CVE-2019-11707 (Firefox) and Pale Moon

terranigma

CVE-2019-11707 (Firefox) and Pale Moon

Unread post by terranigma » 2019-06-20, 08:34

A remote code execution exploit has surfaced on the Firefox side. All versions prior to Firefox 60.7.1 and 67.0.3 are affected. As far as I know, Pale Moon 28 is based on Firefox 57. Is there any info regarding Pale Moon and this CVE?

roytam1

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by roytam1 » 2019-06-20, 09:17

You may check this out: https://twitter.com/palemoonbrowser/sta ... 2260123648

BTW UXP is forked from gecko-52.6.0, not 57.

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by Moonchild » 2019-06-20, 10:05

terranigma wrote (2019-06-20, 08:34):
> All versions prior to Firefox 60.7.1 and 67.0.3 are affected.
Incorrect. All supported branches of Firefox prior to those versions are affected (meaning 60ESR and the current release).
This does not go back as far as our fork point because it became vulnerable with one of the JS refactoring sprees Mozilla did.

I've analyzed the issue and we aren't vulnerable to this exploit because we do not crash at all (let alone in an exploitable way). None of the UXP applications are vulnerable to this because it's in the shared JS platform component.

As an aside, it's peculiar that this is actually used in the wild. It's a Google Zero Day initiative exploit that was found through fuzzing in April (which starts a 90 day countdown for public exposure of the details). It's extremely unlikely that someone outside of the investigating team hit the same fuzzing parameters to trigger this (since by design fuzzing is random), so this may have been leaked on purpose.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

New Tobin Paradigm

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by New Tobin Paradigm » 2019-06-20, 12:24

I'd be interested in exactly when this refactoring change exposed this.

Moonchild

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by Moonchild » 2019-06-20, 13:18

New Tobin Paradigm wrote (2019-06-20, 12:24):
> I'd be interested in exactly when this refactoring change exposed this.
Looks like it was exposed in Firefox 56.

Fedor2

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by Fedor2 » 2019-06-24, 12:40

https://news.ycombinator.com/item?id=20221327
They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.

So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

roytam1

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by roytam1 » 2019-06-24, 12:54

Fedor2 wrote (2019-06-24, 12:40):
> https://news.ycombinator.com/item?id=20221327
> They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
>
> So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

Port the commit yourself and compile it. :)
I did mine :)
https://github.com/roytam1/palemoon27/c ... e22d040db1
https://github.com/roytam1/basilisk55/c ... 286d0e7591

Moonchild

Re: CVE-2019-11707 (Firefox) and Pale Moon

Unread post by Moonchild » 2019-06-24, 12:55

Fedor2 wrote (2019-06-24, 12:40):
> https://news.ycombinator.com/item?id=20221327
> They said that all versions of Firefox >= 38.0a1 (21 Apr 2015) might be vulnerable.
>
> So what about non-UXP versions such as Pale Moon 27 and Basilisk 55?

They are wrong. I already analyzed this and it was exposed as a vulnerability in Firefox 56.
The sensitive code may have been introduced that far back, but as long as it's not actually exposed, there is no issue and no vulnerability. So their "might be vulnerable" is theoretical. My "is not vulnerable" is practical.

Of course it can't hurt to port as a defense-in-depth measure (we've done that on UXP too) but it's not critical in any way.
