From secunia security advisory: 1) A use-after-free error exists within shlwapi.dll when closing a child window that uses the file open dialog. 2) An error when handling certain drag and drop actions can be exploited to conduct cross-site scripting attacks. 3) A use-after-free error exists within the "nsSMILTimeValueSpec::ConvertBetweenTimeContainers()" function when handling certain SVG animation. 4) An out-of-bounds read error in SVG filters can be exploited to disclose certain data. 5) An error when handling Content Security Policy headers can be exploited to conduct cross-site scripting attacks. 6) An error when handling "javascript:" home page can be exploited to execute script code in "about:sessionrestore" context. 7) An unspecified error exists when accessing a keyframe's cssText after dynamic modification. 8) The window.fullScreen property does not properly enforce the mozRequestFullscreen policy, which can be exploited to bypass the policy and spoof certain content. 9) Multiple unspecified errors can be exploited to corrupt memory. Successful exploitation of vulnerabilities #1, #3, #6, #7, and #9 may allow execution of arbitrary code. Solution Update or upgrade to Firefox versions 11.0 or 10.0.3, Thunderbird versions 11.0 or 10.0.3, and SeaMonkey version 2.8.
*** Bug 408371 has been marked as a duplicate of this bug. ***
*** Bug 408359 has been marked as a duplicate of this bug. ***
Firefox-10.0.3 and Thunderbird-10.0.3 are in the tree now, and are the stable candidates.
Arches, please test and mark stable: =www-client/firefox-10.0.3 Target keywords : "alpha amd64 arm ia64 ppc x86" =www-client/firefox-bin-10.0.3 Target keywords : "amd64 x86" =mail-client/thunderbird-10.0.3 Target keywords : "alpha amd64 x86" =mail-client/thunderbird-bin-10.0.3 Target keywords : "amd64 x86" =www-client/seamonkey-2.8 Target keywords : "alpha amd64 arm ppc x86" =www-client/seamonkey-bin-2.8 Target keywords : "amd64 x86" Icecat will be masked asap.
(In reply to comment #4) > =www-client/firefox-bin-10.0.3 > =mail-client/thunderbird-bin-10.0.3 > =www-client/seamonkey-bin-2.8 amd64 ok
Pulled in also: =dev-libs/nss-3.13.3 =dev-libs/nspr-4.9
amd64 stable
CVE-2012-0464 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0464): Use-after-free vulnerability in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote attackers to execute arbitrary code via vectors involving an empty argument to the array.join function in conjunction with the triggering of garbage collection. CVE-2012-0463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0463): The nsWindow implementation in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 does not check the validity of an instance after event dispatching, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, as demonstrated by Mobile Firefox on Android. CVE-2012-0462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0462): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2012-0461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0461): Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. CVE-2012-0460 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0460): Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict write access to the window.fullScreen object, which allows remote attackers to spoof the user interface via a crafted web page. CVE-2012-0459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0459): The Cascading Style Sheets (CSS) implementation in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via dynamic modification of a keyframe followed by access to the cssText of the keyframe. CVE-2012-0458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0458): Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict setting the home page through the dragging of a URL to the home button, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a javascript: URL that is later interpreted in the about:sessionrestore context. CVE-2012-0457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0457): Use-after-free vulnerability in the nsSMILTimeValueSpec::ConvertBetweenTimeContainer function in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to execute arbitrary code via an SVG animation. CVE-2012-0456 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0456): The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read. CVE-2012-0455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0455): Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue. CVE-2012-0454 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0454): Use-after-free vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 on 32-bit Windows 7 platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving use of the file-open dialog in a child window, related to the IUnknown_QueryService function in the Windows shlwapi.dll library. CVE-2012-0451 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-0451): CRLF injection vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote web servers to bypass intended Content Security Policy (CSP) restrictions and possibly conduct cross-site scripting (XSS) attacks via crafted HTTP headers.
@mozilla: Will updated 3.6.28 ebuilds be provided for sparc?
(In reply to comment #9) > @mozilla: > > Will updated 3.6.28 ebuilds be provided for sparc? I am not wanting to what I need is a bt of the failure on sparc so it can be resolved.
Arches, could you look out for bug 409331 while testing and report there? This wasn't caught by the AMD64 team.
(In reply to comment #11) > Arches, could you look out for bug 409331 while testing and report there? > This wasn't caught by the AMD64 team. Myckel, this is a duplicate of bug 388585 and this is not a regression.
(In reply to comment #12) > (In reply to comment #11) > > Arches, could you look out for bug 409331 while testing and report there? > > This wasn't caught by the AMD64 team. > > Myckel, this is a duplicate of bug 388585 and this is not a regression. I think it is a regression, www-client/firefox-10.0.1-r1 builts and 10.0.3 does not.
Alright bug 409331 is solved and (independently) bug 388585 is not a regression. x86 stable. Thanks.
Once again, remaining arches will continue in bug 413657
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).
