Firefox Klar, IceCatMobile, Fennec F-Droid and Android Firefox ESR

F-Droid features various Firefox builds, and none of them get updated with critical patches (fast enough). Here’s that -partial- list, in no particular order:

  • Firefox Klar, ver. 6.1.1 Added on 8/20/18

  • IceCatMobile, ver. 60.5.1 Added 2/19/19

  • Fennec F-Droid, ver. 67.0.2 Added 6/6/19

  • Android Firefox ESR: not available, Mozilla doesn’t build it.

  • EXTRA: Firefox Lite, ver. 1.4.0 Added 5/1/19

… Actual (GitHub) version: 1.6.2 Added 6/18/19; the only one which actually got patched.

The issue in question:

0-day critical (JavaScript) vulnerability (June 18, 2019), NOT patched in any F-Droid releases, as of June 19, 2019: https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/

Mozilla Foundation Security Advisory 2019-18
Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

Announced: June 18, 2019
Impact: critical
Products: Firefox, Firefox ESR
Fixed in: Firefox 67.0.3, Firefox ESR 60.7.1

One article link, “Update Your Firefox Browser, Hackers Are Abusing a Serious Bug”, https://www.pcmag.com/news/369097/update-your-firefox-browser-hackers-are-abusing-a-serious-b

What’s there to be done about this, pls., tnx! :slight_smile:

1 Like
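To make the comparison in the post above explicit, here is an added example (not code from the thread, F-Droid or Mozilla) that checks each listed build against the advisory’s “Fixed in” versions. The branch each app tracks (IceCatMobile 60.x on the ESR 60 line, Klar as a product the advisory does not list) is an assumption made for the example.

```python
import re

# Constructed from the MFSA 2019-18 "Fixed in" lines quoted in the thread.
ADVISORY = {"id": "mfsa2019-18", "impact": "critical",
            "fixed_in": {"Firefox": "67.0.3", "Firefox ESR": "60.7.1"}}

# Versions as listed in the thread. The branch each app tracks is an
# assumption made for this example (IceCatMobile 60.x -> ESR 60 line).
INSTALLED = {
    "Fennec F-Droid": ("Firefox", "67.0.2"),
    "IceCatMobile": ("Firefox ESR", "60.5.1"),
    "Firefox Klar": ("Focus", "6.1.1"),   # not a product the advisory lists
}


def parse_version(text):
    """'67.0.3' -> (67, 0, 3); tolerates a stray suffix such as '-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_fixed(installed, fixed):
    """True when the installed build already carries the advisory's fix.

    Same major line: compare numerically. A newer major line is assumed to
    include the fix; an older major line cannot.
    """
    i, f = parse_version(installed), parse_version(fixed)
    if i[0] != f[0]:
        return i[0] > f[0]
    return i >= f


def assess(advisory, installed):
    """Map each app to 'patched', 'vulnerable' or 'unknown' (product not
    covered by the advisory)."""
    result = {}
    for app, (product, version) in installed.items():
        fixed = advisory["fixed_in"].get(product)
        if fixed is None:
            result[app] = "unknown"
        else:
            result[app] = "patched" if is_fixed(version, fixed) else "vulnerable"
    return result


if __name__ == "__main__":
    for app, status in assess(ADVISORY, INSTALLED).items():
        print(f"{app}: {status} ({ADVISORY['id']}, impact {ADVISORY['impact']})")
```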

Just btw., I am not affected, as I’m using the gHacks (pants) user.js (hosted on GitHub and mirrored on GitLab) config file, which can be injected into a non-rooted Android device using Firefox Developer Tools:

https://github.com/ghacksuserjs/ghacks-user.js/issues/318#issuecomment-359181951

… And here’s the heavily-edited file which I’m using, in case anybody needs it:

https://pastebin.com/YnHqvWQN

Below are a few missing / extra-modified about:config entries; some need to be set, some reset to default, depending on your -personal- preferences… :slight_smile:

  • about:config?filter=dom.w3c_touch_events.enabled

  • about:config?filter=browser.sessionstore.max_resumed_crashes

  • about:config?filter=dom.event.contextmenu.enabled

  • about:config?filter=network.http.referer.XOriginPolicy

The file is made for desktop Firefox (the way that I use it) and there are redundant /extra settings for Android. I would probably need to add more entries to the list!

(There are settings which break functionality and especially so in the original file, as it’s built for Tor; for privacy and security - and against tracking and fingerprinting.)

EDIT: For example, even though I’m using uBlock Origin (together with Decentraleyes and a few more add-ons), the internal Mozilla blocking systems are left on - so, the browser IS connecting and downloading those -various- blocklists from them; and btw., the user.js does “sanitize” some of those requests - it’s documented in the file.

F-Droid is known to have a lag of a week or so between a new release of an open source app and the time it is available for users. Personally, given that F-Droid is a volunteer-driven organization, I accept that extra risk.

I understand the problem if your threat model makes this security risk unacceptable; however, it is not fair to blame F-Droid contributors if they don’t have the resources to identify, test and deploy near-instant updates.

3 Likes

https://gitlab.com/fdroid/fdroiddata/issues/1233#note_84089409
https://gitlab.com/fdroid/fdroiddata/issues/1390#note_175015426

https://lists.gnu.org/archive/html/bug-gnuzilla/2019-05/msg00003.html

https://gitlab.com/fdroid/fdroiddata/blob/master/CONTRIBUTING.md

?

https://gitlab.com/fdroid/fdroiddata/issues/1609#note_164903681

2 Likes

F-Droid should treat browsers as more important than other apps and fix them ASAP (not only this important 0-day).
It’s sad that a WebView/Chromium browser is ATM more secure than Fennec because of slow updates.

2 Likes

@relan added the build metadata for Fennec 67.0.3 : https://gitlab.com/fdroid/fdroiddata/commit/d337a4a4b1b56e29bcdb4765c88ba564e1475d3e
So it should be available in the repository in a few days.

2 Likes

Great, now do it again for .4 :slight_smile: :slight_smile:

1 Like

There’s no FENNEC_67_0_4_RELEASE tag (yet?).

It looks like 67.0.4 has only been released for desktop (for now?).

[…] not fair to blame f-droid contributors

Thank you very much for the replies; I apologise if anything in my posts indicated any sort of hostility! Not my intention at all (!); I get what the whole system is and how it works. :slight_smile:

Speaking of which, may I also mention how STRANGE F-Droid gets with certain things disabled on the phone… This is what it looks like: it’ll only sometimes load (some) images, and apparently randomly, to make it more confusing:

Updating repositories is also an issue, even though NetGuard isn’t blocking much - and it has to be disabled, otherwise nothing gets fetched at all:

EDIT: Most probably, it is “Spock” - it’s somewhat hard to wrangle this Mi A2 into submission (without rooting. :))

Again, very unfortunate that Mozilla doesn’t build ESR for mobile, btw. :confused:

1 Like

What does “not blocking much” mean? You need to allow F-Droid or uncheck “apply rules”.

Works fine with NetGuard on multiple devices here for me, so it’s a configuration issue on your side.

Did you slide the Wi-Fi and mobile data sliders in F-Droid Settings all the way to the right?

1 Like

mobile data

Definitely not mobile data… :slight_smile: It’s crazy, I had to set “Data limit” to 0 B so as not to have it auto-activate under certain conditions. No big deal, I guess; I haven’t been able to figure out what’s blocking and firewalling what.

The real issue is that F-Droid Fennec is lagging behind again, two minor builds: 68.0.1 and 68.0.2

What are we to do, if anybody knows of plans to keep the build cycle up with releases?

The real issue is that F-Droid Fennec is lagging behind again, two minor builds: 68.0.1 and 68.0.2

Fennec 68.0.1 never happened; 68.0.2 includes a minor fix and no security patches, see https://www.mozilla.org/en-US/firefox/android/68.0.2/releasenotes/. I decided to skip 68.0.2.

2 Likes

oh :open_mouth:, please don’t! See
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/

1 Like

please don’t! See
https://www.mozilla.org/en-US/security/advisories/mfsa2019-24/

This issue affects only desktop Firefox, see the fix:
https://hg.mozilla.org/releases/mozilla-release/rev/b6cc9968b1772b8ccd239bef0087b4c7ddd8198d

2 Likes

Hello, will 68.1 be added?

Already built… But I’m seeing 69 on desktop already :slight_smile:

Mozilla stopped developing Fennec and switched to Fenix. They’ll make only 68.x updates to Fennec now.

As of writing, our build server compiled Fennec 68.1 for arm and x86, currently building arm64.

1 Like

Riiight, forgot that.

What’s the status on that for F-Droid?
