Closed Bug 1764170 Opened 3 years ago Closed 3 years ago

Expat vulnerabilities of 2022

Categories

(Core :: XML, defect)


RESOLVED DUPLICATE of bug 1754724

People

(Reporter: ar-tmp+mozilla, Unassigned)

Details

Steps to reproduce:

According to [1], for instance, CVE-2022-23852 of libexpat is relevant for Thunderbird (and also Firefox). Fedora has recently added some patches for the embedded expat library to resolve CVE-2022-25235, CVE-2022-25236 and CVE-2022-25315, see [2].

If the libexpat vulnerabilities apply both to Thunderbird and Firefox, they should be fixed, I guess.

[1] https://ubuntu.com/security/CVE-2022-23852
[2] https://src.fedoraproject.org/rpms/thunderbird/tree/rawhide

Flags: needinfo?(mkmelin+mozilla)

This seems to be a webrtc dependency.

Component: Untriaged → WebRTC
Flags: needinfo?(mkmelin+mozilla)
Product: Thunderbird → Core
Version: Thunderbird 91 → unspecified

Other bugs on expat, such as #741713 and #1713841, have the component XML assigned.

From what @mjf and I can tell, our WebRTC code does not depend on libexpat.

The imported third_party/libwebrtc folder contains files we use and some we don't, and we don't see libexpat in any of our third_party/libwebrtc moz.build files or BUILD.gn files...

...except for third_party/libwebrtc/build/config/android/internal_rules.gni which we're apparently executing parts of, but the path names it is building using that library list do not exist in our tree (third_party/android_build_tools/art/lib/), and some asserts confirmed that the template (template("dex")) that uses _default_art_libs is not used when we generate build files.

But thanks for running it by us, as it was a good thing to check!

Component: WebRTC → XML
Group: dom-core-security

I think we've addressed this in bug 1754724.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE

Thanks for the clarification and the fix.

FYI: this (expat in combination with Firefox and Thunderbird) has been (partially) covered by at least some German news site on January 28th in 2022: https://heise.de/-6341560.

As I do not have access to the referenced other bug: are you allowed to give me an estimate on when this will land in the releases? Fedora still ships their patches with the current Thunderbird 91.8.0 release.

It looks like the patch was first shipped in Firefox 91.7esr.

https://hg.mozilla.org/releases/mozilla-esr91/rev/c084e1e90301ca414be9dee690a3ca9ebc2a0a0e
and a few other commits at the same time

Group: dom-core-security