Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 590330 (CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268) - <www-client/firefox{,-bin}-{45.3.0,48.0}, <mail-client/thunderbird{,-bin}-45.3.0: multiple vulnerabilities
Summary: <www-client/firefox{,-bin}-{45.3.0,48.0}, <mail-client/thunderbird{,-bin}-45....
Status: RESOLVED FIXED
Alias: CVE-2016-2830, CVE-2016-2835, CVE-2016-2836, CVE-2016-2837, CVE-2016-2838, CVE-2016-2839, CVE-2016-5250, CVE-2016-5251, CVE-2016-5252, CVE-2016-5253, CVE-2016-5254, CVE-2016-5255, CVE-2016-5258, CVE-2016-5259, CVE-2016-5260, CVE-2016-5261, CVE-2016-5262, CVE-2016-5263, CVE-2016-5264, CVE-2016-5265, CVE-2016-5266, CVE-2016-5267, CVE-2016-5268
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2016-2827, CVE-2016-5256, CVE-2016-5257, CVE-2016-5270, CVE-2016-5271, CVE-2016-5272, CVE-2016-5273, CVE-2016-5274, CVE-2016-5275, CVE-2016-5276, CVE-2016-5277, CVE-2016-5278, CVE-2016-5279, CVE-2016-5280, CVE-2016-5281, CVE-2016-5282, CVE-2016-5283, CVE-2016-5284
Blocks:
  Show dependency tree
 
Reported: 2016-08-02 19:40 UTC by Nikolay Edigaryev
Modified: 2017-01-03 13:02 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Nikolay Edigaryev 2016-08-02 19:40:06 UTC
https://www.mozilla.org/en-US/security/advisories/mfsa2016-73/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-72/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-62/

https://www.mozilla.org/en-US/security/advisories/mfsa2016-79/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-78/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-77/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-75/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-67/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-64/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-63/

https://www.mozilla.org/en-US/security/advisories/mfsa2016-84/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-82/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-80/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-76/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-74/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-71/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-70/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-69/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-68/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-65/

https://www.mozilla.org/en-US/security/advisories/mfsa2016-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2016-66/
Comment 1 Ian Stakenvicius (RETIRED) gentoo-dev 2016-08-04 03:49:05 UTC
Ebuilds for both versions are in the gentoo repo.

I know I'm getting a little ahead of the security team, but:  ATs, please stabilize www-client/firefox-45.3.0 for Target KEYWORDS="amd64 ppc ppc64 x86"

Thanks!
Comment 2 Agostino Sarubbo gentoo-dev 2016-08-07 10:46:33 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-08-10 00:04:28 UTC
Stable for PPC64.
Comment 4 Ian Stakenvicius (RETIRED) gentoo-dev 2016-08-31 14:45:21 UTC
Since this bug hasn't been processed by security yet, I'd like to usurp it to add thunderbird-45.3.0 (with the same CVE list).

Arches, please also stabilize mail-client/thunderbird-45.3.0 for target
KEYWORDS="ppc ppc64 x86" (I've already done amd64)
Comment 5 Samuel Bernardo 2016-09-03 21:33:31 UTC
(In reply to Agostino Sarubbo from comment #2)
> amd64 stable

I can't compile thunderbird 45.3.0. It gives me the following error:

/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/../../../../x86_64-pc-linux-gnu/bin/ld: ../../xpcom/components/nsComponentManager.o: relocation R_X86_64_PC32 against protected symbol `end_kPStaticModules_NSModule' can not be used when making a shared object
/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/../../../../x86_64-pc-linux-gnu/bin/ld: final link failed: Bad value
collect2: error: ld returned 1 exit status
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/rules.mk:824: recipe for target 'libxul.so' failed
make[4]: *** [libxul.so] Error 1
make[4]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird/toolkit/library'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/recurse.mk:71: recipe for target 'toolkit/library/target' failed
make[3]: *** [toolkit/library/target] Error 2
make[3]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/recurse.mk:32: recipe for target 'compile' failed
make[2]: *** [compile] Error 2
make[2]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/mozilla/config/rules.mk:547: recipe for target 'default' failed
make[1]: *** [default] Error 2
make[1]: Leaving directory '/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/tbird'
/var/tmp/portage/mail-client/thunderbird-45.3.0/work/thunderbird-45.3.0/client.mk:404: recipe for target 'build' failed
make: *** [build] Error 2


Compilation environment:
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/stunnel/stunnel.conf /usr/lib64/libreoffice/program/sofficerc /usr/share/config /usr/share/gnupg/qualified.
txt /usr/share/maven-bin-3.0/conf /usr/share/maven-bin-3.3/conf /var/lib/hsqldb"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/ap
ache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/term
info /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet --jobs=20 --load-average=13.00 --keep-going=y --with-bdeps=y --buildpkg-exclude 'virtual/* sys-kernel/*-
sources'"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildpkg ccache collision-protect compressdebug config-protect-if-modified distlocks ebuild-lock
s fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms splitdebug strict unknown-features-warn unmer
ge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"


Active use flags:
crypt dbus ffmpeg gstreamer jemalloc3 jit ldap lightning minimal pulseaudio


Any help would be great, since this is also a security update to thunderbird.

Thanks
Comment 6 Mark Davies 2016-09-20 13:43:08 UTC
Any chance of getting www-client/firefox-45.3.0 stable for x86. Now 45.2.0 has been removed stable falls back to 38.8 for x86.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-09-23 05:01:04 UTC
Further Changes in bug 594616 
CVE's will be modified for the correct version.
Comment 8 Agostino Sarubbo gentoo-dev 2016-09-29 09:07:19 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-09-29 13:08:59 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2017-01-03 13:02:33 UTC
This issue was resolved and addressed in
 GLSA 201701-15 at https://security.gentoo.org/glsa/201701-15
by GLSA coordinator Thomas Deutschmann (whissi).