Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 341821 - net-libs/xulrunner, www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin}, www-client/icecat: Multiple Vulnerabilities (CVE-2010-{3170,3173,3174,3175,3176,3177,3178,3179,3180,3182,3183})
Summary: net-libs/xulrunner, www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/annou...
Whiteboard: A2 [glsa]
Keywords:
: 341823 341825 (view as bug list)
Depends on: 342323
Blocks: 342471
  Show dependency tree
 
Reported: 2010-10-19 22:19 UTC by Tim Sammut (RETIRED)
Modified: 2013-01-08 01:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-10-19 22:19:00 UTC
Mozilla has released nine advisories affecting these packages.

MFSA 2010-72 CVE-2010-3173 Low
Insecure Diffie-Hellman key exchange

MFSA 2010-71 CVE-2010-3182 Critical
Unsafe library loading vulnerabilities

MFSA 2010-70 CVE-2010-3170 Moderate
SSL wildcard certificate matching IP addresses

MFSA 2010-69 CVE-2010-3178 High
Cross-site information disclosure via modal calls

MFSA 2010-68 CVE-2010-3177 High
XSS in gopher parser when parsing hrefs

MFSA 2010-67 CVE-2010-3183 Critical
Dangling pointer vulnerability in LookupGetterOrSetter

MFSA 2010-66 CVE-2010-3180 Critical
Use-after-free error in nsBarProp

MFSA 2010-65 CVE-2010-3179 Critical
Buffer overflow and memory corruption using document.write

MFSA 2010-64 CVE-2010-3176, CVE-2010-3175, CVE-2010-3174 Critical
Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)
Comment 1 Jory A. Pratt gentoo-dev 2010-10-20 03:30:42 UTC
Lets keep all these together, one glsa will satisfy all of them. thunderbird{-bin}-3.1.5, xulrunner-1.9.2.11, firefox{-bin}-3.6.11 are all in tree, seamonkey and icecat will follow very shortly.
Comment 2 Jory A. Pratt gentoo-dev 2010-10-20 03:31:05 UTC
*** Bug 341825 has been marked as a duplicate of this bug. ***
Comment 3 Jory A. Pratt gentoo-dev 2010-10-20 03:31:22 UTC
*** Bug 341823 has been marked as a duplicate of this bug. ***
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2010-10-20 15:23:11 UTC
seamonkey-{,-bin}-2.0.9 are now in the tree.
Comment 5 Jaak Ristioja 2010-10-21 05:54:26 UTC
(In reply to comment #1)
> Lets keep all these together, one glsa will satisfy all of them.
> thunderbird{-bin}-3.1.5, xulrunner-1.9.2.11, firefox{-bin}-3.6.11 are all in
> tree, seamonkey and icecat will follow very shortly.

Just to refrain from opening a new bug, thunderbird-3.1.5 fails to configure with the following error:

checking for sqlite3 >= 3.7.1... Requested 'sqlite3 >= 3.7.1' but version of SQLite is 3.6.23.1
configure: error: Library requirements (sqlite3 >= 3.7.1) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.
configure: error: ./configure failed for mozilla

I guess the Thunderbird 3.1.5 ebuild is missing the proper >=dev-db/sqlite-3.7.1 dependency.
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2010-10-21 07:47:35 UTC
(In reply to comment #5)
> Just to refrain from opening a new bug, thunderbird-3.1.5 fails to configure
> with the following error:
> 
> checking for sqlite3 >= 3.7.1... Requested 'sqlite3 >= 3.7.1' but version of
> SQLite is 3.6.23.1
> configure: error: Library requirements (sqlite3 >= 3.7.1) not met; consider
> adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a
> nonstandard prefix so pkg-config can find them.
> configure: error: ./configure failed for mozilla
> 
> I guess the Thunderbird 3.1.5 ebuild is missing the proper
> >=dev-db/sqlite-3.7.1 dependency.

+  21 Oct 2010; Lars Wendler <polynomial-c@gentoo.org>
+  thunderbird-3.1.5.ebuild:
+  Fixed sqlite dependency (reported by Jaak Ristioja in bug #341821).
Comment 7 Jory A. Pratt gentoo-dev 2010-10-21 12:48:59 UTC
Security team feel free to bring the archs in so they can start to stabilize. Lets stabilize nss-3.12.8 at the same time.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2010-10-21 13:33:44 UTC
(In reply to comment #7)
> Security team feel free to bring the archs in so they can start to stabilize.
> Lets stabilize nss-3.12.8 at the same time.
> 

Will there be an updated icecat too?
Comment 9 Jory A. Pratt gentoo-dev 2010-10-21 13:39:50 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > Security team feel free to bring the archs in so they can start to stabilize.
> > Lets stabilize nss-3.12.8 at the same time.
> > 
> 
> Will there be an updated icecat too?
> 

As soon as it is available, I will be emailed and make the bump in the tree. I can not confirm when it will be available but soon as it is the bump will happen, that is less then a 2 minute merge tho so I say get xul/ff/tb/sea all done as these are the main packages our users are using. 
Comment 10 Tim Sammut (RETIRED) gentoo-dev 2010-10-21 13:49:07 UTC
Arches, please test and mark stable:

=net-libs/xulrunner-1.9.2.11
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-3.1.5
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-bin-3.1.5
Target keywords : "amd64 x86"

=www-client/firefox-3.6.11
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.11
Target keywords : "amd64 x86"

=www-client/seamonkey-2.0.9
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/seamonkey-bin-2.0.9
Target keywords : "amd64 x86"

=dev-libs/nss-3.12.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 11 Agostino Sarubbo gentoo-dev 2010-10-21 14:29:48 UTC
USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~

How we should proceed?
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-21 19:00:22 UTC
(In reply to comment #11)
> USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~
> 
> How we should proceed?

 Arfrever, Betelgeuse, any comments on this?
Comment 13 Agostino Sarubbo gentoo-dev 2010-10-21 21:49:19 UTC
(In reply to comment #11)
> USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~
> 
> How we should proceed?
> 

To tell the truth, the packages that make use of the USE="system-sqlite" are: Firefox, SeaMonkey, XULRunner, and Thunderbird.
Anyway I reported the bugs about their :)
bug 342035 bug 342051 bug 342057
Comment 14 Markos Chandras (RETIRED) gentoo-dev 2010-10-21 23:42:58 UTC
I think we can ignore the ignored LDFLAGS for now since this a security issue so it gets higher priority than the QA one. However I wanted to see them fixed sooner or later. Please open a new bug about sqlite. Thanks
Comment 15 Agostino Sarubbo gentoo-dev 2010-10-21 23:48:49 UTC
(In reply to comment #14)
> I think we can ignore the ignored LDFLAGS for now since this a security issue
> so it gets higher priority than the QA one. However I wanted to see them fixed
> sooner or later. Please open a new bug about sqlite. Thanks
> 

that's for sure! I put only aware of the bugs found, even if they do not affect the stabilization :)
Comment 16 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-22 06:59:46 UTC
(In reply to comment #14)
> Please open a new bug about sqlite.

 Maintainers of SQLite are already in cc of this bug here.
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-22 17:27:55 UTC
x86 is tested and fine, as soon as there is a decision on the SQLite issue, anybody can mark x86 stable...for the case that nobody from x86 team is around.
Comment 18 Jeroen Roovers gentoo-dev 2010-10-23 06:03:12 UTC
Stable for HPPA.
Comment 19 Agostino Sarubbo gentoo-dev 2010-10-23 12:21:21 UTC
all ok on amd64 for me
Comment 20 Arfrever Frehtes Taifersar Arahesis (RETIRED) gentoo-dev 2010-10-23 15:05:38 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > USE="system-sqlite" (thunderbird) requires >=dev-db/sqlite-3.7.1 and it is ~
> > 
> > How we should proceed?
> 
>  Arfrever, Betelgeuse, any comments on this?

dev-db/sqlite-3.7.2 will be stabilized in bug #342323.
Comment 21 Markos Chandras (RETIRED) gentoo-dev 2010-10-24 03:06:49 UTC
amd64 done
Comment 22 Dane Smith (RETIRED) gentoo-dev 2010-10-24 16:16:49 UTC
At the request of Anarchy, firefox-bin marked stable on x86 since it doesn't fall into the need sqlite category. Need to finish the stabilization of sqlite before the rest of these can be marked stable for x86. I will try to get to this today.
Comment 23 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-24 19:39:33 UTC
Thanks c1pher.  All SQLite depending packages built fine, but I can reproduce the test failure reported on bug 342469.
Comment 24 Dane Smith (RETIRED) gentoo-dev 2010-10-24 19:56:53 UTC
(In reply to comment #23)
> Thanks c1pher.  All SQLite depending packages built fine, but I can reproduce
> the test failure reported on bug 342469.
> 

I have use flag combination tests running already. With the depending packages good to go as well (assuming I don't hit any issues outside of USE="icu") do we want to go ahead and stable it and mark these as well?
Comment 25 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-25 00:34:03 UTC
x86 stable
Comment 26 Lars Wendler (Polynomial-C) gentoo-dev 2010-10-27 17:26:35 UTC
Alright, icecat-3.6.11 is in the tree. 

Target keywords are:  amd64 ppc ppc64 x86

Readded amd64 and x86 (sorry guys ;))
Comment 27 Agostino Sarubbo gentoo-dev 2010-10-27 19:39:55 UTC
(In reply to comment #26)
> Alright, icecat-3.6.11 is in the tree. 
> 
> Target keywords are:  amd64 ppc ppc64 x86
> 
> Readded amd64 and x86 (sorry guys ;))
> 

Np, amd64 well also for icecat
Comment 28 Markos Chandras (RETIRED) gentoo-dev 2010-10-28 14:49:19 UTC
amd64 done. Thanks Agostino
Comment 29 Lars Wendler (Polynomial-C) gentoo-dev 2010-10-28 18:12:10 UTC
Removing arch teams here in favor of bug #342847
Comment 30 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:03:55 UTC
GLSA with other mozilla bugs.
Comment 31 Jory A. Pratt gentoo-dev 2010-12-30 03:52:35 UTC
Nothing for mozilla team to handle, tree has all appropriate updates.
Comment 32 Jory A. Pratt gentoo-dev 2010-12-30 03:54:11 UTC
sorry for the noise just forgot to remove mozilla team from the bug reports.
Comment 33 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:30:18 UTC
CVE-2010-3183 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3183):
  The LookupGetterOrSetter function in js3250.dll in Mozilla Firefox before
  3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before
  3.1.5, and SeaMonkey before 2.0.9 does not properly support
  window.__lookupGetter__ function calls that lack arguments, which allows
  remote attackers to execute arbitrary code or cause a denial of service
  (incorrect pointer dereference and application crash) via vectors involving
  a "dangling pointer" and the JS_ValueToId function.

CVE-2010-3182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3182):
  A certain application-launch script in Mozilla Firefox before 3.5.14 and
  3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and
  SeaMonkey before 2.0.9 on Linux places a zero-length directory name in the
  LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan
  horse shared library in the current working directory.

CVE-2010-3180 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3180):
  Use-after-free vulnerability in the nsBarProp function in Mozilla Firefox
  before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x
  before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to execute
  arbitrary code by accessing the locationbar property of a closed window.

CVE-2010-3179 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3179):
  Stack-based buffer overflow in the text-rendering functionality in Mozilla
  Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and
  3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allows remote attackers to
  execute arbitrary code or cause a denial of service (memory corruption and
  application crash) via a long argument to the document.write method.

CVE-2010-3178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3178):
  Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before
  3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 do not properly
  handle certain modal calls made by javascript: URLs in circumstances related
  to opening a new window and performing cross-domain navigation, which allows
  remote attackers to bypass the Same Origin Policy via a crafted HTML
  document.

CVE-2010-3177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3177):
  Multiple cross-site scripting (XSS) vulnerabilities in the Gopher parser in
  Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, and SeaMonkey before
  2.0.9, allow remote attackers to inject arbitrary web script or HTML via a
  crafted name of a (1) file or (2) directory on a Gopher server.

CVE-2010-3176 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3176):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 3.5.x before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before
  3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 allow remote
  attackers to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-3175 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3175):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 3.6.x before 3.6.11 and Thunderbird 3.1.x before 3.1.5 allow remote
  attackers to cause a denial of service (memory corruption and application
  crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-3174 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3174):
  Unspecified vulnerability in the browser engine in Mozilla Firefox 3.5.x
  before 3.5.14, Thunderbird before 3.0.9, and SeaMonkey before 2.0.9 allows
  remote attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2010-3173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3173):
  The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before
  3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey
  before 2.0.9 does not properly set the minimum key length for Diffie-Hellman
  Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat
  cryptographic protection mechanisms via a brute-force attack.

CVE-2010-3170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3170):
  Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before
  3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a
  wildcard IP address in the subject's Common Name field of an X.509
  certificate, which might allow man-in-the-middle attackers to spoof
  arbitrary SSL servers via a crafted certificate issued by a legitimate
  Certification Authority.
Comment 34 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:25 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).