| Summary: | Firefox 17.0.3 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, fundawang, geiger.david68210, sysadmin-bugs, tmb, wrw105 |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/539198/ | ||
| Whiteboard: | MGA2-64-OK MGA2-32-OK | ||
| Source RPM: | firefox-17.0.2-3.mga2.src.rpm | CVE: | |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 9142 | ||
|
Description
David Walser
2013-02-21 01:05:58 CET
David Walser
2013-02-21 01:08:25 CET
Blocks:
(none) =>
9142

Everything is now built and this is ready for QA.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

The Chrome Object Wrapper (COW) and System Only Wrapper (SOW) implementations in Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent modifications to a prototype, which allows remote attackers to obtain sensitive information from chrome objects or possibly execute arbitrary JavaScript code with chrome privileges via a crafted web site (CVE-2013-0773).

Mozilla Firefox before 19.0, Firefox ESR 17.x before 17.0.3, Thunderbird before 17.0.3, Thunderbird ESR 17.x before 17.0.3, and SeaMonkey before 2.16 do not prevent JavaScript workers from reading the browser-profile directory name, which has unspecified impact and remote attack vectors (CVE-2013-0774).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox (CVE-2013-0775, CVE-2013-0780, CVE-2013-0782, CVE-2013-0783).

It was found that, after canceling a proxy server's authentication prompt, the address bar continued to show the requested site's address. An attacker could use this flaw to conduct phishing attacks by tricking a user into believing they are viewing a trusted site (CVE-2013-0776).

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets (CVE-2013-1620).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0773
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0774
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0775
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0780
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0782
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0783
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1620
http://www.mozilla.org/security/announce/2013/mfsa2013-21.html
http://www.mozilla.org/security/announce/2013/mfsa2013-24.html
http://www.mozilla.org/security/announce/2013/mfsa2013-25.html
http://www.mozilla.org/security/announce/2013/mfsa2013-26.html
http://www.mozilla.org/security/announce/2013/mfsa2013-27.html
http://www.mozilla.org/security/announce/2013/mfsa2013-28.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://bugzilla.mozilla.org/show_bug.cgi?id=822365
https://rhn.redhat.com/errata/RHSA-2013-0271.html
========================

Source RPMs:
nspr-4.9.5-1.mga2.src.rpm
nss-3.14.3-1.mga2.src.rpm
firefox-17.0.3-1.mga2.src.rpm
firefox-l10n-17.0.3-1.mga2.src.rpm

Assignee:
bugsquad =>
qa-bugs

testing x86_64

Repeated testing from earlier today with nss and nspr installed in addition to firefox 17.0.3.

No PoC found for bugs

Tested javascript with Sunspider-OK
https://www.webkit.org/perf/sunspider/sunspider.html
Tested Java through javatester.com -OK
Tested flash with lemmings game and several YouTube videos--OK
general browsing-including ACID 3 test --OK
http://www.acidtests.org

CC:
(none) =>
wrw105
Bill Wilkinson
2013-02-21 04:08:44 CET
Whiteboard:
MGA2_64_OK =>
MGA2-64-OK

Testing complete on Mageia 2 i586.

Could someone from the sysadmin team push the srpms
nspr-4.9.5-1.mga2.src.rpm
nss-3.14.3-1.mga2.src.rpm
firefox-17.0.3-1.mga2.src.rpm
firefox-l10n-17.0.3-1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

See comment 2 for the advisory and references.

Keywords:
(none) =>
validated_update

Testing complete for firefox-17.0.3 on Mageia release 2 (Official) for x86_64, for me it's Ok nothing to report and works fine.

-Flash-player : Ok
-Java-plugin : Ok
-Some .xpi Addons , Adblock,flagfox, Firebug, Xmarks, Downthemall, Foxtab, etc... works fine.

CC:
(none) =>
geiger.david68210

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0063

Status:
NEW =>
RESOLVED |
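
To confirm that a Mageia 2 host carries the builds pushed in this update, the added example below (not part of the bug report or of Mageia's tooling) compares source RPM names, as printed by `rpm -qa --qf '%{SOURCERPM}\n'`, against the fixed builds listed in the advisory. The version ordering is a simplified form of RPM's comparison (no epochs or tildes), the function names are illustrative, and the sample input is constructed.

```python
import re

# Fixed builds, copied from the "Source RPMs" list in the advisory above.
FIXED = ["nspr-4.9.5-1.mga2.src.rpm", "nss-3.14.3-1.mga2.src.rpm",
         "firefox-17.0.3-1.mga2.src.rpm", "firefox-l10n-17.0.3-1.mga2.src.rpm"]

def split_srpm(filename):
    """'firefox-l10n-17.0.3-1.mga2.src.rpm' -> ('firefox-l10n', '17.0.3', '1.mga2').
    Returns None for lines that are not source RPM file names, e.g. '(none)'."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)\.src\.rpm", filename.strip())
    return m.groups() if m else None

def vercmp(a, b):
    """Simplified RPM ordering: runs of digits compare numerically, runs of
    letters as strings; a numeric run beats an alphabetic one; if all shared
    runs are equal, the string with runs left over is newer. Returns -1/0/1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return -1 if kx < ky else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outdated(installed_srpms):
    """Return sorted (name, installed, fixed) for builds older than the fix."""
    fixed = {name: (ver, rel) for name, ver, rel in map(split_srpm, FIXED)}
    stale = set()  # several binary packages share one source RPM
    for line in installed_srpms:
        parsed = split_srpm(line)
        if parsed is None or parsed[0] not in fixed:
            continue
        name, ver, rel = parsed
        fver, frel = fixed[name]
        # Version decides first; release only breaks a tie.
        if (vercmp(ver, fver) or vercmp(rel, frel)) < 0:
            stale.add((name, f"{ver}-{rel}", f"{fver}-{frel}"))
    return sorted(stale)

# Constructed sample of the rpm query output. The firefox line is the build
# named in this bug's "Source RPM" field; the nspr and bash versions are
# made up for the example.
SAMPLE = ["firefox-17.0.2-3.mga2.src.rpm", "firefox-17.0.2-3.mga2.src.rpm",
          "nss-3.14.3-1.mga2.src.rpm", "nspr-4.9.4-1.mga2.src.rpm",
          "bash-4.2-9.mga2.src.rpm", "(none)"]

if __name__ == "__main__":
    for name, have, need in outdated(SAMPLE):
        print(f"{name}: installed {have}, fixed in {need}")
```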