Cherry-pick fixes to angle-66
Categories
(Core :: Graphics: CanvasWebGL, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | 68+ | fixed |
| firefox66 | --- | wontfix |
| firefox67 | --- | wontfix |
| firefox68 | --- | unaffected |
People
(Reporter: jgilbert, Assigned: jgilbert)
References
(Regression)
Details
(Keywords: regression, sec-high, Whiteboard: [post-critsmash-triage])
Attachments
(1 file, 1 obsolete file)
|
12.67 KB,
patch
|
RyanVM
:
approval-mozilla-esr60+
|
Details | Diff | Splinter Review |
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 1•5 years ago
|
||
|
|
Assignee | |
Comment 2•5 years ago
|
||
|
|
Assignee | |
Comment 3•5 years ago
|
||
Comment on attachment 9063958 [details]
Bug 1550655 - Cherry-pick fixes to angle-66.
Beta/Release Uplift Approval Request
- User impact if declined: sec-high, sec-high, sec-moderate
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Low, but not zero risk. We're taking these as cherry-picks, so while they seem to pass our tests, and they're the fixes taken upstream, non-trivial cherry-picks are inherently somewhat risky.
- String changes made/needed: none
|
||
Comment 4•5 years ago
|
||
I believe per https://wiki.mozilla.org/Security/Bug_Approval_Process that this patch should get sec-approval+ before uplifting so as that it gets on our security team radar. Jeff could you request it please? Thanks
|
|
Assignee | |
Comment 5•5 years ago
|
||
Comment on attachment 9063958 [details]
Bug 1550655 - Cherry-pick fixes to angle-66.
Security Approval Request
- How easily could an exploit be constructed based on the patch?: The main one that's obvious is the 2GB limit this adds, so exploiting it would just be a matter of creating a too-large buffer. That said, it's more of a vector than an exploit ready-to-go.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: esr60
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Should be fairly easy to create.
- How likely is this patch to cause regressions; how much testing does it need?: Low non-zero regression risk. We have quite good CI coverage, but we don't have an opportunity to bake these changes on Nightly first. (Nighly68 got an whole-ANGLE update. While that includes these patches, cherry-picks are always somewhat risky.
|
|
||
Comment 6•5 years ago
|
||
Comment on attachment 9063958 [details]
Bug 1550655 - Cherry-pick fixes to angle-66.
This is coming way too late (we are building RC today) for 67 and it seems risky to me as we have zero bake time on Beta to make sure we are not breaking the web, so I am not going to take these uplifts, sorry.
|
||
Comment 7•5 years ago
|
||
Comment on attachment 9063958 [details]
Bug 1550655 - Cherry-pick fixes to angle-66.
sec-approval for trunk so we don't have to manually merge to beta after we fork shortly. These are known issues.
I agree that this isn't necessarily safe to shove into the release at the last moment.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 10•5 years ago
|
||
Since 67 went WONTFIX, I don't think we should land this on ESR60 until 68 hits release. Does that sound right :dveditz?
|
|
Assignee | |
Comment 11•5 years ago
|
||
Offline discussion with dveditz concluded that we'd aim for ESR60 when we hit Release68, next cycle.
|
||
Comment 12•5 years ago
|
||
I'm a bit confused about the status of this bug. Wouldn't we want to get this on ESR60 now so it ships in the 60.8esr release alongside Fx68? If so, we should proceed with an ESR60 approval request.
|
|
Assignee | |
Comment 13•5 years ago
|
||
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high
- User impact if declined: sec-high UAFs, fixed and published in Chrome.
- Fix Landed on Version: none, unaffected on 68
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): There's some risk the UAF fix for the VAO unbinding is insufficient. (cherry-pick was a little messy due to age of ANGLE in ESR60)
- String or UUID changes made by this patch: none
|
|
Assignee | |
Comment 14•5 years ago
|
||
I ran the provided test for "Fix OOB access for dynamic attribs with offsets" after cherry-pick conflicts and it passed.
|
|
||
Comment 16•5 years ago
|
||
Comment on attachment 9073727 [details] [diff] [review] 0001-Bug-1550655-Cherry-pick-fixes-for-angle-66.-r-lsalzm.patch Fixes some known ANGLE security issues via upstream cherry-picks. Fx68 already has these fixes via a wholesale upstream update. Approved for 60.8esr so the fixes go out to all users at the same time.
|
|
||
Comment 17•5 years ago
|
||
| uplift | ||
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Updated•4 years ago
|
|
|
||
Updated•4 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
Description
•