Bug 23150 - Firefox 52.8.1
Summary: Firefox 52.8.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure mga6-64-ok MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-08 05:20 CEST by David Walser
Modified: 2018-06-14 20:16 CEST

See Also:
Source RPM: firefox
CVE:
Status comment:


Description David Walser 2018-06-08 05:20:49 CEST
Mozilla has released Firefox 52.8.1 on June 6:
https://www.mozilla.org/en-US/firefox/52.8.1/releasenotes/

Security fix is listed here:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/

Mageia 5 Firefox still fails to build.

Advisory:
========================

Updated firefox packages fix security vulnerability:

A heap buffer overflow can occur in the Skia library when rasterizing paths
using a maliciously crafted SVG file with anti-aliasing turned off. This
results in a potentially exploitable crash (CVE-2018-6126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126
https://www.mozilla.org/en-US/security/advisories/mfsa2018-14/
https://www.mozilla.org/en-US/security/known-vulnerabilities/firefox-esr/
========================

Updated packages in core/updates_testing:
========================
firefox-52.8.1-1.mga6
firefox-devel-52.8.1-1.mga6
firefox-af-52.8.1-1.mga6
firefox-an-52.8.1-1.mga6
firefox-ar-52.8.1-1.mga6
firefox-as-52.8.1-1.mga6
firefox-ast-52.8.1-1.mga6
firefox-az-52.8.1-1.mga6
firefox-bg-52.8.1-1.mga6
firefox-bn_IN-52.8.1-1.mga6
firefox-bn_BD-52.8.1-1.mga6
firefox-br-52.8.1-1.mga6
firefox-bs-52.8.1-1.mga6
firefox-ca-52.8.1-1.mga6
firefox-cs-52.8.1-1.mga6
firefox-cy-52.8.1-1.mga6
firefox-da-52.8.1-1.mga6
firefox-de-52.8.1-1.mga6
firefox-el-52.8.1-1.mga6
firefox-en_GB-52.8.1-1.mga6
firefox-en_US-52.8.1-1.mga6
firefox-en_ZA-52.8.1-1.mga6
firefox-eo-52.8.1-1.mga6
firefox-es_AR-52.8.1-1.mga6
firefox-es_CL-52.8.1-1.mga6
firefox-es_ES-52.8.1-1.mga6
firefox-es_MX-52.8.1-1.mga6
firefox-et-52.8.1-1.mga6
firefox-eu-52.8.1-1.mga6
firefox-fa-52.8.1-1.mga6
firefox-ff-52.8.1-1.mga6
firefox-fi-52.8.1-1.mga6
firefox-fr-52.8.1-1.mga6
firefox-fy_NL-52.8.1-1.mga6
firefox-ga_IE-52.8.1-1.mga6
firefox-gd-52.8.1-1.mga6
firefox-gl-52.8.1-1.mga6
firefox-gu_IN-52.8.1-1.mga6
firefox-he-52.8.1-1.mga6
firefox-hi_IN-52.8.1-1.mga6
firefox-hr-52.8.1-1.mga6
firefox-hsb-52.8.1-1.mga6
firefox-hu-52.8.1-1.mga6
firefox-hy_AM-52.8.1-1.mga6
firefox-id-52.8.1-1.mga6
firefox-is-52.8.1-1.mga6
firefox-it-52.8.1-1.mga6
firefox-ja-52.8.1-1.mga6
firefox-kk-52.8.1-1.mga6
firefox-km-52.8.1-1.mga6
firefox-kn-52.8.1-1.mga6
firefox-ko-52.8.1-1.mga6
firefox-lij-52.8.1-1.mga6
firefox-lt-52.8.1-1.mga6
firefox-lv-52.8.1-1.mga6
firefox-mai-52.8.1-1.mga6
firefox-mk-52.8.1-1.mga6
firefox-ml-52.8.1-1.mga6
firefox-mr-52.8.1-1.mga6
firefox-ms-52.8.1-1.mga6
firefox-nb_NO-52.8.1-1.mga6
firefox-nl-52.8.1-1.mga6
firefox-nn_NO-52.8.1-1.mga6
firefox-or-52.8.1-1.mga6
firefox-pa_IN-52.8.1-1.mga6
firefox-pl-52.8.1-1.mga6
firefox-pt_BR-52.8.1-1.mga6
firefox-pt_PT-52.8.1-1.mga6
firefox-ro-52.8.1-1.mga6
firefox-ru-52.8.1-1.mga6
firefox-si-52.8.1-1.mga6
firefox-sk-52.8.1-1.mga6
firefox-sl-52.8.1-1.mga6
firefox-sq-52.8.1-1.mga6
firefox-sr-52.8.1-1.mga6
firefox-sv_SE-52.8.1-1.mga6
firefox-ta-52.8.1-1.mga6
firefox-te-52.8.1-1.mga6
firefox-th-52.8.1-1.mga6
firefox-tr-52.8.1-1.mga6
firefox-uk-52.8.1-1.mga6
firefox-uz-52.8.1-1.mga6
firefox-vi-52.8.1-1.mga6
firefox-xh-52.8.1-1.mga6
firefox-zh_CN-52.8.1-1.mga6
firefox-zh_TW-52.8.1-1.mga6

from SRPMS:
firefox-52.8.1-1.mga6.src.rpm
firefox-l10n-52.8.1-1.mga6.src.rpm

Bill Wilkinson 2018-06-08 16:53:18 CEST

Whiteboard: (none) => has_procedure mga6-64-ok
CC: (none) => wrw105

Comment 1 Bill Wilkinson 2018-06-08 16:54:12 CEST
Tested mga6-64

general browsing, video (YouTube), java plugin, jetstream, acid3 all OK

Comment 2 Len Lawrence 2018-06-08 18:39:15 CEST
Mageia 6, x86_64.

Fine here as well.  Tried jetstream, Guardian newspaper, Cassini site, Exoplanet catalog with forward link, Youtube scifi.
Acid tests behaved as before the update; Acid 2 did not match perfectly and Acid 3 returned 99/100 (one grey rectangle).
Tested local php file at localhost:8000 with apache-mod_php after starting the server.  That worked.

CC: (none) => tarazed25

Comment 3 Morgan Leijström 2018-06-08 20:08:00 CEST
64 bit some simple tests OK here too, keep using it. Plasma, Swedish.

CC: (none) => fri

Comment 4 James Kerr 2018-06-09 11:49:41 CEST
on mga6-64  plasma

installed:
firefox-en_GB-52.8.1-1.mga6.noarch 
firefox-52.8.1-1.mga6.x86_64 

no regressions noted

OK for mga6-64

CC: (none) => jim

Comment 5 James Kerr 2018-06-09 12:08:41 CEST
on mga6-32  plasma  in vbox VM

installed:
- firefox-52.8.1-1.mga6.i586
- firefox-en_GB-52.8.1-1.mga6.noarch

no regressions noted

OK for mga6-32

Whiteboard: has_procedure mga6-64-ok => has_procedure mga6-64-ok MGA6-32-OK

Comment 6 Thomas Andrews 2018-06-09 13:37:53 CEST
Used the 64-bit version to read my morning newspaper and to write this comment. Working OK here, as well.

CC: (none) => andrewsfarm

Comment 7 Thomas Andrews 2018-06-09 14:10:24 CEST
There is one site I visit where I can crash Firefox 52.x at will. It freezes up if I scroll in a certain way. As long as I avoid that situation, it's fine. Since it's this one site, it's probably their coding that's at fault, but I was hoping that this would fix it, anyway. It didn't.

Maybe, when we finally go to Firefox 60 ESR, it will. Maybe not.

Comment 8 Bill Wilkinson 2018-06-11 05:13:32 CEST
tested mga6-32 under virtual box.

Tested as above for 64 bit, all ok (with the acid3 caveat of going to 99%)

Validating, ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2018-06-13 06:53:07 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 9 Mageia Robot 2018-06-14 20:16:06 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0282.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
