Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 545232 - <www-client/firefox{,-bin}-{31.6.0,37.0.2}, <mail-client/thunderbird{,-bin}-31.6.0: Multiple vulnerabilities (CVE-2015-{0798,0799,0801,0802,0803,0804,0805,0806,0807,0808,0810,0811,0812,0813,0814,0815,0816,2706,2808})
Summary: <www-client/firefox{,-bin}-{31.6.0,37.0.2}, <mail-client/thunderbird{,-bin}-3...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-01 14:05 UTC by Agostino Sarubbo
Modified: 2015-12-30 15:52 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Denis Misiurca 2015-04-03 17:19:43 UTC
Why www-client/firefox-bin was updated but www-client/firefox wasn't?
Comment 2 charles17 2015-04-04 09:06:11 UTC
(In reply to Denis Misiurca from comment #1)
> Why www-client/firefox-bin was updated but www-client/firefox wasn't?

Same for thunderbird-bin / thunderbird.
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2015-04-04 21:31:06 UTC
The *-bin's are practically trivial to bump, the source ones not so much.  

I'm also personally without reliable internet access at the moment and that's holding me back a fair bit in terms of getting these packages bumped.
Comment 4 Stephan Hartmann gentoo-dev 2015-04-06 10:18:23 UTC
(In reply to charles17 from comment #2)
> (In reply to Denis Misiurca from comment #1)
> > Why www-client/firefox-bin was updated but www-client/firefox wasn't?
> 
> Same for thunderbird-bin / thunderbird.

+*firefox-31.6.0 (05 Apr 2015)
+
+  05 Apr 2015; Lars Wendler <polynomial-c@g.o> -firefox-31.4.0.ebuild,
+  -firefox-31.5.0.ebuild, +firefox-31.6.0.ebuild:
+  Version bump. Removed old.

+*thunderbird-31.6.0 (06 Apr 2015)
+
+  06 Apr 2015; Lars Wendler <polynomial-c@g.o>
+  -thunderbird-31.3.0.ebuild, +thunderbird-31.6.0.ebuild:
+  Version bump. Removed old.
Comment 5 Stephan Hartmann gentoo-dev 2015-04-23 05:36:39 UTC
firefox{,-bin} and thunderbird{,-bin} in tree for over two weeks now. Can we stabilize?
Comment 6 Ian Stakenvicius (RETIRED) gentoo-dev 2015-04-23 14:04:50 UTC
(In reply to Stephan Hartmann from comment #5)
> firefox{,-bin} and thunderbird{,-bin} in tree for over two weeks now. Can we
> stabilize?

Absolutely -- please stabilize 31.6.0 versions.  In fact, as soon as the ESR versions hit the tree they can be stabilized for security, as far as I am concerned.

www-client/firefox-bin-31.6.0 Target KEYWORDS="amd64 x86"
www-client/firefox-31.6.0 Target KEYWORDS="amd64 arm hppa ppc ppc64 x86"
mail-client/thunderbird-bin-31.6.0 Target KEYWORDS="amd64 x86"
mail-client/thunderbird-31.6.0 Target KEYWORDS="amd64 ppc ppc64 x86"

Note that a new seamonkey release is afaik still pending from upstream, to resolve the firefox MFSAs within that codebase.
Comment 7 Ian Stakenvicius (RETIRED) gentoo-dev 2015-04-23 15:17:41 UTC
CC'ing arches.
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2015-04-23 15:48:21 UTC
This is the CVE table and the versions:
During Cleanup we will have to drop <37.0.2 in the version:37.X

Thunderbird / Firefox - 31.6
2015-30 = CVE-2015-0815, CVE-2015-0814 
2015-31	= CVE-2015-0813
2015-33 = CVE-2015-0816
2015-37 = CVE-2015-0807
2015-40 = CVE-2015-0801

Firefox 37.0.2
2015-45 = CVE-2015-2706

Firefox 37.0.1
2015-43 = CVE-2015-0798
2015-44 = CVE-2015-0799

Firefox 37
2015-30 = CVE-2015-0814,0815
2015-31	= CVE-2015-0813
2015-32 = CVE-2015-0812
2015-33 = CVE-2015-0816
2015-34 = CVE-2015-0811
2015-35 = CVE-2015-0810
2015-36 = CVE-2015-0808
2015-37 = CVE-2015-0807
2015-38 = CVE-2015-0805,0806
2015-39 = CVE-2015-0803,0804
2015-40 = CVE-2015-0801
2015-41 = CVE-2015-0800,2808
2015-42 = CVE-2015-0802
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-24 06:03:52 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2015-04-24 09:58:03 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2015-04-24 09:58:37 UTC
x86 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-04-25 09:24:51 UTC
Stable for PPC64.
Comment 13 Agostino Sarubbo gentoo-dev 2015-04-29 09:13:32 UTC
ppc stable
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-06-07 02:51:05 UTC
Can we either stabilize firefox for "arm" arch, we have not had a stable version for it for a long time.
Comment 15 Jory A. Pratt gentoo-dev 2015-06-08 02:05:59 UTC
(In reply to Yury German from comment #14)
> Can we either stabilize firefox for "arm" arch, we have not had a stable
> version for it for a long time.

If you stabilize arm you will be required to keep up with latest esr, we will not support anything older.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-06-13 08:09:48 UTC
Currently 24.3.0 is the only stable version which is from 2013 and has a very long list of vulnerabilities. So we either need to make it stable or drop it to ~arm and clean up the vulnerable versions.
Comment 17 Ian Stakenvicius (RETIRED) gentoo-dev 2015-06-13 13:04:30 UTC
(In reply to Yury German from comment #16)
> Currently 24.3.0 is the only stable version which is from 2013 and has a
> very long list of vulnerabilities. So we either need to make it stable or
> drop it to ~arm and clean up the vulnerable versions.

Agreed, we should drop stable arm keywords on all three major mozilla packages in the tree.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2015-06-30 22:33:21 UTC
CVE-2015-0816 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0816):
  Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird
  before 31.6 do not properly restrict resource: URLs, which makes it easier
  for remote attackers to execute arbitrary JavaScript code with chrome
  privileges by leveraging the ability to bypass the Same Origin Policy, as
  demonstrated by the resource: URL associated with PDF.js.

CVE-2015-0815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0815):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before
  31.6 allow remote attackers to cause a denial of service (memory corruption
  and application crash) or possibly execute arbitrary code via unknown
  vectors.

CVE-2015-0814 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0814):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 37.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

CVE-2015-0812 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0812):
  Mozilla Firefox before 37.0 does not require an HTTPS session for
  lightweight theme add-on installations, which allows man-in-the-middle
  attackers to bypass an intended user-confirmation requirement by deploying a
  crafted web site and conducting a DNS spoofing attack against a mozilla.org
  subdomain.

CVE-2015-0811 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0811):
  The QCMS implementation in Mozilla Firefox before 37.0 allows remote
  attackers to obtain sensitive information from process heap memory or cause
  a denial of service (out-of-bounds read) via an image that is improperly
  handled during transformation.

CVE-2015-0808 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0808):
  The webrtc::VPMContentAnalysis::Release function in the WebRTC
  implementation in Mozilla Firefox before 37.0 uses incompatible approaches
  to the deallocation of memory for simple-type arrays, which might allow
  remote attackers to cause a denial of service (memory corruption) via
  unspecified vectors.

CVE-2015-0807 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0807):
  The navigator.sendBeacon implementation in Mozilla Firefox before 37.0,
  Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 processes HTTP 30x
  status codes for redirects after a preflight request has occurred, which
  allows remote attackers to bypass intended CORS access-control checks and
  conduct cross-site request forgery (CSRF) attacks via a crafted web site, a
  similar issue to CVE-2014-8638.

CVE-2015-0806 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0806):
  The Off Main Thread Compositing (OMTC) implementation in Mozilla Firefox
  before 37.0 attempts to use memset for a memory region of negative length
  during interaction with the
  mozilla::layers::BufferTextureClient::AllocateForSurface function, which
  allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption) via vectors that trigger rendering of 2D
  graphics content.

CVE-2015-0805 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0805):
  The Off Main Thread Compositing (OMTC) implementation in Mozilla Firefox
  before 37.0 makes an incorrect memset call during interaction with the
  mozilla::layers::BufferTextureClient::AllocateForSurface function, which
  allows remote attackers to execute arbitrary code or cause a denial of
  service (memory corruption and application crash) via vectors that trigger
  rendering of 2D graphics content.

CVE-2015-0804 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0804):
  The HTMLSourceElement::BindToTree function in Mozilla Firefox before 37.0
  does not properly constrain a data type after omitting namespace validation
  during certain tree-binding operations, which allows remote attackers to
  execute arbitrary code or cause a denial of service (use-after-free) via a
  crafted HTML document containing a SOURCE element.

CVE-2015-0803 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0803):
  The HTMLSourceElement::AfterSetAttr function in Mozilla Firefox before 37.0
  does not properly constrain the original data type of a casted value during
  the setting of a SOURCE element's attributes, which allows remote attackers
  to execute arbitrary code or cause a denial of service (use-after-free) via
  a crafted HTML document.

CVE-2015-0802 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0802):
  Mozilla Firefox before 37.0 relies on docshell type information instead of
  page principal information for Window.webidl access control, which might
  allow remote attackers to execute arbitrary JavaScript code with chrome
  privileges via certain content navigation that leverages the reachability of
  a privileged window with an unintended persistence of access to restricted
  internal methods.

CVE-2015-0801 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0801):
  Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird
  before 31.6 allow remote attackers to bypass the Same Origin Policy and
  execute arbitrary JavaScript code with chrome privileges via vectors
  involving anchor navigation, a similar issue to CVE-2015-0818.

CVE-2015-0799 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0799):
  The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1
  allows man-in-the-middle attackers to bypass an intended X.509
  certificate-verification step for an SSL server by specifying that server in
  the uri-host field of an Alt-Svc HTTP/2 response header.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-06-30 22:34:39 UTC
CVE-2015-2706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2706):
  Race condition in the AsyncPaintWaitEvent::AsyncPaintWaitEvent function in
  Mozilla Firefox before 37.0.2 allows remote attackers to execute arbitrary
  code or cause a denial of service (use-after-free) via a crafted plugin that
  does not properly complete initialization.
Comment 20 Sean Amoss (RETIRED) gentoo-dev Security 2015-06-30 23:13:04 UTC
CVE-2015-8002 appears to have been a typo.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 13:55:25 UTC
It has been agreed by the maintainer and the arm team that the Mozilla based packages should be moved in to the unstable arch for arm, and keyworded appropriately. (~arm). This has been done already.

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Firefox is no longer in tree, Thunderbird is still there.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 15:52:50 UTC
This issue was resolved and addressed in
 GLSA 201512-10 at https://security.gentoo.org/glsa/201512-10
by GLSA coordinator Yury German (BlueKnight).