Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 84074 - www-client/mozilla{-bin}: Version 1.7.6 fixes security issues
Summary: www-client/mozilla{-bin}: Version 1.7.6 fixes security issues
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa] koon
Keywords:
Depends on:
Blocks:
 
Reported: 2005-03-04 04:41 UTC by Thierry Carrez (RETIRED)
Modified: 2005-06-26 06:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-03-04 04:41:05 UTC
Those will be fixed in upcoming Mozilla 1.7.6 release:

MFSA 2005-29 Internationalized Domain Name (IDN) homograph spoofing (Gentoo bug 81113)
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files (Gentoo bug 81011)
MFSA 2005-27 Plugins can be used to load privileged content (CAN-2005-0527) (Gentoo bug 81307)
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab (Gentoo bug 81307)
MFSA 2005-25 Image drag and drop executable spoofing (Gentoo bug 81307)
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-18 Memory overwrite in string library (CAN-2005-0255)
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing (CAN-2004-1156) (Gentoo bug 73870)
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-22 00:38:56 UTC
Fixed in 1.7.6:
MFSA 2005-29  Internationalized Domain Name (IDN) homograph spoofing
MFSA 2005-28 Unsafe /tmp/plugtmp directory exploitable to erase user's files
MFSA 2005-27 Plugins can be used to load privileged content
MFSA 2005-26 Cross-site scripting by dropping javascript: link on tab
MFSA 2005-25 Image drag and drop executable spoofing
MFSA 2005-24 HTTP auth prompt tab spoofing
MFSA 2005-23 Download dialog source spoofing
MFSA 2005-20 XSLT can include stylesheets from arbitrary hosts
MFSA 2005-18 Memory overwrite in string library
MFSA 2005-17 Install source spoofing with user:pass@host
MFSA 2005-16 Spoofing download and security dialogs with overlapping windows
MFSA 2005-15 Heap overflow possible in UTF8 to Unicode conversion
MFSA 2005-14 SSL "secure site" indicator spoofing
MFSA 2005-13 Window Injection Spoofing

Mozilla team, please bump
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-23 06:23:41 UTC
net-www/mozilla bumped to 1.7.6 thanks to brad, mozilla-bin still needed.
CC-ing seemant so that he keeps us posted in case mozilla changes category.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-23 06:26:52 UTC
Arches: please test and mark mozilla-1.7.6 stable...
Comment 4 Brad Laue (RETIRED) gentoo-dev 2005-03-23 06:32:33 UTC
mozilla-bin updated and bumped to stable.
Comment 5 Brad Laue (RETIRED) gentoo-dev 2005-03-23 06:32:56 UTC
Err, on x86. 
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-23 11:22:47 UTC
The new ebuilds fails for me (ppc, USE includes ldap) on libldap50.so:

======= making ./libldap50.so
ld -shared -Wl,-soname -Wl,libldap50.so    -o libldap50.so ./abandon.o ./add.o ./bind.o ./cache.o ./charray.o ./charset.o ./compare.o ./compat.o ./control.o ./countvalues.o ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o ./free.o ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o ./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o ./message.o ./modify.o ./open.o ./os-ip.o ./proxyauthctrl.o ./psearch.o ./referral.o ./regex.o ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o ./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o ./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o  -L/var/tmp/portage/mozilla-1.7.6/work/mozilla/dist/lib -llber50
ld: unrecognized option '-Wl,-soname'
ld: use the --help option for usage information
gmake[5]: *** [libldap50.so] Error 1
gmake[5]: *** Waiting for unfinished jobs....
Comment 7 Serge 2005-03-23 13:36:49 UTC
The new ebuilds fails for me (x86, USE="nptl -kde -qt cdr tcltk -ipv6" with ldap installed) on libldap50.so:

======= making ./libldap50.so
ld -shared -Wl,-soname -Wl,libldap50.so    -o libldap50.so ./abandon.o ./add.o ./bind.o ./cache.o ./charray.o ./charset.o ./compare.o ./compat.o ./control.o ./countvalues.o ./delete.o ./disptmpl.o ./dsparse.o ./error.o ./extendop.o ./free.o ./freevalues.o ./friendly.o ./getattr.o ./getdn.o ./getdxbyname.o ./getentry.o ./getfilter.o ./getoption.o ./getvalues.o ./memcache.o ./message.o ./modify.o ./open.o ./os-ip.o ./proxyauthctrl.o ./psearch.o ./referral.o ./regex.o ./rename.o ./request.o ./reslist.o ./result.o ./saslbind.o ./sbind.o ./search.o ./setoption.o ./sort.o ./sortctrl.o ./srchpref.o ./tmplout.o ./ufn.o ./unbind.o ./unescape.o ./url.o ./utf8.o ./vlistctrl.o  -L/var/tmp/portage/mozilla-1.7.6/work/mozilla/dist/lib -llber50
ld: unrecognized option '-Wl,-soname'
ld: use the --help option for usage information
gmake[5]: *** [libldap50.so] Error 1
gmake[5]: *** Waiting for unfinished jobs....
Comment 8 Aron Griffis (RETIRED) gentoo-dev 2005-03-23 14:41:54 UTC
Ok, I fixed the ldap issue, I believe.  Please update and test
Comment 9 Jason Wever (RETIRED) gentoo-dev 2005-03-23 20:33:48 UTC
SPARCtastic
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-03-24 01:37:13 UTC
Arches, please test and mark stable:

mozilla-1.7.6-r1: alpha amd64 hppa ia64 ppc
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-03-24 11:44:39 UTC
Stable on ppc.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-03-25 00:41:38 UTC
alpha and ia64 are done
Comment 13 Serge 2005-03-25 03:46:34 UTC
on x86 the libldap50.so error is corrected
Thanks.
Comment 14 Simon Stelling (RETIRED) gentoo-dev 2005-03-25 03:52:27 UTC
all stable on amd64
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-03-25 05:01:26 UTC
GLSA 200503-30
hppa sould mark stable to benefit from GLSA
Comment 16 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 06:29:44 UTC
ebuild no longer in portage