Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 460818 (CVE-2013-0787) - <mail-client/thunderbird{,-bin}-17.0.4, <www-client/firefox{,-bin}-17.0.4, <www-client/seamonkey{,-bin}-2.16.2 : use-after-free in nsHTMLEditor when using execCommand() (CVE-2013-0787)
Summary: <mail-client/thunderbird{,-bin}-17.0.4, <www-client/firefox{,-bin}-17.0.4, <w...
Status: RESOLVED FIXED
Alias: CVE-2013-0787
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: Normal major with 1 vote (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/security/anno...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 464226
Blocks: CVE-2013-0783
  Show dependency tree
 
Reported: 2013-03-08 19:26 UTC by Alex Xu (Hello71)
Modified: 2013-09-30 00:29 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Xu (Hello71) 2013-03-08 19:26:41 UTC
See summary, URL.
Comment 1 Alex Xu (Hello71) 2013-03-08 19:31:38 UTC
Sorry about the spam.
Comment 2 Ian Stakenvicius gentoo-dev 2013-03-08 21:56:59 UTC
Bumped ebuilds in the tree for thunderbird{,-bin}{,esr} and firefox{,-bin}{,esr}, except for firefox-19.0.2 as there is an arm patch i'm trying to test build and I want to get that in place before committing; that will be delayed 6 to 12 hours.

Seamonkey ebuilds will come soon (tho not by me); seamonkey-bin-16.0.1 doesn't seem to be available upstream yet.

CCing arches, please stabilize as below:

=www-client/firefox-17.0.4
Target KEYWORDS: "alpha amd64 arm ia64 ppc ppc64 x86"

=www-client/firefox-bin-17.0.4
Target KEYWORDS: "amd64 x86"

=mail-client/thunderbird-17.0.4
Target KEYWORDS: "amd64 arm ppc ppc64 x86"

=mail-client/thunderbird-bin-17.0.4
Target KEYWORDS: "amd64 x86"


(Note some of these stabilizations are continuations from bug 450940)
Comment 3 Alex Xu (Hello71) 2013-03-11 15:42:33 UTC
It's been more than 6 to 12 hours.
Comment 4 Ian Stakenvicius gentoo-dev 2013-03-11 17:04:46 UTC
*firefox-19.0.2 (11 Mar 2013)

  11 Mar 2013; Ian Stakenvicius <axs@gentoo.org> +firefox-19.0.2.ebuild,
  -firefox-19.0.ebuild:
  version bump 19.x for security bug 460818, remove old
Comment 5 Alex Xu (Hello71) 2013-03-11 23:59:41 UTC
=mail-client/thunderbird-17.0.4
Target KEYWORDS: "amd64 arm ppc ppc64 x86 ~x86-fbsd ~amd64-linux ~x86-linux"

=mail-client/thunderbird-bin-17.0.4
Target KEYWORDS: "amd64 x86"

=www-client/firefox-17.0.4
Target KEYWORDS: "alpha amd64 arm ia64 ppc ppc64 x86 ~amd64-linux ~x86-linux"

=www-client/firefox-bin-17.0.4
Target KEYWORDS: "amd64 x86"

=www-client/seamonkey-2.16.1
Target KEYWORDS: "amd64 ~arm ~ppc ~ppc64 x86"

=www-client/seamonkey-bin-2.16.1
Target KEYWORDS: "amd64 x86"

(from bug 458390)
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2013-03-13 10:37:59 UTC
seamonkey{,-bin}-2.16.2 comitted.
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-13 10:44:01 UTC
=mail-client/thunderbird-17.0.4
Target KEYWORDS: "amd64 arm ppc ppc64 x86"

=mail-client/thunderbird-bin-17.0.4
Target KEYWORDS: "amd64 x86"

=www-client/firefox-17.0.4
Target KEYWORDS: "alpha amd64 arm ia64 ppc ppc64 x86"

=www-client/firefox-bin-17.0.4
Target KEYWORDS: "amd64 x86"

=www-client/seamonkey-2.16.2
Target KEYWORDS: "amd64 x86"

=www-client/seamonkey-bin-2.16.2
Target KEYWORDS: "amd64 x86"
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-13 17:02:01 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-03-13 17:04:04 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-03-14 07:16:57 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-03-14 15:08:30 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-03-14 15:12:41 UTC
ppc64 stable
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2013-03-21 18:45:29 UTC
CVE-2013-0787 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0787):
  Use-after-free vulnerability in the nsEditor::IsPreformatted function in
  editor/libeditor/base/nsEditor.cpp in Mozilla Firefox before 19.0.2, Firefox
  ESR 17.x before 17.0.4, Thunderbird before 17.0.4, Thunderbird ESR 17.x
  before 17.0.4, and SeaMonkey before 2.16.1 allows remote attackers to
  execute arbitrary code via vectors involving an execCommand call.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2013-09-30 00:29:09 UTC
This issue was resolved and addressed in
 GLSA 201309-23 at http://security.gentoo.org/glsa/glsa-201309-23.xml
by GLSA coordinator Chris Reffett (creffett).