Bug 439960 (CVE-2012-4194) - <mail-client/thunderbird{,-bin}-10.0.10 , <www-client/firefox{,-bin}-10.0.10 , <www-client/seamonkey{-bin}-2.13.2 : location object issues (CVE-2012-{4194,4195,4196})
Status: RESOLVED FIXED
Alias: CVE-2012-4194
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 442704
Depends on: 444318
Blocks: CVE-2012-3982
Reported: 2012-10-28 12:54 UTC by sphakka
Modified: 2013-01-08 01:05 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description sphakka 2012-10-28 12:54:25 UTC
SeaMonkey-2.13.1 has broken functionality for editing address book contacts. See upstream: <https://bugzilla.mozilla.org/show_bug.cgi?id=801615>

Please consider putting version 2.13.2 in test tree, ASAP.
Comment 1 Jory A. Pratt gentoo-dev 2012-10-29 14:36:11 UTC
We are gonna hijack this for security issues as well; both issues are just as important.

MFSA 2012-90 Fixes for Location object issues
MFSA 2012-67 Installer will launch incorrect executable following new installation
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-10-30 00:02:37 UTC
CVE-2012-4196 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4196):
  Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird
  before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before
  2.13.2 allow remote attackers to bypass the Same Origin Policy and read the
  Location object via a prototype property-injection attack that defeats
  certain protection mechanisms for this object.

CVE-2012-4195 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4195):
  The nsLocation::CheckURL function in Mozilla Firefox before 16.0.2, Firefox
  ESR 10.x before 10.0.10, Thunderbird before 16.0.2, Thunderbird ESR 10.x
  before 10.0.10, and SeaMonkey before 2.13.2 does not properly determine the
  calling document and principal in its return value, which makes it easier
  for remote attackers to conduct cross-site scripting (XSS) attacks via a
  crafted web site, and makes it easier for remote attackers to execute
  arbitrary JavaScript code by leveraging certain add-on behavior.

CVE-2012-4194 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4194):
  Mozilla Firefox before 16.0.2, Firefox ESR 10.x before 10.0.10, Thunderbird
  before 16.0.2, Thunderbird ESR 10.x before 10.0.10, and SeaMonkey before
  2.13.2 do not prevent use of the valueOf method to shadow the location
  object (aka window.location), which makes it easier for remote attackers to
  conduct cross-site scripting (XSS) attacks via vectors involving a plugin.
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2012-10-30 08:10:11 UTC
Unfortunately I cannot update seamonkey before November 11th because my dev machine doesn't have internet before that date.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2012-10-30 15:25:04 UTC
Correction: November 9th (not 11th) is when my ISP finally sets up internet at my new home :-/
Comment 5 Ian Stakenvicius gentoo-dev 2012-10-30 18:59:18 UTC
I just committed bumps to the ESR source versions: www-client/firefox-10.0.10 and mail-client/thunderbird-10.0.10
Comment 6 Ian Stakenvicius gentoo-dev 2012-10-31 19:47:49 UTC
Ebuilds for all versions but seamonkey-2.13.2 are now in the tree (I have to leave that one to when PolyC returns).

Arches, please test and mark stable:

=www-client/firefox-10.0.10
Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"

=www-client/firefox-bin-10.0.10
Target keywords : "amd64 x86"

=mail-client/thunderbird-10.0.10
Target keywords : "amd64 ppc ppc64 x86"

=mail-client/thunderbird-bin-10.0.10
Target keywords : "amd64 x86"

=www-client/seamonkey-bin-2.13.2
Target keywords : "amd64 x86"
Comment 7 Jory A. Pratt gentoo-dev 2012-11-01 01:17:58 UTC
(In reply to comment #6)
> Ebuilds for all versions but seamonkey-2.13.2 are now in the tree (I have to
> leave that one to when PolyC returns).
> 
> Arches, please test and mark stable:
> 
> =www-client/firefox-10.0.10
> Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"
> 
> =www-client/firefox-bin-10.0.10
> Target keywords : "amd64 x86"
> 
> =mail-client/thunderbird-10.0.10
> Target keywords : "amd64 ppc ppc64 x86"
> 
> =mail-client/thunderbird-bin-10.0.10
> Target keywords : "amd64 x86"
> 
> =www-client/seamonkey-bin-2.13.2
> Target keywords : "amd64 x86"

Seamonkey-2.13.2 will be added tomorrow evening, I will step up and make the bump for polynomial until his return.
Comment 8 Jory A. Pratt gentoo-dev 2012-11-01 13:43:53 UTC
seamonkey-2.13.2 has been committed to tree.
Comment 9 Agostino Sarubbo gentoo-dev 2012-11-01 14:28:39 UTC
Complete and updated list:

=www-client/firefox-10.0.10
Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"

=www-client/firefox-bin-10.0.10
Target keywords : "amd64 x86"

=mail-client/thunderbird-10.0.10
Target keywords : "amd64 ppc ppc64 x86"

=mail-client/thunderbird-bin-10.0.10
Target keywords : "amd64 x86"

=www-client/seamonkey-2.13.2
Target keywords : "amd64 x86"

=www-client/seamonkey-bin-2.13.2
Target keywords : "amd64 x86"

=dev-libs/nspr-4.9.2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
(amd64, hppa, and x86 are already stable)

=dev-libs/nss-3.13.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
(amd64, hppa, and x86 are already stable)
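As an added illustration, not part of the bug or of Gentoo's own tooling: a Python script that parses a stabilization request list like the one above, lists which atoms a given arch still has to stabilize, and flags whether a constructed test-box inventory still falls inside the affected range named in the bug title. Version ordering follows a simplified form of the Gentoo PMS rules; the INSTALLED inventory is made up for the example.

```python
import re
# First fixed version per package, from the bug title ("<pkg-X": below X is affected).
FIXED = {"www-client/firefox": "10.0.10", "www-client/firefox-bin": "10.0.10",
         "mail-client/thunderbird": "10.0.10", "mail-client/thunderbird-bin": "10.0.10",
         "www-client/seamonkey": "2.13.2", "www-client/seamonkey-bin": "2.13.2"}
SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")

def version_key(version):
    """Sort key in simplified PMS order: numeric parts as integers, then the
    trailing letter, then _suffixes (release sorts above _rc, below _p), then -rN."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("not a Gentoo version: %r" % version)
    nums, letter, suffixes, rev = m.groups()
    ranked = tuple((SUFFIX_RANK[s], int(n or 0))
                   for s, n in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", suffixes))
    return (tuple(map(int, nums.split("."))), letter, ranked or ((0, 0),), int(rev or 0))

def is_vulnerable(package, installed):
    """True when the installed version is below the first fixed version."""
    fixed = FIXED.get(package)
    return fixed is not None and version_key(installed) < version_key(fixed)

def parse_request(text):
    """Parse an 'Arches, please test and mark stable' list into
    {package: [version, set(keywords)]}; any other lines are ignored."""
    atoms, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("="):
            m = re.match(r"=([\w+-]+/[\w+-]+?)-(\d\S*)$", line)
            current, atoms[m.group(1)] = m.group(1), [m.group(2), set()]
        elif line.startswith("Target keywords") and current:
            atoms[current][1] = set(re.search(r'"([^"]*)"', line).group(1).split())
    return atoms

def exposure(request, arch, installed):
    """For one arch: the atoms it must stabilize, with whether the version on its
    test box (installed: package -> version) is still in the affected range."""
    return {pkg: (target, pkg in installed and is_vulnerable(pkg, installed[pkg]))
            for pkg, (target, keywords) in parse_request(request).items()
            if arch in keywords}

# Constructed test-box inventory; the request text is taken from comment 6.
INSTALLED = {"www-client/firefox": "10.0.9", "www-client/seamonkey-bin": "2.13.1-r1"}
REQUEST = """=www-client/firefox-10.0.10
Target keywords : "alpha amd64 arm ia64 ppc ppc64 x86"
=www-client/seamonkey-bin-2.13.2
Target keywords : "amd64 x86"
"""
```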
Comment 10 cyberbat 2012-11-01 20:21:39 UTC
amd64: have successfully compiled
www-client/firefox-10.0.10  USE="alsa dbus ipc libnotify minimal startup-notification webm"

and

mail-client/thunderbird-10.0.10  USE="alsa crypt dbus ipc libnotify lightning minimal startup-notification webm"

Have successfully tested FF on acid3 tests and thunderbird on my mail boxes.

emerge --info:

Are such comments of mine useful, or am I just annoying serious guys? Gonna make the same comment for my x86 boxes tomorrow.
Comment 11 Agostino Sarubbo gentoo-dev 2012-11-03 12:32:02 UTC
amd64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2012-11-11 12:15:02 UTC
*** Bug 442704 has been marked as a duplicate of this bug. ***
Comment 13 Klaus Kusche 2012-11-11 12:27:12 UTC
Why has thunderbird not been updated to 16.0.2?
Firefox has been updated, thunderbird-bin has been updated,
thunderbird-ESR has been updated, thunderbird is missing?
Comment 14 Sean Amoss gentoo-dev Security 2012-11-15 19:53:09 UTC
*** Bug 442704 has been marked as a duplicate of this bug. ***
Comment 15 Ian Stakenvicius gentoo-dev 2012-11-17 17:44:05 UTC
(In reply to comment #13)
> Why has thunderbird not been updated to 16.0.2?
> Firefox has been updated, thunderbird-bin has been updated,
> thunderbird-ESR has been updated, thunderbird is missing?

...I don't know.  Personally, I've been waiting for a fix that upstream should accept "any day now" for bug 439148 (I wanted to avoid the revbump).  But since as of now the ETA for that is still unknown, I guess I'll commit something when I have access again on Monday.
Comment 16 Sean Amoss gentoo-dev Security 2012-11-26 02:04:55 UTC
Arches, please continue in bug 444318.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:05:50 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).