Bug 544056 (CVE-2015-0817) - <www-client/firefox{,-bin}-31.5.3,<www-client/seamonkey{,-bin}-2.33.1: Multiple vulnerabilities (CVE-2015-{0817,0818})
Status: RESOLVED FIXED
Alias: CVE-2015-0817
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A2 [glsa]
Keywords:
Duplicates: 544268
Depends on: 544436
Blocks: CVE-2015-0819
Reported: 2015-03-21 20:21 UTC by Coacher
Modified: 2015-04-10 23:36 UTC

Description Coacher 2015-03-21 20:21:09 UTC
Hello.

Firefox-31.5.2 was released recently with fixes for vulnerabilities disclosed at the Pwn2Own contest: https://www.mozilla.org/en-US/firefox/31.5.2/releasenotes/

There is also a security advisory for version 31.5.3 with additional security fixes, but no release announcement yet: https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/#firefoxesr31.5.3

A release announcement will probably follow shortly, but the sources are already there:
https://ftp.mozilla.org/pub/mozilla.org/firefox/releases/31.5.3esr/

Please bump straight to 31.5.3.

Reproducible: Always
Comment 1 Coacher 2015-03-21 20:22:12 UTC
Update: Mozilla has just posted release notes for 31.5.3: https://www.mozilla.org/en-US/firefox/31.5.3/releasenotes/
Comment 3 Agostino Sarubbo gentoo-dev 2015-03-24 08:17:53 UTC
*** Bug 544268 has been marked as a duplicate of this bug. ***
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-24 08:53:37 UTC
+*firefox-36.0.4 (24 Mar 2015)
+*firefox-31.5.3 (24 Mar 2015)
+
+  24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org> -firefox-31.3.0.ebuild,
+  +firefox-31.5.3.ebuild, +firefox-36.0.4.ebuild:
+  Security bump (bug #544056). Removed old.
+

seamonkey-2.33.1 was also bumped.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-03-24 17:31:33 UTC
Thanks, 

Arches, please stabilize:
=www-client/firefox-31.5.3
Stable targets: amd64 arm hppa ia64 ppc ppc64 x86

=www-client/seamonkey-2.33.1
Stable targets: amd64 x86

We seem to be missing ebuilds for firefox-bin and seamonkey-bin.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-03-24 23:28:19 UTC
+*firefox-bin-36.0.4 (24 Mar 2015)
+*firefox-bin-31.5.3 (24 Mar 2015)
+
+  24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -firefox-bin-31.4.0.ebuild, +firefox-bin-31.5.3.ebuild,
+  +firefox-bin-36.0.4.ebuild:
+  Security bump (bug #544056). Removed old.
+


+*seamonkey-bin-2.33.1 (24 Mar 2015)
+
+  24 Mar 2015; Lars Wendler <polynomial-c@gentoo.org>
+  -seamonkey-bin-2.30-r1.ebuild, -seamonkey-bin-2.32.1.ebuild,
+  -seamonkey-bin-2.33.ebuild, +seamonkey-bin-2.33.1.ebuild:
+  Security bump (bug #544056). Removed old.
+

Sorry guys, I always forget about the -bin packages. Arches, please stable the same versions as for the source packages for amd64 and x86. Thanks.
Comment 7 Agostino Sarubbo gentoo-dev 2015-03-25 16:08:49 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-03-26 11:36:17 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-26 11:36:59 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2015-03-27 05:54:41 UTC
Stable for HPPA.
Comment 11 Agostino Sarubbo gentoo-dev 2015-03-27 09:20:20 UTC
Stable for ppc/ppc64
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-03-28 17:18:24 UTC
CVE-2015-0818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0818):
  Mozilla Firefox before 36.0.4, Firefox ESR 31.x before 31.5.3, and SeaMonkey
  before 2.33.1 allow remote attackers to bypass the Same Origin Policy and
  execute arbitrary JavaScript code with chrome privileges via vectors
  involving SVG hash navigation.

CVE-2015-0817 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0817):
  The asm.js implementation in Mozilla Firefox before 36.0.3, Firefox ESR 31.x
  before 31.5.2, and SeaMonkey before 2.33.1 does not properly determine the
  cases in which bounds checking may be safely skipped during JIT compilation
  and heap access, which allows remote attackers to read or write to
  unintended memory locations, and consequently execute arbitrary code, via
  crafted JavaScript.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-04-06 04:55:13 UTC
Arm is pending stabilization. 

New GLSA Request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:19:54 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).