Summary: | <www-client/firefox{,-bin}-{38.1.1,39.0.3}: Same origin violation and local file stealing via PDF readerMozilla Foundation Security Advisory 2015-78 (CVE-2015-4495) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Louis Sautier (sbraz) <sbraz> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | dev, fcolloret, krinpaus, marduk, mozilla |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A3 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Louis Sautier (sbraz)
2015-08-07 12:38:35 UTC
*** Bug 556944 has been marked as a duplicate of this bug. *** *** Bug 556958 has been marked as a duplicate of this bug. *** A simple version bump (to be more precisely: just a copy of firefox-39.0.ebuild to firefox-39.0.3.ebuild) built here at ~amd64 (and runs). I didn't really check all the language packages from mozilla.org, only the ones I used plus the main tarball. Therefore I can't provide a proper Manifest file. Hope this helps anywone. I can provide it: http://sprunge.us/aFNJ It rebuilt fine for me as well on amd64. I'm doing the bumps now, it'll take a bit of time to compile-test and run-test before I can commit though. Will be done by end of day today. Does anyone here have an issue with me pushing the 38.1.1 bump direct to stable? I haven't completed a full diff yet but so far as I can tell from upstream bugzilla the only change is to the PDF.js module, so all other operational bits remain the same between 38.1.0 and 38.1.1.. 38.1.1 works fine with an ebuild bump on AMD64 here. (In reply to Ian Stakenvicius from comment #5) > Does anyone here have an issue with me pushing the 38.1.1 bump direct to > stable? I haven't completed a full diff yet but so far as I can tell from > upstream bugzilla the only change is to the PDF.js module, so all other > operational bits remain the same between 38.1.0 and 38.1.1.. Ugh, nevermind -- they added a whole ton of additions to the build system as well; i think it's all just related to mozilla's own release system but I can't say exactly for sure. Better safe than sorry. Arch Teams, please stabilize as soon as possible: www-client/firefox-bin-38.1.1: Target KEYWORDS="-* amd64 x86" www-client/firefox-38.1.1: Target KEYWORDS="amd64 hppa ppc ppc64 x86" amd64 stable x86 stable ppc stable Stable for PPC64. Hate to ruin the party just as you're getting ESR 38.1.1 out the door, but Mozilla just released 38.2. The vulnerabilities it fixes are mostly more academic than the serious PDF viewer exploit in the last one, but nonetheless, it is a security-fix release: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ Also, they say 38.2 is supposed to fix a build problem on hppa, though I don't know if Gentoo ever had that problem. (In reply to Brent Busby from comment #12) > Hate to ruin the party just as you're getting ESR 38.1.1 out the door, but > Mozilla just released 38.2. The vulnerabilities it fixes are mostly more > academic than the serious PDF viewer exploit in the last one, but > nonetheless, it is a security-fix release: > > https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/ > > Also, they say 38.2 is supposed to fix a build problem on hppa, though I > don't know if Gentoo ever had that problem. Already in the tree as per version bump bug 557532, and security bug has been filed as well, bug 557590. Gentoo-Security will handle this bug until resolution. Dependency set Stable for HPPA. Arches and Maintainer(s), Thank you for your work. Added to an existing GLSA Request. This issue was resolved and addressed in GLSA 201512-10 at https://security.gentoo.org/glsa/201512-10 by GLSA coordinator Yury German (BlueKnight). |