Bug 33629 - firefox: CVE-2024-9680: Use-after-free in Animation timeline
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 33607
Reported: 2024-10-10 13:16 CEST by papoteur
Modified: 2024-10-14 21:54 CEST

See Also:
Source RPM: firefox, firefox-l10n
CVE: CVE-2024-9680
Status comment:


Description papoteur 2024-10-10 13:16:59 CEST
Description of problem:
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
Description

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild.

Version-Release number of selected component (if applicable):
firefox 128.3.0esr
Comment 1 papoteur 2024-10-10 13:18:32 CEST
Solved in 128.3.1esr
Tested locally that it builds on x86_64

Whiteboard: (none) => MGA9TOO

Nicolas Salguero 2024-10-10 13:37:02 CEST

QA Contact: (none) => security
CVE: (none) => CVE-2024-9680
Source RPM: firefox => firefox, firefox-l10n
Component: RPM Packages => Security

Nicolas Salguero 2024-10-10 13:38:40 CEST

Blocks: (none) => 33607

Comment 2 Nicolas Salguero 2024-10-10 13:39:35 CEST
See also: https://www.mozilla.org/en-US/firefox/128.3.1/releasenotes/
Nicolas Salguero 2024-10-10 13:42:49 CEST

Severity: normal => critical

Comment 3 Nicolas Salguero 2024-10-11 09:29:11 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Use-after-free in Animation timeline. (CVE-2024-9680)

References:
https://www.mozilla.org/en-US/firefox/128.3.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
========================

Updated packages in core/updates_testing:
========================
firefox-128.3.1-1.mga9
firefox-af-128.3.1-1.mga9
firefox-an-128.3.1-1.mga9
firefox-ar-128.3.1-1.mga9
firefox-ast-128.3.1-1.mga9
firefox-az-128.3.1-1.mga9
firefox-be-128.3.1-1.mga9
firefox-bg-128.3.1-1.mga9
firefox-bn-128.3.1-1.mga9
firefox-br-128.3.1-1.mga9
firefox-bs-128.3.1-1.mga9
firefox-ca-128.3.1-1.mga9
firefox-cs-128.3.1-1.mga9
firefox-cy-128.3.1-1.mga9
firefox-da-128.3.1-1.mga9
firefox-de-128.3.1-1.mga9
firefox-el-128.3.1-1.mga9
firefox-en_CA-128.3.1-1.mga9
firefox-en_GB-128.3.1-1.mga9
firefox-en_US-128.3.1-1.mga9
firefox-eo-128.3.1-1.mga9
firefox-es_AR-128.3.1-1.mga9
firefox-es_CL-128.3.1-1.mga9
firefox-es_ES-128.3.1-1.mga9
firefox-es_MX-128.3.1-1.mga9
firefox-et-128.3.1-1.mga9
firefox-eu-128.3.1-1.mga9
firefox-fa-128.3.1-1.mga9
firefox-ff-128.3.1-1.mga9
firefox-fi-128.3.1-1.mga9
firefox-fr-128.3.1-1.mga9
firefox-fur-128.3.1-1.mga9
firefox-fy_NL-128.3.1-1.mga9
firefox-ga_IE-128.3.1-1.mga9
firefox-gd-128.3.1-1.mga9
firefox-gl-128.3.1-1.mga9
firefox-gu_IN-128.3.1-1.mga9
firefox-he-128.3.1-1.mga9
firefox-hi_IN-128.3.1-1.mga9
firefox-hr-128.3.1-1.mga9
firefox-hsb-128.3.1-1.mga9
firefox-hu-128.3.1-1.mga9
firefox-hy_AM-128.3.1-1.mga9
firefox-ia-128.3.1-1.mga9
firefox-id-128.3.1-1.mga9
firefox-is-128.3.1-1.mga9
firefox-it-128.3.1-1.mga9
firefox-ja-128.3.1-1.mga9
firefox-ka-128.3.1-1.mga9
firefox-kab-128.3.1-1.mga9
firefox-kk-128.3.1-1.mga9
firefox-km-128.3.1-1.mga9
firefox-kn-128.3.1-1.mga9
firefox-ko-128.3.1-1.mga9
firefox-lij-128.3.1-1.mga9
firefox-lt-128.3.1-1.mga9
firefox-lv-128.3.1-1.mga9
firefox-mk-128.3.1-1.mga9
firefox-mr-128.3.1-1.mga9
firefox-ms-128.3.1-1.mga9
firefox-my-128.3.1-1.mga9
firefox-nb_NO-128.3.1-1.mga9
firefox-nl-128.3.1-1.mga9
firefox-nn_NO-128.3.1-1.mga9
firefox-oc-128.3.1-1.mga9
firefox-pa_IN-128.3.1-1.mga9
firefox-pl-128.3.1-1.mga9
firefox-pt_BR-128.3.1-1.mga9
firefox-pt_PT-128.3.1-1.mga9
firefox-ro-128.3.1-1.mga9
firefox-ru-128.3.1-1.mga9
firefox-sc-128.3.1-1.mga9
firefox-si-128.3.1-1.mga9
firefox-sk-128.3.1-1.mga9
firefox-sl-128.3.1-1.mga9
firefox-sq-128.3.1-1.mga9
firefox-sr-128.3.1-1.mga9
firefox-sv_SE-128.3.1-1.mga9
firefox-szl-128.3.1-1.mga9
firefox-ta-128.3.1-1.mga9
firefox-te-128.3.1-1.mga9
firefox-tg-128.3.1-1.mga9
firefox-th-128.3.1-1.mga9
firefox-tl-128.3.1-1.mga9
firefox-tr-128.3.1-1.mga9
firefox-uk-128.3.1-1.mga9
firefox-ur-128.3.1-1.mga9
firefox-uz-128.3.1-1.mga9
firefox-vi-128.3.1-1.mga9
firefox-xh-128.3.1-1.mga9
firefox-zh_CN-128.3.1-1.mga9
firefox-zh_TW-128.3.1-1.mga9

from SRPMS:
firefox-128.3.1-1.mga9.src.rpm
firefox-l10n-128.3.1-1.mga9.src.rpm

Version: Cauldron => 9
Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA9TOO => (none)

Comment 4 papoteur 2024-10-11 10:38:20 CEST
Installed 
firefox-128.3.1-1.mga9
firefox-fr-128.3.1-1.mga9

All is fine after restarting firefox.
Comment 5 Thomas Andrews 2024-10-13 21:18:06 CEST
US English version, MGA9 Plasma, i5-7500, Nvidia Quadro K620 graphics.

No installation issues, and it seems to be working as it should.

CC: (none) => andrewsfarm

Comment 6 Ben McMonagle 2024-10-13 23:56:19 CEST
updated:

firefox-en_US-128.3.1-1.mga9.noarch
firefox-en_GB-128.3.1-1.mga9.noarch
firefox-en_CA-128.3.1-1.mga9.noarch
firefox-128.3.1-1.mga9.x86_64

closed current ff session and invoked from cli.

restored previous session  -ok

browsed some web pages - ok

CC: (none) => westel

Comment 7 Tony Blackwell 2024-10-14 00:56:31 CEST
Seems fine to me:
downloads  work
youtube audio/vidoe works
bokmarking works
other language fonts (e.g. Thai) work

No isues I can find.

CC: (none) => tablackwell

Comment 8 Tony Blackwell 2024-10-14 00:57:20 CEST
(apart from my typing...)
Comment 9 Thomas Andrews 2024-10-14 02:05:13 CEST
Thank you, Gentlemen! Looks OK for the 64-bit version. Validating. Advisory in Comment 3.

This is a critical update that's being exploited in the wild. It needs to go out as soon as possible. Hoping the version for other arches is ready soon (Bug 33607).

Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 10 Brian Rockwell 2024-10-14 03:13:40 CEST
Gnome, Ryzen, Nvidia

The following 4 packages are going to be installed:

- firefox-128.3.1-1.mga9.x86_64
- firefox-en_CA-128.3.1-1.mga9.noarch
- firefox-en_GB-128.3.1-1.mga9.noarch
- firefox-en_US-128.3.1-1.mga9.noarch

7.5KB of additional disk space will be used.


$ firefox -version
Mozilla Firefox 128.3.1esr


videos play
common sites work
sound works

This is good to go

CC: (none) => brtians1
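
The version check and restart step the testers describe in Comments 4, 6 and 10, as an added example that is not part of the original bug report: it classifies a `firefox -version` line against the fixed 128.3.1esr release and flags running processes whose binary was replaced by the update. The process name `firefox`, the function names and the sample lines are assumptions or constructed here.

```shell
#!/bin/sh
# Added example. Fixed release taken from this bug (Comment 1): 128.3.1esr.
FIXED_VERSION="128.3.1"

# Extract "128.3.0" from a line such as "Mozilla Firefox 128.3.0esr".
parse_firefox_version() {
    printf '%s\n' "$1" | sed -n 's/^Mozilla Firefox \([0-9][0-9.]*\).*$/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing field by field as numbers.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Classify one `firefox -version` line. Only the 128 ESR line is judged,
# because that is the only branch this bug gives a fixed version for.
check_firefox() {
    v=$(parse_firefox_version "$1")
    case $v in 128.*) ;; *) echo unknown; return 0 ;; esac
    if version_ge "$v" "$FIXED_VERSION"; then echo fixed; else echo needs-update; fi
}

# A /proc/PID/exe target ending in " (deleted)" means the process started
# before the package replaced the binary and still runs the old code.
is_stale_exe_link() {
    case $1 in *" (deleted)") return 0 ;; *) return 1 ;; esac
}

# Assumption: the browser's process name is "firefox" (Linux /proc only).
scan_running() {
    for pid in $(pgrep -x firefox 2>/dev/null); do
        link=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        if is_stale_exe_link "$link"; then echo "PID $pid predates the update: restart Firefox"; fi
    done
}

# Constructed sample lines in the format shown in Comment 10.
for line in "Mozilla Firefox 128.3.0esr" "Mozilla Firefox 128.3.1esr"; do
    echo "$line -> $(check_firefox "$line")"
done
scan_running
```
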

Comment 11 Dan Fandrich 2024-10-14 04:23:48 CEST
This update is missing an advisory.

CC: (none) => dan

Comment 12 Morgan Leijström 2024-10-14 08:34:06 CEST
mga9-64 OK for me too
Plasma, Swedish

cc katnatek for advisory

CC: (none) => fri, j.alberto.vc

papoteur 2024-10-14 16:48:19 CEST

Keywords: (none) => advisory

Comment 13 katnatek 2024-10-14 19:33:36 CEST
I added a note that it is just for x86_64 for the moment
Thank you papoteur
katnatek 2024-10-14 19:34:12 CEST

CC: j.alberto.vc => (none)

Comment 14 Dan Fandrich 2024-10-14 20:58:16 CEST
I've manually moved only the x86_64 architecture for this package. I believe I've set it up so that future security or bugfix pushes won't automatically move the other architectures' packages, although this bug may spontaneously auto-close on the next push. In any case, it's probably wise to create a new bug, new package version and new MGASA when it comes time to push the other architectures, because the tooling thinks this one is complete, plus, the advisories themselves say that only x86_64 has been pushed.
Comment 15 Mageia Robot 2024-10-14 21:54:53 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0331.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

