| Summary: | Firefox 78.12 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | bequimao.de, brtians1, fri, hdetavernier, ouaurelien, sysadmin-bugs, wrw105 |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK MGA8-32-OK | ||
| Source RPM: | nspr, rootcerts, nss, firefox | CVE: | CVE-2021-29970, CVE-2021-29976, CVE-2021-30547 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 29258 | ||
|
Description
David Walser
2021-07-12 16:59:37 CEST
Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnspr4-4.32-1.mga8
libnspr-devel-4.32-1.mga8
rootcerts-20210525.00-1.1.mga8
rootcerts-java-20210525.00-1.1.mga8
nss-3.68.0-1.mga8
nss-doc-3.68.0-1.mga8
libnss3-3.68.0-1.mga8
libnss-devel-3.68.0-1.mga8
libnss-static-devel-3.68.0-1.mga8
firefox-78.12.0-1.mga8
firefox-devel-78.12.0-1.mga8
firefox-af-78.12.0-1.mga8
firefox-an-78.12.0-1.mga8
firefox-ar-78.12.0-1.mga8
firefox-ast-78.12.0-1.mga8
firefox-az-78.12.0-1.mga8
firefox-be-78.12.0-1.mga8
firefox-bg-78.12.0-1.mga8
firefox-bn-78.12.0-1.mga8
firefox-br-78.12.0-1.mga8
firefox-bs-78.12.0-1.mga8
firefox-ca-78.12.0-1.mga8
firefox-cs-78.12.0-1.mga8
firefox-cy-78.12.0-1.mga8
firefox-da-78.12.0-1.mga8
firefox-de-78.12.0-1.mga8
firefox-el-78.12.0-1.mga8
firefox-en_CA-78.12.0-1.mga8
firefox-en_GB-78.12.0-1.mga8
firefox-en_US-78.12.0-1.mga8
firefox-eo-78.12.0-1.mga8
firefox-es_AR-78.12.0-1.mga8
firefox-es_CL-78.12.0-1.mga8
firefox-es_ES-78.12.0-1.mga8
firefox-es_MX-78.12.0-1.mga8
firefox-et-78.12.0-1.mga8
firefox-eu-78.12.0-1.mga8
firefox-fa-78.12.0-1.mga8
firefox-ff-78.12.0-1.mga8
firefox-fi-78.12.0-1.mga8
firefox-fr-78.12.0-1.mga8
firefox-fy_NL-78.12.0-1.mga8
firefox-ga_IE-78.12.0-1.mga8
firefox-gd-78.12.0-1.mga8
firefox-gl-78.12.0-1.mga8
firefox-gu_IN-78.12.0-1.mga8
firefox-he-78.12.0-1.mga8
firefox-hi_IN-78.12.0-1.mga8
firefox-hr-78.12.0-1.mga8
firefox-hsb-78.12.0-1.mga8
firefox-hu-78.12.0-1.mga8
firefox-hy_AM-78.12.0-1.mga8
firefox-ia-78.12.0-1.mga8
firefox-id-78.12.0-1.mga8
firefox-is-78.12.0-1.mga8
firefox-it-78.12.0-1.mga8
firefox-ja-78.12.0-1.mga8
firefox-ka-78.12.0-1.mga8
firefox-kab-78.12.0-1.mga8
firefox-kk-78.12.0-1.mga8
firefox-km-78.12.0-1.mga8
firefox-kn-78.12.0-1.mga8
firefox-ko-78.12.0-1.mga8
firefox-lij-78.12.0-1.mga8
firefox-lt-78.12.0-1.mga8
firefox-lv-78.12.0-1.mga8
firefox-mk-78.12.0-1.mga8
firefox-mr-78.12.0-1.mga8
firefox-ms-78.12.0-1.mga8
firefox-my-78.12.0-1.mga8
firefox-nb_NO-78.12.0-1.mga8
firefox-nl-78.12.0-1.mga8
firefox-nn_NO-78.12.0-1.mga8
firefox-oc-78.12.0-1.mga8
firefox-pa_IN-78.12.0-1.mga8
firefox-pl-78.12.0-1.mga8
firefox-pt_BR-78.12.0-1.mga8
firefox-pt_PT-78.12.0-1.mga8
firefox-ro-78.12.0-1.mga8
firefox-ru-78.12.0-1.mga8
firefox-si-78.12.0-1.mga8
firefox-sk-78.12.0-1.mga8
firefox-sl-78.12.0-1.mga8
firefox-sq-78.12.0-1.mga8
firefox-sr-78.12.0-1.mga8
firefox-sv_SE-78.12.0-1.mga8
firefox-ta-78.12.0-1.mga8
firefox-te-78.12.0-1.mga8
firefox-th-78.12.0-1.mga8
firefox-tl-78.12.0-1.mga8
firefox-tr-78.12.0-1.mga8
firefox-uk-78.12.0-1.mga8
firefox-ur-78.12.0-1.mga8
firefox-uz-78.12.0-1.mga8
firefox-vi-78.12.0-1.mga8
firefox-xh-78.12.0-1.mga8
firefox-zh_CN-78.12.0-1.mga8
firefox-zh_TW-78.12.0-1.mga8

from SRPMS:
nspr-4.32-1.mga8.src.rpm
rootcerts-20210525.00-1.1.mga8.src.rpm
nss-3.68.0-1.mga8.src.rpm
firefox-78.12.0-1.mga8.src.rpm
firefox-l10n-78.12.0-1.mga8.src.rpm

Packages should be available on your local mirror in the next few hours.

Assignee: bugsquad => qa-bugs

Release notes are posted. Also this is working fine for me on Mageia 8 x86_64.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A malicious webpage could have triggered a use-after-free in accessibility features of a document, causing memory corruption and a potentially exploitable crash when accessibility was enabled (CVE-2021-29970).

Mozilla developers Valentin Gosu, Randell Jesup, Emil Ghitta, Tyson Smith, and Olli Pettay reported memory safety bugs present in Firefox ESR 78.11. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2021-29976).

An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash (CVE-2021-30547).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29970
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29976
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30547
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/M01xJ10PkAc
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.67_release_notes
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.68_release_notes
https://www.mozilla.org/en-US/security/advisories/mfsa2021-29/

Using QARepo:
$ LANG=C sudo urpmi --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Updates (distrib37)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "QA Testing (64-bit)")
firefox 78.12.0 1.mga8 x86_64
firefox-fr 78.12.0 1.mga8 noarch
lib64nspr4 4.32 1.mga8 x86_64
lib64nss3 3.68.0 1.mga8 x86_64
nss 3.68.0 1.mga8 x86_64
rootcerts 20210525.00 1.1.mga8 noarch
rootcerts-java 20210525.00 1.1.mga8 noarch
140KB of disk space will be freed.
67MB of packages will be retrieved.
Proceed with the installation of the 7 packages? (Y/n) y
installing lib64nspr4-4.32-1.mga8.x86_64.rpm lib64nss3-3.68.0-1.mga8.x86_64.rpm firefox-fr-78.12.0-1.mga8.noarch.rpm rootcerts-20210525.00-1.1.mga8.noarch.rpm nss-3.68.0-1.mga8.x86_64.rpm rootcerts-java-20210525.00-1.1.mga8.noarch.rpm firefox-78.12.0-1.mga8.x86_64.rpm from //home/aurelien/qa-testing/x86_64
Preparing... ##########################################################################
1/7: lib64nspr4 ##########################################################################
2/7: nss ##########################################################################
3/7: lib64nss3 ##########################################################################
4/7: firefox-fr ##########################################################################
5/7: firefox ##########################################################################
6/7: rootcerts-java ##########################################################################
7/7: rootcerts ##########################################################################
1/7: removing firefox-fr-78.11.0-1.mga8.noarch
##########################################################################
2/7: removing rootcerts-java-1:20210525.00-1.mga8.noarch
##########################################################################
3/7: removing rootcerts-1:20210525.00-1.mga8.noarch
##########################################################################
4/7: removing firefox-0:78.11.0-1.mga8.x86_64
##########################################################################
5/7: removing lib64nss3-2:3.66.0-1.mga8.x86_64
##########################################################################
6/7: removing nss-2:3.66.0-1.mga8.x86_64
##########################################################################
7/7: removing lib64nspr4-2:4.31-1.mga8.x86_64
##########################################################################
Updated OK.
Testing basic browsing,
SSL OK
Widevine-enabled sites OK
Printing OK
UI in French for me OK.
Giving this an OK.

CC: (none) => ouaurelien

OK here mga8 x86_64, Plasma, nvidia-current, Swedish
Picks up previously opened tabs, settings...
Did some banking, forums, watched videos,

CC: (none) => fri

MGA8 - 64 - GNOME - Laptop

The following 11 packages are going to be installed:

- firefox-78.12.0-1.mga8.x86_64
- firefox-en_CA-78.12.0-1.mga8.noarch
- firefox-en_GB-78.12.0-1.mga8.noarch
- firefox-en_US-78.12.0-1.mga8.noarch
- glibc-2.32-17.mga8.x86_64
- glibc-devel-2.32-17.mga8.x86_64
- lib64nspr4-4.32-1.mga8.x86_64
- lib64nss3-3.68.0-1.mga8.x86_64
- nss-3.68.0-1.mga8.x86_64
- rootcerts-20210525.00-1.1.mga8.noarch
- rootcerts-java-20210525.00-1.1.mga8.noarch

rebooted browser working as expected.

CC: (none) => brtians1

David Walser
2021-07-15 15:08:19 CEST
Blocks: (none) => 29258

RedHat has issued an advisory for this today (July 15):
https://access.redhat.com/errata/RHSA-2021:2741

Mageia 8 X64
urpmi --media "Core Updates testing" firefox
Pour satisfaire les dépendances, les paquetages suivants vont être installés :
Paquetage Version Révision Arch
(média « Core Updates Testing »)
firefox 78.12.0 1.mga8 x86_64
firefox-fr 78.12.0 1.mga8 noarch
un espace de 188Ko sera libéré.
57Mo de paquets seront récupérés.
Procéder à l'installation des 2 paquetages ? (O/n) O
$MIRRORLIST: media/core/updates_testing/firefox-fr-78.12.0-1.mga8.noarch.rpm
$MIRRORLIST: media/core/updates_testing/firefox-78.12.0-1.mga8.x86_64.rpm
installation de firefox-fr-78.12.0-1.mga8.noarch.rpm firefox-78.12.0-1.mga8.x86_64.rpm depuis /var/cache/urpmi/rpms
Préparation... #############################################
1/2: firefox #############################################
2/2: firefox-fr #############################################
1/2: désinstallation de firefox-fr-78.11.0-1.mga8.noarch
#############################################
2/2: désinstallation de firefox-0:78.11.0-1.mga8.x86_64
#############################################
rpm -q firefox
firefox-78.12.0-1.mga8
Bookmarks are still there :)
Tested with youtube, Twitch and other sites without problems

CC: (none) => hdetavernier

Tested mga8-64
General browsing, video, jetstream all OK

CC: (none) => wrw105

Tested in MGA8 64-bit. Languages are German and Brazilian Portuguese. No regression found.

CC: (none) => bequimao.de

It works OK under a MGA8-32 Plasma VM.

Validating.
Advisory committed to SVN.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0354.html

Resolution: (none) => FIXED

NSS 3.68's release notes are finally available here:
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_68.html |