Bug 165555 - www-client/(mozilla-firefox|seamonkey)-(bin)?,mail-client/thunderbird(-bin)?,dev-libs/nss: Security release (CVE-2006-6077,2007-000[89],077[5-9],0780,080[01],0981,0995,1004,1092)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.securiteam.com/securitynew...
Whiteboard: A2 [glsa] Falco
Keywords:
Duplicates: 166945
Depends on:
Blocks:
 
Reported: 2007-02-06 03:01 UTC by Executioner
Modified: 2007-06-24 23:56 UTC (History)
Description Executioner 2007-02-06 03:01:12 UTC
There is an interesting vulnerability in the default behavior of Firefox built-in popup blocker. This vulnerability, coupled with an additional trick, allows the attacker to read arbitrary user-accessible files on the system, and thus steal some fairly sensitive information.

Reproducible: Didn't try




http://www.securiteam.com/securitynews/5JP051FKKE.html
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-10 22:09:38 UTC
Thanks. AFAIK, there is no upstream fixed version yet.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-23 15:49:48 UTC
*** Bug 166945 has been marked as a duplicate of this bug. ***
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-23 20:06:35 UTC
http://www.mozilla.org/security/announce/

As usual, the CVE and vulnerable packages on the mozilla site are not exact and a little work must be done to sort the vulns.

The following packages have just been released and fix the vulnerabilities:

Firefox 2.0.0.2
Firefox 1.5.0.10
SeaMonkey 1.0.8
Thunderbird 1.5.0.10
NSS 3.11.5

CVE-2006-6077 mfsa2007-02 FF SM
CVE-2007-0008 mfsa2007-06(FF SM TB)NSS
CVE-2007-0009 mfsa2007-06(FF SM TB)NSS
CVE-2007-0775 mfsa2007-01 FF SM TB
CVE-2007-0776 mfsa2007-01 FF SM TB
CVE-2007-0777 mfsa2007-01 FF SM TB
CVE-2007-0778 mfsa2007-03 FF SM
CVE-2007-0779 mfsa2007-04 FF SM
CVE-2007-0780 mfsa2007-05 FF SM
CVE-2007-0800 mfsa2007-05 FF SM
CVE-2007-0801 mfsa2007-05 FF SM
CVE-2007-0981 mfsa2007-07 FF SM
CVE-2007-0995 mfsa2007-02 FF SM

You can note that CVE-2007-0801 is not covered by the mozilla announcement whereas it is fixed in mfsa2007-05 according to its text. Similarly, mfsa2007-06.html doesn't mention Thunderbird as vulnerable whereas it is.

I don't know if CVE-2007-1004 has been fixed, that's unclear.

The most severe vulns belong to NSS, SVG processing in FF2.0, and potential memory corruption in javascript.
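
The sorting step described in the comment above, as an added example that is not part of the original bug report: it turns the CVE / advisory / product rows into per-package CVE lists and flags CVEs from the bug title that have no advisory row. The package atoms come from the bug title; reading "(FF SM TB)NSS" as "NSS plus the applications that use it" is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Rows copied from the comment above: CVE, Mozilla advisory, affected products.
TABLE = """\
CVE-2006-6077 mfsa2007-02 FF SM
CVE-2007-0008 mfsa2007-06(FF SM TB)NSS
CVE-2007-0009 mfsa2007-06(FF SM TB)NSS
CVE-2007-0775 mfsa2007-01 FF SM TB
CVE-2007-0776 mfsa2007-01 FF SM TB
CVE-2007-0777 mfsa2007-01 FF SM TB
CVE-2007-0778 mfsa2007-03 FF SM
CVE-2007-0779 mfsa2007-04 FF SM
CVE-2007-0780 mfsa2007-05 FF SM
CVE-2007-0800 mfsa2007-05 FF SM
CVE-2007-0801 mfsa2007-05 FF SM
CVE-2007-0981 mfsa2007-07 FF SM
CVE-2007-0995 mfsa2007-02 FF SM
"""
# CVE pattern from the bug title, expanded by hand.
TITLE_CVES = ["CVE-2006-6077"] + ["CVE-2007-%04d" % n for n in
    (8, 9, 775, 776, 777, 778, 779, 780, 800, 801, 981, 995, 1004, 1092)]
# Abbreviation -> package atom as written in the bug title.
PACKAGES = {"FF": "www-client/mozilla-firefox", "SM": "www-client/seamonkey",
            "TB": "mail-client/thunderbird", "NSS": "dev-libs/nss"}

ROW = re.compile(r"^(CVE-\d{4}-\d{4,})\s+(mfsa\d{4}-\d{2})\s*(.*)$")
GROUPED = re.compile(r"\(([^)]*)\)\s*(\S+)$")

def parse_row(line):
    """Split one row into (cve, advisory, [product abbreviations])."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError("unparseable row: %r" % line)
    cve, mfsa, rest = m.groups()
    grouped = GROUPED.match(rest)
    # Assumption: "(FF SM TB)NSS" means NSS itself plus the applications using it.
    products = grouped.group(1).split() + [grouped.group(2)] if grouped else rest.split()
    if not products or any(p not in PACKAGES for p in products):
        raise ValueError("unknown or missing product in row: %r" % line)
    return cve, mfsa, products

def cves_by_package(table=TABLE):
    """Invert the table: package atom -> sorted list of CVEs affecting it."""
    out = defaultdict(set)
    for line in filter(str.strip, table.splitlines()):
        cve, _mfsa, products = parse_row(line)
        for abbr in products:
            out[PACKAGES[abbr]].add(cve)
    return {pkg: sorted(cves) for pkg, cves in out.items()}

def unmapped(table=TABLE, title_cves=TITLE_CVES):
    """CVEs tracked in the bug title that have no advisory row in the table."""
    mapped = {parse_row(l)[0] for l in table.splitlines() if l.strip()}
    return [c for c in title_cves if c not in mapped]

if __name__ == "__main__":
    for pkg, cves in sorted(cves_by_package().items()):
        print(pkg, len(cves), " ".join(cves))
    print("no advisory mapped yet:", unmapped())
```
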
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-02-24 00:22:58 UTC
www-client/mozilla-firefox[-bin]-{1.5.0.10,2.0.0.2} in the tree.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-24 08:57:01 UTC
Thanks Raul.

Hi, arches, please could you test and mark stable if appropriate:

www-client/mozilla-firefox-1.5.0.10 for all arches except Alpha;
www-client/mozilla-firefox-2.0.0.2 for all arches except Mips;

www-client/mozilla-firefox-bin-1.5.0.10 for amd64 and x86
www-client/mozilla-firefox-bin-2.0.0.2 for amd64 and x86

thanks
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-02-24 11:12:07 UTC
ppc64 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2007-02-24 11:19:41 UTC
x86 stable
Comment 8 Christoph Mende (RETIRED) gentoo-dev 2007-02-25 17:08:12 UTC
tested:
mozilla-firefox-1.5.0.10
mozilla-firefox-2.0.0.2
mozilla-firefox-bin-1.5.0.10
mozilla-firefox-bin-2.0.0.2

everything emerges fine and works

Portage 2.1.2-r9 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-ck1 x86_64)
=================================================================
System uname: 2.6.20-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Sun, 25 Feb 2007 12:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig builysyspkg ccache distlocks metadata-transfer parallel-fetch sandbox sfperms strict"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dri dvd dvdr dvdread eds emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick ipod jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd tiff truetype truetype-fonts type1-fonts unicode v4l v4l2 vim-with-x vorbis wmp xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 9 Jeroen Roovers gentoo-dev 2007-02-26 15:37:43 UTC
(In reply to comment #5)
> www-client/mozilla-firefox-1.5.0.10 for all arches except Alpha;
> www-client/mozilla-firefox-2.0.0.2 for all arches except Mips;

Stable for HPPA.
Comment 10 Jason Wever (RETIRED) gentoo-dev 2007-02-27 02:32:22 UTC
Stable on SPARC
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2007-02-27 12:45:20 UTC
amd64 stable, thanks Christoph
Comment 12 Simon Stelling (RETIRED) gentoo-dev 2007-02-27 12:46:28 UTC
Hum, still have to do seamonkey{,-bin} on amd64.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 13:45:02 UTC
update of the vulnerability list:

http://www.mozilla.org/security/announce/2007/mfsa2007-08.html
CVE-2007-1092 affects FF and SM.
(memory corruption)
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-27 13:48:37 UTC
(In reply to comment #12)
> Hum, still have to do seamonkey{,-bin} on amd64.
> 

Well, I don't know if seamonkey-1.1 is affected or not. It's rather old (>1 month ago) but it is not referenced in the MFSA.

CVE entries are still closed, only FF is released, we have no news for seamonkey-1.0.8 and TB-1.5.0.10 and 2.0.0.2, ... but some other distributions have issued updates for seamonkey and thunderbird, I don't know how!
Comment 15 Dawid Stawiarski 2007-02-28 12:47:09 UTC
SeaMonkey 1.0.8 and 1.1.1 have been released... (http://www.mozilla.org/projects/seamonkey/releases/)
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2007-02-28 19:45:35 UTC
ppc stable
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-02-28 20:26:01 UTC
Hi again arches, 

seamonkey[-bin] has just been put into portage.

-1.0.8 and -1.1.1 fix all the known vulnerabilities.

Please could you test and mark stable if appropriate:

seamonkey-1.1.1 in preference (1.0.8 otherwise)
seamonkey-bin-1.1.1 (there is no 1.0.8 in the tree) for AMD64+X86


and we're still waiting for alpha on mozilla-firefox, but don't worry since the GLSA is not ready yet :)
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2007-02-28 21:16:50 UTC
seamonkey[-bin] x86 stable
Comment 19 Christoph Mende (RETIRED) gentoo-dev 2007-02-28 21:22:17 UTC
seamonkey{,-bin} emerge and work fine on amd64

Portage 2.1.2-r9 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-ck1 x86_64)
=================================================================
System uname: 2.6.20-ck1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 28 Feb 2007 20:20:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 audiofile berkdb bitmap-fonts branding bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus divx dri dvd dvdr dvdread eds emboss encode fam ffmpeg firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv imagemagick ipod jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection rtc sdl session socks5 spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts unicode v4l v4l2 vim-with-x vorbis wmp xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS
Comment 20 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-02-28 23:13:35 UTC
mozilla-firefox-2.0.0.2 is stable on alpha.

Working on seamonkey now.
Comment 21 Dawid Stawiarski 2007-03-01 10:11:40 UTC
could you please bump Enigmail as well? "11/01/2007 Enigmail v0.94.2 has been released. A crash bug that could affect security has been fixed."
Comment 22 Simon Stelling (RETIRED) gentoo-dev 2007-03-01 12:46:43 UTC
amd64 stable
Comment 23 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-01 15:25:41 UTC
(In reply to comment #21)
> could you please bump Enigmail as well? "11/01/2007 Enigmail v0.94.2 has been
> released. A crash bug that could affect security has been fixed."
> 

Already bumped 2 weeks ago, see bug 166932. (and it is not the right place)

Since it's a client-side DoS, without any further information, we won't handle it as a security issue. Feel free to reopen bug 166932 if you can bring a clue of code injection or so.
Comment 24 Dawid Stawiarski 2007-03-01 22:38:19 UTC
Well, I see enigmail 0.94.2 is in portage, but SeaMonkey's 1.1.1 ebuild still uses 0.94.1 (with USE="crypt").
Comment 25 Jeroen Roovers gentoo-dev 2007-03-02 04:50:24 UTC
Stable for HPPA:
   =www-client/mozilla-firefox-1.5.0.10
   =www-client/mozilla-firefox-2.0.0.2
   =www-client/seamonkey-1.1.1 (killerfox)

Anything else?
Comment 26 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-02 22:33:02 UTC
Readding amd64, sparc and x86, as ebuild is ready and Falco busy torturing new recruits.

mozilla-thunderbird[-bin]-15.0.10 needs to go stable, too.
Comment 27 Raúl Porcel (RETIRED) gentoo-dev 2007-03-02 22:40:09 UTC
x86 stable!

See you when nss is released...
Comment 28 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-03 12:43:31 UTC
seamonkey also ppc stable
Comment 29 Steve Dibb (RETIRED) gentoo-dev 2007-03-03 15:59:23 UTC
(In reply to comment #26)
> Readding amd64, sparc and x86, as ebuild is ready and Falco busy torturing new
> recruits.
> 
> mozilla-thunderbird[-bin]-15.0.10 needs to go stable, too.
> 

amd64 done
Comment 30 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-03 18:47:43 UTC
seamonkey-1.1.1 stable on alpha. 

working on thunderbird
Comment 31 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-04 00:30:58 UTC
Firefox -> GLSA 200703-04
Comment 32 Jeroen Roovers gentoo-dev 2007-03-04 01:26:51 UTC
Wake me up for NSS.
Comment 33 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-03-05 21:00:22 UTC
thunderbird stable on alpha.

See you in the next round.

Comment 34 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-06 13:55:14 UTC
thunderbird sparc stable.
Comment 35 Raúl Porcel (RETIRED) gentoo-dev 2007-03-07 21:37:52 UTC
Hello again arches.

Please stabilize =dev-libs/nss-3.11.5. Please note that YOU NEED to stabilize =dev-libs/nspr-4.6.5-r1 first -> bug 169751

And this will be the last one :)

Thanks!

x86 stable
Comment 36 Markus Rothe (RETIRED) gentoo-dev 2007-03-08 08:14:23 UTC
ppc64 stable (nss-3.11.5)
Comment 37 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-08 14:07:47 UTC
sparc stable.
Comment 38 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-08 17:38:14 UTC
ppc stable
Comment 39 Steve Dibb (RETIRED) gentoo-dev 2007-03-08 22:16:12 UTC
(In reply to comment #35)
> Hello again arches.
> 
> Please stabilize =dev-libs/nss-3.11.5. Please note that YOU NEED to stabilize
> =dev-libs/nspr-4.6.5-r1 first -> bug 169751
> 
> And this will be the last one :)
> 
> Thanks!

amd64 stable

Comment 40 Dawid Stawiarski 2007-03-08 22:48:26 UTC
"06/03/2007 Important Security fix for Enigmail. A security bug detected by Core Security Technologies has been fixed in Enigmail v0.94.3."
Maybe now it's time to update SeaMonkey's ebuild, and bump EMVER to "0.94.3"?
Comment 41 Jeroen Roovers gentoo-dev 2007-03-09 02:28:15 UTC
=dev-libs/nss-3.11.5 stable for HPPA.
Comment 42 Raúl Porcel (RETIRED) gentoo-dev 2007-03-09 11:52:35 UTC
(In reply to comment #40)
> "06/03/2007 Important Security fix for Enigmail. A security bug detected by
> Core Security Technologies has been fixed in Enigmail v0.94.3."
> Maybe now it's time to update SeaMonkey's ebuild, and bump EMVER to "0.94.3"?
Our security team is working on that. 

And SeaMonkey will not get another version of Enigmail unless Enigmail standalone has the same keywords as SeaMonkey.

Anyway, this bug is not related to that security issue.

Comment 43 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-10 16:37:42 UTC
SeaMonkey -> GLSA 200703-08, thanks everybody
Comment 44 Bryan Østergaard (RETIRED) gentoo-dev 2007-03-11 01:01:00 UTC
Alpha + IA64 all done.
Comment 45 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-13 23:18:15 UTC
CCing back Alpha for stabilizing NSS-3.11.5, thanks.

Seamonkey and NSS GLSA in the draft pool.
Comment 46 Raúl Porcel (RETIRED) gentoo-dev 2007-03-14 11:43:31 UTC
(In reply to comment #45)
> CCing back Alpha for stabilizing NSS-3.11.5, thanks.
> 
> Seamonkey and NSS GLSA in the draft pool.
> 

Alpha and IA64 were stable, but I put it back to ~arch by mistake. Fixed now :)
Comment 47 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-18 22:03:25 UTC
thunderbird -> GLSA 200701-18
Comment 48 Raúl Porcel (RETIRED) gentoo-dev 2007-03-21 18:46:04 UTC
ppc, you need to stabilize mozilla-thunderbird-1.5.0.10.

Thanks.
Comment 49 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-23 16:15:17 UTC
(In reply to comment #48)
> ppc, you need to stabilize mozilla-thunderbird-1.5.0.10.
> 
> Thanks.
> 

ppc stable
Comment 50 Sune Kloppenborg Jeppesen gentoo-dev 2007-03-25 07:50:54 UTC
GLSA 200703-22