Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 556942 (CVE-2015-4495) - <www-client/firefox{,-bin}-{38.1.1,39.0.3}: Same origin violation and local file stealing via PDF readerMozilla Foundation Security Advisory 2015-78 (CVE-2015-4495)
Summary: <www-client/firefox{,-bin}-{38.1.1,39.0.3}: Same origin violation and local f...
Status: RESOLVED FIXED
Alias: CVE-2015-4495
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
: 556944 556958 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-08-07 12:38 UTC by Louis Sautier (sbraz)
Modified: 2015-12-30 15:53 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Louis Sautier (sbraz) gentoo-dev 2015-08-07 12:38:35 UTC
Hi, an exploit was found and Mozilla released a fix for firefox 38 and 39. It would be nice to see it fixed in the tree.
https://blog.mozilla.org/security/2015/08/06/firefox-exploit-found-in-the-wild/
Comment 1 Brian Evans Gentoo Infrastructure gentoo-dev 2015-08-07 12:51:13 UTC
*** Bug 556944 has been marked as a duplicate of this bug. ***
Comment 2 Brian Evans Gentoo Infrastructure gentoo-dev 2015-08-07 14:56:04 UTC
*** Bug 556958 has been marked as a duplicate of this bug. ***
Comment 3 Nils Freydank 2015-08-07 15:21:22 UTC
A simple version bump (to be more precisely: just a copy of firefox-39.0.ebuild to firefox-39.0.3.ebuild) built here at ~amd64 (and runs). I didn't really check all the language packages from mozilla.org, only the ones I used plus the main tarball. Therefore I can't provide a proper Manifest file.

Hope this helps anywone.
Comment 4 Louis Sautier (sbraz) gentoo-dev 2015-08-07 15:23:13 UTC
I can provide it: http://sprunge.us/aFNJ
It rebuilt fine for me as well on amd64.
Comment 5 Ian Stakenvicius (RETIRED) gentoo-dev 2015-08-07 15:25:30 UTC
I'm doing the bumps now, it'll take a bit of time to compile-test and run-test before I can commit though.  Will be done by end of day today.

Does anyone here have an issue with me pushing the 38.1.1 bump direct to stable?  I haven't completed a full diff yet but so far as I can tell from upstream bugzilla the only change is to the PDF.js module, so all other operational bits remain the same between 38.1.0 and 38.1.1..
Comment 6 Mario Kicherer 2015-08-07 16:24:20 UTC
38.1.1 works fine with an ebuild bump on AMD64 here.
Comment 7 Ian Stakenvicius (RETIRED) gentoo-dev 2015-08-07 16:44:29 UTC
(In reply to Ian Stakenvicius from comment #5)
> Does anyone here have an issue with me pushing the 38.1.1 bump direct to
> stable?  I haven't completed a full diff yet but so far as I can tell from
> upstream bugzilla the only change is to the PDF.js module, so all other
> operational bits remain the same between 38.1.0 and 38.1.1..

Ugh, nevermind -- they added a whole ton of additions to the build system as well; i think it's all just related to mozilla's own release system but I can't say exactly for sure.  Better safe than sorry.

Arch Teams, please stabilize as soon as possible:

www-client/firefox-bin-38.1.1:
Target KEYWORDS="-* amd64 x86"

www-client/firefox-38.1.1:
Target KEYWORDS="amd64 hppa ppc ppc64 x86"
Comment 8 Agostino Sarubbo gentoo-dev 2015-08-07 18:15:14 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-08-07 18:15:36 UTC
x86 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-08-08 10:00:50 UTC
ppc stable
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-12 05:06:09 UTC
Stable for PPC64.
Comment 12 Brent Busby 2015-08-14 19:28:20 UTC
Hate to ruin the party just as you're getting ESR 38.1.1 out the door, but Mozilla just released 38.2.  The vulnerabilities it fixes are mostly more academic than the serious PDF viewer exploit in the last one, but nonetheless, it is a security-fix release:

https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/

Also, they say 38.2 is supposed to fix a build problem on hppa, though I don't know if Gentoo ever had that problem.
Comment 13 Ian Stakenvicius (RETIRED) gentoo-dev 2015-08-14 20:02:02 UTC
(In reply to Brent Busby from comment #12)
> Hate to ruin the party just as you're getting ESR 38.1.1 out the door, but
> Mozilla just released 38.2.  The vulnerabilities it fixes are mostly more
> academic than the serious PDF viewer exploit in the last one, but
> nonetheless, it is a security-fix release:
> 
> https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
> 
> Also, they say 38.2 is supposed to fix a build problem on hppa, though I
> don't know if Gentoo ever had that problem.

Already in the tree as per version bump bug 557532, and security bug has been filed as well, bug 557590.  Gentoo-Security will handle this bug until resolution.
Comment 14 Yury German Gentoo Infrastructure gentoo-dev 2015-08-15 16:29:36 UTC
Dependency set
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-17 04:21:55 UTC
Stable for HPPA.
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2015-09-13 13:45:19 UTC
Arches and Maintainer(s), Thank you for your work.

Added to an existing GLSA Request.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 15:53:04 UTC
This issue was resolved and addressed in
 GLSA 201512-10 at https://security.gentoo.org/glsa/201512-10
by GLSA coordinator Yury German (BlueKnight).