Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 559186 (CVE-2015-4498) - <www-client/firefox-{38.2.1,40.0.3}: Add-on notification bypass through data URLs
Summary: <www-client/firefox-{38.2.1,40.0.3}: Add-on notification bypass through data...
Status: RESOLVED FIXED
Alias: CVE-2015-4498
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A2 [glsa]
Keywords:
: 559090 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-08-30 18:32 UTC by Randy Barlow
Modified: 2016-05-31 05:54 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Randy Barlow 2015-08-30 18:32:31 UTC
The current stable version of Firefox in the portage tree is vulnerable to CVE-2015-4498:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-95/

Reproducible: Always

Steps to Reproduce:
1. On a system configured for stable packages only with Firefox installed, you will have www-client/firefox-38.2.0


Expected Results:  
38.2.1 should be stabilized.
Comment 1 Randy Barlow 2015-08-30 21:14:06 UTC
There is another security flaw that is more serious (listed as critical) that these same versions of Firefox fix:

CVE-2015-4497: Use-after-free when resizing canvas element during restyling

https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/

Should I adjust this bug's CVE Alias and name to reflect the more serious of the two vulnerabilities since they both have the same fix (update to 38.2.1 and 40.0.3), or is this note sufficient, or should I file another bug about the other CVE? Sorry, I'm not very familiar with the Gentoo policies about this.

Should we raise the importance on the bug to reflect the severity of the other issue?
Comment 2 Jory A. Pratt gentoo-dev 2015-08-31 02:51:55 UTC
*** Bug 559090 has been marked as a duplicate of this bug. ***
Comment 3 Ian Stakenvicius gentoo-dev 2015-09-02 22:01:56 UTC
firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.

ATs, Please stabilize 38.2.1 at your leisure.


www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"

www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"
Comment 4 Ian Stakenvicius gentoo-dev 2015-09-02 22:02:58 UTC
Err, sorry -- s/38.2.0/38.2.1/ (In reply to Ian Stakenvicius from comment #3)
> firefox{,-bin}-38.2.1 and firefox{,-bin}-40.0.3 are in the tree now.
> 
> ATs, Please stabilize 38.2.1 at your leisure.
> 
> 
> www-client/firefox-38.2.0: Stable KEYWORDS="amd64 hppa ppc ppc64 x86"
> 
> www-client/firefox-bin-38.2.0: Stable KEYWORDS="amd64 x86"

Err, sorry -- s/38.2.0/38.2.1/
Comment 5 Agostino Sarubbo gentoo-dev 2015-09-03 08:24:53 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-09-03 08:26:34 UTC
x86 stable
Comment 7 Jeroen Roovers gentoo-dev 2015-09-06 10:14:32 UTC
Stable for HPPA PPC64.
Comment 8 Agostino Sarubbo gentoo-dev 2015-11-04 14:43:13 UTC
38.3.0 was done in 561246
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-31 02:36:55 UTC
Added to an existing GLSA Request.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2016-05-31 05:54:07 UTC
This issue was resolved and addressed in
 GLSA 201605-06 at https://security.gentoo.org/glsa/201605-06
by GLSA coordinator Yury German (BlueKnight).