Updates submitted to the build system, freeze move request posted for Cauldron, updated packages should be available on mirrors by the end of the day.

Assignee: luigiwalser => qa-bugs

Physical hardware - AMD/Nvidia (390), Plasma

$ uname -a
Linux localhost 5.15.98-desktop-1.mga8 #1 SMP Sat Mar 4 12:16:27 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
The following 3 packages are going to be installed:

- firefox-102.10.0-1.mga8.x86_64
- firefox-en_GB-102.10.0-1.mga8.noarch
- firefox-en_US-102.10.0-1.mga8.noarch


$ firefox -version
Mozilla Firefox 102.10.0esr


I've spent some time on a few sites as well as audio/video.  No issues.

CC: (none) => brtians1

mga8-64, Plasma, nvidia-current, kernel 5.15.88-desktop-1.mga8, Intel i7, Swedish

$ firefox -version
Mozilla Firefox 102.10.0esr

Localisation OK
Kept tabs, settings, plugins
Three different login methods to Banking, shops
Video sites working... but occasional crash when resizing.
Actually I had that once with previous version yesterday too.

$ firefox
Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
 --< and here i played a film on svt.se, and when resizing firefox it crashed: >--
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Exiting due to channel error.
Segmenteringsfel (minnesutskrift skapad)    --< segmentation fault >--

I also have seen, without crash, the following line output:

Crash Annotation GraphicsCriticalError: |[0][GFX1-]: GFX: RenderThread detected a device reset in PostUpdate (t=21.8524) [GFX1-]: GFX: RenderThread detected a device reset in PostUpdate

As in https://bugs.mageia.org/show_bug.cgi?id=31415#c5

So no regression, but nowadays Firefox is not as stable as it used to be, on my system.

CC: (none) => fri

Security issues fixed:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/

One is in libwebp, which we'll have to fix as well.  The Mozilla bug is private, but it's possibly this:
https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129

(In reply to David Walser from comment #4)
> Security issues fixed:
> https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/
> 
> One is in libwebp, which we'll have to fix as well.  The Mozilla bug is
> private, but it's possibly this:
> https://github.com/webmproject/libwebp/commit/
> a486d800b60d0af4cc0836bf7ed8f21e12974129

Upstream link for that commit:
https://chromium.googlesource.com/webm/libwebp/+/a486d800b60d0af4cc0836bf7ed8f21e12974129%5E%21/#F0

Two other fixes that might be good to add:
https://chromium.googlesource.com/webm/libwebp/+/0edbb6ea7176eca19955be701178fa70ecb497ee%5E%21/#F0
https://chromium.googlesource.com/webm/libwebp/+/8f7513b7c0aec45bf163c107284bccb86aa478ef%5E%21/#F0

Advisory:
========================

Updated firefox and libwebp packages fix security vulnerabilities:

Unexpected data returned from the Safe Browsing API could have led to memory
corruption and a potentially exploitable crash (CVE-2023-1945).

A website could have obscured the fullscreen notification by using a
combination of window.open, fullscreen requests, window.name assignments, and
setInterval calls. This could have led to user confusion and possible spoofing
attacks (CVE-2023-29533).

Following a Garbage Collector compaction, weak maps may have been accessed
before they were correctly traced. This resulted in memory corruption and a
potentially exploitable crash (CVE-2023-29535).

An attacker could, via JavaScript code, cause the memory manager to
incorrectly free a pointer that addresses attacker-controlled memory,
resulting in an assertion, memory corruption, or a potentially exploitable
crash (CVE-2023-29536).

When handling the filename directive in the Content-Disposition header, the
filename would be truncated if the filename contained a NULL character. This
could have led to reflected file download attacks potentially tricking users
to install malware (CVE-2023-29539).

Firefox did not properly handle downloads of files ending in .desktop, which
can be interpreted to run attacker-controlled commands (CVE-2023-29541).

Mozilla developers Andrew Osmond, Sebastian Hengst, Andrew McCreight, and the
Mozilla Fuzzing Team reported memory safety bugs present in Firefox ESR 102.9.
Some of these bugs showed evidence of memory corruption and we presume that
with enough effort some of these could have been exploited to run arbitrary
code (CVE-2023-29550).

A double-free in libwebp could have led to memory corruption and a
potentially exploitable crash (MFSA-TMP-2023-0001).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29535
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29536
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29541
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29550
https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/


Adding to the package list:
libwebp7-1.1.0-2.1.mga8
libwebp-tools-1.1.0-2.1.mga8
libwebpdecoder3-1.1.0-2.1.mga8
libwebp-devel-1.1.0-2.1.mga8
libwebpmux3-1.1.0-2.1.mga8
libwebpdemux2-1.1.0-2.1.mga8

from libwebp-1.1.0-2.1.mga8.src.rpm

MGA8-64 MATE on Acer Aspire 5253
Installed firefox (+ en_US and en_GB) and
lib64webp7-1.1.0-2.1.mga8
libwebp-tools-1.1.0-2.1.mga8
lib64webpdecoder3-1.1.0-2.1.mga8
lib64webp-devel-1.1.0-2.1.mga8
lib64webpmux3-1.1.0-2.1.mga8
lib64webpdemux2-1.1.0-2.1.mga8
Fired up new version of firefox and tested on newspapersite and youtube: all works OK.

CC: (none) => herman.viaene

Added the following to my firefox update

The following 4 packages are going to be installed:

- lib64webp7-1.1.0-2.1.mga8.x86_64
- lib64webpdemux2-1.1.0-2.1.mga8.x86_64
- lib64webpmux3-1.1.0-2.1.mga8.x86_64
- libwebp-tools-1.1.0-2.1.mga8.x86_64


I've spent a few hours doing my normal stuff.  Working as expected.

(In reply to Brian Rockwell from comment #8)
> Added the following to my firefox update
> 
> The following 4 packages are going to be installed:
> 
> - lib64webp7-1.1.0-2.1.mga8.x86_64
> - lib64webpdemux2-1.1.0-2.1.mga8.x86_64
> - lib64webpmux3-1.1.0-2.1.mga8.x86_64
> - libwebp-tools-1.1.0-2.1.mga8.x86_64
> 
> 
> I've spent a few hours doing my normal stuff.  Working as expected.

Also included a full reboot to confirm new versions were used.

No nss packages this time. Seems odd...

CC: (none) => andrewsfarm

MGA8-64 Plasma. The following 5 packages are going to be installed:

- firefox-102.10.0-1.mga8.x86_64
- firefox-en_US-102.10.0-1.mga8.noarch
- lib64webp7-1.1.0-2.1.mga8.x86_64
- lib64webpdemux2-1.1.0-2.1.mga8.x86_64
- lib64webpmux3-1.1.0-2.1.mga8.x86_64

No installation issues. Checked Facebook, weather forecast (80% chance of rain on Monday), watched a brief video. No issues to report.

(In reply to Thomas Andrews from comment #10)
> No nss packages this time. Seems odd...

Indeed.  I can't remember that ever happening.

Ok in my testing. Advisory committed to svn. Validating.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0146.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

RedHat has issued an advisory for this on April 14:
https://access.redhat.com/errata/RHSA-2023:1786

(In reply to David Walser from comment #4)
> Security issues fixed:
> https://www.mozilla.org/en-US/security/advisories/mfsa2023-14/
> 
> One is in libwebp, which we'll have to fix as well.  The Mozilla bug is
> private, but it's possibly this:
> https://github.com/webmproject/libwebp/commit/
> a486d800b60d0af4cc0836bf7ed8f21e12974129

This is now CVE-2023-1999 (Mozilla advisory updated).

RedHat has issued an advisory for this on May 2:
https://access.redhat.com/errata/RHSA-2023:2077

Summary: Firefox 102.10 => Firefox 102.10 (and libwebp CVE-2023-1999)