
Bug 500320 (CVE-2014-1477)

Summary: <mail-client/thunderbird{,-bin}-24.3.0, <www-client/firefox{,-bin}-24.3.0, <www-client/seamonkey{,-bin}-2.24: Multiple vulnerabilities (CVE-2014-{1477,1478,1479,1480,1481,1482,1483,1485,1486,1487,1488,1489,1490,1491})
Product: Gentoo Security
Reporter: Alex Xu (Hello71) <alex_y_xu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: alexander, blackst0ne.ru, infoman1985, kroemmelbein, mozilla, mstomich
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.mozilla.org/security/announce/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Alex Xu (Hello71) 2014-02-05 01:19:21 UTC
MFSA 2014-13 Inconsistent JavaScript handling of access to Window objects
MFSA 2014-12 NSS ticket handling issues
MFSA 2014-11 Crash when using web workers with asm.js
MFSA 2014-10 Firefox default start page UI content invokable by script
MFSA 2014-09 Cross-origin information leak through web workers
MFSA 2014-08 Use-after-free with imgRequestProxy and image processing
MFSA 2014-07 XSLT stylesheets treated as styles in Content Security Policy
MFSA 2014-06 Profile path leaks to Android system log
MFSA 2014-05 Information disclosure with *FromPoint on iframes
MFSA 2014-04 Incorrect use of discarded images by RasterImage
MFSA 2014-03 UI selection timeout missing on download prompts
MFSA 2014-02 Clone protected content with XBL scopes
MFSA 2014-01 Miscellaneous memory safety hazards (rv:27.0 / rv:24.3)
Comment 1 Alex Xu (Hello71) 2014-02-05 16:07:44 UTC
*** Bug 500384 has been marked as a duplicate of this bug. ***
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-06 12:59:13 UTC
+*seamonkey-2.24 (06 Feb 2014)
+
+  06 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.24.ebuild:
+  Security bump (bug #500320).
+
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-07 14:12:05 UTC
+*seamonkey-bin-2.24 (07 Feb 2014)
+
+  07 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -seamonkey-bin-2.21.ebuild, +seamonkey-bin-2.24.ebuild:
+  Security bump (bug #500320). Removed old.
+

+*firefox-bin-27.0 (07 Feb 2014)
+*firefox-bin-24.3.0 (07 Feb 2014)
+
+  07 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  +firefox-bin-24.3.0.ebuild, -firefox-bin-25.0.ebuild,
+  +firefox-bin-27.0.ebuild:
+  Security bump (bug #500320). Removed old.
+

+*thunderbird-bin-24.3.0 (07 Feb 2014)
+
+  07 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  +thunderbird-bin-24.3.0.ebuild:
+  Security bump (bug #500320).
+
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-07 15:24:13 UTC
+  07 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -pdnsd-1.2.8-r4.ebuild,
+  -files/pdnsd.online.1, -files/pdnsd.rc6.1, files/pdnsd.rc7:
+  Fixed pidfile location in init script. Removed old.
+
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-07 15:25:26 UTC
Oh dear... too much on the radar lately...

Sorry for the useless/wrong comment :-(


+*thunderbird-24.3.0 (07 Feb 2014)
+
+  07 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  +thunderbird-24.3.0.ebuild:
+  Security bump (bug #500320).
+
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-09 10:47:27 UTC
+*firefox-27.0 (09 Feb 2014)
+*firefox-24.3.0 (09 Feb 2014)
+
+  09 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> +firefox-24.3.0.ebuild,
+  +firefox-27.0.ebuild:
+  Security bump (bug #500320).
+
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-09 12:38:29 UTC
*** Bug 500770 has been marked as a duplicate of this bug. ***
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-09 12:47:57 UTC
Arches please test and mark stable:

=mail-client/thunderbird-24.3.0
Target KEYWORDS : amd64 arm ppc ppc64 x86

=www-client/firefox-24.3.0
Target KEYWORDS : amd64 arm hppa ppc ppc64 x86

=www-client/seamonkey-2.24
=mail-client/thunderbird-bin-24.3.0
=www-client/firefox-bin-24.3.0
=www-client/seamonkey-bin-2.24
Target KEYWORDS : amd64 x86
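The summary line gives the vulnerable ranges as version atoms (`<www-client/firefox{,-bin}-24.3.0` and so on), and the stabilization list above names the fixed versions. The script below is an added example, not Gentoo tooling: it expands the `{,-bin}` shorthand, parses the atoms and decides whether an installed `category/package-version` falls inside a range. Version ordering follows the PMS rules for numeric components, an optional trailing letter, `_alpha`/`_beta`/`_pre`/`_rc`/`_p` suffixes and a `-rN` revision; the special string comparison PMS applies to components with leading zeros is left out, which is exact for every version on this page. The installed list is constructed; on a real system it would come from something like `qlist -Iv`.

```python
"""Check installed Gentoo package versions against the vulnerable ranges in
this bug's summary.  Added example, not Gentoo's own code; the version
ordering omits PMS's leading-zero rule for components after the first."""
import re

# Version grammar: numeric components, optional letter, optional
# _alpha/_beta/_pre/_rc/_p suffixes (each with optional number), optional -rN.
VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"
    r"(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
SUFFIX_RE = re.compile(r"_(alpha|beta|pre|rc|p)(\d*)")
# PMS suffix order; "" marks "no further suffix" and sorts between _rc and _p,
# so 1.0_rc1 < 1.0 < 1.0_p1.
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
END = (SUFFIX_RANK[""], 0)
# operator, category, package name, version; the package name is matched
# lazily so the version starts at the first hyphen followed by a digit.
ATOM_RE = re.compile(
    r"^(?P<op>[<>]=?|=)(?P<cat>[^/]+)/(?P<pn>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$"
)
OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

# Ranges copied from this bug's summary ({,-bin} expands to two atoms each).
SUMMARY_ATOMS = [
    "<mail-client/thunderbird{,-bin}-24.3.0",
    "<www-client/firefox{,-bin}-24.3.0",
    "<www-client/seamonkey{,-bin}-2.24",
]


def version_key(ver):
    """Tuple that sorts the way Portage orders versions."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a Gentoo version: {ver!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    suffixes = [(SUFFIX_RANK[name], int(num or 0))
                for name, num in SUFFIX_RE.findall(m.group("suffixes"))]
    suffixes.append(END)  # sentinel: "no more suffixes" outranks _rc, not _p
    return (nums, m.group("letter") or "", tuple(suffixes), int(m.group("rev") or 0))


def expand_braces(text):
    """Expand the shell-style {a,b} shorthand used in the summary line."""
    m = re.search(r"\{([^{}]*)\}", text)
    if not m:
        return [text]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(text[:m.start()] + alt + text[m.end():]))
    return out


def parse_atom(atom):
    """Split '<cat/pn-ver' into (operator, 'cat/pn', 'ver')."""
    m = ATOM_RE.match(atom)
    if not m or not VERSION_RE.match(m.group("ver")):
        raise ValueError(f"unsupported atom: {atom!r}")
    return m.group("op"), f"{m.group('cat')}/{m.group('pn')}", m.group("ver")


def affected_by(cpv, atoms=SUMMARY_ATOMS):
    """Return the expanded atoms that an installed 'cat/pn-ver' satisfies,
    i.e. the vulnerable ranges it falls into (empty list means not affected)."""
    _, cp, ver = parse_atom("=" + cpv)
    hits = []
    for raw in atoms:
        for atom in expand_braces(raw):
            op, acp, aver = parse_atom(atom)
            if acp == cp and OPS[op](version_key(ver), version_key(aver)):
                hits.append(atom)
    return hits


if __name__ == "__main__":
    # Constructed stand-in for the output of `qlist -Iv` on a real system.
    installed = ["www-client/firefox-24.2.0", "www-client/firefox-bin-24.3.0",
                 "www-client/seamonkey-2.23", "mail-client/thunderbird-24.3.0"]
    for cpv in installed:
        hits = affected_by(cpv)
        print(f"{cpv}: {'VULNERABLE via ' + ', '.join(hits) if hits else 'ok'}")
```

The check is only as good as the atoms it is given: the summary ranges target the 24.x ESR branch that is stabilized here, while the ChangeLog entries in this thread also drop firefox-bin-25.0 and firefox-26.0, so a host on a non-ESR version needs those versions added to the atom list before the result means anything.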
Comment 9 Jeroen Roovers gentoo-dev 2014-02-10 00:15:54 UTC
Stable for HPPA.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2014-02-12 06:05:08 UTC
x86 stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-02-12 12:08:51 UTC
CVE-2014-1477 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1477):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3,
  and SeaMonkey before 2.24 allow remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.
Comment 12 Alex Xu (Hello71) 2014-02-12 15:58:26 UTC
Did someone make an oops? I'm pretty sure there's more than one CVE in here.
Comment 13 Ian Stakenvicius gentoo-dev 2014-02-12 17:05:29 UTC
Ayup -- there's definitely more CVEs:

CVE-2014-1481: firefox/seamonkey and not a definite exploit
CVE-2014-1490: applies to NSS <=3.15.3 (so just the *-bin's i guess)
CVE-2014-1491: applies to NSS <=3.15.3 (so just the *-bin's i guess)
CVE-2014-1488: firefox/seamonkey, and is a crash which may be potentially exploitable
CVE-2014-1489: firefox/seamonkey(?), malicious scripts could potentially cause havoc with current session and mess up end-user experience
CVE-2014-1487: breach of same-origin policy, potential for auth tokens to be grabbable from 3rd party scripts/sites.
CVE-2014-1486: use-after-free, possible remote code execution vuln
CVE-2014-1485: CSP treated as styles instead of scripts, so if styles policy less restrictive than scripts policy there is a potential for script execution to occur when it shouldn't
CVE-2014-1484: android-only, not applicable here
CVE-2014-1483: another cross-origin information leak possibility
CVE-2014-1482: RasterImage could write to unowned memory, potential for exploitable crash.
CVE-2014-1480: clickjacking possibility on Save dialog
CVE-2014-1479: XUL issue - an XBL could clone protected XUL data and make it web-accessible.  Unsure if this is actually a vulnerability of our mozilla packages.
CVE-2014-1477: misc memory safety hazards
CVE-2014-1478: more misc memory safety hazards, firefox/seamonkey(?) only

1477 is already listed, so the rest applicable to our packages would be:

CVE-2014-{1478,1480,1481,1482,1483,1485,1486,1487,1488,1489,1490,1491}

Note CVE-2014-{1490,1491} only applies to *-bin and NSS since we use system NSS for our source builds, and NSS was bumped already for another CVE in bug 498172
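The CVE-2014-1485 item above describes the defender's concern precisely: on the affected releases XSLT stylesheets were governed by style-src rather than script-src, so any source a site's style-src permits beyond script-src became a place script could come from. The checker below is an added example, not from the bug or from Mozilla: it parses a Content-Security-Policy header, resolves the effective style-src and script-src (falling back to default-src, then to "allow everything" when neither is set), and reports the style-src sources that script-src does not permit. Source matching is deliberately conservative (keywords and scheme sources need a literal match; host sources are also accepted under `*` or a matching `*.domain` wildcard), so it may over-report but will not miss a looser style-src. The headers in the `__main__` block are constructed.

```python
"""Report CSP headers whose style-src permits sources that script-src does
not.  Added example, not Mozilla or Gentoo code.  Relevant to the affected
releases, which applied style-src rather than script-src to XSLT."""

KEYWORDS = {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"}


def parse_csp(header):
    """'script-src a b; style-src c' -> {'script-src': {a, b}, 'style-src': {c}}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = set(parts[1:])
    return policy


def effective_sources(policy, directive):
    """Directive sources, falling back to default-src, then to 'allow all'."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", {"*"})


def covered(src, allowed):
    """Conservative test of whether source expression `src` is permitted by the
    `allowed` set.  Keyword and scheme sources must appear literally; a host
    source is also covered by '*' or by a '*.domain' wildcard that matches."""
    if src == "'none'" or src in allowed:
        return True
    if src in KEYWORDS or src.endswith(":"):
        return False
    if "*" in allowed:
        return True
    host = src.split("://", 1)[-1].split("/", 1)[0]
    for a in allowed:
        # '*.example.com' matches subdomains only, as CSP host matching does
        if a.startswith("*.") and host.endswith(a[1:]):
            return True
    return False


def style_src_looser_than_script_src(header):
    """Return the (sorted) style-src sources that script-src does not permit;
    an empty list means style-src is no looser than script-src."""
    policy = parse_csp(header)
    style = effective_sources(policy, "style-src")
    script = effective_sources(policy, "script-src")
    return sorted(s for s in style if not covered(s, script))


if __name__ == "__main__":
    # Constructed sample policies; the first two are the kind this check flags.
    samples = [
        "default-src 'self'; script-src 'self'; "
        "style-src 'self' 'unsafe-inline' https://cdn.example.com",
        "script-src 'self'",  # no style-src and no default-src: styles allow '*'
        "script-src 'self' *.example.com; style-src 'self' https://static.example.com",
    ]
    for h in samples:
        extra = style_src_looser_than_script_src(h)
        print(f"{h!r}\n  style-src permits beyond script-src: {extra or 'nothing'}")
```

A clean result from this check does not fix the browser bug; it only removes the extra reach a looser style-src handed to it, which is the part a site operator controls while the package update in this bug is rolled out.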
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 14:50:47 UTC
CVE-2014-1489 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1489):
  Mozilla Firefox before 27.0 does not properly restrict access to about:home
  buttons by script on other pages, which allows user-assisted remote
  attackers to cause a denial of service (session restore) via a crafted web
  site.

CVE-2014-1488 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1488):
  The Web workers implementation in Mozilla Firefox before 27.0 and SeaMonkey
  before 2.24 allows remote attackers to execute arbitrary code via vectors
  involving termination of a worker process that has performed a cross-thread
  object-passing operation in conjunction with use of asm.js.

CVE-2014-1487 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1487):
  The Web workers implementation in Mozilla Firefox before 27.0, Firefox ESR
  24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 allows
  remote attackers to bypass the Same Origin Policy and obtain sensitive
  authentication information via vectors involving error messages.

CVE-2014-1486 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1486):
  Use-after-free vulnerability in the imgRequestProxy function in Mozilla
  Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3,
  and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code
  via vectors involving unspecified Content-Type values for image data.

CVE-2014-1485 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1485):
  The Content Security Policy (CSP) implementation in Mozilla Firefox before
  27.0 and SeaMonkey before 2.24 operates on XSLT stylesheets according to
  style-src directives instead of script-src directives, which might allow
  remote attackers to execute arbitrary XSLT code by leveraging insufficient
  style-src restrictions.

CVE-2014-1483 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1483):
  Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers
  to bypass the Same Origin Policy and obtain sensitive information by using
  an IFRAME element in conjunction with certain timing measurements involving
  the document.caretPositionFromPoint and document.elementFromPoint functions.

CVE-2014-1482 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1482):
  RasterImage.cpp in Mozilla Firefox before 27.0, Firefox ESR 24.x before
  24.3, Thunderbird before 24.3, and SeaMonkey before 2.24 does not prevent
  access to discarded data, which allows remote attackers to execute arbitrary
  code or cause a denial of service (incorrect write operations) via crafted
  image data, as demonstrated by Goo Create.

CVE-2014-1481 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1481):
  Mozilla Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird
  before 24.3, and SeaMonkey before 2.24 allow remote attackers to bypass
  intended restrictions on window objects by leveraging inconsistency in
  native getter methods across different JavaScript engines.

CVE-2014-1480 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1480):
  The file-download implementation in Mozilla Firefox before 27.0 and
  SeaMonkey before 2.24 does not properly restrict the timing of button
  selections, which allows remote attackers to conduct clickjacking attacks,
  and trigger unintended launching of a downloaded file, via a crafted web
  site.

CVE-2014-1479 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1479):
  The System Only Wrapper (SOW) implementation in Mozilla Firefox before 27.0,
  Firefox ESR 24.x before 24.3, Thunderbird before 24.3, and SeaMonkey before
  2.24 does not prevent certain cloning operations, which allows remote
  attackers to bypass intended restrictions on XUL content via vectors
  involving XBL content scopes.

CVE-2014-1478 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1478):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to
  cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via vectors related to the MPostWriteBarrier
  class in js/src/jit/MIR.h and stack alignment in js/src/jit/AsmJS.cpp in
  OdinMonkey, and unknown other vectors.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-02-13 14:51:23 UTC
CVE-2014-1491 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1491):
  Mozilla Network Security Services (NSS) before 3.15.4, as used in Mozilla
  Firefox before 27.0, Firefox ESR 24.x before 24.3, Thunderbird before 24.3,
  SeaMonkey before 2.24, and other products, does not properly restrict public
  values in Diffie-Hellman key exchanges, which makes it easier for remote
  attackers to bypass cryptographic protection mechanisms in ticket handling
  by leveraging use of a certain value.

CVE-2014-1490 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1490):
  Race condition in libssl in Mozilla Network Security Services (NSS) before
  3.15.4, as used in Mozilla Firefox before 27.0, Firefox ESR 24.x before
  24.3, Thunderbird before 24.3, SeaMonkey before 2.24, and other products,
  allows remote attackers to cause a denial of service (use-after-free) or
  possibly have unspecified other impact via vectors involving a resumption
  handshake that triggers incorrect replacement of a session ticket.
Comment 16 Agostino Sarubbo gentoo-dev 2014-02-15 06:03:48 UTC
amd64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-02-20 14:26:08 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-02-22 07:31:29 UTC
arm stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-02-22 07:38:52 UTC
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Lars Wendler (Polynomial-C) gentoo-dev 2014-02-22 08:49:36 UTC
+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -seamonkey-2.22.1.ebuild,
+  -seamonkey-2.23.ebuild, -files/seamonkey-freetype251.patch:
+  Removed vulnerable versions.
+

+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -seamonkey-bin-2.22.1.ebuild, -seamonkey-bin-2.23.ebuild:
+  Removed vulnerable versions.
+

+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -firefox-24.1.1.ebuild,
+  -firefox-24.2.0.ebuild, -firefox-26.0.ebuild:
+  Removed vulnerable versions.
+

+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -firefox-bin-24.1.1.ebuild, -firefox-bin-24.2.0.ebuild,
+  -firefox-bin-26.0.ebuild:
+  Removed vulnerable versions.
+

+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -thunderbird-24.1.1.ebuild, -thunderbird-24.2.0.ebuild:
+  Removed vulnerable versions.
+

+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -thunderbird-bin-24.1.1.ebuild:
+  Removed vulnerable versions.
+
Comment 21 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-21 03:09:11 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:18:07 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).