Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 342847 (CVE-2010-3765) - <www-client/firefox{-bin}-3.6.12, <mail-client/thunderbird{-bin}-3.1.6, <www-client/seamonkey{-bin}-2.0.10: Remote Code Execution Vulnerability (CVE-2010-3765)
Summary: <www-client/firefox{-bin}-3.6.12, <mail-client/thunderbird{-bin}-3.1.6, <www-...
Status: RESOLVED FIXED
Alias: CVE-2010-3765
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://blog.mozilla.com/security/2010...
Whiteboard: A2 [glsa]
Keywords:
Depends on: 342323
Blocks:
  Show dependency tree
 
Reported: 2010-10-27 00:26 UTC by Tim Sammut (RETIRED)
Modified: 2013-01-08 01:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-10-27 00:26:21 UTC
From $URL: 

Issue:
Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.

Impact to users:
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

Status:
We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:

    * Disabling JavaScript in Firefox
    * Using the NoScript Add-on


This appears to this upstream bug, which is currently embargoed:

https://bugzilla.mozilla.org/show_bug.cgi?id=CVE-2010-3765
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-10-28 05:02:03 UTC
Mozilla has released their advisory, and fixed software.

http://www.mozilla.org/security/announce/2010/mfsa2010-73.html

Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2010-10-28 18:09:06 UTC
In the long tradition of security-related stabilization requests the mozilla team would like arch teams to stabilize the following packages:


Target keywords for =net-libs/xulrunner-1.9.2.12/=www-client/firefox-3.6.12 are:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~amd64-linux ~ia64-linux ~x86-linux ~sparc-solaris ~x64-solaris ~x86-solaris

Target keywords for =mail-client/thunderbird-3.1.6 are:
alpha amd64 arm ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux

Target keywords for =www-client/seamonkey-2.0.10 are:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

Taget keywords for =www-client/firefox-bin-3.6.12/=www-client/seamonkey-bin-2.0.10 are:
amd64 x86


www-client/icecat is lacking behind as usual. So amd46-, ppc-, ppc64- and x86-arches please prepare to get re-added once icecat comes with a bugfix-release, too.

Comment 3 Jeroen Roovers gentoo-dev 2010-10-29 02:59:24 UTC
Stable for HPPA.
Comment 4 Jeroen Roovers gentoo-dev 2010-10-29 06:36:24 UTC
Stable for PPC.
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2010-10-29 11:25:32 UTC
Target keywords for =mail-client/thunderbird-bin-3.1.6:
amd64 x86
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-10-29 11:33:07 UTC
amd64 done
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2010-10-30 00:37:21 UTC
ppc64 done
Comment 8 Markus Meier gentoo-dev 2010-10-30 10:06:19 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2010-10-30 18:24:56 UTC
arm stable
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2010-10-31 16:34:07 UTC
Mozilla team, Icecat 3.6.12 is released, please bump and readd

ppc@gentoo.org, ppc64@gentoo.org, x86@gentoo.org,amd64@gentoo.org
Comment 11 Jory A. Pratt gentoo-dev 2010-10-31 17:20:06 UTC
re-added archs for stabilization of icecat-3.6.12
Comment 12 Jory A. Pratt gentoo-dev 2010-10-31 17:21:08 UTC
would help to click add archs.
Comment 13 Markos Chandras (RETIRED) gentoo-dev 2010-10-31 18:34:51 UTC
amd64 done
Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2010-11-01 12:01:55 UTC
x86 stable
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2010-11-01 17:24:51 UTC
ppc64 done
Comment 16 Jeroen Roovers gentoo-dev 2010-11-09 15:28:38 UTC
Stable for PPC.
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2010-11-14 12:49:39 UTC
alpha/ia64/sparc stable
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2010-11-14 14:28:05 UTC
ppc64, please stabilize:

=www-client/icecat-3.6.12

Thank you.
Comment 19 Brent Baude (RETIRED) gentoo-dev 2010-11-28 14:14:27 UTC
ppc64 done
Comment 20 Tim Sammut (RETIRED) gentoo-dev 2010-11-28 15:19:34 UTC
Thanks, folks. Added to existing Mozilla GLSA request. 
Comment 21 Jory A. Pratt gentoo-dev 2010-12-30 03:52:38 UTC
Nothing for mozilla team to handle, tree has all appropriate updates.
Comment 22 Jory A. Pratt gentoo-dev 2010-12-30 03:54:13 UTC
sorry for the noise just forgot to remove mozilla team from the bug reports.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2011-06-24 19:33:21 UTC
CVE-2010-3765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3765):
  Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird
  3.1.6 before 3.1.6 and 3.0.x before 3.0.10, and SeaMonkey 2.x before 2.0.10,
  when JavaScript is enabled, allows remote attackers to execute arbitrary
  code via vectors related to nsCSSFrameConstructor::ContentAppended, the
  appendChild method, incorrect index tracking, and the creation of multiple
  frames, which triggers memory corruption, as exploited in the wild in
  October 2010 by the Belmoo malware.
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:27 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).