Nixpkgs: Please update Firefox to 72.0.1, Firefox ESR to 68.4.1 to fix a security vulnerability exploited in the wild (CVE-2019-17026)

Created on 9 Jan 2020 · 9 Comments · Source: NixOS/nixpkgs

Describe the bug

It would be great if this could be fixed in 19.03 too.

https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/

Mozilla Foundation Security Advisory 2020-03
Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1
Announced January 8, 2020
Impact critical
Products Firefox, Firefox ESR
Fixed in Firefox 72.0.1, Firefox ESR 68.4.1
CVE-2019-17026: IonMonkey type confusion with StoreElementHole and FallibleStoreElement
Reporter Qihoo 360 ATA
Description
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw.

To Reproduce
N/A
Expected behavior
N/A

Screenshots
N/A

Additional context
N/A

Metadata
N/A

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
  - firefox
  - firefox-esr
# a list of nixos modules affected by the problem
module:
bug security

All 9 comments

See #77346 #77349

This seems to be fixed in both master and 19.09.

19.03 has already been out of support for some time - I assume many other security fixes didn't land in there.

I strongly recommend against still using it. If it absolutely needs to be, I'd propose fetching firefox from a 19.09 nixpkgs.

@flokli I am not sure whether Firefox ESR has been updated too. I can see https://github.com/NixOS/nixpkgs/pull/77292/commits/18e4675e85002d00f0fca45793b8a915db07a9d3 that suggests that ESR 68.4.0 has been added, but not version 68.4.1 which is the one with the security fix.

Regarding NixOS 19.03, I would suggest that firefox is marked as insecure in case there are no plans of updating it (I can submit a PR if you think that's ok).

Would it be possible to reopen the issue until this comment is addressed please? Thanks.

@stefano-m The bump to 68.4.1esr happened in 204d32a746f70cb8be163a98e0d6ec7f2c8b9ee4 (master) and 1cedf06c0953419b3cfb263b96fc82b872437bfd (19.09 backport).

I'd consider whole 19.03 as insecure by now, but feel free to open a PR marking firefox explicitly, too.

While at it, could you take a look at firefox-esr-60? Are there any backports for it? Should we mark it as insecure on master and 19.09, too? What's the reason we're still shipping that in the first place?

Thanks for the info @flokli

Regarding supporting older releases, I can now see that

https://nixos.org/nixos/manual/release-notes.html#sec-release-19.03

says

End of support is planned for end of October 2019, handing over to 19.09.

But it may be worth making it more explicit... it feels that that info is a bit hidden.

Also, I will try and have a look at ESR 60, but can't give you an ETA on this :wink:

With ESR 60 the situation seems quite clear to me, so I directly marked it as vulnerable in f703a3a04a.

Can you backport this to 19.09 as well? Also, we could think about dropping it from nixpkgs master entirely.

Yes, backport was on the way from the start, I was just repeating some mostly pointless checks before pushing.

Dropping: we still have 52 :-) For that see https://github.com/NixOS/nixpkgs/pull/45787
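
Added example, not part of the issue thread or of nixpkgs: a shell check of a `firefox --version` string against the fixed versions named in the advisory quoted above (72.0.1, ESR 68.4.1), covering the 68.4.0esr versus 68.4.1esr question raised in the comments. It assumes the `Mozilla Firefox <version>[esr]` output format and a `sort` that supports `-V`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from nixpkgs): compare a Firefox version string with the
# fixed versions listed in MFSA 2020-03 (Firefox 72.0.1, Firefox ESR 68.4.1).

# version_ge A B: succeeds when dotted version A >= B (relies on sort -V).
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# check_firefox "<output of firefox --version>"
# Prints patched / unpatched / unknown and returns 0 / 1 / 2.
# Assumption: the version is the last space-separated field, with an
# "esr" suffix on ESR builds (e.g. "Mozilla Firefox 68.4.0esr").
check_firefox() {
  fx_raw="${1##* }"
  case "$fx_raw" in
    *esr) fx_ver="${fx_raw%esr}"; fx_fixed="68.4.1" ;;  # ESR branch
    *)    fx_ver="$fx_raw";       fx_fixed="72.0.1" ;;  # release branch
  esac
  # Anything that is not a plain dotted number (betas, empty input) is
  # reported as unknown rather than guessed at.
  case "$fx_ver" in
    ''|*[!0-9.]*) echo unknown; return 2 ;;
  esac
  if version_ge "$fx_ver" "$fx_fixed"; then
    echo patched
  else
    echo unpatched
    return 1
  fi
}

# Usage: ./check-firefox.sh "$(firefox --version)"
if [ "$#" -gt 0 ]; then
  check_firefox "$*"
fi
```

The result only says whether the version is at or above the fixed release for its branch; an ESR 60 build is reported as unpatched because it is below 68.4.1.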
