[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14

Bug #218534 reported by Mathieu Marquer
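| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| firefox (Ubuntu) | Fix Released | Undecided | Mozilla Bugs | |
| firefox (Ubuntu) Dapper | Fix Released | Critical | Alexander Sack | |
| firefox (Ubuntu) Feisty | Fix Released | Critical | Alexander Sack | |
| firefox (Ubuntu) Gutsy | Fix Released | Critical | Alexander Sack | |
| firefox (Ubuntu) Hardy | Fix Released | Critical | Alexander Sack | |
| firefox (Ubuntu) Intrepid | Fix Released | Undecided | Mozilla Bugs | |
| seamonkey (Ubuntu) | Fix Released | Critical | Fabien Tassin | |
| seamonkey (Ubuntu) Dapper | Invalid | Undecided | Unassigned | |
| seamonkey (Ubuntu) Feisty | Invalid | Undecided | Unassigned | |
| seamonkey (Ubuntu) Gutsy | Invalid | Undecided | Unassigned | |
| seamonkey (Ubuntu) Hardy | Fix Released | Critical | Alexander Sack | |
| seamonkey (Ubuntu) Intrepid | Fix Released | Critical | Fabien Tassin | |
| thunderbird (Ubuntu) | Fix Released | Critical | Alexander Sack | |
| thunderbird (Ubuntu) Dapper | Fix Released | Critical | Alexander Sack | |
| thunderbird (Ubuntu) Feisty | Fix Released | Critical | Alexander Sack | |
| thunderbird (Ubuntu) Gutsy | Fix Released | Critical | Alexander Sack | |
| thunderbird (Ubuntu) Hardy | Fix Released | Critical | Alexander Sack | |
| thunderbird (Ubuntu) Intrepid | Fix Released | Critical | Alexander Sack | |
| xulrunner (Ubuntu) | Fix Released | Critical | Fabien Tassin | |
| xulrunner (Ubuntu) Dapper | Invalid | Undecided | Unassigned | |
| xulrunner (Ubuntu) Feisty | Invalid | Critical | Unassigned | |
| xulrunner (Ubuntu) Gutsy | Won't Fix | Undecided | Unassigned | |
| xulrunner (Ubuntu) Hardy | Fix Released | Critical | Alexander Sack | |
| xulrunner (Ubuntu) Intrepid | Fix Released | Critical | Fabien Tassin | |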

Bug Description

Flaws were discovered in Firefox which could lead to crashes during JavaScript garbage collection. If a user were tricked into opening a malicious web page, an attacker may be able to crash the browser or possibly execute arbitrary code with the user's privileges. (CVE-2008-1380)

John Vivirito (gnomefreak) wrote : Re: [Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey before 2.0.0.13/1.1.9

The Mozilla team is aware of these issues and will release the updated packages as soon as we can. Thank you for your bug report.

Changed in firefox:
assignee: nobody → mozilla-bugs
status: New → Incomplete
Changed in seamonkey:
assignee: nobody → mozilla-bugs
status: New → Incomplete
Changed in thunderbird:
assignee: nobody → mozilla-bugs
status: New → Incomplete
Mathieu Marquer (slasher-fun) wrote :

Fix for Firefox has been released.

Changed in firefox:
status: Incomplete → Fix Released
Alexander Sack (asac)
description: updated
description: updated
John Vivirito (gnomefreak) wrote :

Assigned to the team and marked as incomplete until it's released in archives.

Changed in xulrunner:
assignee: nobody → mozilla-bugs
status: New → Incomplete
Fabien Tassin (fta) wrote :

Here is a debdiff for xulrunner

Fabien Tassin (fta) wrote :

..and the corresponding tarball (because of the +nobinonly clean-up)

It could be recreated using mozilla-devscripts:

make -f /usr/share/mozilla-devscripts/xulrunner-1.8.mk get-orig-source DEBIAN_TAG=FIREFOX_2_0_0_14_RELEASE=1.8.1.14

Alexander Sack (asac) wrote :

thunderbird (2.0.0.14+nobinonly-0ubuntu2) intrepid; urgency=low

  * fix "ftbfs with gcc 4.3 because of include of not shipped iostream.h"
    - add debian/patches/bz419350_attachment_306066.patch
    - update debian/patches/series

thunderbird (2.0.0.14+nobinonly-0ubuntu1) intrepid; urgency=low

  * 2.0.0.14 security/stability update (USN-605-1)
  * don't force gcc/g++ 4.2 as compiler anymore (4.3 is now in intrepid)
    and drop the versioned build-depends accordingly.
    - update debian/rules
    - update debian/control
  * drop patches applied upstream:
    - delete debian/patches/bz399589_fix_missing_symbol_with_new_nss.patch
    - update debian/patches/series

 -- Alexander Sack < <email address hidden>> Fri, 02 May 2008 15:19:13 +0200

Changed in thunderbird:
status: Incomplete → Fix Released
Fabien Tassin (fta) wrote :

and the corresponding diff.gz

Alexander Sack (asac)
Changed in seamonkey:
status: New → Invalid
status: New → Invalid
Changed in xulrunner:
importance: Undecided → Critical
status: Incomplete → Fix Committed
Changed in seamonkey:
status: New → Invalid
assignee: nobody → asac
status: New → In Progress
assignee: mozilla-bugs → fta
status: Incomplete → In Progress
Changed in thunderbird:
assignee: nobody → asac
importance: Undecided → Critical
status: New → In Progress
importance: Undecided → Critical
status: New → In Progress
assignee: nobody → asac
assignee: nobody → asac
importance: Undecided → Critical
status: New → In Progress
assignee: nobody → asac
importance: Undecided → Critical
status: New → In Progress
importance: Undecided → Critical
Changed in seamonkey:
importance: Undecided → Critical
importance: Undecided → Critical
Alexander Sack (asac) wrote :

we won't upgrade xulrunner for feisty.

Changed in xulrunner:
status: New → Invalid
importance: Undecided → Critical
status: New → Won't Fix
status: Won't Fix → Invalid
Alexander Sack (asac) wrote :

err, I meant in gutsy.

Changed in xulrunner:
status: New → Invalid
status: Invalid → Won't Fix
assignee: nobody → asac
importance: Undecided → Critical
status: New → In Progress
assignee: mozilla-bugs → fta
Alexander Sack (asac) wrote :

firefox (1.5.dfsg+1.5.0.15~prepatch080417a-0ubuntu1) dapper-security; urgency=low

  * release backports for security issues disclosed in 2.0.0.14
    - see USN-602-1
  * patches on top of 1.8.0 branch cvs checkout (17 apr 08) are in
    patches/series

 -- Alexander Sack < <email address hidden>> Thu, 17 Apr 2008 12:18:04 +0200

Changed in firefox:
assignee: nobody → asac
importance: Undecided → Critical
status: New → Fix Released
Alexander Sack (asac) wrote :

firefox (2.0.0.14+1nobinonly-0ubuntu0.7.4) feisty-security; urgency=low

  [ Alexander Sack ]
  * New security/stability upstream release (v2.0.0.14)
    - see USN-602-1

 -- Alexander Sack < <email address hidden>> Fri, 18 Apr 2008 12:57:37 +0200

Changed in firefox:
assignee: nobody → asac
importance: Undecided → Critical
status: New → Fix Released
Alexander Sack (asac) wrote :

firefox (2.0.0.14+2nobinonly-0ubuntu0.7.10) gutsy-security; urgency=low

  * New security/stability upstream release (v2.0.0.14)
    - see USN-602-1

 -- Alexander Sack < <email address hidden>> Fri, 18 Apr 2008 13:02:41 +0200

Changed in firefox:
assignee: nobody → asac
importance: Undecided → Critical
status: New → Fix Released
Alexander Sack (asac) wrote :

firefox (2.0.0.14+2nobinonly-0ubuntu1) hardy; urgency=low

  * New security/stability upstream release (v2.0.0.14)
    - see USN-602-1
  * fix "shipped nss links don't point to latest so version"
    - update firefox-2.links

 -- Alexander Sack < <email address hidden>> Fri, 18 Apr 2008 15:05:20 +0200

Changed in firefox:
assignee: nobody → asac
importance: Undecided → Critical
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner - 1.8.1.14+nobinonly-1ubuntu1

---------------
xulrunner (1.8.1.14+nobinonly-1ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.8.1.14 (LP: #218534)
    Fixes USN-602-1 / mfsa-2008-20 / CVE-2008-1380
  * Merge from debian unstable (1.8.1.14-1). Remaining ubuntu changes:
    - debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
    - xulrunner alternative in /usr/bin
  * Update configure for the visibility patch:
    - update debian/patches/99_configure.dpatch

 -- Fabien Tassin <email address hidden> Fri, 2 May 2008 17:03:00 +0200

Changed in xulrunner:
status: Fix Committed → Fix Released
Alexander Sack (asac)
Changed in thunderbird:
assignee: mozilla-bugs → asac
Jamie Strandboge (jdstrand) wrote :
Changed in thunderbird:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.11+nobinonly-0ubuntu1

---------------
seamonkey (1.1.11+nobinonly-0ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.1.11 (LP: #218534)
    Fixes USN-602-1, USN-619-1, USN-623-1 and USN-629-1
  * Refresh diverged patch:
    - update debian/patches/80_security_build.patch
  * Fix FTBFS with missing -lfontconfig
    - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
    - update debian/patches/series
  * Build with default gcc (hardy: 4.2, intrepid: 4.3)
    - update debian/rules
    - update debian/control

 -- Fabien Tassin <email address hidden> Tue, 29 Jul 2008 21:29:02 +0200

Changed in seamonkey:
status: In Progress → Fix Released
nanotube (nanotube) wrote :

So... no love for seamonkey in hardy? latest package is still 1.1.9, a few months old by now...

Alexander Sack (asac)
Changed in seamonkey:
status: In Progress → Triaged
Changed in xulrunner:
status: In Progress → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.12+nobinonly-0ubuntu0.8.04.1

---------------
seamonkey (1.1.12+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.12 (LP: #276437)
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow
  * Also includes security fixes from 1.1.11 and 1.1.10 (LP: #218534)
    - CVE-2008-2785: Remote code execution by overflowing CSS reference counter
    - CVE-2008-2811: Crash and remote code execution in block reflow
    - CVE-2008-2810: Remote site run as local file via Windows URL shortcut
    - CVE-2008-2809: Peer-trusted certs can use alt names to spoof
    - CVE-2008-2808: File location URL in directory listings not escaped properly
    - CVE-2008-2807: Faulty .properties file results in uninitialized memory being used
    - CVE-2008-2806: Arbitrary socket connections with Java LiveConnect on Mac OS X
    - CVE-2008-2805: Arbitrary file upload via originalTarget and DOM Range
    - MFSA 2008-26 (follow-up of CVE-2008-0304): Buffer length checks in MIME processing
    - CVE-2008-2803: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
    - CVE-2008-2802: Chrome script loading from fastload file
    - CVE-2008-2801: Signed JAR tampering
    - CVE-2008-2800: XSS through JavaScript same-origin violation
    - CVE-2008-2798..2799: Crashes with evidence of memory corruption
    - CVE-2008-1380: Crash in JavaScript garbage collector
  * Refresh diverged patch:
    - update debian/patches/80_security_build.patch
  * Fix FTBFS with missing -lfontconfig
    - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
    - update debian/patches/series

 -- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 22:44:30 +0200

Changed in seamonkey:
status: Triaged → Fix Released
Rolf Leggewie (r0lf) wrote :

what is up with the hardy xulrunner task, is that meant to be left open?

Alexander Sack (asac) wrote : Re: [Bug 218534] Re: [Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14

On Tue, Feb 03, 2009 at 05:32:02AM -0000, Rolf Leggewie wrote:
> what is up with the hardy xulrunner task, is that meant to be left open?
>

hardy xulrunner packages haven't been updated yet. so yes.

 - Alexander

Alexander Sack (asac) wrote :

hardy got updated during the 3.0.8 release

Changed in xulrunner (Ubuntu Hardy):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
