Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 512896 (CVE-2014-1533) - <www-client/firefox{,-bin}-{24.6.0,30}, <mail-client/thunderbird{,-bin}-24.6.0, <dev-libs/nspr-4.10.6, <www-client/seamonkey{,-bin}-2.26.1: multiple vulnerabilities (CVE-2014-{1533,1534,1536,1537,1538,1539,1540,1541,1542,1543,1545})
Summary: <www-client/firefox{,-bin}-{24.6.0,30}, <mail-client/thunderbird{,-bin}-24.6....
Status: RESOLVED FIXED
Alias: CVE-2014-1533
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/security/know...
Whiteboard: A2 [glsa glsa]
Keywords:
: 513112 (view as bug list)
Depends on: CVE-2015-0819
Blocks:
  Show dependency tree
 
Reported: 2014-06-10 16:40 UTC by Frank Krömmelbein
Modified: 2015-04-07 10:18 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Krömmelbein 2014-06-10 16:40:55 UTC
Release Notes for Firefox:
https://www.mozilla.org/en-US/firefox/30.0/releasenotes/



Reproducible: Always
Comment 1 Agostino Sarubbo gentoo-dev 2014-06-11 07:59:32 UTC
MFSA 2014-55 Out of bounds write in NSPR
MFSA 2014-54 Buffer overflow in Gamepad API
MFSA 2014-53 Buffer overflow in Web Audio Speex resampler
MFSA 2014-52 Use-after-free with SMIL Animation Controller
MFSA 2014-51 Use-after-free in Event Listener Manager
MFSA 2014-50 Clickjacking through cursor invisability after Flash interaction
MFSA 2014-49 Use-after-free and out of bounds issues found using Address Sanitizer
MFSA 2014-48 Miscellaneous memory safety hazards (rv:30.0 / rv:24.6)
Comment 2 Agostino Sarubbo gentoo-dev 2014-06-11 08:01:32 UTC
@mozilla team:

when is time to stabilize please describe the versions and the targets with order.

Thanks.
Comment 3 Ian Stakenvicius gentoo-dev 2014-06-11 21:14:44 UTC
(In reply to Agostino Sarubbo from comment #2)
> @mozilla team:
> 
> when is time to stabilize please describe the versions and the targets with
> order.
> 
> Thanks.

{thunderbird,firefox}{,-bin}-24.6.0 are in the tree and ready for stabilization, nspr-4.10.6 is not a trivial bump and will have to wait for tomorrow.  Firefox-30 will also need to wait but it doesn't get stabilized.

No word on seamonkey yet, upstream has not made a 2.27 release and I didn't check the MFSA's to see if seamonkey is affected yet, either.

If nobody is in a huge rush, i will file the official stablereq's tomorrow once nspr is done.
Comment 4 Jeroen Roovers gentoo-dev 2014-06-13 12:58:36 UTC
*** Bug 513112 has been marked as a duplicate of this bug. ***
Comment 5 Ian Stakenvicius gentoo-dev 2014-06-13 14:37:37 UTC
OK, all stabilizable targets are in the tree.

Arch Teams, please test and please stabilize as follows:

=dev-libs/nspr-4.10.6
Target stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

=mail-client/thunderbird-24.6.0
Target stable KEYWORDS : amd64 arm ppc ppc64 x86

=www-client/firefox-24.6.0
Target stable KEYWORDS : amd64 arm hppa ppc ppc64 x86


(note: firefox-30 is still coming)
Comment 6 Ian Stakenvicius gentoo-dev 2014-06-13 14:42:12 UTC
(In reply to Ian Stakenvicius from comment #5)
> OK, all stabilizable targets are in the tree.
> 
> Arch Teams, please test and please stabilize as follows:

..forgot the -bin packages...

=www-client/firefox-bin-24.6.0
Target stable KEYWORDS : amd64 x86

=mail-client/thunderbird-bin-24.6.0
Target stable KEYWORDS : amd64 x86
Comment 7 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-06-13 16:18:21 UTC
amd64 stable
Comment 8 Tomasz Golinski 2014-06-13 22:51:49 UTC
www-client/firefox-30.0 needs newer sqlite package:


configure:22859: checking for sqlite3 >= 3.8.3.1
configure: error: Library requirements (sqlite3 >= 3.8.3.1) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.

While in ebuild the requirement is only:

system-sqlite? ( >=dev-db/sqlite-3.8.1.3:3[secure-delete,debug=] )
Comment 9 Ian Stakenvicius gentoo-dev 2014-06-14 00:28:50 UTC
(In reply to Tomasz Golinski from comment #8)
> www-client/firefox-30.0 needs newer sqlite package:
> 
> 
> configure:22859: checking for sqlite3 >= 3.8.3.1
> system-sqlite? ( >=dev-db/sqlite-3.8.1.3:3[secure-delete,debug=] )

Apologies for my dyslexia, i thought the dep was already correct.  Fixed in-place in the tree, for expediency; I will go through every dep again over the next 24/48h to confirm they are correct too.
Comment 10 Jeroen Roovers gentoo-dev 2014-06-14 01:40:36 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2014-06-15 08:34:02 UTC
x86 stable
Comment 12 Markus Meier gentoo-dev 2014-06-19 18:04:27 UTC
arm stable for =dev-libs/nspr-4.10.6.
Comment 13 Ian Stakenvicius gentoo-dev 2014-06-25 14:19:00 UTC
Added seamonkey to the bug since it too is vulnerable.

Arches, please test and stabilize:

=www-client/seamonkey{,-bin}-2.26.1
Target stable KEYWORDS : amd64 x86
Comment 14 Agostino Sarubbo gentoo-dev 2014-06-28 09:58:40 UTC
amd64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2014-07-05 11:24:31 UTC
x86 stable
Comment 16 Agostino Sarubbo gentoo-dev 2014-07-05 11:31:55 UTC
alpha stable
Comment 17 Agostino Sarubbo gentoo-dev 2014-07-05 12:46:50 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2014-07-05 12:47:29 UTC
ppc64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2014-07-05 12:47:54 UTC
ia64 stable
Comment 20 Agostino Sarubbo gentoo-dev 2014-07-05 12:57:57 UTC
sparc stable
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 21:09:33 UTC
CVE-2014-1542 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1542):
  Buffer overflow in the Speex resampler in the Web Audio subsystem in Mozilla
  Firefox before 30.0 allows remote attackers to execute arbitrary code via
  vectors related to a crafted AudioBuffer channel count and sample rate.

CVE-2014-1541 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1541):
  Use-after-free vulnerability in the RefreshDriverTimer::TickDriver function
  in the SMIL Animation Controller in Mozilla Firefox before 30.0, Firefox ESR
  24.x before 24.6, and Thunderbird before 24.6 allows remote attackers to
  execute arbitrary code or cause a denial of service (heap memory corruption)
  via crafted web content.

CVE-2014-1540 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1540):
  Use-after-free vulnerability in the
  nsEventListenerManager::CompileEventHandlerInternal function in the Event
  Listener Manager in Mozilla Firefox before 30.0 allows remote attackers to
  execute arbitrary code or cause a denial of service (heap memory corruption)
  via crafted web content.

CVE-2014-1539 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1539):
  Mozilla Firefox before 30.0 and Thunderbird through 24.6 on OS X do not
  ensure visibility of the cursor after interaction with a Flash object and a
  DIV element, which makes it easier for remote attackers to conduct
  clickjacking attacks via JavaScript code that produces a fake cursor image.

CVE-2014-1538 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1538):
  Use-after-free vulnerability in the nsTextEditRules::CreateMozBR function in
  Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird
  before 24.6 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2014-1537 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1537):
  Use-after-free vulnerability in the
  mozilla::dom::workers::WorkerPrivateParent function in Mozilla Firefox
  before 30.0 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption) via unspecified vectors.

CVE-2014-1536 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1536):
  The PropertyProvider::FindJustificationRange function in Mozilla Firefox
  before 30.0 allows remote attackers to execute arbitrary code or cause a
  denial of service (out-of-bounds read) via unspecified vectors.

CVE-2014-1534 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1534):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 30.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

CVE-2014-1533 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1533):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before
  24.6 allow remote attackers to cause a denial of service (memory corruption
  and application crash) or possibly execute arbitrary code via unknown
  vectors.
Comment 22 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-28 23:07:18 UTC
Merging multiple bugs for www-client/firefox{,-bin}, mail-client/thunderbird{,-bin}, www-client/seamonkey{,-bin) under the latest bug 531408 which is undergoing stabilization with each bug either needing cleanup or some stabilization.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 20:49:12 UTC
CVE-2014-1545 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1545):
  Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote
  attackers to execute arbitrary code or cause a denial of service
  (out-of-bounds write) via vectors involving the sprintf and console
  functions.

CVE-2014-1543 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1543):
  Multiple heap-based buffer overflows in the navigator.getGamepads function
  in the Gamepad API in Mozilla Firefox before 30.0 allow remote attackers to
  execute arbitrary code by using non-contiguous axes with a (1) physical or
  (2) virtual Gamepad device.
Comment 24 Yury German Gentoo Infrastructure gentoo-dev Security 2015-03-04 01:19:48 UTC
Setting blocker to Bug 541506, stabilization of version: 31.5.0

Arm stabilization was not completed as part of this build.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-06 05:47:28 UTC
Added to an existing GLSA Request.
Comment 26 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:18:31 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).