CVE-2011-2368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2368): The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict write operations, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.
CVE-2011-2367 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2367): The WebGL implementation in Mozilla Firefox 4.x through 4.0.1 does not properly restrict read operations, which allows remote attackers to obtain sensitive information from GPU memory associated with an arbitrary process, or cause a denial of service (application crash), via unspecified vectors.
CVE-2011-2366 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2366): Mozilla Gecko before 5.0, as used in Firefox before 5.0 and Thunderbird before 5.0, does not block use of a cross-domain image as a WebGL texture, which allows remote attackers to obtain approximate copies of arbitrary images via a timing attack involving a crafted WebGL fragment shader.
You all can go ahead and stabilize fx{-bin}-5.0 and tb{-bin}-5.0
@Jory or another mozilla team: Can you specify the target(s) and version(s)? (e.g. for firefox there is only 5.0.r2, np for me but new members of arch teams may be confused) TIA :)
I have added bug 374711 as a block. If you believe that it can be skipped because it is a security bug, feel free to drop it; anyway, take a look also at bug 374707.
(In reply to comment #3)
> I have added bug 374711 as a block. If you believe that it can be skipped
> because it is a security bug, feel free to drop it; anyway, take a look also
> at bug 374707.
Both bugs will not block a security bug.
Wow, it seems like we are gonna have some problems here. This version of firefox requires >=sys-devel/gcc-4.5 and the newest libpng. Whilst there is already a stabilization bug for libpng, I can't see one for gcc.
Do these issues affect FF or TB 3.x? It does not look like they do, which means that we don't need stabilization of 5.x at this time...
(In reply to comment #6)
> Do these issues affect FF or TB 3.x? It does not look like they do, which means
> that we don't need stabilization of 5.x at this time...
Tim, either way {fx,tb}-5 will be going stable for amd64/x86. What you as a security dev do not understand is that 3.x is at end of life, there will be no more updates, {fx,tb}-6 is due to be released in a month so no point in stalling any longer.
Should the gcc-4.5 stabilization process be started then? (I am not sure about gcc-4.6 being ready to go stable :S)
(In reply to comment #8)
> Should the gcc-4.5 stabilization process be started then? (I am not sure about
> gcc-4.6 being ready to go stable :S)
Let me get with toolchain first, I do not see why it shouldn't be but that is ultimately their decision.
(In reply to comment #7)
> (In reply to comment #6)
> > Do these issues affect FF or TB 3.x? It does not look like they do, which means
> > that we don't need stabilization of 5.x at this time...
>
> Tim, either way {fx,tb}-5 will be going stable for amd64/x86. What you as a
> security dev do not understand is that 3.x is at end of life, there will be
> no more updates, {fx,tb}-6 is due to be released in a month so no point in
> stalling any longer.
Knock yourself out. We security devs are done with this bug; please don't do stabilization for us. Noglsa.
(In reply to comment #10)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > Do these issues affect FF or TB 3.x? It does not look like they do, which means
> > > that we don't need stabilization of 5.x at this time...
> >
> > Tim, either way {fx,tb}-5 will be going stable for amd64/x86. What you as a
> > security dev do not understand is that 3.x is at end of life, there will be
> > no more updates, {fx,tb}-6 is due to be released in a month so no point in
> > stalling any longer.
>
> Knock yourself out. We security devs are done with this bug; please don't do
> stabilization for us. Noglsa.
I don't quite understand. Are you saying that the security team will no longer care about security bugs for mozilla products? May I ask the reason for this? We've already made Firefox stabilization easier by merging xulrunner back into Firefox so that no other packages block stabilization anymore. Even if the security stabilization will happen more frequently, it'll be *much* easier to do.
(In reply to comment #11)
> (In reply to comment #10)
> >
> > Knock yourself out. We security devs are done with this bug; please don't do
> > stabilization for us. Noglsa.
>
> I don't quite understand. Are you saying that the security team will no longer
> care about security bugs for mozilla products? May I ask the reason for this?
>
Hi, Nirbheek. No, sorry, that is not what I meant. If these issues only affected ~arch versions of firefox and thunderbird then the security team only needs fixed versions added to the tree as ~arch, which I believe we have. Since these issues do not affect stable versions of these packages, then we don't need to push for stabilization via a security bug. Does that help? The security team process would have us close this bug since fixed packages are in the tree. But if the Mozilla team would like to use it to continue the conversation and stabilize these packages that is ok with me.
Are arch teams still needed? If you want, remove us from CC and re-add when the stabilization is ready ;)
(In reply to comment #12)
> > I don't quite understand. Are you saying that the security team will no longer
> > care about security bugs for mozilla products? May I ask the reason for this?
> >
>
> Hi, Nirbheek.
>
> No, sorry, that is not what I meant. If these issues only affected ~arch
> versions of firefox and thunderbird then the security team only needs fixed
> versions added to the tree as ~arch, which I believe we have.
>
I think ppc64 is lagging in this regard due to a bug.
> Since these issues do not affect stable versions of these packages, then we
> don't need to push for stabilization via a security bug.
>
Jory's comment meant that 3.6.x are abandoned, and will not receive any kind of security treatment by upstream. The fact that these vulns are WebGL-related means that they don't affect 3.6.x, but we can't be sure about future vulnerabilities that will be found. Hence, this bug can be closed but future vulns will have to be handled with care. Thanks for the clarification!
Removing arches from CC
@mozilla sorry for more spam; anyway, I think there shouldn't be a problem stabilizing {firefox,thunderbird}-bin now, they have no issues (imho). Same thing for thunderbird non-bin: there is a bug about prestripped files and -g added by the build system, but I think those are less important than a security bug. No discussion for firefox, which needs gcc-4.5.
re-add if needed.
These issues did not affect the stable tree at the time, closing noglsa.