CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-20, 08:34
by terranigma
A remote code execution exploit has surfaced on the Firefox side. All versions prior to Firefox 60.7.1 and 67.0.3 are affected. As far as I know, Pale Moon 28 is based on Firefox 57. Is there any info regarding Pale Moon and this CVE?

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-20, 09:17
by roytam1
You may check this out: https://twitter.com/palemoonbrowser/sta ... 2260123648

BTW UXP is forked from gecko-52.6.0, not 57.

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-20, 10:05
by Moonchild
terranigma wrote:
2019-06-20, 08:34
All versions prior to Firefox 60.7.1 and 67.0.3 are affected.
Incorrect. All supported branches of Firefox prior to those versions are affected (meaning 60ESR and the current release).
This does not go back as far as our fork point because it became vulnerable with one of the JS refactoring sprees Mozilla did.

I've analyzed the issue and we aren't vulnerable to this exploit because we do not crash at all (let alone in an exploitable way). None of the UXP applications are vulnerable to this because it's in the shared JS platform component.

As an aside, it's peculiar that this is actually used in the wild. It's a Google Zero Day initiative exploit that was found through fuzzing in April (which starts a 90-day countdown for public exposure of the details). It's extremely unlikely that someone outside of the investigating team hit the same fuzzing parameters to trigger this (since by design fuzzing is random), so this may have been leaked on purpose.

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-20, 12:24
by New Tobin Paradigm
I'd be interested in exactly when this refactoring change exposed this.

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-20, 13:18
by Moonchild
New Tobin Paradigm wrote:
2019-06-20, 12:24
I'd be interested in exactly when this refactoring change exposed this.
Looks like it was exposed in Firefox 56.

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-24, 12:40
by Fedor2
https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.

So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-24, 12:54
by roytam1
Fedor2 wrote:
2019-06-24, 12:40
https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.

So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?
Port the commit yourself and compile it. :)
I did mine :)
https://github.com/roytam1/palemoon27/c ... e22d040db1
https://github.com/roytam1/basilisk55/c ... 286d0e7591

Re: CVE-2019-11707 (Firefox) and Pale Moon

Posted: 2019-06-24, 12:55
by Moonchild
Fedor2 wrote:
2019-06-24, 12:40
https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.

So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?
They are wrong. I already analyzed this and it was exposed as a vulnerability in Firefox 56.
The sensitive code may have been introduced that far back, but as long as it's not actually exposed, there is no issue and no vulnerability. So their "might be vulnerable" is theoretical. My "is not vulnerable" is practical.

Of course it can't hurt to port as a defense-in-depth measure (we've done that on UXP too), but it's not critical in any way.