Mozilla has released Firefox 91.10.0 today (May 31):
https://www.mozilla.org/en-US/firefox/91.10.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2022-21/

There are also nspr and nss updates:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/e9q0AqO8t2k
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/ZghhNaaxnUA
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_79.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnspr4-4.34-1.mga8
libnspr-devel-4.34-1.mga8
nss-3.79.0-1.mga8
nss-doc-3.79.0-1.mga8
libnss3-3.79.0-1.mga8
libnss-devel-3.79.0-1.mga8
libnss-static-devel-3.79.0-1.mga8
firefox-91.10.0-1.mga8
firefox-ru-91.10.0-1.mga8
firefox-uk-91.10.0-1.mga8
firefox-be-91.10.0-1.mga8
firefox-el-91.10.0-1.mga8
firefox-kk-91.10.0-1.mga8
firefox-th-91.10.0-1.mga8
firefox-pa_IN-91.10.0-1.mga8
firefox-ka-91.10.0-1.mga8
firefox-ja-91.10.0-1.mga8
firefox-bg-91.10.0-1.mga8
firefox-sr-91.10.0-1.mga8
firefox-hy_AM-91.10.0-1.mga8
firefox-ko-91.10.0-1.mga8
firefox-zh_TW-91.10.0-1.mga8
firefox-vi-91.10.0-1.mga8
firefox-zh_CN-91.10.0-1.mga8
firefox-hu-91.10.0-1.mga8
firefox-bn-91.10.0-1.mga8
firefox-hi_IN-91.10.0-1.mga8
firefox-ar-91.10.0-1.mga8
firefox-sk-91.10.0-1.mga8
firefox-cs-91.10.0-1.mga8
firefox-ur-91.10.0-1.mga8
firefox-hsb-91.10.0-1.mga8
firefox-lt-91.10.0-1.mga8
firefox-te-91.10.0-1.mga8
firefox-fr-91.10.0-1.mga8
firefox-he-91.10.0-1.mga8
firefox-pl-91.10.0-1.mga8
firefox-sq-91.10.0-1.mga8
firefox-fa-91.10.0-1.mga8
firefox-de-91.10.0-1.mga8
firefox-oc-91.10.0-1.mga8
firefox-tr-91.10.0-1.mga8
firefox-kab-91.10.0-1.mga8
firefox-es_MX-91.10.0-1.mga8
firefox-es_AR-91.10.0-1.mga8
firefox-es_CL-91.10.0-1.mga8
firefox-pt_PT-91.10.0-1.mga8
firefox-fy_NL-91.10.0-1.mga8
firefox-pt_BR-91.10.0-1.mga8
firefox-gl-91.10.0-1.mga8
firefox-cy-91.10.0-1.mga8
firefox-sv_SE-91.10.0-1.mga8
firefox-gd-91.10.0-1.mga8
firefox-km-91.10.0-1.mga8
firefox-ro-91.10.0-1.mga8
firefox-mr-91.10.0-1.mga8
firefox-gu_IN-91.10.0-1.mga8
firefox-hr-91.10.0-1.mga8
firefox-sl-91.10.0-1.mga8
firefox-nl-91.10.0-1.mga8
firefox-es_ES-91.10.0-1.mga8
firefox-eo-91.10.0-1.mga8
firefox-ca-91.10.0-1.mga8
firefox-da-91.10.0-1.mga8
firefox-fi-91.10.0-1.mga8
firefox-eu-91.10.0-1.mga8
firefox-ia-91.10.0-1.mga8
firefox-nn_NO-91.10.0-1.mga8
firefox-nb_NO-91.10.0-1.mga8
firefox-br-91.10.0-1.mga8
firefox-id-91.10.0-1.mga8
firefox-tl-91.10.0-1.mga8
firefox-my-91.10.0-1.mga8
firefox-ta-91.10.0-1.mga8
firefox-en_GB-91.10.0-1.mga8
firefox-szl-91.10.0-1.mga8
firefox-en_CA-91.10.0-1.mga8
firefox-an-91.10.0-1.mga8
firefox-ast-91.10.0-1.mga8
firefox-kn-91.10.0-1.mga8
firefox-az-91.10.0-1.mga8
firefox-si-91.10.0-1.mga8
firefox-en_US-91.10.0-1.mga8
firefox-et-91.10.0-1.mga8
firefox-ff-91.10.0-1.mga8
firefox-lij-91.10.0-1.mga8
firefox-uz-91.10.0-1.mga8
firefox-is-91.10.0-1.mga8
firefox-mk-91.10.0-1.mga8
firefox-lv-91.10.0-1.mga8
firefox-bs-91.10.0-1.mga8
firefox-ga_IE-91.10.0-1.mga8
firefox-it-91.10.0-1.mga8
firefox-ms-91.10.0-1.mga8
firefox-xh-91.10.0-1.mga8
firefox-af-91.10.0-1.mga8

from SRPMS:
nspr-4.34-1.mga8.src.rpm
nss-3.79.0-1.mga8.src.rpm
firefox-91.10.0-1.mga8.src.rpm
firefox-l10n-91.10.0-1.mga8.src.rpm
Blocks: (none) => 30499
Packages are in the process of being submitted to the build system and should be available later today.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A malicious website could have learned the size of a cross-origin resource that supported Range requests (CVE-2022-31736).

A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash (CVE-2022-31737).

When exiting fullscreen mode, an iframe could have confused the browser about the current state of fullscreen, resulting in potential user confusion or spoofing attacks (CVE-2022-31738).

On arm64, WASM code could have resulted in incorrect assembly generation leading to a register allocation problem, and a potentially exploitable crash (CVE-2022-31740).

A crafted CMS message could have been processed incorrectly, leading to an invalid memory read, and potentially further memory corruption (CVE-2022-31741).

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals (CVE-2022-31742).

Mozilla developers Andrew McCreight, Nicolas B. Pierron, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 91.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code (CVE-2022-31747).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31747
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/e9q0AqO8t2k
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/ZghhNaaxnUA
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_79.html
https://www.mozilla.org/en-US/security/advisories/mfsa2022-21/
RedHat has issued an advisory for this today (June 1): https://access.redhat.com/errata/RHSA-2022:4870
(In reply to David Walser from comment #1)
> should be available later today.

I see nss, but not Firefox?
CC: (none) => fri
Having a build system issue in Cauldron.
Packages finally building and should be available later today.
Assignee: luigiwalser => qa-bugs
mga8-64 OK here Plasma, nvidia-current Swedish locale Tested some video sites, banking, and eshops
HP Probook 6550b, MGA8-64 Plasma system. Updated Firefox and Thunderbird in one operation. All websites seem to work, but there is one VERY annoying new "feature" - at least two ad blockers have ceased to function. I use Adblock Plus and Ultimate Adblocker, and until this update both were working (though not at the same time, of course). When it is working properly, Adblock Plus will block most ads, but will allow certain "unobtrusive" ads. But after this update it doesn't block ANY of them. Ultimate Adblocker is supposed to block all ads, and it, too, isn't blocking any of them. And before you ask, I did check my add-ons to make sure that each, in turn, was listed as "enabled." As far as I know, both extensions are up-to-date. If just one was affected, I'd suspect the add-on. But with both of them effectively disabled, it has to be Firefox that is the problem.
CC: (none) => andrewsfarm
I just checked, and my Ultimate Adblocker was last updated on 25 May, while Adblock Plus was updated 31 May. Just a few days ago for each, and both worked yesterday before this Firefox update.
On a different computer now, where I have the vendor's Firefox installed in parallel to ours. Just updated to version 101.0, and Ultimate Adblocker updated itself. And it still works. A problem with our build?
One question: do you have both adblockers installed at the same time in the same firefox profile? It is not recommended to have more than one adblocker installed at the same time as this will definitely lead to problems. If you don't have them installed in the same profile, then I misread your comment 7 and you can forget my question...
Both are installed, but only one is enabled at a time. And when I switch them, I always disable the one that is enabled before I enable the other. I've been doing it this way for years, and it's never been a problem before. Most of the time, I use the one that blocks all ads, but every once in a while I run into sites that won't work unless some of the ads are enabled. I have to go to work now, but later today I will try removing one or the other in the install where they aren't working, and see if the problem goes away. And with either enabled, a site that won't work with ANY ad blocker enabled still works. Right now, it's as if both are disabled, even when each shows as enabled.
Maybe it would also help to create a new firefox profile for testing (this would create a clean testing environment as your old firefox profile could be "bad"). Install only one adblocker in the new firefox profile and check if it works. If it works with only one extension then either the two extensions are blocking each other or your firefox profile is borked.
I don't know what has happened to that install. Now, it's completely borked, refuses to boot, sent off to emergency mode. Simplest fix is probably a new re-install. I DO NOT believe that this Firefox update did this. I now think that the failure of the ad blockers was just the first noticed symptom of another failure somewhere. Hardware perhaps? Random bit rot? I don't know. I have done the update on another system with the same two-blocker setup, and everything works as it should. Sorry for the noise.
I have determined that the issues I had in the previous comments were probably due to the internal wifi module that chose that critical time to fail, somehow taking the install with it. I have removed the module, and have booted into a different mga8-64 install on the same hardware, except that wifi is now through a usb dongle. Updated Firefox and Thunderbird in one operation. Ran Firefox, and everything seems to be working, including ad blockers. So, OK on this hardware, as long as the hardware itself is OK.
MGA8-64, Gnome, Asus Laptop AMD A6-9225 RADEON R4 RTL8723BE Bluetooth

The following 7 packages are going to be installed:

- firefox-91.10.0-1.mga8.x86_64
- firefox-en_CA-91.10.0-1.mga8.noarch
- firefox-en_GB-91.10.0-1.mga8.noarch
- firefox-en_US-91.10.0-1.mga8.noarch
- lib64nspr4-4.34-1.mga8.x86_64
- lib64nss3-3.79.0-1.mga8.x86_64
- nss-3.79.0-1.mga8.x86_64

73KB of additional disk space will be used.

----
restarted system

I've used it on my favorite websites (video/audio/text) - no issues

I did run into some site misbehavior. Cleared Cache and that fixed it.
CC: (none) => brtians1
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0220.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
CVE-2022-31741 fix was in nss.
(In reply to David Walser from comment #17)
> CVE-2022-31741 fix was in nss.

That was this one in the nss release notes:
- Bug 1767590 - Initialize pointers passed to NSS_CMSDigestContext_FinishMultiple.

CVE-2022-34480 was also fixed by this nss update, which was this one:
- Bug 1454072 - Use of uninitialized pointer in lg_init after alloc fail.

As also seen here:
https://ubuntu.com/security/notices/USN-5506-1
https://www.mozilla.org/en-US/security/advisories/mfsa2022-24/#CVE-2022-34480