Firefox ESR and Thunderbird ESR prior to 17.0.6 contain the following security vulnerabilities:

* CVE-2013-0801, CVE-2013-1669: Miscellaneous memory safety hazards.
* CVE-2013-1670: Call content level constructor as if from a chrome/privileged page
* CVE-2013-1672: Arbitrary code execution by Mozilla Maintenance Service with junctions
* CVE-2013-1674: UAF with video and onresize event
* CVE-2013-1675: nsDOMSVGZoomEvent::m{Previous,New}Scale are used uninitialized
* CVE-2013-1676: Out of Bounds Read in SelectionIterator::GetNextSegment
* CVE-2013-1677: Out-of-bound read in gfxSkipCharsIterator::SetOffsets
* CVE-2013-1678: Invalid write in _cairo_xlib_surface_add_glyph
* CVE-2013-1679: Heap-use-after-free in mozilla::plugins::child::_geturlnotify
* CVE-2013-1680: Heap-use-after-free in nsFrameList::FirstChild
* CVE-2013-1681: Heap-use-after-free in nsContentUtils::RemoveScriptBlocker

References:
http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-44.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html
Whiteboard: (none) => MGA2TOO
This also needs to wait until after the release of course. FYI, there are no nspr and nss updates needed this time.
CC: (none) => luigiwalser
Well, mga2 could be validated at this time.
(In reply to Funda Wang from comment #2)
> Well, mga2 could be validated at this time.

Validated, yes. Pushed, no.
Mandriva has issued an advisory for this today (May 15): http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:165/
No PoCs on SecurityFocus. Testing MGA2-64
CC: (none) => wrw105
Tested MGA2-64 Thunderbird sending (SMTP), receiving (IMAP), moving between folders, all OK.
Tested firefox on youtube for flash, javatester, sunspider, and general browsing, all OK.
Whiteboard: MGA2TOO => MGA2TOO mga2-64-ok
Testing complete for firefox-17.0.6-1.mga2 on Mageia release 2 (Official) for x86_64. It's OK for me, nothing to report, and it works fine. firefox-fr-17.0.6-1.mga2 too. Tested flash-player, java, and general browsing, etc.
CC: (none) => geiger.david68210
URL: http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html, http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html => http://lwn.net/Vulnerabilities/550702/
Testing complete for mga2-32. Tested firefox and thunderbird as described in comment 6, all OK.
Whiteboard: MGA2TOO mga2-64-ok => MGA2TOO mga2-64-ok mga2-32-ok
These will need to be rebuilt now for mageia 3 so setting feedback marker until they're ready.
Whiteboard: MGA2TOO mga2-64-ok mga2-32-ok => MGA2TOO mga2-64-ok mga2-32-ok feedback
Now it's time for mga3 testing.
Testing mga3-64
Tested firefox and thunderbird for mga3-64 as described in comment 6. All OK.
Whiteboard: MGA2TOO mga2-64-ok mga2-32-ok feedback => MGA2TOO mga2-64-ok mga2-32-ok mga3-64-ok
Tested firefox and thunderbird for mga3-32 as described in comment 6. All OK. Funda, can you provide a SRPM list so we can push this update? Thanks!
Whiteboard: MGA2TOO mga2-64-ok mga2-32-ok mga3-64-ok => MGA2TOO mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok feedback
MGA2:
firefox-17.0.6-1.mga2
firefox-l10n-17.0.6-1.mga2
thunderbird-17.0.6-1.mga2
thunderbird-l10n-17.0.6-1.mga2

MGA3:
firefox-17.0.6-1.mga3
firefox-l10n-17.0.6-1.mga3
thunderbird-17.0.6-1.mga3
thunderbird-l10n-17.0.6-1.mga3
Whiteboard: MGA2TOO mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok feedback => MGA2TOO mga2-64-ok mga2-32-ok mga3-64-ok mga3-32-ok
Thanks for the quick response, Funda! Validating.

Can someone from the sysadmin team please push from core/updates_testing to core/updates for mga2 and mga3?

SRPM list in comment 14
Advisory in comment 0

Thanks!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CVE-2013-1669 only affects Firefox and not ESR, and MFSA 2013-44 is for Windows. Please use the advisory text and references list from the Mandriva advisory (see Comment 4).
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Mozilla developers identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code (CVE-2013-0801).

Security researcher Cody Crews reported a method to call a content level constructor that allows for this constructor to have chrome privileged access. This affects chrome object wrappers (COW) and allows for write actions on objects when only read actions should be allowed. This can lead to cross-site scripting (XSS) attacks (CVE-2013-1670).

Security researcher Nils reported a use-after-free when resizing video while playing. This could allow for arbitrary code execution (CVE-2013-1674).

Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent functions are used without being properly initialized, causing uninitialized memory to be used when they are called by web content. This could lead to an information leakage to sites depending on the contents of this uninitialized memory (CVE-2013-1675).

Security researcher Abhishek Arya (Inferno) of the Google Chrome Security Team used the Address Sanitizer tool to discover a series of use-after-free, out of bounds read, and invalid write problems rated as moderate to critical as security issues in shipped software. Some of these issues are potentially exploitable, allowing for remote code execution. We would also like to thank Abhishek for reporting additional use-after-free flaws in dir=auto code introduced during Firefox development. These were fixed before general release (CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679, CVE-2013-1680, CVE-2013-1681).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1677
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1681
http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:165/
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0156
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED