Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 59419 - net-www/mozilla, mozilla-firefox : 1.7.2 and 0.9.3 release fixes security vulns
Summary: net-www/mozilla, mozilla-firefox : 1.7.2 and 0.9.3 release fixes security vulns
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
: 57380 59420 59437 59439 (view as bug list)
Depends on:
Blocks:
 
Reported: 2004-08-04 10:22 UTC by ChazeFroy
Modified: 2011-10-30 22:37 UTC (History)
9 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ChazeFroy 2004-08-04 10:22:07 UTC
Mozilla Firefox 0.9.3 released, fixing several security vulnerabilities.

Bug 253121 - lock icon and certificates spoofable with onunload document.write
Bug 249004 - Importing false CA certificate leading to error -8182 (perm DoS), especially exploitable by email
Bug 251381 - new libpng buffer overflow vulnerabilities
Bug 250906 - null (%00) in filename fakes extension (ftp, file)

Reproducible: Always
Steps to Reproduce:
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 10:35:15 UTC
Mozilla team : please bump to 1.7.2 and 0.9.3.
Comment 2 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 11:16:56 UTC
Ok, I'm working on this
Comment 3 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 17:04:47 UTC
thunderbird is finished.  mozilla and firefox are still in the works.  In the case of mozilla enough things have changed that it wasn't a simple bump (at least one patch of ours no longer applies).  In the case of firefox it doesn't even build out of the box; they apparently left some files out of the distribution.

Stay tuned...
Comment 4 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 17:05:32 UTC
thunderbird is finished.  mozilla and firefox are still in the works.  In the case of mozilla enough things have changed that it wasn't a simple bump (at least one patch of ours no longer applies).  And thanks to the haste of our friends at mozilla.org, neither moz nor ff builds out of the box!  :-(

Stay tuned...
Comment 5 ChazeFroy 2004-08-04 17:39:53 UTC
I simply copied the 0.9.1 ebuild to 0.9.3, and it compiled fine on x86.
Comment 6 ChazeFroy 2004-08-04 17:44:00 UTC
I simply copied the 0.9.1 ebuild to 0.9.3, and firefox compiled fine on x86.
Comment 7 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 19:20:17 UTC
mozilla-1.7.2 source package is incomplete
    http://bugzilla.mozilla.org/show_bug.cgi?id=254346
Comment 8 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 19:23:43 UTC
Thanks Chaze, I'll try that now.  My updated ebuild had some modifications, but nothing that I thought would cause the build to fail.  It might depend on USE flags.  Stay tuned...
Comment 9 Aron Griffis (RETIRED) gentoo-dev 2004-08-04 19:24:06 UTC
*** Bug 59439 has been marked as a duplicate of this bug. ***
Comment 10 Aron Griffis (RETIRED) gentoo-dev 2004-08-05 04:50:31 UTC
*** Bug 59437 has been marked as a duplicate of this bug. ***
Comment 11 Aron Griffis (RETIRED) gentoo-dev 2004-08-05 04:54:56 UTC
mozilla-firefox-0.9.3
mozilla-firefox-bin-0.9.3
mozilla-thunderbird-0.7.3
mozilla-thunderbird-bin-0.7.3
mozilla-bin-1.7.2

These are all in portage now, marked ~arch for the moment.  It's still impossible to build mozilla-1.7.2 from source so we're waiting on upstream for that.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 04:58:29 UTC
*** Bug 57380 has been marked as a duplicate of this bug. ***
Comment 13 Aron Griffis (RETIRED) gentoo-dev 2004-08-05 04:59:01 UTC
*** Bug 59420 has been marked as a duplicate of this bug. ***
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 05:17:09 UTC
agriffis: From CVSweb it looks like you bumped mozilla-firefox-0.9.3 directly with the 0.9.1 keywords, i.e. stable on most arches... I don't think it was your intention ?
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-08-05 05:43:10 UTC
Here are the target keywords :

mozilla-firefox-0.9.3 : "x86 ppc sparc alpha amd64 ia64"
mozilla-firefox-bin-0.9.3 : "x86 amd64"
mozilla-thunderbird-0.7.3 : "x86 ~ppc sparc ~alpha amd64 ia64"
mozilla-thunderbird-bin-0.7.3 : "~x86" (done)
mozilla-bin-1.7.2 : (none, new package)
mozilla-1.7.2 (when available) : "x86 ppc sparc alpha amd64 ia64"

Please test and mark stable for the moment :
x86 : mozilla-firefox-bin-0.9.3 mozilla-thunderbird-0.7.3
ppc : mozilla-firefox-0.9.3
sparc : mozilla-firefox-0.9.3 mozilla-thunderbird-0.7.3
alpha : mozilla-firefox-0.9.3
amd64 : mozilla-firefox-0.9.3 mozilla-firefox-bin-0.9.3 mozilla-thunderbird-0.7.3
ia64 : mozilla-firefox-0.9.3 mozilla-thunderbird-0.7.3
Comment 16 Olivier Crete (RETIRED) gentoo-dev 2004-08-05 07:15:00 UTC
firefox-bin stable on x86.. two more comments on that ebuild: virtual/x11 is twice in RDEPEND and virtual/libc is in DEPEND but is missing from RDEPEND... 
Comment 17 Tom Martin (RETIRED) gentoo-dev 2004-08-05 13:00:10 UTC
mozilla-thunderbird-0.7.3 fails with:

gmake[2]: Entering directory `/var/tmp/portage/mozilla-thunderbird-0.7.3/work/mozilla/other-licenses/libart_lgpl'
gmake[2]: *** No rule to make target `export'.  Stop.
gmake[2]: Leaving directory `/var/tmp/portage/mozilla-thunderbird-0.7.3/work/mozilla/other-licenses/libart_lgpl'
gmake[1]: *** [tier_1] Error 2

This happened to anyone else?

Revelant USE: "+crypt -debug -gtk2 +java -ldap -moznoxft +mozsvg -xinerama -xprint"

/var/tmp/portage/mozilla-thunderbird-0.7.3/work/mozilla/other-licenses/libart-lgpl is empty for me.
Comment 18 Tom Martin (RETIRED) gentoo-dev 2004-08-05 13:10:10 UTC
mozilla-firefox and mozilla-firefox-bin 0.9.3 now stable on amd64.. Thunderbird can wait till I find out what happened with the error up <a href="http://bugs.gentoo.org/show_bug.cgi?id=59419#c17">here</a>.
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-05 13:32:12 UTC
mozilla-firefox-0.9.3 sparc stable.
mozilla-thunderbird-0.7.3 sparc stable thanks to squash.
now waiting for moz 1.7.2.
Comment 20 Joe Jezak (RETIRED) gentoo-dev 2004-08-05 13:52:53 UTC
Same result as Comment #17 on ppc with gcc-3.4.1.
Comment 21 Aron Griffis (RETIRED) gentoo-dev 2004-08-05 19:29:42 UTC
Slarti, the thunderbird problem you mentioned was bug 59521.  It's fixed now.
Comment 22 Dan Margolis (RETIRED) gentoo-dev 2004-08-05 22:11:11 UTC
GLSA drafted
Comment 23 Thierry Carrez (RETIRED) gentoo-dev 2004-08-06 02:18:56 UTC
Back to upstream status waiting for a fix in the 1.7.2 sources bug :
http://bugzilla.mozilla.org/show_bug.cgi?id=254346
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2004-08-06 02:26:08 UTC
Link to security fixes, for reference :
http://www.mozilla.org/projects/security/known-vulnerabilities.html
Comment 25 Tom Martin (RETIRED) gentoo-dev 2004-08-06 04:06:11 UTC
mozilla-thunderbird-0.7.3 now stable on amd64, that's amd64 done for now.
Comment 26 opello@opello.org 2004-08-07 10:00:19 UTC
Getting odd errors when clicking on links for files (non-web pages) causes an odd 'Gecko' titled error dialogs:
XML Parsing Error: not well-formed
Location: chrome://mozapps/content/downloads/unknownContentType.xul
Line Number 1, Column 1:
(2 blank lines)
^
(the carat is red, and like it should point to some code, but is blank)

Sorry if this is in the wrong place.
Comment 27 Oliver Schoett 2004-08-08 01:15:51 UTC
The 1.7.2 Mozilla sources have been fixed upstream (Bug http://bugzilla.mozilla.org/show_bug.cgi?id=254346 has been closed).
Comment 28 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-08 12:13:04 UTC
Upstream fixed tarballs for Mozilla 1.7.2 back to stable.
Comment 29 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-08 12:28:39 UTC
Sorry back to ebuild. Still no mozilla ebuild.
Comment 30 Aron Griffis (RETIRED) gentoo-dev 2004-08-08 12:58:14 UTC
mozilla-1.7.2 is now in portage
Comment 31 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-08 13:15:43 UTC
Now we have a ebuild for mozilla-1.7.2 to mark stable.
Comment 32 Tom Martin (RETIRED) gentoo-dev 2004-08-08 16:58:02 UTC
Stable on amd64.
Comment 33 Jason Wever (RETIRED) gentoo-dev 2004-08-09 05:27:44 UTC
Stable on sparc.
Comment 34 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-09 07:02:04 UTC
Please note that at least for sparc epiphany-1.2.7 was bumped to stable since 1.2.6 didn't build against mozilla-1.7.2.
Comment 35 Tim Leslie 2004-08-10 16:17:45 UTC
Epiphany and other variant packages should be updated to reflect new version to allow proper emerges of those packages (they currently break).
Comment 36 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-12 13:01:09 UTC
stable on ppc
Comment 37 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-13 02:45:33 UTC
Stable on alpha.
Comment 38 Robert Davis 2004-08-13 14:39:09 UTC
I am getting nsIJVMManager.h: No such file or directory now trying to build galeon.  Is that another file missing from Mozilla?
Comment 39 Robert Davis 2004-08-13 15:12:03 UTC
Hmm. My bad.  Somehow I don't have USE="java".  Either I lost it or now the oji stuff isn't loaded if you don't have it.
Comment 40 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-14 11:54:14 UTC
ppc x86 please mark mozilla-1.7.2 stable asap.
Comment 41 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-14 12:00:24 UTC
stable on ppc
Comment 42 Tim Yamin (RETIRED) gentoo-dev 2004-08-14 15:11:33 UTC
Stable on x86.
Comment 43 Dan Margolis (RETIRED) gentoo-dev 2004-08-16 10:57:11 UTC
It appears Epiphany and Galeon (and any other gecko-based browsers?) may also be vulnerable to some of these issues (see http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.667659, https://rhn.redhat.com/errata/RHSA-2004-421.html). 

Mozilla herd: can you confirm that this bug affects these packages? If so, can you fix the RDEPEND so that they build against the new patched versions of Mozilla?
Comment 44 Aron Griffis (RETIRED) gentoo-dev 2004-08-18 12:52:47 UTC
You're right, galeon and epiphany would be affected.  However the mozilla team doesn't touch those packages.  The gnome team should update the depends.
Comment 45 foser (RETIRED) gentoo-dev 2004-08-18 13:59:17 UTC
we'll fix epiphany-1.2.7 to dep hard on moz-1.7.2, needs a bump because it's already stable on an arch. I'll let you know in a second when epiphany-1.2.7-r1 gets added.

Galeon is maintained by hanno, CC-ing
Comment 46 foser (RETIRED) gentoo-dev 2004-08-18 14:05:58 UTC
epiphany-1.2.7-r1 added & stable on x86 + sparc

hanno on CC for fixing galeon
Comment 47 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-18 18:22:50 UTC
epiphany stable on ppc.

please add ppc again when galeon needs testing.
Comment 48 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-23 06:44:01 UTC
GLSA 200408-22

hanno please fix galeon
Comment 49 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-08-24 11:41:33 UTC
I recommend we strip the relevant bullet point from the GLSA, but do not reissue.

----------
Subject: [Full-Disclosure] RE: [ GLSA 200408-22 ] Mozilla, Firefox,
Thunderbird: New releases fix vulnerabilities
Date: Tuesday 24 August 2004 11:04
From: Gervase Markham <gerv@gerv.net>
To: klieber@gentoo.org
Cc: bugtraq@securityfocus.com;, full-disclosure@lists.netsys.com;,
security-alerts@linuxsecurity.com

As has been pointed out to the author of the relevant "advisory" several
times, Mozilla has neither a "local zone" nor "predictable cache file
locations". The author assumed that the random string generated for his
cache file location was the same as everyone else's.

I wonder how Gentoo can have fixed, QAed and tested the fix for a
vulnerability which doesn't exist?

(Note: none of the referenced CVE numbers in the advisory refer to this
"issue".)

Gerv
Comment 50 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-08-24 11:43:22 UTC
ooh.  I forgot to mention that when I went back and looked, I couldn't find any reference to the file cache vulnerabilities referenced in the GLSA, either on Mozilla's website or in any of the CVEs.  So I think it's fairly safe to assume he's right and the vulnerability doesn't exist.
Comment 51 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-24 12:27:48 UTC
GLSA updated and not reissued.
Comment 52 Hanno Böck gentoo-dev 2004-08-24 13:45:20 UTC
galeon-1.3.17 added and depends on >=mozilla-1.7.2-r1
Comment 53 Danny van Dyk (RETIRED) gentoo-dev 2004-08-25 13:24:35 UTC
Removing amd64@g.o from cc
Comment 54 Bryan Østergaard (RETIRED) gentoo-dev 2004-08-25 16:50:38 UTC
Galeon stable on alpha.
Comment 55 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-28 15:56:43 UTC
Arches please mark Galeon 1.3.17 stable.
Comment 56 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-08-28 16:31:12 UTC
stable on ppc
Comment 57 Gustavo Zacarias (RETIRED) gentoo-dev 2004-08-31 14:17:45 UTC
sparc was done but not removed, removing...
Comment 58 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 06:44:39 UTC
amd64: please mark galeon-1.3.17 stable
Comment 59 Danny van Dyk (RETIRED) gentoo-dev 2004-09-02 13:15:27 UTC
galeon-1.3.17 marked stable on amd64.
Comment 60 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 13:39:49 UTC
Ready for a Galeon/Epiphany GLSA... Or an update of the other one
Comment 61 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-03 02:52:02 UTC
Thx everybody.

GLSA 200408-22 updated and reissued
Comment 62 Danny van Dyk (RETIRED) gentoo-dev 2006-05-31 07:52:30 UTC
GLSA 200408-22 contains format bug:
    <package name="net-www/epiphany" auto="yes" arch="*">
      <unaffected range="ge">1.2.7-r1</unaffected>
      <vulnerable range="lt"> 1.2.7-r1</vulnerable>
    </package>
Please remove the space before the version-spec in vulnerable tag.
Comment 63 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-31 07:58:00 UTC
Thanks, fixed in CVS
Comment 64 Thierry Carrez (RETIRED) gentoo-dev 2006-05-31 10:17:14 UTC
and closed again