Bug 401701 - <www-client/firefox{,-bin}-10.0 , <mail-client/thunderbird-{,bin-}-10.0 , <www-client/seamonkey{,-bin}-2.7 <www-client/icecat-10.0 : Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal (1 vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on: CVE-2012-0452
Reported: 2012-01-31 21:38 UTC by Agostino Sarubbo
Modified: 2013-01-08 01:05 UTC (History)
Comment 1 KinG-InFeT 2012-02-02 20:40:31 UTC
Can you update the ebuild of firefox from 9.0 to 10.0? Otherwise, how can the test be done?
Comment 2 Nirbheek Chauhan (RETIRED) gentoo-dev 2012-02-02 21:19:52 UTC
All these will be added once the mozlinguas.eclass RFC on gentoo-dev ML is complete. Should be just 24 hrs from now.

In the meantime, they can be found in the mozilla overlay.
Comment 3 Jory A. Pratt gentoo-dev 2012-02-06 04:49:20 UTC
ebuilds are in the tree, please add archs, also let's stabilize nss-3.13.1-r2 at the same time. This will resolve a lot of problems with people using ca certs in mozilla products.
Comment 4 Agostino Sarubbo gentoo-dev 2012-02-06 10:41:21 UTC
(In reply to comment #3)
> ebuilds are in the tree, please add archs, also let's stabilize nss-3.13.1-r2 at
> the same time. This will resolve a lot of problems with people using ca certs in
> mozilla products.

Missing still:

=mail-client/thunderbird-10
=www-client/seamonkey-2.7

Icecat is also missing, but that is not your fault; upstream has not yet released it.
Comment 5 Jory A. Pratt gentoo-dev 2012-02-06 13:45:33 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > ebuilds are in the tree, please add archs, also let's stabilize nss-3.13.1-r2 at
> > the same time. This will resolve a lot of problems with people using ca certs in
> > mozilla products.
> 
> Missing still:
> 
> =mail-client/thunderbird-10
> =www-client/seamonkey-2.7
> 
> Icecat is also missing, but that is not your fault; upstream has not yet released it.

tb-10 is available; seamonkey will be a bit, as we are having to work out a few major regressions; icecat will follow as soon as an official release is made, and if one is not made soon it will be p.masked for removal.
Comment 6 Agostino Sarubbo gentoo-dev 2012-02-06 13:54:28 UTC
Arches, please stabilize:

=www-client/firefox-10.0
Target keywords : "alpha amd64 arm ia64 ppc x86"

=www-client/firefox-bin-10.0
Target keywords : "amd64 x86"

=mail-client/thunderbird-10.0
Target keywords : "alpha amd64 x86"

=mail-client/thunderbird-bin-10.0
Target keywords : "amd64 x86"

=dev-libs/nss-3.13.1-r2
Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2012-02-06 14:13:31 UTC
x86 result:
firefox{,-bin}-10.0: ok
thunderbird: unknown (I am testing it now)
Comment 8 KinG-InFeT 2012-02-06 22:06:57 UTC
(In reply to comment #6)
> Arches, please stabilize:
> 
> =www-client/firefox-10.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"
> 
> =www-client/firefox-bin-10.0
> Target keywords : "amd64 x86"
> 
> =mail-client/thunderbird-10.0
> Target keywords : "alpha amd64 x86"
> 
> =mail-client/thunderbird-bin-10.0
> Target keywords : "amd64 x86"
> 
> =dev-libs/nss-3.13.1-r2
> Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"

dev-libs/nss-3.13.1-r2: x86 stable

www-client/firefox-10.0: x86 stable

mail-client/thunderbird-10.0: x86 stable
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2012-02-06 23:25:41 UTC
(In reply to comment #6)
> Arches, please stabilize:
> 
> =www-client/firefox-10.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"

amd64 ok.

> =www-client/firefox-bin-10.0
> Target keywords : "amd64 x86"

amd64 ok.

> =dev-libs/nss-3.13.1-r2
> Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"

amd64 ok.
Comment 10 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2012-02-06 23:55:25 UTC
(In reply to comment #6)
> Arches, please stabilize:
> 
> =mail-client/thunderbird-10.0
> Target keywords : "alpha amd64 x86"

amd64 ok.

> =mail-client/thunderbird-bin-10.0
> Target keywords : "amd64 x86"

amd64 ok.
Comment 11 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-07 05:07:38 UTC
amd64: =www-client/firefox-bin-10.0 pass
Comment 12 Maurizio Camisaschi (amd64 AT) 2012-02-07 18:44:52 UTC
Bug 391889 is still present
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2012-02-07 21:36:26 UTC
Maurizio, that applies to thunderbird 9.0, yes?
Comment 14 Maurizio Camisaschi (amd64 AT) 2012-02-07 22:41:10 UTC
@Aaron Bauman

it's the same problem since version 8.0, and it's still present in version 10.0
Comment 15 Maurizio Camisaschi (amd64 AT) 2012-02-07 22:46:21 UTC
And Bug 398389 is also still present: thunderbird fails to compile with USE=debug enabled. Just to inform you; I know that this kind of problem won't block a stabilization for security bugs ;)
Comment 16 Maurizio Camisaschi (amd64 AT) 2012-02-08 00:12:59 UTC
(In reply to comment #6)
> Arches, please stabilize:
> 
> =www-client/firefox-10.0
> Target keywords : "alpha amd64 arm ia64 ppc x86"
> 
> =www-client/firefox-bin-10.0
> Target keywords : "amd64 x86"
> 
> =mail-client/thunderbird-10.0
> Target keywords : "alpha amd64 x86"
> 
> =mail-client/thunderbird-bin-10.0
> Target keywords : "amd64 x86"
> 
> =dev-libs/nss-3.13.1-r2
> Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"

Apart from the two little problems reported above, everything else is ok on amd64.
Comment 17 Agostino Sarubbo gentoo-dev 2012-02-08 00:59:00 UTC
Icecat released.
Comment 18 Agostino Sarubbo gentoo-dev 2012-02-08 15:22:03 UTC
Arches, this is the complete list:

=www-client/firefox-10.0
Target keywords : "alpha amd64 arm ia64 ppc x86"

=www-client/firefox-bin-10.0
Target keywords : "amd64 x86"

=mail-client/thunderbird-10.0
Target keywords : "alpha amd64 x86"

=mail-client/thunderbird-bin-10.0
Target keywords : "amd64 x86"

=dev-libs/nss-3.13.1-r2
Target KEYWORDS : "alpha amd64 arm ia64 ppc x86"

=www-client/seamonkey-2.7
Target keywords : "alpha amd64 arm ppc x86"

=www-client/seamonkey-bin-2.7
Target keywords : "amd64 x86"

=media-libs/libvpx-0.9.7-r1
Target keywords : "alpha amd64 arm ia64 ppc x86"

=www-client/icecat-10.0
Target keywords : "amd64 ppc x86"
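As an added check that is not part of this bug thread or of Gentoo's own tooling, the Python below compares a list of installed package versions against the fixed versions comment 18 asks the arches to stabilize. It assumes a simplified Portage version ordering (dotted numbers plus an -rN revision, the only forms on this page) and uses a constructed INSTALLED list as sample input.

```python
# Added example: check installed versions against the fixed versions in
# comment 18. Assumes a simplified Portage ordering (dotted numbers plus
# -rN revision only, no _alpha/_rc suffixes); INSTALLED is constructed data.
import re

FIXED = {  # from comment 18, the "complete list"
    "www-client/firefox": "10.0", "www-client/firefox-bin": "10.0",
    "mail-client/thunderbird": "10.0", "mail-client/thunderbird-bin": "10.0",
    "dev-libs/nss": "3.13.1-r2", "media-libs/libvpx": "0.9.7-r1",
    "www-client/seamonkey": "2.7", "www-client/seamonkey-bin": "2.7",
    "www-client/icecat": "10.0",
}
_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
# Version = last '-'-separated part starting with a digit: 'firefox-bin-10.0'.
_CPV_RE = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")

def parse_version(ver):
    """'3.13.1-r2' -> ([3, 13, 1], 2); a missing -rN counts as revision 0."""
    m = _VER_RE.match(ver)
    if not m:
        raise ValueError("unsupported version string: %r" % ver)
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)

def version_lt(a, b):
    """True if a sorts before b; zero-pads so 10.0 == 10.0.0 < 10.0.1."""
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    na += [0] * (width - len(na))
    nb += [0] * (width - len(nb))
    return (na, ra) < (nb, rb)

def split_cpv(cpv):
    """'dev-libs/nss-3.13.1-r2' -> ('dev-libs/nss', '3.13.1-r2')."""
    return _CPV_RE.match(cpv).groups()

def vulnerable(installed):
    """Return the installed cpvs that are older than their fixed version."""
    hits = []
    for cpv in installed:
        cp, ver = split_cpv(cpv)
        if cp in FIXED and version_lt(ver, FIXED[cp]):
            hits.append(cpv)
    return hits

INSTALLED = [  # constructed sample, not from the page
    "www-client/firefox-9.0", "dev-libs/nss-3.13.1-r1",
    "mail-client/thunderbird-10.0", "www-client/firefox-bin-10.0.1",
    "media-libs/libvpx-0.9.7-r1", "app-editors/vim-7.3",
]
```

Calling `vulnerable(INSTALLED)` on the sample flags only firefox-9.0 and nss-3.13.1-r1; a later revision or point release (nss -r2, firefox-bin 10.0.1) and packages not in the list pass.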
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2012-02-08 22:12:52 UTC
(In reply to comment #18)

> =www-client/icecat-10.0
> Target keywords : "amd64 ppc x86"

amd64 ok.
Comment 20 Jory A. Pratt gentoo-dev 2012-02-08 23:29:22 UTC
Hold the stabilizations, we are rolling 10.0.1, which will address security issues.
Comment 21 Agostino Sarubbo gentoo-dev 2012-02-11 15:52:52 UTC
Arches, we will continue in bug 403183
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 04:19:07 UTC
CVE-2012-0449 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0449):
  Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18
  and 5.0 through 9.0, and SeaMonkey before 2.7 allow remote attackers to
  cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via a malformed XSLT stylesheet that is
  embedded in a document.

CVE-2012-0446 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0446):
  Multiple cross-site scripting (XSS) vulnerabilities in Mozilla Firefox 4.x
  through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 allow
  remote attackers to inject arbitrary web script or HTML via a (1) web page
  or (2) Firefox extension, related to improper enforcement of XPConnect
  security restrictions for frame scripts that call untrusted objects.

CVE-2012-0445 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0445):
  Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey
  before 2.7 allow remote attackers to bypass the HTML5 frame-navigation
  policy and replace arbitrary sub-frames by creating a form submission target
  with a sub-frame's name attribute.

CVE-2012-0444 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0444):
  Mozilla Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18
  and 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize
  nsChildView data structures, which allows remote attackers to cause a denial
  of service (memory corruption and application crash) or possibly execute
  arbitrary code via a crafted Ogg Vorbis file.

CVE-2012-0443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0443):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before
  2.7 allow remote attackers to cause a denial of service (memory corruption
  and application crash) or possibly execute arbitrary code via unknown
  vectors.

CVE-2011-3659 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3659):
  Use-after-free vulnerability in Mozilla Firefox before 3.6.26 and 4.x
  through 9.0, Thunderbird before 3.1.18 and 5.0 through 9.0, and SeaMonkey
  before 2.7 might allow remote attackers to execute arbitrary code via
  vectors related to incorrect AttributeChildRemoved notifications that affect
  access to removed nsDOMAttribute child nodes.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 22:55:34 UTC
CVE-2012-0450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0450):
  Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS
  X set weak permissions for Firefox Recovery Key.html, which might allow
  local users to read a Firefox Sync key via standard filesystem operations.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 22:56:22 UTC
CVE-2012-0442 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0442):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 3.6.26 and 4.x through 9.0, Thunderbird before 3.1.18 and 5.0
  through 9.0, and SeaMonkey before 2.7 allow remote attackers to cause a
  denial of service (memory corruption and application crash) or possibly
  execute arbitrary code via unknown vectors.
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:09 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).