Bug 23031 - Firefox 52.8.0
Summary: Firefox 52.8.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok has_procedure mga6-32-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-05-13 23:58 CEST by David Walser
Modified: 2018-05-17 12:55 CEST

See Also:
Source RPM: rootcerts, nss, firefox
CVE:
Status comment:


Description David Walser 2018-05-13 23:58:55 CEST
Mozilla has released Firefox 52.8.0 on May 9:
https://www.mozilla.org/en-US/firefox/52.8.0/releasenotes/

Security fixes are listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/

This also brings a rootcerts update (and nss rebuild) to 20180411.

Mageia 5 Firefox still fails to build.

Updated packages:
rootcerts-20180411.00-1.mga6
rootcerts-java-20180411.00-1.mga6
nss-3.28.6-1.4.mga6
nss-doc-3.28.6-1.4.mga6
libnss3-3.28.6-1.4.mga6
libnss-devel-3.28.6-1.4.mga6
libnss-static-devel-3.28.6-1.4.mga6
firefox-52.8.0-1.mga6
firefox-devel-52.8.0-1.mga6
firefox-af-52.8.0-1.mga6
firefox-an-52.8.0-1.mga6
firefox-ar-52.8.0-1.mga6
firefox-as-52.8.0-1.mga6
firefox-ast-52.8.0-1.mga6
firefox-az-52.8.0-1.mga6
firefox-bg-52.8.0-1.mga6
firefox-bn_IN-52.8.0-1.mga6
firefox-bn_BD-52.8.0-1.mga6
firefox-br-52.8.0-1.mga6
firefox-bs-52.8.0-1.mga6
firefox-ca-52.8.0-1.mga6
firefox-cs-52.8.0-1.mga6
firefox-cy-52.8.0-1.mga6
firefox-da-52.8.0-1.mga6
firefox-de-52.8.0-1.mga6
firefox-el-52.8.0-1.mga6
firefox-en_GB-52.8.0-1.mga6
firefox-en_US-52.8.0-1.mga6
firefox-en_ZA-52.8.0-1.mga6
firefox-eo-52.8.0-1.mga6
firefox-es_AR-52.8.0-1.mga6
firefox-es_CL-52.8.0-1.mga6
firefox-es_ES-52.8.0-1.mga6
firefox-es_MX-52.8.0-1.mga6
firefox-et-52.8.0-1.mga6
firefox-eu-52.8.0-1.mga6
firefox-fa-52.8.0-1.mga6
firefox-ff-52.8.0-1.mga6
firefox-fi-52.8.0-1.mga6
firefox-fr-52.8.0-1.mga6
firefox-fy_NL-52.8.0-1.mga6
firefox-ga_IE-52.8.0-1.mga6
firefox-gd-52.8.0-1.mga6
firefox-gl-52.8.0-1.mga6
firefox-gu_IN-52.8.0-1.mga6
firefox-he-52.8.0-1.mga6
firefox-hi_IN-52.8.0-1.mga6
firefox-hr-52.8.0-1.mga6
firefox-hsb-52.8.0-1.mga6
firefox-hu-52.8.0-1.mga6
firefox-hy_AM-52.8.0-1.mga6
firefox-id-52.8.0-1.mga6
firefox-is-52.8.0-1.mga6
firefox-it-52.8.0-1.mga6
firefox-ja-52.8.0-1.mga6
firefox-kk-52.8.0-1.mga6
firefox-km-52.8.0-1.mga6
firefox-kn-52.8.0-1.mga6
firefox-ko-52.8.0-1.mga6
firefox-lij-52.8.0-1.mga6
firefox-lt-52.8.0-1.mga6
firefox-lv-52.8.0-1.mga6
firefox-mai-52.8.0-1.mga6
firefox-mk-52.8.0-1.mga6
firefox-ml-52.8.0-1.mga6
firefox-mr-52.8.0-1.mga6
firefox-ms-52.8.0-1.mga6
firefox-nb_NO-52.8.0-1.mga6
firefox-nl-52.8.0-1.mga6
firefox-nn_NO-52.8.0-1.mga6
firefox-or-52.8.0-1.mga6
firefox-pa_IN-52.8.0-1.mga6
firefox-pl-52.8.0-1.mga6
firefox-pt_BR-52.8.0-1.mga6
firefox-pt_PT-52.8.0-1.mga6
firefox-ro-52.8.0-1.mga6
firefox-ru-52.8.0-1.mga6
firefox-si-52.8.0-1.mga6
firefox-sk-52.8.0-1.mga6
firefox-sl-52.8.0-1.mga6
firefox-sq-52.8.0-1.mga6
firefox-sr-52.8.0-1.mga6
firefox-sv_SE-52.8.0-1.mga6
firefox-ta-52.8.0-1.mga6
firefox-te-52.8.0-1.mga6
firefox-th-52.8.0-1.mga6
firefox-tr-52.8.0-1.mga6
firefox-uk-52.8.0-1.mga6
firefox-uz-52.8.0-1.mga6
firefox-vi-52.8.0-1.mga6
firefox-xh-52.8.0-1.mga6
firefox-zh_CN-52.8.0-1.mga6
firefox-zh_TW-52.8.0-1.mga6

from SRPMS:
rootcerts-20180411.00-1.mga6.src.rpm
nss-3.28.6-1.4.mga6.src.rpm
firefox-52.8.0-1.mga6.src.rpm
firefox-l10n-52.8.0-1.mga6.src.rpm

Comment 1 Morgan Leijström 2018-05-14 00:58:08 CEST
Firefox 52.8.0-1 OK here 64 bit;

- firefox-52.8.0-1.mga6.x86_64
- firefox-sv_SE-52.8.0-1.mga6.noarch

This system uses kernel 4.14.40-1, nvidia-current-390.48-1 also from testing.
Reopening tabs that were open in old version, plugins OK, Playing video OK.

CC: (none) => fri

Comment 2 Lewis Smith 2018-05-14 13:04:34 CEST
TESTING M6/64 real hardware with AMD/ATI/Radeon video

 rootcerts-20180411.00-1.mga6
 rootcerts-java-20180411.00-1.mga6
 nss-3.28.6-1.4.mga6
 lib64nss3-3.28.6-1.4.mga6
 firefox-52.8.0-1.mga6
 firefox-cy-52.8.0-1.mga6
 firefox-en_GB-52.8.0-1.mga6

Using it now, have tried a couple of mixed content sites including video with sound, all looks OK.

Comment 3 Bill Wilkinson 2018-05-14 15:52:36 CEST
Tested mga6-64

general browsing, jetstream, javatester all OK.

Acid3 renders to 99% with the yellow box rendering as gray.

Whiteboard: (none) => mga6-64-ok has_procedure
CC: (none) => wrw105

Comment 4 Lewis Smith 2018-05-14 16:08:53 CEST
(In reply to Bill Wilkinson from comment #3)
> Acid3 renders to 99% with the yellow box rendering as gray.
Could you please explain this - for future reference?

Comment 5 Bill Wilkinson 2018-05-14 19:52:36 CEST
Lewis,

The Acid tests (acidtests.org) are a series of browser standards compliance tests, the most often used of which are acid2 and acid3. The acid3 test, which supersedes acid2, runs a script which lists a percentage and renders 7 boxes in the colors of the rainbow. If the script runs smoothly to 100% and all 7 boxes are the right color, the test passes. This may be an issue with my own machine (it's from 2006), and has had some issues with previous releases. Just part of the test to make sure browsers are working as they should.

Comment 6 Dave Hodgins 2018-05-14 21:36:26 CEST
Interesting.

In firefox 52.8, it reaches 97/100, but does not display any of the boxes, so
it's a complete fail on my system.

In firefox 52.6 (in a vb guest I haven't updated yet), it reaches 98/100 with
the 3rd and 5th boxes gray, so the change is a regression.

Btw, in opera 12.16, http://acid3.acidtests.org/ reaches 100/100 and displays
correctly, while in google chrome, it reaches 97/100, with the second and third
box showing gray instead of orange/yellow.

While it is a regression, and as Bill reported, system dependent, it's not one
serious enough to block the update.

CC: (none) => davidwhodgins

Comment 7 Len Lawrence 2018-05-15 10:50:46 CEST
Tried the acid tests:
1) Looked good
2) Not completely congruent; extra rectangle over the message.
3) 99/100

CC: (none) => tarazed25

Comment 8 David Walser 2018-05-15 21:48:32 CEST
Red Hat has issued an advisory for this on May 14:
https://access.redhat.com/errata/RHSA-2018:1415

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

Mozilla: Memory safety bugs fixed in Firefox ESR 52.8 (CVE-2018-5150).

Mozilla: Backport critical security fixes in Skia (CVE-2018-5183).

Mozilla: Use-after-free with SVG animations and clip paths (CVE-2018-5154).

Mozilla: Use-after-free with SVG animations and text paths (CVE-2018-5155).

Mozilla: Same-origin bypass of PDF Viewer to view protected PDF files
(CVE-2018-5157).

Mozilla: Malicious PDF can inject JavaScript into PDF Viewer (CVE-2018-5158).

Mozilla: Integer overflow and out-of-bounds write in Skia (CVE-2018-5159).

Mozilla: Lightweight themes can be installed without user interaction
(CVE-2018-5168).

Mozilla: Buffer overflow during UTF-8 to Unicode string conversion through
legacy extension (CVE-2018-5178).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5154
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5178
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5183
https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/
https://www.mozilla.org/security/known-vulnerabilities/firefox-esr/
https://access.redhat.com/errata/RHSA-2018:1415

Comment 9 Bill Wilkinson 2018-05-17 05:11:25 CEST
Tested mga6-32 in VirtualBox under MATE as above, same results.

Ready for validation when advisory added to svn.

Whiteboard: mga6-64-ok has_procedure => mga6-64-ok has_procedure mga6-32-ok

Bill Wilkinson 2018-05-17 05:17:29 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Thomas Backlund 2018-05-17 12:36:44 CEST
Advisory added to svn

CC: (none) => tmb
Keywords: (none) => advisory

Comment 11 Mageia Robot 2018-05-17 12:55:58 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0248.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
