CVE-2019-11707 (Firefox) and Pale Moon

terranigma
Apollo supporter
Posts: 41
Joined: 2018-03-10, 01:46

CVE-2019-11707 (Firefox) and Pale Moon

Post by terranigma » 2019-06-20, 08:34

A remote code execution exploit has surfaced on the Firefox side. All versions prior to Firefox 60.7.1 and 67.0.3 are affected. As far as I know, Pale Moon 28 is based on Firefox 57. Is there any info regarding Pale Moon and this CVE?

roytam1
Fanatic
Posts: 161
Joined: 2015-03-11, 07:01
Location: Hong Kong

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by roytam1 » 2019-06-20, 09:17

You may check this out: https://twitter.com/palemoonbrowser/sta ... 2260123648

BTW UXP is forked from gecko-52.6.0, not 57.

Moonchild
Pale Moon guru
Posts: 25009
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Moonchild » 2019-06-20, 10:05

terranigma wrote (2019-06-20, 08:34):
> All versions prior to Firefox 60.7.1 and 67.0.3 are affected.

Incorrect. All supported branches of Firefox prior to those versions are affected (meaning 60ESR and the current release).
This does not go back as far as our fork point because it became vulnerable with one of the JS refactoring sprees Mozilla did.

I've analyzed the issue and we aren't vulnerable to this exploit because we do not crash at all (let alone in an exploitable way). None of the UXP applications are vulnerable to this because it's in the shared JS platform component.

As an aside, it's peculiar that this is actually used in the wild. It's a Google Zero Day initiative exploit that was found through fuzzing in April (which starts a 90 day countdown for public exposure of the details). It's extremely unlikely that someone outside of the investigating team hit the same fuzzing parameters to trigger this (since by design fuzzing is random), so this may have been leaked on purpose.
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

New Tobin Paradigm
Off-Topic Sheriff
Posts: 6270
Joined: 2012-10-09, 19:37
Location: Sector 001

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by New Tobin Paradigm » 2019-06-20, 12:24

I'd be interested in exactly when this refactoring change exposed this.
- Gorhill is an interdimensional shape-shifting reptilian.. -
http://binaryoutcast.com/ | http://thereisonlyxul.org/ | Freenode #binaryoutcast

Moonchild
Pale Moon guru
Posts: 25009
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Moonchild » 2019-06-20, 13:18

New Tobin Paradigm wrote (2019-06-20, 12:24):
> I'd be interested in exactly when this refactoring change exposed this.

Looks like it was exposed in Firefox 56.

Fedor2
Astronaut
Posts: 669
Joined: 2016-04-11, 01:26

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Fedor2 » 2019-06-24, 12:40

https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.

So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

roytam1
Fanatic
Posts: 161
Joined: 2015-03-11, 07:01
Location: Hong Kong

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by roytam1 » 2019-06-24, 12:54

Fedor2 wrote (2019-06-24, 12:40):
> https://news.ycombinator.com/item?id=20221327
> They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
>
> So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

Port the commit yourself and compile it. :)
I did mine :)
https://github.com/roytam1/palemoon27/c ... e22d040db1
https://github.com/roytam1/basilisk55/c ... 286d0e7591

Moonchild
Pale Moon guru
Posts: 25009
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Moonchild » 2019-06-24, 12:55

Fedor2 wrote (2019-06-24, 12:40):
> https://news.ycombinator.com/item?id=20221327
> They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
>
> So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

They are wrong. I already analyzed this and it was exposed as a vulnerability in Firefox 56.
The sensitive code may have been introduced that far back, but as long as it's not actually exposed, there is no issue and no vulnerability. So their "might be vulnerable" is theoretical. My "is not vulnerable" is practical.

Of course it can't hurt to port as a defense-in-depth measure (we've done that on UXP too) but it's not critical in any way.
