Bug 9599 - [Update Request] Update firefox and thunderbird packages to fix several security vulnerabilities
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/545695/
Whiteboard: mga2-64-ok mga2-32-ok
Keywords: validated_update
Reported: 2013-04-03 05:14 CEST by Funda Wang
Modified: 2013-04-09 15:47 CEST
Source RPM: firefox-17.0.5-1.mga2, firefox-l10n-17.0.5-1.mga2, thunderbird-17.0.5-1.mga2, thunderbird-l10n-17.0.5-1.mga2, iceape-2.17-1.mga2

Description Funda Wang 2013-04-03 05:14:33 CEST
Several security vulnerabilities were found in the firefox and thunderbird packages shipped in Mageia 2 updates:

MFSA 2013-40(CVE-2013-0791):
  Out-of-bounds array read in CERT_DecodeCertPackage
MFSA 2013-39(CVE-2013-0792):
  Memory corruption while rendering grayscale PNG images
MFSA 2013-38(CVE-2013-0793):
  Cross-site scripting (XSS) using timed history navigations
MFSA 2013-37(CVE-2013-0794):
  Bypass of tab-modal dialog origin disclosure
MFSA 2013-36(CVE-2013-0795):
  Bypass of SOW protections allows cloning of protected nodes
MFSA 2013-35(CVE-2013-0796):
  WebGL crash with Mesa graphics driver on Linux
MFSA 2013-34(CVE-2013-0797):
  Privilege escalation through Mozilla Updater
MFSA 2013-32(CVE-2013-0799):
  Privilege escalation through Mozilla Maintenance Service
MFSA 2013-31(CVE-2013-0800):
  Out-of-bounds write in Cairo library
MFSA 2013-30(CVE-2013-0788, CVE-2013-0789, CVE-2013-0790):
  Miscellaneous memory safety hazards

The firefox and thunderbird packages have been updated to the latest ESR version to fix the above security vulnerabilities.

Comment 1 Bill Wilkinson 2013-04-03 15:38:08 CEST
No exploits on SecurityFocus, except CVE-2013-0798, which lists "readily available tools".

Testing for general usage for MGA2-64.
Comment 2 Bill Wilkinson 2013-04-03 15:51:09 CEST
Funda:

Are there NSS and NSPR updates with this?  I'm not seeing them in updates-testing.
Comment 3 David Walser 2013-04-03 16:09:48 CEST
There certainly should be nspr at least, as I just updated that in Cauldron.  There wasn't a new nss when I checked this weekend, but I'll check today.
Comment 4 Bill Wilkinson 2013-04-03 16:37:34 CEST
Thanks, David!

I'll give it a couple of hours for things to filter through, then.

Could you follow up here if you find the nss update so I know when to start testing?

Thanks!
Comment 5 David Walser 2013-04-03 17:06:21 CEST
There is no new nss.

nspr-4.9.6-1.mga2 is uploaded for Mageia 2 updates_testing.
Comment 6 Carolyn Rowse 2013-04-03 19:52:22 CEST
Testing general usage 32-bit.

Carolyn
Comment 7 David Walser 2013-04-03 19:55:33 CEST
Hopefully MFSA 2013-40 was actually fixed in a previous update of NSS, since there's no new version available now.

Here are the advisories.

Advisory (Firefox):
========================

Updated firefox packages fix security vulnerabilities:

Several flaws were found in the processing of malformed web content. A web
page containing malicious content could cause Firefox to crash or,
potentially, execute arbitrary code with the privileges of the user running
Firefox (CVE-2013-0788).

A flaw was found in the way Same Origin Wrappers were implemented in
Firefox. A malicious site could use this flaw to bypass the same-origin
policy and execute arbitrary code with the privileges of the user running
Firefox (CVE-2013-0795).

A flaw was found in the embedded WebGL library in Firefox. A web page
containing malicious content could cause Firefox to crash or, potentially,
execute arbitrary code with the privileges of the user running Firefox.
Note: This issue only affected systems using the Intel Mesa graphics
drivers (CVE-2013-0796).

An out-of-bounds write flaw was found in the embedded Cairo library in
Firefox. A web page containing malicious content could cause Firefox to
crash or, potentially, execute arbitrary code with the privileges of the
user running Firefox (CVE-2013-0800).

A flaw was found in the way Firefox handled the JavaScript history
functions. A malicious site could cause a web page to be displayed that has
a baseURI pointing to a different site, allowing cross-site scripting (XSS)
and phishing attacks (CVE-2013-0793).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800
http://www.mozilla.org/security/announce/2013/mfsa2013-30.html
http://www.mozilla.org/security/announce/2013/mfsa2013-31.html
http://www.mozilla.org/security/announce/2013/mfsa2013-35.html
http://www.mozilla.org/security/announce/2013/mfsa2013-36.html
http://www.mozilla.org/security/announce/2013/mfsa2013-38.html
http://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
https://rhn.redhat.com/errata/RHSA-2013-0696.html
========================

Source RPMs:
nspr-4.9.6-1.mga2.src.rpm
firefox-17.0.5-1.mga2.src.rpm
firefox-l10n-17.0.5-1.mga2.src.rpm
========================


Advisory (Thunderbird):
========================

Updated thunderbird packages fix security vulnerabilities:

Several flaws were found in the processing of malformed content. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird (CVE-2013-0788).

A flaw was found in the way Same Origin Wrappers were implemented in
Thunderbird. Malicious content could use this flaw to bypass the
same-origin policy and execute arbitrary code with the privileges of the
user running Thunderbird (CVE-2013-0795).

A flaw was found in the embedded WebGL library in Thunderbird. Malicious
content could cause Thunderbird to crash or, potentially, execute arbitrary
code with the privileges of the user running Thunderbird. Note: This issue
only affected systems using the Intel Mesa graphics drivers
(CVE-2013-0796).

An out-of-bounds write flaw was found in the embedded Cairo library in
Thunderbird. Malicious content could cause Thunderbird to crash or,
potentially, execute arbitrary code with the privileges of the user running
Thunderbird (CVE-2013-0800).

A flaw was found in the way Thunderbird handled the JavaScript history
functions. Malicious content could cause a page to be displayed that
has a baseURI pointing to a different site, allowing cross-site scripting
(XSS) and phishing attacks (CVE-2013-0793).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0795
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0800
http://www.mozilla.org/security/announce/2013/mfsa2013-30.html
http://www.mozilla.org/security/announce/2013/mfsa2013-31.html
http://www.mozilla.org/security/announce/2013/mfsa2013-35.html
http://www.mozilla.org/security/announce/2013/mfsa2013-36.html
http://www.mozilla.org/security/announce/2013/mfsa2013-38.html
http://www.mozilla.org/security/known-vulnerabilities/thunderbirdESR.html
https://rhn.redhat.com/errata/RHSA-2013-0697.html
========================

Source RPMs:
thunderbird-17.0.5-1.mga2.src.rpm
thunderbird-l10n-17.0.5-1.1.mga2.src.rpm
Comment 8 Carolyn Rowse 2013-04-03 21:41:57 CEST
General testing on 32-bit and no regressions found.

Firefox - changing configuration settings, general browsing, use of existing add-ons and installation of new ones.

Thunderbird - sending and receiving mail, marking as junk, setting up another mail account, adding to address book, setting up and using IRC account.

Carolyn
Comment 9 Bill Wilkinson 2013-04-03 22:17:19 CEST
testing complete mga2-64

Firefox tested general browsing, sunspider, java, flash (youtube).

Thunderbird tested send/receive SMTP/IMAP, delete message

Validating

Will sysadmin please push from core/updates_testing to core/updates?

Advisory and package list in comment 7
Comment 11 Oden Eriksson 2013-04-09 15:31:25 CEST
FYI: CVE-2013-0791 was fixed in nss-3.14.3

You forgot to mention CVE-2013-0792 here.
Comment 12 David Walser 2013-04-09 15:47:56 CEST
(In reply to Oden Eriksson from comment #11)
> FYI: CVE-2013-0791 was fixed in nss-3.14.3

Thought so.  Thanks.

> You forgot to mention CVE-2013-0792 here.

Nope, that does not affect the ESR branch.
