Bug 404437 - <www-client/firefox-bin-10.0.2 , <mail-client/thunderbird-bin-10.0.2 , <www-client/seamonkey-bin-2.7.2 : libpng integer overflow (CVE-2011-3026)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: http://cve.mitre.org/cgi-bin/cvename....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:

Reported: 2012-02-18 18:49 UTC by KinG-InFeT
Modified: 2013-01-08 01:05 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
QA Notices (QA_Notices, 2.90 KB, text/plain), 2012-02-21 07:11 UTC, Elijah "Armageddon" El Lazkani (amd64 AT)

Description KinG-InFeT 2012-02-18 18:49:14 UTC
https://www.mozilla.org/security/announce/2012/mfsa2012-11.html

Fixed in: Firefox 10.0.2
  Firefox ESR 10.0.2
  Firefox 3.6.27
  Thunderbird 10.0.2
  Thunderbird ESR 10.0.2
  Thunderbird 3.1.19
  SeaMonkey 2.7.2

I use firefox-bin-10.0.2 x86 stable

Reproducible: Always
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-02-18 21:39:35 UTC
Mozilla, is this bug valid for Gentoo, or do we always use the system libpng? We have bug 404197 for libpng itself. Thanks.
Comment 2 Jory A. Pratt gentoo-dev 2012-02-20 05:59:35 UTC
Only the -bin packages are affected; we use the system png in source builds.
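Comment 2 carries the point that matters for triage: the source-built browsers link the system libpng, so the libpng update tracked in bug 404197 covers them, while the -bin packages ship their own statically linked copy that only a new upstream binary replaces. The script below is an added example, not code from this bug or from Gentoo, that checks a binary for a bundled libpng by looking for the version banner libpng compiles into itself ("libpng version 1.x.y - date"); a copy linked this way never shows up in `ldd` output. The sample bytes, the fake version numbers and the minimum fixed version passed as the threshold are all assumptions made for the illustration; take the real threshold from the libpng advisory for CVE-2011-3026 rather than from this example.

```sh
#!/bin/sh
# Added example (not from the bug thread or from Gentoo): look for a libpng
# copy statically linked into a binary and compare its version to a threshold.
# libpng builds its banner "libpng version 1.x.y - <date>" into whatever
# object it is compiled into, so a bundled copy carries it even though no
# libpng.so appears in `ldd` output. Absence of the banner is not proof that
# no copy is present; it only means this quick check cannot see one.

# Print the libpng version found in FILE (first banner only), or nothing.
bundled_libpng_version() {
    # -a treats the binary as text, -o prints only the matched part,
    # -m1 stops at the first hit; awk keeps just the dotted version.
    LC_ALL=C grep -a -o -m1 'libpng version [0-9][0-9.]*' "$1" 2>/dev/null |
        awk '{print $3}'
}

# Dotted-version compare without GNU sort -V: true when $1 >= $2.
version_ge() {
    smallest=$(printf '%s\n%s\n' "$2" "$1" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$smallest" = "$2" ]
}

# Audit FILE against MINVER (the caller's idea of the first fixed version).
# Exit status: 0 bundled copy is at or above MINVER, 1 bundled copy is
# older (vulnerable), 2 no banner found (likely uses the system libpng).
audit_bundled_libpng() {
    file=$1
    minver=$2
    ver=$(bundled_libpng_version "$file")
    if [ -z "$ver" ]; then
        echo "$file: no embedded libpng banner (probably uses the system libpng)"
        return 2
    fi
    if version_ge "$ver" "$minver"; then
        echo "$file: bundles libpng $ver (>= $minver, fixed)"
        return 0
    fi
    echo "$file: bundles libpng $ver (< $minver, VULNERABLE)"
    return 1
}

# Demo on a constructed sample: a fake shared object carrying an old banner.
# Both version numbers here are made up for the example; on a real system
# point the function at the libraries inside the -bin install directory.
demo=$(mktemp)
printf '\177ELF\001\001\000libpng version 1.5.4 - July 7, 2011\000' > "$demo"
audit_bundled_libpng "$demo" 1.5.9 || :
rm -f "$demo"
```

Run it over every ELF object the binary package installs, not just the main executable, since the bundled copy usually sits in the browser's own shared library. A clean result from `ldd` alone says nothing here: that lists only dynamically linked dependencies, and the whole problem with the -bin packages is that the vulnerable code is linked in statically.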
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-21 05:43:21 UTC
All the relevant -bin packages are in the tree. Should we work on getting them stabilised and turn this into a STABLEREQ bug?
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-02-21 05:47:36 UTC
(In reply to comment #3)
> All the relevant -bin packages are in the tree. Should we work on getting them
> stabilised and turn this into a STABLEREQ bug?

Yep, thank you.

Arches, please test and mark stable:
=www-client/firefox-bin-10.0.2
Target keywords : "amd64 x86"

=mail-client/thunderbird-bin-10.0.2
Target keywords : "amd64 x86"

=www-client/seamonkey-bin-2.7.2
Target keywords : "amd64 x86"
Comment 5 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-21 07:11:17 UTC
Created attachment 302671
QA Notices
Comment 6 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-21 07:13:51 UTC
amd64:

Attached above are the QA notices for all three packages. Can those be fixed on the fly?

Other than that, packages pass.
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-21 07:18:17 UTC
x86 stable
Comment 8 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-21 07:19:39 UTC
(In reply to comment #6)
> amd64:
> 
> Attached above are the QA notices for all three packages. Can those be fixed on
> the fly?
> 
> Other than that, packages pass.

Since they're built by Mozilla and not any Gentoo team, AFAIK, they can't be fixed.
Comment 9 Pacho Ramos gentoo-dev 2012-02-21 11:45:01 UTC
(In reply to comment #8)
> (In reply to comment #6)
> > amd64:
> > 
> > Attached above are the QA notices for all three packages. Can those be fixed on
> > the fly?
> > 
> > Other than that, packages pass.
> 
> Since they're built by Mozilla and not any Gentoo team, AFAIK, they can't be
> fixed.

You should be able to skip that warning by setting the QA_FLAGS_IGNORED variable (as I read in "man 5 ebuild").
Comment 10 Agostino Sarubbo gentoo-dev 2012-02-21 11:49:04 UTC
Those QA warnings should be 'hidden' in the mozilla-bin ebuild with QA_DT_HASH.
Comment 11 Maurizio Camisaschi (amd64 AT) 2012-02-21 11:55:50 UTC
amd64 ok
Comment 12 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-22 02:01:22 UTC
QA warnings fixed.
Comment 13 Elijah "Armageddon" El Lazkani (amd64 AT) 2012-02-22 04:05:49 UTC
amd64: pass
Comment 14 Lars Wendler (Polynomial-C) gentoo-dev 2012-02-22 09:48:15 UTC
amd64 stable
Comment 15 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-02-22 09:56:20 UTC
Old (vulnerable) versions removed from the tree.
Comment 16 Tim Sammut (RETIRED) gentoo-dev 2012-02-22 15:41:46 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 17 David 2012-11-28 03:36:29 UTC
Can't this bug be closed since these package versions are no longer in the Portage tree?
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:14 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).