From the advisory

Title: Crashes with evidence of memory corruption (rv:1.9.0.6)
Impact: Critical
Announced: February 3, 2009
Reporter: Mozilla developers
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.6, Thunderbird 2.0.0.21, SeaMonkey 1.1.15

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code. Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images.
Firefox 3.0.6 is available, please provide an ebuild, also because of 255687, 255234 and 256131.
*** Bug 257630 has been marked as a duplicate of this bug. ***
www-client/mozilla-firefox-3.0.6: Arches: alpha arm amd64 hppa ia64 ppc ppc64 x86
www-client/mozilla-firefox-bin-3.0.6: Arches: amd64 x86
net-libs/xulrunner-1.9.0.6: Arches: alpha arm amd64 hppa ia64 ppc ppc64 x86

This also needs =dev-libs/nss-3.12.2 stable. I don't see a seamonkey release planned, and thunderbird will come out in March. Proceed as you wish.
CVE-2009-0352 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0352): Multiple unspecified vulnerabilities in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the layout engine and destruction of arbitrary layout objects by the nsViewManager::Composite function.

CVE-2009-0353 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0353): Unspecified vulnerability in Mozilla Firefox 3.x before 3.0.6, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to the JavaScript engine.

CVE-2009-0354 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0354): Cross-domain vulnerability in js/src/jsobj.cpp in Mozilla Firefox 3.x before 3.0.6 allows remote attackers to bypass the Same Origin Policy, and access the properties of an arbitrary window and conduct cross-site scripting (XSS) attacks, via vectors involving a chrome XBL method and the window.eval function.

CVE-2009-0355 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0355): components/sessionstore/src/nsSessionStore.js in Mozilla Firefox before 3.0.6 does not block changes of INPUT elements to type="file" during tab restoration, which allows user-assisted remote attackers to read arbitrary files on a client machine via a crafted INPUT element.

CVE-2009-0356 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0356): Mozilla Firefox before 3.0.6 and SeaMonkey do not block links to the (1) about:plugins and (2) about:config URIs from .desktop files, which allows user-assisted remote attackers to bypass the Same Origin Policy and execute arbitrary code with chrome privileges via vectors involving the URL field in a Desktop Entry section of a .desktop file, related to representation of about: URIs as jar:file:// URIs. NOTE: this issue exists because of an incomplete fix for CVE-2008-4582.

CVE-2009-0357 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0357): Mozilla Firefox before 3.0.6 and SeaMonkey before 1.1.15 do not properly restrict access from web pages to the (1) Set-Cookie and (2) Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism.

CVE-2009-0358 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0358): Mozilla Firefox 3.x before 3.0.6 does not properly implement the (1) no-store and (2) no-cache Cache-Control directives, which allows local users to obtain sensitive information by using the (a) back button or (b) history list of the victim's browser, as demonstrated by reading the response page of an https POST request.
Is there a reason arch teams aren't cc'ed? It's a week now...
http://bugs.gentoo.org/show_activity.cgi?id=257577 The mozilla herd was cc'ed from the beginning.
Carsten: I didn't add them, because I'm very short on time currently and didn't look. And why did I read herd? I'm confused. Anyways, what is this place?! :D
Formal request to arches:

Arches, please test and mark stable:
=www-client/mozilla-firefox-3.0.6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
I didn't imply anything, Craig. ;) There's always the chance there's a reason not stated in the bug report. I consider it to be the package maintainer's responsibility to cc the arch teams anyway. It's a (hopefully) maintained package having to go through the security process, not the other way around, after all.

(In reply to comment #8)
> Arches, please test and mark stable:
> =www-client/mozilla-firefox-3.0.6
> Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

And also the ebuilds stated in comment three.
Stable for HPPA.
ppc64 and ppc done
Good morning!
(In reply to comment #12)
> Good morning!

While I personally like such ironic comments, the (lack of) man power remains the same. Getting your hands dirty makes the difference.
amd64/x86 stable
alpha/arm/ia64 stable
Arches, please test and mark stable:
=www-client/seamonkey-1.1.16
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
And =www-client/seamonkey-bin-1.1.16
Target keywords : "amd64 x86"
amd64 done
alpha/arm/ia64/sparc/x86 stable
nirbheek, can you say something about the status of xulrunner-bin? We need to dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable shortly.
ppc and ppc64 done
(In reply to comment #20)
> nirbheek, can you say something about the status of xulrunner-bin? We need to
> dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable
> shortly.

ping, nirbheek / mozilla herd?
(In reply to comment #23)
> (In reply to comment #20)
> > nirbheek, can you say something about the status of xulrunner-bin? We need to
> > dump the 1.8 versions and get one based on 1.9.0.8 in the tree and stable
> > shortly.
>
> ping, nirbheek / mozilla herd?

Bad nirbheek. We can't remove xulrunner-bin-1.8* because it contains libgtkembedmoz, which xul-1.9 doesn't have. The only user of xulrunner-bin AFAIK is acroread, so ask the maintainers :) Still, that would be a short-lived package :P
CVE-2009-2535 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2535): Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and Thunderbird allow remote attackers to cause a denial of service (memory consumption and application crash) via a large integer value for the length property of a Select object, a related issue to CVE-2009-1692.
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
GLSA with other mozilla bugs.
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).