Bug 262704 (CVE-2009-1044) - <www-client/mozilla-firefox-3.0.8: Multiple vulnerabilities (CVE-2009-{1044,1169})
Summary: <www-client/mozilla-firefox-3.0.8: Multiple vulnerabilities (CVE-2009-{1044,1169})
Status: RESOLVED FIXED
Alias: CVE-2009-1044
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: https://developer.mozilla.org/devnews...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-03-16 20:02 UTC by Alex Legler (RETIRED)
Modified: 2013-01-08 01:03 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-16 20:02:57 UTC
From milw0rm:

Mozilla Firefox 3.0.7 OnbeforeUnLoad DesignMode Dereference Crash
(see URL for PoC code)
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-16 20:07:33 UTC
Exploit crashed non-bin Fx 3.0.7 here on amd64.

Mozilla people, I'm sure you know the upstream bugzie better than I do, maybe you find an upstream bug or feel like opening one. ;)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-03-28 10:26:32 UTC
CVE-2009-1044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1044):
  Unspecified vulnerability in Mozilla Firefox 3.0.7 on Windows 7
  allows remote attackers to execute arbitrary code via unknown vectors
  triggered by clicking on a link, as demonstrated by Nils during a
  PWN2OWN competition at CanSecWest 2009.

CVE-2009-1169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1169):
  The txMozillaXSLTProcessor::TransformToDoc function in Mozilla
  Firefox 3.0.7 and earlier allows remote attackers to cause a denial
  of service (crash) via an XML file with a crafted XSLT transform.
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2009-03-28 17:01:22 UTC
Arches, please test and mark stable:
=net-libs/xulrunner-1.9.0.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 x86"
=www-client/mozilla-firefox-3.0.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 x86"
=www-client/mozilla-firefox-bin-3.0.8
Target keywords : "amd64 x86"
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2009-03-29 14:37:03 UTC
Stable for HPPA.
Comment 5 nixnut (RETIRED) gentoo-dev 2009-03-29 17:04:29 UTC
ppc stable
Comment 6 Richard Freeman gentoo-dev 2009-03-29 17:21:28 UTC
=net-libs/xulrunner-1.9.0.8
=www-client/mozilla-firefox-3.0.8

stable on amd64 (-bin still remains)
Comment 7 Brent Baude (RETIRED) gentoo-dev 2009-03-29 22:47:39 UTC
ppc64 done
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-03-30 15:12:28 UTC
alpha/arm/ia64/x86 stable, sparc has nothing to do here
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-04-02 08:11:47 UTC
ping, amd64
Comment 10 Olivier Crete (RETIRED) gentoo-dev 2009-04-02 14:26:44 UTC
rich0 made it amd64 stable 3 days ago.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-04-02 14:31:23 UTC
(In reply to comment #10)
> rich0 made it amd64 stable 3 days ago.
> 

not mozilla-firefox-bin
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2009-04-02 14:38:06 UTC
-bin done
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-04-04 15:06:16 UTC
Alright, already handled in glsamaker.
Comment 14 Nirbheek Chauhan (RETIRED) gentoo-dev 2009-05-01 21:03:46 UTC
All done?
Comment 15 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:22:35 UTC
Nothing for mozilla team to do here, none of the affected versions are in-tree anymore.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:13 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).