Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 531408 (CVE-2014-1587) - <www-client/firefox{,-bin}-31.3.0,34 <mail-client/thunderbird-{,-bin}-31.3.0 <www-client/seamonkey{,-bin}-2.31: multiple vulnerabilities (CVE-2014-{1587,1588,1589,1590,1591,1592,1593,1594,8631,8632})
Summary: <www-client/firefox{,-bin}-31.3.0,34 <mail-client/thunderbird-{,-bin}-31.3.0 ...
Status: RESOLVED FIXED
Alias: CVE-2014-1587
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa glsa]
Keywords:
Depends on: CVE-2015-0819
Blocks:
  Show dependency tree
 
Reported: 2014-12-02 08:30 UTC by Agostino Sarubbo
Modified: 2015-04-07 10:19 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Ian Stakenvicius gentoo-dev 2014-12-04 02:20:22 UTC
CVE mappings follow:

CVE-2014-1594
CVE-2014-1593
CVE-2014-1592
CVE-2014-1590
CVE-2014-1587

CVE-2014-1591 -- affects FF33 only
CVE-2014-1589 -- affects FF33 only it seems; is moderate risk
CVE-2014-1588 -- affects FF33 only


Ebuilds for firefox{,-bin}-31.3.0 and thunderbird{,-bin}-31.3.0 are in the tree now, as well as firefox-bin-34.0.5.  Firefox-34.0.5 will be added soon.  Please note that current seamonkey{,-bin} will be affected but new packages have not yet been released by upstream.

Stabilizations for {firefox,thunderbird}{,-bin}-31.3.0 can happen any time, imo.
Comment 2 Ian Stakenvicius gentoo-dev 2014-12-04 04:19:03 UTC
before 31.3.0 can be stabilized, >=dev-libs/nss-3.17.1 also needs to be stabilized.  Adding reference
Comment 3 Ian Stakenvicius gentoo-dev 2014-12-05 18:47:23 UTC
added seamonkey ebuilds to the tree and to the summary.  There are a couple of bugs I'm trying to resolve wrt. to the source builds, after those are done we can CC arches.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2014-12-05 19:53:23 UTC
+*seamonkey-2.31 (05 Dec 2014)
+
+  05 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -seamonkey-2.29.1.ebuild,
+  +seamonkey-2.31.ebuild, metadata.xml:
+  Security bump (bug #531408). Removed old.
+
Comment 5 Ian Stakenvicius gentoo-dev 2014-12-09 16:06:22 UTC
As soon as mesa-10.2.8 is stable, arches please stabilize as follows:

www-client/firefox-bin-31.3.0 : Target KEYWORDS="amd64 x86"
mail-client/thunderbird-bin-31.3.0 : Target KEYWORDS="amd64 x86"
www-client/seamonkey-bin-2.31 : Target KEYWORDS="amd64 x86"

www-client/firefox-31.3.0 :
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 x86"

mail-client/thunderbird-31.3.0 :
Target KEYWORDS="amd64 arm ppc ppc64 x86"

www-client/seamonkey-2.31 : Target KEYWORDS="amd64 x86"
(there are more arches that could be stabilized but these are the only two necessary to remove older ebuilds)

Please note these stabilizations supercede bug 525474
Comment 6 Jeroen Roovers gentoo-dev 2014-12-10 13:42:00 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-10 19:34:09 UTC
amd64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-10 19:34:57 UTC
x86 stable
Comment 9 Francisco Blas Izquierdo Riera gentoo-dev 2014-12-20 14:50:46 UTC
I'd like to bring your attention to https://bugs.gentoo.org/show_bug.cgi?id=533074 before it bites more people. Please consider adding RESTRICT="splitdebug" before doing further stabilizations.
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-24 14:55:28 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-24 14:55:50 UTC
ppc64 stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-24 20:24:24 UTC
CVE-2014-8632 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8632):
  The structured-clone implementation in Mozilla Firefox before 34.0 and
  SeaMonkey before 2.31 does not properly interact with XrayWrapper property
  filtering, which allows remote attackers to bypass intended DOM object
  restrictions by leveraging property availability after XrayWrapper removal.

CVE-2014-8631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8631):
  The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before
  34.0 and SeaMonkey before 2.31 supports native-interface passing, which
  allows remote attackers to bypass intended DOM object restrictions via a
  call to an unspecified method.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev Security 2014-12-28 19:09:53 UTC
Is nspr being stabilized as part of this bug? 
10 Dec 2014; Agostino Sarubbo <ago@gentoo.org> nspr-4.10.7-r1.ebuild:
6	  Stable for x86, wrt bug #531408
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-01-03 20:57:04 UTC
CVE-2014-1594 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1594):
  Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird
  before 31.3, and SeaMonkey before 2.31 might allow remote attackers to
  execute arbitrary code by leveraging an incorrect cast from the
  BasicThebesLayer data type to the BasicContainerLayer data type.

CVE-2014-1593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1593):
  Stack-based buffer overflow in the mozilla::FileBlockCache::Read function in
  Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird
  before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute
  arbitrary code via crafted media content.

CVE-2014-1592 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1592):
  Use-after-free vulnerability in the nsHtml5TreeOperation function in xul.dll
  in Mozilla Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird
  before 31.3, and SeaMonkey before 2.31 allows remote attackers to execute
  arbitrary code by adding a second root element to an HTML5 document during
  parsing.

CVE-2014-1591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1591):
  Mozilla Firefox 33.0 and SeaMonkey before 2.31 include path strings in CSP
  violation reports, which allows remote attackers to obtain sensitive
  information via a web site that receives a report after a redirect.

CVE-2014-1590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1590):
  The XMLHttpRequest.prototype.send method in Mozilla Firefox before 34.0,
  Firefox ESR 31.x before 31.3, Thunderbird before 31.3, and SeaMonkey before
  2.31 allows remote attackers to cause a denial of service (application
  crash) via a crafted JavaScript object.

CVE-2014-1589 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1589):
  Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets
  with an incorrect primary namespace, which allows remote attackers to bypass
  intended access restrictions via an XBL binding.

CVE-2014-1588 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1588):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 34.0 and SeaMonkey before 2.31 allow remote attackers to
  cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.

CVE-2014-1587 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1587):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 34.0, Firefox ESR 31.x before 31.3, Thunderbird before 31.3,
  and SeaMonkey before 2.31 allow remote attackers to cause a denial of
  service (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.
Comment 15 Tobias Klausmann gentoo-dev 2015-01-09 20:52:06 UTC
Stable on alpha.
Comment 16 Agostino Sarubbo gentoo-dev 2015-02-23 11:39:11 UTC
ia64 stable
Comment 17 Yury German Gentoo Infrastructure gentoo-dev Security 2015-02-23 23:42:10 UTC
Arches with only one arch left, can we please stabilize arm so that we can close this bug and all the other bug's that it blocks.

Thank you
Comment 18 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-06 05:27:03 UTC
Added to an existing GLSA Request.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:19:10 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).