Bug 16842 - Iceape multiple security fixes in Seamonkey 2.38
Summary: Iceape multiple security fixes in Seamonkey 2.38
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: has_procedure mga5-64-ok advisory
Keywords: validated_update
Depends on:
Blocks: 16814
 
Reported: 2015-09-27 19:58 CEST by Bill Wilkinson
Modified: 2015-10-27 13:48 CET

See Also:
Source RPM: iceape
CVE:
Status comment:


Attachments

Description Bill Wilkinson 2015-09-27 19:58:42 CEST
The Seamonkey team has released v. 2.38 with multiple security fixes.

Reproducible: 

Steps to Reproduce:
Christiaan Welvaart 2015-10-04 15:04:53 CEST

Status: NEW => ASSIGNED
CC: (none) => cjw
Assignee: bugsquad => cjw

Comment 1 Christiaan Welvaart 2015-10-04 15:11:14 CEST
iceape 2.38 in cauldron crashes sometimes, or at least it exits suddenly but there is nothing in syslog and so far I have not found anything in a terminal either (I usually start it from the applications menu). It happened with the 2.38 beta release so I hoped it was fixed in the final release but iceape disappeared again after I updated this bug report. I don't know what triggers it so no idea how to proceed.
Comment 2 Bill Wilkinson 2015-10-07 00:49:16 CEST
Have you tried the usual mozilla disable extensions? The only outstanding freeze bug I'm seeing in their bugzilla is with flash, so maybe start there? And will you be enabling the built-in calendar this time? Thanks!

CC: (none) => wrw105

Comment 3 Christiaan Welvaart 2015-10-11 16:03:42 CEST
I don't use flash, and the only extension I have installed just adds some menu so should not interfere with page rendering.

It looks like I found a page that reliably crashes iceape on cauldron:
  http://www.howtogeek.com/200897/how-to-use-miracast-screen-mirroring-from-windows-or-android/

This happens in a new user account without any additional extensions installed. The crash is in the "Storage I/O" thread. Maybe it has something to do with sqlite, I don't know much about mozilla code.

The same page does not crash iceape 2.38 on mga5. I had already uploaded packages to mga5 updates_testing so maybe I should just continue the update.
Comment 4 David Walser 2015-10-14 23:11:31 CEST
As long as the sqlite3 update doesn't cause problems with Firefox, you can go ahead with this.  The iceape issues will hopefully get sorted out in Cauldron before Mageia 6 is released.
Comment 5 Christiaan Welvaart 2015-10-23 06:01:07 CEST
Packages are ready for testing.

MGA5
SRPMS:
sqlite3-3.8.10.2-1.1.mga5.src.rpm
iceape-2.38-1.mga5.src.rpm

RPMS:
iceape-2.38-1.mga5.i586.rpm
lemon-3.8.10.2-1.1.mga5.i586.rpm
libsqlite3_0-3.8.10.2-1.1.mga5.i586.rpm
libsqlite3-devel-3.8.10.2-1.1.mga5.i586.rpm
libsqlite3-static-devel-3.8.10.2-1.1.mga5.i586.rpm
sqlite3-tcl-3.8.10.2-1.1.mga5.i586.rpm
sqlite3-tools-3.8.10.2-1.1.mga5.i586.rpm
iceape-2.38-1.mga5.x86_64.rpm
lemon-3.8.10.2-1.1.mga5.x86_64.rpm
lib64sqlite3_0-3.8.10.2-1.1.mga5.x86_64.rpm
lib64sqlite3-devel-3.8.10.2-1.1.mga5.x86_64.rpm
lib64sqlite3-static-devel-3.8.10.2-1.1.mga5.x86_64.rpm
sqlite3-tcl-3.8.10.2-1.1.mga5.x86_64.rpm
sqlite3-tools-3.8.10.2-1.1.mga5.x86_64.rpm

Proposed advisory:

Updated iceape packages fix security issues. The sqlite3 package has been updated as well since the new iceape version requires the SQLITE_ENABLE_DBSTAT_VTAB feature to be enabled in sqlite. This sqlite3 update also enables ICU support, fixing bug #16814.

Use-after-free vulnerability in the MediaStream playback feature in Mozilla Firefox before 40.0 allows remote attackers to execute arbitrary code via unspecified use of the Web Audio API. (CVE-2015-4477)

Mozilla Firefox before 40.0 allows man-in-the-middle attackers to bypass a mixed-content protection mechanism via a feed: URL in a POST request. (CVE-2015-4483)

The nsCSPHostSrc::permits function in dom/security/nsCSPUtils.cpp in Mozilla Firefox before 40.0 does not implement the Content Security Policy Level 2 exceptions for the blob, data, and filesystem URL schemes during wildcard source-expression matching, which might make it easier for remote attackers to conduct cross-site scripting (XSS) attacks by leveraging unexpected policy-enforcement behavior. (CVE-2015-4490)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2015-4500)

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 41.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2015-4501)

The lut_inverse_interp16 function in the QCMS library in Mozilla Firefox before 41.0 allows remote attackers to obtain sensitive information or cause a denial of service (buffer over-read and application crash) via crafted attributes in the ICC 4 profile of an image. (CVE-2015-4504)

The SavedStacks class in the JavaScript implementation in Mozilla Firefox before 41.0, when the Debugger API is enabled, allows remote attackers to cause a denial of service (getSlotRef assertion failure and application exit) or possibly execute arbitrary code via a crafted web site. (CVE-2015-4507)

Mozilla Firefox before 41.0, when reader mode is enabled, allows remote attackers to spoof the relationship between address-bar URLs and web content via a crafted web site. (CVE-2015-4508)

Race condition in the WorkerPrivate::NotifyFeatures function in Mozilla Firefox before 41.0 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) by leveraging improper interaction between shared workers and the IndexedDB implementation. (CVE-2015-4510)

Heap-based buffer overflow in the nestegg_track_codec_data function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via a crafted header in a WebM video. (CVE-2015-4511)

Use-after-free vulnerability in the HTMLVideoElement interface in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allows remote attackers to execute arbitrary code via crafted JavaScript code that modifies the URI table of a media element, aka ZDI-CAN-3176. (CVE-2015-4509)

gfx/2d/DataSurfaceHelpers.cpp in Mozilla Firefox before 41.0 on Linux improperly attempts to use the Cairo library with 32-bit color-depth surface creation followed by 16-bit color-depth surface display, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) by using a CANVAS element to trigger 2D rendering. (CVE-2015-4512)

js/src/proxy/Proxy.cpp in Mozilla Firefox before 41.0 mishandles certain receiver arguments, which allows remote attackers to bypass intended window access restrictions via a crafted web site. (CVE-2015-4502)

Mozilla Firefox before 41.0 allows remote attackers to bypass certain ECMAScript 5 (aka ES5) API protection mechanisms and modify immutable properties, and consequently execute arbitrary JavaScript code with chrome privileges, via a crafted web page that does not use ES5 APIs. (CVE-2015-4516)

Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow user-assisted remote attackers to bypass intended access restrictions and discover a redirect's target URL via crafted JavaScript code that executes after a drag-and-drop action of an image into a TEXTBOX element. (CVE-2015-4519)

Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 allow remote attackers to bypass CORS preflight protection mechanisms by leveraging (1) duplicate cache-key generation or (2) retrieval of a value from an incorrect HTTP Access-Control-* response header. (CVE-2015-4520)

NetworkUtils.cpp in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-4517)

The ConvertDialogOptions function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-4521)

The nsUnicodeToUTF8::GetMaxLength function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." (CVE-2015-4522)

The nsAttrAndChildArray::GrowBy function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." (CVE-2015-7174)

The XULContentSinkImpl::AddText function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors, related to an "overflow." (CVE-2015-7175)

The AnimationThread function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 uses an incorrect argument to the sscanf function, which might allow remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-7176)

The InitTextures function in Mozilla Firefox before 41.0 and Firefox ESR 38.x before 38.3 might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. (CVE-2015-7177)

References:
https://bugs.mageia.org/show_bug.cgi?id=16814
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4477
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4490
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4501
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4502
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4509
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4510
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7177
https://www.mozilla.org/en-US/security/advisories/mfsa2015-81/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-86/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-91/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-96/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-98/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-102/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-103/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-104/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-105/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-106/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-107/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-108/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-109/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-110/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-111/
https://www.mozilla.org/en-US/security/advisories/mfsa2015-112/

Assignee: cjw => qa-bugs
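
A check a tester could run to confirm that the installed sqlite3 build carries the two features the proposed advisory names (added example, not part of the original bug report or the Mageia packaging). It assumes Python's `sqlite3` module is linked against the system libsqlite3 under test; the function names and the two sample option lists are constructed for illustration.

```python
import sqlite3

# Features named in the advisory: DBSTAT_VTAB is what iceape 2.38 requires,
# ICU is the fix for bug #16814. PRAGMA compile_options reports option names
# without the "SQLITE_" prefix.
REQUIRED = ("ENABLE_DBSTAT_VTAB", "ENABLE_ICU")


def missing_features(compile_options, required=REQUIRED):
    """Return the required options that are absent from a compile_options list."""
    present = set()
    for opt in compile_options:
        name = opt.split("=", 1)[0].strip().upper()  # drop "=value" suffixes
        if name.startswith("SQLITE_"):               # accept either spelling
            name = name[len("SQLITE_"):]
        present.add(name)
    return [name for name in required if name not in present]


def live_compile_options(conn):
    """Options the loaded SQLite library was actually built with."""
    return [row[0] for row in conn.execute("PRAGMA compile_options")]


def dbstat_usable(conn):
    """Probe the dbstat virtual table itself; False if the query raises."""
    try:
        conn.execute("SELECT count(*) FROM dbstat").fetchone()
        return True
    except sqlite3.Error:
        return False


def check_library():
    """Summarise the state of the SQLite library this interpreter loaded."""
    conn = sqlite3.connect(":memory:")
    try:
        return {
            "version": sqlite3.sqlite_version,
            "missing": missing_features(live_compile_options(conn)),
            "dbstat_usable": dbstat_usable(conn),
        }
    finally:
        conn.close()


# Constructed sample option lists (not captured from a real Mageia build).
SAMPLE_WITHOUT = ["ENABLE_FTS3", "THREADSAFE=1"]
SAMPLE_WITH = ["ENABLE_DBSTAT_VTAB", "SQLITE_ENABLE_ICU", "THREADSAFE=1"]

if __name__ == "__main__":
    print(check_library())
```

An empty `missing` list together with `dbstat_usable: True` indicates the loaded library has both features; a non-empty list names what the build lacks.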

David Walser 2015-10-23 16:37:37 CEST

Source RPM: (none) => iceape

Comment 6 Bill Wilkinson 2015-10-23 21:35:36 CEST
Tested mga5-64

Browser:
General browsing, java plugin, jetstream for javascript, flash video playback in vimeo, acid3, all ok

Mail:
Send/receive/move/delete over SMTP/IMAP OK

Chat: 

Connected to #mageia-qa

All OK.

Whiteboard: (none) => has_procedure mga5-64-ok

Dave Hodgins 2015-10-26 00:27:24 CET

Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-64-ok advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Mageia Robot 2015-10-27 10:07:41 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0414.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-10-27 13:48:27 CET

Blocks: (none) => 16814

