Bug 802768 (CVE-2021-29972, CVE-2021-29974, CVE-2021-29975, CVE-2021-29977) - <www-client/firefox{-bin,}-{78.12.0,90.0}: multiple vulnerabilities (CVE-2021-{29972,29974,29975,29977})
Status: IN_PROGRESS
Alias: CVE-2021-29972, CVE-2021-29974, CVE-2021-29975, CVE-2021-29977
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa?]
Keywords:
Depends on:
Blocks: CVE-2021-29970, CVE-2021-29976, CVE-2021-30547
Reported: 2021-07-18 16:22 UTC by John Helmert III
Modified: 2021-08-24 13:20 UTC

See Also:
Package list:
www-client/firefox-78.12.0
Runtime testing required: ---
nattka: sanity-check-


Description John Helmert III gentoo-dev Security 2021-07-18 16:22:26 UTC
CVE-2021-29972: Use of out-of-date library included use-after-free vulnerability

A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well.

CVE-2021-29974: HSTS errors could be overridden when network partitioning was enabled

When network partitioning was enabled, e.g. as a result of Enhanced Tracking Protection settings, a TLS error page would allow the user to override an error on a domain which had specified HTTP Strict Transport Security (which implies that the error should not be override-able.) This issue did not affect the network connections, and they were correctly upgraded to HTTPS automatically.

CVE-2021-29975: Text message could be overlaid on top of another website

Through a series of DOM manipulations, a message, over which the attacker had control of the text but not HTML or formatting, could be overlaid on top of another domain (with the new domain correctly shown in the address bar) resulting in possible user confusion.

CVE-2021-29977: Memory safety bugs fixed in Firefox 90

Mozilla developers Andrew McCreight, Tyson Smith, Christian Holler, and Gabriele Svelto reported memory safety bugs present in Firefox 89. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.


Need to stabilize 78.12.0.
Comment 1 Larry the Git Cow gentoo-dev 2021-07-22 05:33:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=57b2b525563f1f8ad9a15e963cae3565e2ab4332

commit 57b2b525563f1f8ad9a15e963cae3565e2ab4332
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-22 05:32:08 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-22 05:33:48 +0000

    www-client/firefox-bin: drop vulnerable versions
    
     - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0
    
    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox-bin/Manifest                   | 485 ----------------------
 www-client/firefox-bin/firefox-bin-78.11.0.ebuild | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.1.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.2.ebuild  | 411 ------------------
 www-client/firefox-bin/firefox-bin-89.0.ebuild    | 411 ------------------
 www-client/firefox-bin/firefox-bin-90.0.ebuild    | 417 -------------------
 6 files changed, 2546 deletions(-)
Comment 2 Sam James archtester gentoo-dev Security 2021-07-23 17:56:46 UTC
x86 done
Comment 3 Sam James archtester gentoo-dev Security 2021-07-23 17:58:07 UTC
amd64 done
Comment 4 Sam James archtester gentoo-dev Security 2021-07-26 00:30:42 UTC
arm64 done

all arches done
Comment 5 Sam James archtester gentoo-dev Security 2021-07-26 00:33:21 UTC
Please clean up, thanks!
Comment 6 Larry the Git Cow gentoo-dev 2021-07-26 05:23:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5e8c0b609a7a5247b6b75b63e1845aa50757c628

commit 5e8c0b609a7a5247b6b75b63e1845aa50757c628
Author:     Joonas Niilola <juippis@gentoo.org>
AuthorDate: 2021-07-26 05:22:28 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2021-07-26 05:23:30 +0000

    www-client/firefox: security cleanup
    
     - drop 78.11.0, 89.0, 89.0.1, 89.0.2, 90.0, 90.0.1
    
    Bug: https://bugs.gentoo.org/802768
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-client/firefox/Manifest               |  584 --------------
 www-client/firefox/firefox-78.11.0.ebuild | 1183 -----------------------------
 www-client/firefox/firefox-89.0.1.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.2.ebuild  | 1179 ----------------------------
 www-client/firefox/firefox-89.0.ebuild    | 1179 ----------------------------
 www-client/firefox/firefox-90.0.1.ebuild  | 1182 ----------------------------
 www-client/firefox/firefox-90.0.ebuild    | 1182 ----------------------------
 7 files changed, 7668 deletions(-)
Comment 7 NATTkA bot gentoo-dev 2021-08-24 13:20:31 UTC
Unable to check for sanity:

> no match for package: www-client/firefox-78.12.0