Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 83267

Summary: net-www/mozilla-firefox*: 1.0.1 release includes security fixes
Product: Gentoo Security Reporter: Thierry Carrez (RETIRED) <koon>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: aarni.honka, formula7, jaervosz, mozilla, muchar, taviso, wolf31o2
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard: A3 [glsa] koon
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 00:44:38 UTC
Creating this bug as a metabug for all vulnerabilities fixed in the latest Mozilla releases, we will mark other Mozilla vulnerability bugs as dupes of this one as soon as we confirm they are fixed in these.

Currently out : Firefox 1.0.1
Mozilla team : please provide ebuilds for FF 1.0.1
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 00:53:32 UTC
Bugs that /should/ be fixed are :

Bug 73870 : Window Injection Vulnerability
Bug 76616 : Download Dialog Source Spoofing
Bug 81307 : Dragging Multiple vulnerabilities
Bug 81011 : Local users can delete the files of mozilla users
Bug 81113 : IDN Spoofing Security Issue (CAN-2005-0233)

Mozilla known vulnerabilities page is still not updated.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:30:43 UTC
Fixed in Firefox 1.0.1 :

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing (Gentoo bug 81113)
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files (Gentoo bug 81011)
MFSA 2005-27 Plugins can be used to load privileged content (CAN-2005-0527) (Gentoo bug 81307)
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab (Gentoo bug 81307)
MFSA 2005-25 Image drag and drop executable spoofing (Gentoo bug 81307)
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing (Gentoo bug 76616)
MFSA 2005-22 Download dialog spoofing using Content-Disposition header
MFSA 2005-21 Overwrite arbitrary files downloading .lnk twice
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-19 Autocomplete data leak
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows (Gentoo bug 81307)
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing (CAN-2004-1156) (Gentoo bug 73870)
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:31:36 UTC
*** Bug 73870 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:31:49 UTC
*** Bug 76616 has been marked as a duplicate of this bug. ***
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:32:06 UTC
*** Bug 81307 has been marked as a duplicate of this bug. ***
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:32:23 UTC
*** Bug 81011 has been marked as a duplicate of this bug. ***
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-02-25 08:32:41 UTC
*** Bug 81113 has been marked as a duplicate of this bug. ***
Comment 8 Brad Laue (RETIRED) gentoo-dev 2005-02-26 00:29:30 UTC
FF 1.0.1 now in CVS.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 03:10:50 UTC
Arches, please test and mark FireFox 1.0.1 stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-28 10:20:29 UTC
firefox-1.0.1 stable on sparc.
Keeping us in the bug waiting for tb 1.0.1 & moz 1.7.6 ebuilds.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 11:25:56 UTC
*** Bug 83567 has been marked as a duplicate of this bug. ***
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 11:27:36 UTC
MFSA 2005-18 is CAN-2005-0255, credit:Ga
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 11:27:36 UTC
MFSA 2005-18 is CAN-2005-0255, credit:Gaƫl Delalleau (Gentoo bug 83567)
Comment 14 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-28 14:19:00 UTC
Stable on ppc.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-03-01 09:09:03 UTC
*** Bug 83696 has been marked as a duplicate of this bug. ***
Comment 16 Jannick Kuhr 2005-03-02 11:17:04 UTC
Shouldn't mozilla-firefox-bin be also marked stable?
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 11:49:09 UTC
Good point... I was still hoping Mozilla 1.7.6 would go out soon but we should probably go ahead anyway.

amd64, x86: please test and mark mozilla-firefox-bin-1.0.1 stable.
Comment 18 Simon Stelling (RETIRED) gentoo-dev 2005-03-02 12:28:46 UTC
firefox-bin and firefox are stable on amd64, waiting for another amd64-dev to test mozilla and thunderbird
Comment 19 Ian Leitch (RETIRED) gentoo-dev 2005-03-03 05:39:22 UTC
firefox and -bin are both stable on x86 (marked by Chris White and Brad Laue respectivley) 
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2005-03-03 06:55:34 UTC
Anyone has a clue of when Moz 1.7.6 and TB 1.0.1 will be out ? I need to know if we should release GLSA now or wait for the others...
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2005-03-04 04:38:12 UTC
Creating separate bugs for Mozilla Suite and Thunderbird issues, since they apparently won't be out very soon.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-03-04 04:48:39 UTC
Extra CANs (http://secunia.com/advisories/14407/):

MFSA 2005-28 --> CAN-2005-0578
MFSA 2005-24 --> CAN-2005-0584
MFSA 2005-20 --> CAN-2005-0588
MFSA 2005-19 --> CAN-2005-0589
MFSA 2005-17 --> CAN-2005-0590
MFSA 2005-15 --> CAN-2005-0592
MFSA 2005-14 --> CAN-2005-0593
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2005-03-04 09:13:42 UTC
GLSA 200503-10
arm: please mark stable to benefit from GLSA