Bug 1557571

Summary: Firefox 59.0.1 available: CVE-2018-5146: Out of bounds memory write in libvorbis
Product: [Fedora] Fedora Reporter: JayJayJazz <jayjayjazz>
Component: firefoxAssignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: alexl, gecko-bugs-nobody, gmarr, jhorak, john.j5live, kengert, klember, pjasicek, rhughes, rstrode, sandmann, stransky
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard: AcceptedFreezeException
Fixed In Version: firefox-59.0.1-1.fc28 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-26 22:29:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1469205    

Description JayJayJazz 2018-03-16 22:28:07 UTC 
Description of problem:
CVE-2018-5146: Out of bounds memory write in libvorbis

Version-Release number of selected component (if applicable):
59.0.1

How reproducible:
https://www.mozilla.org/en-US/security/advisories/mfsa2018-08/

Additional info:
https://bugzilla.mozilla.org/show_bug.cgi?id=1446062
Comment 1 Kalev Lember 2018-03-26 16:59:29 UTC 
Proposing as a FE for Fedora 28 Beta, to avoid shipping beta with known security vulnerabilities in our default browser.

Note that this may need matching NSS update pulled in through the freeze as well if accepted, not entirely sure.
Comment 2 Martin Stransky 2018-03-26 18:52:08 UTC 
The update is here - https://bodhi.fedoraproject.org/updates/FEDORA-2018-3de9cb411f
Comment 3 Geoffrey Marr 2018-03-26 19:01:11 UTC 
Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as it's obviously desirable to fix significant security issues in the default browser for most desktops for Beta. Note we have verified no nss/nspr update is required here.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt
Comment 4 Fedora Update System 2018-03-26 21:15:31 UTC 
firefox-59.0.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3de9cb411f
Comment 5 Fedora Update System 2018-03-26 22:29:19 UTC 
firefox-59.0.1-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.