Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 585308 (CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2824, CVE-2016-2825, CVE-2016-2826, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833, CVE-2016-2834) - <www-client/firefox{,-bin}-{45.2.0,47.0} <mail-client/thunderbird{,-bin}-45.2.0: Multiple vulnerabilities (CVE-2016-{2815,2818,2819,2821,2822,2824,2825,2826,2828,2829,2831,2832,2833,2834})
Summary: <www-client/firefox{,-bin}-{45.2.0,47.0} <mail-client/thunderbird{,-bin}-45.2...
Status: RESOLVED OBSOLETE
Alias: CVE-2016-2815, CVE-2016-2818, CVE-2016-2819, CVE-2016-2821, CVE-2016-2822, CVE-2016-2824, CVE-2016-2825, CVE-2016-2826, CVE-2016-2828, CVE-2016-2829, CVE-2016-2831, CVE-2016-2832, CVE-2016-2833, CVE-2016-2834
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~2 [stable cve]
Keywords:
: 588072 (view as bug list)
Depends on: 585350 585354 588044
Blocks:
  Show dependency tree
 
Reported: 2016-06-07 15:57 UTC by Nikolay Edigaryev
Modified: 2016-12-02 09:54 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Ian Stakenvicius gentoo-dev 2016-06-08 14:15:47 UTC
New versions are in the tree.  Arches, please stabilize the ESR 45.2 version as follows:

www-client/firefox-45.2.0 Target KEYWORDS="amd64 hppa ppc ppc64 x86"

www-client/firefox-bin-45.2.0 Target KEYWORDS="amd64 x86"
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-06-21 05:31:26 UTC
cc'ing arches...

Please stabilize the ESR 45.2 version as follows:

www-client/firefox-45.2.0 Target KEYWORDS="amd64 hppa ppc ppc64 x86"

www-client/firefox-bin-45.2.0 Target KEYWORDS="amd64 x86"
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-06-21 05:36:12 UTC
CVE-2016-2834 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2834):
  Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla
  Firefox before 47.0, allows remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly have unspecified other
  impact via unknown vectors.

CVE-2016-2833 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2833):
  Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) directives
  for cross-domain Java applets, which makes it easier for remote attackers to
  conduct cross-site scripting (XSS) attacks via a crafted applet.

CVE-2016-2832 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2832):
  Mozilla Firefox before 47.0 allows remote attackers to discover the list of
  disabled plugins via a fingerprinting attack involving Cascading Style
  Sheets (CSS) pseudo-classes.

CVE-2016-2831 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2831):
  Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure
  that the user approves the fullscreen and pointerlock settings, which allows
  remote attackers to cause a denial of service (UI outage), or conduct
  clickjacking or spoofing attacks, via a crafted web site.

CVE-2016-2829 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2829):
  Mozilla Firefox before 47.0 allows remote attackers to spoof permission
  notifications via a crafted web site that rapidly triggers permission
  requests, as demonstrated by the microphone permission or the geolocation
  permission.

CVE-2016-2828 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2828):
  Use-after-free vulnerability in Mozilla Firefox before 47.0 and Firefox ESR
  45.x before 45.2 allows remote attackers to execute arbitrary code via WebGL
  content that triggers texture access after destruction of the texture's
  recycle pool.

CVE-2016-2826 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2826):
  The maintenance service in Mozilla Firefox before 47.0 and Firefox ESR 45.x
  before 45.2 on Windows does not prevent MAR extracted-file modification
  during updater execution, which might allow local users to gain privileges
  via a Trojan horse file.

CVE-2016-2825 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2825):
  Mozilla Firefox before 47.0 allows remote attackers to bypass the Same
  Origin Policy and modify the location.host property via an invalid data:
  URL.

CVE-2016-2824 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2824):
  The TSymbolTableLevel class in ANGLE, as used in Mozilla Firefox before 47.0
  and Firefox ESR 45.x before 45.2 on Windows, allows remote attackers to
  cause a denial of service (out-of-bounds write and application crash) or
  possibly have unspecified other impact by triggering use of a WebGL shader
  that writes to an array.

CVE-2016-2822 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2822):
  Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote
  attackers to spoof the address bar via a SELECT element with a persistent
  menu.

CVE-2016-2821 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2821):
  Use-after-free vulnerability in the mozilla::dom::Element class in Mozilla
  Firefox before 47.0 and Firefox ESR 45.x before 45.2, when contenteditable
  mode is enabled, allows remote attackers to execute arbitrary code or cause
  a denial of service (heap memory corruption) by triggering deletion of DOM
  elements that were created in the editor.

CVE-2016-2819 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2819):
  Heap-based buffer overflow in Mozilla Firefox before 47.0 and Firefox ESR
  45.x before 45.2 allows remote attackers to execute arbitrary code via
  foreign-context HTML5 fragments, as demonstrated by fragments within an SVG
  element.

CVE-2016-2818 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2818):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers
  to cause a denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.

CVE-2016-2815 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2815):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 47.0 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-07-03 07:09:44 UTC
Not sure how I messed that up... arches, please stabilize:

=www-client/firefox-45.2.0 Target KEYWORDS="amd64 hppa ppc ppc64 x86"

=www-client/firefox-bin-45.2.0 Target KEYWORDS="amd64 x86"
Comment 5 Jeroen Roovers gentoo-dev 2016-07-04 07:57:31 UTC
RepoMan scours the neighborhood...
  dependency.bad [fatal]        14
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome/systemd)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/gnome/systemd)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/kde)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/kde)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/kde/systemd)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/desktop/kde/systemd)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: DEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/developer)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']
   www-client/firefox/firefox-45.2.0.ebuild: RDEPEND: ppc64(default/linux/powerpc/ppc64/13.0/64bit-userland/developer)
['>=media-gfx/graphite2-1.3.8', '>=media-libs/libvpx-1.5.0:0=[postproc]']

Waiting for two blocking bugs.
Comment 6 Jeroen Roovers gentoo-dev 2016-07-05 15:55:15 UTC
Dropped HPPA keywording.
Comment 7 Ian Stakenvicius gentoo-dev 2016-07-06 21:33:01 UTC
*** Bug 588072 has been marked as a duplicate of this bug. ***
Comment 8 Ian Stakenvicius gentoo-dev 2016-07-06 21:43:30 UTC
Since no arch has gone stable yet with this version, I'm adding mail-client/thunderbird-45.2.0 to this bug instead of filing a new one.  It's a subset of the same vulnerability list.

AT's please stabilize as follows:

mail-client/thunderbird-45.2.0 Stable KEYWORDS="amd64 ppc ppc64 x86"

mail-client/thunderbird-bin-45.2.0 Stable KEYWORDS="amd64 x86"
Comment 9 Jeroen Roovers gentoo-dev 2016-07-13 13:51:36 UTC
Stable for PPC64.
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-14 12:07:46 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-14 12:08:34 UTC
x86 stable
Comment 12 Ian Stakenvicius gentoo-dev 2016-09-12 15:38:45 UTC
www-client/firefox-45.2.0 has been removed from the tree. ppc arch, please continue stabilization on bug 590330