Summary: | <www-client/firefox{,-bin}-{31.6.0,37.0.2}, <mail-client/thunderbird{,-bin}-31.6.0: Multiple vulnerabilities (CVE-2015-{0798,0799,0801,0802,0803,0804,0805,0806,0807,0808,0810,0811,0812,0813,0814,0815,0816,2706,2808}) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | alexander, email, infoman1985, mozilla |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | A2 [glsa cve] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
Why www-client/firefox-bin was updated but www-client/firefox wasn't?

(In reply to Denis Misiurca from comment #1)
> Why www-client/firefox-bin was updated but www-client/firefox wasn't?

Same for thunderbird-bin / thunderbird.

The *-bin's are practically trivial to bump, the source ones not so much. I'm also personally without reliable internet access at the moment and that's holding me back a fair bit in terms of getting these packages bumped.

(In reply to charles17 from comment #2)
> (In reply to Denis Misiurca from comment #1)
> > Why www-client/firefox-bin was updated but www-client/firefox wasn't?
>
> Same for thunderbird-bin / thunderbird.

+*firefox-31.6.0 (05 Apr 2015) + + 05 Apr 2015; Lars Wendler <polynomial-c@g.o> -firefox-31.4.0.ebuild, + -firefox-31.5.0.ebuild, +firefox-31.6.0.ebuild: + Version bump. Removed old. +*thunderbird-31.6.0 (06 Apr 2015) + + 06 Apr 2015; Lars Wendler <polynomial-c@g.o> + -thunderbird-31.3.0.ebuild, +thunderbird-31.6.0.ebuild: + Version bump. Removed old.

firefox{,-bin} and thunderbird{,-bin} in tree for over two weeks now. Can we stabilize?

(In reply to Stephan Hartmann from comment #5)
> firefox{,-bin} and thunderbird{,-bin} in tree for over two weeks now. Can we
> stabilize?

Absolutely -- please stabilize 31.6.0 versions. In fact, as soon as the ESR versions hit the tree they can be stabilized for security, as far as I am concerned.

www-client/firefox-bin-31.6.0 Target KEYWORDS="amd64 x86"

www-client/firefox-31.6.0 Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"

mail-client/thunderbird-bin-31.6.0 Target KEYWORDS="amd64 x86"

mail-client/thunderbird-31.6.0 Target KEYWORDS="amd64 ppc ppc64 x86"

Note that a new seamonkey release is afaik still pending from upstream, to resolve the firefox MFSAs within that codebase.

CC'ing arches.

This is the CVE table and the versions:

During Cleanup we will have to drop <37.0.2 in the version:37.X

Thunderbird / Firefox - 31.6

2015-30 = CVE-2015-0815, CVE-2015-0814

2015-31 = CVE-2015-0813

2015-33 = CVE-2015-0816

2015-37 = CVE-2015-0807

2015-40 = CVE-2015-0801

Firefox 37.0.2

2015-45 = CVE-2015-2706

Firefox 37.0.1

2015-43 = CVE-2015-0798

2015-44 = CVE-2015-0799

Firefox 37

2015-30 = CVE-2015-0814,0815

2015-31 = CVE-2015-0813

2015-32 = CVE-2015-0812

2015-33 = CVE-2015-0816

2015-34 = CVE-2015-0811

2015-35 = CVE-2015-0810

2015-36 = CVE-2015-0808

2015-37 = CVE-2015-0807

2015-38 = CVE-2015-0805,0806

2015-39 = CVE-2015-0803,0804

2015-40 = CVE-2015-0801

2015-41 = CVE-2015-0800,2808

2015-42 = CVE-2015-0802

Stable for HPPA.

amd64 stable

x86 stable

Stable for PPC64.

ppc stable

Can we either stabilize firefox for "arm" arch, we have not had a stable version for it for a long time.

(In reply to Yury German from comment #14)
> Can we either stabilize firefox for "arm" arch, we have not had a stable
> version for it for a long time.

If you stabilize arm you will be required to keep up with latest esr, we will not support anything older.

Currently 24.3.0 is the only stable version which is from 2013 and has a very long list of vulnerabilities. So we either need to make it stable or drop it to ~arm and clean up the vulnerable versions.

(In reply to Yury German from comment #16)
> Currently 24.3.0 is the only stable version which is from 2013 and has a
> very long list of vulnerabilities. So we either need to make it stable or
> drop it to ~arm and clean up the vulnerable versions.

Agreed, we should drop stable arm keywords on all three major mozilla packages in the tree.

CVE-2015-0816 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0816): Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.

CVE-2015-0815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0815): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2015-0814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0814): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2015-0812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0812): Mozilla Firefox before 37.0 does not require an HTTPS session for lightweight theme add-on installations, which allows man-in-the-middle attackers to bypass an intended user-confirmation requirement by deploying a crafted web site and conducting a DNS spoofing attack against a mozilla.org subdomain.

CVE-2015-0811 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0811): The QCMS implementation in Mozilla Firefox before 37.0 allows remote attackers to obtain sensitive information from process heap memory or cause a denial of service (out-of-bounds read) via an image that is improperly handled during transformation.

CVE-2015-0808 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0808): The webrtc::VPMContentAnalysis::Release function in the WebRTC implementation in Mozilla Firefox before 37.0 uses incompatible approaches to the deallocation of memory for simple-type arrays, which might allow remote attackers to cause a denial of service (memory corruption) via unspecified vectors.

CVE-2015-0807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0807): The navigator.sendBeacon implementation in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x status codes for redirects after a preflight request has occurred, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site, a similar issue to CVE-2014-8638.

CVE-2015-0806 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0806): The Off Main Thread Compositing (OMTC) implementation in Mozilla Firefox before 37.0 attempts to use memset for a memory region of negative length during interaction with the mozilla::layers::BufferTextureClient::AllocateForSurface function, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors that trigger rendering of 2D graphics content.

CVE-2015-0805 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0805): The Off Main Thread Compositing (OMTC) implementation in Mozilla Firefox before 37.0 makes an incorrect memset call during interaction with the mozilla::layers::BufferTextureClient::AllocateForSurface function, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via vectors that trigger rendering of 2D graphics content.

CVE-2015-0804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0804): The HTMLSourceElement::BindToTree function in Mozilla Firefox before 37.0 does not properly constrain a data type after omitting namespace validation during certain tree-binding operations, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted HTML document containing a SOURCE element.

CVE-2015-0803 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0803): The HTMLSourceElement::AfterSetAttr function in Mozilla Firefox before 37.0 does not properly constrain the original data type of a casted value during the setting of a SOURCE element's attributes, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted HTML document.

CVE-2015-0802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0802): Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.

CVE-2015-0801 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0801): Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to bypass the Same Origin Policy and execute arbitrary JavaScript code with chrome privileges via vectors involving anchor navigation, a similar issue to CVE-2015-0818.

CVE-2015-0799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0799): The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header.

CVE-2015-2706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2706): Race condition in the AsyncPaintWaitEvent::AsyncPaintWaitEvent function in Mozilla Firefox before 37.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted plugin that does not properly complete initialization.

CVE-2015-8002 appears to have been a typo.

It has been agreed by the maintainer and the arm team that the Mozilla based packages should be moved in to the unstable arch for arm, and keyworded appropriately. (~arm). This has been done already.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

Firefox is no longer in tree, Thunderbird is still there.

This issue was resolved and addressed in GLSA 201512-10 at https://security.gentoo.org/glsa/201512-10 by GLSA coordinator Yury German (BlueKnight).