Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 559186 (CVE-2015-4498)

Summary: <www-client/firefox-{38.2.1,40.0.3}: Add-on notification bypass through data URLs
Product: Gentoo Security Reporter: Randy Barlow <randy>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---

Description Randy Barlow 2015-08-30 18:32:31 UTC
The current stable version of Firefox in the portage tree is vulnerable to CVE-2015-4498:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/

Reproducible: Always

Steps to Reproduce:
1. On a system configured for stable packages only with Firefox installed, you will have www-client/firefox-38.2.0


Expected Results:  
38.2.1 should be stabilized.
Comment 1 Randy Barlow 2015-08-30 21:14:06 UTC
There is another security flaw that is more serious (listed as critical) that these same versions of Firefox fix:

CVE-2015-4497: Use-after-free when resizing canvas element during restyling

https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/

Should I adjust this bug's CVE Alias and name to reflect the more serious of the two vulnerabilities since they both have the same fix (update to 38.2.1 and 40.0.3), or is this note sufficient, or should I file another bug about the other CVE? Sorry, I'm not very familiar with the Gentoo policies about this.

Should we raise the importance on the bug to reflect the severity of the other issue?
Comment 2 Jory A. Pratt gentoo-dev 2015-08-31 02:51:55 UTC
*** Bug 559090 has been marked as a duplicate of this bug. ***
Comment 3 Ian Stakenvicius gentoo-dev 2015-09-02 22:01:56 UTC
firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.

ATs, Please stabilize 38.2.1 at your leisure.


www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"

www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"
Comment 4 Ian Stakenvicius gentoo-dev 2015-09-02 22:02:58 UTC
Err, sorry -- s/38.2.0/38.2.1/ (In reply to Ian Stakenvicius from comment #3)
> firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.
> 
> ATs, Please stabilize 38.2.1 at your leisure.
> 
> 
> www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"
> 
> www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"

Err, sorry -- s/38.2.0/38.2.1/
Comment 5 Agostino Sarubbo gentoo-dev 2015-09-03 08:24:53 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-03 08:26:34 UTC
x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2015-09-06 10:14:32 UTC
Stable for HPPA PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-04 14:43:13 UTC
38.3.0 was done in 561246
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-31 02:36:55 UTC
Added to an existing GLSA Request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 05:54:07 UTC
This issue was resolved and addressed in
 GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06
by GLSA coordinator Yury German (BlueKnight).