Bug 6389 - firefox needs to be updated to 10.0.5 for security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal Severity: normal
Assigned To: QA Team
Whiteboard: mga1-32-OK mga1-64-OK
Keywords: validated_update
Related bugs: 6548, 6382

Reported: 2012-06-09 20:31 CEST by David Walser
Modified: 2012-06-29 22:59 CEST (History)

Source RPM: firefox-10.0.4-1.mga1.src.rpm

Attachments
firefox.tar.gz - 3 gnome-python-gtkmozembed test scripts in a firefox directory (698 bytes, application/x-gzip)
2012-06-27 19:56 CEST, claire robinson

Description David Walser 2012-06-09 20:31:29 CEST
Mandriva has issued an advisory today (June 9):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:088

The SRPMS that need to be included are:
nspr
nss
xulrunner
firefox
firefox-l10n
and possibly icedtea-web (MDV rebuilt this for their update)

I've already submitted nspr and nss.  Last I checked, xulrunner had not been submitted yet, firefox had been, and firefox-l10n also had been but not totally successfully (incomplete build on Mageia 2).

Speaking of Mageia 2, it needs this update as well.  When all of the packages are built and ready for QA, I'll split a separate bug to make this one easier for QA.
Comment 1 David Walser 2012-06-09 20:57:27 CEST
Other packages that may be rebuilt with this update:
perl-Gtk2-MozEmbed (rebuilt last time)
gnome-python-extras (wouldn't build last time, should build now thanks to pterjan)
gjs (needs to be updated to be able to build, see Bug 6382)
eclipse (for swt, needs updated also, D Morgan said he might do that)
Comment 2 David Walser 2012-06-23 15:14:10 CEST
Mandriva has provided this update for MDV 2010.2 today (June 23):
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:088-1
Comment 3 David Walser 2012-06-23 17:57:29 CEST
Updates ready for testing.  Source RPM list at the bottom of this post, I'll gather up the full RPM list later.

Note to QA: Mandriva has rebuilt icedtea-web for this update and we haven't. Please test that icedtea-web still works fine.  If there are any problems, I'll submit a rebuild for it.

gjs may be updated later and will be handled in Bug 6382 for now.

eclipse may be updated later and will have its own bug report if so.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Heap-based buffer overflow in the utf16_to_isolatin1 function in
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and
SeaMonkey before 2.10 allows remote attackers to execute arbitrary
code via vectors that trigger a character-set conversion failure
(CVE-2012-1947).

Use-after-free vulnerability in the nsFrameList::FirstChild function
in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and
SeaMonkey before 2.10 allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption and application
crash) by changing the size of a container of absolutely positioned
elements in a column (CVE-2012-1940).

Heap-based buffer overflow in the
nsHTMLReflowState::CalculateHypotheticalBox function in Mozilla
Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird
5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey
before 2.10 allows remote attackers to execute arbitrary code by
resizing a window displaying absolutely positioned and relatively
positioned elements in nested columns (CVE-2012-1941).

Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore
function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before
10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before
10.0.5, and SeaMonkey before 2.10 might allow remote attackers to
execute arbitrary code via document changes involving replacement or
insertion of a node (CVE-2012-1946).

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5,
and SeaMonkey before 2.10 allow local users to obtain sensitive
information via an HTML document that loads a shortcut (aka .lnk)
file for display within an IFRAME element, as demonstrated by a
network share implemented by (1) Microsoft Windows or (2) Samba
(CVE-2012-1945).

The Content Security Policy (CSP) implementation in Mozilla Firefox
4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0
through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey
before 2.10 does not block inline event handlers, which makes it
easier for remote attackers to conduct cross-site scripting (XSS)
attacks via a crafted HTML document (CVE-2012-1944).

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before
2.10 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary
code via vectors related to (1) methodjit/ImmutableSync.cpp, (2)
the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp,
and unknown other components (CVE-2012-1938).

jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird
ESR 10.x before 10.0.5 does not properly determine data types,
which allows remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via crafted JavaScript code (CVE-2012-1939).

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5,
and SeaMonkey before 2.10 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2012-1937).

Ken Russell of Google reported a bug in NVIDIA graphics
drivers that they needed to work around in the Chromium WebGL
implementation. Mozilla has done the same in Firefox 13 and ESR 10.0.5
(CVE-2011-3101).

Additionally, the nspr and nss libraries have been upgraded to the
latest versions which resolve various upstream bugs.

Also, perl-Gtk2-MozEmbed and gnome-python-gtkmozembed have been
rebuilt against the updated xulrunner library.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1947
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:088-1
========================

Source RPMs:
nspr-4.9.1-1.mga1.src.rpm
nss-3.13.5-1.mga1.src.rpm
xulrunner-10.0.5-1.1.mga1.src.rpm
firefox-10.0.5-1.mga1.src.rpm
firefox-l10n-10.0.5-1.mga1.src.rpm
perl-Gtk2-MozEmbed-0.80.0-10.5.mga1.src.rpm
gnome-python-extras-2.25.3-24.3.mga1.src.rpm
Comment 4 David Walser 2012-06-23 18:09:22 CEST
Full RPM list:
libnspr4-4.9.1-1.mga1
libnspr-devel-4.9.1-1.mga1
nss-3.13.5-1.mga1
nss-doc-3.13.5-1.mga1
libnss3-3.13.5-1.mga1.i586.rpm
libnss-devel-3.13.5-1.mga1
libnss-static-devel-3.13.5-1.mga1
xulrunner-10.0.5-1.1.mga1
libxulrunner10.0.5-10.0.5-1.1.mga1
libxulrunner-devel-10.0.5-1.1.mga1
firefox-10.0.5-1.mga1
firefox-devel-10.0.5-1.mga1
firefox-af-10.0.5-1.mga1
firefox-ar-10.0.5-1.mga1
firefox-ast-10.0.5-1.mga1
firefox-be-10.0.5-1.mga1
firefox-bg-10.0.5-1.mga1
firefox-bn_BD-10.0.5-1.mga1
firefox-bn_IN-10.0.5-1.mga1
firefox-br-10.0.5-1.mga1
firefox-bs-10.0.5-1.mga1
firefox-ca-10.0.5-1.mga1
firefox-cs-10.0.5-1.mga1
firefox-cy-10.0.5-1.mga1
firefox-da-10.0.5-1.mga1
firefox-de-10.0.5-1.mga1
firefox-el-10.0.5-1.mga1
firefox-en_GB-10.0.5-1.mga1
firefox-en_ZA-10.0.5-1.mga1
firefox-eo-10.0.5-1.mga1
firefox-es_AR-10.0.5-1.mga1
firefox-es_CL-10.0.5-1.mga1
firefox-es_ES-10.0.5-1.mga1
firefox-es_MX-10.0.5-1.mga1
firefox-et-10.0.5-1.mga1
firefox-eu-10.0.5-1.mga1
firefox-fa-10.0.5-1.mga1
firefox-fi-10.0.5-1.mga1
firefox-fr-10.0.5-1.mga1
firefox-fy-10.0.5-1.mga1
firefox-ga_IE-10.0.5-1.mga1
firefox-gd-10.0.5-1.mga1
firefox-gl-10.0.5-1.mga1
firefox-gu_IN-10.0.5-1.mga1
firefox-he-10.0.5-1.mga1
firefox-hi-10.0.5-1.mga1
firefox-hr-10.0.5-1.mga1
firefox-hu-10.0.5-1.mga1
firefox-hy-10.0.5-1.mga1
firefox-id-10.0.5-1.mga1
firefox-is-10.0.5-1.mga1
firefox-it-10.0.5-1.mga1
firefox-ja-10.0.5-1.mga1
firefox-kk-10.0.5-1.mga1
firefox-kn-10.0.5-1.mga1
firefox-ko-10.0.5-1.mga1
firefox-ku-10.0.5-1.mga1
firefox-lg-10.0.5-1.mga1
firefox-lt-10.0.5-1.mga1
firefox-lv-10.0.5-1.mga1
firefox-mai-10.0.5-1.mga1
firefox-mk-10.0.5-1.mga1
firefox-ml-10.0.5-1.mga1
firefox-mr-10.0.5-1.mga1
firefox-nb_NO-10.0.5-1.mga1
firefox-nl-10.0.5-1.mga1
firefox-nn_NO-10.0.5-1.mga1
firefox-nso-10.0.5-1.mga1
firefox-or-10.0.5-1.mga1
firefox-pa_IN-10.0.5-1.mga1
firefox-pl-10.0.5-1.mga1
firefox-pt_BR-10.0.5-1.mga1
firefox-pt_PT-10.0.5-1.mga1
firefox-ro-10.0.5-1.mga1
firefox-ru-10.0.5-1.mga1
firefox-si-10.0.5-1.mga1
firefox-sk-10.0.5-1.mga1
firefox-sl-10.0.5-1.mga1
firefox-sq-10.0.5-1.mga1
firefox-sr-10.0.5-1.mga1
firefox-sv_SE-10.0.5-1.mga1
firefox-ta-10.0.5-1.mga1
firefox-ta_LK-10.0.5-1.mga1
firefox-te-10.0.5-1.mga1
firefox-th-10.0.5-1.mga1
firefox-tr-10.0.5-1.mga1
firefox-uk-10.0.5-1.mga1
firefox-vi-10.0.5-1.mga1
perl-Gtk2-MozEmbed-0.80.0-10.5.mga1
gnome-python-extras-2.25.3-24.3.mga1
gnome-python-gda-2.25.3-24.3.mga1
gnome-python-gda-devel-2.25.3-24.3.mga1
gnome-python-gdl-2.25.3-24.3.mga1
gnome-python-gtkspell-2.25.3-24.3.mga1
gnome-python-gtkmozembed-2.25.3-24.3.mga1
gnome-python-gtkhtml2-2.25.3-24.3.mga1
Comment 5 claire robinson 2012-06-27 19:54:23 CEST
Testing x86_64 Mageia 1

gnome-python-gtkmozembed causes segfaults with Release version.

$ python moz.py 
Segmentation fault
$ python moz2.py 
Segmentation fault
$ python moz3.py 
Segmentation fault

I'll attach the scripts.

Should lib(64)xulrunner remove previous versions?

# rpm -qa | grep lib64xul
lib64xulrunner10.0.5-10.0.5-1.1.mga1
lib64xulrunner2.0.1-2.0.1-1.mga1
lib64xulrunner10.0.4-10.0.4-1.mga1
lib64xulrunner-devel-10.0.5-1.1.mga1

mga2 is the same in this respect IINM.


Apart from the above, testing firefox itself...

https, flash, java, flash over https, l10n all seems OK
Comment 6 claire robinson 2012-06-27 19:56:02 CEST
Created attachment 2500 [details]
firefox.tar.gz - 3 gnome-python-gtkmozembed test scripts in a firefox directory
Comment 7 claire robinson 2012-06-27 19:58:03 CEST
Forgot to mention gnome-python-gtkmozembed also segfaults with the update installed.
Comment 8 David Walser 2012-06-27 19:58:50 CEST
(In reply to comment #5)
> Testing x86_64 Mageia 1
> 
> gnome-python-gtkmozembed causes segfaults with Release version.

This is true in both Mageia 1 and Mageia 2, release and updates versions?

> Should lib(64)xulrunner remove previous versions?

No.  I recommend QA to manually remove previous versions to help make sure we didn't miss anything.  Library policy is that the package won't remove them automatically, so sysadmins have to do it manually as well :o(

> Apart from the above, testing firefox itself..
> 
> https, flash, java, flash over https, l10n all seems OK

If the answer to my first question is yes, I guess we can validate these updates without gnome-python-extras (and remove mention of it from the advisories).
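The library policy above (old versioned lib(64)xulrunner packages are left installed and must be removed by hand) is easy to overlook after an update. The following is an added example, not part of the bug or of Mageia's tooling: it reads an `rpm -qa` package list and lists the versioned xulrunner runtime library packages whose version is not the expected one, so QA or a sysadmin can confirm no older copy of the library remains. The sample input is constructed from the `rpm -qa | grep lib64xul` output quoted in comment 5; the naming convention libNNxulrunner<version>-<version>-<release> is assumed from that output.

```shell
#!/bin/sh
# Constructed sample: the package list quoted in comment 5 of this bug.
SAMPLE_RPM_QA='lib64xulrunner10.0.5-10.0.5-1.1.mga1
lib64xulrunner2.0.1-2.0.1-1.mga1
lib64xulrunner10.0.4-10.0.4-1.mga1
lib64xulrunner-devel-10.0.5-1.1.mga1'

# stale_xulrunner_libs EXPECTED_VERSION
# Reads package names (one per line, e.g. from `rpm -qa`) on stdin and prints
# every versioned xulrunner runtime library package (lib64xulrunnerX.Y.Z-... or
# libxulrunnerX.Y.Z-...) whose version is not EXPECTED_VERSION.  The -devel
# package and unrelated packages are ignored.  Nothing is removed here; the
# output is the list an administrator would review and remove manually.
stale_xulrunner_libs() {
    expected="$1"
    while IFS= read -r pkg; do
        case "$pkg" in
            lib64xulrunner[0-9]*|libxulrunner[0-9]*) ;;   # versioned runtime lib
            *) continue ;;                                 # devel, other packages
        esac
        # Name is libNNxulrunner<ver>; drop the prefix, then the "-ver-rel" tail.
        ver="${pkg#lib64xulrunner}"
        ver="${ver#libxulrunner}"
        ver="${ver%%-*}"
        if [ "$ver" != "$expected" ]; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# count_stale EXPECTED_VERSION: number of stale packages in the sample list.
count_stale() {
    printf '%s\n' "$SAMPLE_RPM_QA" | stale_xulrunner_libs "$1" | wc -l
}

# Demo on the constructed sample.  On a real host: rpm -qa | stale_xulrunner_libs 10.0.5
printf '%s\n' "$SAMPLE_RPM_QA" | stale_xulrunner_libs 10.0.5
```

On the sample this prints lib64xulrunner2.0.1-2.0.1-1.mga1 and lib64xulrunner10.0.4-10.0.4-1.mga1, the two packages Claire removed by hand in comment 9.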
Comment 9 claire robinson 2012-06-28 11:17:37 CEST
I removed previous versions of lib64xulrunner but it hasn't helped.

$ python moz.py
Segmentation fault
$ python moz2.py
Segmentation fault
$ python moz3.py
Segmentation fault

$ rpm -qa | grep lib64xul
lib64xulrunner10.0.5-10.0.5-1.1.mga1
lib64xulrunner-devel-10.0.5-1.1.mga1
Comment 10 claire robinson 2012-06-28 11:18:58 CEST
It seems to be true in both versions in mga1 & 2, David, yes.
Comment 11 claire robinson 2012-06-28 11:38:22 CEST
I tried perl-Gtk2-MozEmbed with the script on cpan:
http://search.cpan.org/~tsch/Gtk2-MozEmbed-0.06/MozEmbed.pm#SEE_ALSO

$ perl moz.pl
Segmentation fault

So it seems to be a problem with lib64xulrunner.
Comment 13 David Walser 2012-06-28 13:40:25 CEST
Thanks Claire.  Yet another Mandriva bug closed as OLD without being fixed :o)

I'll ask about it on the -dev list.
Comment 14 claire robinson 2012-06-28 19:44:57 CEST
Bug 6610 created for the xulrunner problem on mga1 & mga2

dmorgan is rebuilding eclipse without xulrunner so we shouldn't need to worry about that any more.

That just leaves firefox itself.

Source RPMs:
nspr-4.9.1-1.mga1.src.rpm
nss-3.13.5-1.mga1.src.rpm
firefox-10.0.5-1.mga1.src.rpm
firefox-l10n-10.0.5-1.mga1.src.rpm

Do you agree for the same thing as mga2 in bug 6548?
Comment 15 David Walser 2012-06-28 20:11:20 CEST
(In reply to comment #14)
> Do you agree for the same thing as mga2 in bug 6548?

I do.
Comment 16 Dave Hodgins 2012-06-28 23:17:55 CEST
Testing Mageia 1 i586 now.
Comment 17 Dave Hodgins 2012-06-28 23:25:11 CEST
Testing complete on i586 with https://www.youtube.com, en_GB language pack and other standard browser tests.
Comment 18 claire robinson 2012-06-29 12:57:36 CEST
testing mga1 64
Comment 19 claire robinson 2012-06-29 13:33:10 CEST
Testing complete x86_64 mga1

Java, flash, flash over https, spellcheck, bookmarks. All seems fine.

Validating

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Heap-based buffer overflow in the utf16_to_isolatin1 function in
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and
SeaMonkey before 2.10 allows remote attackers to execute arbitrary
code via vectors that trigger a character-set conversion failure
(CVE-2012-1947).

Use-after-free vulnerability in the nsFrameList::FirstChild function
in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and
SeaMonkey before 2.10 allows remote attackers to execute arbitrary code
or cause a denial of service (heap memory corruption and application
crash) by changing the size of a container of absolutely positioned
elements in a column (CVE-2012-1940).

Heap-based buffer overflow in the
nsHTMLReflowState::CalculateHypotheticalBox function in Mozilla
Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird
5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey
before 2.10 allows remote attackers to execute arbitrary code by
resizing a window displaying absolutely positioned and relatively
positioned elements in nested columns (CVE-2012-1941).

Use-after-free vulnerability in the nsINode::ReplaceOrInsertBefore
function in Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before
10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before
10.0.5, and SeaMonkey before 2.10 might allow remote attackers to
execute arbitrary code via document changes involving replacement or
insertion of a node (CVE-2012-1946).

Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5,
and SeaMonkey before 2.10 allow local users to obtain sensitive
information via an HTML document that loads a shortcut (aka .lnk)
file for display within an IFRAME element, as demonstrated by a
network share implemented by (1) Microsoft Windows or (2) Samba
(CVE-2012-1945).

The Content Security Policy (CSP) implementation in Mozilla Firefox
4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0
through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey
before 2.10 does not block inline event handlers, which makes it
easier for remote attackers to conduct cross-site scripting (XSS)
attacks via a crafted HTML document (CVE-2012-1944).

Multiple unspecified vulnerabilities in the browser engine in Mozilla
Firefox before 13.0, Thunderbird before 13.0, and SeaMonkey before
2.10 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary
code via vectors related to (1) methodjit/ImmutableSync.cpp, (2)
the JSObject::makeDenseArraySlow function in js/src/jsarray.cpp,
and unknown other components (CVE-2012-1938).

jsinfer.cpp in Mozilla Firefox ESR 10.x before 10.0.5 and Thunderbird
ESR 10.x before 10.0.5 does not properly determine data types,
which allows remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via crafted JavaScript code (CVE-2012-1939).

Multiple unspecified vulnerabilities in the browser engine in
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5,
Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5,
and SeaMonkey before 2.10 allow remote attackers to cause a denial of
service (memory corruption and application crash) or possibly execute
arbitrary code via unknown vectors (CVE-2012-1937).

Ken Russell of Google reported a bug in NVIDIA graphics
drivers that they needed to work around in the Chromium WebGL
implementation. Mozilla has done the same in Firefox 13 and ESR 10.0.5
(CVE-2011-3101).

Additionally, the nspr and nss libraries have been upgraded to the
latest versions which resolve various upstream bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3101
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1938
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1939
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1940
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1941
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1944
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1945
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1946
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1947
http://www.mozilla.org/security/announce/2012/mfsa2012-34.html
http://www.mozilla.org/security/announce/2012/mfsa2012-36.html
http://www.mozilla.org/security/announce/2012/mfsa2012-37.html
http://www.mozilla.org/security/announce/2012/mfsa2012-38.html
http://www.mozilla.org/security/announce/2012/mfsa2012-40.html
http://www.mandriva.com/en/support/security/advisories/?dis=2010.1&name=MDVSA-2012:088-1
========================

Source RPMs:
nspr-4.9.1-1.mga1.src.rpm
nss-3.13.5-1.mga1.src.rpm
firefox-10.0.5-1.mga1.src.rpm
firefox-l10n-10.0.5-1.mga1.src.rpm


Could sysadmin please push from core/updates_testing to core/updates. Please also remove the following SRPMs from Testing:

xulrunner-10.0.5-1.1.mga1.src.rpm
perl-Gtk2-MozEmbed-0.80.0-10.5.mga1.src.rpm
gnome-python-extras-2.25.3-24.3.mga1.src.rpm

They are now the subject of bug 6610
Comment 20 Thomas Backlund 2012-06-29 22:59:21 CEST
xulrunner, perl-Gtk2-MozEmbed and gnome-python-extras removed from updates_testing

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0136