Bug 16550 - firefox new security issue CVE-2015-4495
Summary: firefox new security issue CVE-2015-4495
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/653867/
Whiteboard: MGA4TOO advisory has_procedure mga4-3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-08-07 13:56 CEST by David Walser
Modified: 2015-08-08 21:34 CEST

See Also:
Source RPM: firefox
CVE:
Status comment:


Description David Walser 2015-08-07 13:56:45 CEST
Mozilla has issued an advisory on August 6:
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/

The issue is fixed in versions 38.1.1 and 39.0.3.

This issue is reportedly being exploited in the wild.

I'll assign this to Thierry for Cauldron, and I can take care of stable.

There's also a new rootcerts (checked into SVN) and it looks like nss 3.19.3 is supposed to be coming soon, so I'll take care of that when it lands.

David Walser 2015-08-07 13:56:53 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-08-07 14:21:34 CEST
Thierry, I've fixed the typo I made in the Cauldron firefox-l10n SPEC when I added the an language and checked in the update to 39.0.3 for that package in SVN.  Please be careful with how you check in new sources.  Do not use mgarepo sync -c, it makes a total mess out of SVN.  When you updated to 39.0 it made like 90 SVN commits instead of what should have been one.  Just use mgarepo sync -d to download the new source and then mgarepo ci to commit the updated SPEC and sha1.lst in one commit.  I also fixed the xpidir and put a comment in there to change it back when we switch back to ESR.
Comment 2 David Walser 2015-08-07 14:26:40 CEST
It looks like the NSS 3.19.3 update will just be about the rootcerts update, so I'm not sure why they haven't finalized it yet.  The release notes are here:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.3_release_notes
Comment 3 David Walser 2015-08-07 14:28:51 CEST
Updates are now checked into SVN for Mageia 4, Mageia 5, and Cauldron.

Will start pushing the stable release builds soon.
Comment 4 Thierry Vignaud 2015-08-07 14:48:34 CEST
ff-40 will be released in 4 days so we can as well wait for it for Cauldron
Comment 5 Thierry Vignaud 2015-08-07 14:49:17 CEST
Of course, if the patch is already ready in the cauldron branch, let's go
Comment 6 David Walser 2015-08-07 14:50:56 CEST
(In reply to Thierry Vignaud from comment #4)
> ff-40 will be released in 4 days so we can as well wait for it for Cauldron

Yeah, I thought the timing was a bit odd, since I thought I remembered that the next Mozilla releases would be out August 12th.  I guess you're saying the 11th, either way, 4 or 5 days away.  I guess it's a serious enough issue that they really wanted to get this out now, since it's being actively exploited.

(In reply to Thierry Vignaud from comment #5)
> Of course, if the patch is already ready in the cauldron branch, let's go

OK :o)
Comment 7 Thierry Vignaud 2015-08-07 15:14:16 CEST
(In reply to David Walser from comment #6)
No problem with that :-)

(In reply to David Walser from comment #1)
Yep, I could have searched for the origin of the bug, I just went the faster

> Do not use mgarepo sync -c, it makes a total mess out of SVN

Humm I never use "mgarepo sync -c" though...
Just "mgarepo sync"
What I do is:
as the handling of files that are updated but keep the same name doesn't work well with mgarepo sync, I:
1) wipe the SOURCES/sha1.lst content,
2) remove all the xpi,
3) download the new ones,
4) then run "mgarepo sync"
   really something like:
(echo "new release">log; mgarepo sync && svn ci -m "$(<log)" && mgarepo submit</dev/null)

About "mgarepo sync -d", I never looked at that one.
I guess I should use "mgarepo sync -d" & "mgarepo ci" (especially if Colin ever does the switch to git :-)
(echo "new release">log; mgarepo sync -d && mgarepo ci -F log && mgarepo submit</dev/null)
or:
(mgarepo sync -d && mgarepo ci -m "new release" && mgarepo submit</dev/null)
Comment 8 David Walser 2015-08-07 15:26:29 CEST
Which reminds me, please put the actual version number in the log instead of "new release" which makes it impossible to find things in SVN history.

But thanks for the clarification.  I'm actually confused though.  The process you outlined there won't commit each xpi file in a separate commit.  The process you outlined is actually perfectly fine.  If you look at "mgarepo log firefox-l10n" or here:
http://svnweb.mageia.org/packages/cauldron/firefox-l10n/current/SOURCES/sha1.lst?view=log

you see the large number of separate commits, silently uploading each xpi file one at a time.  The only thing I know of that does this is mgarepo sync -c, which looks *exactly* like that when it operates.

In fact, mgarepo sync -d by itself is fine for downloading and uploading source files when the name changes (usually because the version is in the name), but if the names don't change, as with the xpi files, you actually do need to clear them out of sha1.lst and delete them before you run mgarepo sync -d, just as you correctly stated.

So it should be almost as you described at first:
0) edit SPEC file to update the version
1) echo -n "" > SOURCES/sha1.lst
2) rm -f SOURCES/*.xpi
3) mgarepo sync -d
4) mgarepo ci -m 'new version 38.1.1'
Comment 9 David Walser 2015-08-07 16:23:36 CEST
Thierry, the build in Cauldron failed:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150807135859.luigiwalser.valstar.29013/log/firefox-39.0.3-1.mga6/build.0.20150807140003.log

It ends with:
+ /usr/lib/rpm/brp-python-hardlink
Processing files: firefox-39.0.3-1.mga6.i586
error: Empty %files file /home/iurt/rpmbuild/BUILD/mozilla-release/firefox.lang

which I think means that %find_lang %{name} didn't find anything (though I don't know that the build should fail because of that).  Maybe an RPM bug?
Comment 10 David Walser 2015-08-07 16:23:57 CEST
(In reply to David Walser from comment #9)
> Thierry, the build in Cauldron failed:
> http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/
> 20150807135859.luigiwalser.valstar.29013/log/firefox-39.0.3-1.mga6/build.0.
> 20150807140003.log
> 
> It ends with:
> + /usr/lib/rpm/brp-python-hardlink
> Processing files: firefox-39.0.3-1.mga6.i586
> error: Empty %files file
> /home/iurt/rpmbuild/BUILD/mozilla-release/firefox.lang
> 
> which I think means that %find_lang %{name} didn't find anything (though I
> don't know that the build should fail because of that).  Maybe an RPM bug?

Or maybe the %find_lang call isn't needed.
Comment 11 David Walser 2015-08-07 16:25:07 CEST
Updated packages uploaded for Mageia 4 and Mageia 5.  Cauldron fix pending.

Note that this is urgent because this issue is being exploited in the wild.

Also note that this fixes the missing Norwegian langpacks from the 38.1 update.

Advisory:
========================

Updated firefox packages fix security vulnerability:

Security researcher Cody Crews reported on a way to violate the same origin
policy and inject script into a non-privileged part of the built-in PDF Viewer
in Firefox. This would allow an attacker to read and steal sensitive local
files on the victim's computer (CVE-2015-4495).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4495
https://www.mozilla.org/en-US/security/advisories/mfsa2015-78/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
========================

Updated packages in core/updates_testing:
========================
firefox-38.1.1-1.mga4
firefox-devel-38.1.1-1.mga4
firefox-af-38.1.1-1.mga4
firefox-an-38.1.1-1.mga4
firefox-ar-38.1.1-1.mga4
firefox-as-38.1.1-1.mga4
firefox-ast-38.1.1-1.mga4
firefox-az-38.1.1-1.mga4
firefox-be-38.1.1-1.mga4
firefox-bg-38.1.1-1.mga4
firefox-bn_IN-38.1.1-1.mga4
firefox-bn_BD-38.1.1-1.mga4
firefox-br-38.1.1-1.mga4
firefox-bs-38.1.1-1.mga4
firefox-ca-38.1.1-1.mga4
firefox-cs-38.1.1-1.mga4
firefox-cy-38.1.1-1.mga4
firefox-da-38.1.1-1.mga4
firefox-de-38.1.1-1.mga4
firefox-el-38.1.1-1.mga4
firefox-en_GB-38.1.1-1.mga4
firefox-en_US-38.1.1-1.mga4
firefox-en_ZA-38.1.1-1.mga4
firefox-eo-38.1.1-1.mga4
firefox-es_AR-38.1.1-1.mga4
firefox-es_CL-38.1.1-1.mga4
firefox-es_ES-38.1.1-1.mga4
firefox-es_MX-38.1.1-1.mga4
firefox-et-38.1.1-1.mga4
firefox-eu-38.1.1-1.mga4
firefox-fa-38.1.1-1.mga4
firefox-ff-38.1.1-1.mga4
firefox-fi-38.1.1-1.mga4
firefox-fr-38.1.1-1.mga4
firefox-fy_NL-38.1.1-1.mga4
firefox-ga_IE-38.1.1-1.mga4
firefox-gd-38.1.1-1.mga4
firefox-gl-38.1.1-1.mga4
firefox-gu_IN-38.1.1-1.mga4
firefox-he-38.1.1-1.mga4
firefox-hi_IN-38.1.1-1.mga4
firefox-hr-38.1.1-1.mga4
firefox-hsb-38.1.1-1.mga4
firefox-hu-38.1.1-1.mga4
firefox-hy_AM-38.1.1-1.mga4
firefox-id-38.1.1-1.mga4
firefox-is-38.1.1-1.mga4
firefox-it-38.1.1-1.mga4
firefox-ja-38.1.1-1.mga4
firefox-kk-38.1.1-1.mga4
firefox-km-38.1.1-1.mga4
firefox-kn-38.1.1-1.mga4
firefox-ko-38.1.1-1.mga4
firefox-lij-38.1.1-1.mga4
firefox-lt-38.1.1-1.mga4
firefox-lv-38.1.1-1.mga4
firefox-mai-38.1.1-1.mga4
firefox-mk-38.1.1-1.mga4
firefox-ml-38.1.1-1.mga4
firefox-mr-38.1.1-1.mga4
firefox-ms-38.1.1-1.mga4
firefox-nb_NO-38.1.1-1.mga4
firefox-nl-38.1.1-1.mga4
firefox-nn_NO-38.1.1-1.mga4
firefox-or-38.1.1-1.mga4
firefox-pa_IN-38.1.1-1.mga4
firefox-pl-38.1.1-1.mga4
firefox-pt_BR-38.1.1-1.mga4
firefox-pt_PT-38.1.1-1.mga4
firefox-ro-38.1.1-1.mga4
firefox-ru-38.1.1-1.mga4
firefox-si-38.1.1-1.mga4
firefox-sk-38.1.1-1.mga4
firefox-sl-38.1.1-1.mga4
firefox-sq-38.1.1-1.mga4
firefox-sr-38.1.1-1.mga4
firefox-sv_SE-38.1.1-1.mga4
firefox-ta-38.1.1-1.mga4
firefox-te-38.1.1-1.mga4
firefox-th-38.1.1-1.mga4
firefox-tr-38.1.1-1.mga4
firefox-uk-38.1.1-1.mga4
firefox-uz-38.1.1-1.mga4
firefox-vi-38.1.1-1.mga4
firefox-xh-38.1.1-1.mga4
firefox-zh_CN-38.1.1-1.mga4
firefox-zh_TW-38.1.1-1.mga4
firefox-38.1.1-1.mga5
firefox-devel-38.1.1-1.mga5
firefox-af-38.1.1-1.mga5
firefox-an-38.1.1-1.mga5
firefox-ar-38.1.1-1.mga5
firefox-as-38.1.1-1.mga5
firefox-ast-38.1.1-1.mga5
firefox-az-38.1.1-1.mga5
firefox-be-38.1.1-1.mga5
firefox-bg-38.1.1-1.mga5
firefox-bn_IN-38.1.1-1.mga5
firefox-bn_BD-38.1.1-1.mga5
firefox-br-38.1.1-1.mga5
firefox-bs-38.1.1-1.mga5
firefox-ca-38.1.1-1.mga5
firefox-cs-38.1.1-1.mga5
firefox-cy-38.1.1-1.mga5
firefox-da-38.1.1-1.mga5
firefox-de-38.1.1-1.mga5
firefox-el-38.1.1-1.mga5
firefox-en_GB-38.1.1-1.mga5
firefox-en_US-38.1.1-1.mga5
firefox-en_ZA-38.1.1-1.mga5
firefox-eo-38.1.1-1.mga5
firefox-es_AR-38.1.1-1.mga5
firefox-es_CL-38.1.1-1.mga5
firefox-es_ES-38.1.1-1.mga5
firefox-es_MX-38.1.1-1.mga5
firefox-et-38.1.1-1.mga5
firefox-eu-38.1.1-1.mga5
firefox-fa-38.1.1-1.mga5
firefox-ff-38.1.1-1.mga5
firefox-fi-38.1.1-1.mga5
firefox-fr-38.1.1-1.mga5
firefox-fy_NL-38.1.1-1.mga5
firefox-ga_IE-38.1.1-1.mga5
firefox-gd-38.1.1-1.mga5
firefox-gl-38.1.1-1.mga5
firefox-gu_IN-38.1.1-1.mga5
firefox-he-38.1.1-1.mga5
firefox-hi_IN-38.1.1-1.mga5
firefox-hr-38.1.1-1.mga5
firefox-hsb-38.1.1-1.mga5
firefox-hu-38.1.1-1.mga5
firefox-hy_AM-38.1.1-1.mga5
firefox-id-38.1.1-1.mga5
firefox-is-38.1.1-1.mga5
firefox-it-38.1.1-1.mga5
firefox-ja-38.1.1-1.mga5
firefox-kk-38.1.1-1.mga5
firefox-km-38.1.1-1.mga5
firefox-kn-38.1.1-1.mga5
firefox-ko-38.1.1-1.mga5
firefox-lij-38.1.1-1.mga5
firefox-lt-38.1.1-1.mga5
firefox-lv-38.1.1-1.mga5
firefox-mai-38.1.1-1.mga5
firefox-mk-38.1.1-1.mga5
firefox-ml-38.1.1-1.mga5
firefox-mr-38.1.1-1.mga5
firefox-ms-38.1.1-1.mga5
firefox-nb_NO-38.1.1-1.mga5
firefox-nl-38.1.1-1.mga5
firefox-nn_NO-38.1.1-1.mga5
firefox-or-38.1.1-1.mga5
firefox-pa_IN-38.1.1-1.mga5
firefox-pl-38.1.1-1.mga5
firefox-pt_BR-38.1.1-1.mga5
firefox-pt_PT-38.1.1-1.mga5
firefox-ro-38.1.1-1.mga5
firefox-ru-38.1.1-1.mga5
firefox-si-38.1.1-1.mga5
firefox-sk-38.1.1-1.mga5
firefox-sl-38.1.1-1.mga5
firefox-sq-38.1.1-1.mga5
firefox-sr-38.1.1-1.mga5
firefox-sv_SE-38.1.1-1.mga5
firefox-ta-38.1.1-1.mga5
firefox-te-38.1.1-1.mga5
firefox-th-38.1.1-1.mga5
firefox-tr-38.1.1-1.mga5
firefox-uk-38.1.1-1.mga5
firefox-uz-38.1.1-1.mga5
firefox-vi-38.1.1-1.mga5
firefox-xh-38.1.1-1.mga5
firefox-zh_CN-38.1.1-1.mga5
firefox-zh_TW-38.1.1-1.mga5

from SRPMS:
firefox-38.1.1-1.mga4.src.rpm
firefox-l10n-38.1.1-1.mga4.src.rpm
firefox-38.1.1-1.mga5.src.rpm
firefox-l10n-38.1.1-1.mga5.src.rpm

CC: (none) => thierry.vignaud
Version: Cauldron => 5
Assignee: thierry.vignaud => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO
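
Added example, not part of the original report or of Mageia's tooling: a shell check that decides whether a Firefox package name-version-release string carries the CVE-2015-4495 fix, using the fixed versions 38.1.1 and 39.0.3 stated in the description. The function names, the branch rule (38.x judged against 38.1.1, everything else against 39.0.3) and the sample strings marked constructed are assumptions.

```shell
#!/bin/sh
# Added example: does a Firefox package carry the CVE-2015-4495 fix?
# Fixed versions are the two stated in this report: 38.1.1 and 39.0.3.
# Assumption: 38.x is judged against 38.1.1, every other branch against 39.0.3.

# ver_field VERSION N: print the Nth dotted field, or 0 when it is absent.
ver_field() {
    f=$(printf '%s..\n' "$1" | cut -d. -f"$2")
    printf '%s' "${f:-0}"
}

# ver_ge A B: succeed when dotted version A >= B (first three fields, numeric).
ver_ge() {
    for i in 1 2 3; do
        x=$(ver_field "$1" "$i"); y=$(ver_field "$2" "$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# has_fix NVR: 0 = fix present, 1 = fix missing, 2 = version not parseable.
# NVR is name-version-release, e.g. the output of `rpm -q firefox`.
has_fix() {
    nv=${1%-*}      # drop the release: firefox-38.1.1-1.mga5 -> firefox-38.1.1
    v=${nv##*-}     # keep the version: 38.1.1
    case $v in ''|*[!0-9.]*) return 2 ;; esac
    if [ "$(ver_field "$v" 1)" -eq 38 ]; then
        ver_ge "$v" 38.1.1
    else
        ver_ge "$v" 39.0.3
    fi
}

# Sample input: the names at 38.1.1 and 39.0.3 appear in this report;
# the 38.1.0 and 39.0 entries are constructed for contrast.
for p in firefox-38.1.0-1.mga5 firefox-38.1.1-1.mga5 \
         firefox-39.0-1.mga6 firefox-39.0.3-1.mga6; do
    rc=0; has_fix "$p" || rc=$?
    case $rc in
        0) echo "$p: fix present" ;;
        1) echo "$p: fix MISSING, update" ;;
        *) echo "$p: cannot parse version" ;;
    esac
done
```

On an installed system, `has_fix "$(rpm -q firefox)"` applies the same check; a trailing architecture suffix on the release field does not affect the parse.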

Comment 12 David Walser 2015-08-07 16:49:01 CEST
Thierry, the qemu build in Cauldron also failed for the same reason:
http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150807142538.luigiwalser.valstar.13521/log/qemu-2.1.3-4.mga6/build.0.20150807142603.log

Processing files: qemu-2.1.3-4.mga6.x86_64
error: Empty %files file /home/iurt/rpmbuild/BUILD/qemu-2.1.3/qemu.lang

There's definitely an issue with RPM or find_lang in Cauldron.
Comment 13 Stuart Morgan 2015-08-07 17:29:33 CEST
Tested and working fine.

Missing firefox-en_GB-38.1.1-1.mga5 from the mirror I used, assuming that's related to the aforementioned find_lang issue

CC: (none) => smorgan

Comment 14 claire robinson 2015-08-07 17:42:33 CEST
Advisory uploaded.

Will test mga4 32 when they land on my mirror.

Whiteboard: MGA4TOO => MGA4TOO advisory

Comment 15 claire robinson 2015-08-07 17:44:45 CEST
en_GB present mga4
Comment 16 Stuart Morgan 2015-08-07 17:53:36 CEST
en_GB is not available on this mirror for mga5
Comment 17 claire robinson 2015-08-07 17:57:26 CEST
Tested pdf viewer with a testcase from one of the references on mozilla's announcement. Doesn't test the vulnerability AFAICT but the builtin pdf viewer.

https://bug1179262.bmoattachments.org/attachment.cgi?id=8628302

Tested flash at dailymotion, html5 at youtube, spellcheck here, javascript at sunspider http://www.webkit.org/perf/sunspider/sunspider.html

All else appears normal.
claire robinson 2015-08-07 17:57:44 CEST

Whiteboard: MGA4TOO advisory => MGA4TOO advisory has_procedure mga4-32-ok

Comment 18 Stuart Morgan 2015-08-07 18:09:48 CEST
Sorry, typo in previous comment. en_GB is NOW present on the mirror (mga5).
Comment 19 David Walser 2015-08-07 19:29:11 CEST
Everything's working fine on Mageia 4 and Mageia 5 i586.

Whiteboard: MGA4TOO advisory has_procedure mga4-32-ok => MGA4TOO advisory has_procedure mga4-32-ok mga5-32-ok

Dave Hodgins 2015-08-07 20:08:27 CEST

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 20 Mageia Robot 2015-08-07 21:21:09 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0305.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-08-07 21:35:24 CEST

URL: (none) => http://lwn.net/Vulnerabilities/653867/

Comment 21 Lewis Smith 2015-08-08 21:34:53 CEST
Testing Mageia 5 x64

Although the update had already been pushed, I tried the useful links from Claire's Comment 17. In fact the second one:
 http://www.webkit.org/perf/sunspider/sunspider.html
recommends instead:
 http://browserbench.org/JetStream/
BTAIM I ran both, also the first PDF 3 x view URL, and looked at the BBC site.
Seems OK.

CC: (none) => lewyssmith
Whiteboard: MGA4TOO advisory has_procedure mga4-32-ok mga5-32-ok => MGA4TOO advisory has_procedure mga4-32-ok mga5-32-ok MGA4-64-OK

