Bug 27825

Summary: Firefox 78.6
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, fri, ouaurelien, sysadmin-bugs, tarazed25, wrw105
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga7-64-ok mga7-32-ok
Source RPM: nss, firefox CVE: CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35111, CVE-2020-35113
Status comment:

Description David Walser 2020-12-15 01:40:12 CET 
Mozilla has released Firefox 78.6.0 today (December 14):
https://www.mozilla.org/en-US/firefox/78.6.0/releasenotes/

Release notes not out yet.

NSS 3.60 is also out:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes

Update in progress.  Package list will be as follows.

nss-3.60.0-1.mga7
nss-doc-3.60.0-1.mga7
libnss3-3.60.0-1.mga7
libnss-devel-3.60.0-1.mga7
libnss-static-devel-3.60.0-1.mga7
firefox-78.6.0-1.mga7
firefox-devel-78.6.0-1.mga7
firefox-af-78.6.0-1.mga7
firefox-an-78.6.0-1.mga7
firefox-ar-78.6.0-1.mga7
firefox-ast-78.6.0-1.mga7
firefox-az-78.6.0-1.mga7
firefox-be-78.6.0-1.mga7
firefox-bg-78.6.0-1.mga7
firefox-bn-78.6.0-1.mga7
firefox-br-78.6.0-1.mga7
firefox-bs-78.6.0-1.mga7
firefox-ca-78.6.0-1.mga7
firefox-cs-78.6.0-1.mga7
firefox-cy-78.6.0-1.mga7
firefox-da-78.6.0-1.mga7
firefox-de-78.6.0-1.mga7
firefox-el-78.6.0-1.mga7
firefox-en_CA-78.6.0-1.mga7
firefox-en_GB-78.6.0-1.mga7
firefox-en_US-78.6.0-1.mga7
firefox-eo-78.6.0-1.mga7
firefox-es_AR-78.6.0-1.mga7
firefox-es_CL-78.6.0-1.mga7
firefox-es_ES-78.6.0-1.mga7
firefox-es_MX-78.6.0-1.mga7
firefox-et-78.6.0-1.mga7
firefox-eu-78.6.0-1.mga7
firefox-fa-78.6.0-1.mga7
firefox-ff-78.6.0-1.mga7
firefox-fi-78.6.0-1.mga7
firefox-fr-78.6.0-1.mga7
firefox-fy_NL-78.6.0-1.mga7
firefox-ga_IE-78.6.0-1.mga7
firefox-gd-78.6.0-1.mga7
firefox-gl-78.6.0-1.mga7
firefox-gu_IN-78.6.0-1.mga7
firefox-he-78.6.0-1.mga7
firefox-hi_IN-78.6.0-1.mga7
firefox-hr-78.6.0-1.mga7
firefox-hsb-78.6.0-1.mga7
firefox-hu-78.6.0-1.mga7
firefox-hy_AM-78.6.0-1.mga7
firefox-ia-78.6.0-1.mga7
firefox-id-78.6.0-1.mga7
firefox-is-78.6.0-1.mga7
firefox-it-78.6.0-1.mga7
firefox-ja-78.6.0-1.mga7
firefox-ka-78.6.0-1.mga7
firefox-kab-78.6.0-1.mga7
firefox-kk-78.6.0-1.mga7
firefox-km-78.6.0-1.mga7
firefox-kn-78.6.0-1.mga7
firefox-ko-78.6.0-1.mga7
firefox-lij-78.6.0-1.mga7
firefox-lt-78.6.0-1.mga7
firefox-lv-78.6.0-1.mga7
firefox-mk-78.6.0-1.mga7
firefox-mr-78.6.0-1.mga7
firefox-ms-78.6.0-1.mga7
firefox-my-78.6.0-1.mga7
firefox-nb_NO-78.6.0-1.mga7
firefox-nl-78.6.0-1.mga7
firefox-nn_NO-78.6.0-1.mga7
firefox-oc-78.6.0-1.mga7
firefox-pa_IN-78.6.0-1.mga7
firefox-pl-78.6.0-1.mga7
firefox-pt_BR-78.6.0-1.mga7
firefox-pt_PT-78.6.0-1.mga7
firefox-ro-78.6.0-1.mga7
firefox-ru-78.6.0-1.mga7
firefox-si-78.6.0-1.mga7
firefox-sk-78.6.0-1.mga7
firefox-sl-78.6.0-1.mga7
firefox-sq-78.6.0-1.mga7
firefox-sr-78.6.0-1.mga7
firefox-sv_SE-78.6.0-1.mga7
firefox-ta-78.6.0-1.mga7
firefox-te-78.6.0-1.mga7
firefox-th-78.6.0-1.mga7
firefox-tl-78.6.0-1.mga7
firefox-tr-78.6.0-1.mga7
firefox-uk-78.6.0-1.mga7
firefox-ur-78.6.0-1.mga7
firefox-uz-78.6.0-1.mga7
firefox-vi-78.6.0-1.mga7
firefox-xh-78.6.0-1.mga7
firefox-zh_CN-78.6.0-1.mga7
firefox-zh_TW-78.6.0-1.mga7

from SRPMS:
nss-3.60.0-1.mga7.src.rpm
firefox-78.6.0-1.mga7.src.rpm
firefox-l10n-78.6.0-1.mga7.src.rpm
Comment 1 David Walser 2020-12-15 02:05:00 CET 
Should be available on mirrors in a few hours.  Packages in Comment 0.  Advisory to come.

Assignee: bugsquad => qa-bugs

Comment 2 Len Lawrence 2020-12-15 17:16:16 CET 
mga7, x64

Installed the nss, firefox packages, firefox-en-{GB,US}, including -devel.
Restarted firefox and restored previous session.  So far so good.
Connected to NAS drive monitor OK. Thunderbird weblinks work.
$ firefox localhost:631
brings up CUPS server page.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-12-15 17:19:26 CET 
"Rosanna Toto" in search bar brought up a Youtube video.  Sound and video working fine.
Comment 4 David Walser 2020-12-15 17:24:56 CET 
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

When a BigInt was right-shifted the backing store was not properly cleared,
allowing uninitialized memory to be read (CVE-2020-16042).

Certain blit values provided by the user were not properly constrained leading
to a heap buffer overflow in WebGL on some video drivers (CVE-2020-26971).

Certain input to the CSS Sanitizer confused it, resulting in incorrect
components being removed. This could have been used as a sanitizer bypass
(CVE-2020-26973).

When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object
could have been incorrectly cast to the wrong type. This resulted in a heap
user-after-free, memory corruption, and a potentially exploitable crash
(CVE-2020-26974).

Using techniques that built on the slipstream research, a malicious webpage
could have exposed both an internal network's hosts as well as services running
on the user's local machine (CVE-2020-26978).

When an extension with the proxy permission registered to receive <all_urls>,
the proxy.onRequest callback was not triggered for view-source URLs. While web
content cannot navigate to such URLs, a user opening View Source could have
inadvertently leaked their IP address (CVE-2020-35111).

Mozilla developer Christian Holler reported memory safety bugs present in
Firefox ESR 78.5. Some of these bugs showed evidence of memory corruption and
we presume that with enough effort some of these could have been exploited to
run arbitrary code (CVE-2020-35113).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26971
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26973
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35113
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.60_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/
Comment 5 Bill Wilkinson 2020-12-15 17:33:46 CET 
Tested mga7-64

General browsing, youtube video, jetstream javascript, all OK

CC: (none) => wrw105
Whiteboard: (none) => mga7-64-ok

Comment 6 Bill Wilkinson 2020-12-15 18:55:07 CET 
Tested mga7-32 as above, but unable to access browserbench.org for jetstream tests due to rootcerts update not recognizing its cert.

otherwise, looks good.

Whiteboard: mga7-64-ok => mga7-64-ok mga7-32-ok

Comment 7 David Walser 2020-12-16 15:19:55 CET 
RedHat has issued an advisory for this today (December 16):
https://access.redhat.com/errata/RHSA-2020:5562
Comment 8 Morgan Leijström 2020-12-16 17:54:14 CET 
64 bit OK here too.
Nvidia, Plasma
Banking sites, video sites...

CC: (none) => fri

Comment 9 Thomas Andrews 2020-12-17 00:36:29 CET 
Updated both Firefox and Thunderbird in one operation. Both look good.

Validating. Advisory in Comment 4.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 10 Aurelien Oudelet 2020-12-17 09:26:03 CET 
Advisory pushed to SVN.

CC: (none) => ouaurelien
CVE: (none) => CVE-2020-16042, CVE-2020-26971, CVE-2020-26973, CVE-2020-26974, CVE-2020-26978, CVE-2020-35111, CVE-2020-35113
Keywords: (none) => advisory

Comment 11 Mageia Robot 2020-12-17 14:12:16 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0461.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED