Ubuntu
seamonkey package

security upgrade of seamonkey 1.1.12

Bug #276437 reported by Fabien Tassin on 2008-09-30

256

	Status	Importance	Assigned to
seamonkey (Ubuntu)	Fix Released	Undecided	Fabien Tassin
Hardy	Fix Released	Undecided	Fabien Tassin
Intrepid	Fix Released	Undecided	Fabien Tassin

Bug Description

Binary package hint: seamonkey

seamonkey (1.1.12+nobinonly-0ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.1.12
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow

-- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 00:41:24 +0200

===

seamonkey (1.1.12+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.12 (LP: #276437)
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow
  * Also includes security fixes from 1.1.11 and 1.1.10 (LP: #218534)
    - CVE-2008-2785: Remote code execution by overflowing CSS reference counter
    - CVE-2008-2811: Crash and remote code execution in block reflow
    - CVE-2008-2810: Remote site run as local file via Windows URL shortcut
    - CVE-2008-2809: Peer-trusted certs can use alt names to spoof
    - CVE-2008-2808: File location URL in directory listings not escaped properly
    - CVE-2008-2807: Faulty .properties file results in uninitialized memory being used
    - CVE-2008-2806: Arbitrary socket connections with Java LiveConnect on Mac OS X
    - CVE-2008-2805: Arbitrary file upload via originalTarget and DOM Range
    - MFSA 2008-26 (follow-up of CVE-2008-0304): Buffer length checks in MIME processing
    - CVE-2008-2803: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
    - CVE-2008-2802: Chrome script loading from fastload file
    - CVE-2008-2801: Signed JAR tampering
    - CVE-2008-2800: XSS through JavaScript same-origin violation
    - CVE-2008-2798..2799: Crashes with evidence of memory corruption
    - CVE-2008-1380: Crash in JavaScript garbage collector
  * Refresh diverged patch:
    - update debian/patches/80_security_build.patch
  * Fix FTBFS with missing -lfontconfig
    - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
    - update debian/patches/series

-- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 22:44:30 +0200

See original description

Related branches

lp://staging/~mozillateam/seamonkey/seamonkey-1.1.hardy

lp://staging/ubuntu/karmic/seamonkey

lp://staging/ubuntu/hardy-security/seamonkey

CVE References

Fabien Tassin (fta) on 2008-09-30

Changed in seamonkey:
assignee:	nobody → fta
assignee:	nobody → fta

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.11+nobinonly-0ubuntu1--1.1.12+nobinonly-0ubuntu1.debdiff Edit (205.1 KiB, text/plain)

Download full text (8.6 KiB)

Here is the full debdiff for intrepid. There's no packaging change, just the upstream bump.
Preview debs are in my PPA as seamonkey_1.1.12+nobinonly-0ubuntu1~fta1

Here is a diffstat of that debdiff:

Here is the full debdiff for intrepid. There's no packaging change, just the upstream bump.
Preview debs are in my PPA as seamonkey_1.1.12+nobinonly-0ubuntu1~fta1

Here is a diffstat of that debdiff:

ix:~/tmp$ diffstat  seamonkey_1.1.11+nobinonly-0ubuntu1--1.1.12+nobinonly-0ubuntu1.debdiff
 browser/config/version.txt                                      |    2 
 client.mk                                                       |   10 
 config/milestone.txt                                            |    2 
 content/base/src/nsDocument.cpp                                 |    1 
 content/base/src/nsDocument.h                                   |    5 
 content/base/src/nsXMLHttpRequest.cpp                           |    5 
 content/html/content/src/Makefile.in                            |    1 
 content/html/content/src/nsHTMLTableCellElement.cpp             |    4 
 content/xbl/src/nsXBLService.cpp                                |   10 
 content/xml/document/src/nsXMLDocument.cpp                      |   48 -
 content/xml/document/src/nsXMLDocument.h                        |    1 
 debian/changelog                                                |   15 
 dom/src/base/nsGlobalWindow.cpp                                 |   58 +
 dom/src/base/nsJSUtils.cpp                                      |   42 -
 dom/src/base/nsJSUtils.h                                        |    3 
 extensions/schema-validation/src/nsSchemaValidator.cpp          |   21 
 extensions/schema-validation/src/nsSchemaValidatorUtils.cpp     |   56 +
 extensions/schema-validation/src/nsSchemaValidatorUtils.h       |   12 
 extensions/schema-validation/tests/schema.html                  |   11 
 extensions/transformiix/source/xpath/XFormsFunctionCall.cpp     |  185 ++++++
 extensions/transformiix/source/xpath/XFormsFunctions.h          |   48 -
 extensions/transformiix/source/xpath/nsIXFormsUtilityService.h  |   43 +
 extensions/transformiix/source/xpath/nsXFormsXPathEvaluator.cpp |   20 
 extensions/transformiix/source/xpath/txXPathAtomList.h          |    6 
 extensions/transformiix/source/xslt/txMozillaTextOutput.cpp     |   17 
 extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp      |   11 
 extensions/xforms/Makefile.in                                   |    1 
 extensions/xforms/install.rdf                                   |    1 
 extensions/xforms/nsIModelElementPrivate.idl                    |    8 
 extensions/xforms/nsXFormsAtoms.cpp                             |    4 
 extensions/xforms/nsXFormsAtoms.h                               |    1 
 extensions/xforms/nsXFormsDOMEvent.cpp                          |   23 
 extensions/xforms/nsXFormsDOMEvent.h                            |    5 
 extensions/xforms/nsXFormsInsertDeleteElement.cpp               |    9 
 extensions/xforms/nsXFormsInstanceElement.cpp                   |  186 ++++--
 extensions/xforms/nsXFormsInstanceElement.h                     |    7 
 extensions/xforms/nsXFormsModelElement.cpp                      |   15 
 extensions/xforms/nsXFormsSchemaValidator.cpp                   |   20 
 extensions/xforms/nsXFormsSchemaValidator.h                     |    3 
 extensions/xforms/nsXFormsSubmissionElement.cpp                 |  285 ++++++++-
 extensions/xforms/nsXFormsSubmissionElement.h                   |    4 
 extensions/xforms/nsXFormsUtilityService.cpp                    |  301 +++++++++-
 extensions/xforms/nsXFormsUtils.cpp                             |   41 +
 extensions/xforms/nsXFormsUtils.h                               |   14 
 extensions/xforms/resources/locale/en-US/xforms.properties      |    2 
 gfx/src/gtk/nsFontMetricsGTK.cpp                                |   16 
 intl/uconv/src/charsetData.properties                           |    1 
 intl/uconv/ucvko/nsISO2022KRToUnicode.cpp                       |   22 
 intl/uconv/ucvko/nsISO2022KRToUnicode.h                         |    5 
 intl/unicharutil/util/nsUnicharUtils.h                          |   15 
 js/src/jsdbgapi.c                                               |    1 
 js/src/jsemit.c                                                 |    8 
 js/src/jsfun.c                                                  |    8 
 js/src/jsgc.c                                                   |    3 
 js/src/jsinterp.c                                               |   11 
 js/src/jsinterp.h                                               |    1 
 js/src/jsiter.c                                                 |    1 
 js/src/jsnum.c                                                  |   27 
 js/src/jsobj.c                                                  |   25 
 js/src/jsobj.h                                                  |    6 
 js/src/jsopcode.c                                               |   25 
 js/src/jsopcode.tbl                                             |    2 
 js/src/jsscan.c                                                 |  257 ++++----
 js/src/jsscript.c                                               |    8 
 js/src/jsxdrapi.h                                               |    2 
 js/src/jsxml.c                                                  |  150 ++--
 js/src/xpconnect/src/XPCNativeWrapper.cpp                       |   53 +
 js/src/xpconnect/src/XPCNativeWrapper.h                         |    3 
 js/src/xpconnect/src/xpcconvert.cpp                             |   20 
 layout/mathml/base/src/nsMathMLmtableFrame.cpp                  |    6 
 layout/style/nsCSSScanner.cpp                                   |   47 -
 layout/style/nsCSSScanner.h                                     |    2 
 layout/tables/celldata.h                                        |    3 
 mail/config/version.txt                                         |    2 
 mailnews/base/resources/content/msgAccountCentral.xul           |    6 
 mailnews/base/resources/content/widgetglue.js                   |    5 
 mailnews/base/src/nsMsgQuickSearchDBView.cpp                    |    3 
 mailnews/import/eudora/src/nsEudoraWin32.cpp                    |   14 
 mailnews/local/src/nsParseMailbox.cpp                           |    2 
 mailnews/local/src/nsParseMailbox.h                             |    2 
 mailnews/news/src/nsNNTPProtocol.cpp                            |   24 
 modules/libpr0n/decoders/xbm/nsXBMDecoder.cpp                   |    2 
 modules/plugin/base/src/nsJSNPRuntime.cpp                       |   12 
 modules/plugin/base/src/nsPluginHostImpl.cpp                    |    1 
 netwerk/base/src/nsStandardURL.cpp                              |    1 
 netwerk/dns/src/nsIDNService.cpp                                |    3 
 netwerk/protocol/res/src/nsResProtocolHandler.cpp               |   35 +
 parser/htmlparser/src/nsHTMLTokens.cpp                          |    7 
 toolkit/content/charsetOverlay.js                               |   20 
 toolkit/locales/en-US/chrome/global/intl.properties             |    2 
 toolkit/locales/l10n.ini                                        |    8 
 toolkit/mozapps/installer/windows/nsis/version.nsh              |    1 
 widget/public/nsIDragService.idl                                |   10 
 widget/src/beos/nsDragService.cpp                               |   11 
 widget/src/gtk/nsDragService.cpp                                |   10 
 widget/src/gtk2/nsDragService.cpp                               |   10 
 widget/src/mac/nsDragService.cpp                                |   11 
 widget/src/os2/nsDragService.cpp                                |   13 
 widget/src/os2/nsWindow.cpp                                     |    4 
 widget/src/photon/nsDragService.cpp                             |   12 
 widget/src/qt/nsDragService.cpp                                 |   12 
 widget/src/windows/nsDragService.cpp                            |    7 
 widget/src/windows/nsNativeDragTarget.cpp                       |    4 
 widget/src/xlib/nsDragService.cpp                               |    9 
 widget/src/xpwidgets/nsBaseDragService.cpp                      |   23 
 widget/src/xpwidgets/nsBaseDragService.h                        |    4 
 xpcom/glue/nsTArray.cpp                                         |    2 
 xpcom/io/nsEscape.cpp                                           |   31 -
 xpcom/string/public/nsCharTraits.h                              |   31 +
 xpcom/string/public/nsReadableUtils.h                           |    2 
 xpcom/string/public/nsUTF8Utils.h                               |   34 -
 xpcom/string/src/nsReadableUtils.cpp                            |   16 
 xpfe/bootstrap/module.ver                                       |    4 
 xpfe/bootstrap/version.txt                                      |    1 
 xpfe/components/intl/nsCharsetMenu.cpp                          |   24 
 115 files changed, 2080 insertions(+), 650 deletions(-)

Changed in seamonkey:
status:	New → Fix Committed
status:	Fix Committed → New
status:	New → Fix Committed

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

Here are all the links to the MFSAs giving links to upstream bugzilla.

MFSA 2008-46 Heap overflow when canceling newsgroup message
http://www.mozilla.org/security/announce/2008/mfsa2008-46.html

MFSA 2008-45 XBM image uninitialized memory reading
http://www.mozilla.org/security/announce/2008/mfsa2008-45.html

MFSA 2008-44 resource: traversal vulnerabilities
http://www.mozilla.org/security/announce/2008/mfsa2008-44.html

MFSA 2008-43 BOM characters stripped from JavaScript before execution
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html

MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
http://www.mozilla.org/security/announce/2008/mfsa2008-42.html

MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
http://www.mozilla.org/security/announce/2008/mfsa2008-41.html

MFSA 2008-40 Forced mouse drag
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html

MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html

MFSA 2008-37 UTF-8 URL stack buffer overflow
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.12+nobinonly.orig.tar.gz Edit (43.4 MiB, application/x-tar)

Here is the tarball, as from "debian/rules get-orig-source"

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.11+nobinonly-0ubuntu1--1.1.12+nobinonly-0ubuntu0.8.04.1.debdiff Edit (209.0 KiB, text/plain)

Here is the full debdiff for hardy.

Changed in seamonkey:
status:	New → Fix Committed
description:	updated

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.12+nobinonly-0ubuntu1.diff.gz Edit (136.3 KiB, text/x-diff)

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.12+nobinonly-0ubuntu1.dsc Edit (2.0 KiB, text/plain)

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.12+nobinonly-0ubuntu0.8.04.1.diff.gz Edit (136.7 KiB, text/x-diff)

Revision history for this message

Fabien Tassin (fta) wrote on 2008-09-30:

seamonkey_1.1.12+nobinonly-0ubuntu0.8.04.1.dsc Edit (2.1 KiB, text/plain)

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-10-01:

This bug was fixed in the package seamonkey - 1.1.12+nobinonly-0ubuntu1

---------------
seamonkey (1.1.12+nobinonly-0ubuntu1) intrepid; urgency=low

-- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 00:41:24 +0200

Changed in seamonkey:
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-10-02:

#10

Can someone comment on the testing done for the hardy upload?

Revision history for this message

Alexander Sack (asac) wrote on 2008-10-02:

#11

i tested the browser and mail component for most common use cases (like AJAX, IMAP etc.). No problems.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-10-03:

#12

Thanks for the work on the Hardy update.

As discussed on IRC. The debdiff for hardy is nearly 632,000 lines long. The vast majority of this is from nss-fips, which is apparently new. From what I can tell, this code is now being used based on changes in 80_security_build.patch. Apparently this is to fix upstream https://bugzilla.mozilla.org/show_bug.cgi?id=419030. Are the > 600,000 lines of newly compiled code really needed for this update? What testing has been done to show there are no regressions, especially in regards to the NSS related functionality?

Revision history for this message

Fabien Tassin (fta) wrote on 2008-10-03:

#13

to be precise, those nss changes are visible in the ***context*** of 80_security_build.patch but are not part of what that patch is really addressing.

Those nss changes are from https://bugzilla.mozilla.org/show_bug.cgi?id=419030 which took the form of an import of the main nss branch (a stable tag) to the main gecko core branch (the 1.8 branch). This is the usual way for NSS fixes to enter mozilla.

I didn't test the OCSP code per say, but I did test various NSS related features such as cert management and navigation on various https sites.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2008-10-03:

#14

As discussed on IRC-- seamonkey on hardy is built with system nss and nspr4, and the nss-fips import is not used. Buildlogs and resulting binaries also show this to be true. 80_security_build.patch is also obsolete on systems that build with system nss and nspr4, and what it patches for nss are not used by the hardy build system. Proceeding with the upload.

Thanks for your work on this!

Jamie Strandboge (jdstrand) on 2008-10-06

Changed in seamonkey:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

mozilla-bugs #419030
[RESOLVED FIXED] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuseamonkey package

security upgrade of seamonkey 1.1.12

Bug Description

Related branches

CVE References

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
seamonkey package