Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 489796 (CVE-2013-5590) - <mail-client/thunderbird{,-bin}-24.1.1-r1, <www-client/firefox{,-bin}-24.1.1-r1, <www-client/seamonkey{,-bin}-2.22.1: Multiple vulnerabilities (CVE-2013-{5590,5591,5592,5593,5595,5596,5597,5598,5599,5600,5601,5602,5603,5604})
Summary: <mail-client/thunderbird{,-bin}-24.1.1-r1, <www-client/firefox{,-bin}-24.1.1-...
Status: RESOLVED FIXED
Alias: CVE-2013-5590
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/security/anno...
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-29 17:37 UTC by Alex Xu (Hello71)
Modified: 2015-04-07 10:17 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Xu (Hello71) 2013-10-29 17:37:43 UTC
Fixed in Firefox ESR 24.1
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-99 Security bypass of PDF.js checks using iframes
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Fixed in Firefox ESR 17.0.10
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Fixed in Thunderbird ESR 17.0.10
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)

Fixed in SeaMonkey 2.22
MFSA 2013-102 Use-after-free in HTML document templates
MFSA 2013-101 Memory corruption in workers
MFSA 2013-100 Miscellaneous use-after-free issues found through ASAN fuzzing
MFSA 2013-98 Use-after-free when updating offline cache
MFSA 2013-97 Writing to cycle collected object during image decoding
MFSA 2013-96 Improperly initialized memory and overflows in some JavaScript functions
MFSA 2013-95 Access violation with XSLT and uninitialized data
MFSA 2013-94 Spoofing addressbar though SELECT element
MFSA 2013-93 Miscellaneous memory safety hazards (rv:25.0 / rv:24.1 / rv:17.0.10)
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2013-11-02 15:27:38 UTC
+*seamonkey-2.22 (02 Nov 2013)
+
+  02 Nov 2013; Lars Wendler <polynomial-c@gentoo.org> +seamonkey-2.22.ebuild:
+  Security bump (bug #489796).
+
Comment 2 Jory A. Pratt gentoo-dev 2013-11-04 14:04:25 UTC
thunderbird/firefox-24.1.0 are in tree ready to go stable. We are not gonna do 17.0.10 release we are moving esr to 24.1.0 ALL ebuilds are in tree we can bring in archs anytime.
Comment 3 Ian Stakenvicius gentoo-dev 2013-11-04 15:50:38 UTC
CVE list is as follows:

CVE-2013-5604
CVE-2013-5603
CVE-2013-5602
CVE-2013-5601
CVE-2013-5600
CVE-2013-5599
CVE-2013-5598
CVE-2013-5597
CVE-2013-5596
CVE-2013-5595
CVE-2013-5593
CVE-2013-5592
CVE-2013-5591
CVE-2013-5590

Note, MFSA 2013-93 also includes a listing of 
CVE-2013-1739 , which is for NSS, therefore only applies to *-bin packages.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-11-05 02:07:26 UTC
CVE-2013-5604 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5604):
  The txXPathNodeUtils::getBaseURI function in the XSLT processor in Mozilla
  Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
  Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
  before 2.22 does not properly initialize data, which allows remote attackers
  to execute arbitrary code or cause a denial of service (stack-based buffer
  overflow and application crash) via crafted documents.

CVE-2013-5603 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5603):
  Use-after-free vulnerability in the
  nsContentUtils::ContentIsHostIncludingDescendantOf function in Mozilla
  Firefox before 25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1,
  and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code
  or cause a denial of service (heap memory corruption) via vectors involving
  HTML document templates.

CVE-2013-5602 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5602):
  The Worker::SetEventListener function in the Web workers implementation in
  Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before
  24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and
  SeaMonkey before 2.22 allows remote attackers to execute arbitrary code or
  cause a denial of service (memory corruption) via vectors related to direct
  proxies.

CVE-2013-5601 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5601):
  Use-after-free vulnerability in the nsEventListenerManager::SetEventHandler
  function in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and
  24.x before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before
  17.0.10, and SeaMonkey before 2.22 allows remote attackers to execute
  arbitrary code via vectors related to a memory allocation through the
  garbage collection (GC) API.

CVE-2013-5600 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5600):
  Use-after-free vulnerability in the
  nsIOService::NewChannelFromURIWithProxyFlags function in Mozilla Firefox
  before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
  Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
  before 2.22 allows remote attackers to execute arbitrary code via vectors
  involving a blob: URL.

CVE-2013-5599 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5599):
  Use-after-free vulnerability in the nsIPresShell::GetPresContext function in
  the PresShell (aka presentation shell) implementation in Mozilla Firefox
  before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
  Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
  before 2.22 allows remote attackers to execute arbitrary code or cause a
  denial of service (heap memory corruption and application crash) via vectors
  involving a CANVAS element, a mozTextStyle attribute, and an onresize event.

CVE-2013-5598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5598):
  PDF.js in Mozilla Firefox before 25.0 and Firefox ESR 24.x before 24.1 does
  not properly handle the appending of an IFRAME element, which allows remote
  attackers to read arbitrary files or execute arbitrary JavaScript code with
  chrome privileges by using this element within an embedded PDF object.

CVE-2013-5597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5597):
  Use-after-free vulnerability in the nsDocLoader::doStopDocumentLoad function
  in Mozilla Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x
  before 24.1, Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10,
  and SeaMonkey before 2.22 allows remote attackers to execute arbitrary code
  or cause a denial of service (heap memory corruption) via vectors involving
  a state-change event during an update of the offline cache.

CVE-2013-5596 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5596):
  The cycle collection (CC) implementation in Mozilla Firefox before 25.0,
  Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before
  2.22 does not properly determine the thread for release of an image object,
  which allows remote attackers to execute arbitrary code or cause a denial of
  service (race condition and application crash) via a large HTML document
  containing IMG elements, as demonstrated by the Never-Ending Reddit on
  reddit.com.

CVE-2013-5595 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5595):
  The JavaScript engine in Mozilla Firefox before 25.0, Firefox ESR 17.x
  before 17.0.10 and 24.x before 24.1, Thunderbird before 24.1, Thunderbird
  ESR 17.x before 17.0.10, and SeaMonkey before 2.22 does not properly
  allocate memory for unspecified functions, which allows remote attackers to
  conduct buffer overflow attacks via a crafted web page.

CVE-2013-5593 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5593):
  The SELECT element implementation in Mozilla Firefox before 25.0, Firefox
  ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey before 2.22
  does not properly restrict the nature or placement of HTML within a dropdown
  menu, which allows remote attackers to spoof the address bar or conduct
  clickjacking attacks via vectors that trigger navigation off of a page
  containing this element.

CVE-2013-5592 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5592):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 25.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

CVE-2013-5591 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5591):
  Unspecified vulnerability in the browser engine in Mozilla Firefox before
  25.0, Firefox ESR 24.x before 24.1, Thunderbird before 24.1, and SeaMonkey
  before 2.22 allows remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code via
  unknown vectors.

CVE-2013-5590 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-5590):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 25.0, Firefox ESR 17.x before 17.0.10 and 24.x before 24.1,
  Thunderbird before 24.1, Thunderbird ESR 17.x before 17.0.10, and SeaMonkey
  before 2.22 allow remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code via
  unknown vectors.
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2013-11-05 11:59:56 UTC
In order to stabilize seamonkey-2.22 we need >=media-libs/libpng-1.5.17 stable. Right now 1.5.15 is latest stable version.
Unfortunately libpng-1.5.17 ebuild in portage only installes the .so library (SLOT="1.5") and nothing else. So either we can convince libpng maintainers to add a complete libpng-1.5.17 (SLOT="0") ebuild to portage or we need to stabilize libpng-1.6.x. Dunno what's the less painful approach here.
Comment 6 Brent Busby 2013-11-05 16:25:56 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #5)
> In order to stabilize seamonkey-2.22 we need >=media-libs/libpng-1.5.17
> stable. Right now 1.5.15 is latest stable version.
> Unfortunately libpng-1.5.17 ebuild in portage only installes the .so library
> (SLOT="1.5") and nothing else. So either we can convince libpng maintainers
> to add a complete libpng-1.5.17 (SLOT="0") ebuild to portage or we need to
> stabilize libpng-1.6.x. Dunno what's the less painful approach here.

Just a suggestion (without knowing if it's the best thing):

If it's a choice between upgrading an insecure package to a newer version to avoid an exploit, and upgrading a dependency package whose newer version may not be stable yet, is it possible to avoid both and just in this case go the Debian route -- patch the vulnerability in the existing version of seamonkey?  I don't know what the complications of that would be, so I'm just mentioning the possibility, since it seems like otherwise we're having to choose from two bad options.
Comment 7 adr 2013-11-05 21:49:22 UTC
How about not using --with-system-png in this version?
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2013-11-06 08:14:02 UTC
(In reply to Brent Busby from comment #6)
> Just a suggestion (without knowing if it's the best thing):
> 
> If it's a choice between upgrading an insecure package to a newer version to
> avoid an exploit, and upgrading a dependency package whose newer version may
> not be stable yet, is it possible to avoid both and just in this case go the
> Debian route -- patch the vulnerability in the existing version of
> seamonkey?  I don't know what the complications of that would be, so I'm
> just mentioning the possibility, since it seems like otherwise we're having
> to choose from two bad options.

Unfortunately I cannot do that kind of backporting work myself because this is way beyond my level of skills. Furthermore it would be a very tedious and thankless work as each and every change since seamonkey-2.21 would have to be analyzed if it's important to one of the above mentioned CVEs or simple development progress which can be left away.

(In reply to adr from comment #7)
> How about not using --with-system-png in this version?

That would violate Gentoo policy which we are already doing way too often in mozilla packages. I am not very attached to that solution.

See also https://wiki.gentoo.org/wiki/Why_not_bundle_dependencies


I just rememberd that libpng belongs to base-system herd which I recently happen to be a member of. So I added a full working libpng-1.5.17 ebuild myself:

+*libpng-1.5.17-r15 (06 Nov 2013)
+*libpng-1.5.17-r1 (06 Nov 2013)
+
+  06 Nov 2013; Lars Wendler <polynomial-c@gentoo.org> -libpng-1.5.17.ebuild,
+  +libpng-1.5.17-r1.ebuild, +libpng-1.5.17-r15.ebuild:
+  Added a fully blown 1.5.17 version as it's needed for stabilization of
+  seamonkey-2.22 (see bug #489796). Moved the SLOT=1.5 ebuild to 1.5.17-r15.
+
Comment 9 Stephan Hartmann 2013-11-18 06:36:52 UTC
Any progress here?
Comment 10 Ian Stakenvicius gentoo-dev 2013-11-18 20:02:04 UTC
(In reply to Stephan Hartmann from comment #9)
> Any progress here?

Should mozilla herd bring in arches for stabilization itself?  we gave go-ahead back on comment #2
Comment 11 Jory A. Pratt gentoo-dev 2013-11-19 00:47:22 UTC
(In reply to Ian Stakenvicius from comment #10)
> (In reply to Stephan Hartmann from comment #9)
> > Any progress here?
> 
> Should mozilla herd bring in arches for stabilization itself?  we gave
> go-ahead back on comment #2

We will add them soon as we land 24.1.1 firefox.
Comment 12 Jory A. Pratt gentoo-dev 2013-11-21 14:44:42 UTC
(In reply to Jory A. Pratt from comment #11)
> (In reply to Ian Stakenvicius from comment #10)
> > (In reply to Stephan Hartmann from comment #9)
> > > Any progress here?
> > 
> > Should mozilla herd bring in arches for stabilization itself?  we gave
> > go-ahead back on comment #2
> 
> We will add them soon as we land 24.1.1 firefox.

We can bring in the archs, we are going for firefox{-bin}-24.1.1 thunderbird{-bin}-24.1.1 nspr-4.10.2 nss-3.15.4 seamonkey{-bin}-2.22.1, libpng-1.5.17 will also need to be stabilized.
Comment 13 Alex Xu (Hello71) 2013-11-29 12:44:03 UTC
libpng stable is not technically done, but sufficient to allow these keywords.

=dev-libs/nspr-4.10.2:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=dev-libs/nss-3.15.4:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=www-client/firefox-24.1.1:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=www-client/firefox-bin-24.1.1:
Target KEYWORDS="amd64 x86"

=mail-client/thunderbird-24.1.1:
Target KEYWORDS="amd64 arm ppc ppc64 x86"

=mail-client/thunderbird-bin-24.1.1:
Target KEYWORDS="amd64 x86"

=www-client/seamonkey-2.22.1:
Target KEYWORDS="amd64 x86"

=www-client/seamonkey-bin-2.22.1:
Target KEYWORDS="amd64 x86"

nb for GLSA: nspr/nss + their CVEs (see MFSA 2013-103) should be in summary, but max length reached
Comment 14 Alex Xu (Hello71) 2013-11-29 19:05:25 UTC
Hm, I just noticed bug 491234. And also typo in comment 12.

Merge these CVEs into 491234?
Comment 15 Agostino Sarubbo gentoo-dev 2013-12-01 12:18:14 UTC
amd64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2013-12-01 12:19:13 UTC
x86 stable
Comment 17 Agostino Sarubbo gentoo-dev 2013-12-01 18:09:53 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2013-12-01 18:10:16 UTC
ppc64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2013-12-07 19:53:01 UTC
arm stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2013-12-30 04:32:47 UTC
Ping for cleanup, packages been stable for 20 days.
Comment 21 Alex Xu (Hello71) 2014-04-19 02:10:05 UTC
cleaned up as part of bug 491234; sec, please decide whether to glsa this or coalesce into that one.
Comment 22 Yury German Gentoo Infrastructure gentoo-dev Security 2014-06-19 02:04:34 UTC
Arches and Mainter(s), Thank you for your work.

Added to an existing GLSA request.
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:17:03 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).
Comment 24 GLSAMaker/CVETool Bot gentoo-dev 2015-04-07 10:17:47 UTC
This issue was resolved and addressed in
 GLSA 201504-01 at https://security.gentoo.org/glsa/201504-01
by GLSA coordinator Kristian Fiskerstrand (K_F).