Bug 15920 - Firefox and Thunderbird 31.7
Summary: Firefox and Thunderbird 31.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/644248/
Whiteboard: mga4-32-ok mga4-64-ok advisory has_pr...
Keywords: validated_update
Depends on:
Blocks: 15756
Reported: 2015-05-13 01:16 CEST by David Walser
Modified: 2015-05-18 21:09 CEST

See Also:
Source RPM: firefox, thunderbird, rootcerts, nss, sqlite3
CVE:
Status comment:



Description David Walser 2015-05-13 01:16:44 CEST
Mozilla has issued advisories today (May 12):
https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/

Corresponding to these CVEs that affect ESR:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716

These were just posted here:
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/

Red Hat has issued an advisory for this today (May 12):
https://rhn.redhat.com/errata/RHSA-2015-0988.html

There will be rootcerts and nss updates to go along with this, as well as an update for sqlite3, fixing several security issues, as noted in Bug 15756.

Note that we already fixed CVE-2015-0797 in Bug 15713.

Updates committed in SVN.  Freeze push requested for Firefox in Cauldron.

Comment 1 David Walser 2015-05-13 01:25:13 CEST
I'll have to add in Red Hat's Thunderbird advisory to the References once it's available, but otherwise the advisory and package list should look like this once everything's available.

Advisory:
========================

Updated firefox, thunderbird, and sqlite3 packages fix security
vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox or Thunderbird to
crash or, potentially, execute arbitrary code with the privileges of the
user running it (CVE-2015-2708, CVE-2015-2710, CVE-2015-2713).

A heap-based buffer overflow flaw was found in the way Firefox and
Thunderbird processed compressed XML data. An attacker could create
specially crafted compressed XML content that, when processed by Firefox
or Thunderbird, could cause it to crash or execute arbitrary code with the
privileges of the user running it (CVE-2015-2716).

SQLite before 3.8.9 does not properly implement the dequoting of
collation-sequence names, which allows context-dependent attackers to
cause a denial of service (uninitialized memory access and application
crash) or possibly have unspecified other impact via a crafted COLLATE
clause, as demonstrated by COLLATE at the end of a SELECT statement
(CVE-2015-3414).

The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9
does not properly implement comparison operators, which allows
context-dependent attackers to cause a denial of service (invalid
free operation) or possibly have unspecified other impact via a
crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE
TABLE statement (CVE-2015-3415).

The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does
not properly handle precision and width values during floating-point
conversions, which allows context-dependent attackers to cause a
denial of service (integer overflow and stack-based buffer overflow)
or possibly have unspecified other impact via large integers in a
crafted printf function call in a SELECT statement (CVE-2015-3416).

The sqlite3 package has been updated to version 3.10.8, fixing the
CVE-2015-3414, CVE-2015-3415, and CVE-2015-3416 security issues, also
fixing heap overflow and other possible issues found by fuzzing, as well
as containing many other bug fixes and enhancements.

The nss package has been updated to version 3.19, containing multiple root
certificate updates, security enhancements, and other bug fixes.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2708
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2716
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3416
https://www.mozilla.org/en-US/security/advisories/mfsa2015-46/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-48/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-51/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-54/
https://sqlite.org/changes.html
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19_release_notes
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
http://www.mandriva.com/en/support/security/advisories/mbs2/MDVSA-2015%3A217/
http://openwall.com/lists/oss-security/2015/05/12/7
https://rhn.redhat.com/errata/RHSA-2015-0988.html
https://bugs.mageia.org/show_bug.cgi?id=15756
https://bugs.mageia.org/show_bug.cgi?id=15920
========================

Updated packages in core/updates_testing:
========================
sqlite3-tcl-3.8.10.1-1.mga4
sqlite3-tools-3.8.10.1-1.mga4
lemon-3.8.10.1-1.mga4
libsqlite3-devel-3.8.10.1-1.mga4
libsqlite3-static-devel-3.8.10.1-1.mga4
libsqlite3_0-3.8.10.1-1.mga4
rootcerts-20150420.00-1.mga4
rootcerts-java-20150420.00-1.mga4
nss-3.19.0-1.1.mga4
nss-doc-3.19.0-1.1.mga4
libnss3-3.19.0-1.1.mga4
libnss-devel-3.19.0-1.1.mga4
libnss-static-devel-3.19.0-1.1.mga4
firefox-31.7.0-1.mga4
firefox-devel-31.7.0-1.mga4
firefox-af-31.7.0-1.mga4
firefox-ar-31.7.0-1.mga4
firefox-as-31.7.0-1.mga4
firefox-ast-31.7.0-1.mga4
firefox-be-31.7.0-1.mga4
firefox-bg-31.7.0-1.mga4
firefox-bn_IN-31.7.0-1.mga4
firefox-bn_BD-31.7.0-1.mga4
firefox-br-31.7.0-1.mga4
firefox-bs-31.7.0-1.mga4
firefox-ca-31.7.0-1.mga4
firefox-cs-31.7.0-1.mga4
firefox-csb-31.7.0-1.mga4
firefox-cy-31.7.0-1.mga4
firefox-da-31.7.0-1.mga4
firefox-de-31.7.0-1.mga4
firefox-el-31.7.0-1.mga4
firefox-en_GB-31.7.0-1.mga4
firefox-en_ZA-31.7.0-1.mga4
firefox-eo-31.7.0-1.mga4
firefox-es_AR-31.7.0-1.mga4
firefox-es_CL-31.7.0-1.mga4
firefox-es_ES-31.7.0-1.mga4
firefox-es_MX-31.7.0-1.mga4
firefox-et-31.7.0-1.mga4
firefox-eu-31.7.0-1.mga4
firefox-fa-31.7.0-1.mga4
firefox-ff-31.7.0-1.mga4
firefox-fi-31.7.0-1.mga4
firefox-fr-31.7.0-1.mga4
firefox-fy-31.7.0-1.mga4
firefox-ga_IE-31.7.0-1.mga4
firefox-gd-31.7.0-1.mga4
firefox-gl-31.7.0-1.mga4
firefox-gu_IN-31.7.0-1.mga4
firefox-he-31.7.0-1.mga4
firefox-hi-31.7.0-1.mga4
firefox-hr-31.7.0-1.mga4
firefox-hu-31.7.0-1.mga4
firefox-hy-31.7.0-1.mga4
firefox-id-31.7.0-1.mga4
firefox-is-31.7.0-1.mga4
firefox-it-31.7.0-1.mga4
firefox-ja-31.7.0-1.mga4
firefox-kk-31.7.0-1.mga4
firefox-ko-31.7.0-1.mga4
firefox-km-31.7.0-1.mga4
firefox-kn-31.7.0-1.mga4
firefox-ku-31.7.0-1.mga4
firefox-lij-31.7.0-1.mga4
firefox-lt-31.7.0-1.mga4
firefox-lv-31.7.0-1.mga4
firefox-mai-31.7.0-1.mga4
firefox-mk-31.7.0-1.mga4
firefox-ml-31.7.0-1.mga4
firefox-mr-31.7.0-1.mga4
firefox-nb_NO-31.7.0-1.mga4
firefox-nl-31.7.0-1.mga4
firefox-nn_NO-31.7.0-1.mga4
firefox-or-31.7.0-1.mga4
firefox-pa_IN-31.7.0-1.mga4
firefox-pl-31.7.0-1.mga4
firefox-pt_BR-31.7.0-1.mga4
firefox-pt_PT-31.7.0-1.mga4
firefox-ro-31.7.0-1.mga4
firefox-ru-31.7.0-1.mga4
firefox-si-31.7.0-1.mga4
firefox-sk-31.7.0-1.mga4
firefox-sl-31.7.0-1.mga4
firefox-sq-31.7.0-1.mga4
firefox-sr-31.7.0-1.mga4
firefox-sv_SE-31.7.0-1.mga4
firefox-ta-31.7.0-1.mga4
firefox-te-31.7.0-1.mga4
firefox-th-31.7.0-1.mga4
firefox-tr-31.7.0-1.mga4
firefox-uk-31.7.0-1.mga4
firefox-vi-31.7.0-1.mga4
firefox-zh_CN-31.7.0-1.mga4
firefox-zh_TW-31.7.0-1.mga4
firefox-zu-31.7.0-1.mga4
thunderbird-31.7.0-1.mga4
thunderbird-enigmail-31.7.0-1.mga4
nsinstall-31.7.0-1.mga4
thunderbird-ar-31.7.0-1.mga4
thunderbird-ast-31.7.0-1.mga4
thunderbird-be-31.7.0-1.mga4
thunderbird-bg-31.7.0-1.mga4
thunderbird-bn_BD-31.7.0-1.mga4
thunderbird-br-31.7.0-1.mga4
thunderbird-ca-31.7.0-1.mga4
thunderbird-cs-31.7.0-1.mga4
thunderbird-da-31.7.0-1.mga4
thunderbird-de-31.7.0-1.mga4
thunderbird-el-31.7.0-1.mga4
thunderbird-en_GB-31.7.0-1.mga4
thunderbird-es_AR-31.7.0-1.mga4
thunderbird-es_ES-31.7.0-1.mga4
thunderbird-et-31.7.0-1.mga4
thunderbird-eu-31.7.0-1.mga4
thunderbird-fi-31.7.0-1.mga4
thunderbird-fr-31.7.0-1.mga4
thunderbird-fy-31.7.0-1.mga4
thunderbird-ga-31.7.0-1.mga4
thunderbird-gd-31.7.0-1.mga4
thunderbird-gl-31.7.0-1.mga4
thunderbird-he-31.7.0-1.mga4
thunderbird-hr-31.7.0-1.mga4
thunderbird-hu-31.7.0-1.mga4
thunderbird-hy-31.7.0-1.mga4
thunderbird-id-31.7.0-1.mga4
thunderbird-is-31.7.0-1.mga4
thunderbird-it-31.7.0-1.mga4
thunderbird-ja-31.7.0-1.mga4
thunderbird-ko-31.7.0-1.mga4
thunderbird-lt-31.7.0-1.mga4
thunderbird-nb_NO-31.7.0-1.mga4
thunderbird-nl-31.7.0-1.mga4
thunderbird-nn_NO-31.7.0-1.mga4
thunderbird-pl-31.7.0-1.mga4
thunderbird-pa_IN-31.7.0-1.mga4
thunderbird-pt_BR-31.7.0-1.mga4
thunderbird-pt_PT-31.7.0-1.mga4
thunderbird-ro-31.7.0-1.mga4
thunderbird-ru-31.7.0-1.mga4
thunderbird-si-31.7.0-1.mga4
thunderbird-sk-31.7.0-1.mga4
thunderbird-sl-31.7.0-1.mga4
thunderbird-sq-31.7.0-1.mga4
thunderbird-sv_SE-31.7.0-1.mga4
thunderbird-ta_LK-31.7.0-1.mga4
thunderbird-tr-31.7.0-1.mga4
thunderbird-uk-31.7.0-1.mga4
thunderbird-vi-31.7.0-1.mga4
thunderbird-zh_CN-31.7.0-1.mga4
thunderbird-zh_TW-31.7.0-1.mga4

from SRPMS:
sqlite3-3.8.10.1-1.mga4.src.rpm
rootcerts-20150420.00-1.mga4.src.rpm
nss-3.19.0-1.1.mga4.src.rpm
firefox-31.7.0-1.mga4.src.rpm
firefox-l10n-31.7.0-1.mga4.src.rpm
thunderbird-31.7.0-1.mga4.src.rpm
thunderbird-l10n-31.7.0-1.mga4.src.rpm
David Walser 2015-05-14 01:26:35 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644248/

Comment 2 David Walser 2015-05-15 18:25:01 CEST
All packages are uploaded.  Advisory and package list in Comment 1.

Assignee: bugsquad => qa-bugs

Comment 3 Bill Wilkinson 2015-05-15 21:46:09 CEST
Tested mga4-64.

Firefox:

General browsing, YouTube for Flash, SunSpider for JavaScript, javatester for Java, Acid3 all OK.

Thunderbird:

Send/receive/move/delete over SMTP/IMAP all OK.

CC: (none) => wrw105
Whiteboard: (none) => mga4-64-ok has_procedure

Comment 4 David Walser 2015-05-16 02:19:50 CEST
Both are working fine on Mageia 4 i586 also.

Whiteboard: mga4-64-ok has_procedure => mga4-32-ok mga4-64-ok has_procedure

Comment 5 Manuel Hiebel 2015-05-16 09:20:15 CEST
(On Cauldron, Thunderbird says it's the Daily branch; I guess it's the same on mga4.)
Comment 6 David Walser 2015-05-16 12:15:22 CEST
Yes, as I already mentioned on the dev ml, upstream failed to make the proper release tarballs available, so Fedora apparently had to use a nightly one and I copied it from them.  Help > About does say 31.7.0, so it'll have to do.  Hopefully next time upstream won't forget to release the source tarball!
Comment 7 Manuel Hiebel 2015-05-16 12:23:16 CEST
Well, I guess end users will be afraid/confused if they see this; it would be better to find the tarball.

Looks like Florian has a link.
Comment 8 David Walser 2015-05-16 12:33:07 CEST
So four days late they finally decided to post the tarball.  Anyway, you only see this screen when Thunderbird first starts, and only if you don't click on anything (and have it set to show the home screen when it starts).
Comment 9 David Walser 2015-05-16 12:46:04 CEST
(In reply to David Walser from comment #8)
> So four days late they finally decided to post the tarball.  Anyway, you
> only see this screen when Thunderbird first starts, and only if you don't
> click on anything (and have it set to show the home screen when it starts).

And then they still posted the wrong tarball.  The one in the usual location that's finally there now is the same tarball that we used.
David Walser 2015-05-17 18:24:39 CEST

Blocks: (none) => 15756

Comment 10 claire robinson 2015-05-18 15:04:55 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: mga4-32-ok mga4-64-ok has_procedure => mga4-32-ok mga4-64-ok advisory has_procedure
CC: (none) => sysadmin-bugs

Comment 11 David Walser 2015-05-18 18:17:32 CEST
Red Hat has issued an advisory for Thunderbird today (May 18):
https://rhn.redhat.com/errata/RHSA-2015-1012.html

I added it to the references in the advisory in SVN.
Comment 12 Mageia Robot 2015-05-18 21:09:11 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0234.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
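
Added example (not part of the original bug report): one way to confirm that a Mageia 4 host has picked up this update is to compare installed packages against the fixed versions in Comment 1's package list. The comparison is a simplified reimplementation of RPM's segment-wise version ordering that ignores epochs; the input format assumes `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'`, and the sample output is constructed.

```python
import re

# Fixed (version, release) per package, copied from the package list in Comment 1.
FIXED = {
    "libsqlite3_0": ("3.8.10.1", "1.mga4"),
    "rootcerts": ("20150420.00", "1.mga4"),
    "libnss3": ("3.19.0", "1.1.mga4"),
    "firefox": ("31.7.0", "1.mga4"),
    "thunderbird": ("31.7.0", "1.mga4"),
}

def rpmvercmp(a, b):
    """Segment-wise comparison in the style of RPM's rpmvercmp (no epoch, '~' or '^')."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x.isdigit():
            x, y = int(x), int(y)  # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win a tie

def outdated(query_output):
    """Return {name: 'version-release'} for installed packages older than FIXED."""
    stale = {}
    for line in query_output.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] not in FIXED:
            continue  # malformed line, or a package this advisory does not cover
        name, ver, rel = parts
        fixed_ver, fixed_rel = FIXED[name]
        # Version decides first; release only breaks a tie between equal versions.
        if (rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)) < 0:
            stale[name] = f"{ver}-{rel}"
    return stale

# Constructed sample of: rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE = """\
libsqlite3_0 3.8.6 1.mga4
rootcerts 20150420.00 1.mga4
libnss3 3.19.0 1.mga4
firefox 31.7.0 1.mga4
thunderbird 31.6.0 1.mga4
"""

if __name__ == "__main__":
    print(outdated(SAMPLE))
```

An empty result means every listed package is at or above the fixed build; the names are the i586 ones listed on this page.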

