Fixed in Firefox ESR 17.0.9 MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object MFSA 2013-90 Memory corruption involving scrolling MFSA 2013-89 Buffer overflow with multi-column, lists, and floats MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9) MFSA 2013-65 Buffer underflow when generating CRMF requests Fixed in Thunderbird ESR 17.0.9 MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object MFSA 2013-90 Memory corruption involving scrolling MFSA 2013-89 Buffer overflow with multi-column, lists, and floats MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9) Fixed in SeaMonkey 2.21 MFSA 2013-92 GC hazard with default compartments and frame chain restoration MFSA 2013-91 User-defined properties on DOM proxies get the wrong "this" object MFSA 2013-90 Memory corruption involving scrolling MFSA 2013-89 Buffer overflow with multi-column, lists, and floats MFSA 2013-88 compartment mismatch re-attaching XBL-backed nodes MFSA 2013-85 Uninitialized data in IonMonkey MFSA 2013-83 Mozilla Updater does not lock MAR file after signature verification MFSA 2013-82 Calling scope for new Javascript objects can lead to memory corruption MFSA 2013-81 Use-after-free with select element MFSA 2013-80 NativeKey continues handling key messages after widget is destroyed MFSA 2013-79 Use-after-free in Animation Manager during stylesheet cloning MFSA 2013-78 Integer overflow in ANGLE library MFSA 2013-77 Improper state in HTML5 Tree Builder with templates MFSA 2013-76 Miscellaneous memory safety hazards (rv:24.0 / rv:17.0.9)
Got a MFSA->CVE mapping available? Memory issues sounds like DoS, calling this A3 from a quick glance. Could be A2/A1 if there's code execution.
+*seamonkey-2.21 (18 Sep 2013) + + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.21.ebuild, + metadata.xml: + Security bump (bug #485258). +
(In reply to Lars Wendler (Polynomial-C) from comment #2) > +*seamonkey-2.21 (18 Sep 2013) > + > + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> > +seamonkey-2.21.ebuild, > + metadata.xml: > + Security bump (bug #485258). > + Good. Please tell us when it would be ready for stabilization
Err, misread the Summary, please ignore my previous comment. Still waiting for ebuilds...
(In reply to Chris Reffett from comment #1) > Got a MFSA->CVE mapping available? Memory issues sounds like DoS, calling > this A3 from a quick glance. Could be A2/A1 if there's code execution. I'm on it...
_axs_ is working on a CVE mapping now, but he's found at least one that leads to arbitrary code execution. Re-classifying as A1.
+*firefox-17.0.9 (18 Sep 2013) + + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> -firefox-17.0.5.ebuild, + -firefox-17.0.6.ebuild, -firefox-17.0.7.ebuild, +firefox-17.0.9.ebuild: + Security bump (bug #485258). Removed old. + +*seamonkey-bin-2.21 (18 Sep 2013) + + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> + +seamonkey-bin-2.21.ebuild: + Security bump (bug #485258). + +*firefox-bin-24.0 (18 Sep 2013) +*firefox-bin-17.0.9 (18 Sep 2013) + + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> + -firefox-bin-17.0.5-r1.ebuild, -firefox-bin-17.0.6.ebuild, + -firefox-bin-17.0.7.ebuild, +firefox-bin-17.0.9.ebuild, + +firefox-bin-24.0.ebuild: + Security bump (bug #485258). Removed old. + +*thunderbird-17.0.9 (18 Sep 2013) + + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> + -thunderbird-17.0.5.ebuild, -thunderbird-17.0.6.ebuild, + -thunderbird-17.0.7.ebuild, -thunderbird-17.0.7-r1.ebuild, + +thunderbird-17.0.9.ebuild: + Security bump (bug #485258). Removed old. + +*thunderbird-bin-17.0.9 (18 Sep 2013) + + 18 Sep 2013; Lars Wendler <polynomial-c@gentoo.org> + -thunderbird-bin-17.0.5.ebuild, -thunderbird-bin-17.0.6.ebuild, + -thunderbird-bin-17.0.7.ebuild, +thunderbird-bin-17.0.9.ebuild: + Security bump (bug #485258). Removed old. +
Fixed in Firefox ESR 17.0.9: CVE-2013-17{05,18,22,25,26,30,32,35,36,37} Fixed in Thunderbird ESR 17.0.9: CVE-2013-17{18,22,25,26,30,32,35,36,37} Fixed in SeaMonkey 2.21 CVE-2013-17{18,19,20,21,22,23,24,25,26,28,30,32,35,36,37,38} Note - CVE-2003-1721 only effects windows ----- Note for when mozilla-24 goes stable, since it is the next ESR -- don't know how you want to handle this though (split to new bug, later, maybe?) Fixed Additionally in Firefox 24.0: CVE-2013-17{19,20,23,24,38} Fixed Additionally in Thunderbird 24.0: CVE-2013-17{19,20,23,24,38}
Thank you Ian. @maintainers: are we good to stable the newly bumped packages?
CVE-2013-1738 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1738): Use-after-free vulnerability in the JS_GetGlobalForScopeChain function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code by leveraging incorrect garbage collection in situations involving default compartments and frame-chain restoration. CVE-2013-1737 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1737): Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly identify the "this" object during use of user-defined getter methods on DOM proxies, which might allow remote attackers to bypass intended access restrictions via vectors involving an expando object. CVE-2013-1736 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1736): The nsGfxScrollFrameInner::IsLTR function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to improperly establishing parent-child relationships of range-request nodes. CVE-2013-1735 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1735): Use-after-free vulnerability in the mozilla::layout::ScrollbarActivity function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code via vectors related to image-document scrolling. CVE-2013-1732 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1732): Buffer overflow in the nsFloatManager::GetFlowArea function in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code via crafted use of lists and floats within a multi-column layout. CVE-2013-1730 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1730): Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not properly handle movement of XBL-backed nodes between documents, which allows remote attackers to execute arbitrary code or cause a denial of service (JavaScript compartment mismatch, or assertion failure and application exit) via a crafted web site. CVE-2013-1728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1728): The IonMonkey JavaScript engine in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21, when Valgrind mode is used, does not properly initialize memory, which makes it easier for remote attackers to obtain sensitive information via unspecified vectors. CVE-2013-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1726): Mozilla Updater in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 does not ensure exclusive access to a MAR file, which allows local users to gain privileges by creating a Trojan horse file after MAR signature verification but before MAR use. CVE-2013-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1725): Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 do not ensure that initialization occurs for JavaScript objects with compartments, which allows remote attackers to execute arbitrary code by leveraging incorrect scope handling. CVE-2013-1724 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1724): Use-after-free vulnerability in the mozilla::dom::HTMLFormElement::IsDefaultSubmitElement function in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving a destroyed SELECT element. CVE-2013-1723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1723): The NativeKey widget in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 processes key messages after destruction by a dispatched event listener, which allows remote attackers to cause a denial of service (application crash) by leveraging incorrect event usage after widget-memory reallocation. CVE-2013-1722 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1722): Use-after-free vulnerability in the nsAnimationManager::BuildAnimations function in the Animation Manager in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via vectors involving stylesheet cloning. CVE-2013-1720 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1720): The nsHtml5TreeBuilder::resetTheInsertionMode function in the HTML5 Tree Builder in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 does not properly maintain the state of the insertion-mode stack for template elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer over-read) by triggering use of this stack in its empty state. CVE-2013-1719 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1719): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Thunderbird before 24.0, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2013-1718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1718): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 24.0, Firefox ESR 17.x before 17.0.9, Thunderbird before 24.0, Thunderbird ESR 17.x before 17.0.9, and SeaMonkey before 2.21 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
ACK from anarchy. Arch teams, please test and mark stable: =www-client/firefox-17.0.9 Target arches: amd64 arm ppc ppc64 x86 =mail-client/thunderbird-17.0.9 Target arches: amd64 arm ppc ppc64 x86 =www-client/seamonkey-2.21 Target arches: amd64 x86 =www-client/firefox-bin-17.0.9 Target arches: amd64 x86 =mail-client/thunderbird-bin-17.0.9 Target arches: amd64 x86 =www-client/seamonkey-bin-2.21 Target arches: amd64 x86
amd64 stable
x86 stable
arm stable
ppc stable
ppc64 stable
Added to existing GLSA draft.
This issue was resolved and addressed in GLSA 201309-23 at http://security.gentoo.org/glsa/glsa-201309-23.xml by GLSA coordinator Chris Reffett (creffett).
