Bug 13515

Summary: Firefox and Thunderbird 24.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: sysadmin-bugs, tmb, wrw105
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/602039/
Whiteboard: MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
Source RPM: firefox, thunderbird, rootcerts, nspr, nss CVE:
Status comment:

Description David Walser 2014-06-10 22:48:47 CEST 
Upstream has released version 24.6.0 today (June 10):
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html

Fixing three critical security issues:
http://www.mozilla.org/security/announce/2014/mfsa2014-48.html
http://www.mozilla.org/security/announce/2014/mfsa2014-49.html
http://www.mozilla.org/security/announce/2014/mfsa2014-52.html

which correspond to the following CVEs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541

The rootcerts, nspr, and nss packages have also been updated to the latest versions.

I'll post an advisory once RedHat posts theirs.

Updated packages:
rootcerts-20140401.00-1.mga3
rootcerts-java-20140401.00-1.mga3
libnspr4-4.10.6-1.mga3
libnspr-devel-4.10.6-1.mga3
nss-3.16.1-1.mga3
nss-doc-3.16.1-1.mga3
libnss3-3.16.1-1.mga3
libnss-devel-3.16.1-1.mga3
libnss-static-devel-3.16.1-1.mga3
firefox-24.6.0-1.mga3
firefox-devel-24.6.0-1.mga3
firefox-af-24.6.0-1.mga3
firefox-ar-24.6.0-1.mga3
firefox-as-24.6.0-1.mga3
firefox-ast-24.6.0-1.mga3
firefox-be-24.6.0-1.mga3
firefox-bg-24.6.0-1.mga3
firefox-bn_IN-24.6.0-1.mga3
firefox-bn_BD-24.6.0-1.mga3
firefox-br-24.6.0-1.mga3
firefox-bs-24.6.0-1.mga3
firefox-ca-24.6.0-1.mga3
firefox-cs-24.6.0-1.mga3
firefox-csb-24.6.0-1.mga3
firefox-cy-24.6.0-1.mga3
firefox-da-24.6.0-1.mga3
firefox-de-24.6.0-1.mga3
firefox-el-24.6.0-1.mga3
firefox-en_GB-24.6.0-1.mga3
firefox-en_ZA-24.6.0-1.mga3
firefox-eo-24.6.0-1.mga3
firefox-es_AR-24.6.0-1.mga3
firefox-es_CL-24.6.0-1.mga3
firefox-es_ES-24.6.0-1.mga3
firefox-es_MX-24.6.0-1.mga3
firefox-et-24.6.0-1.mga3
firefox-eu-24.6.0-1.mga3
firefox-fa-24.6.0-1.mga3
firefox-ff-24.6.0-1.mga3
firefox-fi-24.6.0-1.mga3
firefox-fr-24.6.0-1.mga3
firefox-fy-24.6.0-1.mga3
firefox-ga_IE-24.6.0-1.mga3
firefox-gd-24.6.0-1.mga3
firefox-gl-24.6.0-1.mga3
firefox-gu_IN-24.6.0-1.mga3
firefox-he-24.6.0-1.mga3
firefox-hi-24.6.0-1.mga3
firefox-hr-24.6.0-1.mga3
firefox-hu-24.6.0-1.mga3
firefox-hy-24.6.0-1.mga3
firefox-id-24.6.0-1.mga3
firefox-is-24.6.0-1.mga3
firefox-it-24.6.0-1.mga3
firefox-ja-24.6.0-1.mga3
firefox-kk-24.6.0-1.mga3
firefox-ko-24.6.0-1.mga3
firefox-km-24.6.0-1.mga3
firefox-kn-24.6.0-1.mga3
firefox-ku-24.6.0-1.mga3
firefox-lg-24.6.0-1.mga3
firefox-lij-24.6.0-1.mga3
firefox-lt-24.6.0-1.mga3
firefox-lv-24.6.0-1.mga3
firefox-mai-24.6.0-1.mga3
firefox-mk-24.6.0-1.mga3
firefox-ml-24.6.0-1.mga3
firefox-mr-24.6.0-1.mga3
firefox-nb_NO-24.6.0-1.mga3
firefox-nl-24.6.0-1.mga3
firefox-nn_NO-24.6.0-1.mga3
firefox-nso-24.6.0-1.mga3
firefox-or-24.6.0-1.mga3
firefox-pa_IN-24.6.0-1.mga3
firefox-pl-24.6.0-1.mga3
firefox-pt_BR-24.6.0-1.mga3
firefox-pt_PT-24.6.0-1.mga3
firefox-ro-24.6.0-1.mga3
firefox-ru-24.6.0-1.mga3
firefox-si-24.6.0-1.mga3
firefox-sk-24.6.0-1.mga3
firefox-sl-24.6.0-1.mga3
firefox-sq-24.6.0-1.mga3
firefox-sr-24.6.0-1.mga3
firefox-sv_SE-24.6.0-1.mga3
firefox-ta-24.6.0-1.mga3
firefox-ta_LK-24.6.0-1.mga3
firefox-te-24.6.0-1.mga3
firefox-th-24.6.0-1.mga3
firefox-tr-24.6.0-1.mga3
firefox-uk-24.6.0-1.mga3
firefox-vi-24.6.0-1.mga3
firefox-zh_CN-24.6.0-1.mga3
firefox-zh_TW-24.6.0-1.mga3
firefox-zu-24.6.0-1.mga3
thunderbird-24.6.0-1.mga3
thunderbird-enigmail-24.6.0-1.mga3
nsinstall-24.6.0-1.mga3
thunderbird-ar-24.6.0-1.mga3
thunderbird-ast-24.6.0-1.mga3
thunderbird-be-24.6.0-1.mga3
thunderbird-bg-24.6.0-1.mga3
thunderbird-bn_BD-24.6.0-1.mga3
thunderbird-br-24.6.0-1.mga3
thunderbird-ca-24.6.0-1.mga3
thunderbird-cs-24.6.0-1.mga3
thunderbird-da-24.6.0-1.mga3
thunderbird-de-24.6.0-1.mga3
thunderbird-el-24.6.0-1.mga3
thunderbird-en_GB-24.6.0-1.mga3
thunderbird-es_AR-24.6.0-1.mga3
thunderbird-es_ES-24.6.0-1.mga3
thunderbird-et-24.6.0-1.mga3
thunderbird-eu-24.6.0-1.mga3
thunderbird-fi-24.6.0-1.mga3
thunderbird-fr-24.6.0-1.mga3
thunderbird-fy-24.6.0-1.mga3
thunderbird-ga-24.6.0-1.mga3
thunderbird-gd-24.6.0-1.mga3
thunderbird-gl-24.6.0-1.mga3
thunderbird-he-24.6.0-1.mga3
thunderbird-hr-24.6.0-1.mga3
thunderbird-hu-24.6.0-1.mga3
thunderbird-hy-24.6.0-1.mga3
thunderbird-id-24.6.0-1.mga3
thunderbird-is-24.6.0-1.mga3
thunderbird-it-24.6.0-1.mga3
thunderbird-ja-24.6.0-1.mga3
thunderbird-ko-24.6.0-1.mga3
thunderbird-lt-24.6.0-1.mga3
thunderbird-nb_NO-24.6.0-1.mga3
thunderbird-nl-24.6.0-1.mga3
thunderbird-nn_NO-24.6.0-1.mga3
thunderbird-pl-24.6.0-1.mga3
thunderbird-pa_IN-24.6.0-1.mga3
thunderbird-pt_BR-24.6.0-1.mga3
thunderbird-pt_PT-24.6.0-1.mga3
thunderbird-ro-24.6.0-1.mga3
thunderbird-ru-24.6.0-1.mga3
thunderbird-si-24.6.0-1.mga3
thunderbird-sk-24.6.0-1.mga3
thunderbird-sl-24.6.0-1.mga3
thunderbird-sq-24.6.0-1.mga3
thunderbird-sv_SE-24.6.0-1.mga3
thunderbird-ta_LK-24.6.0-1.mga3
thunderbird-tr-24.6.0-1.mga3
thunderbird-uk-24.6.0-1.mga3
thunderbird-vi-24.6.0-1.mga3
thunderbird-zh_CN-24.6.0-1.mga3
thunderbird-zh_TW-24.6.0-1.mga3
rootcerts-20140401.00-1.mga4
rootcerts-java-20140401.00-1.mga4
libnspr4-4.10.6-1.mga4
libnspr-devel-4.10.6-1.mga4
nss-3.16.1-1.mga4
nss-doc-3.16.1-1.mga4
libnss3-3.16.1-1.mga4
libnss-devel-3.16.1-1.mga4
libnss-static-devel-3.16.1-1.mga4
firefox-24.6.0-1.mga4
firefox-devel-24.6.0-1.mga4
firefox-af-24.6.0-1.mga4
firefox-ar-24.6.0-1.mga4
firefox-as-24.6.0-1.mga4
firefox-ast-24.6.0-1.mga4
firefox-be-24.6.0-1.mga4
firefox-bg-24.6.0-1.mga4
firefox-bn_IN-24.6.0-1.mga4
firefox-bn_BD-24.6.0-1.mga4
firefox-br-24.6.0-1.mga4
firefox-bs-24.6.0-1.mga4
firefox-ca-24.6.0-1.mga4
firefox-cs-24.6.0-1.mga4
firefox-csb-24.6.0-1.mga4
firefox-cy-24.6.0-1.mga4
firefox-da-24.6.0-1.mga4
firefox-de-24.6.0-1.mga4
firefox-el-24.6.0-1.mga4
firefox-en_GB-24.6.0-1.mga4
firefox-en_ZA-24.6.0-1.mga4
firefox-eo-24.6.0-1.mga4
firefox-es_AR-24.6.0-1.mga4
firefox-es_CL-24.6.0-1.mga4
firefox-es_ES-24.6.0-1.mga4
firefox-es_MX-24.6.0-1.mga4
firefox-et-24.6.0-1.mga4
firefox-eu-24.6.0-1.mga4
firefox-fa-24.6.0-1.mga4
firefox-ff-24.6.0-1.mga4
firefox-fi-24.6.0-1.mga4
firefox-fr-24.6.0-1.mga4
firefox-fy-24.6.0-1.mga4
firefox-ga_IE-24.6.0-1.mga4
firefox-gd-24.6.0-1.mga4
firefox-gl-24.6.0-1.mga4
firefox-gu_IN-24.6.0-1.mga4
firefox-he-24.6.0-1.mga4
firefox-hi-24.6.0-1.mga4
firefox-hr-24.6.0-1.mga4
firefox-hu-24.6.0-1.mga4
firefox-hy-24.6.0-1.mga4
firefox-id-24.6.0-1.mga4
firefox-is-24.6.0-1.mga4
firefox-it-24.6.0-1.mga4
firefox-ja-24.6.0-1.mga4
firefox-kk-24.6.0-1.mga4
firefox-ko-24.6.0-1.mga4
firefox-km-24.6.0-1.mga4
firefox-kn-24.6.0-1.mga4
firefox-ku-24.6.0-1.mga4
firefox-lg-24.6.0-1.mga4
firefox-lij-24.6.0-1.mga4
firefox-lt-24.6.0-1.mga4
firefox-lv-24.6.0-1.mga4
firefox-mai-24.6.0-1.mga4
firefox-mk-24.6.0-1.mga4
firefox-ml-24.6.0-1.mga4
firefox-mr-24.6.0-1.mga4
firefox-nb_NO-24.6.0-1.mga4
firefox-nl-24.6.0-1.mga4
firefox-nn_NO-24.6.0-1.mga4
firefox-nso-24.6.0-1.mga4
firefox-or-24.6.0-1.mga4
firefox-pa_IN-24.6.0-1.mga4
firefox-pl-24.6.0-1.mga4
firefox-pt_BR-24.6.0-1.mga4
firefox-pt_PT-24.6.0-1.mga4
firefox-ro-24.6.0-1.mga4
firefox-ru-24.6.0-1.mga4
firefox-si-24.6.0-1.mga4
firefox-sk-24.6.0-1.mga4
firefox-sl-24.6.0-1.mga4
firefox-sq-24.6.0-1.mga4
firefox-sr-24.6.0-1.mga4
firefox-sv_SE-24.6.0-1.mga4
firefox-ta-24.6.0-1.mga4
firefox-ta_LK-24.6.0-1.mga4
firefox-te-24.6.0-1.mga4
firefox-th-24.6.0-1.mga4
firefox-tr-24.6.0-1.mga4
firefox-uk-24.6.0-1.mga4
firefox-vi-24.6.0-1.mga4
firefox-zh_CN-24.6.0-1.mga4
firefox-zh_TW-24.6.0-1.mga4
firefox-zu-24.6.0-1.mga4
thunderbird-24.6.0-1.mga4
thunderbird-enigmail-24.6.0-1.mga4
nsinstall-24.6.0-1.mga4
thunderbird-ar-24.6.0-1.mga4
thunderbird-ast-24.6.0-1.mga4
thunderbird-be-24.6.0-1.mga4
thunderbird-bg-24.6.0-1.mga4
thunderbird-bn_BD-24.6.0-1.mga4
thunderbird-br-24.6.0-1.mga4
thunderbird-ca-24.6.0-1.mga4
thunderbird-cs-24.6.0-1.mga4
thunderbird-da-24.6.0-1.mga4
thunderbird-de-24.6.0-1.mga4
thunderbird-el-24.6.0-1.mga4
thunderbird-en_GB-24.6.0-1.mga4
thunderbird-es_AR-24.6.0-1.mga4
thunderbird-es_ES-24.6.0-1.mga4
thunderbird-et-24.6.0-1.mga4
thunderbird-eu-24.6.0-1.mga4
thunderbird-fi-24.6.0-1.mga4
thunderbird-fr-24.6.0-1.mga4
thunderbird-fy-24.6.0-1.mga4
thunderbird-ga-24.6.0-1.mga4
thunderbird-gd-24.6.0-1.mga4
thunderbird-gl-24.6.0-1.mga4
thunderbird-he-24.6.0-1.mga4
thunderbird-hr-24.6.0-1.mga4
thunderbird-hu-24.6.0-1.mga4
thunderbird-hy-24.6.0-1.mga4
thunderbird-id-24.6.0-1.mga4
thunderbird-is-24.6.0-1.mga4
thunderbird-it-24.6.0-1.mga4
thunderbird-ja-24.6.0-1.mga4
thunderbird-ko-24.6.0-1.mga4
thunderbird-lt-24.6.0-1.mga4
thunderbird-nb_NO-24.6.0-1.mga4
thunderbird-nl-24.6.0-1.mga4
thunderbird-nn_NO-24.6.0-1.mga4
thunderbird-pl-24.6.0-1.mga4
thunderbird-pa_IN-24.6.0-1.mga4
thunderbird-pt_BR-24.6.0-1.mga4
thunderbird-pt_PT-24.6.0-1.mga4
thunderbird-ro-24.6.0-1.mga4
thunderbird-ru-24.6.0-1.mga4
thunderbird-si-24.6.0-1.mga4
thunderbird-sk-24.6.0-1.mga4
thunderbird-sl-24.6.0-1.mga4
thunderbird-sq-24.6.0-1.mga4
thunderbird-sv_SE-24.6.0-1.mga4
thunderbird-ta_LK-24.6.0-1.mga4
thunderbird-tr-24.6.0-1.mga4
thunderbird-uk-24.6.0-1.mga4
thunderbird-vi-24.6.0-1.mga4
thunderbird-zh_CN-24.6.0-1.mga4
thunderbird-zh_TW-24.6.0-1.mga4

from SRPMS:
rootcerts-20140401.00-1.mga3.src.rpm
nspr-4.10.6-1.mga3.src.rpm
nss-3.16.1-1.mga3.src.rpm
firefox-24.6.0-1.mga3.src.rpm
firefox-l10n-24.6.0-1.mga3.src.rpm
thunderbird-24.6.0-1.mga3.src.rpm
thunderbird-l10n-24.6.0-1.mga3.src.rpm
rootcerts-20140401.00-1.mga4.src.rpm
nspr-4.10.6-1.mga4.src.rpm
nss-3.16.1-1.mga4.src.rpm
firefox-24.6.0-1.mga4.src.rpm
firefox-l10n-24.6.0-1.mga4.src.rpm
thunderbird-24.6.0-1.mga4.src.rpm
thunderbird-l10n-24.6.0-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-10 22:48:53 CEST

Whiteboard: (none) => MGA3TOO

Comment 1 Bill Wilkinson 2014-06-11 03:51:14 CEST 
No PoCs on Securityfocus.

Tested mga4-32 for general use.

FF:
acid 3 for rendering
sunspider for javascript
javatester for java
youtube for flash
general browsing

TB:
send/receive/move/delete on smtp/imap

All OK, no regressions noted.

CC: (none) => wrw105
Whiteboard: MGA3TOO => MGA3TOO mga4-32-ok

Comment 2 Bill Wilkinson 2014-06-11 04:29:24 CEST 
tested mga4-64 as above, all OK.

Whiteboard: MGA3TOO mga4-32-ok => MGA3TOO mga4-32-ok mga4-64-ok

Comment 3 Bill Wilkinson 2014-06-11 04:54:24 CEST 
tested mga3-32 as above, all OK.

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok

Comment 4 Bill Wilkinson 2014-06-11 05:25:27 CEST 
tested mga3-64 as above, all OK.

Ready for validation when advisory uploaded to SVN.

Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok => MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok

Comment 5 David Walser 2014-06-11 05:46:20 CEST 
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to crash
or, potentially, execute arbitrary code with the privileges of the user
running it (CVE-2014-1533, CVE-2014-1538, CVE-2014-1541).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1533
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1538
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1541
http://www.mozilla.org/security/announce/2014/mfsa2014-48.html
http://www.mozilla.org/security/announce/2014/mfsa2014-49.html
http://www.mozilla.org/security/announce/2014/mfsa2014-52.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
https://rhn.redhat.com/errata/RHSA-2014-0741.html
https://rhn.redhat.com/errata/RHSA-2014-0742.html
Comment 6 claire robinson 2014-06-11 09:38:07 CEST 
Thanks both.

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok => MGA3TOO has_procedure advisory mga4-32-ok mga4-64-ok mga3-32-ok mga3-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Thomas Backlund 2014-06-11 19:18:08 CEST 

Update pushed:
http://advisories.mageia.org/MGASA-2014-0260.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Comment 8 David Walser 2014-06-11 19:51:35 CEST 
This update (specifically nspr) also fixed CVE-2014-1545:
http://lwn.net/Vulnerabilities/602042/

Advisory addendum:

Mozilla Netscape Portable Runtime (NSPR) before 4.10.6 allows remote attackers
to execute arbitrary code or cause a denial of service (out-of-bounds write)
via vectors involving the sprintf and console functions (CVE-2014-1545).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1545
http://www.mozilla.org/security/announce/2014/mfsa2014-55.html

URL: (none) => http://lwn.net/Vulnerabilities/602039/