Multiple security updates in Seamonkey 2.31 for use as iceape.

Status: NEW => ASSIGNED
CC: (none) => cjw
Assignee: bugsquad => cjw
Updated packages are ready for testing:

MGA4
Source RPM: iceape-2.31-1.mga4.src.rpm
Binary RPMS:
iceape-2.31-1.mga4.i586.rpm
iceape-2.31-1.mga4.x86_64.rpm

Proposed advisory:

Updated iceape packages fix security issues:

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (CVE-2014-1587, CVE-2014-1588)

A method was found to trigger chrome level XML Binding Language (XBL) bindings through web content. This was possible because some chrome accessible CSS stylesheets had their primary namespace improperly declared. When this occurred, it was possible to use these stylesheets to manipulate XBL bindings, allowing web content to bypass security restrictions. This issue was limited to a specific set of stylesheets. (CVE-2014-1589)

In Iceape (seamonkey) before version 2.31, passing a JavaScript object to XMLHttpRequest that mimics an input stream will result in a crash. This crash is not exploitable and can only be used for denial of service attacks. (CVE-2014-1590)

Content Security Policy (CSP) violation reports triggered by a redirect did not remove path information as required by the CSP specification in Iceape (seamonkey) 2.30. This potentially reveals information about the redirect that would not otherwise be known to the original site. This could be used by a malicious site to obtain sensitive information such as usernames or single-sign-on tokens encoded within the target URLs. (CVE-2014-1591)

In Iceape (seamonkey) before version 2.31, a use-after-free could be created by triggering the creation of a second root element while parsing HTML written to a document created with document.open(). This leads to a potentially exploitable crash. (CVE-2014-1592)

A buffer overflow during the parsing of media content was found using the Address Sanitizer tool. This leads to a potentially exploitable crash. (CVE-2014-1593)

A bad casting from the BasicThebesLayer to BasicContainerLayer resulted in undefined behavior. This behavior is potentially exploitable with some compilers but no clear mechanism to trigger it through web content was identified. (CVE-2014-1594)

When chrome objects are protected by Chrome Object Wrappers (COW) and are passed as native interfaces, if this is done with some methods, normally protected objects may be accessible to native methods exposed to web content. (CVE-2014-8631)

When XrayWrappers filter object properties and validation of the object initially occurs, one set of object properties will appear to be available. Later, when the XrayWrappers are removed, a more expansive set of properties is available. These are then stored without further validation, making these properties available and bypassing security protections that would normally protect them from access. (CVE-2014-8632)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8632
https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-84/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-86/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-91/
Assignee: cjw => qa-bugs
Component: RPM Packages => Security
Hardware: x86_64 => All

Created attachment 5686: iceape 2-30 gdb output
CC: (none) => olchal
Created attachment 5687: iceape 2-31 gdb output

Testing on Mageia4x64 real hardware

With current package :
--------------------
iceape-2.30-1.mga4.x86_64
Could launch iceape, but as soon as I clicked an item in a menu, I experienced a crash (segmentation fault). It seems related to:
https://bugs.mageia.org/show_bug.cgi?id=12978

With updated testing package :
----------------------------
iceape-2.31-3.mga4.x86_64
Could not even launch iceape; it crashed with a segmentation fault while checking add-ons compatibility.
Whiteboard: (none) => feedback
AFAICT such crashes are related to oxygen-gtk. I did not see such behavior with the Ia-Ora Orange theme. When I selected the oxygen-gtk theme iceape started crashing when selecting a menu.
Crash will be solved first, assigning back.
Assignee: qa-bugs => cjw
New packages should fix the crash with oxygen-gtk:

MGA4
Source RPM: iceape-2.31-3.mga4.src.rpm
Binary RPMS:
iceape-2.31-3.mga4.i586.rpm
iceape-2.31-3.mga4.x86_64.rpm

Updated advisory:

Updated iceape packages fix security issues and an incompatibility with the oxygen-gtk theme:

When the oxygen-gtk theme was active and iceape tried to draw a menu (for example after a mouse down event on the menu bar), a segmentation fault was triggered, causing iceape to crash. The oxygen-gtk theme engine contains a solution for this problem; this is now enabled for iceape. (MGA #12978)

Mozilla developers and community identified and fixed several memory safety bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort at least some of these could be exploited to run arbitrary code. (CVE-2014-1587, CVE-2014-1588)

A method was found to trigger chrome level XML Binding Language (XBL) bindings through web content. This was possible because some chrome accessible CSS stylesheets had their primary namespace improperly declared. When this occurred, it was possible to use these stylesheets to manipulate XBL bindings, allowing web content to bypass security restrictions. This issue was limited to a specific set of stylesheets. (CVE-2014-1589)

In Iceape (seamonkey) before version 2.31, passing a JavaScript object to XMLHttpRequest that mimics an input stream will result in a crash. This crash is not exploitable and can only be used for denial of service attacks. (CVE-2014-1590)

Content Security Policy (CSP) violation reports triggered by a redirect did not remove path information as required by the CSP specification in Iceape (seamonkey) 2.30. This potentially reveals information about the redirect that would not otherwise be known to the original site. This could be used by a malicious site to obtain sensitive information such as usernames or single-sign-on tokens encoded within the target URLs. (CVE-2014-1591)

In Iceape (seamonkey) before version 2.31, a use-after-free could be created by triggering the creation of a second root element while parsing HTML written to a document created with document.open(). This leads to a potentially exploitable crash. (CVE-2014-1592)

A buffer overflow during the parsing of media content was found using the Address Sanitizer tool. This leads to a potentially exploitable crash. (CVE-2014-1593)

A bad casting from the BasicThebesLayer to BasicContainerLayer resulted in undefined behavior. This behavior is potentially exploitable with some compilers but no clear mechanism to trigger it through web content was identified. (CVE-2014-1594)

When chrome objects are protected by Chrome Object Wrappers (COW) and are passed as native interfaces, if this is done with some methods, normally protected objects may be accessible to native methods exposed to web content. (CVE-2014-8631)

When XrayWrappers filter object properties and validation of the object initially occurs, one set of object properties will appear to be available. Later, when the XrayWrappers are removed, a more expansive set of properties is available. These are then stored without further validation, making these properties available and bypassing security protections that would normally protect them from access. (CVE-2014-8632)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1587
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1589
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1590
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1591
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1592
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1593
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1594
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8631
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8632
https://www.mozilla.org/en-US/security/advisories/mfsa2014-83/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-84/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-85/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-86/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-87/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-88/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-89/
https://www.mozilla.org/en-US/security/advisories/mfsa2014-91/
https://bugs.mageia.org/show_bug.cgi?id=12978

Assignee: cjw => qa-bugs
Whiteboard: feedback => (none)
Source RPM: (none) => iceape-2.31-3.mga4.src.rpm
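The CSP report path leak described under CVE-2014-1591 in the two advisories above, as an added JavaScript example that is not code from this bug, the advisory or Mozilla: a sketch of how a user agent builds the blocked-uri field of a violation report so that a redirect does not reveal the target's path or query. The sanitisation rules used (same-origin and not redirected: full URL without fragment; cross-origin or redirected: origin only) are my reading of the CSP specification, and the URLs and token value are constructed.

```javascript
// Added example, not from the Mageia bug or Mozilla: building the
// "blocked-uri" field of a CSP violation report without leaking the
// redirect target (the defect fixed for CVE-2014-1591).
// Assumed rules (my reading of the CSP spec):
//   - same-origin and not redirected -> full URL, fragment removed
//   - cross-origin, or any redirect   -> origin only

function blockedUriForReport(documentUrl, blockedUrl, wasRedirected) {
  const docOrigin = new URL(documentUrl).origin;
  const blocked = new URL(blockedUrl);
  if (wasRedirected || blocked.origin !== docOrigin) {
    // Strip path, query and fragment: the reporting site must not learn
    // where a redirect chain ended up (e.g. an SSO callback URL).
    return blocked.origin;
  }
  blocked.hash = ""; // same-origin: keep path/query, drop the fragment
  return blocked.href;
}

function buildViolationReport(documentUrl, blockedUrl, wasRedirected,
                              directive, policy) {
  return {
    "csp-report": {
      "document-uri": documentUrl,
      "violated-directive": directive,
      "original-policy": policy,
      "blocked-uri": blockedUriForReport(documentUrl, blockedUrl, wasRedirected),
    },
  };
}

// Constructed sample: an image request on the page was redirected to an
// SSO endpoint carrying a token in its path. The vulnerable behaviour
// would have put the whole URL, token included, into the report.
const sampleReport = buildViolationReport(
  "https://example.com/page",
  "https://sso.example.net/callback/TOKEN-PLACEHOLDER",
  true,
  "img-src",
  "img-src 'self'; report-uri /csp-report",
);

console.log(JSON.stringify(sampleReport, null, 2));
```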
Testing on Mageia 4x32 real hardware, KDE Desktop, Oxygen-gtk

One thing I wonder about, which I had already noticed but didn't bother to report: when using MCC to install iceape, only iceape 2.22-1 appears.

With current package :
--------------------
# urpmi iceape
brings: iceape-2.30-1.mga4
Verified that I still had the segmentation fault, which I had.

With updated testing package :
----------------------------
Installed iceape-2.31-3.mga4.i586 through MCC
$ iceape
Opens a window checking for Addons-compatibility and crashes.
Erreur de segmentation

Uninstalled iceape completely.
Reinstalled iceape-2.31-3.mga4.i586 from scratch (without a previous iceape 2.22-1 install)
$ iceape
Opens a window checking for Addons-compatibility and crashes.
Erreur de segmentation

Same unhappy outcome for me with this version.
Mageia4-64 on HP Probook 6555b.
Installed iceape-2.31-3.mga4 on a "virgin" machine. Theme used was Air.
Iceape opens OK and plays my favorite internet radio (after installing flash-plugin); also checked the addon manager.
Changed theme to oxygen in systemsettings, logged out and logged in again. No problem found with iceape.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: iceape

default install of iceape

[root@localhost wilcal]# urpmi iceape
Package iceape-2.25-1.mga4.i586 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
http://www.cnn.com/
https://vimeo.com/

All work just fine in iceape ( Navigator ).

install iceape from updates_testing

[root@localhost wilcal]# urpmi iceape
Package iceape-2.30-1.mga4.i586 is already installed

http://www.webstandards.org/files/acid2/test.html#top
http://acid3.acidtests.org/
http://www.cnn.com/
https://vimeo.com/

All work just fine in iceape ( Navigator ).

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: MGA4-64-OK => MGA4-32-OK MGA4-64-OK
This update works fine. Testing complete for mga4 32-bit & 64-bit.
Validating the update. Could someone from the sysadmin team push this to updates? Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
As this is still not running in either Mageia4x32 or Mageia4x64 (real hardware) for me, I dug more into this. I found that iceape shares a folder with firefox (which is installed on both Mageia). After removing /usr/lib(64)/mozilla, I could make iceape-2.31-3.mga4 work once it had built its own mozilla folder. Plugins installed in firefox are flash, icedtea-web, gnome shell integration, QuickTime, DivX Web Player, Windows Media Player Plug-in 10, VLC Multimedia. One of these plugins associated with icedtea must cause the segmentation fault which I experienced.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0518.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED