2222652 – (CVE-2023-3600) CVE-2023-3600 firefox: use-after-free in workers

Bug 2222652 (CVE-2023-3600) - CVE-2023-3600 firefox: use-after-free in workers

Summary: CVE-2023-3600 firefox: use-after-free in workers

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2023-3600
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2222653 2222654 2222655 2222656 2222657 2222658 2222659 2222660 2222661 2225313 2225314 2225315 2225316 2225317 2225318 2225319 2225320 2225321 2225322 2225323
Blocks:	2222360 2225084
TreeView+	depends on / blocked

Reported:	2023-07-13 11:33 UTC by Dhananjay Arunesh
Modified:	2023-07-31 07:43 UTC (History)
CC List:	9 users (show)
Fixed In Version:	firefox 115.0.2, thunderbird 115.0.1
Doc Type:	If docs needed, set a value
Doc Text:	The Mozilla Foundation Security Advisory describes this flaw as: During the worker lifecycle, a use-after-free condition could have occured, which could have led to a potentially exploitable crash.
Clone Of:
Environment:
Last Closed:	2023-07-20 09:31:08 UTC
Embargoed:

Attachments	(Terms of Use)

Description Dhananjay Arunesh 2023-07-13 11:33:57 UTC

During the worker lifecycle, a use-after-free condition could have occured, which could have led to a potentially exploitable crash.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/#CVE-2023-3600
https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/#CVE-2023-3600

Comment 5 Jan Horak 2023-07-20 09:31:08 UTC

From the upstream I get that the 102 is unaffected by this bug. Also changed code in the repository are not present in the 102. 

From the past experience upstream always fix affected supported versions. And 102 ESR should be supported until September 26.

Note You need to log in before you can comment on or make changes to this bug.