CVE-2019-11707 (Firefox) and Pale Moon

terranigma
Apollo supporter
Posts: 41
Joined: 2018-03-10, 01:46

Post by terranigma » 2019-06-20, 08:34

A remote code execution exploit has surfaced on the Firefox side. All versions prior to Firefox 60.7.1 and 67.0.3 are affected. As far as I know, Pale Moon 28 is based on Firefox 57. Is there any info regarding Pale Moon and this CVE?

roytam1
Fanatic
Posts: 169
Joined: 2015-03-11, 07:01
Location: Hong Kong

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by roytam1 » 2019-06-20, 09:17

You may check this out: https://twitter.com/palemoonbrowser/sta ... 2260123648

BTW UXP is forked from gecko-52.6.0, not 57.

Moonchild
Pale Moon guru
Posts: 27068
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Moonchild » 2019-06-20, 10:05

terranigma wrote (2019-06-20, 08:34):
> All versions prior to Firefox 60.7.1 and 67.0.3 are affected.
Incorrect. All supported branches of Firefox prior to those versions are affected (meaning 60ESR and the current release).
This does not go back as far as our fork point because it became vulnerable with one of the JS refactoring sprees Mozilla did.

I've analyzed the issue and we aren't vulnerable to this exploit because we do not crash at all (let alone in an exploitable way). None of the UXP applications are vulnerable to this because it's in the shared JS platform component.

As an aside, it's peculiar that this is actually used in the wild. It's a Google Zero Day initiative exploit that was found through fuzzing in April (which starts a 90 day countdown for public exposure of the details). It's extremely unlikely that someone outside of the investigating team hit the same fuzzing parameters to trigger this (since by design fuzzing is random), so this may have been leaked on purpose.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose

New Tobin Paradigm
Off-Topic Sheriff
Posts: 7342
Joined: 2012-10-09, 19:37
Location: Binary Outcast

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by New Tobin Paradigm » 2019-06-20, 12:24

I'd be interested in exactly when this refactoring change exposed this.

Moonchild
Pale Moon guru
Posts: 27068
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Moonchild » 2019-06-20, 13:18

New Tobin Paradigm wrote (2019-06-20, 12:24):
> I'd be interested in exactly when this refactoring change exposed this.
Looks like it was exposed in Firefox 56.

Fedor2
Astronaut
Posts: 696
Joined: 2016-04-11, 01:26

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Fedor2 » 2019-06-24, 12:40

https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.

So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

roytam1
Fanatic
Posts: 169
Joined: 2015-03-11, 07:01
Location: Hong Kong

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by roytam1 » 2019-06-24, 12:54

Fedor2 wrote (2019-06-24, 12:40):
> https://news.ycombinator.com/item?id=20221327
> They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
>
> So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

Port the commit yourself and compile it. :)
I did mine :)
https://github.com/roytam1/palemoon27/c ... e22d040db1
https://github.com/roytam1/basilisk55/c ... 286d0e7591

Moonchild
Pale Moon guru
Posts: 27068
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: CVE-2019-11707 (Firefox) and Pale Moon

Post by Moonchild » 2019-06-24, 12:55

Fedor2 wrote (2019-06-24, 12:40):
> https://news.ycombinator.com/item?id=20221327
> They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
>
> So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

They are wrong. I already analyzed this and it was exposed as a vulnerability in Firefox 56.
The sensitive code may have been introduced that far back, but as long as it's not actually exposed, there is no issue and no vulnerability. So their "might be vulnerable" is theoretical. My "is not vulnerable" is practical.

Of course it can't hurt to port as a defense-in-depth measure (we've done that on UXP too) but it's not critical in any way.