1210212 – VUL-0: MozillaFirefox / MozillaThunderbird: update to 112 and 102.10esr

Bug 1210212 - VUL-0: MozillaFirefox / MozillaThunderbird: update to 112 and 102.10esr

Summary: VUL-0: MozillaFirefox / MozillaThunderbird: update to 112 and 102.10esr

Status:	RESOLVED FIXED

Alias:	None

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/362568/
Whiteboard:	CVSSv3.1:SUSE:CVE-2023-1945:6.1:(AV:N...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2023-04-06 09:44 UTC by Martin Sirringhaus
Modified:	2023-11-15 10:00 UTC (History)
CC List:	9 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 2 Gianluca Gabrielli 2023-04-11 13:36:24 UTC

Fix the following vulnerabilities:

#CVE-2023-29531: Out-of-bound memory access in WebGL on macOS
#CVE-2023-29532: Mozilla Maintenance Service Write-lock bypass
#CVE-2023-29533: Fullscreen notification obscured
#MFSA-TMP-2023-0001: Double-free in libwebp
#CVE-2023-29535: Potential Memory Corruption following Garbage Collector compaction
#CVE-2023-29536: Invalid free from JavaScript code
#CVE-2023-29539: Content-Disposition filename truncation leads to Reflected File Download
#CVE-2023-29541: Files with malicious extensions could have been downloaded unsafely on Linux
#CVE-2023-29542: Bypass of file download extension restrictions
#CVE-2023-29545: Windows Save As dialog resolved environment variables
#CVE-2023-1945: Memory Corruption in Safe Browsing Code
#CVE-2023-29548: Incorrect optimization result on ARM64
#CVE-2023-29550: Memory safety bugs fixed in Firefox 112 and Firefox ESR 102.10

Comment 3 Maintenance Automation 2023-04-11 16:30:01 UTC

SUSE-SU-2023:1819-1: An update that solves 12 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-1945, CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29542, CVE-2023-29545, CVE-2023-29548, CVE-2023-29550
Sources used:
SUSE OpenStack Cloud 9 (src): MozillaFirefox-102.10.0-112.156.1
SUSE OpenStack Cloud Crowbar 9 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Server 12 SP5 (src): MozillaFirefox-102.10.0-112.156.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): MozillaFirefox-102.10.0-112.156.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Maintenance Automation 2023-04-11 16:30:03 UTC

SUSE-SU-2023:1817-1: An update that solves 12 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-1945, CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29542, CVE-2023-29545, CVE-2023-29548, CVE-2023-29550
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-102.10.0-150000.150.82.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): MozillaFirefox-102.10.0-150000.150.82.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): MozillaFirefox-102.10.0-150000.150.82.1
SUSE CaaS Platform 4.0 (src): MozillaFirefox-102.10.0-150000.150.82.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 OBSbugzilla Bot 2023-04-11 21:45:03 UTC

This is an autogenerated message for OBS integration:
This bug (1210212) was mentioned in
https://build.opensuse.org/request/show/1078519 Factory / MozillaThunderbird
https://build.opensuse.org/request/show/1078521 Factory / MozillaFirefox

Comment 6 Maintenance Automation 2023-04-14 16:30:26 UTC

SUSE-SU-2023:1855-1: An update that solves 12 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-1945, CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29542, CVE-2023-29545, CVE-2023-29548, CVE-2023-29550
Sources used:
openSUSE Leap 15.4 (src): MozillaFirefox-102.10.0-150200.152.84.1
Desktop Applications Module 15-SP4 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise Real Time 15 SP3 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Enterprise Storage 7.1 (src): MozillaFirefox-102.10.0-150200.152.84.1
SUSE Enterprise Storage 7 (src): MozillaFirefox-102.10.0-150200.152.84.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Maintenance Automation 2023-04-28 14:01:18 UTC

SUSE-SU-2023:2064-1: An update that solves 15 vulnerabilities can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-0547, CVE-2023-1945, CVE-2023-1999, CVE-2023-29479, CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29535, CVE-2023-29536, CVE-2023-29539, CVE-2023-29541, CVE-2023-29542, CVE-2023-29545, CVE-2023-29548, CVE-2023-29550
Sources used:
openSUSE Leap 15.4 (src): MozillaThunderbird-102.10.1-150200.8.113.2
SUSE Package Hub 15 15-SP4 (src): MozillaThunderbird-102.10.1-150200.8.113.2
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): MozillaThunderbird-102.10.1-150200.8.113.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 11 Yifan Jiang 2023-05-29 04:06:41 UTC

It took a while to find out what is missing. I guess this one "#MFSA-TMP-2023-0001: Double-free in libwebp" spotted by Mozilla without CVE/bug number is of our interests.

Xiaoguang, I found the following commit is probably the one we need to backport regarding to the comment#9. Can you double check and help on deal with it? Thanks.

https://github.com/webmproject/libwebp/commit/a486d800b60d0af4cc0836bf7ed8f21e12974129.patch

Comment 13 Alexander Bergmann 2023-05-31 10:03:17 UTC

The previous MFSA-TMP-2023-0001 is now referenced as CVE-2023-1999: 

CVE-2023-1999: Double-free in libwebp

Reporter:
  Irvan Kurniawan
Impact:
  high
Description:
  A double-free in libwebp could have led to memory corruption and a 
  potentially exploitable crash.

Comment 15 Maintenance Automation 2023-06-08 08:30:14 UTC

SUSE-SU-2023:2467-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-1999
Sources used:
openSUSE Leap 15.4 (src): libwebp-1.0.3-150200.3.5.1
openSUSE Leap 15.5 (src): libwebp-1.0.3-150200.3.5.1
Basesystem Module 15-SP4 (src): libwebp-1.0.3-150200.3.5.1
Basesystem Module 15-SP5 (src): libwebp-1.0.3-150200.3.5.1
SUSE Package Hub 15 15-SP4 (src): libwebp-1.0.3-150200.3.5.1
SUSE Package Hub 15 15-SP5 (src): libwebp-1.0.3-150200.3.5.1
SUSE Linux Enterprise Real Time 15 SP3 (src): libwebp-1.0.3-150200.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 16 Andreas Stieger 2023-06-12 21:26:49 UTC

CVE-2023-29479 affected the rnp package separately - see bug 1212253. See bug 1212259 for work related to rnp being bundled in MozillaThunderbird

Comment 17 Maintenance Automation 2023-06-13 08:30:04 UTC

SUSE-SU-2023:2490-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-1999
Sources used:
openSUSE Leap 15.4 (src): libwebp-0.5.0-150000.3.11.1
SUSE Package Hub 15 15-SP4 (src): libwebp-0.5.0-150000.3.11.1
SUSE Package Hub 15 15-SP5 (src): libwebp-0.5.0-150000.3.11.1
SUSE Linux Enterprise Workstation Extension 15 SP4 (src): libwebp-0.5.0-150000.3.11.1
SUSE Linux Enterprise Workstation Extension 15 SP5 (src): libwebp-0.5.0-150000.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 18 Maintenance Automation 2023-06-20 09:14:32 UTC

SUSE-SU-2023:2552-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1210212
CVE References: CVE-2023-1999
Sources used:
HPE Helion OpenStack 8 (src): libwebp-0.4.3-4.10.1
SUSE OpenStack Cloud 8 (src): libwebp-0.4.3-4.10.1
SUSE OpenStack Cloud 9 (src): libwebp-0.4.3-4.10.1
SUSE OpenStack Cloud Crowbar 8 (src): libwebp-0.4.3-4.10.1
SUSE OpenStack Cloud Crowbar 9 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Server 12 SP5 (src): libwebp-0.4.3-4.10.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): libwebp-0.4.3-4.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 19 Robert Frohl 2023-06-20 09:46:12 UTC

(In reply to Alexander Bergmann from comment #13)
> The previous MFSA-TMP-2023-0001 is now referenced as CVE-2023-1999: 
> 
> CVE-2023-1999: Double-free in libwebp
> 
> Reporter:
>   Irvan Kurniawan
> Impact:
>   high
> Description:
>   A double-free in libwebp could have led to memory corruption and a 
>   potentially exploitable crash.

Does not look like this was addressed in openSUSE Factory and therefor also missing in ALP (SUSE:ALP:Source:Standard:1.0/libwebp). Could you also submit the patch to those two codestreams ?

Comment 20 Robert Frohl 2023-06-20 09:47:35 UTC

adding openSUSE libwebp maintainer for visibility.

Comment 22 OBSbugzilla Bot 2023-06-21 11:35:02 UTC

This is an autogenerated message for OBS integration:
This bug (1210212) was mentioned in
https://build.opensuse.org/request/show/1094342 Factory / libwebp

Comment 23 xiaoguang wang 2023-07-03 01:09:29 UTC

SR was accepted.
ALP: https://build.suse.de/request/show/301825
openSUSE:Factory: https://build.opensuse.org/request/show/1094342

Comment 24 Marcus Meissner 2023-09-14 12:36:55 UTC

done