| Summary: | firefox esr update 60.2.2 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | José Jorge <lists.jjorge> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | jim, lists.jjorge, sysadmin-bugs, tarazed25, tmb, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | firefox | CVE: | |
| Status comment: | | | |
Description
José Jorge
2018-10-08 16:31:16 CEST
RPMS:
firefox-60.2.2-1.mga6.{i586|x86_64}.rpm
firefox-*-60.2.2-1.mga6.noarch.rpm
firefox-60.2.2-1.mga6.srpm
firefox-l10n-60.2.2-1.mga6.srpm
Suggested advisory: Firefox ESR 60.2.2 addresses two security fixes: CVE-2018-12386 and CVE-2018-12387.

Status: NEW => ASSIGNED

_way_ too little info in the advisory...

A better one would be something like:

Updated firefox packages fix security vulnerabilities:

A vulnerability in register allocation in JavaScript can lead to type confusion, allowing for an arbitrary read and write. This leads to remote code execution inside the sandboxed content process when triggered (CVE-2018-12386).

A vulnerability where the JavaScript JIT compiler inlines Array.prototype.push with multiple arguments that results in the stack pointer being off by 8 bytes after a bailout. This leaks a memory address to the calling function which can be used as part of an exploit inside the sandboxed content process (CVE-2018-12386).

References:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/

CC: (none) => tmb

Build succeeded, so it is ready to test.

Assignee: lists.jjorge => qa-bugs

RedHat has issued an advisory for this on October 8:
https://access.redhat.com/errata/RHSA-2018:2884

Watch for the typo in tmb's advisory, one of the CVE's ends in a 7.

QA Contact: (none) => security

Tested in x86_64, no regressions found.

Whiteboard: (none) => MGA6-64-OK

Mageia 6, x86_64
Running fine here. Open tabs recovered. Ran Adobe flash video from APOD a few days back.

CC: (none) => tarazed25

Re comment #7
Having said that, the Acid tests did not do so well; 2 was almost correct but 3 showed two grey rectangles.
http://acid3.acidtests.org/

On mga6-64 packages installed cleanly:
- firefox-60.2.2-1.mga6.x86_64
- firefox-en_GB-60.2.2-1.mga6.noarch

no regressions noted. Looks OK for mga6-64

CC: (none) => jim

on mga6-32 in a vbox VM packages installed cleanly
- firefox-60.2.2-1.mga6.i586
- firefox-en_GB-60.2.2-1.mga6.noarch

no regressions noted
looks OK for mga6-32

In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
firefox firefox-en_US firefox-en_GB

default install of firefox firefox-en_US & firefox-en_GB

[root@localhost wilcal]# urpmi firefox
Package firefox-60.2.1-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-60.2.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-60.2.1-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com works fine.
http://www.webstandards.org/files/acid2/test.html#top test ok
http://acid3.acidtests.org/ test ok

install firefox firefox-en_US & firefox-en_GB from updates_testing

[root@localhost wilcal]# urpmi firefox
Package firefox-60.2.2-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi firefox-en_US
Package firefox-en_US-60.2.2-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi firefox-en_GB
Package firefox-en_GB-60.2.2-1.mga6.noarch is already installed

Firefox works, many websites are accessible, YouTube & Vimeo videos play, common plugins are active. weather.com does work.
http://www.webstandards.org/files/acid2/test.html#top test ok
http://acid3.acidtests.org/ test ok

CC: (none) => wilcal.int
William Kenney
2018-10-11 20:23:30 CEST
Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Thomas Backlund
2018-10-14 01:53:23 CEST
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0396.html

Status: ASSIGNED => RESOLVED