
Bug 559186 (CVE-2015-4498)

Summary: <www-client/firefox-{38.2.1,40.0.3}: Add-on notification bypass through data URLs
Product: Gentoo Security
Reporter: Randy Barlow <randy>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Randy Barlow 2015-08-30 18:32:31 UTC
The current stable version of Firefox in the portage tree is vulnerable to CVE-2015-4498:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/

Reproducible: Always

Steps to Reproduce:
1. On a system configured for stable packages only with Firefox installed, you will have www-client/firefox-38.2.0


Expected Results:  
38.2.1 should be stabilized.
Comment 1 Randy Barlow 2015-08-30 21:14:06 UTC
There is another security flaw that is more serious (listed as critical) that these same versions of Firefox fix:

CVE-2015-4497: Use-after-free when resizing canvas element during restyling

https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/

Should I adjust this bug's CVE Alias and name to reflect the more serious of the two vulnerabilities since they both have the same fix (update to 38.2.1 and 40.0.3), or is this note sufficient, or should I file another bug about the other CVE? Sorry, I'm not very familiar with the Gentoo policies about this.

Should we raise the importance on the bug to reflect the severity of the other issue?
Comment 2 Jory A. Pratt gentoo-dev 2015-08-31 02:51:55 UTC
*** Bug 559090 has been marked as a duplicate of this bug. ***
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2015-09-02 22:01:56 UTC
firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.

ATs, Please stabilize 38.2.1 at your leisure.


www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"

www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2015-09-02 22:02:58 UTC
(In reply to Ian Stakenvicius from comment #3)
> firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.
> 
> ATs, Please stabilize 38.2.1 at your leisure.
> 
> 
> www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"
> 
> www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"

Err, sorry -- s/38.2.0/38.2.1/
Comment 5 Agostino Sarubbo gentoo-dev 2015-09-03 08:24:53 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-03 08:26:34 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-06 10:14:32 UTC
Stable for HPPA PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-04 14:43:13 UTC
38.3.0 was done in 561246
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 02:36:55 UTC
Added to an existing GLSA Request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 05:54:07 UTC
This issue was resolved and addressed in
 GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06
by GLSA coordinator Yury German (BlueKnight).