### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: It reliably crashes on browser quit due to access to freed memory.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No
* **Which older supported branches are affected by this flaw?**: all
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: Yes
* **If not, how different, hard to create, and risky will they be?**: No risk, we just properly release the referenced object. It's the same for the ESR line. Seems to depend on the Gtk3 library version and not on Firefox itself.
* **How likely is this patch to cause regressions; how much testing does it need?**: It crashes the browser on quit, I can't imagine what other regression can be caused.
* **Is Android affected?**: No
Bug 1811637 Comment 14 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: It reliably crashes on browser quit due to access to freed memory. The crash happens because the ATK toolkit accesses (via a DBus callback) an already deleted GtkWidget.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No
* **Which older supported branches are affected by this flaw?**: all
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: Yes
* **If not, how different, hard to create, and risky will they be?**: No risk, we just properly release the referenced object. It's the same for the ESR line. Seems to depend on the Gtk3 library version and not on Firefox itself.
* **How likely is this patch to cause regressions; how much testing does it need?**: It crashes the browser on quit, I can't imagine what other regression can be caused.
* **Is Android affected?**: No
### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: It reliably crashes when any Firefox window is closed due to access to freed memory. The crash happens because the ATK toolkit accesses (via a DBus callback) an already deleted GtkWidget which holds the Firefox main window.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: No
* **Which older supported branches are affected by this flaw?**: all
* **If not all supported branches, which bug introduced the flaw?**: Seems to be caused by the Gtk3 library, which doesn't clear the GtkWidget reference from the ATK object. It happens for custom GtkWidgets which don't call the stock (and private) gtk_widget_real_destroy() but only gtk_widget_finalize(). gtk_widget_finalize() doesn't clear the back reference from the ATK object to the GtkWidget, so when the ATK object is used (after the GtkWidget is freed) the freed GtkWidget is accessed.
* **Do you have backports for the affected branches?**: Yes
* **If not, how different, hard to create, and risky will they be?**: No risk, we just clear the GtkWidget reference from the ATK object so the callback is not performed. It's the same for the ESR line.
* **How likely is this patch to cause regressions; how much testing does it need?**: Should not cause a regression, as it already crashes the whole browser.
* **Is Android affected?**: No
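The mechanism the comment describes (an ATK accessible object keeping a back reference to a widget that only ran its finalize path, so a later callback dereferences freed memory, and the fix of clearing that reference first) modelled in plain C as an added example. This is not code from the bug, from the Firefox patch, or from GTK: the `Widget`/`Accessible` structs, `widget_finalize_buggy`, `widget_finalize_fixed` and the poison-instead-of-free release are constructed for the demo, and the comment that GTK clears the real back reference through `gtk_accessible_set_widget()` is this editor's assumption about the GTK3 API, not something the bug states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Demo model (not GTK code): a widget and its accessible (ATK) object.
 * The accessible keeps a back pointer to the widget, as GtkAccessible does. */
typedef struct Widget Widget;

typedef struct {
    Widget *widget;   /* back reference; must be NULL once the widget is gone */
} Accessible;

struct Widget {
    char name[32];
    Accessible *accessible;
};

static Widget *widget_new(const char *name)
{
    Widget *w = calloc(1, sizeof *w);
    Accessible *a = calloc(1, sizeof *a);
    if (!w || !a)
        abort();
    strncpy(w->name, name, sizeof w->name - 1);
    w->accessible = a;
    a->widget = w;    /* the back reference (assumed: gtk_accessible_set_widget() in real GTK) */
    return w;
}

/* Demo-only release: real code would free() here. The block is poisoned and kept
 * so that a stale pointer can be inspected without undefined behaviour. */
#define POISON 0xAA
static void widget_release(Widget *w)
{
    memset(w, POISON, sizeof *w);
}

/* Models a custom widget that runs only the finalize path: the widget is released
 * but the accessible still points at it (the bug the comment describes). */
static void widget_finalize_buggy(Widget *w)
{
    widget_release(w);
}

/* Models the fix: clear the accessible's back reference before the widget goes away. */
static void widget_finalize_fixed(Widget *w)
{
    if (w->accessible)
        w->accessible->widget = NULL;   /* assumed real-GTK equivalent: gtk_accessible_set_widget(acc, NULL) */
    widget_release(w);
}

static int looks_freed(const Widget *w)
{
    const unsigned char *p = (const unsigned char *)w;
    for (size_t i = 0; i < sizeof *w; i++)
        if (p[i] != POISON)
            return 0;
    return 1;
}

/* Models a late ATK request (e.g. a D-Bus "get name" call) arriving after the
 * widget is gone. Returns the name, or "(no widget)" when the reference was
 * cleared; *touched_freed reports whether released memory would have been read. */
static const char *accessible_get_name(const Accessible *a, int *touched_freed)
{
    *touched_freed = 0;
    if (a->widget == NULL)
        return "(no widget)";           /* fixed path: callback is a safe no-op */
    if (looks_freed(a->widget)) {
        *touched_freed = 1;             /* with a real free() this is the use-after-free */
        return "(use-after-free)";
    }
    return a->widget->name;
}

/* One "close window" scenario; returns 1 if the late callback hit released memory. */
static int scenario_touches_freed(int use_fixed_finalize)
{
    Widget *w = widget_new("firefox-main-window");
    Accessible *a = w->accessible;      /* the ATK/D-Bus side keeps holding this */
    if (use_fixed_finalize)
        widget_finalize_fixed(w);
    else
        widget_finalize_buggy(w);
    int touched;
    accessible_get_name(a, &touched);
    free(a);
    free(w);                            /* only the user block was poisoned, so free() is fine */
    return touched;
}

int main(void)
{
    printf("buggy finalize: callback touches freed memory = %d\n", scenario_touches_freed(0));
    printf("fixed finalize: callback touches freed memory = %d\n", scenario_touches_freed(1));
    return 0;
}
```

The poison-and-inspect release stands in for the allocator so the stale read is observable in a defined way; against a real `free()` the same dangling back reference is what a sanitizer (ASan) would flag as a heap-use-after-free when the D-Bus callback fires.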