Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 601320 (CVE-2016-9079) - <www-client/firefox{,-bin}-{45.5.1,50.0.1} <mail-client/thunderbird{,-bin}-45.5.1: Use-after-free in SVG Animation (CVE-2016-9079)
Summary: <www-client/firefox{,-bin}-{45.5.1,50.0.1} <mail-client/thunderbird{,-bin}-45...
Status: RESOLVED FIXED
Alias: CVE-2016-9079
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo Security
URL: https://www.mozilla.org/en-US/securit...
Whiteboard: A1 [glsa cve blocked]
Keywords:
Depends on: CVE-2016-9893, CVE-2016-9895, CVE-2016-9897, CVE-2016-9898, CVE-2016-9899, CVE-2016-9900, CVE-2016-9901, CVE-2016-9902, CVE-2016-9904, CVE-2016-9905
Blocks: CVE-2016-5290, CVE-2016-5291, CVE-2016-5293, CVE-2016-5294, CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-9074
  Show dependency tree
 
Reported: 2016-11-30 23:27 UTC by Luke-Jr
Modified: 2017-01-03 13:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
version bump for ebuild (firefox-50.0.2.ebuild,11.42 KB, text/plain)
2016-12-01 06:11 UTC, gentoo
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Luke-Jr 2016-11-30 23:27:47 UTC
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in the wild targeting Firefox and Tor Browser users on Windows.
Comment 1 gentoo 2016-12-01 06:11:22 UTC
Created attachment 454816 [details]
version bump for ebuild

Just bumping the revision, no need to actually change anything in the build. Have confirmed that the bug causes the assertion that the mozilla devs expect now, so a safe crash rather than a potentially exploitable one.
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2016-12-01 08:52:56 UTC
commit ca6c03ddef83791f42d00c0f05a715375cb075f7
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Dec 1 09:45:23 2016

    www-client/firefox-bin: Sec bump to versions 45.5.1 and 50.0.2 (bug #601320).

    Package-Manager: portage-2.3.2

commit 9bcbd4d9eb899ee0723c2156203bea6430f6ecb6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Thu Dec 1 09:34:45 2016

    www-client/firefox: Sec bump to versions 45.5.1 and 50.0.2 (bug #601320).

    Package-Manager: portage-2.3.2
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-12-01 22:37:20 UTC
@arches, please stabilize:

=mail-client/thunderbird-45.5.1 ppc ppc64

=www-client/firefox-45.5.1 ppc ppc64 x86
Comment 4 Agostino Sarubbo gentoo-dev 2016-12-13 11:39:35 UTC
x86 stable
Comment 5 Thomas Deutschmann gentoo-dev Security 2016-12-14 01:03:46 UTC
@ Arches,

please continue thunderbird stabilization; Firefox stabilization has been moved to bug 602576.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2017-01-03 13:02:58 UTC
This issue was resolved and addressed in
 GLSA 201701-15 at https://security.gentoo.org/glsa/201701-15
by GLSA coordinator Thomas Deutschmann (whissi).