https://www.mozilla.org/en-US/security/advisories/mfsa2018-10/#CVE-2018-5148
https://bugzilla.mozilla.org/show_bug.cgi?id=1440717
1440717 is referenced in:
Use RefPtr for CompositingRenderTargetOGL::mGL
(I sought a few keywords in this repo and in the FreeBSD area. No matches, but if this is already fixed: apologies.)
My bad, https://www.google.com/search?q=1440717+site%3Asvnweb.freebsd.org found nothing, I'll make a mental note to not rely on Google for searches of that domain.
Found:
VuXML: mozilla -- use-after-free in compositor
– affected www/waterfox < 56.0.4.36_3 on FreeBSD and from there, I found https://svnweb.freebsd.org/ports/head/www/waterfox/files/patch-bug1440717?view=markup&pathrev=464679 with keyword 1440717 … apologies for the noise. Closing.
FreeBSD may have applied the patch to their build, but the patch isn't part of Waterfox yet. This issue should still be open.
… on the other hand, I don't see 1440717 amongst the commits at https://github.com/MrAlex94/Waterfox/pull/480 (2018-03-21)
(Rewind to 20th March, when I saw 56.0.4.72 as the successor for 56.0.4.36_3 I probably assumed (without paying proper attention) that the patches for vulnerabilities were 'coming together' in the FreeBSD and GitHub areas for Waterfox.)
Windows doesn't use OpenGL compositing by default, Linux/BSDs/Solaris are yet to enable, so this probably mainly affects Android/OSX. In the meantime, ESR52 got more secfixes.
@laniakea64 thanks for the nudge 👍 we were seconds apart; @jbeich thanks (as always) for the insight.