Bug 2222652 (CVE-2023-3600) - CVE-2023-3600 firefox: use-after-free in workers
Summary: CVE-2023-3600 firefox: use-after-free in workers
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-3600
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222653 2222654 2222655 2222656 2222657 2222658 2222659 2222660 2222661 2225313 2225314 2225315 2225316 2225317 2225318 2225319 2225320 2225321 2225322 2225323
Blocks: 2222360 2225084
TreeView+ depends on / blocked
 
Reported: 2023-07-13 11:33 UTC by Dhananjay Arunesh
Modified: 2023-10-05 14:51 UTC (History)
9 users (show)

Fixed In Version: firefox 115.0.2, thunderbird 115.0.1
Doc Type: If docs needed, set a value
Doc Text:
The Mozilla Foundation Security Advisory describes this flaw as: During the worker lifecycle, a use-after-free condition could have occured, which could have led to a potentially exploitable crash.
Clone Of:
Environment:
Last Closed: 2023-07-20 09:31:08 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5426 0 None None None 2023-10-04 11:09:12 UTC
Red Hat Product Errata RHSA-2023:5427 0 None None None 2023-10-04 11:03:18 UTC
Red Hat Product Errata RHSA-2023:5428 0 None None None 2023-10-04 11:26:27 UTC
Red Hat Product Errata RHSA-2023:5429 0 None None None 2023-10-04 11:29:18 UTC
Red Hat Product Errata RHSA-2023:5430 0 None None None 2023-10-04 11:38:24 UTC
Red Hat Product Errata RHSA-2023:5432 0 None None None 2023-10-04 11:44:21 UTC
Red Hat Product Errata RHSA-2023:5433 0 None None None 2023-10-04 11:49:32 UTC
Red Hat Product Errata RHSA-2023:5434 0 None None None 2023-10-04 11:46:55 UTC
Red Hat Product Errata RHSA-2023:5435 0 None None None 2023-10-04 11:49:26 UTC
Red Hat Product Errata RHSA-2023:5436 0 None None None 2023-10-04 11:48:39 UTC
Red Hat Product Errata RHSA-2023:5437 0 None None None 2023-10-04 11:55:38 UTC
Red Hat Product Errata RHSA-2023:5438 0 None None None 2023-10-04 11:59:52 UTC
Red Hat Product Errata RHSA-2023:5439 0 None None None 2023-10-04 11:53:11 UTC
Red Hat Product Errata RHSA-2023:5440 0 None None None 2023-10-04 11:59:46 UTC
Red Hat Product Errata RHSA-2023:5475 0 None None None 2023-10-05 14:51:16 UTC
Red Hat Product Errata RHSA-2023:5477 0 None None None 2023-10-05 14:51:29 UTC

Description Dhananjay Arunesh 2023-07-13 11:33:57 UTC 
During the worker lifecycle, a use-after-free condition could have occured, which could have led to a potentially exploitable crash.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/#CVE-2023-3600
https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/#CVE-2023-3600
Comment 5 Jan Horak 2023-07-20 09:31:08 UTC 
From the upstream I get that the 102 is unaffected by this bug. Also changed code in the repository are not present in the 102. 

From the past experience upstream always fix affected supported versions. And 102 ESR should be supported until September 26.
Comment 10 Tomas Popela 2023-08-21 11:36:19 UTC 
Dhananjay can you also please close all the tracker bugs that you've created for this?
Comment 11 Dhananjay Arunesh 2023-08-29 07:45:24 UTC 
In reply to comment #10:
> Dhananjay can you also please close all the tracker bugs that you've created
> for this?

closed all trackers with resolution NOTABUG.
Comment 12 Tomas Popela 2023-08-30 07:15:51 UTC 
(In reply to Dhananjay Arunesh from comment #11)
> In reply to comment #10:
> > Dhananjay can you also please close all the tracker bugs that you've created
> > for this?
> 
> closed all trackers with resolution NOTABUG.

Bug 2225319 was missed, but I will close that one. Thanks!
Comment 13 errata-xmlrpc 2023-10-04 11:03:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5427 https://access.redhat.com/errata/RHSA-2023:5427
Comment 14 errata-xmlrpc 2023-10-04 11:09:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5426 https://access.redhat.com/errata/RHSA-2023:5426
Comment 15 errata-xmlrpc 2023-10-04 11:26:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5428 https://access.redhat.com/errata/RHSA-2023:5428
Comment 16 errata-xmlrpc 2023-10-04 11:29:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5429 https://access.redhat.com/errata/RHSA-2023:5429
Comment 17 errata-xmlrpc 2023-10-04 11:38:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5430 https://access.redhat.com/errata/RHSA-2023:5430
Comment 18 errata-xmlrpc 2023-10-04 11:44:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5432 https://access.redhat.com/errata/RHSA-2023:5432
Comment 19 errata-xmlrpc 2023-10-04 11:46:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5434 https://access.redhat.com/errata/RHSA-2023:5434
Comment 20 errata-xmlrpc 2023-10-04 11:48:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5436 https://access.redhat.com/errata/RHSA-2023:5436
Comment 21 errata-xmlrpc 2023-10-04 11:49:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5435 https://access.redhat.com/errata/RHSA-2023:5435
Comment 22 errata-xmlrpc 2023-10-04 11:49:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5433 https://access.redhat.com/errata/RHSA-2023:5433
Comment 23 errata-xmlrpc 2023-10-04 11:53:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5439 https://access.redhat.com/errata/RHSA-2023:5439
Comment 24 errata-xmlrpc 2023-10-04 11:55:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5437 https://access.redhat.com/errata/RHSA-2023:5437
Comment 25 errata-xmlrpc 2023-10-04 11:59:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5440 https://access.redhat.com/errata/RHSA-2023:5440
Comment 26 errata-xmlrpc 2023-10-04 11:59:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5438 https://access.redhat.com/errata/RHSA-2023:5438
Comment 27 errata-xmlrpc 2023-10-05 14:51:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5475 https://access.redhat.com/errata/RHSA-2023:5475
Comment 28 errata-xmlrpc 2023-10-05 14:51:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:5477 https://access.redhat.com/errata/RHSA-2023:5477
Note You need to log in before you can comment on or make changes to this bug.