Bug 3335 - multiple security issues in mozilla nss, firefox & rootcerts: CVE-2011-3640, CVE-2011-3648, CVE-2011-3650, CVE-2011-3651, CVE-2011-3652, CVE-2011-3654, CVE-2011-3655, rootcerts
Summary: multiple security issues in mozilla nss, firefox & rootcerts: CVE-2011-3640, ...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on: 3308
Blocks:
Reported: 2011-11-13 21:37 CET by Florian Hubold
Modified: 2011-11-25 23:06 CET (History)

See Also:
Source RPM: firefox
CVE:
Status comment:


Description Florian Hubold 2011-11-13 21:37:08 CET
+++ This bug was initially created as a clone of Bug #3308 +++

Description of problem:

CVE-2011-3640

Untrusted search path vulnerability in Mozilla Network Security
Services (NSS) might allow local users to gain privileges via a Trojan
horse pkcs11.txt file in a top-level directory.

CVE-2011-3648

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0
through 7.0 allows remote attackers to inject arbitrary web script
or HTML via crafted text with Shift JIS encoding.

CVE-2011-3650

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird
before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript
files that contain many functions, which allows user-assisted
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
crafted file that is accessed by debugging APIs, as demonstrated by
Firebug.

CVE-2011-3651

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to
cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors.

CVE-2011-3652

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors.

CVE-2011-3654

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.

CVE-2011-3655

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site.

------------------------------------------------------------------------------

http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/
http://www.entrust.net/advisories/malaysia.htm

22 weak 512-bit certificates were issued by the DigiCert Sdn. Bhd
certificate authority; because of this, trust in DigiCert Sdn. Bhd has been revoked in the root CA store.
DigiCert Sdn. Bhd is a Malaysian subordinate CA under Entrust and Verizon
(GTE CyberTrust). It bears no affiliation whatsoever with the
US-based corporation DigiCert, Inc., which is a member of Mozilla's
root program.


This bug was opened for validation of the coming Firefox, NSS and rootcerts update for Mageia 1.
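CVE-2011-3640 above is an untrusted-search-path bug: NSS picked up a pkcs11.txt module database from a location an attacker could populate. The check below is an added example, not NSS or Mageia code, of what a caller that hands NSS a configuration directory can verify first: the path is absolute, and neither the directory nor the file is writable by other users or a symlink pointing elsewhere. The candidate directories and the pkcs11.txt content in the demo are constructed for the example.

```python
"""Defensive check for the untrusted-search-path class of bug behind
CVE-2011-3640.  Added example, not NSS code: NSS itself does not perform
these checks, and the directories checked are the caller's choice."""
import os
import stat
import tempfile


def pkcs11_txt_problems(directory, filename="pkcs11.txt"):
    """Return reasons not to trust directory/filename; an empty list means OK."""
    problems = []
    if not os.path.isabs(directory):
        # A relative directory resolves against the cwd, which is exactly the
        # "look in whatever directory we happen to be in" mistake.
        problems.append("relative config directory: %r" % directory)
        return problems
    me = os.geteuid()
    path = os.path.join(directory, filename)
    try:
        dst = os.lstat(directory)
        fst = os.lstat(path)          # lstat: do not follow a planted symlink
    except FileNotFoundError as e:
        return ["missing: %s" % e.filename]
    if dst.st_uid not in (me, 0):
        problems.append("directory owned by uid %d" % dst.st_uid)
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("directory is group- or world-writable")
    if stat.S_ISLNK(fst.st_mode):
        problems.append("%s is a symlink" % filename)
    elif not stat.S_ISREG(fst.st_mode):
        problems.append("%s is not a regular file" % filename)
    if fst.st_uid not in (me, 0):
        problems.append("%s owned by uid %d" % (filename, fst.st_uid))
    if fst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is group- or world-writable" % filename)
    return problems


def demo():
    """Build one trustworthy and one attacker-friendly layout in a temp dir
    (constructed data) and return the findings for each."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        for d in (good, bad):
            os.mkdir(d, 0o700)
            cfg = os.path.join(d, "pkcs11.txt")
            with open(cfg, "w") as f:
                # illustrative module-database content, not a real NSS file
                f.write("library=\nname=NSS Internal PKCS #11 Module\n")
            os.chmod(cfg, 0o644)
        os.chmod(bad, 0o777)                               # anyone can drop files
        os.chmod(os.path.join(bad, "pkcs11.txt"), 0o666)   # anyone can edit it
        return pkcs11_txt_problems(good), pkcs11_txt_problems(bad)


if __name__ == "__main__":
    ok, flagged = demo()
    print("good:", ok or "trusted")
    print("bad: ", flagged)
```

Run it as-is for the demo, or call pkcs11_txt_problems() on the real NSS database directory of a profile before passing that directory to NSS.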
Florian Hubold 2011-11-13 21:38:11 CET

Keywords: validated_update => (none)
Status: NEW => ASSIGNED
CC: pham182b, sysadmin-bugs, tmb => (none)
Assignee: bugsquad => dmorganec

Manuel Hiebel 2011-11-13 22:35:43 CET

Source RPM: (none) => firefox

Comment 1 Dave Hodgins 2011-11-16 20:54:13 CET
If this is ready for qa testing, i586 testing complete for the srpm packages
firefox-l10n-8.0.1-0.1.mga1.src.rpm
firefox-8.0.1-0.3.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm

Usual browser tests (java/flash etc.), plus confirming
https://utmshare.utm.my now shows an invalid signature
on the certificate.

For the esteid extension, just confirming the Estonian
Card PKCS11 extension is not disabled.
Comment 2 Florian Hubold 2011-11-16 20:57:10 CET
No, it's not ready, needs to be resubmitted with a fix to not automatically disable our language packs (and maybe other systemwide installed addons).
Comment 3 Dave Hodgins 2011-11-16 21:02:46 CET
Ok.  I'll retest when it is ready.  Thanks for the update.
Comment 4 Florian Hubold 2011-11-20 13:50:11 CET
For reference, Dave, are you using any language pack? When upgrading from 7.0.1 to 8/8.0.1, did you get a dialog about the addons before the next start of firefox?
Comment 5 Florian Hubold 2011-11-20 17:54:13 CET
/note to self:

For reproduction purposes of the auto-disabling of addons after upgrade to firefox 8, this is how to safely trigger that event, if it were not fixed properly:

1. If some firefox 8 version is already installed, remove it (f.ex. via
urpme -a firefox)

2. urpmi firefox-xx-7.0.1 --auto --noclean (replace xx by your language code, e.g. "de" for the German language pack)

3. run firefox, check by entering "about:config" in the address bar for the existence of these preferences:
"extensions.autoDisableScopes"
"extensions.shownSelectionUI"
they should not be there with firefox < 8. If they are, please report this here.
QUIT firefox!

4. install latest firefox update candidate and language pack:
urpmi firefox-xx-8.0.1 --auto --noclean (replace xx by your language code, e.g. "de" for the German language pack)

5. run firefox, check there is no "disabling addon selection dialog" before the firefox main window opens (this does not mean the default "checking for updates for addons" dialog which you see for every firefox update) and check that no addons have been disabled, especially not the language packs.
You should now have the above-mentioned preferences with the proper values; check via "about:config":
"extensions.autoDisableScopes, 0"
"extensions.shownSelectionUI, true"
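Steps 3 and 5 of the procedure above can be checked without opening about:config: the two preferences end up as `user_pref(...)` lines in the profile's prefs.js, and a packaged default would appear as `pref(...)` lines in a defaults/pref file. The script below is an added example, not part of the Mageia firefox packaging; it parses either form and reports, for the before-upgrade profile, which of the two preferences is unexpectedly present, and for the after-upgrade profile, which is missing or has the wrong value. The three prefs.js snippets are constructed for the example, including the value 15 in the "broken" one.

```python
"""Check the add-on preferences a Firefox 8 profile should carry after the
Mageia 8.0.1 update (extensions.autoDisableScopes = 0 and
extensions.shownSelectionUI = true).  Added example, not Mageia's packaging
code; sample prefs.js content below is constructed."""
import re

# Matches both user_pref("name", value); in prefs.js and pref("name", value);
# in a defaults file.  Values are true/false, an integer, or a quoted string.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);', re.M)

EXPECTED = {"extensions.autoDisableScopes": 0,
            "extensions.shownSelectionUI": True}


def parse_prefs(text):
    """Map pref name -> Python value (bool, int or str)."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            prefs[name] = int(raw)
    return prefs


def unexpected_prefs(text, expected=EXPECTED):
    """Step 3: names from `expected` that a pre-8 profile should NOT contain yet."""
    prefs = parse_prefs(text)
    return [name for name in expected if name in prefs]


def addon_prefs_problems(prefs, expected=EXPECTED):
    """Step 5: findings for an upgraded profile; an empty list means all is well."""
    problems = []
    for name, want in expected.items():
        if name not in prefs:
            problems.append("%s missing" % name)
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            problems.append("%s is %r, expected %r" % (name, prefs[name], want))
    return problems


# Constructed sample profiles (not copied from a real installation).
PREFS_BEFORE = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.mageia.org/");
user_pref("extensions.lastAppVersion", "7.0.1");
'''
PREFS_AFTER = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.mageia.org/");
user_pref("extensions.autoDisableScopes", 0);
user_pref("extensions.lastAppVersion", "8.0.1");
user_pref("extensions.shownSelectionUI", true);
'''
PREFS_BROKEN = '''# Mozilla User Preferences
user_pref("extensions.autoDisableScopes", 15);
user_pref("extensions.lastAppVersion", "8.0.1");
user_pref("extensions.shownSelectionUI", true);
'''

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PREFS_AFTER
    print(addon_prefs_problems(parse_prefs(text)) or "add-on prefs OK")
```

Run it with the path to the profile's prefs.js (Firefox must be closed, as in the procedure, because it rewrites prefs.js on exit); with no argument it checks the constructed "after" sample.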
Comment 6 Dave Hodgins 2011-11-21 01:02:53 CET
I just repeated the test using a clean install.

Installed firefox 7, and all extensions in our repositories (using core release
and updates, not updates testing).

firefox-ext-mozvoikko-1.10.0-1.2.mga1 could not be installed, as it's still
only set up for firefox 6.

After enabling core updates testing as an update repository, used mgaapplet
to update to firefox 8.

I was given the option to disable all addons, a screen which is new with
firefox 8.  I selected keep for all items.  The following are disabled,
and marked as "will enable when compatible" after firefox starts.
Adblock plus
Bugzilla tweaks
Download statusbar
Grease monkey

Note that after the experience with firefox 7, qa will not wait for the
addons in the repositories to be updated, before validating the firefox
update, especially as the above updates can all be updated by the user
within firefox.

The language pack I use (en_GB) was in the list of addons that would
have been disabled, if I didn't select to keep it.
Comment 7 Manuel Hiebel 2011-11-21 01:10:14 CET
(In reply to comment #6)
> Note that after the experience with firefox 7, qa will not wait for the
> addons in the repositories to be updated, before validating the firefox
> update, especially as the above updates can all be updated by the user
> within firefox.
> 
Yep go for that. (And it was the same for firefox 7)

seems for mga2 we can remove all firefox-ext-*...
Comment 8 Florian Hubold 2011-11-21 12:48:35 CET
(In reply to comment #6)
> 
> I was given the option to disable all addons, a screen which is new with
> firefox 8.  I selected keep for all items.  The following are disabled,
> and marked as "will enable when compatible" after firefox starts.
> Adblock plus
> Bugzilla tweaks
> Download statusbar
> Grease monkey
[...]
> 
> The language pack I use (en_GB) was in the list of addons that would
> have been disabled, if I didn't select to keep it.

Thanks for reproducing, that is exactly the new "feature" from firefox 8 that we have to fix, this should be properly fixed in coming firefox-8.0.1-0.4.mga1.
Comment 9 Dave Hodgins 2011-11-25 04:43:04 CET
Testing complete on i586 for firefox 8.0.1-0.4.

In addition to normal browser testing, the startup screen defaulting
to disabling all addons no longer appears, and the language pack is retained.

The list of srpms now is
firefox-8.0.1-0.4.mga1.src.rpm
firefox-8.0.1-0.3.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm
Comment 10 Dave Hodgins 2011-11-25 04:54:01 CET
Sorry, messed up the copy/paste.  The list of srpms is

firefox-8.0.1-0.4.mga1.src.rpm
firefox-l10n-8.0.1-0.1.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm
Comment 11 Dave Hodgins 2011-11-25 04:55:39 CET
Just noticed this still hasn't been assigned to qa.  Is it ready to
assign?
Comment 12 D Morgan 2011-11-25 07:03:48 CET
now it is.

Assignee: dmorganec => qa-bugs

Comment 13 Dave Hodgins 2011-11-25 09:07:45 CET
We still need x86-64 testing for firefox 8.0.1.

In addition to normal browser tests, confirm the language
pack does not get disabled by the update.
Comment 14 Luan Pham 2011-11-25 13:33:52 CET
I just finished testing this on an x86_64 Mageia 1 installation, and found no problem with the language pack being disabled after the update.

CC: (none) => pham182b

Comment 15 Dave Hodgins 2011-11-25 21:25:22 CET
Can someone from the sysadmin team push the srpms
firefox-8.0.1-0.4.mga1.src.rpm
firefox-l10n-8.0.1-0.1.mga1.src.rpm
xulrunner-8.0.1-0.1.mga1.src.rpm
nss-3.13.1-0.2.mga1.src.rpm
rootcerts-20111103.00-0.1.mga1.src.rpm
mozilla-esteid-3.4.0-1.4.mga1.src.rpm
from Core Updates Testing to Core Updates

Advisory:  This security update for firefox corrects the following:

CVE-2011-3640

Untrusted search path vulnerability in Mozilla Network Security
Services (NSS) might allow local users to gain privileges via a Trojan
horse pkcs11.txt file in a top-level directory.

CVE-2011-3648

Cross-site scripting (XSS) vulnerability in Mozilla Firefox before
3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0
through 7.0 allows remote attackers to inject arbitrary web script
or HTML via crafted text with Shift JIS encoding.

CVE-2011-3650

Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird
before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript
files that contain many functions, which allows user-assisted
remote attackers to cause a denial of service (memory corruption and
application crash) or possibly have unspecified other impact via a
crafted file that is accessed by debugging APIs, as demonstrated by
Firebug.

CVE-2011-3651

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to
cause a denial of service (memory corruption and application crash)
or possibly execute arbitrary code via unknown vectors.

CVE-2011-3652

The browser engine in Mozilla Firefox before 8.0 and Thunderbird before
8.0 does not properly allocate memory, which allows remote attackers
to cause a denial of service (memory corruption and application
crash) or possibly execute arbitrary code via unspecified vectors.

CVE-2011-3654

The browser engine in Mozilla Firefox before 8.0 and Thunderbird
before 8.0 does not properly handle links from SVG mpath elements to
non-SVG elements, which allows remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unspecified vectors.

CVE-2011-3655

Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform
access control without checking for use of the NoWaiverWrapper wrapper,
which allows remote attackers to gain privileges via a crafted web site.

https://bugs.mageia.org/show_bug.cgi?id=3335

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 16 Thomas Backlund 2011-11-25 23:06:40 CET
Update pushed.

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

