|Summary:||net-www/mozilla, mozilla-firefox : 1.7.2 and 0.9.3 release fixes security vulns|
|Product:||Gentoo Security||Reporter:||ChazeFroy <chazefroy>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||major||CC:||amd64, carlo, gnome, hanno, mozilla, polynomial-c, rajiv, rizzo, will|
|Package list:||Runtime testing required:||---|
Description ChazeFroy 2004-08-04 10:22:07 UTC
Comment 1 Thierry Carrez (RETIRED) 2004-08-04 10:35:15 UTC
Mozilla team : please bump to 1.7.2 and 0.9.3.
Comment 2 Aron Griffis (RETIRED) 2004-08-04 11:16:56 UTC
Ok, I'm working on this
Comment 3 Aron Griffis (RETIRED) 2004-08-04 17:04:47 UTC
thunderbird is finished. mozilla and firefox are still in the works. In the case of mozilla enough things have changed that it wasn't a simple bump (at least one patch of ours no longer applies). In the case of firefox it doesn't even build out of the box; they apparently left some files out of the distribution. Stay tuned...
Comment 4 Aron Griffis (RETIRED) 2004-08-04 17:05:32 UTC
thunderbird is finished. mozilla and firefox are still in the works. In the case of mozilla enough things have changed that it wasn't a simple bump (at least one patch of ours no longer applies). And thanks to the haste of our friends at mozilla.org, neither moz nor ff builds out of the box! :-( Stay tuned...
Comment 5 ChazeFroy 2004-08-04 17:39:53 UTC
I simply copied the 0.9.1 ebuild to 0.9.3, and it compiled fine on x86.
Comment 6 ChazeFroy 2004-08-04 17:44:00 UTC
I simply copied the 0.9.1 ebuild to 0.9.3, and firefox compiled fine on x86.
Comment 7 Aron Griffis (RETIRED) 2004-08-04 19:20:17 UTC
mozilla-1.7.2 source package is incomplete http://bugzilla.mozilla.org/show_bug.cgi?id=254346
Comment 8 Aron Griffis (RETIRED) 2004-08-04 19:23:43 UTC
Thanks Chaze, I'll try that now. My updated ebuild had some modifications, but nothing that I thought would cause the build to fail. It might depend on USE flags. Stay tuned...
Comment 9 Aron Griffis (RETIRED) 2004-08-04 19:24:06 UTC
*** Bug 59439 has been marked as a duplicate of this bug. ***
Comment 10 Aron Griffis (RETIRED) 2004-08-05 04:50:31 UTC
*** Bug 59437 has been marked as a duplicate of this bug. ***
Comment 11 Aron Griffis (RETIRED) 2004-08-05 04:54:56 UTC
mozilla-firefox-0.9.3 mozilla-firefox-bin-0.9.3 mozilla-thunderbird-0.7.3 mozilla-thunderbird-bin-0.7.3 mozilla-bin-1.7.2 These are all in portage now, marked ~arch for the moment. It's still impossible to build mozilla-1.7.2 from source so we're waiting on upstream for that.
Comment 12 Thierry Carrez (RETIRED) 2004-08-05 04:58:29 UTC
*** Bug 57380 has been marked as a duplicate of this bug. ***
Comment 13 Aron Griffis (RETIRED) 2004-08-05 04:59:01 UTC
*** Bug 59420 has been marked as a duplicate of this bug. ***
Comment 14 Thierry Carrez (RETIRED) 2004-08-05 05:17:09 UTC
agriffis: From CVSweb it looks like you bumped mozilla-firefox-0.9.3 directly with the 0.9.1 keywords, i.e. stable on most arches... I don't think it was your intention ?
Comment 15 Thierry Carrez (RETIRED) 2004-08-05 05:43:10 UTC
Here are the target keywords : mozilla-firefox-0.9.3 : "x86 ppc sparc alpha amd64 ia64" mozilla-firefox-bin-0.9.3 : "x86 amd64" mozilla-thunderbird-0.7.3 : "x86 ~ppc sparc ~alpha amd64 ia64" mozilla-thunderbird-bin-0.7.3 : "~x86" (done) mozilla-bin-1.7.2 : (none, new package) mozilla-1.7.2 (when available) : "x86 ppc sparc alpha amd64 ia64" Please test and mark stable for the moment : x86 : mozilla-firefox-bin-0.9.3 mozilla-thunderbird-0.7.3 ppc : mozilla-firefox-0.9.3 sparc : mozilla-firefox-0.9.3 mozilla-thunderbird-0.7.3 alpha : mozilla-firefox-0.9.3 amd64 : mozilla-firefox-0.9.3 mozilla-firefox-bin-0.9.3 mozilla-thunderbird-0.7.3 ia64 : mozilla-firefox-0.9.3 mozilla-thunderbird-0.7.3
Comment 16 Olivier Crete (RETIRED) 2004-08-05 07:15:00 UTC
firefox-bin stable on x86.. two more comments on that ebuild: virtual/x11 is twice in RDEPEND and virtual/libc is in DEPEND but is missing from RDEPEND...
Comment 17 Tom Martin (RETIRED) 2004-08-05 13:00:10 UTC
mozilla-thunderbird-0.7.3 fails with: gmake: Entering directory `/var/tmp/portage/mozilla-thunderbird-0.7.3/work/mozilla/other-licenses/libart_lgpl' gmake: *** No rule to make target `export'. Stop. gmake: Leaving directory `/var/tmp/portage/mozilla-thunderbird-0.7.3/work/mozilla/other-licenses/libart_lgpl' gmake: *** [tier_1] Error 2 This happened to anyone else? Revelant USE: "+crypt -debug -gtk2 +java -ldap -moznoxft +mozsvg -xinerama -xprint" /var/tmp/portage/mozilla-thunderbird-0.7.3/work/mozilla/other-licenses/libart-lgpl is empty for me.
Comment 18 Tom Martin (RETIRED) 2004-08-05 13:10:10 UTC
mozilla-firefox and mozilla-firefox-bin 0.9.3 now stable on amd64.. Thunderbird can wait till I find out what happened with the error up <a href="http://bugs.gentoo.org/show_bug.cgi?id=59419#c17">here</a>.
Comment 19 Gustavo Zacarias (RETIRED) 2004-08-05 13:32:12 UTC
mozilla-firefox-0.9.3 sparc stable. mozilla-thunderbird-0.7.3 sparc stable thanks to squash. now waiting for moz 1.7.2.
Comment 20 Joe Jezak (RETIRED) 2004-08-05 13:52:53 UTC
Same result as Comment #17 on ppc with gcc-3.4.1.
Comment 21 Aron Griffis (RETIRED) 2004-08-05 19:29:42 UTC
Slarti, the thunderbird problem you mentioned was bug 59521. It's fixed now.
Comment 22 Dan Margolis (RETIRED) 2004-08-05 22:11:11 UTC
Comment 23 Thierry Carrez (RETIRED) 2004-08-06 02:18:56 UTC
Back to upstream status waiting for a fix in the 1.7.2 sources bug : http://bugzilla.mozilla.org/show_bug.cgi?id=254346
Comment 24 Thierry Carrez (RETIRED) 2004-08-06 02:26:08 UTC
Link to security fixes, for reference : http://www.mozilla.org/projects/security/known-vulnerabilities.html
Comment 25 Tom Martin (RETIRED) 2004-08-06 04:06:11 UTC
mozilla-thunderbird-0.7.3 now stable on amd64, that's amd64 done for now.
Comment 26 firstname.lastname@example.org 2004-08-07 10:00:19 UTC
Getting odd errors when clicking on links for files (non-web pages) causes an odd 'Gecko' titled error dialogs: XML Parsing Error: not well-formed Location: chrome://mozapps/content/downloads/unknownContentType.xul Line Number 1, Column 1: (2 blank lines) ^ (the carat is red, and like it should point to some code, but is blank) Sorry if this is in the wrong place.
Comment 27 Oliver Schoett 2004-08-08 01:15:51 UTC
The 1.7.2 Mozilla sources have been fixed upstream (Bug http://bugzilla.mozilla.org/show_bug.cgi?id=254346 has been closed).
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-08 12:13:04 UTC
Upstream fixed tarballs for Mozilla 1.7.2 back to stable.
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-08 12:28:39 UTC
Sorry back to ebuild. Still no mozilla ebuild.
Comment 30 Aron Griffis (RETIRED) 2004-08-08 12:58:14 UTC
mozilla-1.7.2 is now in portage
Comment 31 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-08 13:15:43 UTC
Now we have a ebuild for mozilla-1.7.2 to mark stable.
Comment 32 Tom Martin (RETIRED) 2004-08-08 16:58:02 UTC
Stable on amd64.
Comment 33 Jason Wever (RETIRED) 2004-08-09 05:27:44 UTC
Stable on sparc.
Comment 34 Gustavo Zacarias (RETIRED) 2004-08-09 07:02:04 UTC
Please note that at least for sparc epiphany-1.2.7 was bumped to stable since 1.2.6 didn't build against mozilla-1.7.2.
Comment 35 Tim Leslie 2004-08-10 16:17:45 UTC
Epiphany and other variant packages should be updated to reflect new version to allow proper emerges of those packages (they currently break).
Comment 36 Pieter Van den Abeele (RETIRED) 2004-08-12 13:01:09 UTC
stable on ppc
Comment 37 Bryan Østergaard (RETIRED) 2004-08-13 02:45:33 UTC
Stable on alpha.
Comment 38 Robert Davis 2004-08-13 14:39:09 UTC
I am getting nsIJVMManager.h: No such file or directory now trying to build galeon. Is that another file missing from Mozilla?
Comment 39 Robert Davis 2004-08-13 15:12:03 UTC
Hmm. My bad. Somehow I don't have USE="java". Either I lost it or now the oji stuff isn't loaded if you don't have it.
Comment 40 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-14 11:54:14 UTC
ppc x86 please mark mozilla-1.7.2 stable asap.
Comment 41 Pieter Van den Abeele (RETIRED) 2004-08-14 12:00:24 UTC
stable on ppc
Comment 42 Tim Yamin (RETIRED) 2004-08-14 15:11:33 UTC
Stable on x86.
Comment 43 Dan Margolis (RETIRED) 2004-08-16 10:57:11 UTC
It appears Epiphany and Galeon (and any other gecko-based browsers?) may also be vulnerable to some of these issues (see http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.667659, https://rhn.redhat.com/errata/RHSA-2004-421.html). Mozilla herd: can you confirm that this bug affects these packages? If so, can you fix the RDEPEND so that they build against the new patched versions of Mozilla?
Comment 44 Aron Griffis (RETIRED) 2004-08-18 12:52:47 UTC
You're right, galeon and epiphany would be affected. However the mozilla team doesn't touch those packages. The gnome team should update the depends.
Comment 45 foser (RETIRED) 2004-08-18 13:59:17 UTC
we'll fix epiphany-1.2.7 to dep hard on moz-1.7.2, needs a bump because it's already stable on an arch. I'll let you know in a second when epiphany-1.2.7-r1 gets added. Galeon is maintained by hanno, CC-ing
Comment 46 foser (RETIRED) 2004-08-18 14:05:58 UTC
epiphany-1.2.7-r1 added & stable on x86 + sparc hanno on CC for fixing galeon
Comment 47 Pieter Van den Abeele (RETIRED) 2004-08-18 18:22:50 UTC
epiphany stable on ppc. please add ppc again when galeon needs testing.
Comment 48 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-23 06:44:01 UTC
GLSA 200408-22 hanno please fix galeon
Comment 49 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-24 11:41:33 UTC
I recommend we strip the relevant bullet point from the GLSA, but do not reissue. ---------- Subject: [Full-Disclosure] RE: [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird: New releases fix vulnerabilities Date: Tuesday 24 August 2004 11:04 From: Gervase Markham <email@example.com> To: firstname.lastname@example.org Cc: email@example.com;, firstname.lastname@example.org;, email@example.com As has been pointed out to the author of the relevant "advisory" several times, Mozilla has neither a "local zone" nor "predictable cache file locations". The author assumed that the random string generated for his cache file location was the same as everyone else's. I wonder how Gentoo can have fixed, QAed and tested the fix for a vulnerability which doesn't exist? (Note: none of the referenced CVE numbers in the advisory refer to this "issue".) Gerv
Comment 50 Joshua J. Berry (CondorDes) (RETIRED) 2004-08-24 11:43:22 UTC
ooh. I forgot to mention that when I went back and looked, I couldn't find any reference to the file cache vulnerabilities referenced in the GLSA, either on Mozilla's website or in any of the CVEs. So I think it's fairly safe to assume he's right and the vulnerability doesn't exist.
Comment 51 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-24 12:27:48 UTC
GLSA updated and not reissued.
Comment 52 Hanno Böck 2004-08-24 13:45:20 UTC
galeon-1.3.17 added and depends on >=mozilla-1.7.2-r1
Comment 53 Danny van Dyk (RETIRED) 2004-08-25 13:24:35 UTC
Removing firstname.lastname@example.org from cc
Comment 54 Bryan Østergaard (RETIRED) 2004-08-25 16:50:38 UTC
Galeon stable on alpha.
Comment 55 Sune Kloppenborg Jeppesen (RETIRED) 2004-08-28 15:56:43 UTC
Arches please mark Galeon 1.3.17 stable.
Comment 56 Pieter Van den Abeele (RETIRED) 2004-08-28 16:31:12 UTC
stable on ppc
Comment 57 Gustavo Zacarias (RETIRED) 2004-08-31 14:17:45 UTC
sparc was done but not removed, removing...
Comment 58 Thierry Carrez (RETIRED) 2004-09-02 06:44:39 UTC
amd64: please mark galeon-1.3.17 stable
Comment 59 Danny van Dyk (RETIRED) 2004-09-02 13:15:27 UTC
galeon-1.3.17 marked stable on amd64.
Comment 60 Thierry Carrez (RETIRED) 2004-09-02 13:39:49 UTC
Ready for a Galeon/Epiphany GLSA... Or an update of the other one
Comment 61 Sune Kloppenborg Jeppesen (RETIRED) 2004-09-03 02:52:02 UTC
Thx everybody. GLSA 200408-22 updated and reissued
Comment 62 Danny van Dyk (RETIRED) 2006-05-31 07:52:30 UTC
GLSA 200408-22 contains format bug: <package name="net-www/epiphany" auto="yes" arch="*"> <unaffected range="ge">1.2.7-r1</unaffected> <vulnerable range="lt"> 1.2.7-r1</vulnerable> </package> Please remove the space before the version-spec in vulnerable tag.
Comment 63 Stefan Cornelius (RETIRED) 2006-05-31 07:58:00 UTC
Thanks, fixed in CVS
Comment 64 Thierry Carrez (RETIRED) 2006-05-31 10:17:14 UTC
and closed again