Firefox and Thunderbird possibly affected by CVE-2016-3190
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| firefox (Ubuntu) |
Invalid
|
Undecided
|
Unassigned | ||
Bug Description
Firefox comes along with a heavily patched version of libcairo 1.9.5. That holds true even for Firefox 47.0 which comes shipped with ubuntu 16.04. It should also hold true with all versions of Firefox back to ~2010 at least.
According to
https:/
https:/
all versions of cairo before 1.14.2 are affected by CVE-2016-3190. That would include many Firefox versions.
To my knowledge, ubuntu builds Firefox and Thunderbird packages against against Mozilla's patched libcairo 1.9.5 which is in their mercurical repo in gfx/cairo/cairo. The libcairo2 ubuntu/debian package is not used for compilation (I tried it out via https:/
Please check if CVE-2016-3190 is patched in mozilla-upstream and if CVE-2016-3190 could somehow be used by attackers.
It could also be that the whole issue is just SuSE related, but I think this is not very likely.
CVE References
| Thomas Mayer (thomas303) wrote | #1 |
| Tyler Hicks (tyhicks) wrote | #2 |
| information type: | Private Security → Public Security |
| Changed in firefox (Ubuntu): | |
| status: | New → Invalid |
As far as I can see, cairo-image-
Plus, is there no function fill_xrgb32_
I guess cairo-image-
I think this issue can be closed then. FF seems not to be affected by CVE-2016-3190.