Marking invalid per comment #1.
** Information type changed from Private Security to Public Security
** Changed in: firefox (Ubuntu)
Status: New => Invalid
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1594034
Title:
Firefox and Thunderbird possibly affected by CVE-2016-3190
Status in firefox package in Ubuntu:
Invalid
Bug description:
Firefox comes along with a heavily patched version of libcairo 1.9.5.
That holds true even for Firefox 47.0 which comes shipped with Ubuntu
16.04. It should also hold true for all versions of Firefox back to
~2010 at least.
According to
https://www.suse.com/security/cve/CVE-2016-3190.html
https://www.cvedetails.com/cve/CVE-2016-3190/
all versions of cairo before 1.14.2 are affected by CVE-2016-3190.
That would include many Firefox versions.
To my knowledge, Ubuntu builds Firefox and Thunderbird packages
against Mozilla's patched libcairo 1.9.5 which is in their
mercurial repo in gfx/cairo/cairo. The libcairo2 Ubuntu/Debian
package is not used for compilation (I tried it out via
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/802942).
Please check if CVE-2016-3190 is patched in mozilla-upstream and if
CVE-2016-3190 could somehow be used by attackers.
It could also be that the whole issue is just SuSE related, but I
think this is not very likely.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1594034/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
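The report above turns on whether a given Firefox or Thunderbird build takes cairo from the system libcairo2 package or from the copy bundled in gfx/cairo/cairo. A bundled cairo is compiled into libxul.so, so that library carries no DT_NEEDED entry for libcairo.so.2; a build against the system package does. The script below is an added example for checking that on an installed build, not code from the bug report or from Mozilla/Ubuntu. The path /usr/lib/firefox/libxul.so and the two sample NEEDED lists are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): tell whether an ELF object such as
# libxul.so is linked against the system libcairo.so.2 or carries its own
# (bundled) cairo. Requires objdump from binutils for the live check.

# Print the DT_NEEDED entries of an ELF object, one per line.
# readelf -d would give the same information with a different layout.
needed_libs() {
    objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
}

# Read NEEDED entries from stdin. Print "system" when libcairo.so.2 is among
# them. Print "bundled-or-none" otherwise: a missing entry means the object
# either compiles cairo in (as Mozilla's in-tree gfx/cairo/cairo does) or does
# not use cairo at all, so a version-specific CVE in the system libcairo2 does
# not apply to it through dynamic linking.
classify_cairo_linkage() {
    if grep -q '^libcairo\.so\.2' ; then
        echo system
    else
        echo bundled-or-none
    fi
}

# Constructed sample NEEDED lists (not captured from any real build).
SAMPLE_SYSTEM_CAIRO='libc.so.6
libcairo.so.2
libpixman-1.so.0'
SAMPLE_BUNDLED_CAIRO='libc.so.6
libgtk-3.so.0
libpixman-1.so.0'

# Live check of the installed library when present. Path is an assumption
# (Ubuntu's firefox package); adjust for Thunderbird or other layouts.
XUL=/usr/lib/firefox/libxul.so
if [ -r "$XUL" ]; then
    echo "$XUL: cairo linkage = $(needed_libs "$XUL" | classify_cairo_linkage)"
fi
```

Run it on a host with the firefox package installed; "bundled-or-none" for libxul.so is consistent with the reporter's observation that the system libcairo2 is not used, and it means the question of whether a cairo CVE applies has to be answered against Mozilla's in-tree copy rather than the libcairo2 package version.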