Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 479968 (CVE-2013-1701)

Summary: <mail-client/thunderbird{,-bin}-17.0.8, <www-client/firefox{,-bin}-17.0.8, <www-client/seamonkey-2.20, <www-client/seamonkey-bin-2.20-r1 : Multiple vulnerabilities (CVE-2013-{1701,1702,1704,1705,1707,1708,1709,1710,1711,1712,1713,1714,1717})
Product: Gentoo Security Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: mozilla
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/security/announce/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Xu (Hello71) 2013-08-06 19:35:04 UTC 
Let's get this started...

Fixed in Firefox 17.0.8, Thunderbird 17.0.8
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

Fixed in SeaMonkey 2.20
MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-70 Bypass of XrayWrappers using XBL Scopes
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-67 Crash during WAV audio file decoding
MFSA 2013-65 Buffer underflow when generating CRMF requests
MFSA 2013-64 Use after free mutating DOM during SetBody
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2013-08-07 08:19:46 UTC 
+*seamonkey-2.20 (07 Aug 2013)
+
+  07 Aug 2013; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.20.ebuild:
+  Security bump (bug #479968).
+
Comment 2 Jory A. Pratt gentoo-dev 2013-08-07 22:40:35 UTC 
Feel free to proceed, we will need to ensure nss-3.15, Please stabilize 3.15.1 which will require the stabilization of nspr-4.10 at same time.
Comment 3 Alex Xu (Hello71) 2013-08-10 02:43:49 UTC 
Since the devs seem to have forgotten about the bug...


*firefox-17.0.8 (07 Aug 2013)
*firefox-23.0 (07 Aug 2013)

  07 Aug 2013;  <anarchy@gentoo.org> +firefox-17.0.8.ebuild,
  +firefox-23.0.ebuild, -firefox-21.0.ebuild, -firefox-22.0.ebuild:
  Security bump, bug #479968

*firefox-bin-23.0 (07 Aug 2013)

  07 Aug 2013;  <anarchy@gentoo.org> +firefox-bin-23.0.ebuild,
  -firefox-bin-20.0.1.ebuild, -firefox-bin-21.0.ebuild,
  -firefox-bin-22.0.ebuild:
  version bump for security bug #479968

*firefox-bin-17.0.8 (07 Aug 2013)

  07 Aug 2013; Ian Stakenvicius <axs@gentoo.org> +firefox-bin-17.0.8.ebuild:
  version bump for security bug #479968

  27 Jun 2013; Agostino Sarubbo <ago@gentoo.org> firefox-bin-17.0.7.ebuild:
  Stable for x86, wrt bug #474758

*thunderbird-17.0.8 (07 Aug 2013)

  07 Aug 2013;  <anarchy@gentoo.org> +thunderbird-17.0.8.ebuild:
  Security bump, bug #479968

*thunderbird-bin-17.0.8 (07 Aug 2013)

  07 Aug 2013; Ian Stakenvicius <axs@gentoo.org> +thunderbird-bin-17.0.8.ebuild:
  version bump for security bug #479968


Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not relevant to the stabilization. CCing arches, KEYWORDS should be as follows:


=www-client/firefox-17.0.7:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=www-client/firefox-bin-17.0.7:
Target KEYWORDS="amd64 x86"

=mail-client/thunderbird-17.0.7:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=mail-client/thunderbird-bin-17.0.7:
Target KEYWORDS="amd64 x86"


Hopefully I'm not making too much of an idiot of myself.
Comment 4 Jory A. Pratt gentoo-dev 2013-08-10 02:52:22 UTC 
(In reply to Alex Xu from comment #3)
 
> Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not
> relevant to the stabilization. CCing arches, KEYWORDS should be as follows:
> 

You are wrong here. Seamonkey-bin-2.20 will need to be stabilized at the same time. Arch teams please stand by before you begin your work. I will update bug with correct info soon as seamonkey-bin-2.20 is added to tree.
Comment 5 Alex Xu (Hello71) 2013-08-10 02:55:18 UTC 
Oh, I have still made an idiot of myself.

anarchy@gentoo.org says nss-3.15.1 and nspr-4.10 are needed, so...


=dev-libs/nss-3.15.1:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=dev-libs/nspr-4.10:
Target KEYWORDS="amd64 arm ppc ppc64 x86"


Or perhaps they need to both be "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86", as those are the existing KEYWORDS... /me is confused again


(In reply to Jory A. Pratt from comment #4)
> (In reply to Alex Xu from comment #3)
>  
> > Unless I'm wrong, seamonkey-bin-2.20 is still missing. It is, however, not
> > relevant to the stabilization. CCing arches, KEYWORDS should be as follows:
> > 
> 
> You are wrong here. Seamonkey-bin-2.20 will need to be stabilized at the
> same time. Arch teams please stand by before you begin your work. I will
> update bug with correct info soon as seamonkey-bin-2.20 is added to tree.

But seamonkey-bin-2.19 is not amd64 x86 stable, and it has critical security issues (according to Mozilla anyways, https://www.mozilla.org/security/known-vulnerabilities/seamonkey.html) too... /me is further confused
Comment 6 Agostino Sarubbo gentoo-dev 2013-08-10 10:06:04 UTC 
@mozilla team

Please give the full list in an ordered comment.
Comment 7 Jory A. Pratt gentoo-dev 2013-08-12 16:13:45 UTC 
=dev-libs/nss-3.15.1-r1:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=dev-libs/nspr-4.10:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=www-client/firefox-17.0.8:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=www-client/firefox-bin-17.0.9:
Target KEYWORDS="amd64 x86"

=mail-client/thunderbird-17.0.8:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=mail-client/thunderbird-bin-17.0.8:
Target KEYWORDS="amd64 x86"

=www-client/seamonkey{-bin}-2.20:
Target KEYWORDS="amd64 x86"
Comment 8 Agostino Sarubbo gentoo-dev 2013-08-12 19:04:07 UTC 
(In reply to Jory A. Pratt from comment #7)
> =www-client/firefox-bin-17.0.9:
typo?
Comment 9 Jory A. Pratt gentoo-dev 2013-08-12 19:28:45 UTC 
(In reply to Agostino Sarubbo from comment #8)
> (In reply to Jory A. Pratt from comment #7)
> > =www-client/firefox-bin-17.0.9:
> typo?

Sorry, it is a type should be firefox-bin-17.0.8
Comment 10 Agostino Sarubbo gentoo-dev 2013-08-12 22:14:33 UTC 
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-08-12 22:20:42 UTC 
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-08-24 12:34:14 UTC 
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-08-24 15:54:33 UTC 
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-08-26 16:59:29 UTC 
ppc stable
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 02:40:46 UTC 
CVE-2013-1717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1717):
  Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
  before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20
  do not properly restrict local-filesystem access by Java applets, which
  allows user-assisted remote attackers to read arbitrary files by leveraging
  a download to a fixed pathname or other predictable pathname.

CVE-2013-1714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1714):
  The Web Workers implementation in Mozilla Firefox before 23.0, Firefox ESR
  17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before
  17.0.8, and SeaMonkey before 2.20 does not properly restrict XMLHttpRequest
  calls, which allows remote attackers to bypass the Same Origin Policy and
  conduct cross-site scripting (XSS) attacks via unspecified vectors.

CVE-2013-1713 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1713):
  Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
  before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20
  use an incorrect URI within unspecified comparisons during enforcement of
  the Same Origin Policy, which allows remote attackers to conduct cross-site
  scripting (XSS) attacks or install arbitrary add-ons via a crafted web site.

CVE-2013-1712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1712):
  Multiple untrusted search path vulnerabilities in updater.exe in Mozilla
  Updater in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8,
  Thunderbird before 17.0.8, and Thunderbird ESR 17.x before 17.0.8 on Windows
  7, Windows Server 2008 R2, Windows 8, and Windows Server 2012 allow local
  users to gain privileges via a Trojan horse DLL in (1) the update directory
  or (2) the current working directory.

CVE-2013-1710 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1710):
  The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0,
  Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR
  17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to
  execute arbitrary JavaScript code or conduct cross-site scripting (XSS)
  attacks via vectors related to Certificate Request Message Format (CRMF)
  request generation.

CVE-2013-1709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1709):
  Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird
  before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20
  do not properly handle the interaction between FRAME elements and history,
  which allows remote attackers to conduct cross-site scripting (XSS) attacks
  via vectors involving spoofing a relative location in a previously visited
  document.

CVE-2013-1707 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1707):
  Stack-based buffer overflow in Mozilla Updater in Mozilla Firefox before
  23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, and
  Thunderbird ESR 17.x before 17.0.8 allows local users to gain privileges via
  a long pathname on the command line to the Mozilla Maintenance Service.

CVE-2013-1701 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1701):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before
  17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown vectors.
Comment 16 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 02:41:14 UTC 
GLSA request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-08-27 21:26:07 UTC 
CVE-2013-1711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1711):
  The XrayWrapper implementation in Mozilla Firefox before 23.0 and SeaMonkey
  before 2.20 does not properly address the possibility of an XBL scope bypass
  resulting from non-native arguments in XBL function calls, which makes it
  easier for remote attackers to conduct cross-site scripting (XSS) attacks by
  leveraging access to an unprivileged object.

CVE-2013-1708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1708):
  Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers
  to cause a denial of service (application crash) via a crafted WAV file that
  is not properly handled by the nsCString::CharAt function.

CVE-2013-1705 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1705):
  Heap-based buffer underflow in the cryptojs_interpret_key_gen_type function
  in Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote
  attackers to execute arbitrary code or cause a denial of service
  (application crash) via a crafted Certificate Request Message Format (CRMF)
  request.

CVE-2013-1704 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1704):
  Use-after-free vulnerability in the nsINode::GetParentNode function in
  Mozilla Firefox before 23.0 and SeaMonkey before 2.20 allows remote
  attackers to execute arbitrary code or cause a denial of service (heap
  memory corruption and application crash) via vectors involving a DOM
  modification at the time of a SetBody mutation event.

CVE-2013-1702 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1702):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 23.0 and SeaMonkey before 2.20 allow remote attackers to
  cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.
Comment 18 Chris Reffett (RETIRED) gentoo-dev Security 2013-08-27 21:26:33 UTC 
I think that's all of the relevant CVEs. Please disregard 
CVE-2013-1712, it is Windows-only.
Comment 19 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 01:24:32 UTC 
@maintainers: please clean affected versions.
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2013-09-30 00:29:36 UTC 
This issue was resolved and addressed in
 GLSA 201309-23 at http://security.gentoo.org/glsa/glsa-201309-23.xml
by GLSA coordinator Chris Reffett (creffett).