Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 246602 (CVE-2008-0017) - Mozilla Firefox, Thunderbird, Seamonkey, Xulrunner: ".18" fixes (CVE-2008-{0017,4582,5012,5013,5014,5015,5017,5018,5019,5021,5022,5023,5024,5052,6961})
Summary: Mozilla Firefox, Thunderbird, Seamonkey, Xulrunner: ".18" fixes (CVE-2008-{00...
Status: RESOLVED FIXED
Alias: CVE-2008-0017
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/annou...
Whiteboard: A2 [glsa]
Keywords:
: 246751 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-11-13 11:57 UTC by stupendoussteve
Modified: 2013-01-08 01:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description stupendoussteve 2008-11-13 11:57:32 UTC
MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-47 Information stealing via local shortcut files (appears to be Windows-only)
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome


Problems Fixed in:
Firefox 3.0.4
Firefox 2.0.0.18
Thunderbird 2.0.0.18
SeaMonkey 1.1.13

Reproducible: Always
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2008-11-14 09:55:27 UTC
www-client/mozilla-firefox-2.0.0.18:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
www-client/mozilla-firefox-bin-2.0.0.18:
Arches: amd64 x86

www-client/seamonkey-1.1.13:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
www-client/seamonkey-bin-1.1.13:
Arches: amd64 x86

net-libs/xulrunner-1.8.1.18:
Arches: alpha arm amd64 hppa ia64 ppc ppc64 sparc x86
net-libs/xulrunner-bin-1.8.1.18:
Arches: amd64 x86

All in the tree, thunderbird will go out on 19th november
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2008-11-14 16:41:40 UTC
*** Bug 246751 has been marked as a duplicate of this bug. ***
Comment 3 Markus Rothe (RETIRED) gentoo-dev 2008-11-15 12:59:38 UTC
ppc64 stable
Comment 4 Markus Meier gentoo-dev 2008-11-15 16:04:19 UTC
amd64/x86 stable
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2008-11-15 17:21:49 UTC
alpha/arm/ia64/sparc stable
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-15 17:52:36 UTC
ppc stable
Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2008-11-15 22:17:48 UTC
CVE-2008-5052 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5052):
  The AppendAttributeValue function in the JavaScript engine in Mozilla
  Firefox 2.x before 2.0.0.18, Thunderbird 2.x before 2.0.0.18, and
  SeaMonkey 1.x before 1.1.13 allows remote attackers to cause a denial
  of service (crash) via unknown vectors that trigger memory
  corruption, as demonstrated by e4x/extensions/regress-410192.js.
Comment 8 Jeroen Roovers gentoo-dev 2008-11-16 15:32:16 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2008-11-20 19:49:57 UTC
Please stabilize:
mail-client/mozilla-thunderbird-2.0.0.18
Arches: alpha amd64 ia64 ppc ppc64 sparc x86

mail-client/mozilla-thunderbird-bin-2.0.0.18
Arches: amd64 x86

Thanks
Comment 10 Markus Meier gentoo-dev 2008-11-22 14:03:14 UTC
amd64/x86 stable
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-22 15:52:46 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2008-11-23 16:22:47 UTC
alpha/ia64/sparc stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2008-11-24 20:33:54 UTC
ppc64 done
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 20:24:19 UTC
GLSA request filed, any reason why nobody did this before me?
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2010-01-29 11:54:58 UTC
CVE-2008-6961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-6961):
  mailnews in Mozilla Thunderbird before 2.0.0.18 and SeaMonkey before
  1.1.13, when JavaScript is enabled in mail, allows remote attackers
  to obtain sensitive information about the recipient, or comments in
  forwarded mail, via script that reads the (1) .documentURI or (2)
  .textContent DOM properties.

Comment 16 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:35:46 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:02:50 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).