Bug 1433819
| Summary: | CVE-2017-5428 firefox: Mozilla: integer overflow in createImageBitmap() (MFSA 2017-08) | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Timo Trinks <ttrinks> |
| Component: | firefox | Assignee: | Martin Stransky <stransky> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | bojan, gecko-bugs-nobody, jhorak, kengert, pjasicek, samoht0-bugzilla, samuel-rhbugs, stransky, ttrinks |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | firefox-52.0-6.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-24 18:56:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1433202 | ||
|
Description
Timo Trinks
2017-03-20 01:57:14 UTC
The fix is just shipping 52.0.1 for F24/25/26 which is available since Friday. This issue is serious and was addressed by Mozilla very fast. What takes so long here? Does the Firefox code get rebased against upstream all the time and, hence, has the patch been included already without being mentioned in changelog? If that's the case I'd recommend to explicitly list important CVEs that have been addressed in the changelog as it's done for the RHEL version. Thanks! (In reply to Timo Trinks from comment #2) > Does the Firefox code get rebased against upstream all the time and, hence, > has the patch been included already without being mentioned in changelog? Latest builds of F25 in repositories are from 10 Mar 2017. The fix for this was published on the 17th, so I'd say unlikely. Sorry I overlooked this one. Builds are in koji now, firefox-52.0-6 This is the link to the Firefox Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1348168 I don´t have access to this one. The latest build on koji was released on 2017-03-13 21:29:51 called firefox-52.0-5.fcXX. This does not include the fix released by Mozilla in Firefox 52.0.1. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. As far as I found out, you can´t disable it via "about:config". Therefore, version 52.0.1 should be pushed quite fast. (In reply to Martin Stransky from comment #4) > Sorry I overlooked this one. Builds are in koji now, firefox-52.0-6 Thanks, Martin! Any idea when this will hit Bodhi [1] and the official Fedora repos subsequently? Installing it directly from Koji is only semi-optimal... Thanks, Timo [1] https://bodhi.fedoraproject.org/updates/?packages=firefox firefox-52.0-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cd33654294 firefox-52.0-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cd33654294 firefox-52.0-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. |