Bug 509050 (CVE-2014-1492) - <www-client/firefox{,-bin}-{24.5,29}, <www-client/seamonkey{,-bin}-2.26, mail-client/thunderbird{,-bin}-24.5: multiple vulnerabilities (CVE-2014-{1492,1518,1519,1520,1522,1523,1524,1525,1526,1529,1530,1531,1532})
Summary: <www-client/firefox{,-bin}-{24.5,29}, <www-client/seamonkey{,-bin}-2.26, mail...
Status: RESOLVED FIXED
Alias: CVE-2014-1492
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: AMD64 Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa glsa]
Keywords:
Duplicates: 509188
Depends on: CVE-2015-0819
Blocks:
Reported: 2014-04-29 11:18 UTC by Rinaldus
Modified: 2015-04-07 10:18 UTC
CC: 6 users

See Also:
Package list:
Runtime testing required: ---


Description Rinaldus 2014-04-29 11:18:45 UTC
Please, bump firefox-bin to version 29. Here's working ebuild: http://pastebin.com/4P2i0RAf

Reproducible: Always
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2014-04-29 11:24:03 UTC
Please attach unified diffs (diff -u) to bugzilla when you did changes to an ebuild. That would be much more handy for our devs.
Comment 2 Rinaldus 2014-04-29 11:48:45 UTC
I didn't modify ebuild, I took latest ebuild from firefox-bin-28-r1 and renamed it to firefox-bin-29-r1. It works for version 29.
Comment 3 Ian Stakenvicius gentoo-dev 2014-04-29 13:21:16 UTC
Thank you for the submission; we're going a different way with the mozilla ebuilds and eclasses starting with version 29, however.

Version bumps will be in the tree shortly.


FYI, if all you need to do is rename the ebuild to a new version, this is called a "trivial bump", and generally you just need to state as such (that you just renamed the ebuild) rather than attaching a file. Thank you for contributing, though; please keep it up!
Comment 4 Jory A. Pratt gentoo-dev 2014-04-30 02:45:14 UTC
Source build is in the overlay, I need to double check the deps then we can move it to the tree. You will also find tb-24.5 in the overlay; it will move to the tree at the same time.
Comment 5 Agostino Sarubbo gentoo-dev 2014-04-30 07:34:35 UTC
April 29, 2014

MFSA 2014-47 Debugger can bypass XrayWrappers with JavaScript
MFSA 2014-46 Use-after-free in nsHostResolve
MFSA 2014-45 Incorrect IDNA domain name matching for wildcard certificates
MFSA 2014-44 Use-after-free in imgLoader while resizing images
MFSA 2014-43 Cross-site scripting (XSS) using history navigations
MFSA 2014-42 Privilege escalation through Web Notification API
MFSA 2014-41 Out-of-bounds write in Cairo
MFSA 2014-40 Firefox for Android addressbar suppression
MFSA 2014-39 Use-after-free in the Text Track Manager for HTML video
MFSA 2014-38 Buffer overflow when using non-XBL object as XBL
MFSA 2014-37 Out of bounds read while decoding JPG images
MFSA 2014-36 Web Audio memory corruption issues
MFSA 2014-35 Privilege escalation through Mozilla Maintenance Service Installer
MFSA 2014-34 Miscellaneous memory safety hazards (rv:29.0 / rv:24.5)
Comment 6 Thomas Capricelli 2014-04-30 14:15:28 UTC
I don't understand. The bug was about bumping firefox to version 29, why was the title totally changed to security fixes for several packages ??
Comment 7 Alex Xu (Hello71) 2014-04-30 15:07:09 UTC

*** This bug has been marked as a duplicate of bug 509188 ***
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-04-30 15:37:37 UTC
*** Bug 509188 has been marked as a duplicate of this bug. ***
Comment 9 Thomas Capricelli 2014-04-30 17:32:32 UTC
509188 is not a duplicate ?? This ticket is about bumping firefox version to the recently released '29' ??
Comment 10 Ian Stakenvicius gentoo-dev 2014-04-30 19:10:16 UTC
(In reply to Thomas Capricelli from comment #9)
> 509188 is not a duplicate ?? This ticket is about bumping firefox version to
> the recently released '29' ??

This ticket was filed for version-bumping.  That's effectively what security tickets are for, too, they just have more information about things that are wrong with the older versions.  This bug *is* the one to track for firefox-29 entering the tree, and you can unsubscribe once that happens if the rest of the notices are too noisy for you.
Comment 11 Thomas Capricelli 2014-05-01 01:41:07 UTC
Ok, but how will people know ?

I for example, as a careful bugtracker user, first checked if such a bug existed and then just added myself to cc list.

Now that title is changed, people will not understand that hidden behind security stuff there's what they're looking for.
Comment 12 nE0sIghT 2014-05-01 06:20:34 UTC
(In reply to Thomas Capricelli from comment #11)
> Ok, but how will people know ?

This was no problem for me

(In reply to Jory A. Pratt from comment #4)
> Source build is in the overlay

FF & TB from mozilla-overlay build and work fine on amd64
Comment 13 Jory A. Pratt gentoo-dev 2014-05-01 13:30:42 UTC
Everything is in the tree except seamonkey{-bin}-2.26 which has not made its final release. Soon as that happens we will be able to move forward with stabilizing.
Comment 14 Lars Wendler (Polynomial-C) gentoo-dev 2014-05-03 06:34:34 UTC
+*seamonkey-2.26 (03 May 2014)
+
+  03 May 2014; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.26.ebuild,
+  +files/pixman-supplement.patch:
+  Security bump (bug #509050).
+
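Review bot: The seamonkey-2.26 entry adds the new ebuild and files/pixman-supplement.patch but records no removal of older seamonkey ebuilds, so the versions this bug lists as vulnerable remain installable from the tree until a separate cleanup; if the old versions are deliberately kept until stabilization, state that in the entry (for example "Old versions to be removed once 2.26 is stable") so the cleanup is not forgotten.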

+*seamonkey-bin-2.26 (03 May 2014)
+
+  03 May 2014; Lars Wendler <polynomial-c@gentoo.org>
+  -seamonkey-bin-2.24.ebuild, +seamonkey-bin-2.26.ebuild:
+  Security bump (bug #509050). Removed old.
+
Comment 15 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-04 21:59:25 UTC
Arches, please test and mark stable:

=www-client/firefox-{24.5,29}
Target Keywords: "amd64 hppa ppc ppc64 x86"

=mail-client/thunderbird-24.5

Target Keywords: "amd64 ppc ppc64 x86"

=www-client/firefox-bin-{24.5,29}
=www-client/seamonkey-2.26
=www-client/seamonkey-bin-2.26
=mail-client/thunderbird-bin-24.5

Target Keywords : "amd64 x86"

Thank you!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-04 22:12:39 UTC
With the Long list of bugs comes a long list of CVE's, and URL's as a reference.

CVE-2014-{1492,1518,1519,1520,1522,1523,1524,1525,1526,1527,1528,1529,1530,1531,1532}

Seamonkey URL:
http://www.mozilla.org/security/known-vulnerabilities/seamonkey.html

Thunderbird:
https://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

Firefox:
https://www.mozilla.org/security/known-vulnerabilities/firefox.html
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
Comment 17 Jeroen Roovers gentoo-dev 2014-05-05 14:06:49 UTC
Stable for HPPA.
Comment 18 Agostino Sarubbo gentoo-dev 2014-05-06 08:03:02 UTC
(In reply to Yury German from comment #15)
> Arches, please test and mark stable:
> 
> =www-client/firefox-{24.5,29}
> Target Keywords: "amd64 hppa ppc ppc64 x86"
> 
> =mail-client/thunderbird-24.5
> 
> Target Keywords: "amd64 ppc ppc64 x86"
> 
> =www-client/firefox-bin-{24.5,29}
> =www-client/seamonkey-2.26
> =www-client/seamonkey-bin-2.26
> =mail-client/thunderbird-bin-24.5
> 
> Target Keywords : "amd64 x86"
> 
> Thank you!

Please be careful with the target keywords. Firefox and Thunderbird are stable on arm.
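The check comment 18 is asking for, as an added example that is not part of this bug or of Gentoo's tooling: parse a stabilization request of the form used in comment 15 and compare the requested arches per package against the KEYWORDS of the ebuild that is currently stable, reporting any arch that is stable today but missing from the request (a user on that arch would otherwise stay on the vulnerable version). The request text below is the one from comment 15; the KEYWORDS values in `CURRENT_STABLE_EBUILDS` are constructed for the example and are not the real ebuilds.

```python
import re

# "=cat/pkg-version" lines; the package name ends before the first "-<digit>" or "-{"
ATOM_RE = re.compile(r"^=(\S+?)-(?=[0-9{])")
# 'Target Keywords: "amd64 x86"' (tolerates a space before the colon)
TARGET_RE = re.compile(r'^Target Keywords\s*:\s*"([^"]*)"')
# KEYWORDS="..." line inside an ebuild
KEYWORDS_RE = re.compile(r'^\s*KEYWORDS="([^"]*)"', re.M)

# Request text copied from comment 15 of this bug.
STABLE_REQUEST = """
Arches, please test and mark stable:

=www-client/firefox-{24.5,29}
Target Keywords: "amd64 hppa ppc ppc64 x86"

=mail-client/thunderbird-24.5

Target Keywords: "amd64 ppc ppc64 x86"

=www-client/firefox-bin-{24.5,29}
=www-client/seamonkey-2.26
=www-client/seamonkey-bin-2.26
=mail-client/thunderbird-bin-24.5

Target Keywords : "amd64 x86"

Thank you!
"""

# Constructed KEYWORDS lines standing in for the currently stable ebuilds
# (assumption for the example; not the real files in the tree).
CURRENT_STABLE_EBUILDS = {
    "www-client/firefox": 'KEYWORDS="amd64 arm hppa ppc ppc64 x86"',
    "mail-client/thunderbird": 'KEYWORDS="amd64 arm ppc ppc64 x86"',
    "www-client/firefox-bin": 'KEYWORDS="amd64 x86"',
}


def parse_request(text):
    """Map each package named in a stabilization request to its requested arches.

    Atom lines accumulate until the next 'Target Keywords' line, which applies
    to every atom listed since the previous target line.
    """
    targets, pending = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = ATOM_RE.match(line)
        if m:
            pending.append(m.group(1))
            continue
        m = TARGET_RE.match(line)
        if m:
            arches = set(m.group(1).split())
            for pkg in pending:
                targets[pkg] = arches
            pending = []
    return targets


def stable_arches(ebuild_text):
    """Arches marked stable in an ebuild: keywords without a leading '~' or '-'."""
    m = KEYWORDS_RE.search(ebuild_text)
    if not m:
        return set()
    return {k for k in m.group(1).split() if not k.startswith(("~", "-"))}


def find_dropped_arches(request_text, current_ebuilds):
    """Per package, arches that are stable now but absent from the request."""
    targets = parse_request(request_text)
    dropped = {}
    for pkg, ebuild in current_ebuilds.items():
        missing = stable_arches(ebuild) - targets.get(pkg, set())
        if missing:
            dropped[pkg] = sorted(missing)
    return dropped


def check_request():
    """Run the check on the comment 15 request against the constructed ebuilds."""
    return find_dropped_arches(STABLE_REQUEST, CURRENT_STABLE_EBUILDS)


if __name__ == "__main__":
    for pkg, arches in check_request().items():
        print(f"{pkg}: stable on {' '.join(arches)} but not in the request")
```

With the constructed KEYWORDS, the check flags `arm` for both www-client/firefox and mail-client/thunderbird, which is exactly the omission comment 18 points out; a package that appears in the request with all of its stable arches, such as www-client/firefox-bin here, is not reported.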
Comment 19 Agostino Sarubbo gentoo-dev 2014-05-07 15:24:35 UTC
amd64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2014-05-07 15:25:26 UTC
x86 stable
Comment 21 Fabian Köster 2014-05-07 17:13:37 UTC
I am a little bit surprised that you started stabilizing non-esr versions. Is there any special reason for this?
Comment 22 Lars Wendler (Polynomial-C) gentoo-dev 2014-05-07 18:10:11 UTC
(In reply to Fabian Köster from comment #21)
> I am little bit surprised that you started stabilizing non-esr versions. Is
> there any special reason for this?

Dunno. This was not authorized by mozilla team and thus I have reverted stabilization of firefox-29.
Comment 23 Lars Wendler (Polynomial-C) gentoo-dev 2014-05-07 18:27:56 UTC
Remaining arches, please test and only mark stable the versions given here:

=www-client/firefox-24.5
Target Keywords: "amd64 hppa ppc ppc64 x86"

=mail-client/thunderbird-24.5

Target Keywords: "amd64 ppc ppc64 x86"

=www-client/firefox-bin-24.5
=www-client/seamonkey{,-bin}-2.26
=mail-client/thunderbird-bin-24.5

Target Keywords : "amd64 x86"
Comment 24 Stephan Hartmann 2014-05-08 11:57:32 UTC
Without adding back amd64 and x86 you won't see much progress here ...
Comment 25 Agostino Sarubbo gentoo-dev 2014-05-08 13:23:17 UTC
There was just a misunderstanding between all.

amd64 and x86 stable.
Comment 26 Agostino Sarubbo gentoo-dev 2014-05-10 14:05:59 UTC
ppc stable
Comment 27 Agostino Sarubbo gentoo-dev 2014-05-11 08:10:21 UTC
ppc64 stable
Comment 28 Jory A. Pratt gentoo-dev 2014-05-14 23:44:33 UTC
Please ensure you are marking all ebuilds that are required at once so we do not need to add arches back. Thunderbird-24.5.0 has not been marked stable when it is required for security reasons.
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2014-06-08 01:07:32 UTC
CVE-2014-1532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1532):
  Use-after-free vulnerability in the
  nsHostResolver::ConditionallyRefreshRecord function in libxul.so in Mozilla
  Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5,
  and SeaMonkey before 2.26 allows remote attackers to execute arbitrary code
  or cause a denial of service (heap memory corruption) via vectors related to
  host resolution.

CVE-2014-1531 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1531):
  Use-after-free vulnerability in the
  nsGenericHTMLElement::GetWidthHeightForImage function in Mozilla Firefox
  before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and
  SeaMonkey before 2.26 allows remote attackers to execute arbitrary code or
  cause a denial of service (heap memory corruption) via vectors involving an
  imgLoader object that is not properly handled during an image-resize
  operation.

CVE-2014-1530 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1530):
  The docshell implementation in Mozilla Firefox before 29.0, Firefox ESR 24.x
  before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows
  remote attackers to trigger the loading of a URL with a spoofed baseURI
  property, and conduct cross-site scripting (XSS) attacks, via a crafted web
  site that performs history navigation.

CVE-2014-1529 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1529):
  The Web Notification API in Mozilla Firefox before 29.0, Firefox ESR 24.x
  before 24.5, Thunderbird before 24.5, and SeaMonkey before 2.26 allows
  remote attackers to bypass intended source-component restrictions and
  execute arbitrary JavaScript code in a privileged context via a crafted web
  page for which Notification.permission is granted.

CVE-2014-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1526):
  The XrayWrapper implementation in Mozilla Firefox before 29.0 and SeaMonkey
  before 2.26 allows user-assisted remote attackers to bypass intended access
  restrictions via a crafted web site that is visited in the debugger, leading
  to unwrapping operations and calls to DOM methods on the unwrapped objects.

CVE-2014-1525 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1525):
  The mozilla::dom::TextTrack::AddCue function in Mozilla Firefox before 29.0
  and SeaMonkey before 2.26 does not properly perform garbage collection for
  Text Track Manager variables, which allows remote attackers to execute
  arbitrary code or cause a denial of service (use-after-free and heap memory
  corruption) via a crafted VIDEO element in an HTML document.

CVE-2014-1524 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1524):
  The nsXBLProtoImpl::InstallImplementation function in Mozilla Firefox before
  29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and SeaMonkey
  before 2.26 does not properly check whether objects are XBL objects, which
  allows remote attackers to execute arbitrary code or cause a denial of
  service (buffer overflow) via crafted JavaScript code that accesses a
  non-XBL object as if it were an XBL object.

CVE-2014-1523 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1523):
  Heap-based buffer overflow in the read_u32 function in Mozilla Firefox
  before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5, and
  SeaMonkey before 2.26 allows remote attackers to cause a denial of service
  (out-of-bounds read and application crash) via a crafted JPEG image.

CVE-2014-1522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1522):
  The mozilla::dom::OscillatorNodeEngine::ComputeCustom function in the Web
  Audio subsystem in Mozilla Firefox before 29.0 and SeaMonkey before 2.26
  allows remote attackers to execute arbitrary code or cause a denial of
  service (out-of-bounds read, memory corruption, and application crash) via
  crafted content.

CVE-2014-1519 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1519):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 29.0 and SeaMonkey before 2.26 allow remote attackers to
  cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.

CVE-2014-1518 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1518):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 29.0, Firefox ESR 24.x before 24.5, Thunderbird before 24.5,
  and SeaMonkey before 2.26 allow remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.
Comment 30 Agostino Sarubbo gentoo-dev 2014-06-08 09:50:48 UTC
Could I have a full list with real/existent versions in the tree?
Comment 31 Agostino Sarubbo gentoo-dev 2014-06-08 13:04:04 UTC
Thunderbird is now stable on both x86/amd64.
Comment 32 GLSAMaker/CVETool Bot gentoo-dev 2014-10-11 21:03:29 UTC
CVE-2014-1492 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1492):
  The cert_TestHostName function in lib/certdb/certdb.c in the
  certificate-checking implementation in Mozilla Network Security Services
  (NSS) before 3.16 accepts a wildcard character that is embedded in an
  internationalized domain name's U-label, which might allow man-in-the-middle
  attackers to spoof SSL servers via a crafted certificate.
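As an added illustration of the hostname-matching rule CVE-2014-1492 concerns (this is example code, not NSS's `cert_TestHostName` nor anything from this bug): a strict matcher that accepts a wildcard only when it is the entire leftmost label, which by construction rejects a `*` embedded inside an IDN A-label (`xn--...`) or U-label, in line with RFC 6125 section 6.4.3. The function names, the decision to refuse partial-label wildcards such as `w*w.example.com`, and the sample identifiers are the example's own choices.

```python
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def normalize_name(name):
    """Lower-case, drop a trailing dot, and convert U-labels to A-labels (xn--)."""
    name = name.strip().rstrip(".")
    if not name.isascii():
        # Python's idna codec leaves pure-ASCII labels such as '*' unchanged
        name = name.encode("idna").decode("ascii")
    return name.lower()


def wildcard_matches(presented, hostname):
    """Return True if the certificate identifier `presented` matches `hostname`."""
    p = normalize_name(presented)
    h = normalize_name(hostname)
    if not p or not h or "*" in h:
        return False
    if "*" not in p:
        return p == h                      # plain identifier: exact match only
    p_labels = p.split(".")
    h_labels = h.split(".")
    # Accept only a bare '*' as the whole leftmost label. This one rule rejects
    # 'w*w.example.com', a wildcard in a deeper label, and a wildcard embedded
    # in an A-label such as 'xn--caf*-dma.example.com' (the CVE-2014-1492 shape).
    if p.count("*") != 1 or p_labels[0] != "*":
        return False
    # '*.com' would match every second-level domain: require two fixed labels.
    if len(p_labels) < 3:
        return False
    # The fixed labels must themselves be well-formed.
    if not all(_LABEL_RE.match(label) for label in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label, never for 'a.b'.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


if __name__ == "__main__":
    checks = [
        ("*.example.com", "www.example.com"),
        ("*.example.com", "a.b.example.com"),
        ("xn--caf*-dma.example.com", "xn--caf-dma.example.com"),
        ("*.xn--bcher-kva.example", "shop.b\u00fccher.example"),
    ]
    for presented, host in checks:
        print(f"{presented:32} {host:30} -> {wildcard_matches(presented, host)}")
```

Converting both names to A-labels before comparing is what makes the embedded-wildcard case straightforward: once the leftmost label must be exactly `*`, there is no way for a `*` to hide inside a punycode label, and U-label input such as `shop.bücher.example` is compared against its `xn--bcher-kva` form.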
Comment 33 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-28 23:08:29 UTC
Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin} under the latest bug 531408 which is undergoing stabilization with each bug either needing cleanup or some stabilization.
Comment 34 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-04 01:17:48 UTC
Setting blocker to Bug 541506, stabilization of version: 31.5.0

Arm stabilization was not completed as part of this build.
Comment 35 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-06 05:50:44 UTC
Added to an existing GLSA Request.
Comment 36 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:18:23 UTC
This issue was resolved and addressed in GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01 by GLSA coordinator Kristian Fiskerstrand (K_F).