Summary: | <www-client/firefox{,-bin}-78.3.0: Multiple vulnerabilities (MFSA-2020-43) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | dharding, fcolloret, filip.ambroz, Manfred.Knick, mozilla, redneb |
Priority: | Normal | Keywords: | CC-ARCHES, STABLEREQ |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.mozilla.org/en-US/security/advisories/mfsa2020-43/ | ||
Whiteboard: | A2 [glsa+ cve] | ||
Package list: | www-client/firefox-78.3.1 |
Runtime testing required: | --- |
Bug Depends on: | 746152, 746155 | ||
Bug Blocks: | 745426 |
Description
Sam James
2020-09-23 03:50:59 UTC
*** Bug 744709 has been marked as a duplicate of this bug. ***

FYI: The reason for the slight delay has been rewriting the whole shebang to drop Python 2.x and other long-standing cleanups due. It should be here soon.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed273ce18a8de3340424291814e8376b4e787792

commit ed273ce18a8de3340424291814e8376b4e787792
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-29 23:29:43 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-29 23:39:33 +0000

    www-client/firefox: bump to v81.0

    Bug: https://bugs.gentoo.org/698978
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest | 97 ++
 www-client/firefox/files/gentoo-default-prefs.js | 13 +
 www-client/firefox/files/gentoo-hwaccel-prefs.js-1 | 1 +
 www-client/firefox/files/icon/firefox-symbolic.svg | 64 ++
 www-client/firefox/firefox-81.0.ebuild | 1028 ++++++++++++++++++++
 5 files changed, 1203 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaf416cbcda53918cbd9250877bf1bd76ed5f5c1

commit eaf416cbcda53918cbd9250877bf1bd76ed5f5c1
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-30 01:02:06 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-30 01:05:11 +0000

    www-client/firefox: bump to v78.3.0

    Closes: https://bugs.gentoo.org/698978
    Closes: https://bugs.gentoo.org/734924
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest | 97 +++
 www-client/firefox/firefox-78.3.0.ebuild | 1028 ++++++++++++++++++++++++++++++
 2 files changed, 1125 insertions(+)

Sanity check failed:
> www-client/firefox-78.3.0
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> depend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
*** Bug 745927 has been marked as a duplicate of this bug. ***

Unable to check for sanity:
> no match for package: www-client/firefox-78.3.0
Unable to check for sanity:
> no match for package: www-client/firefox-78.3.0-r1
Sanity check failed:
> www-client/firefox-78.3.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> media-video/pipewire:0/0.3
> depend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
> rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/harfbuzz-2.6.8:0=
> >=media-libs/libvpx-1.8.2:0=[postproc]
*** Bug 746104 has been marked as a duplicate of this bug. ***

Sanity check failed:
> www-client/firefox-78.3.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=media-libs/harfbuzz-2.6.8:0=
> media-video/pipewire:0/0.3
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/harfbuzz-2.6.8:0=
> media-video/pipewire:0/0.3
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> >=media-libs/harfbuzz-2.6.8:0=
> media-video/pipewire:0/0.3
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/harfbuzz-2.6.8:0=
> media-video/pipewire:0/0.3
> depend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/harfbuzz-2.6.8:0=
> rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
> >=media-libs/harfbuzz-2.6.8:0=
Sanity check failed:
> www-client/firefox-78.3.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> media-video/pipewire:0/0.3
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> media-video/pipewire:0/0.3
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> media-video/pipewire:0/0.3
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> media-video/pipewire:0/0.3
Sanity check failed:
> www-client/firefox-78.3.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> media-video/pipewire:0/0.3
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> media-video/pipewire:0/0.3
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> media-video/pipewire:0/0.3
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> media-video/pipewire:0/0.3
There should be a p.use.stable.mask for USE=screencast since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f64d43b3a0af5c8730ddff9b13c84cfdecb2f467

Sanity check failed:
> www-client/firefox-78.3.1
> depend amd64 stable profile default/linux/amd64/17.0 (39 total)
> media-video/pipewire:0/0.3
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> media-video/pipewire:0/0.3
> rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
> media-video/pipewire:0/0.3
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> media-video/pipewire:0/0.3
2nd attempt, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19f9b22e442231e79c4607ecae8ca731dd27d397

Sanity check failed:
> www-client/firefox-78.3.1
> depend amd64 stable profile default/linux/amd64/17.0 (28 total)
> >=media-libs/libvpx-1.8.2:0=[postproc]
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/libvpx-1.8.2:0=[postproc]
> rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
> >=media-libs/libvpx-1.8.2:0=[postproc]
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
> >=media-libs/libvpx-1.8.2:0=[postproc]
amd64 done

Sanity check failed:
> www-client/firefox-78.3.1
> depend x86 stable profile default/linux/x86/17.0 (11 total)
> >=media-libs/libvpx-1.8.2:0=[postproc]
> rdepend x86 stable profile default/linux/x86/17.0 (11 total)
> >=media-libs/libvpx-1.8.2:0=[postproc]
All sanity-check issues have been resolved

arm64 done

x86 done

all arches done

Please cleanup.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7552dbbb8d915123b39915e935f5342ed5a742ca

commit 7552dbbb8d915123b39915e935f5342ed5a742ca
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:48:32 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:15 +0000

    www-client/firefox-bin: security cleanup

    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest | 279 -------------------
 www-client/firefox-bin/files/10firefox-bin | 1 -
 www-client/firefox-bin/files/all-gentoo-3.js | 22 --
 .../firefox-bin/files/firefox-bin-r1.desktop | 230 ----------------
 www-client/firefox-bin/files/local-settings.js | 2 -
 www-client/firefox-bin/firefox-bin-68.12.0.ebuild | 280 -------------------
 www-client/firefox-bin/firefox-bin-80.0.1.ebuild | 296 ---------------------
 www-client/firefox-bin/firefox-bin-80.0.ebuild | 296 ---------------------
 8 files changed, 1406 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28c2356835ff57d2495c1f31b8dbd11c10ab961d

commit 28c2356835ff57d2495c1f31b8dbd11c10ab961d
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:44:49 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:15 +0000

    www-client/firefox: security cleanup

    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/arch/alpha/package.use.mask | 1 -
 profiles/default/linux/hppa/package.use.mask | 4 -
 www-client/firefox/Manifest | 279 ------
 www-client/firefox/files/gentoo-default-prefs.js-3 | 19 -
 www-client/firefox/files/icon/firefox-r1.desktop | 230 -----
 www-client/firefox/files/icon/firefox.desktop | 10 -
 www-client/firefox/firefox-68.12.0.ebuild | 935 ---------------------
 www-client/firefox/firefox-80.0.1-r1.ebuild | 933 --------------------
 www-client/firefox/firefox-80.0.1.ebuild | 933 --------------------
 www-client/firefox/firefox-80.0.ebuild | 927 --------------------
 www-client/firefox/metadata.xml | 9 -
 11 files changed, 4280 deletions(-)

This issue was resolved and addressed in GLSA 202010-02 at https://security.gentoo.org/glsa/202010-02 by GLSA coordinator Sam James (sam_c).