An integer overflow in createImageBitmap() was reported through the Pwn2Own contest. The fix for this vulnerability disables the experimental createImageBitmap API. This function runs in the content sandbox, requiring a second vulnerability to compromise a user's computer.
External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2017-08/#CVE-2017-5428
Acknowledgements:
Name: the Mozilla project
Upstream: Chaitin Security Research Lab via Trend Micro's Zero Day Initiative
The fix is just shipping 52.0.1 for F24/25/26, which has been available since Friday. This issue is serious and was addressed by Mozilla very fast. What takes so long here?
Does the Firefox code get rebased against upstream all the time and, hence, has the patch been included already without being mentioned in changelog? If that's the case I'd recommend to explicitly list important CVEs that have been addressed in the changelog as it's done for the RHEL version. Thanks!
(In reply to Timo Trinks from comment #2)
> Does the Firefox code get rebased against upstream all the time and, hence,
> has the patch been included already without being mentioned in changelog?
Latest builds of F25 in repositories are from 10 Mar 2017. The fix for this was published on the 17th, so I'd say unlikely.
Sorry I overlooked this one. Builds are in koji now, firefox-52.0-6
This is the link to the Firefox Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1348168 I don't have access to this one. The latest build on koji was released on 2017-03-13 21:29:51 called firefox-52.0-5.fcXX. This does not include the fix released by Mozilla in Firefox 52.0.1. The fix for this vulnerability disables the experimental extensions to the createImageBitmap API. As far as I found out, you can't disable it via "about:config". Therefore, version 52.0.1 should be pushed quite fast.
(In reply to Martin Stransky from comment #4)
> Sorry I overlooked this one. Builds are in koji now, firefox-52.0-6
Thanks, Martin! Any idea when this will hit Bodhi [1] and the official Fedora repos subsequently? Installing it directly from Koji is only semi-optimal... Thanks, Timo
[1] https://bodhi.fedoraproject.org/updates/?packages=firefox
firefox-52.0-6.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-cd33654294
firefox-52.0-6.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-cd33654294
firefox-52.0-6.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.