[Tony-E]

A chemspill release to address a security issue will be released tomorrow.

As well as Firefox 10.0.2, there will be updates to Firefox ESR 10.0.2, Firefox 3.6.27, beta builds & mobile builds.

[makaiguy]

Will this be needed for Thunderbird, too?

[Tony-E]

Will this be needed for Thunderbird, too?

Yes

[WaltS48]

What is the security issue that is being fixed?

I didn't see any mention of a chemspill release in the recent meeting notes.

https://wiki.mozilla.org/Firefox/Planning/2012-02-15

[Chris Wood]

http://techdows.com/2012/02/firefox-10- ... eased.html

[michaell522]

http://techdows.com/2012/02/firefox-10-0-2-released.html

Hrm... not sure where they got that information from - the linked bugs seem to have been fixed in 10.0.0.

The only change between 10.0.1 and 10.0.2 is a security fix for an integer overflow in libpng - bug 727401 (currently restricted). The problem means that it's possible for memory to get overwritten by a malformed PNG file, which could be exploited to execute code with the privileges of the browser.

As the bug is in libpng, this also affects other software - Chrome and various Linux distros also have patches out. It's CVE-2011-3026. Mozilla will presumably publish an advisory shortly.

I didn't see any mention of a chemspill release in the recent meeting notes.

Looks like the details of the vulnerability were published on Wednesday afternoon, after that meeting.

[Chris Wood]

They linked to https://www.mozilla.org/en-US/mobile/10 ... easenotes/ and talked as if it applied to desktop as well?

[michaell522]

They linked to https://www.mozilla.org/en-US/mobile/10 ... easenotes/ and talked as if it applied to desktop as well?

Well, yes, but if you look at the 10.0.0 notes https://www.mozilla.org/en-US/mobile/10.0/releasenotes/ you can see that everything is already there, except the security fixes.

[WaltS48]

Thanks for the info.

I get skeptical when someone reports it without a link to supporting information.

[michaell522]

Mozilla has now posted the advisory:
http://blog.mozilla.com/security/2012/0 ... 2011-3026/

The libpng graphics library, used by Firefox and Thunderbird as well as many other software packages, contains an exploitable integer overflow bug. An attacker could craft malicious images which exploit this bug, and deliver them to users through websites or email messages.

This bug is remotely exploitable and can lead to arbitrary code execution. Firefox, Thunderbird and Seamonkey users could be attacked simply by displaying a maliciously crafted image.

(If you'd like your software to be remotely exploited via any webpage or email, then you don't have to update... I think I will)

[Kevin McFarlane]

My Linux install cannot update itself automatically even if it tried because it doesn't have sufficient permissions. root and all that ...

Ditto Win 7 as standard user.

[LoudNoise]

Locking temp for surgery

[LoudNoise]

I split all the off topic stuff to here: viewtopic.php?f=7&t=2430305

Opinions about frequency of updates should continue there.

Reopened

[Frank Lion]

10.0.2 is now out on Firefox 10 ESR.