Bug 568376 (CVE-2015-7203) - <www-client/firefox{,-bin}-{38.5.0,43.0}, <mail-client/thunderbird{,-bin}-38.5.0: Multiple vulnerabilities (CVE-2015-{7201,7202,7203,7204,7205,7207,7208,7210,7211,7212,7213,7214,7215,7216,7217,7218,7219,7220,7221,7222,7223})
Alias: CVE-2015-7203
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Duplicates: 568408
Depends on: 570168
Reported: 2015-12-16 04:32 UTC by Nikolay Edigaryev
Modified: 2016-02-25 08:38 UTC (History)

Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-12-16 08:51:17 UTC
Started going through the SAs, but ran out of time and found an exploitable crash possibility, so that is sufficient for classification at this point; the list of CVEs is not complete at this point.

SA		Severity	Desc / CVE
2015-135	High		Simple var assignments can trigger "can't convert undefined to object"
				exception (CVE-2015-7204). This crash was caused by a change
				to the JavaScript engine that was first shipped in Firefox 41.
				Earlier versions of Firefox are unaffected by this problem,
				including Firefox ESR 38.
2015-136	High		performance.getEntries() shows x-domain URLs after a redirect
				when loading from cache (CVE-2015-7207)
				Cached redirects + History traversal reveal cross-origin URLs
2015-137	Moderate	allowing vertical tab in cookies leads to cookie injection
				on some servers (CVE-2015-7208)
2015-139	High		Memset crash in mozilla::layers
				::BufferTextureClient::AllocateForSurface (CVE-2015-7212)
2015-141	Low		Partial URL spoofing using the data URI scheme (CVE-2015-7211)
2015-142	Low		Firefox HTTP2 Malformed Header Frame DoS (CVE-2015-7218)
				Firefox HTTP2 Malformed PushPromise Underflow DoS (CVE-2015-7219)
2015-143	Moderate	Firefox in Linux is using Jasper which is unmaintained and
				vulnerable (CVE-2015-7216)
				Heap overflow and DoS with TGA files in gdk-pixbuf
				affecting Firefox (CVE-2015-7217)
				This issue only affects Linux systems running Gnome. 
				Windows, OS X, and Android operating systems are unaffected.
2015-144	Moderate	Buffer overflow on OOM in 
				DirectWriteFontInfo::LoadFontFamilyData (CVE-2015-7203)
				Overflow in XDRBuffer::grow can cause memory-safety
				bug (CVE-2015-7220)
				Overflow in nsDeque::GrowCapacity can cause
				memory-safety bug (CVE-2015-7221)
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2015-12-16 10:37:55 UTC
*** Bug 568408 has been marked as a duplicate of this bug. ***
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2015-12-17 00:38:13 UTC
firefox{,-bin}-{38.5.0,43.0} are now in the Gentoo repo.

Thunderbird packages are still days out, and I don't know what the status is on seamonkey.  Should we go ahead with stabilization now or wait a day or two for the other packages to join the bug?
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2015-12-24 15:45:58 UTC
Thunderbird packages have been added to the gentoo repo.

Arches, please stabilize:

=www-client/firefox-38.5.0 Stable KEYWORDS="amd64 hppa ppc ppc64 x86"

=www-client/firefox-bin-38.5.0 Stable KEYWORDS="amd64 x86"

=mail-client/thunderbird-38.5.0 Stable KEYWORDS="amd64 ppc ppc64 x86"

=mail-client/thunderbird-bin-38.5.0 Stable KEYWORDS="amd64 x86"
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-24 20:11:58 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-12-25 18:22:13 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-25 19:38:04 UTC
Stable for PPC64.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2015-12-26 09:58:16 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2015-12-26 12:04:44 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 Francisco Blas Izquierdo Riera gentoo-dev 2015-12-29 22:43:00 UTC
Bug #570168 prevents building thunderbird on hardened systems and thus makes updating to fix the issues impossible.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-12-30 13:13:03 UTC
Arches, Thank you for your work.
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s).
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 15:53:18 UTC
This issue was resolved and addressed in
 GLSA 201512-10 at
by GLSA coordinator Yury German (BlueKnight).
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-12-30 15:56:27 UTC
Re-Opening for cleanup. 

Maintainers, the GLSA has been released; please clean up the vulnerable versions.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 08:38:48 UTC
Maintainer(s), Thank you for your work.