### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: Unknown
* **Which older supported branches are affected by this flaw?**: Firefox 53+, ESR 60, ESR 68
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: They should be trivial to create, apply, and are low risk.
* **How likely is this patch to cause regressions; how much testing does it need?**: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.

Bug 1580156 Comment 16 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: Unknown
* **Which older supported branches are affected by this flaw?**: all (this landed in FFx 53)
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: They should be trivial to create, apply, and are low risk.
* **How likely is this patch to cause regressions; how much testing does it need?**: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.

### Security Approval Request

* **How easily could an exploit be constructed based on the patch?**: I am not sure. There are a number of ways that a new thread could be spawned via JS interaction, starting a desktop capture, starting a call etc. These uses have different thread names that are all, as far as I can tell, string literals. There is very little control over the inputs to that function. Investigating this by looking at the code is made difficult by: 1) the number of places this can be triggered in the library, when we probably only exercise a small subset of them, and 2) the number of layers of indirection and proxy classes within the library.
* **Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?**: Unknown
* **Which older supported branches are affected by this flaw?**: all (this landed in FFx 53)
* **If not all supported branches, which bug introduced the flaw?**: None
* **Do you have backports for the affected branches?**: No
* **If not, how different, hard to create, and risky will they be?**: They should be trivial to create and apply, and they are low risk.
* **How likely is this patch to cause regressions; how much testing does it need?**: Probably fairly low, as it is code that exists elsewhere in the tree. I have only tested this on my personal Windows 10-64bit machine, and have not pushed to try to test other Windows build targets.