Bug 30134

Summary: Firefox 91.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: davidwhodgins, fri, joselp, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK MGA8-32-OK
Source RPM: firefox CVE:
Status comment:

Description David Walser 2022-03-07 18:16:37 CET 
Mozilla has released Firefox 91.7.0 today (March 7):
https://www.mozilla.org/en-US/firefox/91.7.0/releasenotes/

The release notes for 91.7.0 are not available yet as of this posting.

NSS and rootcerts updates already went out in Bug 30124.

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
firefox-91.7.0-1.mga8
firefox-ru-91.7.0-1.mga8
firefox-uk-91.7.0-1.mga8
firefox-be-91.7.0-1.mga8
firefox-el-91.7.0-1.mga8
firefox-kk-91.7.0-1.mga8
firefox-th-91.7.0-1.mga8
firefox-pa_IN-91.7.0-1.mga8
firefox-ka-91.7.0-1.mga8
firefox-ja-91.7.0-1.mga8
firefox-bg-91.7.0-1.mga8
firefox-sr-91.7.0-1.mga8
firefox-hy_AM-91.7.0-1.mga8
firefox-ko-91.7.0-1.mga8
firefox-zh_TW-91.7.0-1.mga8
firefox-vi-91.7.0-1.mga8
firefox-zh_CN-91.7.0-1.mga8
firefox-hu-91.7.0-1.mga8
firefox-bn-91.7.0-1.mga8
firefox-hi_IN-91.7.0-1.mga8
firefox-ar-91.7.0-1.mga8
firefox-sk-91.7.0-1.mga8
firefox-cs-91.7.0-1.mga8
firefox-ur-91.7.0-1.mga8
firefox-hsb-91.7.0-1.mga8
firefox-lt-91.7.0-1.mga8
firefox-te-91.7.0-1.mga8
firefox-fr-91.7.0-1.mga8
firefox-he-91.7.0-1.mga8
firefox-pl-91.7.0-1.mga8
firefox-sq-91.7.0-1.mga8
firefox-fa-91.7.0-1.mga8
firefox-de-91.7.0-1.mga8
firefox-oc-91.7.0-1.mga8
firefox-tr-91.7.0-1.mga8
firefox-kab-91.7.0-1.mga8
firefox-es_MX-91.7.0-1.mga8
firefox-es_AR-91.7.0-1.mga8
firefox-es_CL-91.7.0-1.mga8
firefox-pt_PT-91.7.0-1.mga8
firefox-fy_NL-91.7.0-1.mga8
firefox-pt_BR-91.7.0-1.mga8
firefox-gl-91.7.0-1.mga8
firefox-cy-91.7.0-1.mga8
firefox-sv_SE-91.7.0-1.mga8
firefox-gd-91.7.0-1.mga8
firefox-km-91.7.0-1.mga8
firefox-ro-91.7.0-1.mga8
firefox-mr-91.7.0-1.mga8
firefox-gu_IN-91.7.0-1.mga8
firefox-hr-91.7.0-1.mga8
firefox-sl-91.7.0-1.mga8
firefox-nl-91.7.0-1.mga8
firefox-es_ES-91.7.0-1.mga8
firefox-eo-91.7.0-1.mga8
firefox-ca-91.7.0-1.mga8
firefox-da-91.7.0-1.mga8
firefox-fi-91.7.0-1.mga8
firefox-eu-91.7.0-1.mga8
firefox-ia-91.7.0-1.mga8
firefox-nn_NO-91.7.0-1.mga8
firefox-nb_NO-91.7.0-1.mga8
firefox-br-91.7.0-1.mga8
firefox-id-91.7.0-1.mga8
firefox-tl-91.7.0-1.mga8
firefox-my-91.7.0-1.mga8
firefox-ta-91.7.0-1.mga8
firefox-en_GB-91.7.0-1.mga8
firefox-szl-91.7.0-1.mga8
firefox-en_CA-91.7.0-1.mga8
firefox-an-91.7.0-1.mga8
firefox-ast-91.7.0-1.mga8
firefox-kn-91.7.0-1.mga8
firefox-az-91.7.0-1.mga8
firefox-si-91.7.0-1.mga8
firefox-en_US-91.7.0-1.mga8
firefox-et-91.7.0-1.mga8
firefox-ff-91.7.0-1.mga8
firefox-lij-91.7.0-1.mga8
firefox-uz-91.7.0-1.mga8
firefox-is-91.7.0-1.mga8
firefox-mk-91.7.0-1.mga8
firefox-lv-91.7.0-1.mga8
firefox-bs-91.7.0-1.mga8
firefox-ga_IE-91.7.0-1.mga8
firefox-it-91.7.0-1.mga8
firefox-ms-91.7.0-1.mga8
firefox-xh-91.7.0-1.mga8
firefox-af-91.7.0-1.mga8

from SRPMS:
firefox-91.7.0-1.mga8.src.rpm
firefox-l10n-91.7.0-1.mga8.src.rpm
Comment 1 David Walser 2022-03-08 00:01:46 CET 
Packages submitted to the build system and should be available in a few hours.

Assignee: luigiwalser => qa-bugs

Comment 2 Dave Hodgins 2022-03-08 00:44:17 CET 
Advisory committed to svn as ...
$ cat 30134.adv 
type: security
subject: Updated firefox packages fix security vulnerability
src:
  8:
   core:
     - firefox-91.7.0-1.mga8
     - firefox-l10n-91.7.0-1.mga8
description: |
  Release notes are not available at this time. See the referenced
  link when they do become available.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=30134
 - https://www.mozilla.org/en-US/firefox/91.7.0/releasenotes/

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 3 David Walser 2022-03-08 02:14:51 CET 
That's not the real advisory.  The release notes will be available tomorrow.
David Walser 2022-03-08 02:15:13 CET

Keywords: advisory => (none)

Comment 4 Dave Hodgins 2022-03-08 06:25:27 CET 
Tested on x86-64 using Canadian English and Parisian French, i586 under vb, and
aarch64 on rpi 4b.

Validating the update. Ready to push as soon as the real advisory is available
and updated in svn.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK

Comment 5 David Walser 2022-03-08 06:32:05 CET 
Thanks.  I don't think the updates pushing script actually checks for the advisory keyword in Bugzilla, it just checks for one in SVN, so let's hold off on validating while there's an incorrect one there.

Keywords: validated_update => (none)

Comment 6 Jose Manuel López 2022-03-08 10:52:50 CET 
Hi, I have tested in Vbox and in my personal computer. Works fine, video and audio, settings, banks, sync, updated from Firefox 91.6.

CC: (none) => joselp

Comment 7 David Walser 2022-03-08 16:14:17 CET 
Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An attacker could have caused a use-after-free by forcing a text reflow in an
SVG object leading to a potentially exploitable crash (CVE-2022-26381).

When resizing a popup after requesting fullscreen access, the popup would not
display the fullscreen notification (CVE-2022-26383).

If an attacker could control the contents of an iframe sandboxed with
allow-popups but not allow-scripts, they were able to craft a link that, when
clicked, would lead to JavaScript execution in violation of the sandbox
(CVE-2022-26384).

Previously Firefox for macOS and Linux would download temporary files to a
user-specific directory in /tmp, but this behavior was changed to download
them to /tmp where they could be affected by other local users. This behavior
was reverted to the original, user-specific directory (CVE-2022-26386).

When installing an add-on, Firefox verified the signature before prompting the
user; but while the user was confirming the prompt, the underlying add-on file
could have been modified and Firefox would not have noticed (CVE-2022-26387).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26381
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26383
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26384
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26386
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26387
https://www.mozilla.org/en-US/security/advisories/mfsa2022-11/

Keywords: (none) => advisory, validated_update

Comment 8 Thomas Backlund 2022-03-08 17:49:58 CET 
(In reply to David Walser from comment #5)
> Thanks.  I don't think the updates pushing script actually checks for the
> advisory keyword in Bugzilla, it just checks for one in SVN, so let's hold
> off on validating while there's an incorrect one there.

Yes, if there is an advisory file added in svn, we only check for validated_update keyword (and potential blocker bugs)

the "advisory" keywoard is for showing up as as a "*" in madb to inform that the advisory has been added to svn.

Is the updated advisory from comment 7 committed to svn ?
Comment 9 Dave Hodgins 2022-03-08 18:02:46 CET 
Yes, David Walser updated it at 2022-03-08 16:14:17 +0100
Comment 10 Mageia Robot 2022-03-08 19:11:39 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0093.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 Morgan Leijström 2022-03-08 21:18:19 CET 
OK mga8-64, swedish, i7, plasma, nvidia-current, 4kscreen
various sites; banking, video...

CC: (none) => fri

Comment 12 David Walser 2022-03-10 16:51:23 CET 
RedHat has issued an advisory for this today (March 10):
https://access.redhat.com/errata/RHSA-2022:0818