
Bug 813498 (CVE-2021-38491)

Summary: <www-client/firefox-{78.15.0,93.0} <www-client/firefox-bin-{78.15.0,93.0}: multiple vulnerabilities
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: mattemod, mozilla
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 814605
Bug Blocks: 813495

Comment 1 Aditya Som 2021-09-24 08:20:28 UTC
What is happening? Why is this CVE not tended to after so long? I don't understand why Firefox is treated as a second-class citizen when it comes to CVE-related stabilization in Gentoo. Also, the 91.x ebuilds are not updated in line with upstream. It has been released for over a month, and yet is not bumped as a stable candidate along with 78.x (till it reaches EOL next month).
Comment 2 Esteve Varela Colominas 2021-09-24 13:37:25 UTC
I don't get the feeling firefox CVEs are second-class citizens when they usually take three days to a week at worst to be stabilized. That said, CVEs are fixed with literally every new release, so it's not completely unwarranted to snooze on the hundredth batch of bugs for once.

As for the next ESR, this happens every year - maintaining firefox ebuilds is a ton of work, and the maintainers prefer avoiding having to juggle two ESRs. So it's usually delayed until the last ESR goes EOL and/or all of the dependent packages are stabilized. Sometimes it even takes a tiny bit longer.

Please practice some patience, and consider manually unmasking the packages if the security issues really concern you.
Comment 3 John Helmert III gentoo-dev Security 2021-09-24 14:24:20 UTC
So, with security bugs we can usually wait until all fixed branches of a software are in the tree before stabilizing, but we also don't aggressively check older bugs for situations like these due to the high amount of manual checking, manpower, tooling etc. involved. Maintainers usually have fixed versions in the tree quicker than this, but in this case I'll go ahead and file a stablereq for 78.14 (without moving anything around in this bug since we're still waiting on the other branch).

Sorry about this.
Comment 4 John Helmert III gentoo-dev Security 2021-10-06 18:47:10 UTC
Now need bumps to 78.15, 91.2, and 93. Holding off on assigning CVEs to this bug since Thunderbird advisories usually share CVEs and come out later.

https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/
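The practical question for an administrator reading this bug is whether an installed firefox or firefox-bin falls inside the affected ranges given in the bug summary ("<78.15.0" for the 78 ESR branch, "<93.0" for everything newer). The script below is an added example, not Gentoo or Portage code: it implements a deliberately simplified version comparison (dotted numerics plus an optional -rN revision; letter suffixes and _rc/_pre style suffixes are an unhandled assumption, where Portage's real vercmp would be needed), applies the summary's two fixed versions, and runs over a constructed list of installed atoms. Note that it follows the summary literally, so the 91.2 ESR bump mentioned in comment 4 is not treated as a fixed version here.

```python
import re

# Fixed versions taken from the bug summary: <www-client/firefox-{78.15.0,93.0}.
# Anything at or below the 78 branch must be >= 78.15.0; anything newer must be >= 93.0.
FIXED_ESR78 = "78.15.0"
FIXED_MAIN = "93.0"

# Simplified Gentoo version grammar (assumption): N[.N...][-rN] only.
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# Installed-package lines as printed by e.g. `qlist -Iv` (constructed for the example).
_ATOM_RE = re.compile(r"^(www-client/firefox(?:-bin)?)-(\d[\w.]*(?:-r\d+)?)$")


def parse_version(ver):
    """Turn '92.0-r1' into ((92, 0), 1); raise on anything outside the simplified grammar."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    rev = int(m.group(2) or 0)
    return nums, rev


def version_lt(a, b):
    """True if version a sorts strictly before b; pads with zeros so 93 == 93.0."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def is_affected(installed):
    """Apply the bug summary's ranges: <78.15.0 on the 78 (or older) branch, <93.0 above it."""
    major = parse_version(installed)[0][0]
    if major <= 78:
        return version_lt(installed, FIXED_ESR78)
    return version_lt(installed, FIXED_MAIN)


def scan_installed(lines):
    """Return (package, version, affected) for every firefox/firefox-bin atom in the input."""
    results = []
    for line in lines:
        m = _ATOM_RE.match(line.strip())
        if not m:
            continue  # not a Firefox package; ignore other atoms in the listing
        pkg, ver = m.group(1), m.group(2)
        results.append((pkg, ver, is_affected(ver)))
    return results


# Constructed sample of an installed-package listing; not real system output.
SAMPLE_LISTING = [
    "www-client/firefox-91.0.2",
    "www-client/firefox-bin-78.14.0",
    "www-client/firefox-93.0",
    "app-editors/vim-8.2.3428",
]

if __name__ == "__main__":
    for pkg, ver, affected in scan_installed(SAMPLE_LISTING):
        status = "AFFECTED" if affected else "ok"
        print(f"{pkg}-{ver}: {status}")
```

To use it against a real system, feed the output of `qlist -Iv` (from app-portage/portage-utils) to scan_installed; any line reported as AFFECTED should be upgraded to the fixed version of its branch before the GLSA lands.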
Comment 5 Larry the Git Cow gentoo-dev 2021-10-07 11:15:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=373735ff5114385dbb5ebee7d0116bd5ab2dabce

commit 373735ff5114385dbb5ebee7d0116bd5ab2dabce
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-10-07 11:13:18 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-10-07 11:13:18 +0000

    www-client/firefox-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/813498
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox-bin/Manifest                   | 582 ----------------------
 www-client/firefox-bin/firefox-bin-78.13.0.ebuild | 418 ----------------
 www-client/firefox-bin/firefox-bin-78.14.0.ebuild | 418 ----------------
 www-client/firefox-bin/firefox-bin-91.0.1.ebuild  | 384 --------------
 www-client/firefox-bin/firefox-bin-91.0.2.ebuild  | 384 --------------
 www-client/firefox-bin/firefox-bin-92.0-r1.ebuild | 383 --------------
 www-client/firefox-bin/firefox-bin-92.0.1.ebuild  | 383 --------------
 7 files changed, 2952 deletions(-)
Comment 6 Larry the Git Cow gentoo-dev 2021-10-09 07:10:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=18170dab3692674737a3643bb2f7907321272291

commit 18170dab3692674737a3643bb2f7907321272291
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-10-09 07:09:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-10-09 07:09:59 +0000

    www-client/firefox: security cleanup
    
    Bug: https://bugs.gentoo.org/813498
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  589 --------------
 www-client/firefox/firefox-78.13.0.ebuild | 1187 -----------------------------
 www-client/firefox/firefox-78.14.0.ebuild | 1187 -----------------------------
 www-client/firefox/firefox-91.0.1.ebuild  | 1149 ----------------------------
 www-client/firefox/firefox-91.0.2.ebuild  | 1149 ----------------------------
 www-client/firefox/firefox-92.0.1.ebuild  | 1148 ----------------------------
 www-client/firefox/firefox-92.0.ebuild    | 1148 ----------------------------
 7 files changed, 7557 deletions(-)
Comment 7 Benn Snyder 2021-10-09 15:30:34 UTC
But... I specifically stayed on 0/91 so I could have a smooth upgrade path to esr91 when it arrives.  Now I would have to either

- downgrade to esr78 then back up to esr91
- upgrade to 0/93 then back down to esr91

Neither of these sounds particularly good.  Why remove 0/91 when it's going to be the next ESR?
Comment 8 Joonas Niilola gentoo-dev 2021-10-09 17:48:47 UTC
My understanding is that 91-non-ESR and 91-ESR have diverged their development paths already before release. So in that regard they should be as compatible as 93 -> 91esr will be.
Comment 9 John Helmert III gentoo-dev Security 2021-10-09 19:53:39 UTC
Thanks juippis!
Comment 10 Benn Snyder 2021-10-10 20:48:43 UTC
(In reply to Joonas Niilola from comment #8)
> My understanding is that 91-non-ESR and 91-ESR have diverged their
> development paths already before release. So in that regard they should be
> as compatible as 93 -> 91esr will be.

Thanks for the explanation - I will move to 93 until the next ESR arrives.
Comment 11 Joonas Niilola gentoo-dev 2021-12-13 06:36:18 UTC
These have been cleaned, but newer security bugs are open.
Comment 12 Larry the Git Cow gentoo-dev 2022-02-21 23:03:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=57effa1a78ecfa61900fdedbc9401d0948141e99

commit 57effa1a78ecfa61900fdedbc9401d0948141e99
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-02-21 22:59:29 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-02-21 22:59:29 +0000

    [ GLSA 202202-03 ] Mozilla Firefox: Multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/802768
    Bug: https://bugs.gentoo.org/807947
    Bug: https://bugs.gentoo.org/813498
    Bug: https://bugs.gentoo.org/821385
    Bug: https://bugs.gentoo.org/828538
    Bug: https://bugs.gentoo.org/831039
    Bug: https://bugs.gentoo.org/832992
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202202-03.xml | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 141 insertions(+)
Comment 13 John Helmert III gentoo-dev Security 2022-02-21 23:05:42 UTC
GLSA released, all done!