Bug 10101 - [Update Request] Update firefox and thunderbird packages to fix several security vulnerabilities
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 3
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/550702/
Whiteboard: MGA2TOO mga2-64-ok mga2-32-ok mga3-64...
Keywords: validated_update
Reported: 2013-05-15 04:53 CEST by Funda Wang
Modified: 2013-05-25 21:56 CEST
Source RPM: firefox-17.0.6-1, firefox-l10n-17.0.6-1, thunderbird-17.0.6-1, thunderbird-l10n-17.0.6-1

Description Funda Wang 2013-05-15 04:53:02 CEST
Firefox ESR and Thunderbird ESR prior to 17.0.6 contain the following security vulnerabilities:

* CVE-2013-0801, CVE-2013-1669: Miscellaneous memory safety hazards.
* CVE-2013-1670: Call content level constructor as if from a chrome/privileged page
* CVE-2013-1672: Arbitrary code execution by Mozilla Maintenance Service with junctions
* CVE-2013-1674: UAF with video and onresize event
* CVE-2013-1675: nsDOMSVGZoomEvent::m{Previous,New}Scale are used uninitialized
* CVE-2013-1676: Out of Bounds Read in SelectionIterator::GetNextSegment
* CVE-2013-1677: Out-of-bound read in gfxSkipCharsIterator::SetOffsets
* CVE-2013-1678: Invalid write in _cairo_xlib_surface_add_glyph
* CVE-2013-1679: Heap-use-after-free in mozilla::plugins::child::_geturlnotify
* CVE-2013-1680: Heap-use-after-free in nsFrameList::FirstChild
* CVE-2013-1681: Heap-use-after-free in nsContentUtils::RemoveScriptBlocker

References:
http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-44.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html

Comment 1 David Walser 2013-05-15 05:35:39 CEST
This also needs to wait until after the release of course.

FYI, there are no nspr and nss updates needed this time.
Comment 2 Funda Wang 2013-05-15 05:50:49 CEST
Well, mga2 could be validated at this time.
Comment 3 David Walser 2013-05-15 05:59:15 CEST
(In reply to Funda Wang from comment #2)
> Well, mga2 could be validated at this time.

Validated, yes.  Pushed, no.
Comment 4 David Walser 2013-05-15 12:30:30 CEST
Mandriva has issued an advisory for this today (May 15):
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:165/
Comment 5 Bill Wilkinson 2013-05-15 13:48:16 CEST
No PoCs on SecurityFocus.

Testing MGA2-64
Comment 6 Bill Wilkinson 2013-05-15 15:45:24 CEST
Tested MGA2-64 Thunderbird sending (SMTP), receiving (IMAP), moving between folders, all OK.

Tested firefox on youtube for flash, javatester, sunspider, and general browsing, all OK
Comment 7 David GEIGER 2013-05-15 17:23:05 CEST
Testing complete for firefox-17.0.6-1.mga2 on Mageia release 2 (Official) for x86_64; it's OK for me, nothing to report, and it works fine.

firefox-fr-17.0.6-1.mga2 too.

Tested flash-player, java, and general browsing, etc.
Comment 8 Bill Wilkinson 2013-05-16 03:16:22 CEST
Testing complete for mga2-32.

Tested firefox and thunderbird as described in comment 6, all OK.
Comment 9 claire robinson 2013-05-21 15:48:52 CEST
These will need to be rebuilt now for mageia 3 so setting feedback marker until they're ready.
Comment 10 Funda Wang 2013-05-23 22:57:48 CEST
Now is the time for mga3 testing.
Comment 11 Bill Wilkinson 2013-05-24 01:39:36 CEST
Testing mga3-64
Comment 12 Bill Wilkinson 2013-05-24 02:13:15 CEST
Tested firefox and thunderbird for mga3-64 as described in comment 6. All OK.
Comment 13 Bill Wilkinson 2013-05-24 05:55:26 CEST
Tested firefox and thunderbird for mga3-32 as described in comment 6. All OK.

Funda, can you provide a SRPM list so we can push this update?

Thanks!
Comment 14 Funda Wang 2013-05-24 06:10:27 CEST
MGA2:
firefox-17.0.6-1.mga2
firefox-l10n-17.0.6-1.mga2
thunderbird-17.0.6-1.mga2
thunderbird-l10n-17.0.6-1.mga2


MGA3:
firefox-17.0.6-1.mga3
firefox-l10n-17.0.6-1.mga3
thunderbird-17.0.6-1.mga3
thunderbird-l10n-17.0.6-1.mga3
Comment 15 Bill Wilkinson 2013-05-24 06:21:22 CEST
Thanks for the quick response, Funda!

Validating.

Can someone from the sysadmin team please push from core/updates_testing to core/updates for mga2 and mga3?
 

srpm list in comment 14 
advisory in comment 0

Thanks!
Comment 16 David Walser 2013-05-24 06:23:56 CEST
CVE-2013-1669 only affects Firefox and not ESR, and MFSA 2013-44 is for Windows.

Please use the advisory text and references list from the Mandriva advisory (see Comment 4).
Comment 17 David Walser 2013-05-24 19:34:16 CEST
Advisory:
========================

Updated firefox and thunderbird packages fix security vulnerabilities:

Mozilla developers identified and fixed several memory safety
bugs in the browser engine used in Firefox and other Mozilla-based
products. Some of these bugs showed evidence of memory corruption under
certain circumstances, and we presume that with enough effort at least
some of these could be exploited to run arbitrary code (CVE-2013-0801).

Security researcher Cody Crews reported a method to call a content
level constructor that allows for this constructor to have chrome
privileged access. This affects chrome object wrappers (COW) and
allows for write actions on objects when only read actions should
be allowed. This can lead to cross-site scripting (XSS) attacks
(CVE-2013-1670).

Security researcher Nils reported a use-after-free when resizing
video while playing. This could allow for arbitrary code execution
(CVE-2013-1674).

Mozilla community member Ms2ger discovered that some DOMSVGZoomEvent
functions are used without being properly initialized, causing
uninitialized memory to be used when they are called by web
content. This could lead to an information leakage to sites depending
on the contents of this uninitialized memory (CVE-2013-1675).

Security researcher Abhishek Arya (Inferno) of the Google Chrome
Security Team used the Address Sanitizer tool to discover a series of
use-after-free, out of bounds read, and invalid write problems rated
as moderate to critical as security issues in shipped software. Some
of these issues are potentially exploitable, allowing for remote
code execution. We would also like to thank Abhishek for reporting
additional use-after-free flaws in dir=auto code introduced during
Firefox development. These were fixed before general release
(CVE-2013-1676, CVE-2013-1677, CVE-2013-1678, CVE-2013-1679,
CVE-2013-1680, CVE-2013-1681).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1674
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1675
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1676
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1677
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1678
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1679
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1680
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1681
http://www.mozilla.org/security/announce/2013/mfsa2013-41.html
http://www.mozilla.org/security/announce/2013/mfsa2013-42.html
http://www.mozilla.org/security/announce/2013/mfsa2013-46.html
http://www.mozilla.org/security/announce/2013/mfsa2013-47.html
http://www.mozilla.org/security/announce/2013/mfsa2013-48.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
http://www.mandriva.com/en/support/security/advisories/mes5/MDVSA-2013:165/
Comment 18 Thomas Backlund 2013-05-25 21:56:49 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0156
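
Once the update is pushed, an administrator can confirm that a host carries the fixed builds from comment 14. The following check is an added example, not part of the bug report or of Mageia's tooling: it uses a simplified RPM version comparison, ignores epochs, and assumes that every package whose name begins with firefox or thunderbird is built from the SRPMs listed above. The package list is constructed sample input in name-version-release form, as printed by `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`.

```python
import re

FIXED_VERSION, FIXED_RELEASE = "17.0.6", "1"   # fixed builds listed in comment 14
PRODUCTS = ("firefox", "thunderbird")          # assumption: name prefix identifies the SRPM

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, RPM-style
    (simplified: no epoch, no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # 10 > 6, unlike a plain string compare
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # numeric segment is newer than alphabetic
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # leftover segments win

def split_nvr(nvr):
    """'firefox-fr-17.0.6-1.mga2' -> ('firefox-fr', '17.0.6', '1.mga2')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_fixed(nvr):
    """True if the package is at or above the fixed build for its release tag."""
    _, version, release = split_nvr(nvr)
    tag = release.rsplit(".", 1)[-1]           # 'mga2' or 'mga3'
    c = rpmvercmp(version, FIXED_VERSION)
    return c > 0 or (c == 0 and rpmvercmp(release, f"{FIXED_RELEASE}.{tag}") >= 0)

def outdated(installed):
    """Return the firefox/thunderbird packages that still predate the fix."""
    return [p for p in installed
            if split_nvr(p)[0].split("-")[0] in PRODUCTS and not is_fixed(p)]

# Constructed sample input (not taken from any real host)
SAMPLE = [
    "firefox-17.0.6-1.mga2",
    "firefox-fr-17.0.5-1.mga2",
    "thunderbird-17.0.5-2.mga3",
    "thunderbird-en_GB-17.0.6-1.mga3",
    "firefox-17.0.10-1.mga3",     # hypothetical later build: 10 > 6 numerically
    "nss-3.14.3-1.mga2",          # unrelated package, ignored
]

if __name__ == "__main__":
    for pkg in outdated(SAMPLE):
        print("needs update:", pkg)
```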
