Sec-Affects B2G 2.2
- Resolution: FIXED
- Classification: Client Software, Components
- Keywords: sec-critical, sec-high, sec-moderate, sec-other,
- Group: core-security
- Whiteboard: [b2g-adv-main2.2
- status-b2g-v2.2: affected, verified, fixed
255 bugs found.
ID | Product | Comp | Status▲ | Summary | status-firefox37 | status-b2g-v2.2 | status-b2g-v2.1 | Whiteboard | Keywords |
---|---|---|---|---|---|---|---|---|---|
1172397 | Core | WebRTC: Audio/Video | RESO |
Replaying a HTMLMedia |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+] | sec-moderate |
1092025 | Core | Audio/Video | RESO |
Potential UAF in Media |
fixed | fixed | unaffected | [b2g-adv-main2.2-] | csectype-uaf, sec-high |
1036399 | Core | DOM: Security | RESO |
Multiple CSP policies should be combined towards an inter |
--- | fixed | fixed | [b2g-adv-main2.2-][post-critsmash-triage] | sec-moderate |
1185033 | NSS | Libraries | RESO |
ASan: use-after-poison in PK11 |
--- | affected | wontfix | [post-critsmash-triage][b2g-adv-main2.5?][adv-main45+][adv-esr38.8+] | csectype-uaf, sec-high |
1141749 | Core | WebRTC: Signaling | RESO | Prevent SSRC collisions in local tracks | fixed | fixed | unaffected | [post-critsmash-triage] | sec-high |
1089207 | Core | WebRTC: Signaling | RESO | sipcc SDP parser can corrupt memory | --- | fixed | fixed | [adv-main34+][adv-esr31.3+] | csectype-bounds, sec-high |
1233346 | Core | WebRTC: Networking | RESO | Potential buffer overrun in Windows ICE interface name code | --- | affected | wontfix | [post-critsmash-triage][adv-main44+][adv-esr38.6+] | csectype-bounds, sec-high |
1123492 | Core | Audio/Video | RESO |
Track |
fixed | fixed | unaffected | csectype-uaf, sec-high | |
1086145 | NSS | Libraries | RESO |
NSS incorrectly permits skipping of Server |
wontfix | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+][b2g-adv-main2.2+] | sec-moderate |
1219339 | Core | WebRTC: Audio/Video | RESO |
Race condition in Get |
--- | affected | wontfix | [adv-main45+][post-critsmash-triage] | csectype-race, sec-high |
1130150 | Core | WebRTC: Audio/Video | RESO |
Audio |
fixed | fixed | fixed | [adv-main37+] | csectype-uaf, regression, sec-high |
1234571 | Core | WebRTC | RESO |
UAF in Mutex |
--- | affected | wontfix | [post-critsmash-triage][adv-main44+][adv-esr38.6+] | crash, csectype-uaf, sec-critical |
1190248 | NSS | Libraries | RESO |
mp |
--- | affected | wontfix | [post-critsmash-triage][b2g-adv-main2.5?][adv-main44+][adv-esr38.8+] see comment 27 for severity | sec-high |
1125025 | NSS | Libraries | RESO | ECC correctness issues | wontfix | fixed | fixed | [adv-main39+][adv-esr31.8+][adv-esr38.1+] | sec-moderate |
1090142 | Core | DOM: Workers | RESO |
Use After Free in Web |
--- | fixed | unaffected | [reporter-external] | csectype-uaf, regression, sec-critical |
1091962 | Core | DOM: Workers | RESO |
Use After Free in End |
fixed | fixed | unaffected | [b2g-adv-main2.2-] | csectype-uaf, regression, sec-critical |
1105194 | Core | DOM: Workers | RESO |
Use After Free in Dispatch |
fixed | fixed | unaffected | [reporter-external][b2g-adv-main2.2-] | csectype-uaf, sec-high |
1111971 | Core | DOM: Workers | RESO |
Use After Free in Web |
fixed | fixed | unaffected | [b2g-adv-main2.2-] | csectype-uaf, regression, sec-critical |
1112307 | Core | DOM: Core & HTML | RESO |
Web |
fixed | fixed | unaffected | sec-high | |
1123021 | Core | DOM: Workers | RESO |
Use After Free in Web |
fixed | fixed | unaffected | csectype-uaf, sec-critical | |
1166900 | Core | Networking: JAR | RESO |
Memory safety bug due to bad test in ns |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+] | csectype-bounds, sec-high |
1166924 | Core | DOM: Workers | RESO |
Use After Free in Canonicalize |
--- | fixed | fixed | [asan][adv-main39+][adv-esr38.1+][adv-esr31.8+] | csectype-uaf, sec-critical |
1167888 | Core | Networking: JAR | RESO |
ns |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+] | csectype-intoverflow, regression, sec-high |
1169867 | Core | DOM: Workers | RESO |
Use After Free in Canonicalize |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+][b2g-adv-main2.2+] | csectype-uaf, sec-critical |
1170809 | Core | DOM: Core & HTML | RESO |
Overflow in ns |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+] | csectype-intoverflow, sec-critical |
1172055 | Core | DOM: Core & HTML | RESO |
Overflow in ns |
--- | fixed | wontfix | [post-critsmash-triage][adv-main41+][adv-esr38.3+] | csectype-intoverflow, sec-moderate |
1185820 | Core | DOM: Workers | RESO |
Use After Free in XMLHttp |
--- | fixed | wontfix | [adv-main40+][adv-esr38.2+] | csectype-uaf, sec-high |
1155985 | Core | js-ctypes | RESO |
EXC |
--- | fixed | fixed | [adv-main39+] | sec-moderate |
1132468 | Core | Graphics: Color Mana | RESO | [qcms] heap info leak | fixed | fixed | wontfix | [adv-main37+] | sec-moderate |
1210413 | Core | DOM: Security | RESO |
anonymous CORS sends cookies to cross-origin redirects in |
--- | affected | affected | [b2g-adv-main2.5?] | sec-high |
1081703 | Core | Storage: IndexedDB | RESO |
crash in mozilla::dom::indexed |
--- | fixed | unaffected | [2.2-Daily-Testing] | crash, csectype-uaf, regression, sec-critical |
1122750 | Core | DOM: Core & HTML | RESO |
Crash [@ mozilla::detail::Atomic |
fixed | fixed | unaffected | [b2g-crash][caf-crash 442][caf priority: p1][CR 782853][adv-main36-] | crash, regression, sec-high |
1163109 | Core | DOM: Core & HTML | RESO | Inline JPEG images fail to load | --- | fixed | fixed | [pdfjs-c-ff-integration][adv-main39+][adv-esr38.1+][adv-esr31.8+] | csectype-priv-escalation, regression, sec-high |
1061600 | Core | JavaScript Engine | RESO |
Assertion failure: [infer failure] Missing type in object |
--- | fixed | fixed | [jsbugmon:][adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] | assertion, regression, sec-critical, testcase |
1084280 | Core | JavaScript Engine | RESO | Regexp freeze | --- | fixed | fixed | Fx 32-35 requires non-default pref to be vulnerable | regression, sec-critical, testcase |
1096026 | Core | JavaScript Engine | RESO |
Assertion failure: !is |
--- | fixed | unaffected | [jsbugmon:update,ignore][adv-main34+][b2g-adv-main2.2-] | assertion, regression, sec-high, testcase |
1124018 | Core | JavaScript: GC | RESO |
Intermittent test |
fixed | fixed | fixed | [adv-main36+][adv-esr31.5+][post-critsmash-triage] | crash, intermittent-failure, sec-moderate |
1125389 | Core | JavaScript Engine | RESO |
Change |
fixed | fixed | unaffected | [adv-main36+]sec-high for Caja | regression, sec-moderate |
1138199 | Core | JavaScript: GC | RESO |
Crash [@ js::Constraint |
fixed | fixed | fixed | [jsbugmon:][adv-main37+][adv-esr31.6+][post-critsmash-triage] | assertion, crash, regression, sec-high, testcase |
984467 | Core | DOM: Core & HTML | RESO |
Should ns |
--- | fixed | fixed | [adv-main35-][b2g-adv-main2.2-] | sec-moderate |
1092388 | Core | DOM: Core & HTML | RESO |
ns |
--- | fixed | fixed | [adv-main35-][adv-esr31.4-][embargo until bug 1110614 fixed] | csectype-priv-escalation, regression, sec-high |
1124898 | Core | DOM: Core & HTML | RESO |
Privileged Window |
fixed | fixed | wontfix | [adv-main37+] Embargo until fixed on ESR31? | sec-high, sec-moderate |
1125483 | Core | XPConnect | RESO | Arbitrary code execution using bug 1120261 and bug 1110614 | --- | --- | fixed | [b2g-adv-main2.2-] | sec-high, verifyme |
1164567 | Core | Security: CAPS | RESO |
Various consumers in the tree use ns |
--- | fixed | fixed | [adv-main39+][adv-esr31.8+][adv-esr38.1+] | csectype-race, sec-high |
1182723 | Core | XPCOM | RESO |
Self-assignment in ns |
--- | fixed | fixed | [post-critsmash-triage][adv-main40+][adv-esr38.2+] | csectype-uaf, sec-high |
1087801 | Core | DOM: Core & HTML | RESO | Some properties of the CSS object are not safe in a sandbox | --- | fixed | fixed | [adv-main34-] | regression, sec-moderate |
1127206 | Core | DOM: Core & HTML | RESO | Crash when using certain File() constructors on workers | fixed | fixed | unaffected | [adv-main36+] | csectype-race, sec-high |
1167489 | Core | DOM: Core & HTML | RESO |
"Spy in the Sandbox" - Security issue related to High Res |
--- | affected | wontfix | [post-critsmash-triage][adv-main41+] | csectype-disclosure, privacy, sec-moderate |
1168207 | Core | DOM: Core & HTML | RESO |
Memory safety problem in Array |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+] | csectype-intoverflow, regression, sec-high |
1186489 | Core | DOM: Workers | RESO |
Clamp the resolution of performance |
--- | affected | --- | [post-critsmash-triage][adv-main41-] | csectype-disclosure, privacy, sec-moderate |
1092363 | Core | CSS Parsing and Comp | RESO |
Heap-buffer-overflow in ns |
fixed | fixed | unaffected | [asan][adv-main36+][b2g-adv-main2.2-] | crash, csectype-bounds, regression, sec-high, testcase |
1127198 | Core | CSS Parsing and Comp | RESO |
Clear |
fixed | fixed | unaffected | csectype-bounds, sec-high | |
1146101 | Core | CSS Parsing and Comp | RESO |
"Assertion failure: false (destroying Text style struct s |
wontfix | fixed | unaffected | [adv-main38+] | assertion, sec-high, testcase |
1080987 | Core | DOM: Core & HTML | RESO |
navigator |
fixed | fixed | fixed | [reporter-external][adv-main35+][adv-esr31.4+][b2g-adv-main2.2+] | sec-moderate |
1111834 | Core | DOM: Security | RESO | CORS request after preflight should not follow 30x redirect | fixed | fixed | fixed | [adv-main37+][adv-esr31.6+] | sec-high |
1178058 | Core | XPConnect | RESO |
It's possible to read local files or perform privilege es |
--- | fixed | wontfix | [b2g-adv-main2.5+][adv-main39+][adv-esr38.1+] | sec-high |
1030667 | Core | DOM: Core & HTML | RESO |
Address |
--- | fixed | wontfix | [reporter-external][adv-main36+][b2g-adv-main2.2-] | reproducible, sec-high |
1167782 | Core | Layout | RESO |
crash in ns |
--- | fixed | wontfix | [adv-main39-][adv-esr38.1-] | assertion, crash, csectype-nullptr, regression, sec-other |
1147497 | Core | Security: PSM | RESO | key pinning checks for overridable errors do not work as ... | wontfix | fixed | unaffected | [adv-main39+][adv-esr38.1+] | sec-moderate |
1026774 | Core | WebRTC: Networking | RESO |
malloc of undefined size in stun |
--- | fixed | fixed | [adv-main35+][b2g-adv-main2.2+] | csectype-uninitialized, sec-moderate |
1072044 | Core | WebRTC: Networking | RESO | Several signals from PCMedia to PCImpl are unsafe | --- | fixed | fixed | [adv-main33+][adv-esr31.2+] | sec-high |
1082142 | Core | WebRTC: Signaling | RESO |
Potentially unterminated string buffers in |CC |
--- | fixed | unaffected | [CID 1244245][CID 1244246][CID 1244247] | coverity, sec-moderate |
1099414 | Core | WebRTC: Networking | RESO |
memory management issues in n |
disabled | fixed | fixed | [b2g-adv-main2.2?] | csectype-uaf, sec-high |
1123882 | Core | Audio/Video | RESO |
Media |
fixed | fixed | fixed | [adv-main36+][adv-esr31.5+] | sec-high |
1151139 | Core | WebRTC: Signaling | RESO |
Racy call to Peer |
wontfix | fixed | fixed | [adv-main38+][adv-esr31.7+] | sec-high |
1098583 | Core | WebRTC: Networking | RESO | Empty datachannel label results in heap overflow | --- | fixed | fixed | [adv-main35+][b2g-adv-main2.2+] | sec-moderate |
1135511 | Core | Graphics: Layers | RESO |
Memset crash in mozilla::layers::Buffer |
fixed | fixed | --- | [adv-main37+][fixed by bug 1135883][post-critsmash-triage] | sec-critical |
1092370 | Core | Audio/Video | RESO |
Stack-buffer-underflow in mozilla::MP3Frame |
fixed | fixed | fixed | [adv-main36+][b2g-adv-main2.2+] | crash, csectype-bounds, sec-moderate, testcase |
1113005 | Core | XPCOM | RESO |
Heap-buffer-overflow in ns |
fixed | fixed | unaffected | csectype-bounds, regression, sec-critical | |
1200856 | Core | DOM: Core & HTML | RESO | CORS preflight cache poisoning with the credentials flag | --- | fixed | wontfix | [post-critsmash-triage][adv-main41+][adv-esr38.3+] | csectype-sop, sec-high |
1200869 | Core | DOM: Core & HTML | RESO |
CORS preflight cache poisoning with a CORS header being m |
--- | fixed | wontfix | [post-critsmash-triage][adv-main41+][adv-esr38.3+] | csectype-sop, sec-high |
1140537 | Core | XML | RESO | Buffer overflow xml parser | wontfix | fixed | fixed | [adv-main38+][adv-esr31.7+] | csectype-bounds, sec-critical |
1111243 | Core | JavaScript Engine | RESO | Crash with structured-cloning and proxy wrapped Map/Sets | verified | fixed | fixed | [adv-main36+][adv-esr31.5+] | sec-high |
1111248 | Core | JavaScript Engine | RESO |
Crash in Boolean |
fixed | fixed | fixed | [adv-main36+][adv-esr31.5+] | sec-critical |
1066362 | Core | Security | RESO | Privileged apps on desktop don't apply a default CSP | --- | fixed | fixed | [adv-main34-] | sec-moderate |
1036515 | Core | XPCOM | RESO |
Refcounting on ns |
fixed | fixed | fixed | [adv-main37+][adv-esr31.6+][b2g-adv-main2.2+] | csectype-race, sec-high |
1094930 | Core | DOM: Core & HTML | RESO |
compartment mismatch in ns |
--- | fixed | --- | sec-high | |
1132358 | Core | Networking: DNS | RESO |
possible use after free in ns |
fixed | fixed | fixed | [adv-main36+][adv-esr31.6+] | csectype-uaf, sec-high |
1101576 | Core | JavaScript Engine: J | RESO |
Assertion failure: Integer input should be equal or highe |
--- | fixed | unaffected | [jsbugmon:] | assertion, regression, sec-high, testcase |
1192226 | Core | Audio/Video | RESO |
vp9 |
--- | affected | wontfix | [adv-main41+][adv-esr38.3+] | sec-moderate |
1064670 | NSS | Libraries | RESO |
ASN |
fixed | fixed | affected | [adv-main36-] sec-low/moderate after fix in bug 1064636, we don't know of any other exploitable paths | sec-critical |
1061214 | Core | JavaScript: GC | RESO |
Mark |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] | sec-high |
1073577 | Core | JavaScript: GC | RESO |
Objects can be put into the wrong entry in the new object |
--- | fixed | disabled | [adv-main34+] | sec-high |
1110931 | Core | JavaScript: GC | RESO |
Intermittent crash at !In |
fixed | fixed | unaffected | sec-moderate | |
1116306 | Core | JavaScript: GC | RESO |
Assertion failure: [barrier verifier] Unmarked edge: allo |
fixed | fixed | unaffected | [adv-main37+] | assertion, regression, sec-moderate, testcase |
1127246 | Core | JavaScript: GC | RESO |
base |
fixed | fixed | unaffected | [adv-main36+] | sec-high |
1149526 | Core | JavaScript: GC | RESO |
Check Heap |
wontfix | fixed | fixed | [adv-main38+][b2g-adv-main2.2+] | sec-high |
1208665 | Core | JavaScript Engine | RESO |
Temp |
--- | affected | unaffected | [post-critsmash-triage][adv-main42+][adv-esr38.4+] | csectype-intoverflow, sec-high |
1086842 | Core | JavaScript Engine: J | RESO |
Assertion failure: [infer failure] Missing type in object |
--- | fixed | fixed | [jsbugmon:update][adv-main34+][b2g-adv-main2.2-] | assertion, regression, sec-critical, testcase |
1115776 | Core | JavaScript Engine | RESO |
Crashes in Enter |
fixed | fixed | fixed | [adv-main36+][adv-esr31.5+] | crash, sec-critical, topcrash |
1128196 | Core | JavaScript Engine: J | RESO |
Skipping argument type checks is unsafe when the callee i |
fixed | fixed | fixed | [adv-main36+][adv-esr31.5+] | sec-critical |
1160884 | Core | JavaScript Engine: J | RESO |
Crash [@ js::str |
--- | fixed | fixed | [adv-main39+][adv-esr31.8+][adv-esr38.1+] | assertion, crash, sec-critical |
1111065 | Core | IPC | RESO | Inadequate robustness of Chromium IPC Pickle code | fixed | fixed | fixed | [adv-main37-][post-critsmash-triage] | csectype-bounds, csectype-uninitialized, sec-high |
1111079 | Core | IPC | RESO | Chromium IPC channel bug: use-after-free in IPC::Channel:... | fixed | fixed | fixed | [adv-main37-][post-critsmash-triage] | csectype-uaf, sec-high |
1146416 | Core | IPC | RESO |
NS |
wontfix | fixed | wontfix | [adv-main39+] | csectype-race, sec-moderate |
1070990 | Core | DOM: Core & HTML | RESO |
B2G crash in JSAuto |
--- | fixed | unaffected | [b2g-crash] | crash, csectype-uaf, regression, sec-critical |
1161063 | Core | Storage: IndexedDB | RESO |
Getting a stored Mutable |
--- | fixed | unaffected | [post-critsmash-triage][adv-main41+][adv-esr38.3+] | csectype-race, sec-high |
1097253 | Core | JavaScript Engine | RESO |
SIGBUS due to unaligned Typed |
--- | fixed | unaffected | regression, sec-high | |
1127012 | Core | JavaScript Engine | RESO |
Assertion failure: pn |
fixed | fixed | fixed | [adv-main37+] | regression, sec-critical |
1128939 | Core | Audio/Video | RESO | MP4 crash access violation | fixed | fixed | fixed | [adv-main36+] | sec-critical |
1144107 | Core | Audio/Video | RESO |
crash in [@ stagefright::Sample |
--- | fixed | unaffected | [adv-main40+][adv-esr38.2+] | crash, crashreportid, regression, reproducible, sec-high, testcase |
1149605 | Core | Audio/Video | RESO |
Security Vulnerability in Stage |
wontfix | fixed | fixed | [Android and B2G] Embargo until July 8, 2015 (needs a fix in Firefox 39) [adv-main38-] | sec-critical |
1154683 | Core | Audio/Video | RESO |
Integer overflow in libstagefright (data tag in mp4) migh |
wontfix | fixed | fixed | [adv-main38+][see bug 1158568 and don't open until July 8] | csectype-bounds, sec-high |
1158568 | Core | Audio/Video | RESO |
Integer overflow in libstagefright might lead to heap ove |
wontfix | fixed | fixed | [b2g-adv-main-2.5+][adv-main38+] fixes CVE-2015-3864 | csectype-bounds, sec-high |
1163359 | Core | Web Audio | RESO |
Crash [@ moz |
--- | fixed | disabled | [adv-main39+][adv-esr38.1+] | assertion, crash, reproducible, sec-high |
1181651 | Core | Audio/Video | RESO |
crash in Cmp |
--- | affected | unaffected | [post-critsmash-triage][adv-main41+][adv-esr38.3+] | crash, sec-high |
1184871 | Core | Audio/Video: Playbac | RESO |
Stagefright: heap-use-after-free crash [@stagefright::ESD |
--- | fixed | wontfix | [b2g-adv-main2.5+][fixed by 1186718] | crash, csectype-uaf, sec-critical, testcase |
1185115 | Core | Audio/Video | RESO |
MPEG4 saio Chunk Integer Overflow (libstagefright) (ZDI-C |
--- | fixed | wontfix | [adv-main40+][adv-esr38.2+] | csectype-intoverflow, sec-critical |
1064636 | NSS | Libraries | RESO |
RSA PKCS#1 signature verification forgery is possible due |
--- | fixed | fixed | [status-firefox-esr24:fixed][status-b2g-v1.3:fixed][status-b2g-v1.3t:fixed][adv-main32+][adv-esr31.1+] | sec-critical |
1146026 | NSS | CA Certificates Code | RESO | Distrust MSCHOLDING intermediate certificate | --- | fixed | fixed | [b2g-adv-main2.2-] | sec-high |
1107009 | Core | Graphics: Layers | RESO |
Intermittent test |
fixed | fixed | fixed | [e10s only?][adv-main36+][adv-esr31.5+][b2g-adv-main2.2+] | crash, csectype-uaf, intermittent-failure, sec-critical |
1111737 | Core | DOM: Core & HTML | RESO |
crash ns |
fixed | fixed | fixed | [adv-main35+][adv-esr31.4+] | sec-moderate |
1145870 | Core | DOM: Navigation | RESO |
Pwn2Own bug still exploitable in 36 |
fixed | fixed | fixed | [b2g-adv-main2.2-] | sec-critical |
1152026 | Core | Storage: IndexedDB | RESO |
Indexed |
--- | fixed | unaffected | [fixed in 43 by bug 1179909][post-critsmash-triage][adv-main41+][adv-esr38.3+] | crash, sec-moderate |
1085175 | Core | Audio/Video | RESO |
Stack-buffer-overflow Write in mozilla::File |
--- | fixed | fixed | [adv-main34+][adv-esr31.3+] | csectype-bounds, sec-critical |
1171540 | Core | JavaScript Engine: J | RESO |
crash in void js::jit::Assembler |
--- | fixed | unaffected | [post-critsmash-triage][adv-main40+][adv-esr38.2+] | crash, sec-moderate |
1201793 | Core | JavaScript Engine | RESO |
"Assertion failure: !has(reg), at ../../../gecko/js/src/j |
--- | fixed | wontfix | [post-critsmash-triage][adv-main41+][adv-esr38.3+] | sec-high |
1204061 | Core | SVG | RESO |
Missing status checks in Add |
--- | fixed | wontfix | [b2g-adv-main-2.5+][post-critsmash-triage[adv-main42+][adv-esr38.4+] | sec-critical |
1054538 | Core | JavaScript Engine: J | RESO |
Crash [@ interp |
--- | fixed | wontfix | [adv-main35+][b2g-adv-main2.2+] | sec-high |
1152280 | Core | JavaScript Engine | RESO |
Incorrect asm |
wontfix | fixed | unaffected | [adv-main38+] | sec-critical |
1077687 | Core | CSS Parsing and Comp | RESO |
Style struct may refer to removed Counter |
--- | fixed | fixed | [adv-main34+] bug 1077718 protects with frame poisoning, backported to Fx34 | csectype-uaf, regression, sec-high |
1105938 | Core | CSS Parsing and Comp | RESO |
Global-buffer-overflow in CSSParser |
fixed | fixed | wontfix | [asan][adv-main37-][b2g-adv-main2.2-] | crash, csectype-dos, regression, sec-other, testcase |
1110557 | Toolkit | Autocomplete | RESO | Arbitrary File Read Vulnerability via Form Autocomplete | fixed | fixed | fixed | [adv-main36+][adv-esr31.5+] | csectype-disclosure, sec-high, testcase |
1143299 | Core | Layout | RESO |
Heap-use-after-free in Unhook |
wontfix | fixed | fixed | [asan][adv-main38+][adv-esr31.7+] | crash, csectype-uaf, sec-critical, testcase |
1153478 | Core | Layout: Text and Fon | RESO |
heap-use-after-free in Set |
wontfix | fixed | fixed | [asan][adv-main38+][adv-esr31.7+] | crash, csectype-uaf, sec-critical, testcase |
1189814 | Core | DOM: Copy & Paste an | RESO |
Dragging and dropping image to <textbox> pastes final URL |
--- | affected | unaffected | [adv-main41+][adv-esr38.3+] can be used in critical attacks against certain sites. | regression, sec-moderate |
1095859 | Core | Networking | RESO | Cookie injection by Proxy with 407 response | --- | fixed | fixed | [adv-main35+][adv-esr31.4+][b2g-adv-main2.2-] | sec-moderate |
1148328 | Core | Networking: HTTP | RESO | Server certificate verification bypass with Alt-Svc | verified | fixed | unaffected | csectype-sop, sec-critical | |
1196237 | Core | Networking | RESO |
ns |
--- | affected | wontfix | [post-critsmash-triage][adv-main42+] | csectype-race, csectype-uaf, sec-high |
1213979 | Core | Networking: HTTP | RESO |
Heap-use-after-free [@ mozilla::net::Http2Stream::Adjust |
--- | fixed | wontfix | [post-critsmash-triage][adv-main42+][adv-esr38.4+] | crash, csectype-uaf, dogfood, regression, sec-critical |
1186160 | Core | Networking: WebSocke | RESO |
Web |
--- | fixed | wontfix | [post-critsmash-triage][adv-main42+][adv-esr38.7+] | csectype-race, regression, sec-high |
1072871 | Core | Graphics | RESO |
IPC: heap-use-after-free crash [@mozilla::gfx::Draw |
fixed | fixed | fixed | [adv-main35+][b2g-adv-main2.2+] | crash, csectype-uaf, sec-high, testcase |
1099437 | Core | Graphics: Layers | RESO |
Negative-size-param memset in mozilla::layers::Buffer |
fixed | fixed | wontfix | [adv-main37+][b2g-adv-main2.2+] | sec-moderate |
1110488 | Core | Graphics: CanvasWebG | RESO | webgl shader compilation log strcpy not allocated memory | fixed | fixed | fixed | [adv-main36+][b2g-adv-main2.2+] | sec-moderate |
1147188 | Core | Storage: IndexedDB | RESO |
Security checks in Indexed |
wontfix | fixed | --- | [adv-main39-] | sec-high |
1074280 | Core | Graphics: Layers | RESO |
Bad casting: From Basic |
--- | fixed | fixed | [adv-main34+][adv-esr31.3+] | sec-high |
1076983 | Core | Security: PSM | RESO |
Padding oracle attack on SSL 3 |
--- | fixed | fixed | [adv-main34-][adv-esr31.3-] | relnote, sec-high |
1138554 | NSS | Libraries | RESO |
NSS accepts export-length DHE keys with regular DHE ciphe |
--- | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+] Embargo until multi-vendor coordinated info release (May 19) | dev-doc-needed, sec-moderate, site-compat |
1072877 | Core | Graphics: Layers | RESO |
IPC: heap-buffer-overflow crash [@mozilla::layers::Tile |
--- | fixed | fixed | [fuzzblocker] | crash, csectype-bounds, sec-critical, testcase |
1151650 | Core | Graphics | RESO |
Gfx |
--- | fixed | fixed | [fixed by bug 1151713][adv-main39+][adv-esr38.1+] | sec-moderate |
1137624 | Core | JavaScript Engine: J | RESO |
MArray |
fixed | fixed | fixed | [adv-main37+] | regression, sec-critical, testcase |
1204700 | Core | JavaScript Engine: J | RESO |
Assertion failure: !has(reg), at jit/Register |
--- | fixed | wontfix | [jsbugmon:update][post-critsmash-triage][adv-main42+][adv-esr38.4+] | assertion, regression, sec-high, testcase |
1154672 | Core | Audio/Video | RESO | Heap buffer overflow in libstagefright (tx3g tag in mp4) | --- | fixed | fixed | [adv-main38+] fixed in bug 1154683 (separate testcase) | csectype-bounds, sec-high |
1211585 | Core | Security: PSM | RESO |
[meta] upgrade firefox 38 ESR to to nspr 4 |
--- | fixed | --- | [post-critsmash-triage][adv-esr38.4-] | meta, sec-other |
1108455 | Core | WebRTC | RESO |
Execution of arbitrary addresses in relation to Web |
fixed | fixed | fixed | [adv-main35+][adv-esr31.4+][b2g-adv-main2.2+] | sec-critical, valgrind |
1122218 | Core | Web Audio | RESO |
Out-of-Bounds Read in Audio |
wontfix | fixed | fixed | [adv-main39+][adv-esr38.1+] | csectype-bounds, sec-moderate |
988698 | Core | Audio/Video | RESO |
heap-use-after-free in ns |
wontfix | fixed | wontfix | [adv-main38+][b2g-adv-main2.2+] | crash, csectype-uaf, sec-moderate |
1080312 | Core | WebRTC: Networking | RESO |
Crash in Data |
--- | fixed | fixed | [webrtc-uplift][adv-main34+][adv-esr31.3+] | crash, csectype-uaf, sec-critical |
1122387 | Core | WebRTC: Audio/Video | RESO |
Media |
fixed | fixed | fixed | [adv-main36+] | regression, sec-high |
1178890 | Core | XPCOM | RESO |
Timer |
--- | fixed | fixed | [adv-main40+][adv-esr38.2+] | sec-high |
1064320 | Core | Security | RESO |
NSC |
--- | fixed | fixed | csectype-uninitialized, sec-high | |
1166031 | Core | Security: PSM | RESO |
Update to NSS 3 |
--- | fixed | fixed | [adv-main39-][adv-esr38.1-][adv-esr31.8-] fixes sec-high security bugs [b2g-adv-main2.2-]] | sec-other |
1119579 | Core | JavaScript Engine | RESO |
Assertion failure: !comp |
fixed | fixed | fixed | [adv-main36+][adv-esr31.5+] | assertion, regression, sec-high, testcase |
1136397 | Core | JavaScript Engine: J | RESO | [jsdbg2] Crash after resuming from breakpoint | fixed | fixed | unaffected | [adv-main37+][post-critsmash-triage] | sec-moderate |
1153688 | Core | XPConnect | RESO | Type confusion between object and symbol in XPCVariant | wontfix | fixed | unaffected | [adv-main38+] | assertion, sec-critical, testcase |
1183901 | Core | DOM: Core & HTML | RESO |
Distributed |
--- | fixed | wontfix | [adv-main42-] | sec-high |
1184065 | Core | DOM: Core & HTML | RESO |
Destination |
--- | fixed | wontfix | [post-critsmash-triage] | sec-high |
1056410 | Core | JavaScript: GC | RESO | More missing callgraph edges involving destructors | wontfix | fixed | fixed | [b2g-adv-main2.2+][adv-main39+][adv-esr38.1+] | sec-high |
1120655 | Core | JavaScript: GC | RESO | Make the analysis detect compartment iterator invalidation | wontfix | fixed | fixed | [asan][adv-main38+][adv-esr31.7+][post-critsmash-triage] | csectype-bounds, sec-high |
1133909 | Core | JavaScript: GC | RESO | Fix hazards revealed by adding in missing GCPointers | fixed | fixed | fixed | [adv-main37+] | sec-high |
1137326 | Core | JavaScript: GC | RESO | Avoid compartment iterator invalidation | fixed | fixed | fixed | [adv-main37+][adv-esr31.6+] | csectype-bounds, sec-high |
1137336 | Core | JavaScript: GC | RESO | fix weak map tracing hazard due to function pointer | fixed | fixed | --- | [adv-main37-][post-critsmash-triage] | sec-other |
1146724 | Toolkit | General | RESO | Untrusted page can see webchannel responses | wontfix | fixed | fixed | [adv-main38+] | dev-doc-needed, sec-high |
1125734 | Core | JavaScript Engine: J | RESO |
Twitter edit profile page consistently crashes with the L |
fixed | fixed | fixed | [adv-main36+] | crash, qawanted, regression, sec-high |
1163583 | Core | Layout | RESO |
Heap-buffer-overflow in ns |
--- | fixed | unaffected | [systemsfe] | csectype-bounds, regression, sec-critical, testcase |
1152177 | Core | JavaScript Engine | RESO |
"Assertion failure: js::Current |
wontfix | fixed | fixed | [adv-main38+][adv-esr31.7+] | assertion, sec-high, testcase |
1159321 | Core | JavaScript: GC | RESO | Well-known symbols in jsid's should not fire pre-barriers | wontfix | fixed | unaffected | [adv-main39+][adv-esr38.1+] | sec-high |
1011354 | Core | Networking | RESO |
crash in mozilla::net::ns |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2+] | crash, csectype-uaf, sec-high |
1012609 | Core | Web Audio | VERI |
Out-of-Bounds Read in mozilla::dom::Oscillator |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2+] | crash, regression, sec-high, testcase |
1082734 | Core | DOM: Core & HTML | VERI |
Saving window |
--- | fixed | fixed | csectype-disclosure, regression, sec-high | |
1089328 | Core | DOM: Workers | VERI |
Use-After-Free in Worker |
--- | fixed | unaffected | [reporter-external] | csectype-uaf, regression, sec-critical |
1160890 | Core | DOM: Workers | VERI |
Cross-origin information disclosure with error message of |
--- | affected | wontfix | [b2g-adv-main2.5?][adv-main43+] | csectype-disclosure, csectype-sop, sec-high |
1192350 | Core | DOM: Workers | VERI |
null crash in XMLHttp |
--- | fixed | unaffected | [adv-main41-][adv-esr38.3-] | csectype-nullptr, sec-other |
1130541 | Core | Storage: IndexedDB | VERI |
Heap use-after-free in mozilla::dom::Indexed |
verified | fixed | fixed | [adv-main36+][adv-esr31.5+] | csectype-uaf, sec-critical |
1142210 | Core | Storage: IndexedDB | VERI |
Type Confusion mozilla::dom::indexed |
wontfix | fixed | fixed | [adv-main39+][adv-esr38.1+][adv-esr31.8+] | qawanted, regression, sec-high |
1060276 | Core | JavaScript Engine | VERI |
Assertion failure: has |
--- | fixed | fixed | [fuzzblocker] [jsbugmon:][b2g-adv-main2.2-] | assertion, crash, regression, sec-critical, testcase |
1089665 | Core | JavaScript Engine | VERI |
Assertion failure: (*dictp)->in |
--- | fixed | unaffected | [reporter-external] | regression, sec-high |
1096016 | Core | JavaScript Engine | VERI |
Crash [@ compartment] or Crash [@ Object |
--- | fixed | unaffected | [jsbugmon:update] | crash, regression, sec-high, testcase |
1096023 | Core | JavaScript Engine | VERI |
Assertion failure: offset < length(), at jsscript |
--- | fixed | unaffected | [jsbugmon:update] | assertion, regression, sec-critical, testcase |
1102608 | Core | JavaScript Engine | VERI |
Crash [@ Object |
verified | fixed | unaffected | [jsbugmon:update][b2g-adv-main2.2-] | sec-critical |
1209471 | Core | JavaScript Engine | VERI |
Assertion failure: MIR instruction returned object with u |
--- | fixed | wontfix | [jsbugmon:update,ignore][adv-main42+][adv-esr38.4+] | assertion, regression, sec-high, testcase |
1072174 | Core | XPConnect | VERI |
Xray |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+] | sec-high |
1228950 | Core | DOM: Core & HTML | VERI |
cross-origin restriction bypass & arbitrary local file re |
--- | affected | wontfix | [adv-main43+][adv-esr38.5+] | sec-critical |
1107011 | Core | JavaScript Engine: J | VERI |
Crash in js::jit::Live |
--- | fixed | unaffected | [adv-main42+][adv-esr38.4+] | crash, sec-high |
1234280 | Core | JavaScript Engine | VERI |
Assertion failure: a |
--- | affected | wontfix | [jsbugmon:update][adv-main44+][adv-esr38.6+] | assertion, regression, sec-high, testcase |
1144991 | Core | DOM: Core & HTML | VERI |
Privilege escalation from resource:// document (e |
verified | fixed | fixed | [adv-main37+][adv-esr31.6+] | csectype-priv-escalation, sec-moderate |
1041512 | Core | CSS Parsing and Comp | VERI |
Heap-buffer-overflow in ns |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] | crash, csectype-bounds, regression, sec-high, testcase |
1149542 | Core | SVG | VERI |
Heap-buffer-overflow in SVGText |
wontfix | fixed | fixed | [adv-main38+][adv-esr31.7+] | csectype-bounds, sec-critical |
1069762 | Core | DOM: Security | VERI |
CSP violation report contains sensitive data of other ori |
--- | fixed | fixed | [reporter-external][adv-main34+] | regression, sec-high |
1230668 | Core | CSS Parsing and Comp | VERI |
Heap-use-after-free [@ ns |
--- | affected | wontfix | [adv-main44+][adv-esr38.6+] | assertion, crash, csectype-uaf, sec-critical, testcase |
1066089 | Core | CSS Parsing and Comp | VERI |
Heap-use-after-free in mozilla::Custom |
--- | fixed | unaffected | crash, csectype-uaf, regression, sec-critical, testcase | |
1065909 | Core | Security: PSM | VERI | HPKP and HSTS can be bypassed with extra dot in hostname | verified | fixed | fixed | [reporter-external][adv-main36+][b2g-adv-main2.2+] | sec-moderate |
1224100 | Core | Graphics: ImageLib | VERI | "Conditional jump or move depends on uninitialised value(... | --- | affected | wontfix | [asan][post-critsmash-triage][adv-main43+][adv-esr38.5+] | crash, csectype-bounds, sec-high |
1072760 | Core | JavaScript Engine | VERI |
Failed JS |
fixed | fixed | fixed | [adv-main36+][b2g-adv-main2.2+] | assertion, sec-high, testcase |
1096319 | Firefox | Security | VERI |
browser |
verified | --- | --- | [adv-main35-][adv-esr31.4-][embargo][b2g-adv-main2.2-][b2g-unaffected] | sec-high |
1063327 | Core | Audio/Video | VERI |
OOB write in get |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] | csectype-bounds, regression, sec-critical |
1117406 | Core | Graphics: ImageLib | VERI |
PNG: heap-overflow crash [@qcms |
verified | fixed | fixed | [adv-main36+][adv-esr31.5+] | crash, csectype-bounds, sec-critical, testcase |
1088635 | Core | DOM: HTML Parser | VERI |
1410H - Firefox 32,33 xul |
--- | fixed | fixed | [adv-main34+][adv-esr31.3+] | csectype-uaf, regression, sec-critical |
1075546 | Core | JavaScript: GC | VERI |
Assertion failure: entry |
--- | fixed | disabled | [jsbugmon:][adv-main34+] | assertion, regression, sec-high, testcase |
1108007 | Core | JavaScript: GC | VERI |
Assertion failure: (ptr |
fixed | fixed | wontfix | [jsbugmon:update][b2g-adv-main2.2-] | assertion, regression, sec-other, testcase |
1108836 | Core | JavaScript: GC | VERI |
Crash [@ js::gc::GCRuntime::sweep |
verified | fixed | unaffected | [jsbugmon:update,bisect,ignore][fuzzblocker][b2g-adv-main2.2-] | crash, regression, sec-high, testcase |
1124563 | Core | JavaScript Engine | VERI |
Assertion failure: obj->last |
fixed | fixed | unaffected | [jsbugmon:update][adv-main36-] | assertion, csectype-uaf, regression, sec-high, testcase |
1057598 | Core | JavaScript Engine: J | VERI |
Crash [@ js::jit::Jit |
--- | fixed | fixed | [jsbugmon:][b2g-adv-main2.2-] | crash, sec-moderate, testcase |
1060398 | Core | JavaScript Engine: J | VERI |
Assertion failure: obj->as<Array |
--- | fixed | fixed | [jsbugmon:update][b2g-adv-main2.2-] | assertion, sec-moderate, testcase |
1085464 | Core | JavaScript Engine: J | VERI |
Crash [@ js::Generator |
--- | fixed | unaffected | [jsbugmon:update] | assertion, crash, regression, sec-critical, testcase |
1109889 | Core | JavaScript Engine | VERI | Crash [@ ??] with gczeal and recursion | verified | fixed | fixed | [jsbugmon:update][adv-main35+][adv-esr31.4+][b2g-adv-main2.2+] | crash, regression, sec-critical, testcase |
1143679 | Core | JavaScript Engine | VERI |
Crash [@ js::Unwind |
wontfix | fixed | fixed | [jsbugmon:ignore][adv-main39+][adv-esr31.8+][adv-esr38.1+] | assertion, crash, csectype-uaf, regression, sec-critical, testcase |
1182711 | Core | JavaScript Engine | VERI |
Crash [@ js::Scope |
--- | fixed | wontfix | [jsbugmon:update][post-critsmash-triage][adv-main40+][adv-esr38.2+] | assertion, crash, regression, sec-high, testcase |
1183153 | Core | JavaScript Engine | VERI |
Assertion failure: MIR instruction returned object with u |
--- | fixed | wontfix | [jsbugmon:update][post-critsmash-triage][adv-main41+][adv-esr38.3+] | assertion, regression, sec-high, testcase |
1205707 | Core | JavaScript Engine | VERI |
Assertion failure: this->is<T>(), at js/src/jsobj |
--- | affected | unaffected | [jsbugmon:update][adv-main42+][adv-esr38.4+] | assertion, regression, sec-high, testcase |
1221385 | Core | JavaScript Engine | VERI |
Crash [@ js::jit::Executable |
--- | affected | wontfix | [jsbugmon:update][adv-main44+][adv-esr38.6+] | assertion, crash, regression, sec-high, testcase |
1233152 | Core | JavaScript Engine | VERI |
Crash [@ js::Compartment |
--- | affected | wontfix | [jsbugmon:update][adv-main44+][adv-esr38.6+] | crash, regression, sec-high, testcase |
1062981 | Core | WebRTC | VERI |
Navigating away from a page with camera sharing in an ifr |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] | privacy, sec-moderate |
1042567 | Core | JavaScript Engine | VERI |
Crash [@ js::Fetch |
--- | fixed | fixed | [jsbugmon:origRev=dc352a7bf234,testComment=9,update][adv-main34+][adv-esr31.3+][b2g-adv-main2.2-] | assertion, crash, regression, sec-critical, testcase |
1061665 | Core | JavaScript Engine | VERI |
Assertion failure: [barrier verifier] Unmarked edge: <unk |
--- | fixed | disabled | [jsbugmon:update,ignore][fixed by bug 1053676][b2g-adv-main2.2-][adv-main41-] | assertion, regression, sec-high, testcase |
1186718 | Core | Audio/Video: Playbac | VERI |
Stagefright: heap-buffer-overflow crash [@stagefright::ES |
--- | fixed | wontfix | [adv-main40+][adv-esr38.2+][post-critsmash-triage] | crash, csectype-bounds, sec-high |
1100409 | Core | Web Audio | VERI |
Crash in mozilla::dom::Audio |
--- | fixed | fixed | [adv-main35+][b2g-adv-main2.2+] | crash, csectype-bounds, reproducible, sec-moderate, testcase |
1175396 | Core | Audio/Video | VERI |
out of bounds read at mozilla::Audio |
--- | fixed | fixed | [adv-main40+][adv-esr38.2+] | csectype-bounds, csectype-uaf, sec-high |
1200148 | Core | Audio/Video: Playbac | VERI |
Heap-buffer-overflow due to overflow in nestegg |
--- | affected | wontfix | [adv-main41+][adv-esr38.3+] | crash, csectype-bounds, sec-high, testcase |
1064835 | Core | JavaScript Engine | VERI |
Assertion failure: stack |
--- | fixed | fixed | [adv-main34+] | assertion, crash, sec-moderate, testcase |
1076918 | Core | CSS Parsing and Comp | VERI |
Heap-buffer-overflow in ns |
--- | fixed | unaffected | crash, csectype-bounds, regression, sec-high, testcase | |
1117304 | Core | Graphics | VERI |
Heap-buffer-overflow write in mozilla::gfx::Copy |
verified | fixed | fixed | [adv-main36+][adv-esr31.5+] | csectype-bounds, regression, sec-high |
1164766 | Core | Graphics: Canvas2D | VERI |
use-after-free (& crash) after style flush in Canvas |
--- | fixed | wontfix | [QA: when verifying fix, please test all testcases on duplicate bug 1175278] ZDI will disclose October 2015 (Firefox 41)[b2g-adv-main2.5+] | crash, csectype-uaf, regression, reproducible, sec-critical, testcase |
1063733 | Core | Graphics: ImageLib | VERI |
Apparent use of uninitialized memory when rendering trunc |
--- | fixed | fixed | [adv-main33+] | sec-high |
1063653 | Core | JavaScript Engine: J | VERI |
Crash [@ js::jit::LRecover |
--- | fixed | fixed | [fuzzblocker][jsbugmon:update] | crash, regression, sec-high, testcase |
1106171 | Core | JavaScript Engine | VERI |
Assertion failure: live->empty(), at js/src/jit/Live |
verified | fixed | unaffected | [jsbugmon:update][b2g-adv-main2.2-] | assertion, crash, regression, sec-high, testcase |
1113940 | Core | JavaScript Engine: J | VERI |
Crash [@ js::Heap |
verified | fixed | unaffected | [jsbugmon:update] | assertion, crash, regression, sec-moderate, testcase |
1114569 | Core | JavaScript Engine | VERI |
Assertion failure: ion |
verified | fixed | unaffected | [jsbugmon:update][adv-main36+] | assertion, regression, sec-critical, testcase |
1138391 | Core | JavaScript Engine | VERI |
Crash [@ js::jit::Jit |
fixed | fixed | unaffected | [jsbugmon:][adv-main37+] | crash, regression, sec-critical, testcase |
1172076 | Core | JavaScript Engine | VERI |
Crash [@ js::jit::RValue |
--- | fixed | unaffected | [jsbugmon:update,ignore][adv-main39+][adv-esr38.1+] | crash, csectype-bounds, regression, sec-critical, testcase |
1179484 | Core | Audio/Video | VERI |
libcubeb Media |
--- | affected | unaffected | [adv-main40+][adv-esr38.7+] | csectype-uaf, sec-critical |
1062876 | Core | WebRTC | VERI |
The "stop sharing" option in the video sharing control in |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+][b2g-adv-main2.2-] | privacy, sec-moderate |
1073350 | Core | WebRTC | VERI |
Web |
--- | fixed | fixed | crash, csectype-bounds, sec-high, testcase | |
1077274 | Core | WebRTC: Audio/Video | VERI | Dead object dereference if <video> GC'd before page closes | --- | fixed | fixed | csectype-uaf, regression, sec-critical | |
1079729 | Core | WebRTC: Networking | VERI |
Peer |
--- | fixed | fixed | [adv-main34+][adv-esr31.3+] | crash, csectype-bounds, sec-critical |
1143194 | Core | JavaScript Engine | VERI | for-of loops should emit trynotes | wontfix | fixed | unaffected | [adv-main38+] | assertion, crash, regression, sec-moderate, testcase |
1155474 | Core | JavaScript Engine | VERI | Crash [@ js::Shape::search] with heap-buffer-overflow | wontfix | fixed | unaffected | [jsbugmon:update][adv-main38+] | crash, csectype-bounds, regression, sec-critical, testcase |
1087633 | Core | DOM: Core & HTML | VERI |
XMLHttp |
--- | fixed | fixed | [adv-main34+][adv-esr31.3+] thread checks seem to protect from the worst | sec-moderate |
1144988 | Core | DOM: Navigation | VERI | Same-origin bypass via SVG hash navigation (ZDI-CAN-2825) | verified | fixed | fixed | [filed bug 1145195 to change svgView() behavior][adv-main37-][adv-esr31.6-][b2g-adv-main2.2-] | sec-critical |
1146339 | Core | DOM: Navigation | VERI | A variant of Bug 1144988 lets one bypass same-origin policy | verified | fixed | fixed | [adv-main37+][adv-esr31.6+][bg2-adv-main2.2+] | sec-high |
1149891 | Core | DOM: Security | VERI |
crash in CSPService::Should |
wontfix | fixed | unaffected | [adv-main39+][adv-esr38.1+] | crash, csectype-uaf, regression, reproducible, sec-critical |
1068218 | Core | DOM: Core & HTML | VERI |
Directionality |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+] | crash, csectype-uaf, sec-critical, testcase |
1082986 | Core | Graphics: Layers | VERI |
Exploitable crash in mozilla::layers::Image |
--- | fixed | unaffected | crash, csectype-uaf, regression, sec-critical | |
1145255 | Core | JavaScript Engine | VERI |
Incorrect asm |
verified | fixed | fixed | [post-critsmash-triage][adv-main37-][adv-esr31.6-][jsbugmon:update,testComment=13,origRev=2e2222a40262] 32-bit | crash, csectype-bounds, regression, sec-critical, testcase |
1184500 | Toolkit | Application Update | VERI |
Out of bounds write in mar |
--- | fixed | fixed | [adv-main40+][adv-esr38.2+] | sec-high |
1077991 | Core | JavaScript Engine | VERI |
Crash [@ Get |
--- | fixed | unaffected | [jsbugmon:update] | crash, regression, sec-high, testcase |
1096138 | Core | JavaScript Engine: J | VERI |
Assertion failure: *to != *moves |
verified | fixed | fixed | [jsbugmon:update][adv-main36+][adv-esr31.5+][b2g-adv-main2.2+] | assertion, regression, sec-critical, testcase |
1118894 | Core | JavaScript Engine | VERI |
Assertion failure: pred->is |
fixed | fixed | fixed | [jsbugmon:update,ignore][adv-main36+] | assertion, regression, sec-high, testcase |
1230483 | Core | Audio/Video: Playbac | VERI |
crash in mozilla::Media |
--- | affected | wontfix | [adv-main44+][adv-esr38.6+] | crash, csectype-uaf, sec-critical |
1013001 | Core | JavaScript Engine: J | VERI |
Assertion failure: ptr->is |
--- | fixed | unaffected | [jsbugmon:update,testComment=6][adv-main34+][b2g-adv-main2.2-] | assertion, sec-high, testcase |
1023158 | Core | JavaScript Engine: J | VERI |
Assertion failure: ptr->is |
--- | fixed | unaffected | [jsbugmon:update,ignore][only a sec issue with GGC][adv-main34+][b2g-adv-main2.2-] | assertion, sec-high, testcase |
1064346 | Core | JavaScript Engine | VERI |
Crash [@ Is |
--- | fixed | fixed | [adv-main33+][adv-esr31.2+] | crash, csectype-uaf, sec-high, testcase |
1085355 | Core | JavaScript Engine | VERI |
Assertion failure: is |
verified | fixed | --- | [jsbugmon:update,ignore][b2g-adv-main2.2-] | assertion, sec-high, testcase |
1114058 | Core | JavaScript Engine: J | VERI |
Crash [@ js::Reg |
verified | fixed | fixed | [jsbugmon:update][adv-main36+] | crash, regression, sec-high, testcase |
1075336 | Core | CSS Parsing and Comp | VERI |
Heap-use-after-free in mozilla::Custom |
--- | fixed | fixed | [adv-main33-] | crash, csectype-uaf, regression, sec-critical, testcase |
REST |
CSV |
Feed |
iCalendar
Change Columns |
Edit Search |