out masked for testing?
Comment 14 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-10-21 00:14:59 UTC
(In reply to comment #13)
> Can we at least get the 16.0.1 for source packages out masked for testing?

Not from me, sorry. Maybe another member of the Gentoo Mozilla team will pop in and do it. If I were to bump any of the source packages, I'd bump the ESR versions as at least I have confirmation that they work with no ebuild modifications and I know they'll have no different dependencies.
Comment 15 Alex Xu (Hello71) 2012-10-21 00:19:06 UTC
I would test, but I have a slow internet connection and can't really download all those XPIs for the manifest so Portage doesn't complain.
Comment 16 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-10-21 01:06:17 UTC
(In reply to comment #15)
> I would test, but I have a slow internet connection and can't really
> download all those XPIs for the manifest so Portage doesn't complain.

(This is kind of off-topic for the bug). Just remove all the locales from the top bit of the ebuild. The fact that all of them exist, THAT I have no problem testing.
Comment 17 Matthias Dahl 2012-10-21 07:27:29 UTC
Like I said earlier, all patches apply cleanly and everything works very stable. I had a look over the patches and none are too intrusive, even though I have some initial doubts about the jmalloc one... but that is a different story.

If you take the thunderbird and firefox beta ebuilds from mozilla overlay, bump them to 16.0.1 and the rest is smooth sailing... at least in this case.

It should be noted: I am only talking about the non-ESR releases here and I've not checked if they bumped any of the dependencies to a higher version. But that can be done rather quickly before bumping the ebuilds. Also, I tested everything on an up2date ~amd64 system.
Comment 18 Jory A. Pratt gentoo-dev 2012-10-21 13:44:57 UTC
The bumps will happen today, I have access to my machine remotely. I will try to complete the bumps in the next few hours but the connection is slow as hell right now.
Comment 19 Jory A. Pratt gentoo-dev 2012-10-21 16:58:16 UTC
Security team feel free to bring in the archs, we are going with firefox/thunderbird{-bin}-10.0.9 seamonkey{-bin}-2.13
Comment 20 Sean Amoss gentoo-dev Security 2012-10-21 17:29:48 UTC
(In reply to comment #19)
> Security team feel free to bring in the archs, we are going with
> firefox/thunderbird{-bin}-10.0.9 seamonkey{-bin}-2.13

Thanks, Jory!

Arches, please test and mark stable:

=www-client/firefox-10.0.9
Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"

=www-client/firefox-bin-10.0.9
Target keywords : "amd64 x86"

=dev-libs/nspr-4.9.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
(amd64, hppa, and x86 are already stable)

=dev-libs/nss-3.13.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
(amd64, hppa, and x86 are already stable)

=mail-client/thunderbird-10.0.9
Target keywords : "amd64 ppc ppc64 x86"

=mail-client/thunderbird-bin-10.0.9
Target keywords : "amd64 x86"

=www-client/seamonkey-2.13.1
Target keywords : "amd64 arm ppc ppc64 x86"

=www-client/seamonkey-bin-2.13.1
Target keywords : "amd64 x86"

Arches, we are already past the target delay so please stabilize as soon as possible.
Comment 21 Alex Xu (Hello71) 2012-10-23 00:06:46 UTC
mail-client/thunderbird-16.0.1, www-client/firefox-16.0.1, www-client/seamonkey-2.13.1 have apparently been put in (bump from last unstable).

Thanks!
Comment 22 Agostino Sarubbo gentoo-dev 2012-10-23 15:58:23 UTC
amd64 stable
Comment 23 cyberbat 2012-10-28 15:29:57 UTC
About x86.
Have tried emerging www-client/firefox-10.0.9 on the (as BINHOST)

emerge --info
Portage 2.1.11.9 (default/linux/x86/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r3, 3.4.9-gentoo i686)
=================================================================
System uname: Linux-3.4.9-gentoo-i686-Intel-R-_Core-TM-_i7-3930K_CPU_@_3.20GHz-with-gentoo-2.1
Timestamp of tree: Sun, 28 Oct 2012 14:15:01 +0000
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2
dev-util/cmake:           2.8.9
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage-distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news nodoc noinfo noman parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="ftp://gentoo.bloodhost.ru/ ftp://mirror.yandex.ru/gentoo-distfiles/"
LANG="ru_RU.UTF8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j13"
PKGDIR="/usr/portage-local/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://gentoo.bloodhost.ru/gentoo-portage"
USE="X a52 aac acl acpi bluetooth bluray branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cxx dbus declarative device-mapper dirac dri dts dvb dvd dvdr emboss encode exif fam firefox flac fmpeg fortran gif gnutls gpm gtk iconv icu idn ios ipod jpeg jpeg2k kde kipi lcms libass libnotify libsamplerate lzma mad matroska mms mmx mng modules mp3 mp4 mpeg mtp mudflap musepack ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 readline schroedinger session speex sse sse2 sse3 ssl ssse3 startup-notification svg taglib theora threads tiff truetype udev udisks unicode upower usb v4l vlc vorbis wavpack wxwidgets x264 x86 xcb xcomposite xinerama xml xscreensaver xv xvid zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="caps lvm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses 
text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon r600" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

and after that it successfully ran (acid3 test and random youtube video) on
emerge --info
Portage 2.1.11.9 (default/linux/x86/10.0/desktop/kde, gcc-4.5.4, glibc-2.15-r3, 3.4.9-gentoo i686)
=================================================================
System uname: Linux-3.4.9-gentoo-i686-Intel-R-_Core-TM-2_Duo_CPU_T5450_@_1.66GHz-with-gentoo-2.1
Timestamp of tree: Sun, 28 Oct 2012 10:45:01 +0000
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.4 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA AdobeFlash-10.3"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/themes/oxygen-gtk/gtk-2.0"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/home/portage/distfiles"
FCFLAGS="-O2 -march=i686 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles news nodoc noinfo noman parallel-fetch parse-eapi-ebuild-head protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -march=i686 -pipe"
GENTOO_MIRRORS="ftp://gentoo.bloodhost.ru/ ftp://mirror.yandex.ru/gentoo-distfiles/"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="ru en"
MAKEOPTS="-j3"
PKGDIR="/home/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
USE="X a52 aac acl acpi bluetooth bluray branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cxx dbus declarative device-mapper dirac dri dts dvb dvd dvdr emboss encode exif fam firefox flac fmpeg fortran gif gnutls gpm gtk iconv icu idn ios ipod jpeg jpeg2k kde kipi lcms libass libnotify libsamplerate lzma mad matroska mms mmx mng modules mp3 mp4 mpeg mtp mudflap musepack ncurses networkmanager nls nptl ogg opengl openmp pam pango pcre pdf phonon plasma png policykit ppds pppd pulseaudio qt3support qt4 readline schroedinger session speex sse sse2 sse3 ssl ssse3 startup-notification svg taglib theora threads tiff truetype udev udisks unicode upower usb v4l vlc vorbis wavpack wxwidgets x264 x86 xcb xcomposite xinerama xml xscreensaver xv xvid zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="caps lvm" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses 
text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru en" PHP_TARGETS="php5-3" PYTHON_TARGETS="python3_2 python2_7" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="radeon r600" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 24 Agostino Sarubbo gentoo-dev 2012-11-01 14:24:07 UTC
@ alpha, arm, ia64, ppc64, ppc, sparc, x86: please continue in bug 439960
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:45 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).
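
Added example (not part of the bug report and not code from Gentoo or Portage): the brace notation used in this bug's summary, such as `<www-client/firefox{,-bin}-10.0.9`, expanded into individual atoms and checked against a list of installed packages. The installed list is constructed for illustration, and the version comparison is a simplification that handles only dotted numeric versions with an optional -rN revision.

```python
import operator
import re
from itertools import product

# Affected-version atoms copied from the bug summary.
SUMMARY_ATOMS = [
    "<mail-client/thunderbird{,-bin}-10.0.9",
    "<www-client/firefox{,-bin}-10.0.9",
    "<www-client/seamonkey{,-bin}-2.13.1",
]

# Constructed sample of installed packages (not taken from the bug report).
INSTALLED = [
    "www-client/firefox-10.0.7",
    "www-client/firefox-bin-10.0.9",
    "mail-client/thunderbird-10.0.9-r1",
    "www-client/seamonkey-2.13",
    "dev-libs/nss-3.13.6",
]

# Simplified atom grammar (assumption): [op]category/name-version[-rN].
# Letter suffixes, _p/_rc/_beta suffixes and leading-zero components are
# deliberately not handled and are rejected by parse_atom().
ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?"
    r"(?P<cp>[\w+.-]+/[\w+.-]+?)"
    r"-(?P<ver>\d+(?:\.\d+)*)"
    r"(?:-r(?P<rev>\d+))?$"
)

OPS = {
    "<": operator.lt,
    "<=": operator.le,
    "=": operator.eq,
    ">=": operator.ge,
    ">": operator.gt,
}


def expand_braces(text):
    """Expand every {a,b,...} group the way a shell would (no nesting)."""
    parts = re.split(r"\{([^{}]*)\}", text)
    # re.split with one capture group alternates: literal, group, literal, ...
    choices = [p.split(",") if i % 2 else [p] for i, p in enumerate(parts)]
    return ["".join(combo) for combo in product(*choices)]


def parse_atom(atom):
    """Return (operator, 'category/name', ((v1, v2, ...), revision))."""
    m = ATOM_RE.match(atom)
    if m is None:
        raise ValueError(f"unsupported atom: {atom!r}")
    version = tuple(int(part) for part in m["ver"].split("."))
    return m["op"], m["cp"], (version, int(m["rev"] or 0))


def affected(installed, atoms):
    """List the installed packages that match any of the affected atoms."""
    rules = [parse_atom(a) for atom in atoms for a in expand_braces(atom)]
    hits = []
    for pkg in installed:
        _, cp, ver = parse_atom(pkg)
        for op, rule_cp, rule_ver in rules:
            # A rule without an operator is treated as an exact match.
            if cp == rule_cp and OPS[op or "="](ver, rule_ver):
                hits.append(pkg)
                break
    return hits


if __name__ == "__main__":
    for atom in SUMMARY_ATOMS:
        print(atom, "->", expand_braces(atom))
    for pkg in affected(INSTALLED, SUMMARY_ATOMS):
        print("needs upgrade:", pkg)
```

The same `expand_braces` helper also expands the CVE ranges in the MFSA line-up of comment 2, for example `CVE-2012-{3982,3983}`.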