Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 66084

Summary: net-www/mozilla-firefox: 0.10.1 security release
Product: Gentoo Security Reporter: Doug Goldstein (RETIRED) <cardoe>
Component: VulnerabilitiesAssignee: Bryan Østergaard (RETIRED) <kloeri>
Status: RESOLVED FIXED    
Severity: minor CC: basic, jay, listmail, mozilla
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
URL: http://www.mozilla.org/press/mozilla-2004-10-01-02.html
Whiteboard: A4 [glsa?] lewk
Package list:
Runtime testing required: ---

Description Doug Goldstein (RETIRED) gentoo-dev 2004-10-01 22:00:12 UTC 
The little periodic update ran on my system and it gave me the following updates.

Critical Updates (1)
- data: Downloading fix      from ftp.mozilla.org
   You should install these updates immediately to protect your computer from attack.

Firefox 1.0 Preview Release
- Firefox 1.0 Preview Release is available. We strongly recommend that you install this upgrade as soon as possible.

Optional Components (2)
- Quality Feedback Utility
- The Document Inspector


Now it sounds like the top thing is a security issue.. However it should not tell me to install Firefox 1.0 Preview Release as I have it installed already.

Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040929 Firefox/0.10

That's from help about firefox. I have firefox-1.0_pre-r1 installed since the day it came out.
Comment 1 Doug Goldstein (RETIRED) gentoo-dev 2004-10-01 22:01:48 UTC 
Well. I've got the answer.. Preview Release has been updated to .10.1 for a security issue... URL is included above and here...

http://www.mozilla.org/press/mozilla-2004-10-01-02.html
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-10-01 22:36:13 UTC 
*** Bug 66086 has been marked as a duplicate of this bug. ***
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-10-01 22:38:53 UTC 
Mozilla guys, 
Sorry for the bug confusion, please bump to 0.10.1
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-10-02 02:00:44 UTC 
Filesystem overwrite with user rights : downgrading severity

mozilla-firefox and mozilla-firefox-bin should be upgraded.
Comment 5 Brad Laue (RETIRED) gentoo-dev 2004-10-02 09:16:54 UTC 
firefox and firefox-bin are updated to 0.10.1 and pushed to x86 stable.
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-10-02 18:58:11 UTC 
archs, please mark mozilla-firefox-1.0_pre-r2 stable.
Comment 7 SpanKY gentoo-dev 2004-10-02 21:45:01 UTC 
ia64 stable
Comment 8 Jason Wever (RETIRED) gentoo-dev 2004-10-03 07:09:45 UTC 
stable on sparc
Comment 9 Jochen Maes (RETIRED) gentoo-dev 2004-10-03 12:15:49 UTC 
stable on ppc
Comment 10 Luke Macken (RETIRED) gentoo-dev 2004-10-03 18:49:13 UTC 
Not sure we should issue a GLSA for this issue since the user must download the file [him|her]self in order to exploit this.

What does everyone else think?
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2004-10-04 00:55:52 UTC 
I would have the same opinion. Waiting for someone else to play devil's advocate...
Comment 12 Allen Ziegenfus 2004-10-04 09:45:07 UTC 
How should this update work? If I run firefox as root I can update for this fix through the firefox interface and it seems to work (about box reports 0.10.1 as the version number). However when I then run firefox as my normal app user I don't see the new version number. If I try to update running as the normal user I get an error. 

Do I need to rebuild firefox instead using the ebuild? If so, can alpha be added to this ebuild?
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2004-10-04 09:56:40 UTC 
I'm having trouble emerging this on alpha. I'll keyword alpha as soon as those problems are solved.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-10-07 01:57:55 UTC 
amd64: please mark mozilla-firefox-bin-1.0_pr-r1 stable too.
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2004-10-07 06:13:53 UTC 
done
Comment 16 Dan Margolis (RETIRED) gentoo-dev 2004-10-07 09:18:48 UTC 
Limited DoS with (unlikely) user interaction. 

I'd say no GLSA>
Comment 17 Kurt Lieber (RETIRED) gentoo-dev 2004-10-07 09:22:16 UTC 
I can achieve the same result with improper use of the 'rm' command, so I vote for  no GLSA.
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2004-10-07 09:23:30 UTC 
Closing without GLSA
alpha: good luck with your testing