My Browser Builds (Part 4)



2 hours ago, PPeti66x said:

@roytam1

Another problem found in NM27 (current version - 16.9.2023): wikipedia triggers an instant crash. Previous version (9.9.2023) is OK.

thanks, found a missing patch https://github.com/roytam1/palemoon27/commit/113bf758b922412eb5ca93ed258f68c79eebfbf3

it will work again in next build.

EDIT: archives of NM27/KMG/45ESR are replaced.

Edited by roytam1


On 9/12/2023 at 9:22 AM, roytam1 said:

webp CVE is scary, ported changes of https://github.com/webmproject/libwebp/compare/7ba44f80f3b94fc0138db159afea770ef06532a0...95ea5226c870449522240ccff26f0b006037c520 will be in NM27/mozilla45esr/SP55/UXP in next build. (libwebp in NM26 is too old to get changes ported so no clue for it)

Yeah, this is crossing-the-streams bad. It doesn't just affect browsers, and it doesn't just affect Windows. I just updated two iOS devices, but my old Android 6.0 phone appears to be SOL. I disabled image.webp.enabled in FF on that phone.

Despite recent withdrawal of support, Win 7/8/8.1 users are mostly OK. M$ Edge 109 was updated (and the update was somewhat spookily pushed to my PC); I haven't checked but I assume Chrome 109 was updated too. Mozilla published an update to FF 102 ESR. And official Pale Moon was updated.

Outside the browser world it's tougher. I found no Win 7 update for GIMP, or libwebp-7.dll, the afflicted code library. Edit: IrfanView may have an updated version. I'll check it out.

On XP/Vista, our FF/PM-based browsers are updated thanks to @roytam1, but Chromium users won't be so lucky. Supermium was just patched for Vista users though (version 118).


5 hours ago, Mathwiz said:

I just updated two iOS devices, but my old Android 6.0 phone appears to be SOL. I disabled image.webp.enabled in FF on that phone.

Firefox still targets Android 5.0.

https://www.apkmirror.com/apk/mozilla/firefox/firefox-117-1-0-release/firefox-fast-private-browser-117-1-0-3-android-apk-download/

Unless your phone has ARMv6 CPU.

Am I the only one that's not concerned?

Edited by UCyborg

59 minutes ago, feodor2 said:

Where to look actual how scary the CVE thing, for do i bother to updootes?

The page on the mozillas is "access denied"

many mozilla security bugzilla entries are limited to mozilla security members to view.


6 hours ago, UCyborg said:

Firefox still targets Android 5.0.

https://www.apkmirror.com/apk/mozilla/firefox/firefox-117-1-0-release/firefox-fast-private-browser-117-1-0-3-android-apk-download/

Unless your phone has ARMv6 CPU.

Am I the only one that's not concerned?

No, you are not the only one.
:OT
I use the following browsers on my Android 9.0 tablet with a Mediatek MT8163 CPU: Opera, Kiwi, Brave, Firefox and very rarely Chrome. TBH, I don't like the pure Android Chrome browser. Opera and Kiwi are much better. In Kiwi, you can even use extensions, which is impossible in the pure Android Chrome browser. So, I am able to use uBlock Origin to get rid of ads. Same in Firefox :P Opera has a built-in ad blocker. Firefox is in the version 117.1.0 and if I understood correctly, this version is not affected. Right? :dubbio:
:End of OT

Edited by AstroSkipper
Update of content

2 hours ago, roytam1 said:

many mozilla security bugzilla entries are limited to mozilla security members to view.

The Chromium issue is also "Permission denied" (even when logged in with Google account)

And yes, it is scary:

https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/

Quote
Impact: critical

Description: Opening a malicious WebP image could lead to a heap buffer overflow in the content process. We are aware of this issue being exploited in other products in the wild.

From:

https://stackdiary.com/critical-vulnerability-in-webp-codec-cve-2023-4863/:

Quote

If you're interested, you can read this report from Citizen Lab (September 7) on a zero-click exploit they found in the wild. Subsequently, Apple made an update (September 7) to their ImageIO library and called it a "buffer overflow" (I linked it further down below) but Apple never assigned it a CVE, instead they disclosed it with Google first who then issued the fix (September 11).

(it was a Zero-Click, Zero-Day Exploit from the infamous NSO Group, known for the Pegasus spyware)

On Wikipedia you can find a list of software that uses libwebp:

https://en.wikipedia.org/wiki/WebP#Support

Edited by nicolaasjan

3 hours ago, AstroSkipper said:

I use the following browsers on my Android 9.0 tablet with a Mediatek MT8163 CPU: Opera, Kiwi, Brave, Firefox and very rarely Chrome

I only use older 4.3.4 version of Via in conjunction with Chromium WebView (Android System WebView), conventional browsers consume too much memory. Though WebView also keeps getting bigger and bigger...while 1 GB of RAM on my phone isn't!

Software today is like capitalism - infinite growth on finite planet.

3 hours ago, AstroSkipper said:

So, I am able to use uBlock Origin to get rid of ads. Same in Firefox :P Opera has a built-in ad blocker.

Some of these WebView based browsers also have built-in ad blocker. Via uses AdBlock Plus lists. Or you can use AdGuard's DNS server.

3 hours ago, AstroSkipper said:

Firefox is in the version 117.1.0 and if I understood correctly, this version is not affected. Right? :dubbio:

Correct.

Edited by UCyborg

6 hours ago, UCyborg said:

Or you can use AdGuard's DNS server.

:OT
I use additionally the app AdGuard, which filters the whole traffic of my tablet via a local VPN connection. But I use it only on demand. Very effective.
:End of OT

Edited by AstroSkipper

16 hours ago, feodor2 said:

Where to look actual how scary the CVE thing, for do i bother to updootes?

The page on the mozillas is "access denied"

GitHub has a mirror of libwebp at https://github.com/webmproject/libwebp. You should be able to pull updated code from there.

What's scary about it is, you don't even have to download and run anything. Just visit a Web page with a malicious image and bam - you're infected. And a malicious image could even be on a legit Web site if the site owner were hacked.

Browsers generally trust images and download them automatically; after all, downloading an image should be safe (even if not safe for work).

Heck - someone could just email you a malicious WebP image. Most email clients will block connecting to the Web to download an image, for privacy reasons, but if the image is embedded in the email itself and your email client isn't updated, you're screwed.

13 hours ago, AstroSkipper said:

Firefox is in the version 117.1.0 and if I understood correctly, this version is not affected. Right?

Right. Per Mozilla, Security Vulnerability fixed in Firefox 117.0.1, Firefox ESR 115.2.1, Firefox ESR 102.15.1, Thunderbird 102.15.1, and Thunderbird 115.2.2

(the ESR 102 version fixes are for Win 7/8/8.1 users)

12 hours ago, nicolaasjan said:

<offtopic> IrfanView updated its webp plugin:

Yes, I saw that and downloaded it. LibWebP 1.3.2 has the fix.

Unfortunately it didn't help me with GIMP. Their DLLs are somewhat different, so I couldn't just copy over.

Cygwin just updated their libWebP to 1.3.2. Theirs might work with GIMP.</offtopic>

One more. Not many folks use the Adobe Flash browser plug-in any more, but if you do, you'd better update it too: https://gitlab.com/cleanflash/installer/-/releases/34.0.0.301

This is quite a mess.

Edited by Mathwiz
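
An added example, not part of any post in this thread: one way to check whether a standalone libwebp library (such as the libwebp-7.dll mentioned above) is at or above 1.3.2, the release the thread identifies as carrying the fix. It calls libwebp's `WebPGetDecoderVersion()` through ctypes; the helper names are made up for this example, and the library paths are whatever you pass on the command line.

```python
import ctypes
import sys

# Thread: "LibWebP 1.3.2 has the fix" (CVE-2023-4863).
FIXED_VERSION = (1, 3, 2)


def unpack_version(packed):
    """Split the int from WebPGetDecoderVersion() (0xMMmmrr) into a tuple."""
    return ((packed >> 16) & 0xFF, (packed >> 8) & 0xFF, packed & 0xFF)


def has_fix(version, fixed=FIXED_VERSION):
    """True when version (major, minor, revision) is at or above the fix."""
    return tuple(version) >= tuple(fixed)


def query_library(path):
    """Load the shared library at path and ask it for its decoder version."""
    lib = ctypes.CDLL(path)
    func = lib.WebPGetDecoderVersion  # AttributeError if not a libwebp build
    func.restype = ctypes.c_int
    func.argtypes = []
    return unpack_version(func())


def report(path):
    """Return a one-line verdict for the library at path."""
    try:
        version = query_library(path)
    except (OSError, AttributeError) as exc:
        return f"{path}: could not query ({exc})"
    text = ".".join(str(part) for part in version)
    verdict = "has the fix" if has_fix(version) else "older than 1.3.2, update it"
    return f"{path}: libwebp {text}, {verdict}"


if __name__ == "__main__":
    # Paths are supplied by the user, e.g. the libwebp DLL shipped with an app.
    for library_path in sys.argv[1:]:
        print(report(library_path))
```

Loading a library runs its initialisation code, so point this only at files from an install you already trust, and use an interpreter of the same bitness as the DLL. A version below 1.3.2 is not proof of exposure where a vendor has backported the fix, and applications that link libwebp statically are not covered by this check.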

On 9/9/2023 at 6:02 AM, Mathwiz said:

Although I'm not very concerned about the lack of sec fixes, for me the bigger concern is, as we go forward, further breakages like the one in the 20230902 build. Since e10s is a "relic" that hasn't been part of "official" UXP in ages, MCP obviously won't be testing their changes in that environment!

This time, it was easy to revert the change that broke e10s. Next time we might not be so lucky, and I'll have to start running the 64-bit version so I can have one gargantuan process....

Your fears are completely justified...
Now in multiprocess mode, basilisk52-g4.8.win32-git-20230916 is absolutely non-functional! :(

