Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 154434 - www-client/mozilla-firefox[-bin]: security bump to 1.5.0.8
Summary: www-client/mozilla-firefox[-bin]: security bump to 1.5.0.8
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/annou...
Whiteboard: A2 [glsa]
Keywords:
: 154732 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-11-08 01:12 UTC by Dax
Modified: 2019-12-30 12:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Dax 2006-11-08 01:12:46 UTC
3 vulnerabilities fixed in firefox 1.5.0.8


http://www.mozilla.org/security/announce/2006/mfsa2006-67.html
Mozilla Foundation Security Advisory 2006-67
Title: Running Script can be recompiled
Impact: Critical
Announced: November 7, 2006
Reporter: shutdown
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
shutdown demonstrated that it was possible to modify a Script object while it was executing, potentially leading to the execution of arbitrary JavaScript bytecode.

Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from enabling JavaScript in mail.
Workaround
Disable JavaScript until you can upgrade to a fixed version. Do not enable JavaScript in mail clients such as Thunderbird.
http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
Mozilla Foundation Security Advisory 2006-66
Title: RSA Signature Forgery (variant)
Impact: Critical
Announced: November 7, 2006
Reporter: Ulrich Kuehn
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
MFSA 2006-60 reported that RSA digital signatures with a low exponent (typically 3) could be forged. This flaw was corrected in the Mozilla Network Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current development versions of Mozilla clients.

Ulrich Kuehn reported that Firefox 1.5.0.7, which incorporated NSS version 3.10.2, was incompletely patched and remained vulnerable to a variant of this attack.
Workaround
None, upgrade to a fixed version.

http://www.mozilla.org/security/announce/2006/mfsa2006-65.html

Mozilla Foundation Security Advisory 2006-64
Title: Crashes with evidence of memory corruption (rv:1.8.0.8)
Impact: Critical
Announced: November 7, 2006
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the stability of the product. Some of these were crashes that showed evidence of memory corruption and we presume that at least some of these could be exploited to run arbitrary code with enough effort.

Note: Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript, such as large images or plugin data.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the mail portions of SeaMonkey.
References

Jesse Ruderman and Martijn Wargers reported crashes in the layout engine
https://bugzilla.mozilla.org/show_bug.cgi?id=307809
https://bugzilla.mozilla.org/show_bug.cgi?id=310267
https://bugzilla.mozilla.org/show_bug.cgi?id=350370
https://bugzilla.mozilla.org/show_bug.cgi?id=351328
CVE-2006-5464

shutdown demonstrated that a crash in XML.prototype.hasOwnProperty was exploitable
https://bugzilla.mozilla.org/show_bug.cgi?id=355569
CVE-2006-5747

Igor Bukanov and Jesse Ruderman reported potential memory corruption in the JavaScript engine
https://bugzilla.mozilla.org/show_bug.cgi?id=349527
https://bugzilla.mozilla.org/show_bug.cgi?id=351973
https://bugzilla.mozilla.org/show_bug.cgi?id=353165
https://bugzilla.mozilla.org/show_bug.cgi?id=354145
https://bugzilla.mozilla.org/show_bug.cgi?id=354151
https://bugzilla.mozilla.org/show_bug.cgi?id=350238
https://bugzilla.mozilla.org/show_bug.cgi?id=351116
https://bugzilla.mozilla.org/show_bug.cgi?id=352271
https://bugzilla.mozilla.org/show_bug.cgi?id=352606
https://bugzilla.mozilla.org/show_bug.cgi?id=354924
CVE-2006-5748

    * Site Map
    * Security Updates
    * Contact Us


rgds
Daxomatic
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-11-08 02:14:50 UTC
Total agony is upon me once more.
Comment 2 Gergan Penkov 2006-11-08 08:05:17 UTC
at least this one is not relevant for gentoo:
MFSA 2006-60 reported that RSA digital signatures with a low exponent
(typically 3) could be forged. This flaw was corrected in the Mozilla Network
Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current
development versions of Mozilla clients.

Ulrich Kuehn reported that Firefox 1.5.0.7, which incorporated NSS version
3.10.2, was incompletely patched and remained vulnerable to a variant of this
attack.
Workaround
None, upgrade to a fixed version.
:)
Comment 3 Dax 2006-11-08 10:59:35 UTC
Mozilla team, Please advice.

br Daxomatic
Comment 4 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-08 13:46:14 UTC
Bumped in cvs (both source and bin).
Comment 5 Dax 2006-11-09 04:00:31 UTC
hi,
Arches, please test & mark stable.
for mozilla-firefox as well for mozilla-firefox-bin please
rgds
Daxomatic
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-09 07:34:29 UTC
ppc stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2006-11-09 10:26:32 UTC
In x86:

Works fine.

Portage 2.1.1-r1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r2 i686)
=================================================================
System uname: 2.6.18-gentoo-r2 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.12.6
Last Sync: Thu, 09 Nov 2006 16:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.belnet.be/packages/gentoo-portage"
USE="x86 X bitmap-fonts bzip2 cairo cdr cli cracklib crypt dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gpm gstreamer gtk hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse isdnlog jpeg kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 8 Alex Maclean 2006-11-09 12:54:57 UTC
mozilla-firefox-1.5.0.8, mozilla-firefox-bin-1.5.0.8, on x86:

1) emerge fine
2) mozilla-firefox-1.5.0.8: dodoc: LEGAL does not exist
3) pass collision tests
4) work

Portage 2.1.1-r1 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.4-r4, 2.6.18-gentoo-r1 i686)
=================================================================
System uname: 2.6.18-gentoo-r1 i686 AMD Athlon(tm) MP 2400+
Gentoo Base System version 1.12.6
Last Sync: Thu, 09 Nov 2006 19:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-mp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=athlon-mp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="http://gentoo.blueyonder.co.uk"
LINGUAS="en en_GB"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d aac acpi alsa amr apache2 audacious avi bash-completion beagle berkdb bitmap-fonts bittorrent browserplugin bzip2 cairo ccache cdparanoia cdr cdrom chardet clamav clamd cli cpudetection crypt cups curl curlwrappers cursors customlog dbus dga divx dlloader dpms dri dvd dvdr dvdread dvi eds elf elibc_glibc encode esd ethereal exif expat extensions extrafilters fam fame ffmpeg finger firefox flac flash flatfile font-server fontconfig foomaticdb fortran freetts gaim gajim gd gdbm gdm geoip gif gimp gimpprint gmail gmailtimestamps gmedia gnome gnome-print gnutls gstreamer gstreamer010 gtk gtk2 gtkhtml gtkspell guile gvim hal hddtemp html httpd icons id3 imagemagick imlib imlib2 input_devices_keyboard input_devices_mouse jabber joystick jpeg kde kdm kernel_linux lame lcms libcaca libclamav libg++ libnotify libwww lighttpd linguas_en linguas_en_GB lm_sensors lzo lzw mad mikmod mjpeg mmx mmxext mng mono motif moznocompose moznoirc moznomail mozsvg mp3 mp4 mpeg mplayer msn musepack nautilus ncurses network new-login nfs nls no-old-linux no-seamonkey no-suexec nogecko-sdk nogg noplugin nptl nptlonly nsplugin nvidia offensive ogg oggvorbis openal opendoc opengl openssl opensslcrypt pam pam_chroot panel-plugin pango pcre pdflib perl png pop pppd pulseaudio python qt qt3 quicktime rar rdesktop readline real realmedia reflection rtc ruby samba sdl sensord session sftp sftplogging smtp sox speex spell spl sqlite sqlite3 sse sse-filters sse2 ssl startup-notification subversion svg svgz swat sysfs syslog taglib tagwriting tcl tcltk tcpd test tga theora threads thunar-vfs tidy tiff tk tools tos transcode truetype truetype-fonts type1-fonts udev uk_bleb uk_rt underscores unicode unzip usb userland_GNU video_cards_nv video_cards_nvidia vim vim-pager vim-with-x virus-scan vorbis win32codecs wma wmp wordperfect wv wxgtk1 wxwindows x264 xanim xchat xchattext xcomposite xext xine xinerama xinetd xml xmlreader xmlwriter xorg xosd xprint xrandr xscreensaver xsettings xv xvid xvmc zip zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-09 13:32:25 UTC
x86 is on fire
Comment 10 Christoph Mende (RETIRED) gentoo-dev 2006-11-09 15:12:15 UTC
both, firefox and firefox-bin emerge fine and work on amd64

Portage 2.1.2_rc1-r5 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-ck1-r1 x86_64)
=================================================================
System uname: 2.6.18-ck1-r1 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.12.6
Last Sync: Thu, 09 Nov 2006 19:20:01 +0000
ccache version 2.3 [enabled]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi alsa amr audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dlloader dri dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox fortran gdbm gif glut gpm gstreamer gtk gtk2 hal iconv imagemagick input_devices_evdev input_devices_keyboard ipod isdnlog jpeg kernel_linux ldap libg++ lirc lirc_devices_inputlirc logrotate mad mikmod mng mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts udev unicode userland_GNU userlocales v4l v4l2 video_cards_fglrx video_cards_radeon vim-with-x vorbis wmp xinerama xml xorg xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2006-11-10 01:24:24 UTC
amd64 both marked stable lolz
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2006-11-10 05:04:58 UTC
sparc stable.
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2006-11-10 14:07:55 UTC
*** Bug 154732 has been marked as a duplicate of this bug. ***
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-14 13:27:55 UTC
Alpha doesn't have any 1.5 versions keyworded.
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-14 21:37:15 UTC
Stable for HPPA.
Comment 16 Jory A. Pratt 2006-11-19 06:54:52 UTC
Redhatter has been made aware and states "Hrmm... I think I'll be doing the Firefox build on the octane." Once that is complete this bug is closed :)
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-11-20 22:11:30 UTC
This one is ready for GLSA.
Comment 18 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2006-11-21 06:13:18 UTC
Shouldn't we also include CVE-2006-5748 and CVE-2006-5747?  They affect the same versions, and are related.
Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 11:15:01 UTC
GLSA 200612-07