Bug 257577 (CVE-2009-0352) - <www-client/mozilla-firefox-3.0.6, <mail-client/mozilla-thunderbird-2.0.0.21, <www-client/seamonkey-1.1.5 memory corruption (CVE-2009-{0352,0353,0354,0355,0356,0357,0358,2535})
Summary: <www-client/mozilla-firefox-3.0.6, <mail-client/mozilla-thunderbird-2.0.0.21,...
Status: RESOLVED FIXED
Alias: CVE-2009-0352
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/known...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 257630
Depends on:
Blocks: CVE-2008-2419 CVE-2009-0071 CVE-2009-0253
Reported: 2009-02-04 09:52 UTC by Stefan Behte (RETIRED)
Modified: 2013-01-08 01:02 UTC

See Also:
Package list:
Runtime testing required: ---


Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-04 09:52:24 UTC
From the advisory

Title: Crashes with evidence of memory corruption (rv:1.9.0.6)
Impact: Critical
Announced: February 3, 2009
Reporter: Mozilla developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.6
  Thunderbird 2.0.0.21
  SeaMonkey 1.1.15

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-04 09:53:48 UTC
Firefox 3.0.6 is available, please provide an ebuild, also because of 255687, 255234 and 256131.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-02-04 16:11:43 UTC
*** Bug 257630 has been marked as a duplicate of this bug. ***
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2009-02-04 19:51:17 UTC
www-client/mozilla-firefox-3.0.6:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 x86
www-client/mozilla-firefox-bin-3.0.6:
Arches: amd64 x86

net-libs/xulrunner-1.9.0.6:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 x86

This also needs =dev-libs/nss-3.12.2 stable.

I don't see a seamonkey release planned, and thunderbird will come out in March. Proceed as you wish.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-04 22:19:44 UTC
CVE-2009-0352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0352):
  Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before
  3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via vectors
  related to the layout engine and destruction of arbitrary layout
  objects by the nsViewManager::Composite function.

CVE-2009-0353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0353):
  Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6,
  Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via vectors
  related to the JavaScript engine.

CVE-2009-0354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0354):
  Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x
  before 3.0.6 allows remote attackers to bypass the Same Origin
  Policy, and access the properties of an arbitrary window and conduct
  cross-site scripting (XSS) attacks, via vectors involving a chrome
  XBL method and the window.eval function.

CVE-2009-0355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0355):
  components/sessionstore/src/nsSessionStore.js in Mozilla Firefox
  before 3.0.6 does not block changes of INPUT elements to type="file"
  during tab restoration, which allows user-assisted remote attackers
  to read arbitrary files on a client machine via a crafted INPUT
  element.

CVE-2009-0356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0356):
  Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the
  (1) about:plugins and (2) about:config URIs from .desktop files,
  which allows user-assisted remote attackers to bypass the Same Origin
  Policy and execute arbitrary code with chrome privileges via vectors
  involving the URL field in a Desktop Entry section of a .desktop
  file, related to representation of about: URIs as jar:file:// URIs. 
  NOTE: this issue exists because of an incomplete fix for
  CVE-2008-4582.

CVE-2009-0357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0357):
  Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not
  properly restrict access from web pages to the (1) Set-Cookie and (2)
  Set-Cookie2 HTTP response headers, which allows remote attackers to
  obtain sensitive information from cookies via XMLHttpRequest calls,
  related to the HTTPOnly protection mechanism.

CVE-2009-0358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0358):
  Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1)
  no-store and (2) no-cache Cache-Control directives, which allows
  local users to obtain sensitive information by using the (a) back
  button or (b) history list of the victim's browser, as demonstrated
  by reading the response page of an https POST request.

Comment 5 Carsten Lohrke (RETIRED) gentoo-dev 2009-02-11 20:43:22 UTC
Is there a reason arch teams aren't cc'ed? It's a week now...
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-11 23:21:41 UTC
http://bugs.gentoo.org/show_activity.cgi?id=257577
The mozilla herd was cc'ed from the beginning.
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-11 23:38:20 UTC
Carsten: I didn't add them, because I'm very short on time currently and didn't look.

And why did I read herd? I'm confused. Anyways, what is this place?! :D
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-02-11 23:41:49 UTC
Formal request to arches:

Arches, please test and mark stable:
=www-client/mozilla-firefox-3.0.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2009-02-11 23:49:33 UTC
I didn't imply anything, Craig. ;) There's always the chance there's a reason not stated in the bug report. I consider it to be the package maintainer's responsibility to cc the arch teams anyways. It's a (hopefully) maintained package having to go through the security process, not the other way around, after all.

(In reply to comment #8)
> Arches, please test and mark stable:
> =www-client/mozilla-firefox-3.0.6
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

And also the ebuilds stated in comment three.

Comment 10 Jeroen Roovers gentoo-dev 2009-02-12 03:46:29 UTC
Stable for HPPA.
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-02-12 19:36:26 UTC
ppc64 and ppc done
Comment 12 Sebastian 2009-02-14 17:09:23 UTC
Good morning!
Comment 13 Carsten Lohrke (RETIRED) gentoo-dev 2009-02-14 20:28:04 UTC
(In reply to comment #12)
> Good morning!
>

While I personally like such ironic comments, the (lack of) manpower remains the same. Getting your hands dirty makes the difference.
Comment 14 Markus Meier gentoo-dev 2009-02-14 21:47:52 UTC
amd64/x86 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2009-02-15 11:36:05 UTC
alpha/arm/ia64 stable
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-04-09 20:09:34 UTC
Arches, please test and mark stable:
=www-client/seamonkey-1.1.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2009-04-09 21:09:40 UTC
And
=www-client/seamonkey-bin-1.1.16
Target keywords : "amd64 x86"
Comment 18 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-09 22:38:42 UTC
amd64 done
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2009-04-10 13:26:15 UTC
alpha/arm/ia64/sparc/x86 stable
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2009-04-10 17:57:57 UTC
nirbheek, can you say something about the status of xulrunner-bin? We need to dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable shortly.
Comment 21 Jeroen Roovers gentoo-dev 2009-04-11 03:22:26 UTC
Stable for HPPA.
Comment 22 Brent Baude (RETIRED) gentoo-dev 2009-04-12 13:14:14 UTC
ppc and ppc64 done
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2009-04-16 22:39:20 UTC
(In reply to comment #20)
> nirbheek, can you say something about the status of xulrunner-bin? We need to
> dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable
> shortly.

ping, nirbheek / mozilla herd?
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2009-04-23 09:56:41 UTC
(In reply to comment #23)
> (In reply to comment #20)
> > nirbheek, can you say something about the status of xulrunner-bin? We need to
> > dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable
> > shortly.
> 
> ping, nirbheek / mozilla herd?
> 
Bad nirbheek. We can't remove xulrunner-bin-1.8* because it contains libgtkembedmoz, which xul-1.9 doesn't have. The only user of xulrunner-bin AFAIK is acroread, so ask the maintainers :) Still, that would be a short-lived package :P
Comment 25 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-29 13:54:10 UTC
CVE-2009-2535 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2535):
  Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and
  Thunderbird allow remote attackers to cause a denial of service
  (memory consumption and application crash) via a large integer value
  for the length property of a Select object, a related issue to
  CVE-2009-1692.

Comment 26 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:20:14 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 27 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:29:20 UTC
GLSA with other mozilla bugs.
Comment 28 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:02:59 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).