firefox-esr-60: 60.2.2 -> 60.3.0 [critical security fixes] #49690
+4
−11
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This update bumps the package to the latest stable version containing a few security fixes: - CVE-2018-12392: Crash with nested event loops When manipulating user events in nested loops while opening a document through script, it is possible to trigger a potentially exploitable crash due to poor event handling. - CVE-2018-12393: Integer overflow during Unicode conversion while loading JavaScript A potential vulnerability was found in 32-bit builds where an integer overflow during the conversion of scripts to an internal UTF-16 representation could result in allocating a buffer too small for the conversion. This leads to a possible out-of-bounds write. Note: 64-bit builds are not vulnerable to this issue. - CVE-2018-12395: WebExtension bypass of domain restrictions through header rewriting By rewriting the Host request headers using the webRequest API, a WebExtension can bypass domain restrictions through domain fronting. This would allow access to domains that share a host that are otherwise restricted. - CVE-2018-12396: WebExtension content scripts can execute in disallowed contexts A vulnerability where a WebExtension can run content scripts in disallowed contexts following navigation or other events. This allows for potential privilege escalation by the WebExtension on sites where content scripts should not be run. - CVE-2018-12397: Missing warning prompt when WebExtension requests local file access A WebExtension can request access to local files without the warning prompt stating that the extension will "Access your data for all websites" being displayed to the user. This allows extensions to run content scripts in local pages without permission warnings when a local file is opened. - CVE-2018-12389: Memory safety bugs fixed in Firefox ESR 60.3 Mozilla developers and community members Daniel Veditz and Philipp reported memory safety bugs present in Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. - CVE-2018-12390: Memory safety bugs fixed in Firefox 63 and Firefox ESR 60.3 Mozilla developers and community members Christian Holler, Bob Owen, Boris Zbarsky, Calixte Denizet, Jason Kratzer, Jed Davis, Taegeon Lee, Philipp, Ronald Crane, Raul Gurzau, Gary Kwong, Tyson Smith, Raymond Forbes, and Bogdan Tara reported memory safety bugs present in Firefox 62 and Firefox ESR 60.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. Source: https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/
c0bw3b
added
the
1.severity: security
|
@GrahamcOfBorg build firefoxPackages.firefox-esr /cc @andir |
|
No attempt on aarch64-linux (full log) The following builds were skipped because they don't evaluate on aarch64-linux: firefoxPackages.firefox-esr Partial log (click to expand)
|
|
No attempt on x86_64-linux (full log) The following builds were skipped because they don't evaluate on x86_64-linux: firefoxPackages.firefox-esr Partial log (click to expand)
|
|
@GrahamcOfBorg build firefox-esr-60 |
|
Failure on x86_64-darwin (full log) Attempted: firefox-esr-60 Partial log (click to expand)
|
|
Timed out, unknown build status on x86_64-linux (full log) Attempted: firefox-esr-60 Partial log (click to expand)
|
|
It looks fine. Compiling this right now. I must have forgotten to push that commit to master since it is on 18.09 and 18.03 :/ |
|
Failure on aarch64-linux (full log) Attempted: firefox-esr-60 Partial log (click to expand)
|
|
x86_64-linux seems fine, i686-linux is still building. I am dropping the skia patch from aarch64 that should fix the build. |
andir
force-pushed
the
unstable_firefox-esr-60.3.0
branch
from
cc387f7 to
c8d4508
Compare
With the upgrade to firefox 62 clang flags are now required on i686. (cherry picked from commit acf4a4e)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
https://www.mozilla.org/en-US/security/advisories/mfsa2018-27/
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)nix path-info -Sbefore and after)