security upgrade of seamonkey 1.1.12

Bug #276437 reported by Fabien Tassin
Affects             Status        Importance  Assigned to     Milestone
seamonkey (Ubuntu)  Fix Released  Undecided   Fabien Tassin
  Hardy             Fix Released  Undecided   Fabien Tassin
  Intrepid          Fix Released  Undecided   Fabien Tassin

Bug Description

Binary package hint: seamonkey

seamonkey (1.1.12+nobinonly-0ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.1.12
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow

 -- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 00:41:24 +0200

===

seamonkey (1.1.12+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.12 (LP: #276437)
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow
  * Also includes security fixes from 1.1.11 and 1.1.10 (LP: #218534)
    - CVE-2008-2785: Remote code execution by overflowing CSS reference counter
    - CVE-2008-2811: Crash and remote code execution in block reflow
    - CVE-2008-2810: Remote site run as local file via Windows URL shortcut
    - CVE-2008-2809: Peer-trusted certs can use alt names to spoof
    - CVE-2008-2808: File location URL in directory listings not escaped properly
    - CVE-2008-2807: Faulty .properties file results in uninitialized memory being used
    - CVE-2008-2806: Arbitrary socket connections with Java LiveConnect on Mac OS X
    - CVE-2008-2805: Arbitrary file upload via originalTarget and DOM Range
    - MFSA 2008-26 (follow-up of CVE-2008-0304): Buffer length checks in MIME processing
    - CVE-2008-2803: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
    - CVE-2008-2802: Chrome script loading from fastload file
    - CVE-2008-2801: Signed JAR tampering
    - CVE-2008-2800: XSS through JavaScript same-origin violation
    - CVE-2008-2798..2799: Crashes with evidence of memory corruption
    - CVE-2008-1380: Crash in JavaScript garbage collector
  * Refresh diverged patch:
    - update debian/patches/80_security_build.patch
  * Fix FTBFS with missing -lfontconfig
    - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
    - update debian/patches/series

 -- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 22:44:30 +0200

Fabien Tassin (fta)
Changed in seamonkey:
assignee: nobody → fta
assignee: nobody → fta
Fabien Tassin (fta) wrote :

Here is the full debdiff for intrepid. There's no packaging change, just the upstream bump.
Preview debs are in my PPA as seamonkey_1.1.12+nobinonly-0ubuntu1~fta1

Here is a diffstat of that debdiff:

ix:~/tmp$ diffstat seamonkey_1.1.11+nobinonly-0ubuntu1--1.1.12+nobinonly-0ubuntu1.debdiff
 browser/config/version.txt | 2
 client.mk | 10
 config/milestone.txt | 2
 content/base/src/nsDocument.cpp | 1
 content/base/src/nsDocument.h | 5
 content/base/src/nsXMLHttpRequest.cpp | 5
 content/html/content/src/Makefile.in | 1
 content/html/content/src/nsHTMLTableCellElement.cpp | 4
 content/xbl/src/nsXBLService.cpp | 10
 content/xml/document/src/nsXMLDocument.cpp | 48 -
 content/xml/document/src/nsXMLDocument.h | 1
 debian/changelog | 15
 dom/src/base/nsGlobalWindow.cpp | 58 +
 dom/src/base/nsJSUtils.cpp | 42 -
 dom/src/base/nsJSUtils.h | 3
 extensions/schema-validation/src/nsSchemaValidator.cpp | 21
 extensions/schema-validation/src/nsSchemaValidatorUtils.cpp | 56 +
 extensions/schema-validation/src/nsSchemaValidatorUtils.h | 12
 extensions/schema-validation/tests/schema.html | 11
 extensions/transformiix/source/xpath/XFormsFunctionCall.cpp | 185 ++++++
 extensions/transformiix/source/xpath/XFormsFunctions.h | 48 -
 extensions/transformiix/source/xpath/nsIXFormsUtilityService.h | 43 +
 extensions/transformiix/source/xpath/nsXFormsXPathEvaluator.cpp | 20
 extensions/transformiix/source/xpath/txXPathAtomList.h | 6
 extensions/transformiix/source/xslt/txMozillaTextOutput.cpp | 17
 extensions/transformiix/source/xslt/txMozillaXMLOutput.cpp | 11
 extensions/xforms/Makefile.in | 1
 extensions/xforms/install.rdf | 1
 extensions/xforms/nsIModelElementPrivate.idl | 8
 extensions/xforms/nsXFormsAtoms.cpp | 4
 extensions/xforms/nsXFormsAtoms.h | 1
 extensions/xforms/nsXFormsDOMEvent.cpp | 23
 extensions/xforms/nsXFormsDOMEvent.h | 5
 extensions/xforms/nsXFormsInsertDeleteElement.cpp | 9
 extensions/xforms/nsXFormsInstanceElement.cpp | 186 ++++--
 extensions/xforms/nsXFormsInstanceElement.h | 7
 extensions/xforms/nsXFormsModelElement.cpp | 15
 extensions/xforms/nsXFormsSchemaValidator.cpp | 20
 extensions/xforms/nsXFormsSchemaValidator.h | 3
 extensions/xforms/nsXFormsSubmissionElemen...


Changed in seamonkey:
status: New → Fix Committed
status: Fix Committed → New
status: New → Fix Committed
Fabien Tassin (fta) wrote :

Here are all the links to the MFSAs giving links to upstream bugzilla.

MFSA 2008-46 Heap overflow when canceling newsgroup message
http://www.mozilla.org/security/announce/2008/mfsa2008-46.html

MFSA 2008-45 XBM image uninitialized memory reading
http://www.mozilla.org/security/announce/2008/mfsa2008-45.html

MFSA 2008-44 resource: traversal vulnerabilities
http://www.mozilla.org/security/announce/2008/mfsa2008-44.html

MFSA 2008-43 BOM characters stripped from JavaScript before execution
http://www.mozilla.org/security/announce/2008/mfsa2008-43.html

MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
http://www.mozilla.org/security/announce/2008/mfsa2008-42.html

MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
http://www.mozilla.org/security/announce/2008/mfsa2008-41.html

MFSA 2008-40 Forced mouse drag
http://www.mozilla.org/security/announce/2008/mfsa2008-40.html

MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
http://www.mozilla.org/security/announce/2008/mfsa2008-38.html

MFSA 2008-37 UTF-8 URL stack buffer overflow
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html

Fabien Tassin (fta) wrote :

Here is the tarball, as from "debian/rules get-orig-source"

Fabien Tassin (fta) wrote :

Here is the full debdiff for hardy.

Changed in seamonkey:
status: New → Fix Committed
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package seamonkey - 1.1.12+nobinonly-0ubuntu1

---------------
seamonkey (1.1.12+nobinonly-0ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.1.12 (LP: #276437)
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow

 -- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 00:41:24 +0200

Changed in seamonkey:
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Can someone comment on the testing done for the hardy upload?

Alexander Sack (asac) wrote :

I tested the browser and mail component for most common use cases (like AJAX, IMAP etc.). No problems.

Jamie Strandboge (jdstrand) wrote :

Thanks for the work on the Hardy update.

As discussed on IRC, the debdiff for hardy is nearly 632,000 lines long. The vast majority of this is from nss-fips, which is apparently new. From what I can tell, this code is now being used based on changes in 80_security_build.patch. Apparently this is to fix upstream https://bugzilla.mozilla.org/show_bug.cgi?id=419030. Are the > 600,000 lines of newly compiled code really needed for this update? What testing has been done to show there are no regressions, especially in regards to the NSS related functionality?

Fabien Tassin (fta) wrote :

To be precise, those nss changes are visible in the ***context*** of 80_security_build.patch but are not part of what that patch is really addressing.

Those nss changes are from https://bugzilla.mozilla.org/show_bug.cgi?id=419030 which took the form of an import of the main nss branch (a stable tag) to the main gecko core branch (the 1.8 branch). This is the usual way for NSS fixes to enter mozilla.

I didn't test the OCSP code per se, but I did test various NSS related features such as cert management and navigation on various https sites.

Jamie Strandboge (jdstrand) wrote :

As discussed on IRC, seamonkey on hardy is built with system nss and nspr4, and the nss-fips import is not used. Buildlogs and resulting binaries also show this to be true. 80_security_build.patch is also obsolete on systems that build with system nss and nspr4, and what it patches for nss are not used by the hardy build system. Proceeding with the upload.

Thanks for your work on this!

Changed in seamonkey:
status: Fix Committed → Fix Released