Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 185737 - www-client/(mozilla-firefox|seamonkey)(-bin),mail-client/thunderbird(-bin),net-libs/xulrunner: Security release (CVE-2007-3089,3285,3656,3670,373[45678])
Summary: www-client/(mozilla-firefox|seamonkey)(-bin),mail-client/thunderbird(-bin),ne...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa]
Keywords:
: 185739 186003 186005 (view as bug list)
Depends on:
Blocks: CVE-2007-3073
  Show dependency tree
 
Reported: 2007-07-18 08:28 UTC by Timo Boettcher
Modified: 2020-04-02 21:47 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Timo Boettcher 2007-07-18 08:28:31 UTC
firefox-2.0.0.5 is released, containing security-relevant fixes
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-07-18 08:28:49 UTC
*** Bug 185739 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-07-18 08:32:04 UTC
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.5

Fixed in Firefox 2.0.0.5

MFSA 2007-25 XPCNativeWrapper pollution
MFSA 2007-24 Unauthorized access to wyciwyg:// documents
MFSA 2007-23 Remote code execution by launching Firefox from Internet Explorer
MFSA 2007-22 File type confusion due to %00 in name
MFSA 2007-21 Privilege escallation using an event handler attached to an element not in the document
MFSA 2007-20 Frame spoofing while window is loading
MFSA 2007-19 XSS using addEventListener and setTimeout
MFSA 2007-18 Crashes with evidence of memory corruption
Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-18 09:21:34 UTC
thanks for the report Timo.
Mozilla, please advise and bump as necessary.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2007-07-18 18:03:29 UTC
This affects mozilla-thunderbird and too. No idea if it affects seamonkey or xulrunner, at least the advisories doesn't say that.

I guess it affects xulrunner too, unless the bugs fixed are on the program itself and not the codebase.

mozilla-firefox[-bin]-2.0.0.5 in the tree, we'll have to wait until they release the other apps.
Comment 5 boxcars 2007-07-18 20:17:10 UTC
(In reply to comment #4)
> This affects mozilla-thunderbird and too. No idea if it affects seamonkey or
> xulrunner, at least the advisories doesn't say that.

Robert Kaiser has confirmed that some of the security issues do affect seamonkey (though MFSA 2007-23 doesn't).  The seamonkey folks were caught a bit off-guard when fx 2.0.0.5 was rushed out, and Kaiser says they'll release seamonkey 1.1.3 as soon as they can.

http://groups.google.com/group/mozilla.support.seamonkey/browse_thread/thread/0871c8f8259be11a
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2007-07-20 10:27:35 UTC
seamonkey-1.1.3 compiles fine with the current gentoo patchset. So the bump should be no big problem...
Comment 7 Lars Wendler (Polynomial-C) gentoo-dev 2007-07-20 14:54:35 UTC
By the way:

# grep HOMEPAGE /usr/portage/www-client/seamonkey/*.ebuild
HOMEPAGE="http://www.mozilla.org"
#

This should be changed either in http://www.mozilla.org/projects/seamonkey/ or http://www.seamonkey-project.org (which redirects to the former URL).
Comment 8 Mark Trolley 2007-07-20 15:33:04 UTC
*** Bug 186005 has been marked as a duplicate of this bug. ***
Comment 9 Mark Trolley 2007-07-20 15:33:09 UTC
*** Bug 186003 has been marked as a duplicate of this bug. ***
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2007-07-20 16:54:49 UTC
mail-client/mozilla-thunderbird[-bin]-2.0.0.5 and
www-client/seamonkey[-bin]-1.1.3, in the tree.

xulrunner will have to wait
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-07-20 19:54:20 UTC
net-libs/xulrunner-1.8.1.5 in the tree
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-07-23 10:33:53 UTC
Arches please do:

mail-client/mozilla-thunderbird[-bin]-2.0.0.5
www-client/seamonkey[-bin]-1.1.3
net-libs/xulrunner-1.8.1.5
mozilla-firefox[-bin]-2.0.0.5

Thanks
Comment 13 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-24 15:45:53 UTC
sparc stable.
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-24 18:37:49 UTC
(In reply to comment #12)
> Arches please do:
> 
> mail-client/mozilla-thunderbird[-bin]-2.0.0.5

Not keyworded for HPPA.

> www-client/seamonkey[-bin]-1.1.3
> net-libs/xulrunner-1.8.1.5
> mozilla-firefox[-bin]-2.0.0.5

All three (not www-client/seamonkey-bin) stable for HPPA, but HPPA users should take note of bug #180870 - sadly, GNOME's Epiphany (www-client/epiphany) will work built against either mozilla-firefox or xulrunner, but neither seamonkey nor mozilla-firefox will run "on their own".
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2007-07-25 05:20:10 UTC
stable on ppc64:

mail-client/mozilla-thunderbird[-bin]-2.0.0.5
www-client/seamonkey[-bin]-1.1.3
mozilla-firefox[-bin]-2.0.0.5


no stable keyword at all for ppc64:

net-libs/xulrunner-1.8.1.5
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-27 17:28:37 UTC
ppc stable.
Comment 17 Jonas Pedersen 2007-07-28 17:28:13 UTC
www-client/mozilla-firefox-bin-2.0.0.5  USE="-restrict-javascript"
www-client/mozilla-firefox-2.0.0.5  USE="ipv6 java -bindist -debug -filepicker -gnome -mozdevelop -moznopango -restrict-javascript -xforms -xinerama -xprint"

mail-client/mozilla-thunderbird-2.0.0.5  USE="crypt ipv6 -bindist -debug -gnome -ldap -mozdom -moznopango -replytolist -xinerama -xprint"
mail-client/mozilla-thunderbird-bin-2.0.0.5
x11-plugins/enigmail-0.95.1

www-client/seamonkey-bin-1.1.3 
www-client/seamonkey-1.1.3  USE="crypt ipv6 java -debug -gnome -ldap -mozdevelop -moznocompose -moznoirc -moznomail -moznopango -moznoroaming -postgres -xforms -xinerama -xprint"

1. All packages emerge on AMD64. 
2. No collisions etc. 
3. Works. 

mail-client/mozilla-thunderbird-2.0.0.5 with crypt use-flag needs x11-plugins/enigmail-0.95.1 stabilized as well. x11-plugins/enigmail-0.95.1 is stable on all other arches that have a stable enigmail. x11-plugins/enigmail-0.95.1 have been in the tree for more than a month and none of the enigmail bugs are related to 0.95.1. Suggest we mark all 7 packages stable on AMD64. 

Portage 2.1.2.9 (default-linux/amd64/2006.1/desktop, gcc-4.1.2, glibc-2.5-r4, 2.6.20-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r8 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Fri, 27 Jul 2007 21:50:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=nocona -O2 -msse3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distcc distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.du.se/pub/os/gentoo http://trumpetti.atm.tut.fi/gentoo/ http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://ds.thn.htu.se/linux/gentoo"
LC_ALL="en_DK.utf8"
LINGUAS="da en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi aiglx alsa amd64 arts atk berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dga directfb dri dts dvd dvdr dvdread eds emboss encode fam fbcn ffmpeg firefox fortran ftp gd gdbm gif gphoto2 gpm gstreamer gtk gtk2 hal iconv icq ieee1394 ipv6 isdnlog java jpeg kde libg++ lm_sensors mad midi mikmod mjpeg mozilla mp3 mpeg mplayer msn mudflap ncurses nls nptl nptlonly ogg oggvorbis opengl openmp pam pcre pda pdf perl png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl session spell spl sse3 ssl tcpd test threads tiff truetype truetype-fonts type1-fonts unicode vorbis xcomposite xml xorg xscreensaver xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="da en" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 18 Steve Dibb (RETIRED) gentoo-dev 2007-07-28 18:18:20 UTC
amd64 stable, thanks Jonas
Comment 19 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-07-31 07:44:11 UTC
Calling a vote despite the policy cause we also have bug 187205, and since we're already late with others glsas, maybe we should combine this one with the other bug.
Any opinions on this?
Comment 20 Matt Drew (RETIRED) gentoo-dev 2007-08-05 10:38:16 UTC
I vote yes for a combined GLSA that points people to 2.0.0.6 - no reason at this point to work with 2.0.0.5 any more.
Comment 21 Matt Drew (RETIRED) gentoo-dev 2007-08-05 10:43:28 UTC
submitted the combined request.
Comment 22 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-14 23:35:35 UTC
Combined GLSA 200708-09 with bug 187205, thanks everybody