Bug 3308

Summary: multiple security issues in mozilla nss, firefox & thunderbird: CVE-2011-3640, CVE-2011-3648, CVE-2011-3650, CVE-2011-3651,CVE-2011-3652, CVE-2011-3654, CVE-2011-3655, rootcerts
Product: Mageia Reporter: Florian Hubold <doktor5000>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, dmorganec, doktor5000, pham182b, sysadmin-bugs, tmb
Version: CauldronKeywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 3335    

Description Florian Hubold 2011-11-10 10:01:43 CET 
Description of problem:

CVE-2011-3640

Untrusted search path vulnerability in Mozilla Network Security
Services (NSS) might allow local users to gain privileges via a Trojan
horse pkcs11.txt file in a top-level directory.

CVE-2011-3648

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0
through 7.0 allows remote attackers to inject arbitrary web script
or HTML via crafted text with Shift JIS encoding.

CVE-2011-3650

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird
before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript
files that contain many functions, which allows user-assisted
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
crafted file that is accessed by debugging APIs, as demonstrated by
Firebug.

CVE-2011-3651

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to
cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors.

CVE-2011-3652

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors.

CVE-2011-3654

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.

CVE-2011-3655

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site.

------------------------------------------------------------------------------

http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
http://www.entrust.net/advisories/malaysia.htm

22 weak 512-bit certificates were issued by the DigiCert Sdn. Bhd
certificate authority, due to this, DigiCert Sdn. Bhd has been revoked from the root CA storage.
DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon
(GTE CyberTrust). It bears no affiliation whatsoever with the
US-based corporation DigiCert, Inc., which is a member of Mozilla's
root program.
Comment 1 Florian Hubold 2011-11-10 10:06:21 CET 
This is already being worked on by dmorgan and me, not sure who to assign it to as it covers at least 3 different src.rpms ...

CC: (none) => doktor5000

Comment 2 Florian Hubold 2011-11-10 18:57:28 CET 
Thunderbird 3.1.15 on mga 1 is susceptible to at least CVE-2011-3640, where mozilla provides a patch that fixes this, which i've applied, awaiting review.

CVE-2011-3648 and CVE-2011-3650 are fixed by updating to 3.1.6.

And according to upstream developers 3.1 series is not susceptible to anything mentioned in http://www.mozilla.org/security/announce/2011/mfsa2011-48.html which references:
CVE-2011-3651
CVE-2011-3652
CVE-2011-3654
(All the relevant bug reports to these are not public.)

CVE-2011-3655 is only relevant for Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0.
Comment 3 Manuel Hiebel 2011-11-11 00:16:13 CET 
Add the three most committers if no maintainers for the packages.

CC: (none) => dmorganec, fundawang, jani.valimaa, mageia, pterjan

Comment 4 Florian Hubold 2011-11-11 00:40:20 CET 
Well, maybe not, thunderbird has already been submitted for mga1 and i saw dmorgan already updated to firefox 8 in SVN for mga1. I'll assign it to dmorgan as he also wanted to do the rootcerts update.

Status: NEW => ASSIGNED
CC: fundawang, jani.valimaa, mageia, pterjan => (none)
Assignee: bugsquad => dmorganec

Comment 5 Florian Hubold 2011-11-11 00:44:02 CET 
There is now mozilla-thunderbird-3.1.16-1.mga1 in core/updates_testing to validate
-------------------------------------------------------


Suggested advisory:
-------------------
This update addresses the following CVEs:

- CVE-2011-2722

An untrusted search path vulnerability which might allow local users to gain privileges via a Trojan horse pkcs11.txt file in a top-level directory

Other fixes in this release:

- http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
(loadSubScript unwraps XPCNativeWrapper scope parameter, a malicious page
could potentially exploit a Thunderbird user who had installed an add-on
that used loadSubscript in vulnerable ways)

- http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
(Potential cross-site-scripting against sites using Shift-JIS encoding,
CVE-2011-3648)

- http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
(memory corruption while profiling using Firebug, CVE-2011-3650)

-------------------------------------------------------
Steps to reproduce:

- install/update to update candidate
Comment 6 Manuel Hiebel 2011-11-11 01:42:34 CET 
And for nss and rootcerts ?
Comment 7 Manuel Hiebel 2011-11-11 01:43:50 CET 
(ok read to fast, but I think it's better to have one bug/package)
Comment 8 Florian Hubold 2011-11-11 01:47:03 CET 
OK, i'll open another one tomorrow for firefox, nss and rootcerts as they belong together. This one can be validated now for thunderbird with above advisory.

Assignee: dmorganec => qa-bugs

Comment 9 Dave Hodgins 2011-11-11 02:57:10 CET 
Testing on i586 complete for the srpm
mozilla-thunderbird-3.1.16-1.mga1.src.rpm

Testing used an email account, and an nntp account.

CC: (none) => davidwhodgins

Comment 10 Luan Pham 2011-11-11 05:32:15 CET 
Testing on x86_64 using email and nntp accounts with out any problem.

CC: (none) => pham182b

Comment 11 Dave Hodgins 2011-11-11 05:54:58 CET 
Validating the update.

Could someone from the sysadmin team push the srpm
mozilla-thunderbird-3.1.16-1.mga1.src.rpm
from Core Updates Testing to Core Updates.

Advisory: This mozilla-thunderbird update addresses the following CVEs:

- CVE-2011-2722

An untrusted search path vulnerability which might allow local users to gain
privileges via a Trojan horse pkcs11.txt file in a top-level directory

Other fixes in this release:

- http://www.mozilla.org/security/announce/2011/mfsa2011-46.html
(loadSubScript unwraps XPCNativeWrapper scope parameter, a malicious page
could potentially exploit a Thunderbird user who had installed an add-on
that used loadSubscript in vulnerable ways)

- http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
(Potential cross-site-scripting against sites using Shift-JIS encoding,
CVE-2011-3648)

- http://www.mozilla.org/security/announce/2011/mfsa2011-49.html
(memory corruption while profiling using Firebug, CVE-2011-3650)

https://bugs.mageia.org/show_bug.cgi?id=3308

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 12 Florian Hubold 2011-11-11 12:01:39 CET 
(In reply to comment #11)
> Validating the update.
> 
> Could someone from the sysadmin team push the srpm
> mozilla-thunderbird-3.1.16-1.mga1.src.rpm
> from Core Updates Testing to Core Updates.

Uhmm, please don't forget the language packs from mozilla-thunderbird-l10n-3.1.16-1.mga1.src.rpm
Comment 13 Thomas Backlund 2011-11-11 20:40:39 CET 
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Florian Hubold 2011-11-13 21:37:08 CET

Blocks: (none) => 3335