Closed Bug 1799748 (CVE-2022-44638) Opened 2 years ago Closed 2 years ago

Evaluate libpixman CVE-2022-44638 fix

Categories

(Core :: Graphics, defect)

Tracking

RESOLVED FIXED
108 Branch
Tracking Status
Release | Tracking | Status
firefox-esr102 | 108+ | fixed
firefox106 | --- | wontfix
firefox107 | --- | wontfix
firefox108 | + | fixed

People

(Reporter: RyanVM, Assigned: RyanVM)

Attachments

(1 file)

libpixman 0.42.2 was recently announced with a fix for CVE-2022-44638.
https://lists.freedesktop.org/archives/pixman/2022-November/004994.html

The actual fix looks pretty simple if it's something that impacts Firefox.
https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395

I'll put up a patch for that to get the ball rolling.

Assignee: nobody → ryanvm
Status: NEW → ASSIGNED
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

The patch landed in nightly and beta is affected.
:RyanVM, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox107 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(ryanvm)

AFAWCT, this isn't critical enough to warrant a late uplift this cycle. We'll uplift it to ESR next cycle just for completeness' sake, however.

Flags: needinfo?(ryanvm)
See Also: → 1800187

Comment on attachment 9302587 [details]
Bug 1799748 - Backport fix for libpixman CVE-2022-44638. r=jfkthame

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Backport of an upstream security fix
  • User impact if declined: Not entirely clear how reachable this code actually is in Gecko, but the risk of the patch is basically zero so better safe than sorry
  • Fix Landed on Version: 108
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky):
Attachment #9302587 - Flags: approval-mozilla-esr102?

Comment on attachment 9302587 [details]
Bug 1799748 - Backport fix for libpixman CVE-2022-44638. r=jfkthame

Approved for 102.6esr

Attachment #9302587 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+
Duplicate of this bug: 1804356