Bug 574602 (CVE-2016-1949) - <www-client/firefox{,-bin}-44.0.2 >=www-client/firefox{,-bin}-39: failure to restrict the interaction between service workers and plugins when using NPAPI (CVE-2016-1949)
Status: RESOLVED INVALID
Alias: CVE-2016-1949
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: B4 [noglsa]
Duplicates: 574594
Reported: 2016-02-13 07:21 UTC by Aaron Bauman
Modified: 2016-02-19 22:51 UTC (History)

Description Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-13 07:21:36 UTC
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.

CVE:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1949

Upstream Fix:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox/#firefox44.0.2
Comment 1 Sergey Popov gentoo-dev 2016-02-13 13:18:26 UTC
*** Bug 574594 has been marked as a duplicate of this bug. ***
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-18 13:23:26 UTC
commit 1f4ef2b61a5dcc7598696fdc49905fecbcfb43fa
Author: Ian Stakenvicius <axs@gentoo.org>
Date:   Wed Feb 17 10:43:43 2016 -0500

    www-client/firefox-44.0.2: bump nss dependency to >=3.21
    
    Thanks to vthriller on github (sorry i botched the PR)
    
    Package-Manager: portage-2.2.26
Comment 3 Ian Stakenvicius (RETIRED) gentoo-dev 2016-02-18 15:22:45 UTC
Non-ESR firefox doesn't get stabilized.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-19 02:35:31 UTC
(In reply to Ian Stakenvicius from comment #3)
> Non-ESR firefox doesn't get stabilized.

Thanks.  How does this impact previous versions of Firefox (38.x ESR) as the CVE states <www-client/firefox-44.0.2?  We cannot proceed to cleanup as that would potentially purge all stable versions from the tree.  Please advise.  Thanks.
Comment 5 Ian Stakenvicius (RETIRED) gentoo-dev 2016-02-19 05:56:45 UTC
(In reply to Aaron Bauman from comment #4)
> (In reply to Ian Stakenvicius from comment #3)
> > Non-ESR firefox doesn't get stabilized.
> 
> Thanks.  How does this impact previous versions of Firefox (38.x ESR) as the
> CVE states <www-client/firefox-44.0.2?  We cannot proceed to cleanup as that
> would potentially purge all stable versions from the tree.  Please advise. 
> Thanks.

Firefox-38.6.1 also contains the fix (as does Firefox-bin-38.6.1).  I believe I have also added those to the tree, though I think their stabilization may be covered under another security bug...  Will check tomorrow once I'm at a real computer.
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-19 12:50:56 UTC
(In reply to Ian Stakenvicius from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > (In reply to Ian Stakenvicius from comment #3)
> > > Non-ESR firefox doesn't get stabilized.
> > 
> > Thanks.  How does this impact previous versions of Firefox (38.x ESR) as the
> > CVE states <www-client/firefox-44.0.2?  We cannot proceed to cleanup as that
> > would potentially purge all stable versions from the tree.  Please advise. 
> > Thanks.
> 
> Firefox-38.6.1 also contains the fix (as does Firefox-bin-38.6.1).  I
> believe I have also added those to the tree, though I think their
> stabilization may be covered under another security bug...  Will check
> tomorrow once I'm at a real computer.

Yes, 38.6.1 is in the tree.  So once you confirm the patch it looks like 38.5.0 and 38.6.0 will need to be purged.  Any objection?
Comment 7 Ian Stakenvicius (RETIRED) gentoo-dev 2016-02-19 16:25:27 UTC
OK, I've checked with upstream, and this vulnerability is in the "service worker" module, which was not included prior to firefox-39.  As such, firefox-38.x and earlier are unaffected.
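A version-range check for the bounds in this bug's title (>=39, <44.0.2, 38.x unaffected per comment 7), as an added example that is not part of the bug or of Gentoo's own tooling; it assumes plain dotted Firefox versions and the CPV form www-client/firefox{,-bin}-VERSION with an optional -rN revision:

```python
"""Classify an installed www-client/firefox{,-bin} package against the
affected range in this bug: >=39 and <44.0.2; 38.x and earlier unaffected."""
import re

AFFECTED_LOWER = "39"     # inclusive: first release shipping service workers
FIXED_VERSION = "44.0.2"  # exclusive: first non-ESR release carrying the fix


def parse_version(v):
    """'44.0.2' -> (44, 0, 2). Only the dotted numeric form used for the
    Firefox versions in this bug is accepted (assumption: no _rc/_beta)."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", v):
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(p) for p in v.split("."))


def compare(a, b):
    """Return -1, 0 or 1. Missing trailing components count as zero, so
    '44.0' equals '44.0.0' and sorts below '44.0.2'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return (pa > pb) - (pa < pb)


def version_from_cpv(cpv):
    """Pull the upstream version out of a CPV such as
    'www-client/firefox-bin-38.6.1-r1'; the Gentoo -rN revision is ignored
    because it never changes the upstream code level."""
    m = re.fullmatch(r"www-client/firefox(?:-bin)?-(\d+(?:\.\d+)*)(?:-r\d+)?", cpv)
    if not m:
        raise ValueError(f"not a www-client/firefox package: {cpv!r}")
    return m.group(1)


def classify(cpv):
    """'affected', 'fixed', or 'unaffected' (predates the vulnerable module)."""
    v = version_from_cpv(cpv)
    if compare(v, AFFECTED_LOWER) < 0:
        return "unaffected"
    if compare(v, FIXED_VERSION) < 0:
        return "affected"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample of installed packages, not taken from a real system.
    for cpv in ("www-client/firefox-38.6.1", "www-client/firefox-44.0",
                "www-client/firefox-bin-44.0.2", "www-client/firefox-39-r1"):
        print(f"{cpv}: {classify(cpv)}")
```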