Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 549356 - <www-client/firefox{,-bin}-{31.7.0,38.0}, mail-client/thunderbird{,-bin}-31.7.0: multiple vulnerabilities (CVE-2015-{2708,2709,2710,2711,2712,2713,2714,2715,2716,2717,2718})
Summary: <www-client/firefox{,-bin}-{31.7.0,38.0}, mail-client/thunderbird{,-bin}-31.7...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 2 votes (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/firefox...
Whiteboard: A2 [glsa]
Keywords:
: 549362 549424 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-05-13 08:59 UTC by Martin Wohlert
Modified: 2016-05-31 05:53 UTC (History)
10 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Martin Wohlert 2015-05-13 08:59:12 UTC
Firefox 38 has been released yesterday (2015-05-12)
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-05-14 06:47:31 UTC
*** Bug 549362 has been marked as a duplicate of this bug. ***
Comment 3 Agostino Sarubbo gentoo-dev 2015-05-14 08:16:16 UTC
*** Bug 549424 has been marked as a duplicate of this bug. ***
Comment 4 Akiraba Honata 2015-05-14 23:39:09 UTC
Firefox 38.0.1 released
Comment 5 charles17 2015-05-15 04:18:59 UTC
(In reply to akiraba_honata from comment #4)
> Firefox 38.0.1 released

https://www.mozilla.org/en-US/firefox/38.0.1/releasenotes/

also, since 38 would need some more time for stabilization:
https://www.mozilla.org/en-US/firefox/31.7.0/releasenotes/

Copying the 31.6.0 ebuild to 31.7.0 does work.
Comment 6 Ian Stakenvicius gentoo-dev 2015-05-15 21:43:26 UTC
Ebuilds for thunderbird{,-bin}-31.7.0, firefox-bin-31.7.0 and firefox-bin-38.0.1 have just been committed to the tree, firefox-31.7.0 will follow shortly and then stabilization efforts can begin.

ESR 38.x will likely not be stabilized for at least one more minor version.
Comment 7 Ian Stakenvicius gentoo-dev 2015-05-16 01:13:35 UTC
All ESR ebuilds in place.  Arches, please stabilize as follows:

=www-client/firefox-31.7.0 Target KEYWORDS="amd64 hppa ia64 ppc ppc64 x86"
=www-client/firefox-bin-31.7.0 Target KEYWORDS="-* amd64 x86"

=mail-client/thunderbird-31.7.0 Target KEYWORDS="amd64 ppc ppc64 x86"
=mail-client/thunderbird-bin-31.7.0 Target KEYWORDS="-* amd64 x86"



The Firefox-38.0 ebuild is still outstanding and will be comitted soon, once mozilla team's fearless leader is back online.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-05-17 00:51:33 UTC
CVE-2015-2718 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2718):
  The WebChannel.jsm module in Mozilla Firefox before 38.0 allows remote
  attackers to bypass the Same Origin Policy and obtain sensitive
  webchannel-response data via a crafted web site containing an IFRAME element
  referencing a different web site that is intended to read this data.

CVE-2015-2717 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2717):
  Integer overflow in libstagefright in Mozilla Firefox before 38.0 allows
  remote attackers to execute arbitrary code or cause a denial of service
  (heap-based buffer overflow and out-of-bounds read) via an MP4 video file
  containing invalid metadata.

CVE-2015-2716 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2716):
  Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox
  ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to
  execute arbitrary code by providing a large amount of compressed XML data.

CVE-2015-2715 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2715):
  Race condition in the nsThreadManager::RegisterCurrentThread function in
  Mozilla Firefox before 38.0 allows remote attackers to execute arbitrary
  code or cause a denial of service (use-after-free and heap memory
  corruption) by leveraging improper Media Decoder Thread creation at the time
  of a shutdown.

CVE-2015-2714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2714):
  Mozilla Firefox before 38.0 on Android does not properly restrict writing
  URL data to the Android logging system, which allows attackers to obtain
  sensitive information via a crafted application that has a required
  permission for reading a log, as demonstrated by the READ_LOGS permission
  for the mixed-content violation log on Android 4.0 and earlier.

CVE-2015-2713 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2713):
  Use-after-free vulnerability in the SetBreaks function in Mozilla Firefox
  before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7
  allows remote attackers to execute arbitrary code or cause a denial of
  service (heap memory corruption) via a document containing crafted text in
  conjunction with a Cascading Style Sheets (CSS) token sequence containing
  properties related to vertical text.

CVE-2015-2712 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2712):
  The asm.js implementation in Mozilla Firefox before 38.0 does not properly
  determine heap lengths during identification of cases in which bounds
  checking may be safely skipped, which allows remote attackers to trigger
  out-of-bounds write operations and possibly execute arbitrary code, or
  trigger out-of-bounds read operations and possibly obtain sensitive
  information from process memory, via crafted JavaScript.

CVE-2015-2711 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2711):
  Mozilla Firefox before 38.0 does not recognize a referrer policy delivered
  by a referrer META element in cases of context-menu navigation and
  middle-click navigation, which allows remote attackers to obtain sensitive
  information by reading web-server Referer logs that contain private data in
  a URL, as demonstrated by a private path component.

CVE-2015-2710 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2710):
  Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefox
  before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7
  allows remote attackers to execute arbitrary code via crafted SVG graphics
  data in conjunction with a crafted Cascading Style Sheets (CSS) token
  sequence.

CVE-2015-2709 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2709):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 38.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

CVE-2015-2708 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2708):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before
  31.7 allow remote attackers to cause a denial of service (memory corruption
  and application crash) or possibly execute arbitrary code via unknown
  vectors.
Comment 9 Jeroen Roovers gentoo-dev 2015-05-18 05:03:48 UTC
Stable for PPC64.
Comment 10 Agostino Sarubbo gentoo-dev 2015-05-18 10:05:23 UTC
amd64 stable
Comment 11 Jeroen Roovers gentoo-dev 2015-05-19 05:01:41 UTC
Stable for HPPA.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-23 19:06:19 UTC
x86 stable
Comment 13 Till Schäfer 2015-05-23 20:23:03 UTC
I still can not see firefox-38 in tree. As this is a pressuring security issue for many user, i would like to bump this thread.
Comment 14 Kristian Fiskerstrand gentoo-dev Security 2015-05-23 20:33:56 UTC
(In reply to Till Schäfer from comment #13)
> I still can not see firefox-38 in tree. As this is a pressuring security
> issue for many user, i would like to bump this thread.

that is an unstable version and as such not tracked by security
Comment 15 Heiko Baums 2015-05-23 21:45:28 UTC
(In reply to Kristian Fiskerstrand from comment #14)
> that is an unstable version and as such not tracked by security

It is a stable version. Click onto the download link on the website and it will download 38.0.1. The download link on the website only offers the latest stable version.

And there is a security issue with earlier versions which is fixed in 38.0.1 as far as I know. At least they are working on a fix. See Logjam.
Comment 16 Kristian Fiskerstrand gentoo-dev Security 2015-05-23 21:49:36 UTC
(In reply to Heiko Baums from comment #15)
> (In reply to Kristian Fiskerstrand from comment #14)
> > that is an unstable version and as such not tracked by security
> 
> It is a stable version. Click onto the download link on the website and it
> will download 38.0.1. The download link on the website only offers the
> latest stable version.

The current stable in Gentoo is 31 ESR

> 
> And there is a security issue with earlier versions which is fixed in 38.0.1
> as far as I know. At least they are working on a fix. See Logjam.

This should also be fixed in 31 ESR
Comment 17 Heiko Baums 2015-05-23 21:54:19 UTC
The latest stable upstream version is 38.0.1, and I'm using ~amd86. So the ~amd86 version should be updated, too, to fix this security issue.

A security issue doesn't only apply to Gentoo's stable tree.

So it would be nice, if firefox would be updated to 38.0.1 anytime soon.
Comment 18 Heiko Baums 2015-05-23 21:55:35 UTC
Obviously ~amd64.
Comment 19 Herbert Wantesh 2015-05-25 09:22:18 UTC
+1, please update firefox to 38.0.1
Comment 20 Ari Entlich 2015-05-25 09:51:19 UTC
Why was the definition of this bug changed? As reported, this bug is about the Firefox 38 release. Why was it changed to also include the new version of Firefox 31?

I guess I can conclude from the fact that this hasn't been done yet that this new release basically requires rewriting the whole ebuild, rite?
Comment 21 Ian Stakenvicius gentoo-dev 2015-05-25 14:07:38 UTC
(In reply to Ari Entlich from comment #20)
> Why was the definition of this bug changed? As reported, this bug is about
> the Firefox 38 release. Why was it changed to also include the new version
> of Firefox 31?
> 
> I guess I can conclude from the fact that this hasn't been done yet that
> this new release basically requires rewriting the whole ebuild, rite?

The subject of the bug changed because this is a security bug about the various CVEs listed in the bug, and they need to be addressed on all packages they apply to, not just the latest ~arch firefox.  Remember everyone this isn't a "version bump" bug, it's a security bug.

Firefox-38 is coming; if you are worried about these vulnerabilities in the meantime then you can run firefox-31.7 or firefox-bin-38.0.1.  Also just so that everyone is aware, firefox-31.x will remain the stabilization candidate until -at least- firefox-38.2 is released.
Comment 22 Heiko Baums 2015-05-25 16:38:18 UTC
(In reply to Ian Stakenvicius from comment #21)
> The subject of the bug changed because this is a security bug about the
> various CVEs listed in the bug, and they need to be addressed on all
> packages they apply to, not just the latest ~arch firefox.  Remember
> everyone this isn't a "version bump" bug, it's a security bug.

And because it's a security bug, and at least one of the security issues with firefox < 38.0.1 is fixed in 38.0.1, firefox needs to be updated in the portage tree urgently.

And, btw., the version bump bug 549424 was closed as duplicate of this bug report. If you think, that this bug report is only a security bug and not a version bump bug, then you should reopen bug 549424. Nevertheless in my opinion it doesn't matter if firefox gets updated because of a security or a version bump bug report, because it's both a version bump and a fix of a not so trivial security issue called Logjam.

So, please, update firefox instead of coming up with excuses.

> Firefox-38 is coming; if you are worried about these vulnerabilities in the
> meantime then you can run firefox-31.7 or firefox-bin-38.0.1.

firefox-bin is not an option for users of firefox, because there are a few incompatibilities between firefox and firefox-bin.
Comment 23 Ari Entlich 2015-05-26 21:07:11 UTC
(In reply to Ian Stakenvicius from comment #21)
> The subject of the bug changed because this is a security bug about the
> various CVEs listed in the bug, and they need to be addressed on all
> packages they apply to, not just the latest ~arch firefox.  Remember
> everyone this isn't a "version bump" bug, it's a security bug.

And yet it is not being treated as a security bug. The 31.7 version bump was handled within a couple days, and the 38 version bump has now taken almost two weeks and counting. So which is it? Is this a security bug or not?

In comment #7, you assured everyone that the Firefox 38 ebuild would be added "once mozilla team's fearless leader is back online". Are none of the five other members of the mozilla team[1] able to perform this simple version bump?

1. As listed here: https://wiki.gentoo.org/wiki/Project:Mozilla
Comment 24 Alexander Tsoy 2015-05-26 21:44:12 UTC
Guys, this bug was already converted to security bug and assigned to security@ team. As they usually deal with security issues in *stable* packages, I urge you to move the discussion to a more relevant bug 550424.
Comment 25 Ari Entlich 2015-05-26 21:48:48 UTC
(In reply to Alexander Tsoy from comment #24)
> Guys, this bug was already converted to security bug and assigned to
> security@ team. As they usually deal with security issues in *stable*
> packages, I urge you to move the discussion to a more relevant bug 550424.

What are you talking about? Multiple people have explicitly said that Firefox 38 is included in this bug. It's included in the title. If they didn't want this bug to include Firefox 38, they should have said so. That would have been pretty ridiculous however, considering that this bug was created to be about Firefox 38.

However, bug 550424 is also extremely relevant in a general sense.
Comment 26 Heiko Baums 2015-05-26 21:53:01 UTC
(In reply to Alexander Tsoy from comment #24)
> Guys, this bug was already converted to security bug and assigned to
> security@ team. As they usually deal with security issues in *stable*
> packages, I urge you to move the discussion to a more relevant bug 550424.

And bug 550424 is actually a duplicate of bug 549424 which itself is closed as duplicate of this bug report. So I guess someone should clean those bugs and reopen bug 549424, close bug 550424 as duplicate of bug 549424, if it is not to be handled as a duplicate of this bug.
Comment 27 Ian Stakenvicius gentoo-dev 2015-05-27 19:34:39 UTC
(In reply to Ari Entlich from comment #25)
> (In reply to Alexander Tsoy from comment #24)
> > Guys, this bug was already converted to security bug and assigned to
> > security@ team. As they usually deal with security issues in *stable*
> > packages, I urge you to move the discussion to a more relevant bug 550424.
> 
> What are you talking about? [...]

Alexander's point here is that because this is a security bug, commentary should be limited here to security related issues, not general chatter about version bumping.


Now back to the point in hand -- firefox-38.0.1 has been committed to the main tree.

There are still no seamonkey versions available from upstream with the necessary fixes.  I don't know what security wants to do about that.
Comment 28 Heiko Baums 2015-05-27 20:20:52 UTC
(In reply to Ian Stakenvicius from comment #27)
> Alexander's point here is that because this is a security bug, commentary
> should be limited here to security related issues, not general chatter about
> version bumping.

Version bumping is/was security related in this case.

> Now back to the point in hand -- firefox-38.0.1 has been committed to the
> main tree.

I don't see it (yet) in the portage tree, but maybe mirrors aren't synced yet.
Comment 29 Herbert Wantesh 2015-05-27 22:40:47 UTC
(In reply to Ian Stakenvicius from comment #27)
> (In reply to Ari Entlich from comment #25)
> > (In reply to Alexander Tsoy from comment #24)
> > > Guys, this bug was already converted to security bug and assigned to
> > > security@ team. As they usually deal with security issues in *stable*
> > > packages, I urge you to move the discussion to a more relevant bug 550424.
> > 
> > What are you talking about? [...]
> 
> Alexander's point here is that because this is a security bug, commentary
> should be limited here to security related issues, not general chatter about
> version bumping.
> 
> 
> Now back to the point in hand -- firefox-38.0.1 has been committed to the
> main tree.
> 
> There are still no seamonkey versions available from upstream with the
> necessary fixes.  I don't know what security wants to do about that.

there was no commit by now...

see https://packages.gentoo.org/package/www-client/firefox
Comment 31 Frank Krömmelbein 2015-05-27 23:32:19 UTC
It seems to be a synchronization problem with (some/all ?) Gentoo mirrors.
For a few hours only metadata/timestamp.chk get updated, 
So it looks like a Gentoo Infrastructure problem.

Timestamp of repository gentoo: Wed, 27 May 2015 23:00:01 +0000

ls -l /usr/portage/www-client/firefox
total 493
-rw-r--r-- 1 root root  68673 May 23 21:31 ChangeLog
-rw-r--r-- 1 root root 109736 Jan  2  2012 ChangeLog-2009
-rw-r--r-- 1 root root 229461 May 23 21:31 Manifest
drwxr-xr-x 3 root root    536 Apr  7 08:50 files
-rw-r--r-- 1 root root  12084 Feb 26 23:01 firefox-24.3.0.ebuild
-rw-r--r-- 1 root root  11618 Mar 27 10:31 firefox-31.5.3.ebuild
-rw-r--r-- 1 root root  11619 Apr 29 11:31 firefox-31.6.0.ebuild
-rw-r--r-- 1 root root  11624 May 23 21:31 firefox-31.7.0.ebuild
-rw-r--r-- 1 root root  11783 Mar 24 09:53 firefox-36.0.4.ebuild
-rw-r--r-- 1 root root  11716 Apr  7 01:01 firefox-37.0.1.ebuild
-rw-r--r-- 1 root root  11725 Apr 23 15:14 firefox-37.0.2.ebuild
-rw-r--r-- 1 root root   1332 Feb 26 23:01 metadata.xml
Comment 32 Agostino Sarubbo gentoo-dev 2015-06-24 09:01:29 UTC
ppc stable
Comment 33 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-16 14:00:09 UTC
Ping on ia64 stabilization.
Comment 34 Yury German Gentoo Infrastructure gentoo-dev Security 2015-08-10 22:26:26 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 35 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 05:53:26 UTC
This issue was resolved and addressed in
 GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06
by GLSA coordinator Yury German (BlueKnight).