
Bug 802768 (CVE-2021-29972, CVE-2021-29974, CVE-2021-29975, CVE-2021-29977)

Summary: <www-client/firefox{-bin,}-{78.12.0,90.0}: multiple vulnerabilities (CVE-2021-{29972,29974,29975,29977})
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: mozilla
Priority: Normal
Flags: nattka: sanity-check-
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
www-client/firefox-78.12.0
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 802756    

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-07-18 16:22:26 UTC
CVE-2021-29972: Use of out-of-date library included use-after-free vulnerability

A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well.

CVE-2021-29974: HSTS errors could be overridden when network partitioning was enabled

When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically.

CVE-2021-29975: Text message could be overlaid on top of another website

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion.

CVE-2021-29977: Memory safety bugs fixed in Firefox 90

Mozilla developers Andrew McCreight, Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


Need to stabilize 78.12.0.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-22 05:33:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57b2b525563f1f8ad9a15e963cae3565e2ab4332

commit 57b2b525563f1f8ad9a15e963cae3565e2ab4332
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-22 05:32:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-22 05:33:48 +0000

    www-client/firefox-bin: drop vulnerable versions
    
     - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0
    
    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox-bin/Manifest                   | 485 ----------------------
 www-client/firefox-bin/firefox-bin-78.11.0.ebuild | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.1.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.2.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.ebuild    | 411 ------------------
 www-client/firefox-bin/firefox-bin-90.0.ebuild    | 417 -------------------
 6 files changed, 2546 deletions(-)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-23 17:56:46 UTC
x86 done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-23 17:58:07 UTC
amd64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 00:30:42 UTC
arm64 done

all arches done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-07-26 00:33:21 UTC
Please cleanup, thanks!
Comment 6 Larry the Git Cow gentoo-dev 2021-07-26 05:23:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e8c0b609a7a5247b6b75b63e1845aa50757c628

commit 5e8c0b609a7a5247b6b75b63e1845aa50757c628
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-26 05:22:28 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-26 05:23:30 +0000

    www-client/firefox: security cleanup
    
     - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1
    
    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  584 --------------
 www-client/firefox/firefox-78.11.0.ebuild | 1183 -----------------------------
 www-client/firefox/firefox-89.0.1.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.2.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.ebuild    | 1179 ----------------------------
 www-client/firefox/firefox-90.0.1.ebuild  | 1182 ----------------------------
 www-client/firefox/firefox-90.0.ebuild    | 1182 ----------------------------
 7 files changed, 7668 deletions(-)
Comment 7 NATTkA bot gentoo-dev 2021-08-24 13:20:31 UTC
Unable to check for sanity:

> no match for package: www-client/firefox-78.12.0
Comment 8 Joonas Niilola gentoo-dev 2021-12-13 06:37:12 UTC
These have been cleaned, but newer security bugs are open.
Comment 9 Larry the Git Cow gentoo-dev 2022-02-21 23:03:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=57effa1a78ecfa61900fdedbc9401d0948141e99

commit 57effa1a78ecfa61900fdedbc9401d0948141e99
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-02-21 22:59:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-02-21 22:59:29 +0000

    [ GLSA 202202-03 ] Mozilla Firefox: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/802768
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/813498
    Bug: https://bugs.gentoo.org/821385
    Bug: https://bugs.gentoo.org/828538
    Bug: https://bugs.gentoo.org/831039
    Bug: https://bugs.gentoo.org/832992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202202-03.xml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-02-21 23:05:41 UTC
GLSA released, all done!