Just in case people worry about the critical sec vulnerability:
"CVE-2024-9680: Use-after-free in Animation timeline"
As listed in MFSA 2024-15, it does not apply to Pale Moon or UXP.
CVE-2024-9680: Use-after-free in Animation timeline
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
- Pale Moon guru
- Posts: 37762
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
CVE-2024-9680: Use-after-free in Animation timeline
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
- Knows the dark side
- Posts: 5605
- Joined: 2015-12-09, 15:45
Re: CVE-2024-9680: Use-after-free in Animation timeline
Correct me if I'm wrong, but the reason PM is immune is that a separate content process has to actually exist for it to be exploitable, right?
"An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines."

"One hosts to look them up, one DNS to find them and in the darkness BIND them."

KDE Neon on a Slimbook Excalibur (Ryzen 7 8845HS, 64 GB RAM)
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX
Jabber: moonbat@hot-chili.net

- Pale Moon guru
- Posts: 37762
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: CVE-2024-9680: Use-after-free in Animation timeline
It still warrants investigation even if at first glance it is an electrolysis sec bug (one of hundreds found by now...). If it's not immediately related to or dependent on the messaging/IPC then it can still be applicable to a single-process application. A "content process crash" would in that case simply be an "application crash", instead, but still potentially exploitable.
Usually the mention specifically of a "content process" leans towards e10s-related but it still needs to be looked at, but it's not an immediate disqualifier.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite