Bug 802768 (CVE-2021-29972, CVE-2021-29974, CVE-2021-29975, CVE-2021-29977)

Summary:	<www-client/firefox{-bin,}-{78.12.0,90.0}: multiple vulnerabilities (CVE-2021-{29972,29974,29975,29977})
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	major	CC:	mozilla
Priority:	Normal	Flags:	nattka: sanity-check-
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A2 [glsa]
Package list:	www-client/firefox-78.12.0	Runtime testing required:	---
Bug Depends on:
Bug Blocks:	802756

Description John Helmert III archtester

2021-07-18 16:22:26 UTC

CVE-2021-29972: Use of out-of-date library included use-after-free vulnerability

A user-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well.

CVE-2021-29974: HSTS errors could be overridden when network partitioning was enabled

When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically.

CVE-2021-29975: Text message could be overlaid on top of another website

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion.

CVE-2021-29977: Memory safety bugs fixed in Firefox 90

Mozilla developers Andrew McCreight, Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


Need to stabilize 78.12.0.

Comment 1 Larry the Git Cow gentoo-dev

2021-07-22 05:33:55 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57b2b525563f1f8ad9a15e963cae3565e2ab4332

commit 57b2b525563f1f8ad9a15e963cae3565e2ab4332
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-22 05:32:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-22 05:33:48 +0000

    www-client/firefox-bin: drop vulnerable versions
    
     - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0
    
    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox-bin/Manifest                   | 485 ----------------------
 www-client/firefox-bin/firefox-bin-78.11.0.ebuild | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.1.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.2.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.ebuild    | 411 ------------------
 www-client/firefox-bin/firefox-bin-90.0.ebuild    | 417 -------------------
 6 files changed, 2546 deletions(-)

Comment 2 Sam James archtester

2021-07-23 17:56:46 UTC

x86 done

Comment 3 Sam James archtester

2021-07-23 17:58:07 UTC

amd64 done

Comment 4 Sam James archtester

2021-07-26 00:30:42 UTC

arm64 done

all arches done

Comment 5 Sam James archtester

2021-07-26 00:33:21 UTC

Please cleanup, thanks!

Comment 6 Larry the Git Cow gentoo-dev

2021-07-26 05:23:37 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e8c0b609a7a5247b6b75b63e1845aa50757c628

commit 5e8c0b609a7a5247b6b75b63e1845aa50757c628
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-26 05:22:28 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-26 05:23:30 +0000

    www-client/firefox: security cleanup
    
     - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1
    
    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  584 --------------
 www-client/firefox/firefox-78.11.0.ebuild | 1183 -----------------------------
 www-client/firefox/firefox-89.0.1.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.2.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.ebuild    | 1179 ----------------------------
 www-client/firefox/firefox-90.0.1.ebuild  | 1182 ----------------------------
 www-client/firefox/firefox-90.0.ebuild    | 1182 ----------------------------
 7 files changed, 7668 deletions(-)

Comment 7 NATTkA bot gentoo-dev

2021-08-24 13:20:31 UTC

Unable to check for sanity:

> no match for package: www-client/firefox-78.12.0

Comment 8 Joonas Niilola gentoo-dev

2021-12-13 06:37:12 UTC

These have been cleaned, but newer security bugs are open.

Comment 9 Larry the Git Cow gentoo-dev

2022-02-21 23:03:18 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=57effa1a78ecfa61900fdedbc9401d0948141e99

commit 57effa1a78ecfa61900fdedbc9401d0948141e99
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-02-21 22:59:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-02-21 22:59:29 +0000

    [ GLSA 202202-03 ] Mozilla Firefox: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/802768
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/813498
    Bug: https://bugs.gentoo.org/821385
    Bug: https://bugs.gentoo.org/828538
    Bug: https://bugs.gentoo.org/831039
    Bug: https://bugs.gentoo.org/832992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202202-03.xml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)

Comment 10 John Helmert III archtester

2022-02-21 23:05:41 UTC

GLSA released, all done!