Bug 31415 - Firefox 102.7
Summary: Firefox 102.7
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK, MGA8-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 31438
Reported: 2023-01-17 18:02 CET by David Walser
Modified: 2023-01-24 09:00 CET

See Also:
Source RPM: nss, firefox
CVE:
Status comment:


Attachments

Description David Walser 2023-01-17 18:02:16 CET
Mozilla has released Firefox 102.7.0 today (January 17):
https://www.mozilla.org/en-US/firefox/102.7.0/releasenotes/

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/

There is also an nss update:
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
https://firefox-source-docs.mozilla.org/security/nss/releases/index.html
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html

Package list should be as follows.

Updated packages in core/updates_testing:
========================================
libnss3-3.87.0-1.mga8
libnss-devel-3.87.0-1.mga8
libnss-static-devel-3.87.0-1.mga8
nss-3.87.0-1.mga8
nss-doc-3.87.0-1.mga8
firefox-102.7.0-1.mga8
firefox-af-102.7.0-1.mga8
firefox-an-102.7.0-1.mga8
firefox-ar-102.7.0-1.mga8
firefox-ast-102.7.0-1.mga8
firefox-az-102.7.0-1.mga8
firefox-be-102.7.0-1.mga8
firefox-bg-102.7.0-1.mga8
firefox-bn-102.7.0-1.mga8
firefox-br-102.7.0-1.mga8
firefox-bs-102.7.0-1.mga8
firefox-ca-102.7.0-1.mga8
firefox-cs-102.7.0-1.mga8
firefox-cy-102.7.0-1.mga8
firefox-da-102.7.0-1.mga8
firefox-de-102.7.0-1.mga8
firefox-el-102.7.0-1.mga8
firefox-en_CA-102.7.0-1.mga8
firefox-en_GB-102.7.0-1.mga8
firefox-en_US-102.7.0-1.mga8
firefox-eo-102.7.0-1.mga8
firefox-es_AR-102.7.0-1.mga8
firefox-es_CL-102.7.0-1.mga8
firefox-es_ES-102.7.0-1.mga8
firefox-es_MX-102.7.0-1.mga8
firefox-et-102.7.0-1.mga8
firefox-eu-102.7.0-1.mga8
firefox-fa-102.7.0-1.mga8
firefox-ff-102.7.0-1.mga8
firefox-fi-102.7.0-1.mga8
firefox-fr-102.7.0-1.mga8
firefox-fy_NL-102.7.0-1.mga8
firefox-ga_IE-102.7.0-1.mga8
firefox-gd-102.7.0-1.mga8
firefox-gl-102.7.0-1.mga8
firefox-gu_IN-102.7.0-1.mga8
firefox-he-102.7.0-1.mga8
firefox-hi_IN-102.7.0-1.mga8
firefox-hr-102.7.0-1.mga8
firefox-hsb-102.7.0-1.mga8
firefox-hu-102.7.0-1.mga8
firefox-hy_AM-102.7.0-1.mga8
firefox-ia-102.7.0-1.mga8
firefox-id-102.7.0-1.mga8
firefox-is-102.7.0-1.mga8
firefox-it-102.7.0-1.mga8
firefox-ja-102.7.0-1.mga8
firefox-ka-102.7.0-1.mga8
firefox-kab-102.7.0-1.mga8
firefox-kk-102.7.0-1.mga8
firefox-km-102.7.0-1.mga8
firefox-kn-102.7.0-1.mga8
firefox-ko-102.7.0-1.mga8
firefox-lij-102.7.0-1.mga8
firefox-lt-102.7.0-1.mga8
firefox-lv-102.7.0-1.mga8
firefox-mk-102.7.0-1.mga8
firefox-mr-102.7.0-1.mga8
firefox-ms-102.7.0-1.mga8
firefox-my-102.7.0-1.mga8
firefox-nb_NO-102.7.0-1.mga8
firefox-nl-102.7.0-1.mga8
firefox-nn_NO-102.7.0-1.mga8
firefox-oc-102.7.0-1.mga8
firefox-pa_IN-102.7.0-1.mga8
firefox-pl-102.7.0-1.mga8
firefox-pt_BR-102.7.0-1.mga8
firefox-pt_PT-102.7.0-1.mga8
firefox-ro-102.7.0-1.mga8
firefox-ru-102.7.0-1.mga8
firefox-si-102.7.0-1.mga8
firefox-sk-102.7.0-1.mga8
firefox-sl-102.7.0-1.mga8
firefox-sq-102.7.0-1.mga8
firefox-sr-102.7.0-1.mga8
firefox-sv_SE-102.7.0-1.mga8
firefox-szl-102.7.0-1.mga8
firefox-ta-102.7.0-1.mga8
firefox-te-102.7.0-1.mga8
firefox-th-102.7.0-1.mga8
firefox-tl-102.7.0-1.mga8
firefox-tr-102.7.0-1.mga8
firefox-uk-102.7.0-1.mga8
firefox-ur-102.7.0-1.mga8
firefox-uz-102.7.0-1.mga8
firefox-vi-102.7.0-1.mga8
firefox-xh-102.7.0-1.mga8
firefox-zh_CN-102.7.0-1.mga8
firefox-zh_TW-102.7.0-1.mga8

from SRPMS:
nss-3.87.0-1.mga8.src.rpm
firefox-102.7.0-1.mga8.src.rpm
firefox-l10n-102.7.0-1.mga8.src.rpm
Comment 1 David Walser 2023-01-17 18:08:45 CET
Updates have been committed to SVN and are in the process of being built.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

An out of date library (libusrsctp) contained vulnerabilities that could
potentially be exploited (CVE-2022-46871).

By confusing the browser, the fullscreen notification could have been delayed
or suppressed, resulting in potential user confusion or spoofing attacks
(CVE-2022-46877).

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK
treating all text/plain MIMEs containing file URLs as being dragged, a website
could arbitrarily read a file via a call to DataTransfer.setData
(CVE-2023-23598).

Navigations were being allowed when dragging a URL from a cross-origin iframe
into the same tab which could lead to website spoofing attacks
(CVE-2023-23601).

A mishandled security check when creating a WebSocket in a WebWorker caused
the Content Security Policy connect-src header to be ignored. This could lead
to connections to restricted origins from inside WebWorkers (CVE-2023-23602).

Regular expressions used to filter out forbidden properties and values from
style directives in calls to console.log weren't accounting for external URLs,
allowing bypassing Content Security Policy via format directives. Data could
then be potentially exfiltrated from the browser (CVE-2023-23603).

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs
present in Firefox ESR 102.6. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code (CVE-2023-23605).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23605
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/

Version: Cauldron => 8

Comment 2 David Walser 2023-01-17 21:06:10 CET
Updates have been submitted to the build system and should be available by the end of the day.

Assignee: luigiwalser => qa-bugs

Comment 3 Herman Viaene 2023-01-18 16:15:24 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Running now, checked newspaper site with text and sound and video, all works OK.

CC: (none) => herman.viaene

Comment 4 Morgan Leijström 2023-01-18 22:46:50 CET
mga8-64 OK for me

Plasma, i7-3770, GM107 [GeForce GTX 750] using nvidia-current; GeForce 635 series and later, 4k display.

Updated to:
- firefox-102.7.0-1.mga8.x86_64
- firefox-sv_SE-102.7.0-1.mga8.noarch
- lib64nss3-3.87.0-1.mga8.x86_64
- nss-3.87.0-1.mga8.x86_64

Kernels desktop-5.15.88-1 and desktop-6.1.6-1

Tested various banking, authority, shops, different login methods, video sites.
Swedish locale.


__Still not fixed__
The about box still says "mageia - 1.0". Are we never gonna get this sorted?


----8<----

Weird:

First, I had it segfault when I resize Firefox while playing YT;
Repeatable:
Play https://youtu.be/-lR0qoIW1Cw?list=PLhTQil6jHokkfblf5xsL4grv4Wxtcvv9a
grab a corner of firefox and drag it around, crash within a few seconds.

I also verified this for our last version in updates.
Tried our release repo version and it did not crash, but it had created a new profile.
When I again updated to 102.7.0-1 it also did not crash with the new profile.
So I restored my old profile, and it crashed again.
So something in the profile made it crash. Reliably.
But now this: above tests were all with Kernel desktop-5.15.88-1.
Now while testing kernel desktop-6.1.6-1, I can't get firefox to crash.
So it is some compound effect...
Anyway, I think it is OK - no regression over our previous with same profile, and with new profile or backport kernel!? it does not crash. For me.

CC: (none) => fri

Comment 5 Morgan Leijström 2023-01-18 22:51:46 CET
sidenote, the output in terminal from crashing firefox:

$ firefox 
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
[2023-01-18T15:06:14Z ERROR mp4parse] Found 2 nul bytes in "\u{0}\u{0}"
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=45.4169) [GFX1-]: GFX: RenderThread detected a device reset in PostUpdate
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=45.4169) |[1][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=46.4581) [GFX1-]: GFX: RenderThread detected a device reset in PostUpdate
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Segmenteringsfel (minnesutskrift skapad)
Comment 6 David Walser 2023-01-19 01:32:22 CET
There's a separate bug for the about box thing.  Please refrain from commenting about it in security updates unless a packager mentions that it has been addressed.
Comment 7 Jose Manuel López 2023-01-19 13:24:50 CET
Hi,

Installed on Mga8 Plasma x64. No issues for the moment.

- Video ok.
- Banks ok.
- Addons ok.
- Spanish language ok.
- Private mode ok.


Writing from this new version right now!

Greetings!

CC: (none) => joselp

David Walser 2023-01-20 17:24:19 CET

Blocks: (none) => 31438

Comment 8 David Walser 2023-01-20 17:41:35 CET
- Bug 1774654 tstclnt crashes when accessing gnutls server without a user cert in the database.

in this nss update is CVE-2022-3479:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPGIG3RLJJT2HMZS76SNGJZMTWOTMFUX/

So that's fixed in this update as well.

Advisory:
========================

Updated firefox packages fix security vulnerabilities:

A vulnerability was found in NSS. The NSS client auth crashes without a user
certificate in the database, leading to a segmentation fault or crash
(CVE-2022-3479).

An out of date library (libusrsctp) contained vulnerabilities that could
potentially be exploited (CVE-2022-46871).

By confusing the browser, the fullscreen notification could have been delayed
or suppressed, resulting in potential user confusion or spoofing attacks
(CVE-2022-46877).

Due to the Firefox GTK wrapper code's use of text/plain for drag data and GTK
treating all text/plain MIMEs containing file URLs as being dragged, a website
could arbitrarily read a file via a call to DataTransfer.setData
(CVE-2023-23598).

Navigations were being allowed when dragging a URL from a cross-origin iframe
into the same tab which could lead to website spoofing attacks
(CVE-2023-23601).

A mishandled security check when creating a WebSocket in a WebWorker caused
the Content Security Policy connect-src header to be ignored. This could lead
to connections to restricted origins from inside WebWorkers (CVE-2023-23602).

Regular expressions used to filter out forbidden properties and values from
style directives in calls to console.log weren't accounting for external URLs,
allowing bypassing Content Security Policy via format directives. Data could
then be potentially exfiltrated from the browser (CVE-2023-23603).

Mozilla developers and the Mozilla Fuzzing Team reported memory safety bugs
present in Firefox ESR 102.6. Some of these bugs showed evidence of memory
corruption and we presume that with enough effort some of these could have
been exploited to run arbitrary code (CVE-2023-23605).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3479
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46871
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46877
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23601
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23602
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23603
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23605
https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/7D6OeqrEDcE
https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_87.html
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YPGIG3RLJJT2HMZS76SNGJZMTWOTMFUX/
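
Added example, not part of the bug report or of Mageia's tooling: a small audit that checks `rpm -qa`-style package strings against the fixed versions named in the advisory above (firefox 102.7.0-1, nss 3.87.0-1 on Mageia 8). The sample package lines are constructed, and the version comparison is a simplified stand-in for rpm's own algorithm (an assumption; it ignores `~` and `^`).

```python
import re

# Fixed version-release per package, taken from the advisory's package list.
FIXED = {"firefox": "102.7.0-1", "nss": "3.87.0-1",
         "libnss3": "3.87.0-1", "lib64nss3": "3.87.0-1"}

# name-version-release.mgaN[.arch]; the arch suffix is optional because the
# advisory lists packages without it while `rpm -qa` prints it.
NVRA = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+?)\.mga\d+"
                  r"(?:\.(?P<arch>\w+))?$")

def _segments(s):
    # Split into numeric and alphabetic runs; separators are dropped.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def vercmp(a, b):
    """Return -1, 0 or 1; numeric runs compare as integers and beat alpha runs."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def audit(lines):
    """Map each tracked package to 'fixed' or 'vulnerable'; flag unparsable lines."""
    report = {}
    for line in (l.strip() for l in lines):
        m = NVRA.match(line)
        if not m:
            report[line] = "unparsed"
            continue
        fixed = FIXED.get(m["name"])
        if fixed is None:          # e.g. l10n packages are not tracked here
            continue
        fver, frel = fixed.split("-")
        c = vercmp(m["ver"], fver) or vercmp(m["rel"], frel)
        report[m["name"]] = "fixed" if c >= 0 else "vulnerable"
    return report

# Constructed sample input, in the format `rpm -qa` prints.
SAMPLE = ["firefox-102.6.0-1.mga8.x86_64", "lib64nss3-3.87.0-1.mga8.x86_64",
          "nss-3.86.0-1.1.mga8.x86_64", "firefox-sv_SE-102.7.0-1.mga8.noarch",
          "not-an-rpm"]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE).items():
        print(f"{pkg}: {state}")
```
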
Comment 9 Brian Rockwell 2023-01-20 18:07:51 CET
MGA8-64, on Xfce, Toshiba Laptop

AMD A6-3420M APU 
Radeon HD 6520G
RTL8188CE 802.11b/g/n WiFi Adapter
 

The following 6 packages are going to be installed:

- firefox-102.7.0-1.mga8.x86_64
- firefox-en_CA-102.7.0-1.mga8.noarch
- firefox-en_GB-102.7.0-1.mga8.noarch
- firefox-en_US-102.7.0-1.mga8.noarch
- lib64nss3-3.87.0-1.mga8.x86_64
- nss-3.87.0-1.mga8.x86_64



verified version
working as expected

CC: (none) => brtians1

Comment 10 Len Lawrence 2023-01-21 15:34:32 CET
- firefox-102.7.0-1.mga8.x86_64
- firefox-en_GB-102.7.0-1.mga8.noarch
- lib64nss-devel-3.87.0-1.mga8.x86_64
- lib64nss-static-devel-3.87.0-1.mga8.x86_64
- lib64nss3-3.87.0-1.mga8.x86_64
- nss-3.87.0-1.mga8.x86_64
- nss-doc-3.87.0-1.mga8.noarch

Restarted and tried a few astronomical sites, links to The Guardian from Thunderbird, and a baroque high definition music video on Youtube.  Also no trouble with resizing before or after the new version.

CC: (none) => tarazed25

Comment 11 David Walser 2023-01-23 17:23:53 CET
RedHat has issued an advisory for this today (January 23):
https://access.redhat.com/errata/RHSA-2023:0288
Comment 12 Thomas Andrews 2023-01-23 17:35:56 CET
MGA8-64 Plasma. No installation issues.

I've been using this for two days now, with no issues to report. I did some banking, sent an email with Thunderbird from a website link, downloaded a couple of pdfs, watched some of Morgan's Youtube link. No problems resizing while on Youtube.

CC: (none) => andrewsfarm

Comment 13 Dave Hodgins 2023-01-24 00:37:25 CET
No regressions noticed. Tested on x86_64, aarch64, and i586 (vb).
Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK, MGA8-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Dave Hodgins 2023-01-24 01:02:37 CET

Keywords: (none) => advisory

Comment 14 Mageia Robot 2023-01-24 09:00:36 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0018.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

