Bug 11250

Summary: firefox/thunderbird new security issues fixed in 17.0.9
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, oe, sysadmin-bugs, tmb, wrw105
Version: 3Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/567271/
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok mga2-64-ok
Source RPM: firefox, thunderbird CVE:
Status comment:

Description David Walser 2013-09-17 21:57:28 CEST 
RedHat has issued advisories today (September 17):
https://rhn.redhat.com/errata/RHSA-2013-1268.html
https://rhn.redhat.com/errata/RHSA-2013-1269.html

Updated packages uploaded for Mageia 2 and Mageia 3.

Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running Firefox or Thunderbird (CVE-2013-1718, CVE-2013-1722, CVE-2013-1725,
CVE-2013-1730, CVE-2013-1732, CVE-2013-1735, CVE-2013-1736).

A flaw was found in the way Firefox and Thunderbird handled certain DOM
JavaScript objects. An attacker could use this flaw to make JavaScript client
or add-on code make incorrect, security sensitive decisions (CVE-2013-1737).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1722
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1725
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1736
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1737
http://www.mozilla.org/security/announce/2013/mfsa2013-76.html
http://www.mozilla.org/security/announce/2013/mfsa2013-79.html
http://www.mozilla.org/security/announce/2013/mfsa2013-82.html
http://www.mozilla.org/security/announce/2013/mfsa2013-83.html
http://www.mozilla.org/security/announce/2013/mfsa2013-88.html
http://www.mozilla.org/security/announce/2013/mfsa2013-89.html
http://www.mozilla.org/security/announce/2013/mfsa2013-90.html
http://www.mozilla.org/security/announce/2013/mfsa2013-91.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2013-1268.html
https://rhn.redhat.com/errata/RHSA-2013-1269.html
========================

Updated packages in core/updates_testing:
========================
firefox-17.0.9-1.mga2
firefox-devel-17.0.9-1.mga2
firefox-af-17.0.9-1.mga2
firefox-ar-17.0.9-1.mga2
firefox-ast-17.0.9-1.mga2
firefox-be-17.0.9-1.mga2
firefox-bg-17.0.9-1.mga2
firefox-bn_BD-17.0.9-1.mga2
firefox-bn_IN-17.0.9-1.mga2
firefox-br-17.0.9-1.mga2
firefox-bs-17.0.9-1.mga2
firefox-ca-17.0.9-1.mga2
firefox-cs-17.0.9-1.mga2
firefox-cy-17.0.9-1.mga2
firefox-da-17.0.9-1.mga2
firefox-de-17.0.9-1.mga2
firefox-el-17.0.9-1.mga2
firefox-en_GB-17.0.9-1.mga2
firefox-en_ZA-17.0.9-1.mga2
firefox-eo-17.0.9-1.mga2
firefox-es_AR-17.0.9-1.mga2
firefox-es_CL-17.0.9-1.mga2
firefox-es_ES-17.0.9-1.mga2
firefox-es_MX-17.0.9-1.mga2
firefox-et-17.0.9-1.mga2
firefox-eu-17.0.9-1.mga2
firefox-fa-17.0.9-1.mga2
firefox-fi-17.0.9-1.mga2
firefox-fr-17.0.9-1.mga2
firefox-fy-17.0.9-1.mga2
firefox-ga_IE-17.0.9-1.mga2
firefox-gd-17.0.9-1.mga2
firefox-gl-17.0.9-1.mga2
firefox-gu_IN-17.0.9-1.mga2
firefox-he-17.0.9-1.mga2
firefox-hi-17.0.9-1.mga2
firefox-hr-17.0.9-1.mga2
firefox-hu-17.0.9-1.mga2
firefox-hy-17.0.9-1.mga2
firefox-id-17.0.9-1.mga2
firefox-is-17.0.9-1.mga2
firefox-it-17.0.9-1.mga2
firefox-ja-17.0.9-1.mga2
firefox-kk-17.0.9-1.mga2
firefox-kn-17.0.9-1.mga2
firefox-ko-17.0.9-1.mga2
firefox-ku-17.0.9-1.mga2
firefox-lg-17.0.9-1.mga2
firefox-lt-17.0.9-1.mga2
firefox-lv-17.0.9-1.mga2
firefox-mai-17.0.9-1.mga2
firefox-mk-17.0.9-1.mga2
firefox-ml-17.0.9-1.mga2
firefox-mr-17.0.9-1.mga2
firefox-nb_NO-17.0.9-1.mga2
firefox-nl-17.0.9-1.mga2
firefox-nn_NO-17.0.9-1.mga2
firefox-nso-17.0.9-1.mga2
firefox-or-17.0.9-1.mga2
firefox-pa_IN-17.0.9-1.mga2
firefox-pl-17.0.9-1.mga2
firefox-pt_BR-17.0.9-1.mga2
firefox-pt_PT-17.0.9-1.mga2
firefox-ro-17.0.9-1.mga2
firefox-ru-17.0.9-1.mga2
firefox-si-17.0.9-1.mga2
firefox-sk-17.0.9-1.mga2
firefox-sl-17.0.9-1.mga2
firefox-sq-17.0.9-1.mga2
firefox-sr-17.0.9-1.mga2
firefox-sv_SE-17.0.9-1.mga2
firefox-ta-17.0.9-1.mga2
firefox-ta_LK-17.0.9-1.mga2
firefox-te-17.0.9-1.mga2
firefox-th-17.0.9-1.mga2
firefox-tr-17.0.9-1.mga2
firefox-uk-17.0.9-1.mga2
firefox-vi-17.0.9-1.mga2
firefox-zh_CN-17.0.9-1.mga2
firefox-zh_TW-17.0.9-1.mga2
firefox-zu-17.0.9-1.mga2
thunderbird-17.0.9-1.mga2
thunderbird-enigmail-17.0.9-1.mga2
nsinstall-17.0.9-1.mga2
thunderbird-ar-17.0.9-1.mga2
thunderbird-ast-17.0.9-1.mga2
thunderbird-be-17.0.9-1.mga2
thunderbird-bg-17.0.9-1.mga2
thunderbird-bn_BD-17.0.9-1.mga2
thunderbird-br-17.0.9-1.mga2
thunderbird-ca-17.0.9-1.mga2
thunderbird-cs-17.0.9-1.mga2
thunderbird-da-17.0.9-1.mga2
thunderbird-de-17.0.9-1.mga2
thunderbird-el-17.0.9-1.mga2
thunderbird-en_GB-17.0.9-1.mga2
thunderbird-es_AR-17.0.9-1.mga2
thunderbird-es_ES-17.0.9-1.mga2
thunderbird-et-17.0.9-1.mga2
thunderbird-eu-17.0.9-1.mga2
thunderbird-fi-17.0.9-1.mga2
thunderbird-fr-17.0.9-1.mga2
thunderbird-fy-17.0.9-1.mga2
thunderbird-ga-17.0.9-1.mga2
thunderbird-gd-17.0.9-1.mga2
thunderbird-gl-17.0.9-1.mga2
thunderbird-he-17.0.9-1.mga2
thunderbird-hu-17.0.9-1.mga2
thunderbird-id-17.0.9-1.mga2
thunderbird-is-17.0.9-1.mga2
thunderbird-it-17.0.9-1.mga2
thunderbird-ja-17.0.9-1.mga2
thunderbird-ko-17.0.9-1.mga2
thunderbird-lt-17.0.9-1.mga2
thunderbird-nb_NO-17.0.9-1.mga2
thunderbird-nl-17.0.9-1.mga2
thunderbird-nn_NO-17.0.9-1.mga2
thunderbird-pa_IN-17.0.9-1.mga2
thunderbird-pl-17.0.9-1.mga2
thunderbird-pt_BR-17.0.9-1.mga2
thunderbird-pt_PT-17.0.9-1.mga2
thunderbird-ro-17.0.9-1.mga2
thunderbird-ru-17.0.9-1.mga2
thunderbird-si-17.0.9-1.mga2
thunderbird-sk-17.0.9-1.mga2
thunderbird-sl-17.0.9-1.mga2
thunderbird-sq-17.0.9-1.mga2
thunderbird-sv_SE-17.0.9-1.mga2
thunderbird-ta_LK-17.0.9-1.mga2
thunderbird-tr-17.0.9-1.mga2
thunderbird-uk-17.0.9-1.mga2
thunderbird-vi-17.0.9-1.mga2
thunderbird-zh_CN-17.0.9-1.mga2
thunderbird-zh_TW-17.0.9-1.mga2
firefox-17.0.9-1.mga3
firefox-devel-17.0.9-1.mga3
firefox-af-17.0.9-1.mga3
firefox-ar-17.0.9-1.mga3
firefox-ast-17.0.9-1.mga3
firefox-be-17.0.9-1.mga3
firefox-bg-17.0.9-1.mga3
firefox-bn_BD-17.0.9-1.mga3
firefox-bn_IN-17.0.9-1.mga3
firefox-br-17.0.9-1.mga3
firefox-bs-17.0.9-1.mga3
firefox-ca-17.0.9-1.mga3
firefox-cs-17.0.9-1.mga3
firefox-cy-17.0.9-1.mga3
firefox-da-17.0.9-1.mga3
firefox-de-17.0.9-1.mga3
firefox-el-17.0.9-1.mga3
firefox-en_GB-17.0.9-1.mga3
firefox-en_ZA-17.0.9-1.mga3
firefox-eo-17.0.9-1.mga3
firefox-es_AR-17.0.9-1.mga3
firefox-es_CL-17.0.9-1.mga3
firefox-es_ES-17.0.9-1.mga3
firefox-es_MX-17.0.9-1.mga3
firefox-et-17.0.9-1.mga3
firefox-eu-17.0.9-1.mga3
firefox-fa-17.0.9-1.mga3
firefox-fi-17.0.9-1.mga3
firefox-fr-17.0.9-1.mga3
firefox-fy-17.0.9-1.mga3
firefox-ga_IE-17.0.9-1.mga3
firefox-gd-17.0.9-1.mga3
firefox-gl-17.0.9-1.mga3
firefox-gu_IN-17.0.9-1.mga3
firefox-he-17.0.9-1.mga3
firefox-hi-17.0.9-1.mga3
firefox-hr-17.0.9-1.mga3
firefox-hu-17.0.9-1.mga3
firefox-hy-17.0.9-1.mga3
firefox-id-17.0.9-1.mga3
firefox-is-17.0.9-1.mga3
firefox-it-17.0.9-1.mga3
firefox-ja-17.0.9-1.mga3
firefox-kk-17.0.9-1.mga3
firefox-kn-17.0.9-1.mga3
firefox-ko-17.0.9-1.mga3
firefox-ku-17.0.9-1.mga3
firefox-lg-17.0.9-1.mga3
firefox-lt-17.0.9-1.mga3
firefox-lv-17.0.9-1.mga3
firefox-mai-17.0.9-1.mga3
firefox-mk-17.0.9-1.mga3
firefox-ml-17.0.9-1.mga3
firefox-mr-17.0.9-1.mga3
firefox-nb_NO-17.0.9-1.mga3
firefox-nl-17.0.9-1.mga3
firefox-nn_NO-17.0.9-1.mga3
firefox-nso-17.0.9-1.mga3
firefox-or-17.0.9-1.mga3
firefox-pa_IN-17.0.9-1.mga3
firefox-pl-17.0.9-1.mga3
firefox-pt_BR-17.0.9-1.mga3
firefox-pt_PT-17.0.9-1.mga3
firefox-ro-17.0.9-1.mga3
firefox-ru-17.0.9-1.mga3
firefox-si-17.0.9-1.mga3
firefox-sk-17.0.9-1.mga3
firefox-sl-17.0.9-1.mga3
firefox-sq-17.0.9-1.mga3
firefox-sr-17.0.9-1.mga3
firefox-sv_SE-17.0.9-1.mga3
firefox-ta-17.0.9-1.mga3
firefox-ta_LK-17.0.9-1.mga3
firefox-te-17.0.9-1.mga3
firefox-th-17.0.9-1.mga3
firefox-tr-17.0.9-1.mga3
firefox-uk-17.0.9-1.mga3
firefox-vi-17.0.9-1.mga3
firefox-zh_CN-17.0.9-1.mga3
firefox-zh_TW-17.0.9-1.mga3
firefox-zu-17.0.9-1.mga3
thunderbird-17.0.9-1.mga3
thunderbird-enigmail-17.0.9-1.mga3
nsinstall-17.0.9-1.mga3
thunderbird-ar-17.0.9-1.mga3
thunderbird-ast-17.0.9-1.mga3
thunderbird-be-17.0.9-1.mga3
thunderbird-bg-17.0.9-1.mga3
thunderbird-bn_BD-17.0.9-1.mga3
thunderbird-br-17.0.9-1.mga3
thunderbird-ca-17.0.9-1.mga3
thunderbird-cs-17.0.9-1.mga3
thunderbird-da-17.0.9-1.mga3
thunderbird-de-17.0.9-1.mga3
thunderbird-el-17.0.9-1.mga3
thunderbird-en_GB-17.0.9-1.mga3
thunderbird-es_AR-17.0.9-1.mga3
thunderbird-es_ES-17.0.9-1.mga3
thunderbird-et-17.0.9-1.mga3
thunderbird-eu-17.0.9-1.mga3
thunderbird-fi-17.0.9-1.mga3
thunderbird-fr-17.0.9-1.mga3
thunderbird-fy-17.0.9-1.mga3
thunderbird-ga-17.0.9-1.mga3
thunderbird-gd-17.0.9-1.mga3
thunderbird-gl-17.0.9-1.mga3
thunderbird-he-17.0.9-1.mga3
thunderbird-hu-17.0.9-1.mga3
thunderbird-id-17.0.9-1.mga3
thunderbird-is-17.0.9-1.mga3
thunderbird-it-17.0.9-1.mga3
thunderbird-ja-17.0.9-1.mga3
thunderbird-ko-17.0.9-1.mga3
thunderbird-lt-17.0.9-1.mga3
thunderbird-nb_NO-17.0.9-1.mga3
thunderbird-nl-17.0.9-1.mga3
thunderbird-nn_NO-17.0.9-1.mga3
thunderbird-pa_IN-17.0.9-1.mga3
thunderbird-pl-17.0.9-1.mga3
thunderbird-pt_BR-17.0.9-1.mga3
thunderbird-pt_PT-17.0.9-1.mga3
thunderbird-ro-17.0.9-1.mga3
thunderbird-ru-17.0.9-1.mga3
thunderbird-si-17.0.9-1.mga3
thunderbird-sk-17.0.9-1.mga3
thunderbird-sl-17.0.9-1.mga3
thunderbird-sq-17.0.9-1.mga3
thunderbird-sv_SE-17.0.9-1.mga3
thunderbird-ta_LK-17.0.9-1.mga3
thunderbird-tr-17.0.9-1.mga3
thunderbird-uk-17.0.9-1.mga3
thunderbird-vi-17.0.9-1.mga3
thunderbird-zh_CN-17.0.9-1.mga3
thunderbird-zh_TW-17.0.9-1.mga3

from SRPMS:
firefox-17.0.9-1.mga2.src.rpm
firefox-l10n-17.0.9-1.mga2.src.rpm
thunderbird-17.0.9-1.mga2.src.rpm
thunderbird-l10n-17.0.9-1.mga2.src.rpm
firefox-17.0.9-1.mga3.src.rpm
firefox-l10n-17.0.9-1.mga3.src.rpm
thunderbird-17.0.9-1.mga3.src.rpm
thunderbird-l10n-17.0.9-1.mga3.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2013-09-17 21:57:38 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 Bill Wilkinson 2013-09-18 00:31:26 CEST 
No PoC on SecurityFocus.  Testing mga3-64.

CC: (none) => wrw105

Comment 2 Bill Wilkinson 2013-09-18 00:49:50 CEST 
Firefox: tested general browsing, sunspider javascript, javatester for java, youtube for flash.

Thunderbird: read/write, move messages over IMAP, send SMTP, receive IMAP. 

As a side note, will there be an NSS/NSPR update for this release?

Whiteboard: MGA2TOO => MGA2TOO mga3-64-ok

Comment 3 David Walser 2013-09-18 00:57:00 CEST 
(In reply to Bill Wilkinson from comment #2)
> As a side note, will there be an NSS/NSPR update for this release?

No, just as a reminder of what I said during the 17.0.8 update, we'll update nss and nspr when we update to 24 ESR, which should be the next round of FF/TB updates after this one.  Also, while it's good to ask that question, as we don't want to forget it (and the packager who usually packages the TB/FF updates, usually does forget about nss/nspr), as well as rootcerts, I personally won't push a FF/TB update to QA without considering nss/nspr first (although I did forget rootcerts until just now, so it's still good you asked...it's good for now too BTW :o).
Comment 4 Bill Wilkinson 2013-09-18 01:44:52 CEST 
Thanks, David!  Just trying to be thorough!

Completed same tests with mga3-32, all OK.

Whiteboard: MGA2TOO mga3-64-ok => MGA2TOO mga3-64-ok mga3-32-ok

Comment 5 Bill Wilkinson 2013-09-18 02:23:19 CEST 
completed same tests with mga2-32, all OK.

As I don't have a working mga2-64 I'll ask someone else to test that one.

Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok

Comment 6 Dave Hodgins 2013-09-18 03:18:17 CEST 
Testing complete and advisory committed to svn.

Someone from the sysadmin team please push 11250.adv to updates.

Keywords: (none) => validated_update
Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2013-09-18 03:18:32 CEST

Whiteboard: MGA2TOO mga3-64-ok mga3-32-ok mga2-32-ok mga2-64-ok => MGA2TOO mga3-64-ok mga3-32-ok mga2-64-ok mga2-64-ok

David Walser 2013-09-18 20:09:55 CEST

URL: (none) => http://lwn.net/Vulnerabilities/567271/

Comment 7 Oden Eriksson 2013-09-19 11:14:16 CEST 
FYI.

For NSS/NSPR, I find it faster to view a diff between the old and new firefox version to see if there is changes in the bundled ones, than try to find info elsewhere.

CC: (none) => oe

Comment 8 Thomas Backlund 2013-09-19 11:55:00 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2013-0287.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED