On Mon, Mar 10, 2025 at 06:06:55PM -0500, Jacob Bachmeyer wrote:
> On 3/10/25 08:30, Valtteri Vuorikoski wrote:
> > [...] However the only issue ranked
> > critical only affects Android, looks like desktop versions top out at high.
>
> My understanding is that the issue was *reported* by the Android project,
> but it affects *ALL* builds, including desktop.
The timeline basically looks like this:

- CVE-2024-43768, CVE-2024-43767 and CVE-2024-43097 were fixed in the December Android update and are in Skia, a 2D graphics library which is also bundled by Firefox/Thunderbird
- These CVEs appeared in the CVE feed on 2025-01-02 and when triaging incoming security issues for Debian, I noticed that while Firefox was fixed via some rebase to a newer version of Skia, these fixes were missing in Firefox ESR 128, which hadn't seen the respective Skia rebase (since these fixes were not identified as security-relevant)
- I reported these to the Mozilla security team on 2025-01-09
- On 2025-02-03 they confirmed that CVE-2024-43768 and CVE-2024-43767 are in code which isn't exercised in Firefox
- On 2025-03-04 the Firefox/Thunderbird 128.8 releases were published which include a fix for CVE-2024-43097

Cheers,
Moritz