Bug 744208 (MFSA-2020-43) - <www-client/firefox{,-bin}-78.3.0: Multiple vulnerabilities (MFSA-2020-43)
Status: RESOLVED FIXED
Alias: MFSA-2020-43
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A2 [glsa+ cve]
Keywords: CC-ARCHES, STABLEREQ
Duplicates: 744709 745927 MFSA-2020-36, MFSA-2020-42
Depends on: 746152 746155
Blocks: CVE-2020-15673, CVE-2020-15676, CVE-2020-15677, CVE-2020-15678
Reported: 2020-09-23 03:50 UTC by Sam James
Modified: 2020-10-17 09:07 UTC
Package list:
www-client/firefox-78.3.1
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-09-23 03:50:59 UTC
* CVE-2020-15677

Description:
"By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from."

* CVE-2020-15676

Description:
"Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element."

* CVE-2020-15678

Description:
"When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules."

* CVE-2020-15673

Description:
"Mozilla developer Jason Kratzer reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
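
The iterator invalidation rule named in the CVE-2020-15678 description, shown as an added C++ illustration (not part of the original bug report and not Firefox source; `Layer`, `BoundsMap` and both functions are hypothetical names). A recursive tree walk keeps an iterator into a map across a call that inserts into the same map, next to a version that copies the value out before recursing:

```cpp
// Added illustration with hypothetical names; this is not Firefox source code.
#include <algorithm>
#include <cstdio>
#include <unordered_map>
#include <vector>

struct Layer {                       // constructed stand-in for a layer-tree node
    int id;
    int clip;                        // the layer's own clip extent
    std::vector<Layer> children;
};
using BoundsMap = std::unordered_map<int, int>;   // layer id -> clipped extent

// BROKEN (shown for comparison, never called): `it` is kept across the
// recursive call. The callee inserts into `out`, an insert may rehash, and a
// rehash invalidates every iterator, so `it->second` is undefined behaviour.
int clip_tree_broken(const Layer& l, int parent, BoundsMap& out) {
    auto it = out.emplace(l.id, std::min(l.clip, parent)).first;
    int smallest = it->second;
    for (const Layer& c : l.children)
        smallest = std::min(smallest, clip_tree_broken(c, it->second, out));
    return smallest;
}

// FIXED: copy the value out of the container before recursing, so nothing
// that points into `out` is live while the callee mutates it.
int clip_tree_fixed(const Layer& l, int parent, BoundsMap& out) {
    const int mine = std::min(l.clip, parent);
    out[l.id] = mine;
    int smallest = mine;
    for (const Layer& c : l.children)
        smallest = std::min(smallest, clip_tree_fixed(c, mine, out));
    return smallest;
}

// Constructed sample tree: 1 -> {2, 3 -> {4}}.
Layer sample_tree() {
    return Layer{1, 100, {Layer{2, 60, {}}, Layer{3, 80, {Layer{4, 90, {}}}}}};
}

int main() {
    BoundsMap out;
    int smallest = clip_tree_fixed(sample_tree(), 1000, out);
    std::printf("smallest=%d layers=%zu\n", smallest, out.size());
    return 0;
}
```

Building the broken variant with `-fsanitize=address` or a debug-mode standard library (for example `-D_GLIBCXX_DEBUG`) is the usual way to surface this class of bug during testing.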
Comment 1 Sam James archtester gentoo-dev Security 2020-09-25 17:42:38 UTC
*** Bug 744709 has been marked as a duplicate of this bug. ***
Comment 2 Sam James archtester gentoo-dev Security 2020-09-29 21:06:31 UTC
FYI: The reason for the slight delay has been rewriting the whole shebang to drop Python 2.x and other long-standing cleanups due. It should be here soon.
Comment 3 Larry the Git Cow gentoo-dev 2020-09-29 23:39:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed273ce18a8de3340424291814e8376b4e787792

commit ed273ce18a8de3340424291814e8376b4e787792
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-29 23:29:43 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-29 23:39:33 +0000

    www-client/firefox: bump to v81.0
    
    Bug: https://bugs.gentoo.org/698978
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest                        |   97 ++
 www-client/firefox/files/gentoo-default-prefs.js   |   13 +
 www-client/firefox/files/gentoo-hwaccel-prefs.js-1 |    1 +
 www-client/firefox/files/icon/firefox-symbolic.svg |   64 ++
 www-client/firefox/firefox-81.0.ebuild             | 1028 ++++++++++++++++++++
 5 files changed, 1203 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2020-09-30 01:09:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaf416cbcda53918cbd9250877bf1bd76ed5f5c1

commit eaf416cbcda53918cbd9250877bf1bd76ed5f5c1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-30 01:02:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-30 01:05:11 +0000

    www-client/firefox: bump to v78.3.0
    
    Closes: https://bugs.gentoo.org/698978
    Closes: https://bugs.gentoo.org/734924
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest              |   97 +++
 www-client/firefox/firefox-78.3.0.ebuild | 1028 ++++++++++++++++++++++++++++++
 2 files changed, 1125 insertions(+)
Comment 5 NATTkA bot gentoo-dev 2020-09-30 01:36:55 UTC
Sanity check failed:

> www-client/firefox-78.3.0
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 6 Sam James archtester gentoo-dev Security 2020-10-01 10:33:54 UTC
*** Bug 745927 has been marked as a duplicate of this bug. ***
Comment 7 NATTkA bot gentoo-dev 2020-10-01 11:44:52 UTC
Unable to check for sanity:

> no match for package: www-client/firefox-78.3.0
Comment 8 NATTkA bot gentoo-dev 2020-10-01 11:48:50 UTC
Unable to check for sanity:

> no match for package: www-client/firefox-78.3.0-r1
Comment 9 NATTkA bot gentoo-dev 2020-10-01 11:53:01 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-10-02 15:04:07 UTC
*** Bug 746104 has been marked as a duplicate of this bug. ***
Comment 11 NATTkA bot gentoo-dev 2020-10-02 15:26:31 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
Comment 12 NATTkA bot gentoo-dev 2020-10-02 15:33:08 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
Comment 13 NATTkA bot gentoo-dev 2020-10-02 19:57:44 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
Comment 14 Thomas Deutschmann gentoo-dev Security 2020-10-02 20:15:46 UTC
There should be a p.use.stable.mask for USE=screencast since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f64d43b3a0af5c8730ddff9b13c84cfdecb2f467
Comment 15 NATTkA bot gentoo-dev 2020-10-02 20:16:56 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
Comment 17 NATTkA bot gentoo-dev 2020-10-02 22:13:58 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 18 Sam James archtester gentoo-dev Security 2020-10-03 00:42:50 UTC
amd64 done
Comment 19 NATTkA bot gentoo-dev 2020-10-03 14:25:06 UTC
Sanity check failed:

> www-client/firefox-78.3.1
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
Comment 20 NATTkA bot gentoo-dev 2020-10-03 14:37:05 UTC
All sanity-check issues have been resolved
Comment 21 Sam James archtester gentoo-dev Security 2020-10-03 16:10:31 UTC
arm64 done
Comment 22 Sam James archtester gentoo-dev Security 2020-10-03 23:45:05 UTC
x86 done

all arches done
Comment 23 Sam James archtester gentoo-dev Security 2020-10-04 00:16:47 UTC
Please clean up.
Comment 24 Larry the Git Cow gentoo-dev 2020-10-10 17:40:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7552dbbb8d915123b39915e935f5342ed5a742ca

commit 7552dbbb8d915123b39915e935f5342ed5a742ca
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:48:32 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:15 +0000

    www-client/firefox-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest                    | 279 -------------------
 www-client/firefox-bin/files/10firefox-bin         |   1 -
 www-client/firefox-bin/files/all-gentoo-3.js       |  22 --
 .../firefox-bin/files/firefox-bin-r1.desktop       | 230 ----------------
 www-client/firefox-bin/files/local-settings.js     |   2 -
 www-client/firefox-bin/firefox-bin-68.12.0.ebuild  | 280 -------------------
 www-client/firefox-bin/firefox-bin-80.0.1.ebuild   | 296 ---------------------
 www-client/firefox-bin/firefox-bin-80.0.ebuild     | 296 ---------------------
 8 files changed, 1406 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28c2356835ff57d2495c1f31b8dbd11c10ab961d

commit 28c2356835ff57d2495c1f31b8dbd11c10ab961d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:44:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:15 +0000

    www-client/firefox: security cleanup
    
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/arch/alpha/package.use.mask               |   1 -
 profiles/default/linux/hppa/package.use.mask       |   4 -
 www-client/firefox/Manifest                        | 279 ------
 www-client/firefox/files/gentoo-default-prefs.js-3 |  19 -
 www-client/firefox/files/icon/firefox-r1.desktop   | 230 -----
 www-client/firefox/files/icon/firefox.desktop      |  10 -
 www-client/firefox/firefox-68.12.0.ebuild          | 935 ---------------------
 www-client/firefox/firefox-80.0.1-r1.ebuild        | 933 --------------------
 www-client/firefox/firefox-80.0.1.ebuild           | 933 --------------------
 www-client/firefox/firefox-80.0.ebuild             | 927 --------------------
 www-client/firefox/metadata.xml                    |   9 -
 11 files changed, 4280 deletions(-)
Comment 25 GLSAMaker/CVETool Bot gentoo-dev 2020-10-17 09:07:23 UTC
This issue was resolved and addressed in
 GLSA 202010-02 at https://security.gentoo.org/glsa/202010-02
by GLSA coordinator Sam James (sam_c).