
Bug 590330 (CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268)

Summary: <www-client/firefox{,-bin}-{45.3.0,48.0}, <mail-client/thunderbird{,-bin}-45.3.0: multiple vulnerabilities
Product: Gentoo Security
Reporter: Nikolay Edigaryev <edigaryev>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: ab4bd, carlphilippreh, gentoo, mozilla, mstomich
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 594616    
Bug Blocks:    

Description Nikolay Edigaryev 2016-08-02 19:40:06 UTC
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2016-08-04 03:49:05 UTC
Ebuilds for both versions are in the gentoo repo.

I know I'm getting a little ahead of the security team, but:  ATs, please stabilize www-client/firefox-45.3.0 for Target KEYWORDS="amd64 ppc ppc64 x86"

Comment 2 Agostino Sarubbo gentoo-dev 2016-08-07 10:46:33 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-10 00:04:28 UTC
Stable for PPC64.
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2016-08-31 14:45:21 UTC
Since this bug hasn't been processed by security yet, I'd like to usurp it to add thunderbird-45.3.0 (with the same CVE list).

Arches, please also stabilize mail-client/thunderbird-45.3.0 for target
KEYWORDS="ppc ppc64 x86" (I've already done amd64)
Comment 5 Samuel Bernardo 2016-09-03 21:33:31 UTC
(In reply to Agostino Sarubbo from comment #2)
> amd64 stable

I can't compile thunderbird 45.3.0. It gives me the following error:

/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/../../../../x86_64-pc-linux-gnu/bin/ld: ../../xpcom/components/nsComponentManager.o: relocation R_X86_64_PC32 against protected symbol `end_kPStaticModules_NSModule' can not be used when making a shared object
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/../../../../x86_64-pc-linux-gnu/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/ recipe for target '' failed
make[4]: *** [] Error 1
make[4]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird/toolkit/library'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/ recipe for target 'toolkit/library/target' failed
make[3]: *** [toolkit/library/target] Error 2
make[3]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/ recipe for target 'compile' failed
make[2]: *** [compile] Error 2
make[2]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/ recipe for target 'default' failed
make[1]: *** [default] Error 2
make[1]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/ recipe for target 'build' failed
make: *** [build] Error 2

Compilation environment:
CFLAGS="-O2 -pipe -march=native"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/maven-bin-3.0/conf /usr/share/maven-bin-3.3/conf /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=native"
EMERGE_DEFAULT_OPTS="--quiet --jobs=20 --load-average=13.00 --keep-going=y --with-bdeps=y --buildpkg-exclude 'virtual/* sys-kernel/*-
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"

Active use flags:
crypt dbus ffmpeg gstreamer jemalloc3 jit ldap lightning minimal pulseaudio

Any help would be great, since this is also a security update to thunderbird.

Comment 6 Mark Davies 2016-09-20 13:43:08 UTC
Any chance of getting www-client/firefox-45.3.0 stable for x86? Now that 45.2.0 has been removed, stable falls back to 38.8 for x86.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-09-23 05:01:04 UTC
Further Changes in bug 594616 
CVEs will be modified for the correct version.
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 09:07:19 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:08:59 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-01-03 13:02:33 UTC
This issue was resolved and addressed in
 GLSA 201701-15 at
by GLSA coordinator Thomas Deutschmann (whissi).