Bug 750446 (CVE-2020-15683, MFSA-2020-45, MFSA-2020-46, MFSA-2020-47)

Summary:	<www-client/{firefox,thunderbird}{,-bin}-{78.4.0, 82.0}: Multiple vulnerabilities (MFSA-2020-{45,46,47})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	mozilla
Priority:	Normal	Keywords:	CC-ARCHES
Version:	unspecified	Flags:	nattka: sanity-check+
Hardware:	All
OS:	Linux
URL:	https://www.mozilla.org/en-US/security/advisories/mfsa2020-46/
Whiteboard:	A2 [glsa+ cve]
Package list:	www-client/firefox-78.4.0	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	750743

Description Sam James archtester

2020-10-20 17:20:13 UTC

* CVE-2020-15969

A use-after-free bug in the usersctp library was reported upstream. We assume this could have led to memory corruption and a potentially exploitable crash.
References

* CVE-2020-15683

Mozilla developers and community members Jason Kratzer, Simon Giesecke, Philipp, and Christian Holler reported memory safety bugs present in Firefox 81 and Firefox ESR 78.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

----
As ever, there's also https://www.mozilla.org/en-US/security/advisories/mfsa2020-45/ for Firefox 82, but they're getting handled in this bug anyway and aren't eligible for GLSA (not in stable version).

Comment 1 Larry the Git Cow gentoo-dev

2020-10-21 22:49:56 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=10f540c3334dbe5bd0a1413f890b9762ba59bca6

commit 10f540c3334dbe5bd0a1413f890b9762ba59bca6
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-21 22:49:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-21 22:49:05 +0000

    www-client/firefox: amd64 & x86 stable
    
    Bug: https://bugs.gentoo.org/750446
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/firefox-78.4.0.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 2 Sam James archtester

2020-10-23 00:31:39 UTC

arm64 done

all arches done

Comment 3 Larry the Git Cow gentoo-dev

2020-10-23 00:53:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=23bdbb5707dd557ded7e596f4946136252016d7d

commit 23bdbb5707dd557ded7e596f4946136252016d7d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-23 00:52:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-23 00:52:39 +0000

    mail-client/thunderbird-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/750446
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird-bin/Manifest               | 132 -------
 .../thunderbird-bin/thunderbird-bin-78.3.2.ebuild  | 370 --------------------
 .../thunderbird-bin/thunderbird-bin-78.3.3.ebuild  | 378 ---------------------
 3 files changed, 880 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ae4d0bfd7bf7fd323c2d43778f4908fba59fbd48

commit ae4d0bfd7bf7fd323c2d43778f4908fba59fbd48
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-23 00:52:15 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-23 00:52:15 +0000

    mail-client/thunderbird: security cleanup
    
    Bug: https://bugs.gentoo.org/750446
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 mail-client/thunderbird/Manifest                  |  131 ---
 mail-client/thunderbird/thunderbird-78.3.2.ebuild | 1016 --------------------
 mail-client/thunderbird/thunderbird-78.3.3.ebuild | 1035 ---------------------
 3 files changed, 2182 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9b47149e2061daccf2dea26ada458ee2014d51da

commit 9b47149e2061daccf2dea26ada458ee2014d51da
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-23 00:51:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-23 00:51:06 +0000

    www-client/firefox-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/750446
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest                    | 291 ---------------
 .../firefox-bin/firefox-bin-78.3.1-r1.ebuild       | 403 ---------------------
 .../firefox-bin/firefox-bin-81.0.1-r1.ebuild       | 403 ---------------------
 www-client/firefox-bin/firefox-bin-81.0.2.ebuild   | 403 ---------------------
 4 files changed, 1500 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4befbbed6fe0ac47b7276c672153b259251d140e

commit 4befbbed6fe0ac47b7276c672153b259251d140e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-23 00:49:39 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-23 00:49:39 +0000

    www-client/firefox: security cleanup
    
    Bug: https://bugs.gentoo.org/750446
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest                        |  291 ------
 ...-hwaccel-prefs.js-1 => gentoo-hwaccel-prefs.js} |    0
 www-client/firefox/firefox-78.3.1.ebuild           | 1098 --------------------
 www-client/firefox/firefox-78.4.0.ebuild           |    2 +-
 www-client/firefox/firefox-81.0.1-r1.ebuild        | 1098 --------------------
 www-client/firefox/firefox-81.0.1.ebuild           | 1066 -------------------
 www-client/firefox/firefox-81.0.2.ebuild           | 1098 --------------------
 www-client/firefox/firefox-82.0.ebuild             |    2 +-
 8 files changed, 2 insertions(+), 4653 deletions(-)

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2020-10-28 00:36:54 UTC

This issue was resolved and addressed in
 GLSA 202010-08 at https://security.gentoo.org/glsa/202010-08
by GLSA coordinator Sam James (sam_c).