Bug 389923 (CVE-2011-3648) - <www-client/firefox{,-bin}-8.0, <mail-client/thunderbird-{8.0-r1,bin-8.0}: Multiple vulnerabilities (CVE-2011-{3648,3649,3650,3651,3652,3653,3654,3655})
Summary: <www-client/firefox{,-bin}-8.0, <mail-client/thunderbird-{8.0-r1,bin-8.0}: Mu...
Status: RESOLVED FIXED
Alias: CVE-2011-3648
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All
OS: Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46773/
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 390031 390095 390099 390243 390485 390487 390705 390707
Depends on:
Blocks:
 
Reported: 2011-11-09 03:34 UTC by Rafał Mużyło
Modified: 2013-09-27 08:46 UTC
CC List: 9 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Description Rafał Mużyło 2011-11-09 03:34:21 UTC
Let's do a 0-day bump...

but we shall be a bit helpful too:

it seems that the following patches from the firefox-7.0-patches-0.5 tarball were applied upstream:
5005 5006 5007 5008 5009 5011 5014 5017 5018;
while the problem of patch 5012 was solved in a different way.

After filtering out those, the old ebuild works... well, at least it seems so for the moment.
Comment 1 Jeremy Olexa (darkside) (RETIRED) archtester gentoo-dev Security 2011-11-09 22:34:18 UTC
*** Bug 390031 has been marked as a duplicate of this bug. ***
Comment 2 elvis4526 2011-11-09 23:24:48 UTC
I would be glad to test some experimental ebuilds of firefox 8 to help. Or anything else that could help.
Comment 3 Joel 2011-11-09 23:45:03 UTC
Renaming the thunderbird-bin-6.0 ebuild to 8.0 works for me.
Comment 4 Jory A. Pratt gentoo-dev 2011-11-10 04:14:41 UTC
(In reply to comment #2)
> I would be glad to test some experimental ebuilds of firefox 8 to help. Or
> anything else that could help.

fx-8 is in the mozilla overlay at the moment; as soon as I finish the tb changes I will move it to the tree.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-11-10 15:18:27 UTC
*** Bug 390095 has been marked as a duplicate of this bug. ***
Comment 6 Oliver Freyermuth 2011-11-10 16:14:34 UTC
Is TB 8.0 still 'in progress'? 
I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged) plugins 'timezone definitions' and the 'provider for google calendar' are too old and incompatible with TB 8.0. Lightning is also not the newest version, but appears to work.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-11-10 16:49:28 UTC
*** Bug 390099 has been marked as a duplicate of this bug. ***
Comment 8 Jory A. Pratt gentoo-dev 2011-11-10 20:18:36 UTC
(In reply to comment #6)
> Is TB 8.0 still 'in progress'? 
> I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged)
> plugins 'timezone definitions' and the 'provider for google calendar' are too
> old and incompatible with TB 8.0. Lightning is also not the newest version, but
> appears to work.

The version is all the same; it was just a version.txt bump, not to be worried about. What I am concerned about is how the profile is breaking the extensions; a clean profile will show ya exactly what I mean.
Comment 9 Oliver Freyermuth 2011-11-11 00:59:02 UTC
(In reply to comment #8)
> (In reply to comment #6)
> > Is TB 8.0 still 'in progress'? 
> > I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged)
> > plugins 'timezone definitions' and the 'provider for google calendar' are too
> > old and incompatible with TB 8.0. Lightning is also not the newest version, but
> > appears to work.
> 
> version is all the same, it was just a version.txt bump not to worried about,
> what I am concerned about is how the profile is breaking the extensions, a
> clean profile will show ya exactly what I mean.
Thanks for the answer, ok then. 
I cannot reproduce the breakage here (on x86_64; if you need further info, please ask):
1) Created a fresh profile with ProfileManager. 
2) Created a bogus account. 
3) Tried to enable bundled extensions (Lightning works as expected). 
4) Installed a random extension from AddOn-Manager (works as expected). 
Maybe I am missing something, if so, just take your time fixing it. 
Thanks a lot for your work! 
(my next answer might be a bit delayed due to high workload in real life)
Comment 10 Jory A. Pratt gentoo-dev 2011-11-11 01:50:22 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > (In reply to comment #6)
> > > Is TB 8.0 still 'in progress'? 
> > > I just noticed an ebuild in mozilla-overlay, but the packaged (useflagged)
> > > plugins 'timezone definitions' and the 'provider for google calendar' are too
> > > old and incompatible with TB 8.0. Lightning is also not the newest version, but
> > > appears to work.
> > 
> > version is all the same, it was just a version.txt bump not to worried about,
> > what I am concerned about is how the profile is breaking the extensions, a
> > clean profile will show ya exactly what I mean.
> Thanks for the answer, ok then. 
> I can not reproduce the breakage here (on x86_64, if you need further info,
> please ask): 
> 1) Created a fresh profile with ProfileManager. 
> 2) Created a bogus account. 
> 3) Tried to enable bundled extensions (Lightning works as expected). 
> 4) Installed a random extension from AddOn-Manager (works as expected). 
> Maybe I am missing something, if so, just take your time fixing it. 
> Thanks a lot for your work! 
> (my next answer might be a bit delayed due to high workload in real life)

I was referring to google calendar and timezone definitions being broken. I have double and triple checked and everything is working as it should be with a fresh profile; the problem is that the first launch with 8.0 will cause extensions.sqlite to fail to update properly. This is what is causing reports of the plugin being disabled. I have gone ahead and committed both fx/tb-8.0 source builds to the tree for further testing.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-11-12 10:16:42 UTC
*** Bug 390243 has been marked as a duplicate of this bug. ***
Comment 12 Philipp Psurek 2011-11-12 11:01:10 UTC
Renaming the firefox-bin-7.0.1 ebuild to 8.0 works for me on x86.
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-11-14 06:40:43 UTC
*** Bug 390485 has been marked as a duplicate of this bug. ***
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-11-14 06:40:47 UTC
*** Bug 390487 has been marked as a duplicate of this bug. ***
Comment 15 Agostino Sarubbo gentoo-dev 2011-11-16 11:45:53 UTC
*** Bug 390707 has been marked as a duplicate of this bug. ***
Comment 16 Agostino Sarubbo gentoo-dev 2011-11-16 11:46:08 UTC
*** Bug 390705 has been marked as a duplicate of this bug. ***
Comment 17 Jory A. Pratt gentoo-dev 2011-11-16 14:56:31 UTC
Feel free to bring the archs in, I believe we have resolved all major issues.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2011-11-16 23:32:56 UTC
CVE-2011-3655 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3655):
  Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
  access control without checking for use of the NoWaiverWrapper wrapper,
  which allows remote attackers to gain privileges via a crafted web site.

CVE-2011-3654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3654):
  The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0
  does not properly handle links from SVG mpath elements to non-SVG elements,
  which allows remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code via
  unspecified vectors.

CVE-2011-3653 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3653):
  Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do not
  properly interact with the GPU memory behavior of a certain driver for Intel
  integrated GPUs, which allows remote attackers to bypass the Same Origin
  Policy and read image data via vectors related to WebGL textures.

CVE-2011-3652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3652):
  The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0
  does not properly allocate memory, which allows remote attackers to cause a
  denial of service (memory corruption and application crash) or possibly
  execute arbitrary code via unspecified vectors.

CVE-2011-3651 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3651):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

CVE-2011-3650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3650):
  Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before
  3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that
  contain many functions, which allows user-assisted remote attackers to cause
  a denial of service (memory corruption and application crash) or possibly
  have unspecified other impact via a crafted file that is accessed by
  debugging APIs, as demonstrated by Firebug.

CVE-2011-3649 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3649):
  Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is
  used on Windows in conjunction with the Azure graphics back-end, allow
  remote attackers to bypass the Same Origin Policy, and obtain sensitive
  image data from a different domain, by inserting this data into a canvas. 
  NOTE: this issue exists because of a CVE-2011-2986 regression.

CVE-2011-3648 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3648):
  Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24
  and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows
  remote attackers to inject arbitrary web script or HTML via crafted text
  with Shift JIS encoding.
Comment 19 Agostino Sarubbo gentoo-dev 2011-11-17 16:58:28 UTC
(In reply to comment #17)
> Feel free to bring the archs in, I believe we have resolved all major issues.

Thanks Jory and mozilla team.

As you know there is a problem for other arches: many of them still do not have even a ~ keyword, and there are also pending stablereqs for the 3.x series. So since ppc has a keyword, can we also call it in here?
Comment 20 Agostino Sarubbo gentoo-dev 2011-11-21 15:29:36 UTC
Arches, please test and mark stable:
=www-client/firefox-8.0
=www-client/firefox-bin-8.0
=mail-client/thunderbird-8.0-r1
=mail-client/thunderbird-bin-8.0

Target keywords : "amd64 x86"

In the meantime we "wrangle" and edit the whiteboard of various old firefox security bugs.
Comment 21 Agostino Sarubbo gentoo-dev 2011-11-21 18:48:45 UTC
amd64 ok
Comment 22 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-24 01:32:40 UTC
amd64: =www-client/firefox-8.0 pass
Comment 23 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-11-25 04:46:39 UTC
amd64: =www-client/firefox-bin-8.0 pass as well
Comment 24 Michael Harrison 2011-11-25 13:05:57 UTC
amd64 
=mail-client/thunderbird-8.0-r1
blocker ** when adding USE="debug"
* ERROR: mail-client/thunderbird-8.0-r1 failed (compile phase):
 *   make enigmail failed
 * 
 * Call stack:
 *     ebuild.sh, line  56:  Called src_compile
 *   environment, line 6317:  Called die
 * The specific snippet of code:
 *           emake -C /mailnews/extensions/enigmail || die make enigmail failed;
 * 
 * If you need support, post the output of 'emerge --info =mail-client/thunderbird-8.0-r1',
 * the complete build log and the output of 'emerge -pqv =mail-client/thunderbird-8.0-r1'.
 * The complete build log is located at '/var/tmp/portage/portage/mail-client/thunderbird-8.0-r1/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/portage/mail-client/thunderbird-8.0-r1/temp/environment'.
 * S: '/var/tmp/portage/portage/mail-client/thunderbird-8.0-r1/work/comm-release'
 * 
 * The following package has failed to build or install:


When attempting to emerge enigmail separately I get:
[ebuild  N     ] x11-plugins/enigmail-1.1.2-r2  
[blocks B      ] x11-plugins/enigmail ("x11-plugins/enigmail" is blocking mail-client/thunderbird-8.0-r1)
Comment 25 Michael Harrison 2011-11-25 13:41:05 UTC
Ditto Elijah
=www-client/firefox-bin-8.0 amd64 ok
Comment 26 Michael Harrison 2011-11-25 20:51:33 UTC
=www-client/firefox-bin-8.0 amd64 ok
Comment 27 Michael Harrison 2011-11-25 20:54:36 UTC
Please ignore comment 26 as it should be =www-client/firefox-8.0 amd64 ok
Comment 28 Tomáš "tpruzina" Pružina (amd64 [ex]AT) 2011-11-29 16:16:34 UTC
www-client/firefox-8.0
mail-client/thunderbird-bin-8.0

OK from a user point of view on my machine (I have these keyworded);
thunderbird-8.0 did build on my machine, but I did not do the usual AT QA checks [yet].
Comment 29 Tony Vroon (RETIRED) gentoo-dev 2011-11-29 22:57:41 UTC
+  29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> firefox-8.0.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo,
+  Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho"
+  Pružina in security bug #389923.

+  29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> firefox-bin-8.0.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo,
+  Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho"
+  Pružina in security bug #389923.

+  29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> thunderbird-8.0-r1.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo,
+  Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho"
+  Pružina in security bug #389923.

+  29 Nov 2011; Tony Vroon <chainsaw@gentoo.org> thunderbird-bin-8.0.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo,
+  Elijah "Armageddon" El Lazkani, Michael "n0idx80" Harrison & Tomáš "Mepho"
+  Pružina in security bug #389923.
Comment 30 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-12-08 14:48:43 UTC
x86 stable
Comment 31 Jory A. Pratt gentoo-dev 2011-12-12 17:05:09 UTC
re-add if needed.
Comment 32 Tim Sammut (RETIRED) gentoo-dev 2011-12-21 00:39:53 UTC
Added to existing GLSA request.
Comment 33 Sergey Popov (RETIRED) gentoo-dev 2013-09-27 08:46:24 UTC
Too old for GLSA, closing as fixed.