* CVE-2020-15677 Description: "By exploiting an Open Redirect vulnerability on a website, an attacker could have spoofed the site displayed in the download file dialog to show the original site (the one suffering from the open redirect) rather than the site the file was actually downloaded from."
* CVE-2020-15676 Description: "Firefox sometimes ran the onload handler for SVG elements that the DOM sanitizer decided to remove, resulting in JavaScript being executed after pasting attacker-controlled data into a contenteditable element."
* CVE-2020-15678 Description: "When recursing through graphical layers while scrolling, an iterator may have become invalid, resulting in a potential use-after-free. This occurs because the function APZCTreeManager::ComputeClippedCompositionBounds did not follow iterator invalidation rules."
* CVE-2020-15673 Description: "Mozilla developer Jason Kratzer reported memory safety bugs present in Firefox 80 and Firefox ESR 78.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
*** Bug 744709 has been marked as a duplicate of this bug. ***
FYI: The reason for the slight delay has been rewriting the whole shebang to drop Python 2.x and other long-standing cleanups due. It should be here soon.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed273ce18a8de3340424291814e8376b4e787792

commit ed273ce18a8de3340424291814e8376b4e787792
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-29 23:29:43 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-29 23:39:33 +0000

    www-client/firefox: bump to v81.0

    Bug: https://bugs.gentoo.org/698978
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest                        |   97 ++
 www-client/firefox/files/gentoo-default-prefs.js   |   13 +
 www-client/firefox/files/gentoo-hwaccel-prefs.js-1 |    1 +
 www-client/firefox/files/icon/firefox-symbolic.svg |   64 ++
 www-client/firefox/firefox-81.0.ebuild             | 1028 ++++++++++++++++++++
 5 files changed, 1203 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eaf416cbcda53918cbd9250877bf1bd76ed5f5c1

commit eaf416cbcda53918cbd9250877bf1bd76ed5f5c1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-09-30 01:02:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-09-30 01:05:11 +0000

    www-client/firefox: bump to v78.3.0

    Closes: https://bugs.gentoo.org/698978
    Closes: https://bugs.gentoo.org/734924
    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox/Manifest              |   97 +++
 www-client/firefox/firefox-78.3.0.ebuild | 1028 ++++++++++++++++++++++++++++++
 2 files changed, 1125 insertions(+)
Sanity check failed:

> www-client/firefox-78.3.0
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
*** Bug 745927 has been marked as a duplicate of this bug. ***
Unable to check for sanity:

> no match for package: www-client/firefox-78.3.0
Unable to check for sanity:

> no match for package: www-client/firefox-78.3.0-r1
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>     media-video/pipewire:0/0.3
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     >=media-libs/libvpx-1.8.2:0=[postproc]
*** Bug 746104 has been marked as a duplicate of this bug. ***
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>     media-video/pipewire:0/0.3
>   depend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
>   rdepend arm64 stable profile default/linux/arm64/17.0 (9 total)
>     >=media-libs/harfbuzz-2.6.8:0=
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 stable profile default/linux/amd64/17.0 (39 total)
>     media-video/pipewire:0/0.3
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     media-video/pipewire:0/0.3
There should be a p.use.stable.mask for USE=screencast since https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f64d43b3a0af5c8730ddff9b13c84cfdecb2f467
2nd attempt, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=19f9b22e442231e79c4607ecae8ca731dd27d397
Sanity check failed:

> www-client/firefox-78.3.1
>   depend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 stable profile default/linux/amd64/17.0 (28 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (1 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
amd64 done
Sanity check failed:

> www-client/firefox-78.3.1
>   depend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
>   rdepend x86 stable profile default/linux/x86/17.0 (11 total)
>     >=media-libs/libvpx-1.8.2:0=[postproc]
All sanity-check issues have been resolved
arm64 done
x86 done

all arches done
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7552dbbb8d915123b39915e935f5342ed5a742ca

commit 7552dbbb8d915123b39915e935f5342ed5a742ca
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:48:32 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:15 +0000

    www-client/firefox-bin: security cleanup

    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 www-client/firefox-bin/Manifest                    | 279 -------------------
 www-client/firefox-bin/files/10firefox-bin         |   1 -
 www-client/firefox-bin/files/all-gentoo-3.js       |  22 --
 .../firefox-bin/files/firefox-bin-r1.desktop       | 230 ----------------
 www-client/firefox-bin/files/local-settings.js     |   2 -
 www-client/firefox-bin/firefox-bin-68.12.0.ebuild  | 280 -------------------
 www-client/firefox-bin/firefox-bin-80.0.1.ebuild   | 296 ---------------------
 www-client/firefox-bin/firefox-bin-80.0.ebuild     | 296 ---------------------
 8 files changed, 1406 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28c2356835ff57d2495c1f31b8dbd11c10ab961d

commit 28c2356835ff57d2495c1f31b8dbd11c10ab961d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-10 16:44:49 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-10 17:40:15 +0000

    www-client/firefox: security cleanup

    Bug: https://bugs.gentoo.org/744208
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/arch/alpha/package.use.mask               |   1 -
 profiles/default/linux/hppa/package.use.mask       |   4 -
 www-client/firefox/Manifest                        | 279 ------
 www-client/firefox/files/gentoo-default-prefs.js-3 |  19 -
 www-client/firefox/files/icon/firefox-r1.desktop   | 230 -----
 www-client/firefox/files/icon/firefox.desktop      |  10 -
 www-client/firefox/firefox-68.12.0.ebuild          | 935 --------------------
 www-client/firefox/firefox-80.0.1-r1.ebuild        | 933 --------------------
 www-client/firefox/firefox-80.0.1.ebuild           | 933 --------------------
 www-client/firefox/firefox-80.0.ebuild             | 927 --------------------
 www-client/firefox/metadata.xml                    |   9 -
 11 files changed, 4280 deletions(-)
This issue was resolved and addressed in GLSA 202010-02 at https://security.gentoo.org/glsa/202010-02 by GLSA coordinator Sam James (sam_c).
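The point a practitioner takes from this bug is which installed www-client/firefox versions are still exposed to the four CVEs above: 78.3.1 was stabilised on the ESR line, 81.0 was added on the rapid-release line, and 68.12.0, 80.0, 80.0.1 and 80.0.1-r1 were removed in the security cleanup. A naive "installed < 78.3.1" check would wrongly clear 80.0.1, because Firefox 80 and ESR 78 are two release lines. The script below is an added example, not Gentoo's own glsa-check and not code from this bug; it reimplements a simplified subset of the PMS version ordering (dotted numbers, optional trailing letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision, ignoring the leading-zero rule for later components) and treats a version as fixed only when it is at or above the newest fix or at or above a fix on its own major line. The fixed-version list, the VDB path and the sample installed entries are assumptions taken from this page, not from a real system; firefox-bin is deliberately untracked because the page gives no fixed version for it.

```python
"""Flag installed Firefox versions older than the fixes stabilised on this bug.
Illustrative only: the real tool is glsa-check from app-portage/gentoolkit."""
import os
import re

# Fixed versions supported by the page: 78.3.1 (ESR line) and 81.0 (rapid line).
# firefox-bin is not tracked because the page gives no fixed version for it.
FIXED = {"www-client/firefox": ["78.3.1", "81.0"]}

# Constructed sample of Portage VDB entries (what `ls /var/db/pkg/*/` shows);
# not taken from a real machine.
SAMPLE_INSTALLED = [
    "www-client/firefox-80.0.1-r1",
    "www-client/firefox-bin-80.0.1",
    "app-portage/gentoolkit-0.5.0",
]

_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)
# category/pn-ver: the version starts at the last '-' followed by a digit.
_CPV_RE = re.compile(r"^(?P<cp>[^/]+/.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")


def version_key(version):
    """Sort key reproducing Gentoo ordering for the supported version shapes.
    A bare version sorts above _alpha/_beta/_pre/_rc and below _p, which the
    (0, 0) placeholder suffix encodes."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    ) or ((0, 0),)
    revision = int(m.group("rev") or 0)
    return (nums, letter, suffixes, revision)


def split_cpv(cpv):
    """'www-client/firefox-bin-80.0.1' -> ('www-client/firefox-bin', '80.0.1')."""
    m = _CPV_RE.match(cpv)
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group("cp"), m.group("ver")


def is_vulnerable(cpv):
    """True if a tracked package is older than its fix, False if fixed,
    None if the package is not tracked at all."""
    cp, ver = split_cpv(cpv)
    if cp not in FIXED:
        return None
    key = version_key(ver)
    fixes = [version_key(f) for f in FIXED[cp]]
    if key >= max(fixes):
        return False
    # Older than the newest fix: only safe when it sits at or above a fix on
    # its own major line (78.3.1 covers 78.x; 80.x has no fix, so it is out).
    return not any(key >= f and key[0][0] == f[0][0] for f in fixes)


def scan(installed):
    """Return the installed CPVs that are still vulnerable."""
    found = []
    for cpv in installed:
        try:
            if is_vulnerable(cpv):
                found.append(cpv)
        except ValueError:
            continue  # VDB oddities such as -MERGING- directories
    return found


def list_installed(vdb="/var/db/pkg"):
    """Read CPVs from the Portage VDB; returns [] when not on Gentoo."""
    if not os.path.isdir(vdb):
        return []
    return [
        f"{cat}/{pv}"
        for cat in sorted(os.listdir(vdb))
        if os.path.isdir(os.path.join(vdb, cat))
        for pv in sorted(os.listdir(os.path.join(vdb, cat)))
    ]


if __name__ == "__main__":
    for hit in scan(list_installed() or SAMPLE_INSTALLED):
        print(f"VULNERABLE: {hit} (fixed in {', '.join(FIXED[split_cpv(hit)[0]])})")
```

On a real Gentoo host the same question is answered by `glsa-check -t all` (or `glsa-check -p 202010-02` for this advisory), which works from the signed GLSA data rather than a hand-maintained list; the value of the script is in making the two-line subtlety explicit, since real GLSAs encode it as separate unaffected ranges.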