Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 365323 (CVE-2011-0065) - <net-libs/xulrunner-1.9.2.17, <www-client/firefox{,-bin}-3.6.17, <mail-client/thunderbird{,-bin}-3.1.10, <www-client/seamonkey{,-bin}-2.0.14: multiple vulnerabilities (CVE-2011-{00{65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81},1202})
Summary: <net-libs/xulrunner-1.9.2.17, <www-client/firefox{,-bin}-3.6.17, <mail-client...
Status: RESOLVED FIXED
Alias: CVE-2011-0065
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/known...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-04-29 16:19 UTC by Lars Wendler (Polynomial-C)
Modified: 2013-01-08 01:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) gentoo-dev 2011-04-29 16:19:13 UTC
MFSA 2011-18 XSLT generate-id() function heap address leak
MFSA 2011-17 WebGLES vulnerabilities
MFSA 2011-16 Directory traversal in resource: protocol
MFSA 2011-15 Escalation of privilege through Java Embedding Plugin
MFSA 2011-14 Information stealing via form history
MFSA 2011-13 Multiple dangling pointer vulnerabilities
MFSA 2011-12 Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)


Although not listed in the summary, ~net-libs/xulrunner-2.0 and ~www-client/firefox-4.0 are affected as well.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-04-29 16:55:45 UTC
Thanks for the bug, and for getting ebuilds committed so quickly. Are we ready to call arches? We can always readd them when icecat is ready.

Just to facilitate searching, here is the list of CVEs as we normally list them.
CVE-2011-{0065,0066,0067,0068,0069,0070,0071,0072,0073,0074,0075,0076,0077,0078,0079,0080,0081,1202}
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2011-04-29 19:04:05 UTC
(In reply to comment #1)
> Thanks for the bug, and for getting ebuilds committed so quickly. Are we ready
> to call arches? We can always readd them when icecat is ready.

I have no objections against letting arches do their work now. Looking at the severity some of these bugs have I think the faster the better :)


> Just to facilitate searching, here is the list of CVEs as we normally list
> them.
> CVE-2011-{0065,0066,0067,0068,0069,0070,0071,0072,0073,0074,0075,0076,0077,0078,0079,0080,0081,1202}

Heh, I tried to make up the summary like this but the input field didn't allow a summary being that long ;)
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2011-04-29 19:22:06 UTC
Great, thanks.

Arches, please test and mark stable:
=www-client/firefox-3.6.17
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/firefox-bin-3.6.17
Target keywords : "amd64 x86"

=www-client/seamonkey-2.0.14
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=www-client/seamonkey-bin-2.0.14
Target keywords : "amd64 x86"

=mail-client/thunderbird-3.1.10
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

=mail-client/thunderbird-bin-3.1.10
Target keywords : "amd64 x86"

=net-libs/xulrunner-1.9.2.17
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-04-30 18:47:17 UTC
amd64 done
Comment 5 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-01 12:06:33 UTC
ppc/ppc64 stable
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-01 16:54:07 UTC
x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2011-05-02 15:39:09 UTC
Stable for HPPA.
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2011-05-03 09:28:16 UTC
+*icecat-3.6.16-r1 (03 May 2011)
+
+  03 May 2011; Lars Wendler <polynomial-c@gentoo.org> +icecat-3.6.16-r1.ebuild:
+  Security bump. This revision contains the same fixes firefox-3.6.17 has.
+

I cannot add "<www-client/icecat-3.6.16-r1" to the summary as it only allows a limited number of chars.

It seems like icecat upstream won't release a 3.6.17 version so I created a patch containing the changes between firefox-3.6.16 and -3.6.17 and applied that to icecat-3.6.16. 
I gonna write an email to icecat upstream requesting a 3.6.17 version once I return home from work today. In case they do such a release I will add the real 3.6.17 version to the tree with the same mix of stable/unstable KEYWORDS 3.6.16-r1 has at that point.


So arches please test and mark stable in addition to the packages listed in the summary:

=www-client/icecat-3.6.16-r1
Target keywords: amd64 ppc ppc64 x86

And sorry for readding exactly those four arches which already did their job here :)
Comment 9 Agostino Sarubbo gentoo-dev 2011-05-03 13:13:26 UTC
icecat works.
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-05-04 17:48:03 UTC
icecat-3.6.16-r1 x86 stable
Comment 11 Markos Chandras (RETIRED) gentoo-dev 2011-05-04 20:22:53 UTC
amd64 done. Thanks Agostino
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2011-05-07 18:26:08 UTC
alpha/arm/ia64/sparc stable, i haven't done xulrunner/firefox .17 because it sigbuses, like always...
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-05-14 08:14:01 UTC
ppc/ppc64 stable, last arch done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-05-14 14:57:49 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 15 Alex Buell 2011-06-03 20:58:32 UTC
(In reply to comment #12)
> alpha/arm/ia64/sparc stable, i haven't done xulrunner/firefox .17 because it
> sigbuses, like always...

Not always, I've found that if I remove the sparc specific kludge from the ebuild it works for me, but you have to catch the browser before it loads the page and all will be well.
Comment 16 Jory A. Pratt gentoo-dev 2011-12-12 17:03:10 UTC
re-add if needed later.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:50 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).